Re: [DSE-Dev] New version of refpolicy headed towards incoming

To: debian-devel@lists.debian.org
Subject: Re: [DSE-Dev] New version of refpolicy headed towards incoming
From: Manoj Srivastava <srivasta@debian.org>
Date: Fri, 21 Mar 2008 04:44:23 -0500
Message-id: <[🔎] 873aqko1hk.fsf@anzu.internal.golden-gryphon.com>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <20080219075117.GA14001@bobek.pm.i.cz> ("Václav Ovsík"'s message of "Tue, 19 Feb 2008 08:51:17 +0100")
References: <871w7lmo4a.fsf@anzu.internal.golden-gryphon.com> <20080219075117.GA14001@bobek.pm.i.cz>

On Tue, 19 Feb 2008 08:51:17 +0100, Václav Ovsík <vaclav.ovsik@i.cz> said: 

> Maybe we should test the policy first even without packaging. Changes
> can be pushed upstream before packaging the latest reference policy.

        Well, the policy in Sid is now the SVN HEAD/

> Latest refpolicy is already merge of targeted & strict versions. The
> behavior of the strict or the targeted policy versions can be achieved
> by inserting/excluding "unconfined" module now AFAIK.

        Which begs the question: Shouyld we drop the "strict" and
 "targeted" policies, and just ship refpolicy?

> If not this case, the SELinux module loading script (currently written
> into postinst script of policy) should be moved to some utility
> update-selinux-policy-something. Maybe even there should be some
> config file (and interface) for system administrator, so it can force
> loading some module, blacklist it or left it in default preference
> (automatic loading). Some APT hook should automaticaly load/remove
> SELinux policy packages according to configuration when counterpart
> Debian packages will be installed/removed.

        Sounds like a plan.

> Ok, I setup another Debian Sid XEN domU with latest SELinux packages
> and the targeted policy from Debian archive. Hmm, I can't run semanage
> (#465053), so I can't test this now. At first, we need a newer or
> patched PAM package (#451722).

        The semanage issue should now be fixed; and we need to get the
 pam bug fixed.

> I'm going to play with the latest reference policy and to sent mails
> through selinux-devel@lists.alioth.debian.org and
> selinux@tycho.nsa.gov.  There is a very low traffic on the
> selinux-devel list and I hope, that people on selinux@tycho.nsa.gov
> will fix my ideas how to the Debian-specific changes. :)

        Well, you could always file wishlist bugs on Debian packages,
 you know.

        manoj
-- 
Are the STEWED PRUNES still in the HAIR DRYER?
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

Prev by Date: Re: Using apt-file db to find possible conflicts
Next by Date: Re: source:Version and ancient dpkg-dev
Previous by thread: Work-needing packages report for Mar 21, 2008
Next by thread: Bug#471954: ITP: lxde -- Lightweight X11 Desktop Environment
Index(es):
- Date
- Thread