Hi, first I want to thank Laurent and Russell for their work on packaging SELinux-related software and on porting the reference policy to Debian.

I noticed the recent upload of a new policy for Debian sid. Because of the prior lack of a proper policy, I tried to get one working on my own: https://github.com/cgzones/debian-package-refpolicy It works for me on a virtual machine with a minimal non-graphical installation, booting in enforced mode and logging into confined users. Maybe you can take a look; e.g. I got the 'systemd --user' process confined with https://github.com/cgzones/debian-package-refpolicy/blob/debian/debian/patches/0041-systemd-user-fix.patch

Another point I'd like to suggest is basing the Debian package on a newer git version of the reference policy. The new upload is based on the 20150812 release, which is already over half a year old, and I would not consider the state of the reference policy ready-to-use. So I threw a script together for using the latest git snapshot: https://github.com/cgzones/debian-package-refpolicy/blob/debian/debian/fetch-latest-upstream.sh

Next I'd like to request some patches regarding the Debian packaging, which are attached.

My last point is SELinux module management: while having some spare time I tried out a script for managing SELinux modules based on installed Debian packages, so that not all 370+ available modules are automatically installed. Is this even a sane idea, and are there any feature plans in this direction? https://github.com/cgzones/debian-package-refpolicy/compare/management

Kind regards
Christian Göttsche

P.S.: I took a quick look at the packaging repository today, https://anonscm.debian.org/cgit/selinux/refpolicy.git/, and noticed some missing changes from Laurent in the current debian branch, which were present recently (e.g. the sign-tags option in debian/gbp.conf). Also the systemd flag seems not to be enabled in the debian/build.conf.* files?
From 6d6b5a78470b3ad349a31c4db6d1d5857389930b Mon Sep 17 00:00:00 2001 From: cgzones <[email protected]> Date: Thu, 4 Aug 2016 17:15:28 +0200 Subject: [PATCH 1/4] fix gbp warning --- debian/gbp.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/gbp.conf b/debian/gbp.conf index 6837223..557fbe8 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -3,6 +3,7 @@ debian-branch = debian upstream-branch = upstream pristine-tar = True -[git-buildpackage] +[buildpackage] +sign-tags = True tarball-dir = ../tarballs/ export-dir = ../build-area/ -- 2.8.1
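Review bot: the hunk does two unrelated things under a subject that only mentions a warning: renaming the section `[git-buildpackage]` to `[buildpackage]` fixes the gbp deprecation warning, but the added `+sign-tags = True` is a behaviour change that makes every `gbp buildpackage` run try to GPG-sign the release tag, so it fails for anyone without a configured signing key. Either split the `sign-tags` line into its own commit or extend the commit message to say it intentionally re-adds the option the cover mail says was lost from the debian branch.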
From 16867f8c415ef05ceba69952bf546fd60d6ec854 Mon Sep 17 00:00:00 2001 From: cgzones <[email protected]> Date: Thu, 4 Aug 2016 17:17:44 +0200 Subject: [PATCH 2/4] ship list of basemodules --- debian/rules | 1 + debian/selinux-policy-default.install | 1 + debian/selinux-policy-mls.install | 1 + 3 files changed, 3 insertions(+) diff --git a/debian/rules b/debian/rules index 45e0187..d6fe74b 100755 --- a/debian/rules +++ b/debian/rules @@ -122,6 +122,7 @@ install-%-policy: build-%-policy mkdir -p $(CURDIR)/debian/tmp/var/lib/selinux/$* # Create a list with the modules we are shipping (cd $(CURDIR)/debian/tmp/usr/share/selinux/$*; LC_ALL=C ls -1 | cut -d. -f1 > .modules) + (cd $(CURDIR)/debian/tmp/usr/share/selinux/$*; grep -P '^[a-z0-9_]+\s*=\s*base$$' $(CURDIR)/debian/build-$*/policy/modules.conf | cut -d= -f1 | awk '{$$1=$$1};1' | sort > .basemodules) touch $@ # The headers are based on the default policy diff --git a/debian/selinux-policy-default.install b/debian/selinux-policy-default.install index b736f14..2d792e9 100644 --- a/debian/selinux-policy-default.install +++ b/debian/selinux-policy-default.install @@ -1,4 +1,5 @@ etc/selinux/default/ +usr/share/selinux/default/.basemodules usr/share/selinux/default/.modules usr/share/selinux/default/*.pp var/lib/selinux/default/ diff --git a/debian/selinux-policy-mls.install b/debian/selinux-policy-mls.install index ef57ad0..8c0082c 100644 --- a/debian/selinux-policy-mls.install +++ b/debian/selinux-policy-mls.install @@ -1,4 +1,5 @@ etc/selinux/mls/ +usr/share/selinux/mls/.basemodules usr/share/selinux/mls/.modules usr/share/selinux/mls/*.pp var/lib/selinux/mls/ -- 2.8.1
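Review bot: the new `grep -P ... | cut | awk | sort > .basemodules` pipeline in `debian/rules` has no failure path: make only sees the exit status of the final `sort`, so a missing or renamed `$(CURDIR)/debian/build-$*/policy/modules.conf`, or a regex that matches nothing, silently ships an empty `.basemodules` and the build still succeeds. Add a `test -s .basemodules` after the redirection (or run the subshell with `set -o pipefail`) so an empty base-module list aborts the build, and consider `grep -E` in place of `grep -P`, since the pattern needs no PCRE features. The commit message should also say what consumes `.basemodules` next to the existing `.modules` file, because the two `.install` hunks otherwise add a hidden file with no documented purpose.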
From 03f5df0a3a38a85019d7f4f67c8036bb4cc7bdb0 Mon Sep 17 00:00:00 2001 From: cgzones <[email protected]> Date: Thu, 4 Aug 2016 17:18:41 +0200 Subject: [PATCH 3/4] dh_install: use fail-missing instead of list-missing --- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index d6fe74b..d1f7e7c 100755 --- a/debian/rules +++ b/debian/rules @@ -23,7 +23,7 @@ endif override_dh_auto_configure: $(patsubst %, conf-%-policy, $(FLAVOURS)) conf-docs conf-src override_dh_install: - dh_install --list-missing + dh_install --fail-missing override_dh_fixperms: dh_fixperms -- 2.8.1
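Review bot: switching `dh_install --list-missing` to `dh_install --fail-missing` turns every file left behind in `debian/tmp` from a warning into a build failure, so this hunk depends on PATCH 2/4 adding the `.basemodules` entries to both `.install` files and must not be applied on its own or reordered before it. State in the commit message that a full build of all flavours was done with `--fail-missing` and that nothing intentionally unshipped remains in `debian/tmp`, otherwise the next upload will break at dh_install.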
From bdcc0d995c9e638db108f7288d024d961524966b Mon Sep 17 00:00:00 2001 From: cgzones <[email protected]> Date: Thu, 4 Aug 2016 17:21:44 +0200 Subject: [PATCH 4/4] use domain_auto_transition_pattern instead of old domain_auto_trans interface --- debian/example/example.if | 2 +- debian/policygentool | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/example/example.if b/debian/example/example.if index e9308e5..de3c797 100644 --- a/debian/example/example.if +++ b/debian/example/example.if @@ -29,7 +29,7 @@ interface(`myapp_domtrans',` type myapp_t, myapp_exec_t; ') - domain_auto_trans($1,myapp_exec_t,myapp_t) + domain_auto_transition_pattern($1,myapp_exec_t,myapp_t) allow $1 myapp_t:fd use; allow myapp_t $1:fd use; diff --git a/debian/policygentool b/debian/policygentool index 47afdd5..1180459 100644 --- a/debian/policygentool +++ b/debian/policygentool @@ -42,7 +42,7 @@ interface(`TEMPLATETYPE_domtrans',` type TEMPLATETYPE_t, TEMPLATETYPE_exec_t; ') - domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t) + domain_auto_transition_pattern($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t) allow $1 TEMPLATETYPE_t:fd use; allow TEMPLATETYPE_t $1:fd use; -- 2.8.1
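Review bot: both hunks keep the `$1, *_exec_t, *_t` argument order, which matches `domain_auto_transition_pattern`, and the `fd use` rules after it are still needed, so the change itself looks right; what is missing is the reason. The subject only says "old domain_auto_trans interface": please state whether `domain_auto_trans` is merely deprecated or no longer present in the refpolicy version the package now tracks, since that decides whether modules users already generated with the previous `policygentool` output still build against the new headers and whether the changelog needs to mention it.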
_______________________________________________ SELinux-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
