Debian and 2.6 selinux

Debian and 2.6 selinux

[Chris Babcock]

Does the 2.6 version of SE work well on Debian Potato (r2) or do I need to
run Sid to get good results with the 2.6 version?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Debian and 2.6 selinux

[Russell Coker]

On Wed, 21 Jan 2004 16:48, "Chris Babcock" <cbabcock@luthresearch.com> wrote:
> Does the 2.6 version of SE work well on Debian Potato (r2) or do I need to
> run Sid to get good results with the 2.6 version?

Potato has never been supported by SE Linux.

Woody now works for the "new SE Linux" which is back-ported to 2.4.x from 
2.6.x with the following /etc/apt/sources.list line:
deb http://www.microcomaustralia.com.au/debian/ stable selinux main

However I have not tried woody with a 2.6.x kernel.  I don't know why you 
would want to run Debian/stable with a 2.6.x kernel though, as 2.6.x kernels 
are not stable in my experience!

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Debian and 2.6 selinux

[Chris Babcock]

> On Wed, 21 Jan 2004 16:48, "Chris Babcock" <cbabcock@luthresearch.com>
> wrote:
>> Does the 2.6 version of SE work well on Debian Potato (r2) or do I need
>> to
>> run Sid to get good results with the 2.6 version?
>
> Potato has never been supported by SE Linux.

Sorry.  My brain crossed a few of the wrong wires...  I have been working
on some old third party Potato servers lately, and I blended projects
together.  I meant Woody in the original post.

>
> Woody now works for the "new SE Linux" which is back-ported to 2.4.x from
> 2.6.x with the following /etc/apt/sources.list line:
> deb http://www.microcomaustralia.com.au/debian/ stable selinux main
>
> However I have not tried woody with a 2.6.x kernel.  I don't know why you
> would want to run Debian/stable with a 2.6.x kernel though, as 2.6.x
> kernels
> are not stable in my experience!
>

Is that 2.6 alone is too unstable for your taste, or 2.6 with SE enabled
is too unstable?

I am looking to build a system that I don't have to deal with 2 moving
targets at the same time.  Sid/unstable lives up to its name at least in
the respect that it changes frequently.  Even if I find a working
combination that I like this week, the versioning and stability will
change next time I update.  SELinux also moves at a fair rate.  Over the
past year the guts of the system have been significantly changed.  It also
appears that the bulk of the development is being done on the 2.6 kernel.

So, I was thinking that perhaps running 2.6 w/SE on a known, stable
infrequently changing platform may be worth a try, since it would let me
compare Non-SE, 2.4-SE, and 2.6-SE on a common, easily reproducible base
platform.  It is probably a bad idea.  Most of the debian stable packages
are downright stale.  Odds are something in the system will end up causing
trouble with the 2.6 kernel.  Any thoughts on this?

Also, what combination of base distro and SE do you prefer for production
servers?

> --
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Debian and 2.6 selinux

[Russell Coker]

On Wed, 21 Jan 2004 21:16, "Chris Babcock" <cbabcock@luthresearch.com> wrote:
> > However I have not tried woody with a 2.6.x kernel.  I don't know why you
> > would want to run Debian/stable with a 2.6.x kernel though, as 2.6.x
> > kernels are not stable in my experience!
>
> Is that 2.6 alone is too unstable for your taste, or 2.6 with SE enabled
> is too unstable?

2.6 in any situation.

I have found APM not to work correctly, some Ext3 file system issues, and some 
significant driver changes that take some time and effort to sort out 
(particularly for ISA drivers).

> So, I was thinking that perhaps running 2.6 w/SE on a known, stable
> infrequently changing platform may be worth a try, since it would let me
> compare Non-SE, 2.4-SE, and 2.6-SE on a common, easily reproducible base
> platform.  It is probably a bad idea.  Most of the debian stable packages
> are downright stale.  Odds are something in the system will end up causing
> trouble with the 2.6 kernel.  Any thoughts on this?

I suggest running 2.4 with the new SE Linux back-port on Stable then.

> Also, what combination of base distro and SE do you prefer for production
> servers?

The combination that's likely to work best in most ways at the moment is 
Fedora with Arjan's kernel and Dan's packages.

For Debian use Stable with Brian's packages.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Debian and 2.6 selinux

[Chris Babcock]

> On Wed, 21 Jan 2004 21:16, "Chris Babcock" <cbabcock@luthresearch.com>
> wrote:
>> > However I have not tried woody with a 2.6.x kernel.  I don't know why
>> you
>> > would want to run Debian/stable with a 2.6.x kernel though, as 2.6.x
>> > kernels are not stable in my experience!
>>
>> Is that 2.6 alone is too unstable for your taste, or 2.6 with SE enabled
>> is too unstable?
>
> 2.6 in any situation.
>
> I have found APM not to work correctly, some Ext3 file system issues, and
> some
> significant driver changes that take some time and effort to sort out
> (particularly for ISA drivers).

That is unfortunate.  It makes me wonder what hardware the kernel
developers use.  If the kernel made it passed the 2.5 stage it has to run
stable for somebody (Linus?).

>
>> So, I was thinking that perhaps running 2.6 w/SE on a known, stable
>> infrequently changing platform may be worth a try, since it would let me
>> compare Non-SE, 2.4-SE, and 2.6-SE on a common, easily reproducible base
>> platform.  It is probably a bad idea.  Most of the debian stable
>> packages
>> are downright stale.  Odds are something in the system will end up
>> causing
>> trouble with the 2.6 kernel.  Any thoughts on this?
>
> I suggest running 2.4 with the new SE Linux back-port on Stable then.
>
>> Also, what combination of base distro and SE do you prefer for
>> production
>> servers?
>
> The combination that's likely to work best in most ways at the moment is
> Fedora with Arjan's kernel and Dan's packages.
>
> For Debian use Stable with Brian's packages.
>

Thanks.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Debian and 2.6 selinux

[Stephen Smalley]

On Wed, 2004-01-21 at 05:31, Russell Coker wrote:
> The combination that's likely to work best in most ways at the moment is 
> Fedora with Arjan's kernel and Dan's packages.

Actually, Arjan dropped the SELinux diffs from his kernel RPM a while
back; the rawhide kernel is the one to use.  Or 2.6.2-rc1, which
includes all of the SELinux diffs.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.