Gentoo Archives: gentoo-hardened

From: Chris PeBenito <pebenito@g.o>
To: Hardened Gentoo Mail List <gentoo-hardened@l.g.o>
Subject: Re: [gentoo-hardened] SELinux updates
Date: Mon, 06 Sep 2004 15:53:17
Message-Id: 1094485987.11718.39.camel@gorn.pebenito.net
In Reply to: Re: [gentoo-hardened] SELinux updates by Chris PeBenito
Oops, the order matters on this. You shouldn't reboot till the end:

1. merge new kernel sources (hardened-(dev-)sources users)
2. compile and install new kernel (hardened-(dev-)sources users)
3. merge selinux-base-policy-20040702 and etc-update
4. cd /etc/security/selinux/src/policy && make clean install
5. reboot

On Sun, 2004-09-05 at 10:16, Chris PeBenito wrote:
> I have unmasked hardened-sources-2.4.27-r2,
> hardened-dev-sources-2.6.7-r8, and selinux-base-policy-20040702 for the
> SELinux headers update. Since my last email was a long time ago, I
> copied the relevant portion at the bottom. The 20040702 policy is the
> same as 20040629, except with the headers update, so if you are up to
> date on policy, it should be a trivial policy update. The headers are
> in the flask directory of the policy.
>
> On Sun, 2004-06-27 at 12:07, Chris PeBenito wrote:
> > * The 2.6.8 kernel will have some new SELinux classes for security
> > enhanced X. The problem is that these will collide with our PaX
> > support. This means that the kernel and the policy will have to be
> > updated at the same time, as the kernel will not load a policy whose
> > headers don't match its own. When 2.6.8 comes out, I will put out a
> > policy with the new headers, and also bump all kernels that have the
> > PaX SELinux hooks. Fortunately the PaX SELinux headers have been
> > accepted upstream, so this won't happen again. 2.6.8 will also bring
> > policy version 18, since fine-grained netlink socket support has been
> > added.
>
> If you don't reboot (with the updated kernel if relevant), you will get
> this error:
>
> security: the value of class pax changed
> security: the definition of an existing class changed
>
> The policy load will fail.
--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
RE: [gentoo-hardened] SELinux updates Richard Simpson <richard.simpson@×××××.com>