With the new libselinux, new policy and the [http://www.nsa.gov/selinux/patches/2.6.7-selinux1.patch.gz Kernel patch for 2.6.7] i got selinux working again on that box. As usual i do have a lot of audit violations i need to sort out...

When doing such upgrades, i always use permissive mode first. I don't like locking myself out of the box...

SELinux is kind of cool. I really like the concept.

What ''is'' annoying about SELinux is the complexity.

There are so many fine-grained rules to be written that it takes you ages to setup on a fairly complex system. There is a good repository of pre-written rules available, still you need to add a lot.

Unfortunately i cannot subscribe the SELinux mailing list, the mailserver just refuses to talk to me.

If you intend to install SELinux: it's broken on sid currently. russel said you'll need the latest patches for 2.6 - i guess to support port restrictions - which will bump you to policy version 18.

Right now, the corresponding libselinux1 has not yet hit my mirror, but the latest init from russels pool has. Therefore the box i just prepared doesn't yet boot with selinux.

I promised to publish a couple of notes on setting up SELinux on Debian, here are the first set of them:

• for any system user (above uid 100, below is okay; usually these are clamav, amavis and such) do change the shell to /bin/false.
• /etc/cron.daily/standard tries to backup files like "shadow", but it doesn't have the appropriate rights. I just #'ed the backup lines.
• in postfix, disable all chroots. selinux is better than normal chroots, and it is a lot easier to setup without.
• remove /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] - use pts.
• if mount lists "unknown" as filesystem for /, "make relabel" won't relabel it. you need to modify the makefile (add a / before the big shellsubst)
• while running in permissive mode for testing, do not forget "newrole -r sysadm_r", and do use se_dpkg, se_apt-get!
• /etc/init.d/checkroot.sh and /etc/init.d/mountvirtfs try to "touch" your filesystem. Make that a "true touch".
• /etc/cron.daily/find - this updates your locatedb. but findutils is an essential package, i suggest to "exit 0" in that script

http://www.le-prince-bleu.com/ - this is just plain awesome. I really really love this short movie. The quality is amazing. Guess they'll have job offers from all the big movie companies by now. The movie URL is http://perso.club-internet.fr/xauria/forbidden/l921.rig in case you do not have mplayer as plugin installed.