
Re: Fixing up SELinux reference policy for Debian

Hi Manoj,
Thanks for the work on getting SELinux strict working!
Are you using an initrd and/or udev in your UML?

>         I think we need to create debian specific policy changes to
>  allow searching /var, /var/lib, and /var/lib/dpkg.  We also read file
>  permissions on files in /var/lib/dpkg; and these need to be added to a
>  generic user.

IMHO that is okay.

>         After that, I need to start branching out, and adding, say,
>  apache2 servers to my UML, and checking validity of strict policy.

We'd also need people to work on e.g. an exim and a tomcat policy.

>         Given the magnitude of these changes, I am planning on trying to
>  do a backport of SELinux packages for Etch, at least, for the current
>  release, before the kernel requirements diverge too much.

I'm with you on that. We really should provide backports to offer
powerful SELinux support for etch. There are just too many small issues
with etch that break it one place or another.
(Such as liblzo breaking openvpn; http://bugs.debian.org/336138 )
We should try to get SELinux *strict* on etch into shape so people can
use it on firewalls (including openvpn and IPSec), common mail and web
server setups with little effort (well, let's say 'without cgi and
complex PHP things' because that is an endless field then).
Maybe propose them for a maintenance release even.

best regards,
Erich Schubert
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
    There was never a good war or a bad peace. - Benjamin Franklin   //\
            The shortest connection between two people is a smile.   V_/_
