Re: [SLE] Re: [suse-security] NSA SELinux

JM >JW writes:
JM >I hope this helps, it is hard to tell what this thread is about.

It is about applying the SE Linux security patches to the SuSE kernel 2.4.18 for 8.0. Currently, the NSA (the SE-Linux authors) work with RedHat. Some work has been done before on patching a SuSE system to work with SE-Linux, but no one has (yet) gotten very far. I dearly hope to change that...

-- 
----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software
http://www.cedarcreeksoftware.com

JW wrote:
> Some work has been done before on patching a SuSE system to work with SE-Linux, but no one has (yet) gotten very far. I dearly hope to change that...

My utils now compile up to the openssh package on the SuSE system. I'll check that package probably tomorrow or on Monday.

Mark

On Saturday 01 June 2002 05:01 am, you wrote:
> JW wrote:
>> Some work has been done before on patching a SuSE system to work with SE-Linux, but no one has (yet) gotten very far. I dearly hope to change that...
> My utils now compile up to the openssh package on the SuSE system. I'll check that package probably tomorrow or on Monday.
> Mark

What version of SuSE are you compiling against, 8.0?

Would like to know exactly what packages you have working and each package's version number. That way it will be clear what's been worked on and what hasn't been, to avoid duplicate effort?

Are you modifying the SuSE srpms or just using tars from each vendor as appropriate? I'm interested in making RPMs out of each at some point.

Thanks.
JW

JW wrote:
> What version of SuSE are you compiling against, 8.0?

7.3 Pro. I think compilation would be the same on 8.0 and 7.3.

> Would like to know exactly what packages you have working and each package's version number. That way it will be clear what's been worked on and what hasn't been, to avoid duplicate effort?

You need at least:

1. the LSM/Selinux kernel from the homepage (I downloaded the prepatched vanilla kernel)
2. Flex for compiling the policy. It should be flex-<Version>.rpm (flex-2.5.4-410.i386.rpm from the SuSE ftp server)
3. for the newrole and run_init program: pam-devel-*.rpm (pam-devel-0.75-78.i386.rpm). It contains the libraries and header files for Linux-PAM used by SEL.
4. for util-linux:
   - termcap library. I suggest to download the latest package from the ftp-server, the older version was vulnerable to a buffer overflow attack iirc.
   - Slang library: slang-*.rpm (slang-1.4.4-95.i386.rpm)
   - Modification to util-linux-2.11f/text-utils/Makefile: A library is missing for more:

     Buggy:

         more: more.o $(LIB)/xstrncpy.o
                 $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBTERMCAP)

     better:

         more: more.o $(LIB)/xstrncpy.o
                 $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBTERMCAP) $(LIBCURSES)

However if you compare the makefile from the SELinux package to the original or to the SuSE makefile, it's slightly different at this point. I don't know why they changed (RedHat or SELinux staff) it. If you change the makefile so that it looks like the original or the SuSE version it should work I think.

> Are you modifying the SuSE srpms or just using tars from each vendor as appropriate? I'm interested in making RPMs out of each at some point.

My goal is to modify as little as possible in order to have a very simple installation. First I tried to change Makefiles and configuration files but it's easier to leave SELinux as it is and install necessary libraries. I don't like messing with packages if it is not absolutely necessary. And I don't want to do the job over and over again when a new release comes.

Shall we move to the suse-selinux mailing list or keep the thread here open?

Mark

On Sunday 02 June 2002 04:17 am, you wrote:
> Shall we move to the suse-selinux mailing list or keep the thread here open?

To suse-selinux, I have already posted an additional Re under Subject "Packages required was: Re: [suse-security] NSA SELinux"

Thanks
JW

> - Modification to util-linux-2.11f/text-utils/Makefile: A library is missing for more:
>
>   Buggy:
>
>       more: more.o $(LIB)/xstrncpy.o
>               $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBTERMCAP)
>
>   better:
>
>       more: more.o $(LIB)/xstrncpy.o
>               $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBTERMCAP) $(LIBCURSES)
>
> However if you compare the makefile from the SELinux package to the original or to the SuSE makefile, it's slightly different at this point. I don't know why they changed (RedHat or SELinux staff) it. If you change the makefile so that it looks like the original or the SuSE version it should work I think.

If you look at the redhat source RPM for the libncurses package, you will know.

A hint: On my 8.0 at home I've installed just about everything that had -devel in the package name. The time looking for these packages doesn't compare to the cost of these few megs of space under /usr/include and similar.

I usually copy the /ARCHIVES.gz from the first CD to / so that I can locate just about any file in the distribution with a single zgrep command. It happened too many times that I was about to install some library or utility from the internet on my box, and it turned out that I just didn't look close enough for it on the CDs. *sigh*

>> Are you modifying the SuSE srpms or just using tars from each vendor as appropriate? I'm interested in making RPMs out of each at some point.
> My goal is to modify as little as possible in order to have a very simple installation. First I tried to change Makefiles and configuration files but it's easier to leave SELinux as it is and install necessary libraries. I don't like messing with packages if it is not absolutely necessary. And I don't want to do the job over and over again when a new release comes.

Welcome to the club. :-) Do it like the SuSE packagers do: Provide the patches that you made and send them to the authors. After a while, it should compile flawlessly on all systems. You remember: there are 3000+ packages on a SuSE, and most of them cause little or no headache when you build an RPM package from the sources.

> Shall we move to the suse-selinux mailing list or keep the thread here open?
> Mark

Thanks,
Roman.
-- 
| Roman Drahtmüller <draht@suse.de>      // "You don't need eyes to see,
| SuSE Linux AG - Security       Phone:  //  you need vision!"
| Nürnberg, Germany     +49-911-740530   //  Maxi Jazz, Faithless

Roman Drahtmueller wrote:
>> - Modification to util-linux-2.11f/text-utils/Makefile:
> If you look at the redhat source RPM for the libncurses package, you will know.

I took a short look at it but it revealed nothing to me (as I'm not that familiar with Makefiles) :) The RedHat-rpm has the original package with the original makefile. So shame on RedHat.

> A hint: On my 8.0 at home I've installed just about everything that had -devel in the package name. The time looking for these packages doesn't compare to the cost of these few megs of space under /usr/include and similar.

Indeed it's useful. But if someone starts from zero he just wonders why the sources don't compile. However I finally succeeded without installing a massive *-devel-*.rpm. And now I got a good argument against Linux when I have to defend Micro$oft against Linux ;p

> I usually copy the /ARCHIVES.gz from the first CD to / so that I can locate just about any file in the distribution with a single zgrep command. It happened too many times that I was about to install some library or utility from the internet on my box, and it turned out that I just didn't look close enough for it on the CDs. *sigh*

Well I like ftp-ing the latest (exploit free?) packages from my favorite SuSE mirror.

> Welcome to the club. :-) Do it like the SuSE packagers do: Provide the patches that you made and send them to the authors. After a while, it should compile flawlessly on all systems. You remember: there are 3000+ packages on a SuSE, and most of them cause little or no headache when you build an RPM package from the sources.

No patches yet. Installing libraries will do fine. The tools I've tested under the SELinux kernel work (e.g. modified login, ps, ls). Building is really easy if you know the dependencies :)

Currently I'm adapting configuration files to the SuSE system layout and watching the log file for access violations in permissive mode.

Mark
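Added example, not part of the thread and not code from the SELinux tools: one way to summarize the permissive-mode access violations mentioned in the last message, grouping "avc: denied" records by source type, target type and object class so each group can be reviewed against the policy. The log lines are constructed, and the key=value record layout (scontext, tcontext, tclass) is an assumption about the kernel log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual "avc: denied" layout (not from the thread).
SAMPLE_LOG = """\
Jun  2 10:01:07 host kernel: avc:  denied  { read } for  pid=412 exe=/bin/login path=/etc/shadow dev=03:02 ino=5121 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file
Jun  2 10:01:07 host kernel: avc:  denied  { getattr } for  pid=412 exe=/bin/login path=/etc/shadow dev=03:02 ino=5121 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file
Jun  2 10:02:44 host kernel: avc:  denied  { search } for  pid=530 exe=/bin/ps path=/proc/1 dev=00:03 ino=65538 scontext=user_u:user_r:user_t tcontext=system_u:system_r:init_t tclass=dir
Jun  2 10:03:10 host kernel: eth0: link up
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        perms = m.group(1).split()
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated or malformed record
        key = (type_of(fields["scontext"]), type_of(fields["tcontext"]), fields["tclass"])
        denials[key].update(perms)
    return dict(denials)

def candidate_rules(denials):
    """Render each group as a policy 'allow' line for human review, not blind use."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Each rendered line is a question to answer (wrong file label, missing domain transition, or a genuinely needed permission), which is why the output is kept separate from the policy sources.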
participants (3): JW, Mark Müller, Roman Drahtmueller