Re: Fixing up SELinux reference policy for Debian

[Manoj Srivastava]

Hi,

I have just uploaded a version of refpolicy that has a number of
 Debian specific SELinux policy changes. I can now do and aptitude
 update, and aptitude upgrade while running strict policy in enforcing
 mode in my UML machine.  The createfs.sh script now incorporates all
 the recommended changes on http://wiki.debian.org/SELinux/Setup, so it
 is relatively easy to create such a UML.
  http://www.golden-gryphon.com/software/security/selinux-uml.xhtml

I also have a patch for sysvinit's /etc/network/if-up.d/mountnfs 
 to provide the context when creating /var/run/network/mountnft; if and
 only if we are running selinux.  I'll send in a wishlist bug report
 soon.

My local policy file has been reduced to a single allow rule,
 and a bout half a dozen  dontaudit rules; and is now shipped with the
 strict policy package as an example.

The single allow rule that I still need is due to Bug#390067, I
 have not yet had a chance to create a helper script that would do the
 logging, and which can be put into a different security domain.

However, a more basic problem exists: as an ordinary user, I
 can't run dpkg-checkbuilddeps, or do anything that needs looking at
 /var/lib/dpkg -- since plain old users can't look into /var.

I think we need to create debian specific policy changes to
 allow searching /var, /var/lib. and /var/lib/dpkg.  We also read file
 permissions on files in /var/lib/dpkg; and these need to be added to a
 generic user.

Any objections? (I don't think I want to create a whole
 different class of user for this capability).  This would be the
 minimal requirements to start building my Debian packages in enforcing
 mode again.

After that, I need to start branching out, and adding, say,
 apache2 servers to my UML, and checking validity of strict policy.

Given the magnitude of these changes, I am planning on trying to
 do a backport of SELinux packages for Etch, at least, for the current
 release, before the kernel requirements diverge too much.


manoj
-- 
No use getting too involved in life -- you're only here for a limited
time.
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Did the number of installations really increase by a half in one month?

[Petter Reinholdtsen]

[Filipus Klutiero]
> This is probably material for some kind of announcement, but I would
> like to verify if I'm missing something. Does this graph reveal an
> increase of installations by about a half in one month? Or did the
> proportion of installations reporting to popcon increase
> significantly?

The increase was due to our first release of a version of debian with
an installer asking about popcon as part of the default installation.
So the proportion of installations reporting to popcon increased with
Etch. :)

Friendly,
-- 
Petter Reinholdtsen


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#423443: ITP: python-cups -- Python bindings for CUPS

[otavio]

Package: wnpp
Owner: Otavio Salvador <[EMAIL PROTECTED]>
Severity: wishlist

  Package name: python-cups
  Version : 1.9.21
  Upstream Author : Tim Waugh <[EMAIL PROTECTED]>
  Web page: http://cyberelk.net/tim/data/pycups/
  License : GPL
  Description : Python bindings for CUPS
   A module for using the CUPS 1.2 API in Python programs.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Did the number of installations really increase by a half in one month?

[Filipus Klutiero]

In "The number of etch installations is rocketing" Joey Hess linked to a 
useful graph showing the evolution of the number of installations reporting 
to popcon:
http://popcon.debian.org/stat/sub-i386.png

Petter Reinholdtsen was wondering how long the rate of increase would keep up, 
and it seems the rate is getting back to normal now, after an increase of 
about a half in one month. This is probably material for some kind of 
announcement, but I would like to verify if I'm missing something. Does this 
graph reveal an increase of installations by about a half in one month? Or 
did the proportion of installations reporting to popcon increase 
significantly?


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#423424: ITP: scanmem -- Locate and modify a variable in an executing process

[Romain Francoise]

Package: wnpp
Severity: wishlist
Owner: Romain Francoise <[EMAIL PROTECTED]>

* Package name: scanmem
  Version : 0.06
  Upstream Author : Tavis Ormandy 
* URL : http://taviso.decsystem.org/scanmem.html
* License : GNU GPL
  Programming Lang: C
  Description : Locate and modify a variable in an executing process

scanmem is an interactive debugging utility that can be used to isolate
the address of a variable in an executing process by successively
scanning the process' address space looking for matching values. By
informing scanmem how the value of the variable changes over time, it
can determine the actual location (or locations) of the variable by
successively eliminating non-matches. Once a variable has been found,
scanmem can monitor the variable, or change it to a user specified
value, either once, or continually over a period of time.

Homepage: http://taviso.decsystem.org/scanmem.html


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: CDD: GastroLinux (RFC)

[Christian Surchi]

On Fri, May 11, 2007 at 02:41:41PM +0200, RalfGesellensetter wrote:
> 1) use computer as media player:
> 
> There are already companies that sell dedicated PCs to restaurants. 
> Anybody should be able to beat their rates by using free software like 
> Amarok. 

