On Thu, Jul 30 2009, Gustavo Franco wrote:

> On Thu, Jul 30, 2009 at 11:16 AM, Manoj Srivastava<sriva...@debian.org> wrote:
>> Hi,
>>
>> I would like to set up a selinux related release goal for
>> Squeeze.
>>
>> Developer associated: Manoj Srivastava (Perhaps also Russell Coker,
>> but I have not discussed this with him)
>> Issues to be solved:
>> (a) Get all Debian patches to the reference security policy merged in
>> upstream. Status: In progress, we have all patches submitted,
>> some need to be tweaked and resubmitted based on feedback
>> Time line: 1-2 months, depending on free time I have
>> (b) Update reference security policy to allow standard machines to be
>> in enforcing mode.
>> Status: It is possible to run minimal virtual machines in
>> enforcing mode, but real machines are somewhat crippled; these
>> denials need to be inspected, and determination needs to be made
>> for how to resolve them (do not want security holes enshrined in
>> policy)
>> Time line: 6-8 months (can be done in tandem with a, if there were
>> more people working on it)
>> (c) Make it easier to run in strict (no unconfined.pp module)
>> mode. This needs firstly documentation, and secondly, additional
>> tweaks to policy to make it work. Russell has a play machine
>> where it all works, but those changes are not in the reference
>> policy -- and some of them might not be fit to be in ref policy
>> at all.
>> Time line: 9-12 months
>>
>> The actual non-policy packages are now well in sync with
>> upstream, so the weak point is the security policy.
>>
>> Ideally, the goal would be to have Squeeze certifiable at EAL-4,
>> at least the "standard" install (no optional packages), if someone with
>> deep pockets were willing to actually pay for the certification, and be
>> willing to push through the process.
>
> Which parts of the work you described above would be needed for Squeeze
> to be certifiable at EAL-4? All of them?
Making a Debian release EAL-4 certifiable would go beyond (perhaps far
beyond) just making strict policy work, but all three above would be a
minimal requirement.

> Based on your timeline, it seems A is on track to make Squeeze, we
> should get more people to work with you on B (setting as a goal) and C
> would be a no go for this release, jmo. Am I wrong?

Well, that would depend on when the freeze happens. If we freeze a
year from now, I think there is a fighting chance all these can be
accomplished.

manoj
--
The shortest measurable interval of time is the time between the moment I
put a little extra aside for a sudden emergency and the arrival of that
emergency.
Manoj Srivastava <sriva...@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C