[DSE-User] Upgrade difficulties
Mantaray
mantaray_1 at cox.net
Sat Dec 19 19:04:03 UTC 2009
Hello,
I have been using Debian since the Etch release, and I have been using a
2007 SELinux policy with some adaptations (I compile my own policy) from
December 2007 to the present. I am getting ready to use Debian 6, so I
have a copy running on my test drive. My policy is broken on Debian 6.
Explanation of "broken":
1) I have node-based restrictions on internet access for two of my user
accounts (I have defined my own users with their own role and type).
One of these is for an rdc connection to a company server (used on a
"work" user account), which is restricted to one IP address; and another
is for my young son, to keep him limited to his "pbs kids" site. This
has been accomplished by defining nodes, and using constraints relating
to the node names and the user role. These have consistently worked
with every upgrade until now. When I compile my policy with the current
"testing" distribution, these restrictions no longer take effect, and
the web browser can access any site from any account.
2) When the restrictions no longer took effect, I decided to upgrade
the policy, so I replaced the SELinux source with the source that is
currently being used for "testing." When I compile this source, with
the same changes to the base module, all of the user directories are
labeled "user_u ...", and when I attempt to log in, the following
message appears: "Would you like to enter a security context?" When I
attempt to enter the appropriate context, I receive a message declaring
that the context is invalid. In an attempt to resolve this, I copied my
original pam login file to pam.d, with no effect. I am not sure what to
look at next with regard to the login.
3) My user names show up in the per-user context file when I compile
the policy, however none of the labeling rules from the related .fc
file (compiled as a loadable module after the base module) appear in
this file.
I have spent a great deal of time working on my policy, and I would
really like to get it working on the new Debian. If anyone has
suggestions that may help me to troubleshoot the problems I am having, I
would really appreciate it.
-Ken-