On Fri, May 20, 2016 at 11:23 PM, Ralph Sanchez wrote:
> I tried setenforce and what not, but they simply returned that SELinux
> was not enabled.
Can you post your GRUB configuration?
Brandon Vincent
I installed SELinux, as described in the debian wiki, activated it per
directions, did my reboot (It did the second reboot as it said it
would, although didn't take much extra time as it says it will) and
performed the operation check-selinux-installation. The output in my
console was as fo
On Mon, 4 May 2015, Paul Wise wrote:
> On Mon, May 4, 2015 at 12:20 AM, Bart-Jan Vrielink wrote:
> > Where can I find a suitable policy? The package selinux-policy-default is
> > no longer available, and I cannot find a suitable replacement in
> > Jessie/main.
>
> The
On Mon, May 4, 2015 at 12:20 AM, Bart-Jan Vrielink wrote:
> Where can I find a suitable policy? The package selinux-policy-default is no
> longer available, and I cannot find a suitable replacement in Jessie/main.
The package was removed before jessie as it had release critical bugs
Hello,
Where can I find a suitable policy? The package selinux-policy-default is no
longer available, and I cannot find a suitable replacement in Jessie/main.
Regards,
Bart-Jan Vrielink
> Have you tried upgrading to the latest selinux-policy-default package
> (2:2.20110726-10)?
Yes! That solved it, thanks!
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Arch
On Mon, Sep 10, 2012 at 01:01:16PM +0200, Kees de Jong wrote:
> Anyone please?
I think this is the bug #68376 that was fixed a few days ago:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683756
Have you tried upgrading to the latest selinux-policy-default package
(2:2.20110726-10)?
--
On Mon, Aug 27, 2012 at 5:08 PM, Kees de Jong wrote:
>
> Hi all,
>
>
>
> I hope this is the appropriate list to ask this question, otherwise I
> would appreciate if someone could direct me to the correct list. I've
> enabled SELinux on my Debian Wheezy virtual machine
Hi all,
I hope this is the appropriate list to ask this question, otherwise I
would appreciate if someone could direct me to the correct list. I've
enabled SELinux on my Debian Wheezy virtual machine. And I've followed
all the steps in the Debian SELinux wiki [1]. So to clarify I ad
Hello again,
I installed a fresh Squeeze in a VM and activated SELinux as the wiki
page recommends. It works just fine (including DHCP - I tried the
default packages in Squeeze, didn't try Russell's since everything
worked anyway), with just a few caveats:
- bootmisc.sh doesn
> > intrusive - not sure if it's even possible to use SELinux at the same
> > time). I don't mean this in a bad way, grsecurity seems to boost kernel
> > security quite a bit
>
> Meanwhile you don't enable the RBAC part of the grsecurity patch you can
> u
On 31/12/11 12:24, Laurentiu Pancescu wrote:
>
> I think now only grsecurity is available in Debian, providing similar
> functionality (it does much more than exec-shield, but it's also more
> intrusive - not sure if it's even possible to use SELinux at the same
> time
On 12/31/11 13:00 , Russell Coker wrote:
On Sat, 31 Dec 2011, Laurentiu Pancescu wrote:
effective). I tested Exec-shield in Debian a few years ago, with and
without SELinux, it makes a big difference:
I just did a quick test on an i386 system with PAE running a 686 Squeeze
kernel.
I just
t in a Squeeze update
Frankly, your lack of imagination is pretty sad. The difference is that people
cannot use squeeze properly without relying on some external repository.
Easy now... SELinux worked fine even in Lenny in targeted mode (except
DHCP, but that was my own fault starting such chang
On Sat, 31 Dec 2011, Laurentiu Pancescu wrote:
> effective). I tested Exec-shield in Debian a few years ago, with and
> without SELinux, it makes a big difference:
I just did a quick test on an i386 system with PAE running a 686 Squeeze
kernel.
