SE Linux Lenny Status Update

I previously described four levels of SE Linux support on the desktop [1].

Last night I updated my APT repository of SE Linux packages for Lenny (as described in my document about installing SE Linux [2]). I included a new policy package that supports logging in to a graphical session via gdm in either unconfined_t or user_t. This covers all the functionality I described as target 2 (some restricted users). I have tested this to a moderate degree.

Target 3 was having all users restricted and no unconfined_t domain (the policy module unconfined.pp not being linked into the running policy). I had previously done a large part of the work towards that goal in preparation for running a SE Linux Play Machine (with public root password) [3] on Lenny – but until last night I had not published it. The combination of the policy needed to run with no unconfined_t domain and the policy to allow logging in as user_t via gdm should mean that a desktop system with gdm for graphical login that has no unconfined_t domain will work – but I have not tested this. So target 3 is likely to have been achieved; if testing reveals any problems in this regard then I’ll release another policy update.

So now the only remaining target is MLS.

Also I have been setting up a mail server with a MySQL database for user account data and using Courier-Maildrop for delivery, so I’ve written policy for that and also made some other improvements to the policy regarding complex mail servers.

7 Responses to SE Linux Lenny Status Update

  1. pabs: For stock Lenny, no.

    However once I get the stock Lenny policy working really well I will start working on the latest reference policy and the policy packages will work with both Lenny and Unstable. So I’ll probably create a new apt repository for Lenny with the later reference policy – which will have xguest and SE-X.

  2. Eddy Petrișor says:

    Apropos SELinux and your play machine, I just tried to connect and I couldn’t with the password provided on http://www.coker.com.au/selinux/play.html. I’ll probably try from home, too, but is there a known problem with the play machine?

  3. Eddy: I had accidentally used lower-case in the password. Some people worked this out so as I was seeing successful logins I didn’t realise there was a problem. Sorry for the inconvenience, it’s fixed now.

  4. I think you should just upload to unstable and use backports.org for providing backports rather than your own repository.

  5. pabs: Unstable is getting some major new versions that most people who run Lenny won’t want.

  6. hi

    about the

    "Conflicting distribution: http://www.coker.com.au lenny Release (expected lenny but got )"

    error message.

    please add

    Origin: Debian
    Label: Debian
    Suite: stable
    Version: 5.0
    Codename: lenny

    to the Release file (taken from
    ftp://ftp.ch.debian.org/debian/dists/lenny/Release).

    then the message should disappear.

    - Thomas
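
Why the fields suggested in the comment above make the warning go away, as an added example (not code from the post, the commenter, or apt): a simplified Python model of the check, assuming apt accepts a Release file when its Codename or Suite equals the distribution named in sources.list. Both Release texts are constructed samples and the function names are hypothetical.

```python
# Added example: simplified model of how apt matches a Release file against
# the distribution named in sources.list. Not apt's code; names are hypothetical.
from typing import Dict, Optional

# Constructed sample: a Release file with neither Suite nor Codename.
BARE_RELEASE = """\
Architectures: i386 amd64
Components: main
MD5Sum:
 00000000000000000000000000000000 0 main/binary-i386/Packages
"""

# Constructed sample: the same file with the five fields from the comment.
FIXED_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Version: 5.0
Codename: lenny
""" + BARE_RELEASE


def parse_release_header(text: str) -> Dict[str, str]:
    """Return the single-line 'Field: value' headers, keyed in lower case."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        # Skip blanks and indented continuation lines (the checksum lists).
        if not line.strip() or line[0] in " \t":
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def conflicting_distribution(release_text: str, expected: str,
                             desc: str) -> Optional[str]:
    """Return the warning text, or None when Codename or Suite matches."""
    fields = parse_release_header(release_text)
    codename = fields.get("codename", "")
    suite = fields.get("suite", "")
    if expected in (codename, suite):
        return None
    return (f"Conflicting distribution: {desc} "
            f"(expected {expected} but got {codename})")


if __name__ == "__main__":
    desc = "http://www.coker.com.au lenny Release"
    print(conflicting_distribution(BARE_RELEASE, "lenny", desc))
    print(conflicting_distribution(FIXED_RELEASE, "lenny", desc))
```

Only `Suite` or `Codename` takes part in this check, so `Codename: lenny` alone is enough to satisfy it. `Origin` and `Label` are matched by apt pinning (`o=` and `l=` in apt_preferences), so a third-party archive that declares `Origin: Debian` is also selected by pins written for the official archive.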



©2012 etbe - Russell Coker