Here I know two pubs, at least, using a pc with ubuntu as jukebox. 
Just a desktop with xmms or rhythmbox. :)

bye
Christian


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: CDD: GastroLinux (RFC)

[Lennart Sorensen]

On Fri, May 11, 2007 at 02:41:41PM +0200, RalfGesellensetter wrote:
> Dear list,
> 
> Custom Debian Distributions are getting en vogue: After Debian-Edu 
> (Skolelinux) and Debian-Med, Debian-Office had been proposed.
> 
> Now, I bear this idea in mind:
> 
> Combine too major tasks that pubs and restaurants need in one Distro:
> 
> 1) use computer as media player:
> 
> There are already companies that sell dedicated PCs to restaurants. 
> Anybody should be able to beat their rates by using free software like 
> Amarok. 
> 
> 2) use computers as cash station:
> 
> More and more (good and bad) systems can be seen, most of which using 
> touch screens. I've seen quite a few ugly and unhandy pieces of GUIs, 
> however I think that this task is quite pretentious: 
> - it must be stable and have backends to a database or even a cash line
> - it might be desired to handle credit card readers; some cash systems 
>   use cheap hardware (embedded).
> 
> I'd advise to focus on 1) but also offer 2). The default screen saver 
> should make some P.R. for gnu/linux/debian. In a pub, this will get 
> some publicity ;)

Screen savers on LCDs really make no sense, and if it is supposed to be
a cash register then the screen saver will be amazingly annoying to the
user since they will first have to do something to get the screen saver
to go away before hitting the buttons on the touch screen.  So if you do
2, absolutely no screen saver seems about the only sane configuration.

--
Len Sorensen


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

CDD: GastroLinux (RFC)

[RalfGesellensetter]

Dear list,

Custom Debian Distributions are getting en vogue: After Debian-Edu 
(Skolelinux) and Debian-Med, Debian-Office had been proposed.

Now, I bear this idea in mind:

Combine too major tasks that pubs and restaurants need in one Distro:

1) use computer as media player:

There are already companies that sell dedicated PCs to restaurants. 
Anybody should be able to beat their rates by using free software like 
Amarok. 

2) use computers as cash station:

More and more (good and bad) systems can be seen, most of which using 
touch screens. I've seen quite a few ugly and unhandy pieces of GUIs, 
however I think that this task is quite pretentious: 
- it must be stable and have backends to a database or even a cash line
- it might be desired to handle credit card readers; some cash systems 
  use cheap hardware (embedded).

I'd advise to focus on 1) but also offer 2). The default screen saver 
should make some P.R. for gnu/linux/debian. In a pub, this will get 
some publicity ;)

Regards
Ralf


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#423365: question about #418098

[Don Armstrong]

reassign 423365 rdesktop
forcemerge 418098 423365
thanks

On Fri, 11 May 2007, Olaf Zaplinski wrote:
> Package: general
> 
> On http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418098 Laszlo says that 
> the fixed rdesktop will not be released before Etch r1. Is that true? If 
> yes, this would be definitely a "general bug". It would mean that I had to 
> replace Debian by e.g. Redhat because I have to administer several Windows 
> servers. A non-functional rdesktop is a no-go IMHO.
> 
> Can you confirm that?

Stable (in general) does not get updates for non-security problems
until point releases are made.

That said, Laszlo has already offered to make the fixed packages
available to you, so there's no reason why you wouldn't be able to
install them using dpkg -i yourself.


Don Armstrong

-- 
She was alot like starbucks.
IE, generic and expensive.
 -- hugh macleod http://www.gapingvoid.com/batch3.htm

http://www.donarmstrong.com  http://rzlab.ucr.edu


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Processed: Re: Bug#423365: question about #418098

[Debian Bug Tracking System]

Processing commands for [EMAIL PROTECTED]:

> reassign 423365 rdesktop
Bug#423365: question about #418098
Bug reassigned from package `general' to `rdesktop'.

> forcemerge 418098 423365
Bug#418098: rdesktop segfault with libx11-6 1.0.3-7
Bug#423365: question about #418098
Bug#418525: rdesktop: Does not check for error-code on XInitImage
Bug#418533: rdesktop: segfaults always
Bug#418654: Package rdesktop 1.5.0-1 segfaults with libx11-6 1.0.3-7 installed
Bug#418907: rdesktop: patch for segfaults with libx11-6 1.0.3-7 (stable)
Forcibly Merged 418098 418525 418533 418654 418907 423365.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#423365: question about #418098

[Olaf Zaplinski]

Package: general

On http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418098 Laszlo says that 
the fixed rdesktop will not be released before Etch r1. Is that true? If 
yes, this would be definitely a "general bug". It would mean that I had to 
replace Debian by e.g. Redhat because I have to administer several Windows 
servers. A non-functional rdesktop is a no-go IMHO.


Can you confirm that?


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: packages newer in Ubuntu than in Debian (reduced false positives)

[Paul Wise]

On 5/11/07, Bart Martens <[EMAIL PROTECTED]> wrote:


Good idea.  That might make my reports obsolete, and that would be OK
for me.


Integrating it into the newly ressurected dehs might be useful too.

--
bye,
pabs

http://wiki.debian.org/PaulWise


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Announce: DebianArt.org

[Raphael Hertzog]

On Thu, 10 May 2007, Marc 'HE' Brockschmidt wrote:
> Raphael Hertzog <[EMAIL PROTECTED]> writes:
> > On Wed, 09 May 2007, Gustavo Franco wrote:
> >> I don't think that it will be accepeted as art.debian.org though, not
> >> ugly enough yet.
> > What does that mean ?
> 
> Usually the web services on debian.org hosts provide access to quite
> ugly pages. See -www for the regular "We really, really need to switch
> to a nice website for a change" thread.

That far I could guess but the reasoning is flawed. Getting a
art.debian.org for this service is a matter of convincing DSA and I highly
doubt that DSA will require uglyness to accept it.

So this remark was best avoided since it's just an attack that doesn't
make any sense. And it's not this kind of remark that will encourage -www
people to switch.

Cheers,
-- 
Raphaël Hertzog

Premier livre français sur Debian GNU/Linux :
http://www.ouaza.com/livre/admin-debian/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]