SE Linux enforcing vs permissive m
On Sat, 31 Dec 2011, Holger Levsen wrote:
> On Freitag, 30. Dezember 2011, Russell Coker wrote:
> > I can't imagine what the benefit would be in using "official" packages
> > that I created and uploaded to Debian over using "unofficial" packages
> > that I created and couldn't get in a Squeeze upd
nar's patch for older
processors without an NX bit (it used segment limits to emulate this,
but could be worked around by applications or malicious code with a call
to mprotect - SELinux prevents that on Fedora, making Exec-shield
effective). I tested Exec-shield in Debian a few years ago
Dear Russell,
On Freitag, 30. Dezember 2011, Russell Coker wrote:
> I can't imagine what the benefit would be in using "official" packages that
> I created and uploaded to Debian over using "unofficial" packages that I
> created and couldn't get in a Squeeze update
Frankly, your lack of imaginat
On Sat, 31 Dec 2011, Laurentiu Pancescu wrote:
> is there any difference between i386 and amd64 as to how much protection
> SELinux is able to provide? Earlier, stuff like NX was only available on
> 64-bit processors; are there still such differences?
There has never been any differe
Hello Russell,
is there any difference between i386 and amd64 as to how much protection
SELinux is able to provide? Earlier, stuff like NX was only available on
64-bit processors; are there still such differences?
On 12/30/11 14:15 , Russell Coker wrote:
The support is quite good. I run a
On Fri, 30 Dec 2011, Laurentiu Pancescu wrote:
> I would like to harden a web server setup using SELinux. How good is the
> support for SELinux on Squeeze? Are the instructions on the Debian Wiki
> [1] up to date for Squeeze? I tried this last time on Lenny, and DHCP
> couldn't w
Hello,
I would like to harden a web server setup using SELinux. How good is the
support for SELinux on Squeeze? Are the instructions on the Debian Wiki
[1] up to date for Squeeze? I tried this last time on Lenny, and DHCP
couldn't work back then due to SELinux not letting modprobe
On Sat, 29 Jan 2011, Simon Brandmair wrote:
> I just started looking into SELinux. I am wondering if there is a way to
> have wildcards in avc rules like:
> auditallow source_t target_t : * * ;
> which audits all access from source_t to target_t.
>
> Or do I have to add all
On Sat, 29 Jan 2011 17:50:01 +0100 Simon Brandmair wrote:
> booting debian squeeze with selinux fails with following error (without
> selinux it boots fine):
>
> "Checking root file system...failed (code8)." and I get a root login
> prompt.
>
> What am I missing t
Hi,
booting debian squeeze with selinux fails with following error (without
selinux it boots fine):
"Checking root file system...failed (code8)."
and I get a root login prompt.
What am I missing to make my standard installation boot?
# sestatus
SELinux status:
Hi,
I just started looking into SELinux. I am wondering if there is a way to
have wildcards in avc rules like:
auditallow source_t target_t : * * ;
which audits all access from source_t to target_t.
Or do I have to add all classes objects to the rule like:
auditallow source_t target_t
Dino Vliet wrote:
> Hi debian security people,
> based on this document, http://wiki.debian.org/SELinux/Setup, I tried to
> install Selinux on Debian Lenny.
> [...]
> However, after step 5 in that sequence, Run check-selinux-installation to
> check that everything has been s
Hi debian security people,
based on this document, http://wiki.debian.org/SELinux/Setup, I tried to
install Selinux on Debian Lenny.
I posted the message below to the debian user list, but nobody answered it.
I've also noticed that whenever I enforce selinux, my postgresql database
server c
Hi!
In etch "semodule -r postfix" fails with next message:
libsepol.expand_module: Error while indexing out symbols
libsemanage.semanage_expand_sandbox: Expand module failed
Does someone know what is the problem and how the postfix module can be
removed?
TIA
I tried to get SElinux running in enforced mode on the weekend but
enforcement began denying things. Postfix could not read the alias
file. Gnucash would not start. Do the policies need tweaking? Did I
miss something?
--
Neil Watson | Debian Linux
System Administrator| Uptime
include new technologies
> seems to be highly present across Debian itself.
Strange, never had that experience either. :)
> That said - when Debian implements things, it usually implements
> them a helluva lot better than other distributions.
We will see. sysvinit got SELinux support a fe
nux(*) hasn't done this. One of them is:
>
> SELinux
>
> If SELinux is also suitable for desktop users for example if we look
> at the targeted policy (for fedora and RHEL) it
> shows that it doesn't restrict users sessions. Short conclusion, there
> is no loss of f
On Wed, 21 Sep 2005, Arvind Autar wrote:
> is no loss of functionality, why hasn't debian implemented SELinux as
> default?
