[ubuntu-hardened] SELinux Support for Hardy

Caleb Case calebcase at gmail.com
Thu Feb 14 16:13:30 GMT 2008


On Wed, Feb 13, 2008 at 6:48 PM, Kees Cook <kees at ubuntu.com> wrote:
> On Tue, Feb 05, 2008 at 11:49:30PM -0500, Caleb Case wrote:
>  > SELinux Support for Hardy
>  > [snip]
>
> >
>  > [1] PAM was using a deprecated method of handling login contexts
>  > <https://bugs.launchpad.net/ubuntu/+source/pam/+bug/187822>. The updated package
>  > fixes this problem by backporting changes in upstream.
>
>  Done.
>
>
>  > [2] OpenSSH Server autoconf scripts were failing to detect the libselinux
>  > functions getseuserbyname and get_default_context_with_level
>  > <https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/188136>. The updated
>  > package fixes the configure bug by correctly setting LIBS before calling
>  > AC_CHECK_FUNCS.
>
>  Done.
>
>
>  > [3] Grub's update-grub lacks a trigger (and update-grub cannot be called
>  > directly due to nested debconf issues). In order to seamlessly switch between
>  > AppArmor and SELinux we need to reconfigure the menu.lst's defoptions. This
>  > patch adds an explicit trigger for update-grub.
>
>  This looks good and has the added advantage of allowing other grub-aware
>  tools to issue a trigger too.  I'm uploading it now.
>
>
>  > [4] apparmor and apparmor-utils need to be removed separately due to a recommend
>  > in ubuntu-standard for apparmor-utils. If just apparmor is removed, then the
>  > auto-resolution attempts to remove ubuntu-standard.
>
>  Was this fixed, or is this still a problem?
>

It appears that this is only a problem if you are using aptitude
(versus apt-get). It would be best though if ubuntu-standard
recommended a 'security-utils' meta package that apparmor-utils and
selinux-utils could provide.

>
>  >
>  > [5] selinux-policy-dummy is auto-picked when selinux is installed. It would be
>  > better if selinux-policy-refpolicy was auto-picked instead and the dummy package
>  > was a second choice. ;o} Suggestions on how to make that happen are very
>  > welcome!
>
>  Done.
>
>
>  > [6] At this time the system will fail to boot in enforcing mode. This will, of
>  > course, be fixed.
>
>  This is done now too?

This has been fixed. Hardy Server and Desktop boot into SELinux enforcing mode.

>
>  Also, I did a quick review of the packages and discovered it was going
>  to be tricky for me to do my interdiff compares because the packages on
>  REVU (and in the PPA) aren't using the orig.tar.gz/diff.gz split.  If
>  the packages can be regenerated with upstream orig.tar.gz and the
>  packaging changes in diff.gz, that would help speed up the process.
>
>  Also, I see that the "selinux" package is totally new?  When this is
>  uploaded, the changelog should probably be cleared out to a single
>  "initial release".  (And since this _is_ a native package, it can keep
>  its tar.gz state -- assuming there isn't an upstream orig.tar.gz.)
>

Will be fixed shortly...

>  Things are looking good!

;o}

>
>  -Kees
>
>  --
>  Kees Cook
>  Ubuntu Security Team
>


