On Fri, 31 Jul 2009, Manoj Srivastava <sriva...@debian.org> wrote:
> Developer associated: Manoj Srivastava (Perhaps also Russell Coker,
> but I have not discussed this with him)

I will be involved in this, but I find it difficult to get enough free time.

> Issues to be solved:
> (a) Get all Debian patches to the reference security policy merged in
>     upstream. Status: In progress, we have all patches submitted,
>     some need to be tweaked and resubmitted based on feedback
>     Time line: 1-2 months, depending on free time I have

Great work!

> (b) Update reference security policy to allow standard machines to be
>     in enforcing mode.
>     Status: It is possible to run minimal virtual machines in
>     enforcing mode, but real machines are somewhat crippled; these
>     denials need to be inspected, and determination needs to be made
>     for how to resolve them (do not want security holes enshrined in
>     policy)
>     Time line: 6-8 months (can be done in tandem with a, if there were
>     more people working on it)

That shouldn't be difficult. Incidentally it would really help me with working on this if you could get the policy to build with -j2...

> (c) Make it easier to run in strict (no unconfined.pp module)
>     mode. This needs firstly documentation, and secondly, additional
>     tweaks to policy to make it work. Russell has a play machine
>     where it all works, but those changes are not in the reference
>     policy -- and some of them might not be fit to be in ref policy
>     at all.
>     Time line: 9-12 months

My Play Machine runs the same policy as every other SE Linux machine I run, which is also the same as the policy in my repository (a newer version than the policy in Lenny). There is a single extra module of policy which allows read-only and read-append file types so that guest users can't mess with each other so easily.

The basic strict functionality works without any changes to policy. Solving B plus writing a tiny amount of documentation will solve C.

> Ideally, the goal would be to have Squeeze certifiable at EAL-4,
> at least the "standard" install (no optional packages), if someone with
> deep pockets were willing to actually pay for the certification, and be
> willing to push through the process.

The EAL number is a matter of how well you meet your profile targets. We can meet the requirements to be certifiable (*) with CAPP and RBACPP at EAL-4 if we continue on the current course. Meeting LSPP will be a lot harder; I've never even tried that on Debian. Not that our users are likely to mind - very few people use LSPP configurations.

(*) Getting certified requires a lot of time, paperwork, and money. Expect to spend the best part of $1,000,000 to get it.

-- 
russ...@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog