[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packaging ltp selinux tests



On Tue, 05 May 2009 18:20:15 +0200, Manoj Srivastava <srivasta@debian.org> wrote:

On Mon, May 04 2009, Riku Voipio wrote:

On Mon, Apr 06, 2009 at 10:13:39PM -0000, Jiri Palecek wrote:
I'd like to package the selinux tests from the ltp test suite. The tests need a special selinux policy to be loaded and some files to be relabeled.
I haven't found any standard way of packaging this, so I made an
experimental package (see [1]; it sort of works - not completely,
like 10 tests out of 30, but that's not an issue now) and I would
like to hear your opinion on these issues:

1. The package loads the policy on "postinst configure" with semodule
   -i, is that right? (And did I implement it properly in the
   scripts?) There were some avc message during package install
   (semodule was denied access to a terminal with type apt_t), can
   this be solved?

        I am not yet comfortable with my security policy changing just
 because a package is installed. So far, even the policy packages do not
 install the new policy, letting the security officer audit and manually
 install policy.

OK. Would you be comfortable with a debconf question on the subject, then?

        Having security policies change automatically seems contrary to
 the whole  idea of buttoning down security, so this change is not
 likely to happen.

As long as it fails gracefully is semodule binary is missing or
selinux isn't enabled.

2. The relabeling has to be done manually with fixfiles relabel; is
   there a way to do it  (and should it be done) automatically?

        The same applies here. Having packages relabel files is one way
 to potentially allow your security to fly out of the window.

How should I convey information about the contexts of the files in the package?


3. The runtime packages depend on selinux-policy-default; should it
   (alternatively) depend on the other policies too? Would this need
   a separate policy package?

        Well, currently, selinux-policy-default is the only one being
 worked on.


4. Should the policy package be in /usr/share?

        Which policy package?

The .pp file.

Regards
    Jiri Palecek

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/


Reply to: