SE Linux Lenny Status Update

I previously described four levels of SE Linux support on the desktop [1].

Last night I updated my APT repository of SE Linux packages for Lenny (as described in my document about installing SE Linux [2]). I included a new policy package that supports logging in to a graphical session via gdm in either unconfined_t or user_t. This covers all the functionality I described as target 2 (some restricted users). I have tested this to a moderate degree.

Target 3 was having all users restricted and no unconfined_t domain (the policy module unconfined.pp not being linked into the running policy). I had previously done a large part of the work towards that goal in preparation for running an SE Linux Play Machine (with public root password) [3] on Lenny – but until last night I had not published it. The combination of the policy needed to run with no unconfined_t domain and the policy to allow logging in as user_t via gdm should mean that a desktop system with gdm for graphical login that has no unconfined_t domain will work – but I have not tested this. So target 3 is likely to have been achieved. If testing reveals any problems in this regard then I’ll release another policy update.
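
One way to check the two target 3 conditions on a running system (the unconfined module not linked, nothing running in unconfined_t), as an added example that is not part of the original post or its policy packages. The function names, module versions and process listings are constructed; on a real system the inputs would come from `semodule -l` and `ps -eZ`.

```shell
#!/bin/sh
# Added example: checks the "target 3" state (no unconfined module, no
# unconfined_t processes). All sample data is constructed; on a real system
# pass "$(semodule -l)" and "$(ps -eZ)" instead.

# Succeeds if module $1 is named in `semodule -l` output read from stdin.
# Only the first column is compared, so a version column is ignored.
module_linked() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Prints PID and command name for each process in `ps -eZ` output (stdin)
# whose domain, the third colon-separated field of the label, equals $1.
procs_in_domain() {
    awk -v t="$1" 'NR > 1 { split($1, c, ":"); if (c[3] == t) print $2, $NF }'
}

# target3_check MODULES PS_OUTPUT: returns 0 only when both conditions hold.
target3_check() {
    rc=0
    if printf '%s\n' "$1" | module_linked unconfined; then
        echo "unconfined module is linked into the policy"; rc=1
    fi
    stray=$(printf '%s\n' "$2" | procs_in_domain unconfined_t)
    if [ -n "$stray" ]; then
        echo "processes running in unconfined_t:"; echo "$stray"; rc=1
    fi
    return "$rc"
}

# Constructed samples: T2 = some users unconfined, T3 = all users restricted.
MODULES_T2='gnome 1.1.0
unconfined 2.2.0
xserver 3.0.1'
MODULES_T3='gnome 1.1.0
xserver 3.0.1'
PS_T2='LABEL PID TTY TIME CMD
system_u:system_r:xdm_t:s0 2301 ? 00:00:00 gdm
unconfined_u:unconfined_r:unconfined_t:s0 2410 ? 00:00:02 gnome-session'
PS_T3='LABEL PID TTY TIME CMD
system_u:system_r:xdm_t:s0 2301 ? 00:00:00 gdm
user_u:user_r:user_t:s0 2410 ? 00:00:02 gnome-session'

target3_check "$MODULES_T3" "$PS_T3" && echo "T3 sample: conditions hold"
target3_check "$MODULES_T2" "$PS_T2" || echo "T2 sample: unconfined_t in use"
```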

So now the only remaining target is MLS.

Also I have been setting up a mail server with a MySQL database for user account data and using Courier-Maildrop for delivery, so I’ve written policy for that and also made some other improvements to the policy regarding complex mail servers.

7 thoughts on “SE Linux Lenny Status Update”

  1. pabs: For stock Lenny, no.

    However once I get the stock Lenny policy working really well I will start working on the latest reference policy and the policy packages will work with both Lenny and Unstable. So I’ll probably create a new apt repository for Lenny with the later reference policy – which will have xguest and SE-X.

  2. Eddy: I had accidentally used lower-case in the password. Some people worked this out so as I was seeing successful logins I didn’t realise there was a problem. Sorry for the inconvenience, it’s fixed now.

  3. I think you should just upload to unstable and use for providing backports rather than your own repository.

  4. pabs: Unstable is getting some major new versions that most people who run Lenny won’t want.

