SELinux Mailing List
subject: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Tue, 27 Nov 2001 22:20:05 +0100

What is probably of more interest to you is the locations that I've put
header files in, here's what I'm currently installing:
I would like some feedback from the authors of what they think about these locations. I will not put the include files in /usr/local, but I am open to suggestions of other ways of arranging them under /usr/include. Also it would be convenient for people who are developing distributions if there was a suggested location for header files that worked with the LSB directory scheme...
Subject: Re: SE Linux packages of login, sshd, tar, stat, findutils,
fileutils, and [xkg]dm
On Tue, 27 Nov 2001 17:41, Giacomo Catenazzi wrote:
> > PS I hope to have some test packages of SE-Linux enabled utilities on
> > http://www.coker.com.au/selinux/ within 24 hours, and a complete set of
> > SE-Linux Debian packages (apart from [xkg]dm) within a week.
>
> do you need some help?

Yes! Firstly check out http://www.coker.com.au/selinux/ . Please test compiling all the source first. First compile the kernel-patch package (it's a build dependency for libselinux-dev which everything else build-depends on). After installing it build the libselinux-dev and then build the stat package. Then of course you can't do anything without having a kernel to boot (which is easily done) and a login package to allow you to login (which I haven't packaged yet).

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Wed, 28 Nov 2001 08:28:24 -0500 (EST)

On Tue, 27 Nov 2001, Russell Coker wrote:
> What is probably of more interest to you is the locations that I've put

Well, this will naturally break the build of all of the userland components of SELinux. Why do you need to change the installation directories from what we use?

> /usr/include/linux/flask

This change is probably harmless for building the userland components, since the same #include directives will still work (#include <linux/flask/foo.h>). But what about the <linux/asm-i386/unistd.h> and the <linux/asm-i386/flask/unistd.h> files? These are also needed for building the userland components.

> /usr/include/selinux

This change will require changes to the userland components of SELinux, and I'm not planning on making these changes to our distribution unless there is a real justification. What's wrong with /usr/local/selinux/include?

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

From: Russell Coker <russell_at_coker.com.au>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Thu, 29 Nov 2001 13:37:02 +0100

Because no package is allowed to put files in /usr/local !
> > /usr/include/linux/flask

That's the plan.

> But what about the <linux/asm-i386/unistd.h>

I'm not sure which is the best solution for that yet.

> > /usr/include/selinux

It conflicts with the FHS. See section 4.5 and in particular 4.5.1:

    This directory should always be empty after first installing a
    FHS-compliant system. No exceptions to this rule should be made other
    than the listed directory stubs.

So I could create a /usr/local/selinux directory which is empty if necessary, but I can not put any files in it!

You will have the same issue with getting SE-Linux into any other major distribution. Although Slackware would probably make an exception for it. Also Sun ships Solaris packages containing files in /usr/local so they would probably be happy to do so for their Qube and Raq machines too.

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Thu, 29 Nov 2001 08:27:45 -0500 (EST)

On Thu, 29 Nov 2001, Russell Coker wrote:
> Because no package is allowed to put files in /usr/local !

Well, I suppose that this makes sense for packages that are intended to be installed as part of the base Debian system. But won't your SELinux packages be optional components to be installed after a base install? And if so, then is it really forbidden to use /usr/local?

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

From: Russell Coker <russell_at_coker.com.au>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Thu, 29 Nov 2001 17:02:54 +0100

It's forbidden for any Debian packages to put files there for any reason. Whether a package is optional or required makes no difference.

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Thu, 29 Nov 2001 13:14:48 -0500 (EST)

On Thu, 29 Nov 2001, Russell Coker wrote:
> It's forbidden for any Debian packages to put files there for any reason.

Well, maybe we can work toward making our /usr/local/selinux hierarchy and the builds for the userland SELinux components more easily relocatable. If you can contribute suggestions and patches to help with this task, that would be useful. Otherwise, I'm not sure when we'll get to it.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

From: Flood Randy Capt AFCA/TCAA <randy.flood_at_scott.af.mil>
subject: RE: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Thu, 29 Nov 2001 11:08:00 -0600

This seems to be a flaw with the Debian distribution then. Doesn't the Linux filesystems standard (or whatever it's called) specify that software should be installed there?

-----Original Message-----
On Thu, 29 Nov 2001 14:27, Stephen Smalley wrote:
It's forbidden for any Debian packages to put files there for any reason. Whether a package is optional or required makes no difference.

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

From: Jose Nazario <jose_at_biocserver.bioc.cwru.edu>
subject: RE: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Thu, 29 Nov 2001 13:04:37 -0500 (EST)

> This seems to be a flaw with the Debian distribution then. Doesn't

http://www.pathname.com/fhs/2.0/fhs-toc.html

for /usr/local:
http://www.pathname.com/fhs/2.0/fhs-4.6.html

the openbsd hier page is at
it would seem to come down to "is selinux the base system or an add on?" the distribution model of selinux would indicate that it's an add on, as it's not a full fledged distribution.

<opinion>
if debian wants it someplace else, have locally available patches. please don't attempt to apply such standards to everyone else. thank you. it is, after all, why you're a different distro.

