Re: Packaging ltp selinux tests

To: debian-devel@lists.debian.org
Subject: Re: Packaging ltp selinux tests
From: Manoj Srivastava <srivasta@debian.org>
Date: Tue, 05 May 2009 11:06:38 -0500
Message-id: <[🔎] 87hbzzjzzl.fsf@anzu.internal.golden-gryphon.com>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20090504174508.GA14615@kos.to> (Riku Voipio's message of "Mon, 4 May 2009 20:45:08 +0300")
References: <op.urzj0r1zcfnueu@localhost> <[🔎] 20090504174508.GA14615@kos.to>

On Mon, May 04 2009, Riku Voipio wrote:

> On Mon, Apr 06, 2009 at 10:13:39PM -0000, Jiri Palecek wrote:
>> I'd like to package the selinux tests from the ltp test suite. The tests  
>> need a special selinux policy to be loaded and some files to be relabeled.  
>> I haven't found any standard way of packaging this, so I made an  
>> experimental package (see [1]; it sort of works - not completely,
>> like 10 tests out of 30, but that's not an issue now) and I would
>> like to hear your opinion on these issues: 
>
>> 1. The package loads the policy on "postinst configure" with semodule
>>    -i, is that right? (And did I implement it properly in the
>>    scripts?) There were some avc message during package install
>>    (semodule was denied access to a terminal with type apt_t), can
>>    this be solved? 

        I am not yet comfortable with my security policy changing just
 because a package is installed. So far, even the policy packages do not
 install the new policy, letting the security officer audit and manually
 install policy.

        Having security policies change automatically seems contrary to
 the whole  idea of buttoning down security, so this change is not
 likely to happen.

> As long as it fails gracefully is semodule binary is missing or
> selinux isn't enabled. 
>
>> 2. The relabeling has to be done manually with fixfiles relabel; is
>>    there a way to do it  (and should it be done) automatically? 

        The same applies here. Having packages relabel files is one way
 to potentially allow your security to fly out of the window.

>
>> 3. The runtime packages depend on selinux-policy-default; should it
>>    (alternatively) depend on the other policies too? Would this need
>>    a separate policy package? 

        Well, currently, selinux-policy-default is the only one being
 worked on.

>
>> 4. Should the policy package be in /usr/share?

        Which policy package?

        manoj
-- 
In Hollywood, if you don't have happiness, you send out for it. Rex Reed
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

Follow-Ups:
- Re: Packaging ltp selinux tests
  - From: Jiří Paleček <jpalecek@web.de>

References:
- Re: Packaging ltp selinux tests
  - From: Riku Voipio <riku.voipio@iki.fi>

Prev by Date: Re: deprecating /usr as a standalone filesystem?
Next by Date: Re: deprecating /usr as a standalone filesystem?
Previous by thread: Re: Packaging ltp selinux tests
Next by thread: Re: Packaging ltp selinux tests
Index(es):
- Date
- Thread