Re: Legitimate Question

From: Russell Coker (bofhat_private)
Date: Sun Jan 27 2002 - 05:16:00 PST


    On Sat, 26 Jan 2002 14:17, Valdis.Kletnieksat_private wrote:
    > On Sat, 26 Jan 2002 13:20:29 +1100, Russell Coker <bofhat_private>  said:
    > > You can build an RPM or DEB package on a machine without any LSM support
    > > and then install it on an LSM machine.  As long as the package
    > > dependencies were correct then it would work fine.
    >
    > Try that with an NTP RPM, and let me know how well it works when the LSM
    > you have loaded refuses to allow the process to set the system clock. ;)
    
    There are only two problems with that:
    
    1)  There has been no chsid/relabel operation done after the files were put 
    in place to give them the correct security settings.
    2)  The standard RPM package of NTP undoubtedly doesn't use run_init.
    
    For Debian we are currently discussing ways of solving 1.  One suggestion 
    that can be immediately supported is to unpack a package, search its file 
    list and match it on /etc/flask/file_contexts, and apply SIDs appropriately.  
    Then continue with the package configuration.  I could possibly even divert 
    dpkg to a wrapper which does this.
    
    For 2 I plan to mess with start-stop-daemon in Debian.
    
    These things are solvable!
    
    -- 
    http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
    http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
    http://www.coker.com.au/projects.html Projects I am working on
    http://www.coker.com.au/~russell/     My home page
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
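
The matching step suggested in the message above (package file list against /etc/flask/file_contexts), as an added example that is not part of the original post or of any Debian tool. It assumes a "regex [file-type] context" line layout and that the last matching line wins; the sample specs, contexts, file list and function names are constructed for illustration, and the code only computes the labels a wrapper would then apply.

```python
import re

# Constructed sample in an assumed "regex [file-type] context" layout.
# The contexts are illustrative, not taken from a real policy.
SAMPLE_FILE_CONTEXTS = r"""
/.*                        system_u:object_r:file_t
/usr(/.*)?                 system_u:object_r:usr_t
/usr/sbin/ntpd       --    system_u:object_r:ntpd_exec_t
/etc/ntp\.conf       --    system_u:object_r:ntpd_etc_t
/var/lib/ntp(/.*)?         system_u:object_r:ntpd_var_lib_t
/tmp/.*                    <<none>>
"""

def parse_specs(text):
    """Parse spec lines into (compiled_regex, file_type_or_None, context)."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields: {raw!r}")
        ftype = fields[1] if len(fields) == 3 else None
        specs.append((re.compile(fields[0]), ftype, fields[-1]))
    return specs

def context_for(specs, path, ftype):
    """Return the context of the last matching spec (assumed precedence)."""
    for regex, want_type, context in reversed(specs):
        if regex.fullmatch(path) and want_type in (None, ftype):
            return context
    return None

def plan_relabel(specs, package_files):
    """Split a package file list into {path: context} and unlabeled paths."""
    labels, unlabeled = {}, []
    for path, ftype in package_files:
        context = context_for(specs, path, ftype)
        if context is None or context == "<<none>>":
            unlabeled.append(path)  # surface these instead of guessing a label
        else:
            labels[path] = context
    return labels, unlabeled

# Constructed file list: (path, type), "--" = regular file, "-d" = directory.
NTP_PACKAGE_FILES = [("/usr/sbin/ntpd", "--"), ("/etc/ntp.conf", "--"),
                     ("/var/lib/ntp", "-d"), ("/tmp/ntp.tmp", "--")]

if __name__ == "__main__":
    labels, unlabeled = plan_relabel(parse_specs(SAMPLE_FILE_CONTEXTS), NTP_PACKAGE_FILES)
    for path, context in labels.items():
        print(f"{path}\t{context}")
    print("unlabeled:", unlabeled)
```

Paths that end up in the unlabeled list are the ones a wrapper should report before continuing with package configuration, since they would otherwise keep whatever label they were unpacked with.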
    



    This archive was generated by hypermail 2b30 : Sun Jan 27 2002 - 16:25:52 PST