[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Making SELinux standard for etch

Hi,

        We are at a point where we can support a targeted SELinux
 policy, at least in permissive mode.  Everything seems to work for
 me; I can fire up targeted SELinux UML's and only see a few harmless
 log messages.

        I brought this over on the debian-installer mailing list, and
 suggested that we ship SELinux installed, but turned off by default;
 and a README or a short shell script fr the local administrator to
 enable SELinux.  Our support at this point is better in some respects
 to any other distribution (selecting and installing modular policy
 modules, for instance). All the core packages support SELinux (unlike
 in, say, Ubuntu).

       We can do this by adding selinux-policy-refpolicy-targeted,
 and the dependencies, to the standard install.

        With the help of
  apt-rdepends --dotty selinux-policy-refpolicy-targeted
 I have managed to determine that the packages not already included in
 Priority Standard are:

,----[ Additional packages required ]
| Package: selinux-policy-refpolicy-targeted
| Size: 1232692
| Installed-Size: 16712
|
| Package: policycoreutils
| Size: 348324
| Installed-Size: 3304
|
| Package: libsemanage1-dev
| Size: 333718
| Installed-Size: 2076
|
| Package: libsemanage1
| Size: 70910
| Installed-Size: 296
|
| Package: python-semanage
| Size: 115336
| Installed-Size: 648
|
| Package: python-selinux
| Size: 61788
| Installed-Size: 308
|
| Package: python-support
| Size: 22934
| Installed-Size: 104
`----

        The size of the .debs for targeted policy is 2185702 Bytes,
 and adds seven packages to the standard install.  No special
 configuration should be required; the default configuration out of
 the box ought to work.  All these packages are available on all
 architectures:
 http://people.debian.org/~igloo/status.php?email=srivasta%40debian.org
 And all have migrated to testing:
 http://qa.debian.org/developer.php?login=srivasta

        As per policy, I am raising a balloon about ths issue; I think
 if we ship vacation, finger, and sharutils, we can also ship
 mandatory acess controls in the standard distribution :)

        As shipped, the Debian kernel images have SELinux compiled in,
 but disabled, a command line parameter is required to turn SELinux
 on. When SELinux is turned on (by enabling it in grub), the default
 policy setting are that the machine would come on in permissive mode,
 using the targeted policy; so the worst case scenario is that the
 there would be lots of log messages if someone "accidentally" turned
 on SELinux.

        I think we are ready.  And shipping SELinux by default would
 be a positive thing, in these days of accelerating attacks :)


        manoj
-- 
No skis take rocks like rental skis!
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
Reply to: