Re: Bits from the release team and request for discussion
On Thu, Jul 30, 2009 at 11:16 AM, Manoj Srivastava <srivasta@debian.org> wrote:
> Hi,
>
> I would like to set up a selinux related release goal for
> Squeeze.
>
> Developer associated: Manoj Srivastava (Perhaps also Russell Coker,
> but I have not discussed this with him)
> Issues to be solved:
> (a) Get all Debian patches to the reference security policy merged in
> upstream. Status: In progress, we have all patches submitted,
> some need to be tweaked and resubmitted based on feedback
> Time line: 1-2 months, depending on free time I have
> (b) Update reference security policy to allow standard machines to be
> in enforcing mode.
> Status: It is possible to run minimal virtual machines in
> enforcing mode, but real machines are somewhat crippled; these
> denials need to be inspected, and determination needs to be made
> for how to resolve them (do not want security holes enshrined in
> policy)
> Time line: 6-8 months (can be done in tandem with a, if there were
> more people working on it)
> (c) Make it easier to run in strict (no unconfined.pp module)
> mode. This needs firstly documentation, and secondly, additional
> tweaks to policy to make it work. Russell has a play machine
> where it all works, but those changes are not in the reference
> policy -- and some of them might not be fit to be in ref policy
> at all.
> Time line: 9-12 months
>
> The actual non-policy packages are now well in sync with
> upstream, so the weak point is the security policy.
>
> Ideally, the goal would be to have Squeeze certifiable at EAL-4,
> at least the "standard" install (no optional packages), if someone with
> deep pockets were willing to actually pay for the certification, and be
> willing to push through the process.
Which parts of the work you described above would be needed for Squeeze
to be certifiable at EAL-4? All of them?
Based on your timeline, it seems A is on track to make Squeeze, we
should get more people to work with you on B (setting as a goal) and C
would be a no go for this release, jmo. Am I wrong?
regards,
-- Gustavo "stratus" Franco
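Item (b) in the quoted proposal hinges on inspecting AVC denials one by one and deciding which may become policy and which would enshrine a hole. The script below, added here as an illustration and not code from the proposal, from Debian, or from the SELinux reference policy, shows the shape of that triage: it parses kernel AVC records in the audit.log format, aggregates denials by (source type, target type, object class), and sorts each group into "candidate" (plausible allow rule) or "review" (permission or target that a human must judge before any rule is written). The three audit lines, the RISKY_PERMS and SENSITIVE_TARGETS sets, and the classify() thresholds are constructed assumptions for the example; a real policy review would use audit2allow/audit2why output and the actual denial set from the machine.

```python
import re
from collections import defaultdict

# Fields we need from a kernel AVC record as it appears in /var/log/audit/audit.log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample denials (hypothetical; not taken from any real machine).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1248950000.123:45): avc:  denied  { read } for  pid=1234 comm="ntpd" '
    'name="localtime" dev=sda1 ino=1234 scontext=system_u:system_r:ntpd_t:s0 '
    'tcontext=system_u:object_r:locale_t:s0 tclass=file',
    'type=AVC msg=audit(1248950001.456:46): avc:  denied  { write } for  pid=2345 comm="cupsd" '
    'name="shadow" dev=sda1 ino=5678 scontext=system_u:system_r:cupsd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1248950002.789:47): avc:  denied  { read getattr } for  pid=1234 comm="ntpd" '
    'name="localtime" dev=sda1 ino=1234 scontext=system_u:system_r:ntpd_t:s0 '
    'tcontext=system_u:object_r:locale_t:s0 tclass=file',
]

# Assumed review lists: permissions that change state or code, and target types whose
# exposure would be a security hole if an allow rule were generated mechanically.
RISKY_PERMS = {"write", "append", "create", "unlink", "setattr", "execute", "execmem",
               "execmod", "entrypoint", "transition", "relabelfrom", "relabelto"}
SENSITIVE_TARGETS = {"shadow_t", "security_t", "etc_t", "bin_t", "lib_t", "boot_t", "kernel_t"}


def seltype(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC denial line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": seltype(m.group("scontext")),
        "ttype": seltype(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(lines):
    """Merge denials into {(source type, target type, class): set of permissions}."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


def classify(stype, ttype, tclass, perms):
    """'review' if a human must judge the rule, otherwise 'candidate' for a policy patch."""
    if ttype in SENSITIVE_TARGETS or perms & RISKY_PERMS:
        return "review"
    return "candidate"


def to_allow_rule(stype, ttype, tclass, perms):
    """Render the allow rule a tool like audit2allow would propose for this group."""
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


def report(lines):
    """Return a list of (verdict, rule text) for every aggregated denial group."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        verdict = classify(stype, ttype, tclass, perms)
        out.append((verdict, to_allow_rule(stype, ttype, tclass, perms)))
    return out


if __name__ == "__main__":
    for verdict, rule in report(SAMPLE_AVC_LINES):
        print("%-9s %s" % (verdict, rule))
```

Run against a real log (`ausearch -m avc --raw | python3 triage.py`, feeding lines into report()), the "candidate" bucket is what one would consider sending upstream as a refpolicy patch; the "review" bucket is exactly the set the quoted message says must not be resolved by blindly generating allow rules.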