[redhat-lspp] LSPP kickstart config v0.20 released

Klaus Weidner klaus at atsec.com
Tue Feb 13 07:05:28 UTC 2007


Hello,

a mostly bugfix release. IMPORTANT: the labeled sshd has moved from port
2222 to port 222. The old port was reserved, and it's more secure to use
a low port in any case. Use the following to access it:

	ssh -p 222 user@host

The only rule patch left in lspp_policy.te is:

	auth_rw_faillog(ftpd_t)

This is a workaround for the following bug which is marked closed but
should IMHO be reopened:

	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220085

Known bugs:

	mcstransd from mcstrans-0.2.2-1.el5.i386.rpm doesn't seem to be
	translating any labels?

Changes (thanks especially to Dan Walsh, Klaus Kiwi, Linda Knippers,
Debbie Velarde, and Matt Anderson for their testing and contributions):

    Add "capp-lspp" service to shut down udevd to ensure it's off in
    interactive mode

    config script: add (optional) pretty PS1 prompt containing role/level
    (thanks Matt)

    Remove obsolete lspp_policy rules

    Declare port 222 (used by labeled sshd) to be ssh_port_t type

    Move labeled sshd to port 222 (was on port 2222)

    Add "semanage login" and restorecon for admin user creation again.

I recommend updating the following packages from
http://people.redhat.com/dwalsh/SELinux/RHEL5/ and/or
http://people.redhat.com/sgrubb/files/lspp in the postinstall phase:

	kernel-2.6.18-6.el5.lspp.64.i686.rpm
	kernel-devel-2.6.18-6.el5.lspp.64.i686.rpm
	libselinux-1.33.4-4.el5.i386.rpm
	libselinux-devel-1.33.4-4.el5.i386.rpm
	libselinux-python-1.33.4-4.el5.i386.rpm
	mcstrans-0.2.2-1.el5.i386.rpm
	openssh-4.3p2-17.el5.i386.rpm
	openssh-clients-4.3p2-17.el5.i386.rpm
	openssh-server-4.3p2-17.el5.i386.rpm
	policycoreutils-1.33.12-4.el5.i386.rpm
	policycoreutils-newrole-1.33.12-4.el5.i386.rpm
	selinux-policy-2.4.6-37.el5.noarch.rpm
	selinux-policy-devel-2.4.6-37.el5.noarch.rpm
	selinux-policy-mls-2.4.6-37.el5.noarch.rpm
	selinux-policy-strict-2.4.6-37.el5.noarch.rpm
	selinux-policy-targeted-2.4.6-37.el5.noarch.rpm

You'll need to run "rpm -Uvh --oldpackage *.rpm" to install them since
the kernel version number looks older than the installed one.

You can also do this once the system is installed. The installer should
work with the plain RC versions.

RPM download:

   http://klaus.vh.swiftco.net/lspp/SRPMS/
   http://klaus.vh.swiftco.net/lspp/RPMS/noarch/

Git repository:

   http://klaus.vh.swiftco.net/lspp/git/

-Klaus
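
A check for the "Declare port 222 ... to be ssh_port_t type" change listed above, as an added example that is not part of the original post or of the LSPP kickstart scripts: it parses `semanage port -l` output and reports which SELinux port types cover a given port. The function names and the sample listing are constructed for illustration; on an installed system, pipe the real `semanage port -l` output into `port_has_type` instead.

```shell
# Constructed sample of `semanage port -l` output (not captured from a real host).
sample_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

reserved_port_t                tcp      1-511
ssh_port_t                     tcp      222, 22
vnc_port_t                     tcp      5900-5983, 5985-5999
EOF
}

# port_types PROTO PORT
# Reads a port listing on stdin and prints every type whose entry covers
# PORT/PROTO. Entries may be single ports ("222,") or ranges ("5900-5983").
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)              # drop the list separator
                n = split(p, r, "-")          # "lo-hi" or a single port
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# port_has_type TYPE PROTO PORT
# Returns 0 if PORT/PROTO is listed under TYPE, non-zero otherwise.
port_has_type() {
    port_types "$2" "$3" | grep -Fqx -- "$1"
}

# Stand-alone run against the constructed sample.
if sample_listing | port_has_type ssh_port_t tcp 222; then
    echo "tcp/222 is labeled ssh_port_t"
else
    echo "tcp/222 is NOT labeled ssh_port_t"
fi
echo "types covering tcp/222:"
sample_listing | port_types tcp 222
```

A port can match both its explicit entry and a broader range entry, which is why `port_types` prints every match rather than stopping at the first.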