It is not that simple. We are doing it slowly.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness gr
Hello,
I have been using debian for quite some time now, however I have
watched several distributions implementing so many great ideas, and I
have been wondering why such a robust distribution as debian
GNU/Linux(*) hasn't done this. One of them is:
SELinux
If SELinux is also suitabl
) about a week
ago, at "http://people.debian.org/~adric/selinux/coreutils/". It's not
currently setup for apt-get (I hope to take care of this in the near
future), so you'll need to download/install it directly. So far, I
haven't encountered any problems with it
On Monday 24 January 2005 19:10, "Markus Schabel" <[EMAIL PROTECTED]>
wrote:
> I've set up a server with selinux enabled, using the packages from Russell
> Coker (http://www.coker.com.au/selinux/) but they are a bit outdated, at
> least there are more current packag
Hi!
I've set up a server with selinux enabled, using the packages from Russell
Coker (http://www.coker.com.au/selinux/) but they are a bit outdated, at
least there are more current packages in debian/testing available
(coreutils, dpkg, dselect, initscripts, sysv-rc, sysvinit). I think the
pac
lease, your backport
> will not be replaced with the version from stable.
>
> I'd suggest using libselinux1_1.6-0.0-bp.mps_i386.deb instead.
Actually there was already a 1.6-1 release which will be in stable (unless we
get newer versions first).
--
http://www.coker.com.au/selinux/
r backport
> will not be replaced with the version from stable.
>
> I'd suggest using libselinux1_1.6-0.0-bp.mps_i386.deb instead.
OK. Packages are on the:
deb http://www.rns-nis.co.yu/~mps selinux/
deb-src http://www.rns-nis.co.yu/~mps selinux/
I don't have experience in maki
* Milan P. Stanic wrote:
> Can I put in version something like libselinux1_1.6-0.1-bp.mps_i386.deb
> instead of libselinux1_1.6-0.1_i386.deb?
Well, if 1.6-0.1 will be in our next stable release, your backport
will not be replaced with the version from stable.
I'd suggest using libselinux1_1.6-0.0
ck-port repositories in their apt config may get results that
don't work well, but that's just a mistake anyway. Just make sure that your
repository is in some way internally consistent and can be differentiated
from other repositories and everything will be fine.
--
http://www.coker
On Thu, Mar 11, 2004 at 09:42:52PM +1100, Russell Coker wrote:
> If you copy all files related to a package intact then you don't have to make
> such changes.
>
> If you make any changes at all (even re-compiling with a different compiler
> and/or libc) then you must update the changelog appropr
I don't like the idea to rebuild all of them just to put my name, comments
> and notes.
If you copy all files related to a package intact then you don't have to make
such changes.
If you make any changes at all (even re-compiling with a different compiler
and/or libc) then you m
On Thu, Mar 11, 2004 at 09:02:50AM +1100, Russell Coker wrote:
> > If someone needs them I can put it on the net or post somewhere, or
> > maybe help if the help is needed.
>
> If you could establish an apt repository for it then that would be very
> useful. Brian's SE Linux packages haven't bee
> Now I have to backport coreutils and sysvinit, huh.
>
> Hate to reply myself, but I'd like to inform you that I backported
> libselinux, selinux-utils, policycoreutils, pam, coreutils, sysvinit,
> checkpolicy and selinux-policy-default to woody. It works under UML.
>
> If
orm you that I backported
libselinux, selinux-utils, policycoreutils, pam, coreutils, sysvinit,
checkpolicy and selinux-policy-default to woody. It works under UML.
If someone needs them I can put it on the net or post somewhere, or
maybe help if the help is needed.
On Wed, Mar 10, 2004 at 10:04:38PM +1100, Russell Coker wrote:
> > So, the question: how can I link libattr to libselinux1?
>
> Edit src/Makefile and add -lattr in the $(CC) line for $(LIBSO).
That is. I just rebuilt policycoreutils and pam with libselinux1
which is linked with libattr and it was
ries but I don't know
> low-level work.
>
> So, the question: how can I link libattr to libselinux1?
