The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. This release contains bug fixes and
additional policy domains and permissions. The capability module may
now be stacked with SELinux. The base for SELinux has been updated to
the lsm-2001_10_11 patch against kernel 2.4.12.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
A few additional notes about this release:
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
On Wed, 2001-10-17 at 08:05, Stephen Smalley wrote:
>
> A few additional notes about this release:
>
> 1) A new run_init utility program and domain have been created to allow
> administrators to run the init scripts with the appropriate security
> context (e.g. to restart daemons) in a secure manner. This was requested
> by several SELinux users. See the updated README, utils/run_init, and
> utils/appconfig/initrc_context.
If you are not using PAM it didn't compile so I just moved
#define CONTEXT_FILE .....
out of the ifdef PAM block in run_init.c, FYI.
Also newrole.c line 412 almost certainly has an error.
I changed
if ( !authenticate_via_shadow_passwd(d p_passwd_line) ) {
to
if ( !authenticate_via_shadow_passwd(p_passwd_line) ) {
Also, I have integrated this with a Slackware 8.0 firewall that is re-exporting nfs filesystems to samba for windows clients. It is also running dhcp. I have created iptables, dhcpd, and samba domains. I also had to change a huge amount of file_contexts. It is working fine as a production server. I am very pleased with selinux.
J
From: Stephen Smalley <sds_at_tislabs.com>
On 18 Oct 2001, J wrote:
> If you are not using PAM it didn't compile so I just moved
<snip>
> Also newrole.c line 412 almost certainly has an error
<snip>
Yes, sorry about that. The fixes for using run_init and newrole when not using PAM didn't make it in prior to cutting this release. The attached patch fixes these errors and makes a few other minor changes. To apply, save it to ~/shadow.patch, change to your selinux directory, and run 'patch -p1 < ~/shadow.patch'. This patch is relative to the sources in the release.
> Also, I have integrated this with a Slackware 8.0 firewall
> that is re-exporting nfs filesystems to samba for windows clients.
> It is also running dhcp. I have created iptables, dhcpd, and samba
> domains. I also had to change a huge amount of file_contexts. It is
> working fine as a production server. I am very pleased with selinux.
Glad to hear that SELinux is working well for you. If you are willing to share your policy customizations, we would be interested in seeing them. If they aren't too specific to your particular setup, we might roll them into the example policy in the distribution. Even if they are very specific to your setup, it might still be good to make them available for reference by others, perhaps on the sourceforge selinux project site.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
- TEXT/PLAIN attachment: shadow.patch