I have unmasked hardened-sources-2.4.27-r2,
hardened-dev-sources-2.6.7-r8, and selinux-base-policy-20040702 for the
SELinux headers update. Since my last email was a long time ago, I
copied the relevant portion at the bottom. The 20040702 policy is the
same as 20040629, except with the headers update, so if you are up to
date on policy, it should be a trivial policy update. The headers are
in the flask directory of the policy.

On Sun, 2004-06-27 at 12:07, Chris PeBenito wrote:
> * The 2.6.8 kernel will have some new SELinux classes for security
> enhanced X. The problem is that these will collide with our PaX
> support. This means that the kernel and the policy will have to be
> updated at the same time, as the kernel will not load a policy whose
> headers don't match its own. When 2.6.8 comes out, I will put out a
> policy with the new headers, and also bump all kernels that have the
> PaX SELinux hooks. Fortunately the PaX SELinux headers have been
> accepted upstream, so this won't happen again. 2.6.8 will also bring
> policy version 18, since fine-grained netlink socket support has been
> added.

If you don't reboot (with the updated kernel if relevant), you will get
this error:

    security: the value of class pax changed
    security: the definition of an existing class changed

The policy load will fail.

--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243