[DSE-User] Upgrade difficulties

Mantaray mantaray_1 at cox.net
Sat Dec 19 19:04:03 UTC 2009 

Hello,

I have been using Debian since the Etch release, and I have been using a 
2007 SELinux policy with some adaptations (I compile my own policy) from 
December 2007 to the present.  I am getting ready to use Debian 6, so I 
have a copy running on my test drive.  My policy is broken on Debian 6.

Explanation of "broken":
1)  I have node-based restrictions on internet access for two of my user 
accounts (I have defined my own users with their own role and type).  
One of these is for an rdc connection to a company server (used on a 
"work" user account), which is restricted to one ip address; and another 
is for my young son, to keep him limited to his "pbs kids" site.  This 
has been accomplished by defining nodes, and using constraints relating 
to the node names and the user role.  These have consistently worked 
with every upgrade until now.  When I compile my policy with the current 
"testing" distribution, these restrictions no longer take effect, and 
the web browser can access any site from any account.

2)  When the restrictions no longer took effect, I decided to upgrade 
the policy, so I replaced the SELinux source with the source that is 
currently being used for "testing."  When I compile this source, with 
the same changes to the base module, all of the user directories are 
labeled "user_u ...", and when I attempt to log in, The following 
message appears: "Would you like to enter a security context?"  When I 
attempt to enter the appropriate context, I receive a message declaring 
that the context is invalid.  In an attempt to resolve this, I copied my 
original pam login file to pam.d, with no effect.  I am not sure what to 
look at next with regard to the login.

3)  My users names show up in the per-user context file when I compile 
the policy, however none of the labeling rules from the related .fc 
file  (compiled as a loadable module after the base module) appear in 
this file.

I have spent a great deal of time working on my policy, and I would 
really like to get it working on the new Debian.  If anyone has 
suggestions that may help me to troubleshoot the problems I am having, I 
would really appreciate it.

-Ken-

More information about the Selinux-user mailing list