SELinux screwup in FC2 update-kernels

Stephen Smalley sds at epoch.ncsc.mil
Fri Aug 20 12:15:44 UTC 2004


On Thu, 2004-08-19 at 23:17, Enrico Scholz wrote:
> in recent FC2 update-kernels (verified on 2.6.7-1.494.2.2, and 2.6.8-1.521
> changelog does not indicate a fix), SELinux is unusable because:
> 
> * policy can not be rebuilt ('checkpolicy' has compatibility range
>   15-17, but kernel is 18)
> 
> * sshd fails to allocate a second pty
> 
> 
> Is SELinux in FC2 assumed as completely broken and newer kernels will
> not fix these issues? Or, can I expect a fixed kernel/policy/tools in
> the near future?

Newer SELinux kernels still accept older policy versions, so it should
be possible to fix the first problem just by modifying the policy
Makefile and spec file to load whatever version was built by checkpolicy
rather than always using the kernel's policy version (which just
represents the latest version it understands).  /sbin/init should
already contain the code to try older policy versions.

I'm not sure about your reference to sshd and ptys, but I have seen an
occasional problem with devpts where I have had to unmount it and
re-mount it to get things working again.  I don't think that was
SELinux-related, except that SELinux would then deny access when sshd
tried to fall back to BSD ptys since the policy is only set up for
devpts.

The larger concern to me is that FC2 kernel updates do not appear to be
getting tested with SELinux prior to release, and thus are not
coordinated with appropriate changes to policy.  This is the second time
that this has happened.  Most of the external SELinux "testing"
community has already moved on to FC3/devel, and thus is not likely to
catch issues with FC2.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
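The fallback Stephen describes (load whatever policy version the tools could build, since the kernel accepts any version up to the newest it understands) is easy to get wrong if the loader insists on the kernel's own version number. The following is an added example, not code from the thread or from the FC2 init or policy Makefile: it reads the version field from binary policy files and picks the newest one a kernel with a given maximum policy version (on a 2.6 kernel, the value in /selinux/policyvers) can load. It assumes the standard policydb header layout (little-endian u32 magic 0xf97cff8c, u32 string length, the string "SE Linux", then u32 version); the sample policy files it writes are constructed headers with no policy body, purely so the selection logic can be exercised offline.

```python
"""Pick a loadable SELinux binary policy for a kernel's policy version.

Added example: the kernel accepts any policy whose version is <= the
newest version it understands, so a loader should fall back to older
policy.N files (as /sbin/init does) instead of demanding the kernel's
own version. Header layout and magic are the assumed policydb format.
"""
import os
import struct
import tempfile

POLICYDB_MAGIC = 0xF97CFF8C      # assumed policydb magic value
POLICYDB_STRING = b"SE Linux"    # target string that follows the magic


def read_policy_version(path):
    """Return the version recorded in a binary policy file header,
    or None if the file does not start with a valid policydb header."""
    with open(path, "rb") as fh:
        head = fh.read(8)
        if len(head) < 8:
            return None
        magic, strlen = struct.unpack("<II", head)
        if magic != POLICYDB_MAGIC or strlen != len(POLICYDB_STRING):
            return None
        if fh.read(strlen) != POLICYDB_STRING:
            return None
        ver = fh.read(4)
        if len(ver) < 4:
            return None
        return struct.unpack("<I", ver)[0]


def select_policy(policy_dir, kernel_max_version):
    """Return (path, version) of the newest policy.N file the kernel can
    load, trying kernel_max_version downward. Files whose header version
    disagrees with the name, or that are not real policies, are skipped."""
    for ver in range(kernel_max_version, 0, -1):
        path = os.path.join(policy_dir, "policy.%d" % ver)
        if not os.path.isfile(path):
            continue
        if read_policy_version(path) == ver:
            return path, ver
    return None, None


def make_sample_policy(path, version):
    """Write a constructed policy header (no policy body) for testing."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING)))
        fh.write(POLICYDB_STRING)
        # version, config, sym_num, ocon_num (the latter three zeroed here)
        fh.write(struct.pack("<IIII", version, 0, 0, 0))


def demo():
    """Reproduce the thread's situation: checkpolicy can only emit
    versions 15-17 while the kernel's policyvers is 18. Returns the
    version actually selected."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_policy(os.path.join(d, "policy.17"), 17)
        make_sample_policy(os.path.join(d, "policy.15"), 15)
        # A file with the expected name but garbage contents must be skipped.
        with open(os.path.join(d, "policy.18"), "wb") as fh:
            fh.write(b"not a policy")
        path, ver = select_policy(d, 18)
        return ver


if __name__ == "__main__":
    print("selected policy version:", demo())
```

Because the version check reads the file header rather than trusting the file name, a stale or truncated policy.18 left behind by an earlier build is skipped instead of being handed to the kernel, which is the case the Makefile/spec-file fix in the thread is meant to cover.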