On Tue, Aug 25 2009, Luk Claes wrote:

> Manoj Srivastava wrote:
>> Hi,
>>
>> I would like to set up a selinux related release goal for
>> Squeeze.
>>
>> Developer associated: Manoj Srivastava (Perhaps also Russell Coker,
>> but I have not discussed this with him)
>> Issues to be solved:
>> (a) Get all Debian patches to the reference security policy merged in
>> upstream. Status: In progress, we have all patches submitted,
>> some need to be tweaked and resubmitted based on feedback
>> Time line: 1-2 months, depending on free time I have
>
> While this is relevant to Debian, it does not look like it impacts what
> is in Debian or are there possible changes in Debian depending on the
> feedback?

I think there is a distinct possibility, yes. As the reference
policy evolves upstream, and our patches are not also changed to keep
in sync, we are reaching what I think are subtle breakages. The best
way of ensuring that we do not have mismatches in policy is to get the
patches into upstream policy, which has many more eyeballs on it, and
is tested more extensively.

>> (b) Update reference security policy to allow standard machines to be
>> in enforcing mode.
>> Status: It is possible to run minimal virtual machines in
>> enforcing mode, but real machines are somewhat crippled; these
>> denials need to be inspected, and determination needs to be made
>> for how to resolve them (do not want security holes enshrined in
>> policy)
>> Time line: 6-8 months (can be done in tandem with a, if there were
>> more people working on it)
>
> Are the issues identified already or do you have an idea about how
> many issues there are to tackle?

The issues involved depend on the set of packages installed.
Russell Coker has identified and solved issues related to his play
machine, and to his eeepc laptop. My build machines which use selinux
virtual machines now show no issues, and most of the issues on my
development machine have been resolved. I am uncertain of issues with
SELinux and packages I do not use. There are a few reported already
against the refpolicy package, and I am working at looking at them,
and then forwarding them to the refpolicy mailing list.

I am also somewhat rusty with the conventions adopted in reference
policy (some style issues, and some with more substance), so this is
likely to be slow going until I have time to get myself back up to
speed with modern policy. Help here is greatly appreciated.

> Do you have any documentation for possible contributors to help you with
> this?

I try this recipe (can be used in virtual machines, if you do not
want to mess up your real machines)

--8<---------------cut here---------------start------------->8---
# Policy type to label against; the Debian default policy is "default"
UML_POLICY_TYPE=${UML_POLICY_TYPE:-default}

aptitude install --without-recommends selinux-policy-default selinux-basics

# Label the whole filesystem from the policy's file_contexts
if [ -e /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts ]; then
    setfiles /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts /
fi

# Enable the (commented out) pam_selinux session lines for console and ssh
if [ -e /etc/pam.d/login ]; then
    perl -pli~ -e 'm/session.*pam_selinux.so/ && s/^\#\s*//o' /etc/pam.d/login
    rm /etc/pam.d/login~
fi
if [ -e /etc/pam.d/ssh ]; then
    perl -pli~ -e 'm/session.*pam_selinux.so/ && do { s/^\#\s*//o; s/multiple//; } ' /etc/pam.d/ssh
    rm /etc/pam.d/ssh~
fi

# Relabel the files just edited (perl -i replaced them)
if which setfiles >/dev/null 2>&1; then
    if [ -e /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts ]; then
        setfiles /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts /etc/pam.d/
    fi
fi

if [ -x /sbin/fixfiles ]; then
    /sbin/fixfiles -l /root/fixfiles.log -f -F relabel
fi

# schedule a relabeling for the next reboot
touch /.autorelabel
--8<---------------cut here---------------end--------------->8---

To grub, I add:

--8<---------------cut here---------------start------------->8---
# defoptions=selinux=1 audit=1
--8<---------------cut here---------------end--------------->8---

And then reboot. The next reboot will finish relabelling the files,
and sets me up with selinux enabled, and in enforcing mode.

If we had more people testing the SELinux policies and reporting
the denials to the refpolicy mailing list, we could rapidly get
refpolicy in sync with Debian-specific additions.

Thanks in advance for help,

manoj
-- 
"Intelligence without character is a dangerous thing." Steinem
Manoj Srivastava <sriva...@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
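The recipe above ends with the tester reporting denials to the refpolicy list. As an added example that is not part of the original e-mail, of the Debian refpolicy package or of the audit tools, the following POSIX shell script does offline the aggregation step that audit2allow performs on real audit output: it reads AVC denial lines (the sample below is constructed, not captured from any machine), groups them by source type, target type and object class, and prints one candidate allow rule per group, plus a per-domain denial count for the first line of a report. The function names and the sample lines are this example's own assumptions. The output is a starting point for inspection, not something to paste into policy, for the reason the mail gives: a denial may be a policy bug, or it may be an access that should stay denied.

```shell
#!/bin/sh
# Added example, not code from the original e-mail or from Debian.
# Constructed sample audit lines (not real output from any machine):
# three AVC denials and one SYSCALL record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1251200000.123:45): avc:  denied  { read } for  pid=1234 comm="cron" name="crontab" dev=sda1 ino=12345 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1251200001.456:46): avc:  denied  { read open } for  pid=1234 comm="cron" name="crontab" dev=sda1 ino=12345 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1251200002.789:47): avc:  denied  { name_bind } for  pid=2222 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1251200002.789:47): arch=c000003e syscall=49 success=no exit=-13'

# summarize_avc: read audit lines on stdin and print one candidate
# "allow src tgt:class { perms };" line per (source type, target type,
# object class), with the union of all permissions that were denied.
# Lines that are not AVC denials are ignored.
summarize_avc() {
    awk '
    /avc: +denied/ {
        # permissions are the words between the braces
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # user:role:type:level -> the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | LC_ALL=C sort -u | awk '
    {
        # input is sorted, so equal keys are adjacent
        key = $1 " " $2 ":" $3
        if (key != prev) {
            if (prev != "") print "allow " prev " { " perms " };"
            prev = key; perms = $4
        } else {
            perms = perms " " $4
        }
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# count_denials_by_domain: number of denial events per source domain,
# printed as "domain count", sorted by domain name.
count_denials_by_domain() {
    awk '
    /avc: +denied/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^scontext=/) { split($i, a, ":"); c[a[3]]++ }
    }
    END { for (d in c) print d, c[d] }' | LC_ALL=C sort
}

# On a real machine, after the recipe above has been applied, the input
# would come from the audit log, e.g.:
#   ausearch -m avc -ts recent | summarize_avc
# Here the constructed sample is used so the script runs offline.
printf '%s\n' "$SAMPLE_AVC" | count_denials_by_domain
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

The two denial events from crond_t collapse into a single rule with the permissions merged (read from the first event, open from the second), which is the form in which a denial is easiest to discuss on the list; the per-domain count shows which domain is generating most of the noise on a given machine.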