$ cat disclaimer.h
#ifndef FLAMESUIT
#define FLAMESUIT 1
#endif

i am in no way connected to the SELinux team. i just use it and have a longstanding interest in both filesystem hierarchies, the UNIX model (and Linux deviances from it), and trusted OSes. i am speaking only for myself.

/* EOF */
</opinion>

jose nazario    jose@cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

From: Achim D. Brucker <brucker_at_informatik.uni-freiburg.de>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Thu, 29 Nov 2001 20:48:05 +0100

Best wishes
Achim

--
Achim D. Brucker, brucker@informatik.uni-freiburg.de
http://www.informatik.uni-freiburg.de/~brucker
pgp-key on request: send mail with subject: public-key
Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer

From: Russell Coker <russell_at_coker.com.au>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Fri, 30 Nov 2001 20:13:14 +0100

Please read the specs. Software installed by "make install" or equivalent belongs in /usr/local, software installed in packages as part of the OS belongs elsewhere. My aim is to produce packages of SE-Linux for Debian not to write a wrapper around "make install" (if the latter was my aim I'd have completed it long ago and moved on to other projects).

On Thu, 29 Nov 2001 19:04, Jose Nazario wrote:
It's an add on if it's installed by "make install". It's part of the base system if it's installed by dpkg or dselect. If we use your logic then almost everything is an add-on and everything will be in /usr/local...
> <opinion>

Yes, Debian is the distribution that most closely follows standards such as the FHS (FSSTD) and the LSB. Anyone who wants to write software that is incompatible with such standards is free to do so. It'll limit acceptance of their software. Then of course if we can't get agreement between all the distributions (Debian, Red Hat, SUSE, etc) on how to change such software to make it comply to relevant standards then everyone will suffer.

On Thu, 29 Nov 2001 20:48, Achim D. Brucker wrote:
Absolutely!
> package controlled through the packet manager is allowed to put files in

I think that the risk of the package manager breaking what the administrator does is just as great. Sometimes I want to have two copies of the same program installed, a package and a custom version in /usr/local.

> Personally I like this very much and it perfectly conforms

Also conforms to common practise over the last 10+ years.

> When I remember correctly, the packages officially distributed by Suse or

Yes. Sun is the only vendor I've come across that ships packages that mess with /usr/local. They seem to think that a Sun package of bash for Solaris 2.6 (distributed from a Sun web site) should install to /usr/local/bin while a package for Solaris 8.0 (distributed on the install CDs) should be in /bin. This sort of thing really sucks when you are trying to manage a network.

> When SE-Linux is included in Debian (which I wish), it has to play the

Absolutely!

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

From: Tom <tom_at_lemuria.org>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Fri, 30 Nov 2001 23:17:36 +0100

OpenBSD also does this. bash is in /usr/local/bin even though it's not a port or a 3rd party piece, but an official package. I agree on that not being good practice. I don't know that rationale for these, though.

--
http://web.lemuria.org/pubkey.html
pub 1024D/D88D35A6 2001-11-14 Tom Vogt <tom@lemuria.org>
Key fingerprint = 276B B7BB E4D8 FCCE DB8F F965 310B 811A D88D 35A6

From: Jesse Pollard <jesse_at_cats-chateau.net>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Fri, 30 Nov 2001 18:46:36 -0600

I can give a rationale, but can't promise it as the real one...

These "packages" are NOT part of Solaris. They are "contributed" packages that may not be upgraded, may not be patched, nor are they required to even work. The /bin and friends are part of Solaris. If they cause security problems, then Sun is obliged to provide patches/updates. Not so for /usr/local. If there's a problem, you remove or don't install them. The stuff in /usr/local is not contractually maintained....

From: Russell Coker <russell_at_coker.com.au>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Sat, 1 Dec 2001 10:00:45 +0100

When an important security related package such as syslogd has a bug that allows it to be killed by users (or remotely killed if listening to the network) it's still not serious enough for Sun to fix it. Solaris 2.6 syslogd has been known as buggy for years and Sun have announced plans to never fix it.

I'm sure that the contrib packages will get updated when there's an upstream fix for a security issue. I can't see any difference between the packages for /bin and the packages for /usr/local/bin in this regard. If anything the ones in /usr/local/bin have better support I think.

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

From: Jesse Pollard <jesse_at_cats-chateau.net>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Sat, 1 Dec 2001 07:11:11 -0600

I don't believe Sun is supporting 2.6 at all now. You will have to update the OS to get any fixes. Unless some volunteer at Sun (or elsewhere) updates the "contributed" packages they won't be updated at all. The difference is that Sun doesn't pay employees to work on packages for /usr/local. They do pay for the core distribution.

From: Dale Amon <amon_at_vnl.com>
subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Mon, 17 Dec 2001 16:48:27 +0000

Rich: have you seen this? I'd rather match my solution to yours rather than go reinventing wheels. In case you didn't read the earlier posting, in the selinux utils install ssh is looking for libwrap during a .configure and dying. sid dist has libwrap0 which I already have installed.
--
Nuke bin Laden:           Dale Amon, CEO/MD
improve the global        Islandone Society
gene pool.                www.islandone.org
--

subject: Re: Fwd: Re: SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm
Date: Mon, 17 Dec 2001 21:30:47 +0100

It does exist though.
> In case you didn't read the earlier posting, in the

What about libwrap0-dev? libwrap0-dev is what you need to compile programs that use TCP wrappers.

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |











