* SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-14 17:38 UTC
To: SELinux

Hi, after some weeks I decided to come back at work on SELinux.
I'm still writing you about SELinux support problem on an LFS-based
distribution.

So, here is what I have done so far:

1) Kernel Configuration

I built the kernel with these options:

# CONFIG_KEYS is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

Of course with Ext[23] extended attributes, NET && INET, NETWORK_SECMARK
and AUDIT support.

2) I have built and installed the SELinux userland packages
(checkpolicy, libselinux, policycoreutils, policy) from:

svn co https://selinux.svn.sourceforge.net/svnroot/selinux/branches/stable/1_0/

3) I unpacked the latest refpolicy according to:
http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy

4) I still haven't patched packages like coreutils and sons.

5) I have created the /selinux mountpoint directory and added the
following lines in fstab:

none /selinux selinuxfs defaults 0 0

6) So I added this line to my "lilo.conf":

append="enforcing=0"

7) Finally I tried to boot with the new kernel (2.6.20) and after the
reboot the result is:

# sestatus
SELinux status: disabled
#

#############################

Of course I can't go ahead from the point 5 to 11 of the official README
in "selinux-doc".
I don't know if I really forgot something or if I skip something while
I'm configuring SELinux because this is my really first experience with
selinux configuration.

What am I missing? Any help would be appreciated.

Thanks in advance for your help!

--
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: SELinux and LFS
From: Christopher J. PeBenito @ 2007-02-14 18:08 UTC
To: vin; +Cc: SELinux

On Wed, 2007-02-14 at 18:38 +0100, Vincenzo Ciaglia wrote:
> Hi, after some weeks I decided to come back at work on SELinux.
> I'm still writing you about SELinux support problem on an LFS-based
> distribution.

I think your problem is here:

> 4) I still haven't patched packages like coreutils and sons.

You need a patched init to load the policy. If no policy is loaded,
SELinux is disabled:

> # sestatus
> SELinux status: disabled

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

* Re: SELinux and LFS
From: Christopher J. PeBenito @ 2007-02-14 18:17 UTC
To: vin; +Cc: SELinux

On Wed, 2007-02-14 at 18:08 +0000, Christopher J. PeBenito wrote:
> You need a patched init to load the policy.

To be clearer, init does the initial policy load when the system boots.
It doesn't load the policy at any other time.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

* Re: SELinux and LFS
From: Karl MacMillan @ 2007-02-14 20:34 UTC
To: Christopher J. PeBenito; +Cc: vin, SELinux

Christopher J. PeBenito wrote:
> On Wed, 2007-02-14 at 18:08 +0000, Christopher J. PeBenito wrote:
>> You need a patched init to load the policy.
>
> To be clearer, init does the initial policy load when the system boots.
> It doesn't load the policy at any other time.
>

It is also possible to do the policy load from an initial ramdisk. The
key is that init needs to somehow end up with the correct context.

Karl

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-14 22:10 UTC
To: Christopher J. PeBenito; +Cc: SELinux

On Wed, 14/02/2007 at 18.08 +0000, Christopher J. PeBenito wrote:

> > 4) I still haven't patched packages like coreutils and sons.
>
> You need a patched init to load the policy. If no policy is loaded,
> SELinux is disabled:

Hi, I tried to re-configure sysvinit with this patch (the fedora's one):
http://www.netwosix.org/selinux/sysvinit-selinux.patch
(is the only one needed?)

But I get these outputs:

# patch -Np1 -i sysvinit-selinux.patch
patching file src/init.c
Hunk #1 succeeded at 42 (offset -6 lines).
Hunk #2 succeeded at 2607 (offset 92 lines).
Hunk #3 succeeded at 2573 (offset -6 lines).
patching file src/Makefile
Hunk #1 succeeded at 57 with fuzz 1 (offset 25 lines).
Hunk #2 FAILED at 75.
1 out of 2 hunks FAILED -- saving rejects to file src/Makefile.rej
patching file src/sulogin.c
Hunk #1 FAILED at 28.
Hunk #2 succeeded at 338 (offset 3 lines).
1 out of 2 hunks FAILED -- saving rejects to file src/sulogin.c.rej
# make -C src
make: Entering directory `/home/vciaglia/sysvinit-2.86/src'
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -c -o mountpoint.o mountpoint.c
gcc -s -o mountpoint mountpoint.o
gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE init.c
init.c: In function 're_exec':
init.c:1889: warning: missing sentinel in function call
gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DINIT_MAIN utmp.c -o init_utmp.o
gcc -s -o init init.o init_utmp.o -lsepol -lselinux
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -c -o halt.o halt.c
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -c -o ifdown.o ifdown.c
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -c -o hddown.o hddown.c
gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE utmp.c
gcc -s -o halt halt.o ifdown.o hddown.o utmp.o
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -c -o dowall.o dowall.c
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -c -o shutdown.o shutdown.c
gcc -s -o shutdown dowall.o shutdown.o utmp.o
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -c -o runlevel.o runlevel.c
gcc -s -o runlevel runlevel.o
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -s killall5.c -o killall5
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -c -o sulogin.o sulogin.c
sulogin.c: In function 'sushell':
sulogin.c:338: error: 'is_selinux_enabled' undeclared (first use in this function)
sulogin.c:338: error: (Each undeclared identifier is reported only once
sulogin.c:338: error: for each function it appears in.)
sulogin.c:339: error: 'security_context_t' undeclared (first use in this function)
sulogin.c:339: error: expected ';' before 'scon'
sulogin.c:342: warning: implicit declaration of function 'getseuserbyname'
sulogin.c:343: warning: implicit declaration of function 'get_default_context_with_level'
sulogin.c:343: error: 'scon' undeclared (first use in this function)
sulogin.c:344: warning: implicit declaration of function 'setexeccon'
sulogin.c:346: warning: implicit declaration of function 'freecon'
make: *** [sulogin.o] Error 1
make: Leaving directory `/home/vciaglia/sysvinit-2.86/src'
#

What is going wrong? Maybe I'm missing something? I get the same
"errors" when I try to patch the coreutils.

Thank you a lot,
--
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 13:55 UTC
To: Christopher J. PeBenito; +Cc: SELinux

On Wed, 14/02/2007 at 18.08 +0000, Christopher J. PeBenito wrote:

> You need a patched init to load the policy. If no policy is loaded,
> SELinux is disabled:

I finally patched everything with fedora's patch
(pam,coreutils,sysvinit,openssh) for selinux-support and everything
seems to be ok.

Coreutils-6.7 now are selinux-ready:
# ls -Z
-rw-r--r-- root root unlabeled System.map
drwxr-xr-x root root unlabeled bin

So I tried to reboot my kernel.

I still can't get selinux enabled. I think that is still a sysvinit
problem. Init still can't perform the /selinux mount.

Here the package patched and selinux-ready that I built:
http://www.netwosix.org/selinux/sysvinit-2.85-selinux.tar.gz

I compiled it with the standard options:

# make -C src
# make -C src install

I also created a script in the /etc/rc but nothing happened. Until init
can't mount /selinux I can't use /selinux/enforce.

So I still have problems. Any suggestions? Am I missing something?

Thank you in advance!
--
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-15 18:41 UTC
To: vin; +Cc: Christopher J. PeBenito, SELinux

On Thu, 2007-02-15 at 14:55 +0100, Vincenzo Ciaglia wrote:
> On Wed, 14/02/2007 at 18.08 +0000, Christopher J. PeBenito wrote:
>
> > You need a patched init to load the policy. If no policy is loaded,
> > SELinux is disabled:
>
> I finally patched everything with fedora's patch
> (pam,coreutils,sysvinit,openssh) for selinux-support and everything
> seems to be ok.
>
> Coreutils-6.7 now are selinux-ready:
> # ls -Z
> -rw-r--r-- root root unlabeled System.map
> drwxr-xr-x root root unlabeled bin
>
> So I tried to reboot my kernel.
>
> I still can't get selinux enabled. I think that is still a sysvinit
> problem. Init still can't perform the /selinux mount.
>
> Here the package patched and selinux-ready that I built:
> http://www.netwosix.org/selinux/sysvinit-2.85-selinux.tar.gz
>
> I compiled it with the standard options:
>
> # make -C src
> # make -C src install
>
> I also created a script in the /etc/rc but nothing happened. Until init
> can't mount /selinux I can't use /selinux/enforce.
>
> So I still have problems. Any suggestions? Am I missing something?

If you boot your kernel with init=/bin/bash and try to manually mount
selinuxfs on /selinux, does it work?

Also, be warned that it is presently very difficult to find all of the
selinux-related bits in Fedora and apply them elsewhere; there may be
multiple patches in a single package that are selinux-related, they can
be relative to non-selinux patches in the same package, and they have
become increasingly intertwined with audit patches. Which is why people
familiar with that code need to do some work to extract them, unify
them, clean them up, and re-base them to an upstream (if one exists).

--
Stephen Smalley
National Security Agency

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 19:35 UTC
To: Stephen Smalley; +Cc: Christopher J. PeBenito, SELinux

On Thu, 15/02/2007 at 13.41 -0500, Stephen Smalley wrote:

> If you boot your kernel with init=/bin/bash and try to manually mount
> selinuxfs on /selinux, does it work?

I don't know, I still haven't tried but I think isn't a good idea to
manually mount the selinuxfs. Like I said it will be a public-use
gnu/linux distribution for networking and security related works. Even
if could be used from expert and skilled users I think that this
solution is really too uncomfortable, don't you?

However I also tried to add this line to my "/etc/rc" script:

/bin/mount -t selinuxfs /selinux

But nothing happened.

--
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-15 19:48 UTC
To: vin; +Cc: Christopher J. PeBenito, SELinux

On Thu, 2007-02-15 at 20:35 +0100, Vincenzo Ciaglia wrote:
> On Thu, 15/02/2007 at 13.41 -0500, Stephen Smalley wrote:
>
> > If you boot your kernel with init=/bin/bash and try to manually mount
> > selinuxfs on /selinux, does it work?
>
> I don't know, I still haven't tried but I think isn't a good idea to
> manually mount the selinuxfs. Like I said it will be a public-use
> gnu/linux distribution for networking and security related works. Even
> if could be used from expert and skilled users I think that this
> solution is really too uncomfortable, don't you?

I'm not suggesting it for production use, just to independently check on
your ability to mount selinuxfs, since you said that init seems to be
failing at that point.

> However I also tried to add this line to my "/etc/rc" script:
>
> /bin/mount -t selinuxfs /selinux
>
> But nothing happened.

Should be:
mount -t selinuxfs none /selinux

But doing it from init=/bin/bash will be closer to what init experiences
than from your rc scripts.

--
Stephen Smalley
National Security Agency

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 17:16 UTC
To: Christopher J. PeBenito; +Cc: SELinux

On Wed, 14/02/2007 at 18.08 +0000, Christopher J. PeBenito wrote:

> You need a patched init to load the policy. If no policy is loaded,
> SELinux is disabled:

In addition here the pre-compiled tar.gz derived from the latest debian
selinux-patched sysvinit.

http://www.netwosix.org/selinux/sysvinit-2.86-5-selinux.tar.gz

But again:
# sestatus
SELinux status: disabled
#

So I'm thinking that the problem isn't init anymore.

--
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-15 19:12 UTC
To: vin; +Cc: SELinux

On Wed, 2007-02-14 at 18:38 +0100, Vincenzo Ciaglia wrote:
> Hi, after some weeks I decided to come back at work on SELinux.
> I'm still writing you about SELinux support problem on an LFS-based
> distribution.
>
> So, here is what I have done so far:
>
> 1) Kernel Configuration
>
> I built the kernel with these options:
>
> # CONFIG_KEYS is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> # CONFIG_SECURITY_NETWORK_XFRM is not set
> CONFIG_SECURITY_CAPABILITIES=y
> # CONFIG_SECURITY_ROOTPLUG is not set
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_SELINUX_DISABLE=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
>
> Of course with Ext[23] extended attributes,

And CONFIG_EXT3_FS_SECURITY=y too, I assume (i.e. not just the base
xattr support, but also the security xattr handler).

> 3) I unpacked the latest refpolicy according to:
> http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy

And built it and installed it?
And created an /etc/selinux/config file? With what contents?

> 7) Finally I tried to boot with the new kernel (2.6.20) and after the
> reboot the result is:
>
> # sestatus
> SELinux status: disabled

With what kernel messages from SELinux? e.g.
$ dmesg | grep SELinux
SELinux: Initializing.
SELinux: Starting in permissive mode
SELinux: Registering netfilter hooks
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
...

--
Stephen Smalley
National Security Agency

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 19:23 UTC
To: Stephen Smalley; +Cc: SELinux

On Thu, 15/02/2007 at 14.12 -0500, Stephen Smalley wrote:

> > Of course with Ext[23] extended attributes,
>
> And CONFIG_EXT3_FS_SECURITY=y too, I assume (i.e. not just the base
> xattr support, but also the security xattr handler).

Done, of course.

#
# File systems
#
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT2_FS_XIP=y
CONFIG_FS_XIP=y
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y

> > 3) I unpacked the latest refpolicy according to:
> > http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy
>
> And built it and installed it?

Yes, like it said in that page.

> And created an /etc/selinux/config file?

Yes.

> With what contents?

# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
#

> With what kernel messages from SELinux?

# dmesg | grep SELinux
SELinux: Initializing.
SELinux: Starting in permissive mode
#

Thank you!

--
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-15 19:31 UTC
To: vin; +Cc: SELinux

On Thu, 2007-02-15 at 20:23 +0100, Vincenzo Ciaglia wrote:
> > With what contents?
>
> # cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=permissive
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted

And your policy is installed
under /etc/selinux/targeted/policy/policy.xx?

--
Stephen Smalley
National Security Agency

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 19:58 UTC
To: Stephen Smalley; +Cc: SELinux

On Thu, 15/02/2007 at 14.31 -0500, Stephen Smalley wrote:
> SELINUXTYPE=targeted
>
> And your policy is installed
> under /etc/selinux/targeted/policy/policy.xx?

Ops...hh no. Here my error. My policy is under
/etc/selinux/netwosix/policy/policy.21

So I rebooted and:

# dmesg | grep selinux
selinux_register_security: Registering secondary module capability
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: netwosix

Finally it works! Thank you very much! :)

Now I can start working on policies.

--
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-15 20:03 UTC
To: vin; +Cc: SELinux, Eric Paris

On Thu, 2007-02-15 at 20:58 +0100, Vincenzo Ciaglia wrote:
> On Thu, 15/02/2007 at 14.31 -0500, Stephen Smalley wrote:
> > SELINUXTYPE=targeted
> >
> > And your policy is installed
> > under /etc/selinux/targeted/policy/policy.xx?
>
> Ops...hh no. Here my error. My policy is under
> /etc/selinux/netwosix/policy/policy.21

Ok. SELINUXTYPE= is just the name where your policy is located; it
doesn't have to mean anything about the actual kind of policy (although
conventionally we use "targeted", "strict", "mls", etc to indicate the
kind of policy too.)

> So I rebooted and:
>
> # dmesg | grep selinux
> selinux_register_security: Registering secondary module capability
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses
> genfs_contexts

You actually wanted to grep for "SELinux" (capitalization) or grep -i,
but that's ok. Although I thought Eric was going to kill or at least
silence by default many of those messages.

> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 21
> Policy from config file: netwosix
>
> Finally it works! Thank you very much! :)

Good. Of course, since it is permissive, it isn't enforcing anything
yet, just logging what would be denied. Did you label your filesystems
yet?

> Now I can start working on policies.

--
Stephen Smalley
National Security Agency

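The mismatch resolved in the messages above, as an added example that is not part of the original thread: a POSIX shell check that the directory named by SELINUXTYPE in /etc/selinux/config really holds a policy.NN file, since that is where the policy load at boot looks. The function names and the root-prefix argument are assumptions for illustration, and the sample tree is constructed to mirror the thread (config says "targeted", policy installed under "netwosix").

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the ROOT
# prefix argument are hypothetical, chosen for illustration.

# Print the value assigned to key $2 in config file $1.
# Comment lines are ignored; the last assignment wins.
selinux_config_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print the name of every directory under ROOT/etc/selinux that contains
# a binary policy (policy/policy.NN), one per line.
selinux_policy_stores() {
    for scc_f in "$1"/etc/selinux/*/policy/policy.[0-9]*; do
        [ -f "$scc_f" ] || continue          # unmatched glob stays literal
        scc_d=${scc_f%/policy/policy.*}
        echo "${scc_d##*/}"
    done | sort -u
}

# Check ROOT (default: the running system) and return
#   0  SELINUXTYPE names a directory that holds a policy file
#   1  /etc/selinux/config is missing or unreadable
#   2  SELINUXTYPE is not set
#   3  no policy file under /etc/selinux/$SELINUXTYPE/policy
selinux_policy_check() {
    scc_root=${1:-}
    scc_cfg="$scc_root/etc/selinux/config"
    if [ ! -r "$scc_cfg" ]; then
        echo "cannot read $scc_cfg"
        return 1
    fi
    scc_type=$(selinux_config_value "$scc_cfg" SELINUXTYPE)
    if [ -z "$scc_type" ]; then
        echo "SELINUXTYPE is not set in $scc_cfg"
        return 2
    fi
    for scc_p in "$scc_root/etc/selinux/$scc_type"/policy/policy.[0-9]*; do
        if [ -f "$scc_p" ]; then
            echo "ok: SELINUXTYPE=$scc_type -> $scc_p"
            return 0
        fi
    done
    echo "SELINUXTYPE=$scc_type but no policy.NN in $scc_root/etc/selinux/$scc_type/policy"
    selinux_policy_stores "$scc_root" | sed 's/^/  policy store present: /'
    return 3
}

# Build a constructed tree that reproduces the situation in the thread:
# the config names "targeted", the policy was installed under "netwosix".
selinux_demo_tree() {
    scc_t=$(mktemp -d) || return 1
    mkdir -p "$scc_t/etc/selinux/netwosix/policy"
    : > "$scc_t/etc/selinux/netwosix/policy/policy.21"
    printf '%s\n' \
        '# SELINUXTYPE= type of policy in use.' \
        'SELINUX=permissive' \
        'SELINUXTYPE=targeted' > "$scc_t/etc/selinux/config"
    echo "$scc_t"
}

# Demonstration: the broken configuration first, then the corrected one.
demo_root=$(selinux_demo_tree)
selinux_policy_check "$demo_root" || echo "exit status: $?"
printf '%s\n' 'SELINUX=permissive' 'SELINUXTYPE=netwosix' \
    > "$demo_root/etc/selinux/config"
selinux_policy_check "$demo_root" || echo "exit status: $?"
rm -rf "$demo_root"
```

Called with no argument, `selinux_policy_check` inspects the running system's /etc/selinux.
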
* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 20:23 UTC
To: Stephen Smalley; +Cc: SELinux, Eric Paris

On Thu, 15/02/2007 at 15.03 -0500, Stephen Smalley wrote:

> You actually wanted to grep for "SELinux" (capitalization) or grep -i,
> but that's ok. Although I thought Eric was going to kill or at least
> silence by default many of those messages.

Here we are:

# dmesg | grep -i selinux
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev hdb1, type ext3), uses xattr

> Good. Of course, since it is permissive, it isn't enforcing anything
> yet, just logging what would be denied. Did you label your filesystems
> yet?

Yes:

# cd /etc/selinux/refpolicy/src/policy/
# make relabel
Relabeling filesystem types: ext2 ext3 xfs jfs
/sbin/setfiles /etc/selinux/netwosix/contexts/files/file_contexts / /usr
/sbin/setfiles: labeling files under /
matchpathcon_filespec_eval: hash table stats: 2571 elements, 2559/65536 buckets used, longest chain length 2
/sbin/setfiles: labeling files under /usr
matchpathcon_filespec_eval: hash table stats: 81537 elements, 20107/65536 buckets used, longest chain length 10
/sbin/setfiles: Done.
#

So I rebooted and when I try to "sysadm_r" I get this:
# newrole -r sysadm_r
Couldn't get default type.
#

But I still haven't read anything about this. Now I'm too happy that
selinux is enabled and it's working ... after many weeks of patch+patch
+hack+hack on the new netwosix system :)

Thank you,
--
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-15 20:34 UTC
To: vin; +Cc: SELinux

On Thu, 2007-02-15 at 21:23 +0100, Vincenzo Ciaglia wrote:
> On Thu, 15/02/2007 at 15.03 -0500, Stephen Smalley wrote:
>
> > You actually wanted to grep for "SELinux" (capitalization) or grep -i,
> > but that's ok. Although I thought Eric was going to kill or at least
> > silence by default many of those messages.
>
> Here we are:
>
> # dmesg | grep -i selinux
> SELinux: Initializing.
> SELinux: Starting in permissive mode
> selinux_register_security: Registering secondary module capability
> SELinux: Completing initialization.
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev hda1, type ext3), uses xattr
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses
> genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses
> genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses
> genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev hdb1, type ext3), uses xattr
>
> > Good. Of course, since it is permissive, it isn't enforcing anything
> > yet, just logging what would be denied. Did you label your filesystems
> > yet?
>
> Yes:
>
> # cd /etc/selinux/refpolicy/src/policy/
> # make relabel
> Relabeling filesystem types: ext2 ext3 xfs jfs
> /sbin/setfiles /etc/selinux/netwosix/contexts/files/file_contexts / /usr
> /sbin/setfiles: labeling files under /
> matchpathcon_filespec_eval: hash table stats: 2571 elements, 2559/65536
> buckets used, longest chain length 2
> /sbin/setfiles: labeling files under /usr
> matchpathcon_filespec_eval: hash table stats: 81537 elements,
> 20107/65536 buckets used, longest chain length 10
> /sbin/setfiles: Done.
> #
>
> So I rebooted and when I try to "sysadm_r" I get this:
> # newrole -r sysadm_r
> Couldn't get default type.
> #

Targeted policy doesn't support user roles; it only confines specific
programs, primarily focused on system services. Strict policy is what
you want if you need user roles. In the future, we hope to reduce the
divergence between them so that you can have a targeted system with some
limited user roles.

> But I still haven't read anything about this. Now I'm too happy that
> selinux is enabled and it's working ... after many weeks of patch+patch
> +hack+hack on the new netwosix system :)
>
> Thank you,
>

--
Stephen Smalley
National Security Agency

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 20:42 UTC
To: Stephen Smalley; +Cc: SELinux

On Thu, 15/02/2007 at 15.34 -0500, Stephen Smalley wrote:

> Targeted policy doesn't support user roles; it only confines specific
> programs, primarily focused on system services. Strict policy is what
> you want if you need user roles. In the future, we hope to reduce the
> divergence between them so that you can have a targeted system with some
> limited user roles.

Of course Netwosix will use "strict" policies. So I'm going to start
working on it.

I'll keep you updated.

Thank you,
-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Eric Paris @ 2007-02-15 20:56 UTC
To: vin; +Cc: Stephen Smalley, SELinux

On Thu, 2007-02-15 at 21:42 +0100, Vincenzo Ciaglia wrote:
> On Thu, 15/02/2007 at 15.34 -0500, Stephen Smalley wrote:
>
> > Targeted policy doesn't support user roles; it only confines specific
> > programs, primarily focused on system services. Strict policy is what
> > you want if you need user roles. In the future, we hope to reduce the
> > divergence between them so that you can have a targeted system with some
> > limited user roles.
>
> Of course Netwosix will use "strict" policies. So I'm going to start
> working on it.
>
> I'll keep you updated.
>
> Thank you,
>

Taking a look at your post at netwosix.org I think you should know that
you most likely still have some serious filesystem labeling problems.

Yours:
# ls -Z
drwxr-xr-x root root system_u:object_r:file_t bin
drwxr-xr-x root root system_u:object_r:file_t boot
drwxr-xr-x root root system_u:object_r:file_t cdrom
drwxr-xr-x root root system_u:object_r:tmpfs_t dev

Mine:
#ls -Z
drwxr-xr-x root root system_u:object_r:bin_t bin
drwxr-xr-x root root system_u:object_r:boot_t boot
drwxr-xr-x root root system_u:object_r:device_t dev

Maybe someone else can chime in with the best way to try this again
since it doesn't look to me like the make relabel really got everything
you needed (and I have no idea if your rc.sysinit is patched to pay
attention to /.autorelabel)

-Eric

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-15 20:59 UTC
To: Eric Paris; +Cc: vin, SELinux

On Thu, 2007-02-15 at 15:56 -0500, Eric Paris wrote:
> On Thu, 2007-02-15 at 21:42 +0100, Vincenzo Ciaglia wrote:
> > On Thu, 15/02/2007 at 15.34 -0500, Stephen Smalley wrote:
> >
> > > Targeted policy doesn't support user roles; it only confines specific
> > > programs, primarily focused on system services. Strict policy is what
> > > you want if you need user roles. In the future, we hope to reduce the
> > > divergence between them so that you can have a targeted system with some
> > > limited user roles.
> >
> > Of course Netwosix will use "strict" policies. So I'm going to start
> > working on it.
> >
> > I'll keep you updated.
> >
> > Thank you,
> >
> Taking a look at your post at netwosix.org I think you should know that
> you most likely still have some serious filesystem labeling problems.
>
> Yours:
> # ls -Z
> drwxr-xr-x root root system_u:object_r:file_t bin
> drwxr-xr-x root root system_u:object_r:file_t boot
> drwxr-xr-x root root system_u:object_r:file_t cdrom
> drwxr-xr-x root root system_u:object_r:tmpfs_t dev
>
> Mine:
> #ls -Z
> drwxr-xr-x root root system_u:object_r:bin_t bin
> drwxr-xr-x root root system_u:object_r:boot_t boot
> drwxr-xr-x root root system_u:object_r:device_t dev
>
> Maybe someone else can chime in with the best way to try this again
> since it doesn't look to me like the make relabel really got everything
> you needed (and I have no idea if your rc.sysinit is patched to pay
> attention to /.autorelabel)

Don't know about the /bin and /boot issues, but for /dev, I'd suggest
checking that your udev is built with selinux support enabled. And also
you should do a restorecon -R /dev from rc.sysinit or similar, as there
will be some nodes created before selinux policy gets loaded.

-- 
Stephen Smalley
National Security Agency

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 21:53 UTC
To: Stephen Smalley; +Cc: Eric Paris, SELinux

On Thu, 15/02/2007 at 15.59 -0500, Stephen Smalley wrote:

> Don't know about the /bin and /boot issues, but for /dev, I'd suggest
> checking that your udev is built with selinux support enabled. And also
> you should do a restorecon -R /dev from rc.sysinit or similar, as there
> will be some nodes created before selinux policy gets loaded.

Oops. Attached is the /etc/rc. It's really late here guys.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

[-- Attachment #2: selinux-netwosix.txt --]
[-- Type: text/plain, Size: 1049 bytes --]

# SELinux on Netwosix
# Relabel device nodes created before the policy was loaded.
/sbin/restorecon -R /dev

SELINUX=
if [ -r /selinux/enforce ] ; then
    SELINUX=`cat /selinux/enforce`
else
    # Assume enforcing if the current mode cannot be read.
    SELINUX=1
fi

# Other SELINUX stuff
disable_selinux() {
    echo $"*** Warning -- SELinux is active"
    echo $"*** Disabling security enforcement for system recovery."
    echo $"*** Run 'setenforce 1' to reenable."
    echo "0" > /selinux/enforce
}

relabel_selinux() {
    echo
    echo $"*** Warning -- SELinux policy relabel is required. "
    echo $"*** Disabling security enforcement."
    echo $"*** Relabeling could take a very long time,"
    echo $"*** depending on file system size."
    echo "0" > /selinux/enforce
    /sbin/fixfiles -f -F relabel > /dev/null 2>&1
    rm -f /.autorelabel
    echo "*** Enabling security enforcement. ***"
    # Restore the mode that was in effect before the relabel.
    echo $SELINUX > /selinux/enforce
}

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 21:01 UTC
To: Eric Paris; +Cc: Stephen Smalley, SELinux

On Thu, 15/02/2007 at 15.56 -0500, Eric Paris wrote:

> Maybe someone else can chime in with the best way to try this again
> since it doesn't look to me like the make relabel really got everything
> you needed (and I have no idea if your rc.sysinit is patched to pay
> attention to /.autorelabel)

Yes, I'm just taking a look at the "ls -Z" of my Fedora system and
you're right. I'll pay attention later.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-15 21:47 UTC
To: Eric Paris; +Cc: Stephen Smalley, SELinux

On Thu, 15/02/2007 at 15.56 -0500, Eric Paris wrote:

> Maybe someone else can chime in with the best way to try this again
> since it doesn't look to me like the make relabel really got everything
> you needed (and I have no idea if your rc.sysinit is patched to pay
> attention to /.autorelabel)

Ok, fixed! Attached is the SELINUX portion of my /etc/rc. I think it's
ok but actually it's just working. Here is the result:

# ls -Z
-rw-r--r-- root root system_u:object_r:default_t System.map
drwxr-xr-x root root system_u:object_r:bin_t bin
drwxr-xr-x root root system_u:object_r:boot_t boot
drwxr-xr-x root root system_u:object_r:default_t cdrom
drwxr-xr-x root root system_u:object_r:device_t dev
drwxr-xr-x root root system_u:object_r:etc_t etc
drwxr-xr-x root root system_u:object_r:home_root_t home
drwxr-xr-x root root system_u:object_r:default_t include
drwxr-xr-x root root system_u:object_r:default_t info
drwxr-xr-x root root system_u:object_r:lib_t lib
drwxr-xr-x root root system_u:object_r:default_t libexec
drwx------ root root system_u:object_r:lost_found_t lost+found
drwxr-xr-x root root system_u:object_r:default_t man
drwxr-xr-x root root system_u:object_r:mnt_t mnt
drwxr-xr-x root root system_u:object_r:usr_t opt
dr-xr-xr-x root root system_u:object_r:proc_t proc
drwxr-x--- root root root:object_r:user_home_dir_t root
drwxr-xr-x root root system_u:object_r:sbin_t sbin
drwxr-xr-x root root system_u:object_r:security_t selinux
drwxr-xr-x root root system_u:object_r:default_t share
drwxr-xr-x root root system_u:object_r:sysfs_t sys
drwxrwxrwt root root system_u:object_r:tmp_t tmp
drwxr-xr-x root root system_u:object_r:usr_t usr
drwxr-xr-x root root system_u:object_r:var_t var
-rw-r--r-- root root system_u:object_r:default_t vmlinuz

However I rebuilt the refpolicy with "strict" options and now I get
this:

# newrole -r sysadm_r
Authenticating root.
newrole: incorrect password for root
#

I've been working non-stop for almost 9 hours, so I'm crashing and
unfortunately I have to stop. Tomorrow I'll restart working on it and
maybe I'll fix this. Of course if you want to save my time any help
would be appreciated.

Thank you.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

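The comparison Eric Paris made by eye earlier in the thread ("Yours" against "Mine"), as an added shell example that is not part of any message: it diffs an `ls -Z` listing against a known-good one and also flags `file_t` (no label on disk) and `default_t` (only the catch-all file_contexts entry matched). The sample listings are copied from the two messages; the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the five-column `ls -Z`
# layout shown in the messages:  mode user group user:role:type name

compare_labels() {
    # $1 = reference listing (known-good system), $2 = listing under audit
    awk -v ref="$1" '
        function ctype(c,   p) { split(c, p, ":"); return p[3] }
        function fname(   i, s) {
            s = $5
            for (i = 6; i <= NF; i++) s = s " " $i
            return s
        }
        # Skip prompts, blank lines and anything without a context column.
        NF < 5 || $4 !~ /^[^:]+:[^:]+:[^:]+/ { next }
        # First file: remember the expected type for each name.
        FILENAME == ref { want[fname()] = ctype($4); next }
        {
            n = fname(); t = ctype($4)
            if (t == "file_t")
                print "UNLABELED " n " " t
            else if ((n in want) && want[n] != t)
                print "MISMATCH " n " " t " expected " want[n]
            else if (t == "default_t")
                print "CATCHALL " n " " t
        }' "$1" "$2"
}

sample_reference() {    # Eric's "Mine" listing
cat <<'EOF'
drwxr-xr-x root root system_u:object_r:bin_t bin
drwxr-xr-x root root system_u:object_r:boot_t boot
drwxr-xr-x root root system_u:object_r:device_t dev
EOF
}

sample_before() {       # the "Yours" listing, prompt line included
cat <<'EOF'
# ls -Z
drwxr-xr-x root root system_u:object_r:file_t bin
drwxr-xr-x root root system_u:object_r:file_t boot
drwxr-xr-x root root system_u:object_r:file_t cdrom
drwxr-xr-x root root system_u:object_r:tmpfs_t dev
EOF
}

sample_after() {        # excerpt of the listing posted after the rc fix
cat <<'EOF'
-rw-r--r-- root root system_u:object_r:default_t System.map
drwxr-xr-x root root system_u:object_r:bin_t bin
drwxr-xr-x root root system_u:object_r:boot_t boot
drwxr-xr-x root root system_u:object_r:default_t cdrom
drwxr-xr-x root root system_u:object_r:device_t dev
drwxr-x--- root root root:object_r:user_home_dir_t root
EOF
}

audit() {
    # $1 = name of a function that prints the listing to audit
    ref_file=$(mktemp) && cur_file=$(mktemp) || return 1
    sample_reference > "$ref_file"
    "$1" > "$cur_file"
    compare_labels "$ref_file" "$cur_file"
    rm -f "$ref_file" "$cur_file"
}

echo "before the rc fix:"; audit sample_before
echo "after the rc fix:";  audit sample_after
```

On a live system the two inputs would be `ls -Z /` captured on the reference host and on the host being checked.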
* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-16 12:16 UTC
To: Eric Paris; +Cc: Stephen Smalley, SELinux

On Thu, 15/02/2007 at 22.47 +0100, Vincenzo Ciaglia wrote:
> # newrole -r sysadm_r
> Authenticating root.
> newrole: incorrect password for root
> #

Regarding this problem, I thought it was a PAM problem. So I rebuilt the
package with all the latest Fedora patches and I have created this,
ready to "./configure --with-selinux":
http://www.netwosix.org/selinux/Linux-PAM-selinux-0.99.6.2.tar.gz

Here are the patches applied and pre-built in that package:
http://www.netwosix.org/selinux/pam-0.99.2.1-selinux-nofail.patch
http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-drop-multiple.patch
http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-keycreate.patch
http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-select-context.patch
http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-use-current-range.patch

Moreover I adjusted some configurations in /etc/pam.d to try to do the
trick. Here they are:
http://www.netwosix.org/selinux/pam-seconf.tar.gz
Here are the /etc/security ones:
http://www.netwosix.org/selinux/security-etc.tar.gz
And here is my /lib/security/ :
http://www.netwosix.org/selinux/securitypam-selinux.tar.gz

Everything is ok but when I reboot I get this:

[vciaglia@desk ~]$ ssh -l root 192.168.0.4
root@192.168.0.4's password:
# id -Z
root:sysadm_r:sysadm_t
# newrole -r sysadm_r
Authenticating root.
newrole: incorrect password for root
# useradd -m test
useradd: PAM authentication failed
#

Is it still a PAM problem or do I have some misconfigurations?

Thank you in advance!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-16 15:13 UTC
To: vin; +Cc: Eric Paris, SELinux

On Fri, 2007-02-16 at 13:16 +0100, Vincenzo Ciaglia wrote:
> On Thu, 15/02/2007 at 22.47 +0100, Vincenzo Ciaglia wrote:
> > # newrole -r sysadm_r
> > Authenticating root.
> > newrole: incorrect password for root
> > #
>
> Regarding this problem, I thought it was a PAM problem.

Yes, IIRC, typically this indicates that your pam_unix doesn't fall back
cleanly to the chkpwd helper when it cannot directly read /etc/shadow,
and just fails. The original pam_unix logic was to only perform such a
fallback if the caller was not uid 0, but that had to be changed for
selinux since even a uid 0 process might not be allowed to directly
read /etc/shadow under selinux.

> So I rebuilt the
> package with all the latest Fedora patches and I have created this,
> ready to "./configure --with-selinux":
> http://www.netwosix.org/selinux/Linux-PAM-selinux-0.99.6.2.tar.gz
>
> Here are the patches applied and pre-built in that package:
> http://www.netwosix.org/selinux/pam-0.99.2.1-selinux-nofail.patch
> http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-drop-multiple.patch
> http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-keycreate.patch
> http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-select-context.patch
> http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-use-current-range.patch
>
> Moreover I adjusted some configurations in /etc/pam.d to try to do the
> trick. Here they are:
> http://www.netwosix.org/selinux/pam-seconf.tar.gz
> Here are the /etc/security ones:
> http://www.netwosix.org/selinux/security-etc.tar.gz
> And here is my /lib/security/ :
> http://www.netwosix.org/selinux/securitypam-selinux.tar.gz
>
> Everything is ok but when I reboot I get this:
>
> [vciaglia@desk ~]$ ssh -l root 192.168.0.4
> root@192.168.0.4's password:
> # id -Z
> root:sysadm_r:sysadm_t
> # newrole -r sysadm_r
> Authenticating root.
> newrole: incorrect password for root
> # useradd -m test
> useradd: PAM authentication failed
> #
>
> Is it still a PAM problem or do I have some misconfigurations?

Likely an issue with your pam, but I haven't looked at your packages
yet.

-- 
Stephen Smalley
National Security Agency

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-16 16:44 UTC
To: Stephen Smalley; +Cc: Eric Paris, SELinux

On Fri, 16/02/2007 at 10.13 -0500, Stephen Smalley wrote:

> Likely an issue with your pam, but I haven't looked at your packages
> yet.

Could be a policycoreutils problem too?

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-16 17:04 UTC
To: vin; +Cc: Eric Paris, SELinux

On Fri, 2007-02-16 at 17:44 +0100, Vincenzo Ciaglia wrote:
> On Fri, 16/02/2007 at 10.13 -0500, Stephen Smalley wrote:
>
> > Likely an issue with your pam, but I haven't looked at your packages
> > yet.
>
> Could be a policycoreutils problem too?

If it were only newrole failing, then yes. But you showed useradd
failing too, which isn't provided or affected by policycoreutils.

Note however that you do need to build newrole on a system with
pam-devel or equivalent installed, as the Makefile looks
for /usr/include/security/pam_appl.h and disables PAM support if it
isn't present. And if you want audit and/or namespace support, you need
to build newrole with the appropriate options.

-- 
Stephen Smalley
National Security Agency

* Re: SELinux and LFS
From: Vincenzo Ciaglia @ 2007-02-16 17:52 UTC
To: Stephen Smalley; +Cc: Eric Paris, SELinux

On Fri, 16/02/2007 at 12.04 -0500, Stephen Smalley wrote:

> Note however that you do need to build newrole on a system with
> pam-devel or equivalent installed, as the Makefile looks
> for /usr/include/security/pam_appl.h and disables PAM support if it
> isn't present.

Done! I just recompiled the policycoreutils after I rebuilt shadow and
pam and:

# id -Z
root:sysadm_r:sysadm_t
# newrole -r sysadm_r
Authenticating root.
Password:
# id -Z
root:sysadm_r:sysadm_t

Can I assign to the user "root" the staff_r:staff_t, so I can force him
to "newrole -r sysadm_r" to make something on the system? Do I have to
edit the "$policy/users/local.users"?

Unfortunately I still have to solve some problem with pam here:
# useradd -m test
useradd: PAM authentication failed

Just going crazy, today :)

Thank you!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

* Re: SELinux and LFS
From: Stephen Smalley @ 2007-02-16 17:55 UTC
To: vin; +Cc: Eric Paris, SELinux

On Fri, 2007-02-16 at 18:52 +0100, Vincenzo Ciaglia wrote:
> On Fri, 16/02/2007 at 12.04 -0500, Stephen Smalley wrote:
>
> > Note however that you do need to build newrole on a system with
> > pam-devel or equivalent installed, as the Makefile looks
> > for /usr/include/security/pam_appl.h and disables PAM support if it
> > isn't present.
>
> Done! I just recompiled the policycoreutils after I rebuilt shadow and
> pam and:
>
> # id -Z
> root:sysadm_r:sysadm_t
> # newrole -r sysadm_r
> Authenticating root.
> Password:
> # id -Z
> root:sysadm_r:sysadm_t

Not too exciting since you were already in sysadm_r to start with.

> Can I assign to the user "root" the staff_r:staff_t, so I can force him
> to "newrole -r sysadm_r" to make something on the system? Do I have to
> edit the "$policy/users/local.users"?

If in enforcing mode and the ssh_sysadm_login boolean is off, this
should already be the case for ssh logins. You can also adjust the
ordering in $policy/contexts/users/root (root-specific) or
$policy/contexts/default_contexts (system-wide defaults). First field of
each line is the context of the daemon process (e.g. sshd), remainder of
the line is a list of partial contexts in the preferred ordering of
selection.

-- 
Stephen Smalley
National Security Agency

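The ordering rule Stephen describes for `contexts/users/root` and `contexts/default_contexts`, as an added shell example that is not part of the thread and is not libselinux code. It is a simplified model: the caller passes in the contexts the user can reach (this is where enforcing mode and `ssh_sysadm_login` take effect), the per-user file is consulted before the system-wide one, and the file contents and the `root.staff_first` file name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. File format as described above:
#   field 1      partial context (role:type) of the login daemon
#   fields 2..n  candidate partial contexts, most preferred first
# The first candidate that the user can actually reach is selected.

pick_login_context() {
    # $1   = daemon partial context, e.g. system_r:sshd_t
    # $2   = space-separated contexts reachable for this user from $1
    # $3.. = config files in lookup order (per-user file, then system-wide)
    daemon=$1
    reachable=$2
    shift 2
    for cfg in "$@"; do
        [ -r "$cfg" ] || continue
        choice=$(awk -v d="$daemon" -v r="$reachable" '
            BEGIN { n = split(r, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
            /^[ \t]*(#|$)/ { next }                 # comments and blank lines
            $1 == d {
                for (i = 2; i <= NF; i++)
                    if ($i in ok) { print $i; exit }
            }' "$cfg")
        if [ -n "$choice" ]; then
            printf '%s\n' "$choice"
            return 0
        fi
    done
    return 1    # no entry matched in any file
}

write_samples() {
    # Constructed sample files, not copied from a real policy.
    mkdir -p "$1/users"
    cat > "$1/default_contexts" <<'EOF'
# daemon context        candidates, most preferred first
system_r:sshd_t         user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:local_login_t  staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
EOF
    cat > "$1/users/root" <<'EOF'
system_r:sshd_t         sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
EOF
    # Same entry with staff_r moved to the front (hypothetical file name).
    cat > "$1/users/root.staff_first" <<'EOF'
system_r:sshd_t         staff_r:staff_t sysadm_r:sysadm_t user_r:user_t
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    all="sysadm_r:sysadm_t staff_r:staff_t user_r:user_t"
    no_sysadm="staff_r:staff_t user_r:user_t"   # sysadm_t not reachable from sshd

    printf 'sysadm listed first, sysadm reachable:  %s\n' \
        "$(pick_login_context system_r:sshd_t "$all" "$dir/users/root" "$dir/default_contexts")"
    printf 'sysadm listed first, sysadm blocked:    %s\n' \
        "$(pick_login_context system_r:sshd_t "$no_sysadm" "$dir/users/root" "$dir/default_contexts")"
    printf 'staff listed first, sysadm reachable:   %s\n' \
        "$(pick_login_context system_r:sshd_t "$all" "$dir/users/root.staff_first" "$dir/default_contexts")"
    printf 'console login, no root-specific entry:  %s\n' \
        "$(pick_login_context system_r:local_login_t "$all" "$dir/users/root" "$dir/default_contexts")"
    rm -rf "$dir"
}

demo
```

The first and third lines of output differ only because of the ordering in the root-specific file, which is the adjustment suggested in the reply above.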
* SELinux and LFS
From: Nick Gray @ 2003-05-07 16:02 UTC
To: selinux

All,

I introduced myself several months back. I work on a MLS project for the
ONI. We have been evaluating SELinux for a while. A couple of months ago
I raised a question, within our group, about the viability of using
RedHat as a base for a secure system. I believe that certification of a
system based on a (almost any) distribution would be rather difficult to
achieve. This coupled with the fact that a Redhat server that was under
scrutiny here at the lab, continued to contact Redhat via HTTPS despite
my efforts to remove the software responsible. I actually found circular
dependencies in the packages.

This led me to the question, Does anyone remember when we used to build
these things from scratch?

In answer to that question, I found a web site which I have been playing
with for the last couple of weeks called appropriately enough "Linux
from Scratch". So far I have been able to use LFS as the starting point
for a CDROM based Linux gateway/firewall. I started a build of SELinux
on a LFS system, but had several problems including discovering what I
believe are a couple bugs in the code. I have put it aside for the
moment to work on a couple of other things, but I will return to this
when I get the chance. I am interested in whether anyone on the list has
used this as the starting point for SELinux and what the results were.

In the next day or so I will post the problem I found in the makefile.
Perhaps it is either a known issue or doesn't come up on Redhat based
systems. In a separate post I will address a problem I found in string.h
(as soon as I get a chance to figure out what the problem is).

Don't get me wrong, I have nothing against Redhat. I'm just not sure
that I could keep a straight face when placing this in front of the
accreditors.

Any comments/discussion would be appreciated.

Nick Gray
Senior Network Engineer
Bruzenak Inc.

* Re: SELinux and LFS
From: Russell Coker @ 2003-05-07 17:43 UTC
To: Nick Gray, selinux

On Thu, 8 May 2003 02:02, Nick Gray wrote:
> I raised a question, within our group, about the viability of using
> RedHat as a base for a secure system. I believe that certification of a

Considered Debian?

> system based on a (almost any) distribution would be rather difficult to
> achieve. This coupled with the fact that a Redhat server that was under
> scrutiny here at the lab, continued to contact Redhat via HTTPS despite
> my efforts to remove the software responsible. I actually found circular
> dependencies in the packages.

Debian has no such "features", and is in a fairly good state with regard
to circular dependencies.

For building a Debian system from source there are some dependency
issues. For example you can't build packages in a regular fashion
without Perl, and Perl needs a huge number of other things to be built
before it can be built.

Doing a cross-compile bootstrap of Debian will be painful because of
this. But recompiling every package in a Debian system should be quite
easy (on i486 and newer CPUs at least).

> which I have been playing with for the last couple of weeks called
> appropriately enough "Linux from Scratch" so far I have been able to use

Some people on this list have been talking about getting SE Linux going
with Gentoo which is based on compiling everything. I wonder how their
progress is going.

> LFS as the starting point for a CDROM based Linux gateway/firewall. I
> started a build of SELinux on a LFS system, but had several problems
> including discovering what I believe are a couple bugs in the code. I

Which code do you suspect to contain bugs? SE code or LFS?

> In the next day or so I will post the problem I found in the makefile.
> Perhaps it is either a known issue or doesn't come up on Redhat based
> systems. In a separate post I will address a problem I found in string.h
> (as soon as I get a chance to figure out what the problem is)

What version of libc6 was used for the headers? Some of my programs used
to have problems with older libc6 header files for string.h and other
things.

> Don't get me wrong, I have nothing against Redhat. I'm just not sure
> that I could keep a straight face when placing this in front of the
> accreditors.

If there is anything I can do to make Debian more suitable for such
things then please let me know. Subject to the constraint of having
almost no free time I'll do what I can.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

* Re: SELinux and LFS
From: Richard Troth @ 2003-05-07 19:03 UTC
To: Russell Coker; +Cc: Nick Gray, selinux

> Considered Debian?

Good point. For my own "Linux from scratch", Debian has proved to be a
vital source depot and reference.

...
> > my efforts to remove the software responsible. I actually found circular
> > dependencies in the packages.
>
> Debian has no such "features", and is in a fairly good state with regard to
> circular dependencies.
>
> For building a Debian system from source there are some dependency issues.
> For example you can't build packages in a regular fashion without Perl, and
> Perl needs a huge number of other things to be built before it can be built.

Right. For the "tool chain", you need GCC, GLIBC, and a smattering few
other development tools. But one or two of those (in my experience, not
exhaustively scientific) required Perl for their auto config. [sigh] So
the basic tool chain racked up to 28 packages. That was enough to give
me a usable 'chroot' where I could re-build the same 28 and then build
anything else.

> Doing a cross-compile bootstrap of Debian will be painful because of this.
> But recompiling every package in a Debian system should be quite easy (on
> i486 and newer CPUs at least).

[Mine is not related to SE.] I still haven't figured out Debian's build
process. I'm trying to stick to the usual

    ./configure
    make
    make install

though a good number of packages need an explicit "--prefix=/usr".

> Some people on this list have been talking about getting SE Linux going
> with Gentoo which is based on compiling everything. I wonder how their
> progress is going.

Yes. Gentoo is recommended by many hard-core bootstrappers.

-- RMT

* RE: SELinux and LFS
From: Keith Bottner @ 2003-05-07 18:09 UTC
To: 'Nick Gray', selinux

Nick,

I think this is a great idea. I am very interested in your results. I
have been thinking of doing something similar but as of yet have had no
time to pursue it.

Please keep us informed of your progress.

Keith Bottner
kbottner@istation.com

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Nick Gray
Sent: Wednesday, May 07, 2003 11:03 AM
To: selinux@tycho.nsa.gov
Subject: SELinux and LFS

All,

I introduced myself several months back. I work on a MLS project for the
ONI. We have been evaluating SELinux for a while. A couple of months ago
I raised a question, within our group, about the viability of using
RedHat as a base for a secure system. I believe that certification of a
system based on a (almost any) distribution would be rather difficult to
achieve. This coupled with the fact that a Redhat server that was under
scrutiny here at the lab, continued to contact Redhat via HTTPS despite
my efforts to remove the software responsible. I actually found circular
dependencies in the packages.

This led me to the question, Does anyone remember when we used to build
these things from scratch?

In answer to that question, I found a web site which I have been playing
with for the last couple of weeks called appropriately enough "Linux
from Scratch". So far I have been able to use LFS as the starting point
for a CDROM based Linux gateway/firewall. I started a build of SELinux
on a LFS system, but had several problems including discovering what I
believe are a couple bugs in the code. I have put it aside for the
moment to work on a couple of other things, but I will return to this
when I get the chance. I am interested in whether anyone on the list has
used this as the starting point for SELinux and what the results were.

In the next day or so I will post the problem I found in the makefile.
Perhaps it is either a known issue or doesn't come up on Redhat based
systems. In a separate post I will address a problem I found in string.h
(as soon as I get a chance to figure out what the problem is).

Don't get me wrong, I have nothing against Redhat. I'm just not sure
that I could keep a straight face when placing this in front of the
accreditors.

Any comments/discussion would be appreciated.

Nick Gray
Senior Network Engineer
Bruzenak Inc.

* Re: SELinux and LFS
  2003-05-07 16:02 Nick Gray
  2003-05-07 17:43 ` Russell Coker
  2003-05-07 18:09 ` Keith Bottner
@ 2003-05-07 21:01 ` ccallen
  2 siblings, 0 replies; 34+ messages in thread
From: ccallen @ 2003-05-07 21:01 UTC
To: selinux; +Cc: nagray

I have been working on the same kind of thing and wanted to ask the same question. My goal has been to create a minimal dist (like the linux router project) that has just what's needed (http & smtp for now), and boots from a cd (like a rescue / boot disk). If my system does get hacked or out of whack, it can just be rebooted. Selinux would be used to protect the system in memory (on a ram disk), and protect any working files on disk (logs, databases, etc).

For a gui I want to use motif. The gui is not for a production dist but for configuring and building the dist. However it could be on the production machine (run from the hard drive, not on a ram disk). I built some motif configuration management tools that would work for this project. Although I have them on an HP DAT tape and don't have a tape drive, so I can't read the data :( Is there anyone in the Bellevue / Redmond area who has one of these drives I could use to read the source code off with?

I started with the boot disk howto and Linux Router Project, and eventually stumbled across the LFS project. The LFS looks to have a bunch of LFS specific unix utilities; I wasn't sure if they would be compatible with selinux. All I wanted was a list of essential files and steps to build and configure a minimal linux system. Then I could pull these files from redhat so it would be compatible with selinux.

The author of the boot-disk howto created a tool, Yard, that looks like it does what I have in mind.

http://www.croftj.net/~fawcett/yard/index.html

I decided to start with yard and build on that. There are many other boot disk tools like yard, but Yard looks like it's as good as any. If you're interested I can track down some of the links I came across.

Conan

----- Original Message -----
From: "Nick Gray" <nagray@austin.rr.com>
To: <selinux@tycho.nsa.gov>
Sent: Wednesday, May 07, 2003 9:02 AM
Subject: SELinux and LFS

All,

I introduced myself several months back. I work on a MLS project for the ONI. We have been evaluating SELinux for a while. A couple of months ago I raised a question, within our group, about the viability of using RedHat as a base for a secure system. I believe that certification of a system based on a (almost any) distribution would be rather difficult to achieve. This coupled with the fact that a Redhat server that was under scrutiny here at the lab continued to contact Redhat via HTTPS despite my efforts to remove the software responsible. I actually found circular dependencies in the packages.

This led me to the question: does anyone remember when we used to build these things from scratch? In answer to that question, I found a web site which I have been playing with for the last couple of weeks called, appropriately enough, "Linux from Scratch". So far I have been able to use LFS as the starting point for a CDROM based Linux gateway/firewall. I started a build of SELinux on a LFS system, but had several problems, including discovering what I believe are a couple of bugs in the code. I have put it aside for the moment to work on a couple of other things, but I will return to this when I get the chance.

I am interested in whether anyone on the list has used this as the starting point for SELinux and what the results were. In the next day or so I will post the problem I found in the makefile. Perhaps it is either a known issue or doesn't come up on Redhat based systems. In a separate post I will address a problem I found in string.h (as soon as I get a chance to figure out what the problem is).

Don't get me wrong, I have nothing against Redhat. I'm just not sure that I could keep a straight face when placing this in front of the accreditors.

Any comments/discussion would be appreciated.

Nick Gray
Senior Network Engineer
Bruzenak Inc.