Tales from the Gryphon

I finally got around to updating the SELinux UML recipe page to the latest 2.6.11.2 kernel. Of course, the new linux UML kernel expects a newer version of SELinux policy (19) than I had in my root_fs, so I’ll have to rebuild a new root file system. I wanted to get the newest version of the SELinux tools into Sid, but I seem to be coming down with a flu like thing. Since I would like to see Etch be SELinux capable, it is important that the barrier of entry be low for people wanting to play around with it.

Well, all but one, since we still do not have one of the contributions in. I also think we have an agreement about the timing of the IRC debate, so we are well on our way to having a properly educated and primed electorate. As always, look at the vote page for details.

While working on my key-signing-helper script, I came across examples of IO::Select usage that I think shall benefit devotee, though I am leery of changing things this close to a vote. Oh, well, I guess the new gpg output processing code shall see the light of day with the first GR of the season.

A while ago, my guessnet setup started messing up, just before a business trip, and I did not have the time to debug the error. After a quick consult on IRC, I installed and configured laptop-net, which worked.

While I had a working package that would let me carry my laptop from home to LUG to office, and various trips with Hotel networks once in a while, I always had to tell the system which scheme to use, since several of the networks used similar IP addresses and topologies (welcome to the world of NAT). I have never been comfortable with the fact that laptop-net did not consider MAC addresses while making its determinations.

laptop-net, on the other hand, is like a combination of ifplugd, intuitively, and switchconf, except better since it is all integrated and works seamlessly. guessnet does seem to work better for me, though, if for nothing else since it can actually determine where the laptop finds itself. I have successfully integrated guessnet in with ifplugd, and made sure that things play nice even with hotplug in the picture. So I am a happy Guessnet camper once again.

Well, yes, that sounds somewhat pompous. But I do think this is a worthwhile release goal; from where I stand I think that hard-hat security is a critical option for any OS to remain viable in the current security conscious environment, and Debian, after a period of being well ahead of the curve (thanks to Russell Coker, Colin Walters, Brian May, and others), has fallen well behind entities like Red Hat and Gentoo when it comes to providing a hardened, secure platform.

So, along with a few other people (Greg T. Norris, Lorenzo Garcia-Heirro), I have started a mini project to bring Debian’s SELinux patched packages back in sync with the latest upstream and the latest SELinux patches, and to make it easier for Debian developers to access SELinux patches. The only package that is ready to go is coreutils, and that is thanks to Greg.

I’ve just come back from the Se-Linux symposium, followed by the Central Pennsylvania LUG Security conference, which was a lot of fun. I also managed to get myself talked into upgrading to the X Org server, which is to be 3expected after spending two days sitting Next to Jim Gettys at a conference watching the neat gizmos.

And, if I get through this key signing process, I may get my key connectivity ranking up again (also thanks to getting it signed by Russell Coker). Of course, due to my weird key signing protocol this is more tedious than the norm, but hey, that’s what you get for trying to add value to your signature.