Edit src/Makefile and add -lattr in the $(CC) line for $(LIBSO).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard
On Wed, Mar 10, 2004 at 04:58:14PM +1100, Russell Coker wrote:
> > I suspect that the problem can be with old glibc (2.2.5) but I'm not
> > sure. Because that I'd like to ask should I backport glibc from sarge?
>
> There have been some changes to the way libxattr works. From memory I think
> tha
On Wed, 10 Mar 2004 08:58, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> [ Sorry, I'm not sure if this list is the right place to ask this, but
> I can't remember better one ]
The NSA mailing list is another option, but this one is OK.
> I'm trying to b
Hi!
[ Sorry, I'm not sure if this list is the right place to ask this, but
I can't remember better one ]
I'm trying to backport SELinux tools and libraries from unstable to
stable (woody). Well, actually I succeed to build all except coreutils
and sysvinit and installed all under
On Sat, Nov 29, 2003 at 12:05:58AM +0100, Peter Busser wrote:
> it works fine.
Oho ho, what a bold claim.
Not even adamantix people claim that. I found it not working correctly in
a few scenarios, although I must say security was improved.
Adamantix is a very nice project, I like it a lot, but it c
On Sat, 29 Nov 2003 11:46, Forrest L Norvell <[EMAIL PROTECTED]> wrote:
> > > un libselinux-dev(no description
> > > available) ii libselinux1 1.2-1.1 SELinux
> > > shared libraries un libselinux1-dev
On Fri, Nov 28, 2003 at 11:40:12AM -0500, Colin Walters wrote:
> On Fri, 2003-11-28 at 06:03, Forrest L Norvell wrote:
> > Hi!
> >
> > I'm attempting to set up an SELinux system using the Debian packages
> > and am unashamed to admit that I'm a little stuck a
On Fri, Nov 28, 2003 at 11:06:40PM +1100, Russell Coker wrote:
> > 2. When I attempt to boot into my SELinux kernel (all packages,
> > versions, and kernel configuration options at the end of this
> > message), I get an error about being unable to find
> > /u
Hi!
On Sat, 29 Nov 2003 05:10, "Martin G.H. Minkler" <[EMAIL PROTECTED]> wrote:
>> A little OT, but http://www.adamantix.org 's distro provides everything
>> and more SELinux has to offer while IMHO being a little easier to handle.
> Adamantix is not Debian. Th
On Sat, 29 Nov 2003 05:10, "Martin G.H. Minkler" <[EMAIL PROTECTED]> wrote:
> A little OT, but http://www.adamantix.org 's distro provides everything
> and more SELinux has to offer while IMHO being a little easier to handle.
Adamantix is not Debian. The people subsc
Alohá!
A little OT, but http://www.adamantix.org 's distro provides everything
and more SELinux has to offer while IMHO being a little easier to handle.
Don't want to discourage anybody from SELinux, especially not with
kernel 2.6 reaching production status, just my 2c ;-)
be
On Fri, 2003-11-28 at 06:03, Forrest L Norvell wrote:
> Hi!
>
> I'm attempting to set up an SELinux system using the Debian packages
> and am unashamed to admit that I'm a little stuck at the moment.
If you're planning to run a production system, I'd recommen
> #
> type device_t, file_type;
> /usr/bin/checkpolicy: error(s) encountered while parsing
That should be declared at about line 200 in attrib.te.
Try the following:
cd /etc/selinux
make clean
make load
> 2. When I attempt to boot into my SELinux kernel (all packages,
> versio
On Fri, Nov 28, 2003 at 03:03:08AM -0800, Forrest L Norvell wrote:
> I know I'm not the first person to encounter this error, because I
Yes, I'm working through some of these issues with
Russell as we speak. There are errors in
/etc/mkinitrd/scripts/selinux which builds the
Hi!
I'm attempting to set up an SELinux system using the Debian packages
and am unashamed to admit that I'm a little stuck at the moment. I
have two problems that I could use some help with:
1. I've done the bare minimum amount of tweaking of the default
policy beyond an
Hi,
I finally decided to invest some time into SELinux, having run it in
permissive/useless mode for months now. While trying to come up with
the right policy changes to make my system still work I stumbled upon
a few things.
How to handle daemons that drop root? Is it ok to allow their domain