[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the release team and request for discussion

On Fri, 31 Jul 2009, Manoj Srivastava <srivasta@debian.org> wrote:
>  Developer assiociated:  Manoj Srivastava (Perhaps also Russell Coker,
>                          but I have not discussed this with him)

I will be involved in this, but I find it difficult to get enough free time.

>  Issues to be solved:
>    (a) Get all Debian patches to the reference security policy merged in
>        upstream.  Status: In progress, we have all patches submitted,
>        some need to be tweaked and resubmitted based on feedback
>         Time line: 1-2 months, depending on free tie I have

Great work!

>    (b) Update reference security policy to allow standard machines to be
>        in enforcing mode.
>        Status: It is possible to run minimal virtual machines in
>        enforcing mode, but real machines are somewhat crippled; these
>        denials need to be inspected, and determination needs to be made
>        for how to resolve them (no not want security holes enshrined in
>        policy)
>       Time line: 6-8 months (can be done in tandem with a, if here were
>       more people working on it)

That shouldn't be difficult.  Incidentally it would really help me with 
working on this if you could get the policy to build with -j2...

>    (c) Make it easier to run in strict (no unconfined.pp module)
>        mode. This needs firstly documentation, and secondly, additional
>        tweaks to policy to make it work. Russell has a play machine
>        where it all works, but those changes are not in the reference
>        policy -- and some of them might not be fit to be in ref policy
>        at all.
>       Time line: 9-12 months

My Play Machine runs the same policy as every other SE Linux machine I run 
which is also the same as the policy in my repository (a newer version than 
the policy in Lenny).  There is a single extra module of policy which allows 
read-only and read-append file types so that guest users can't mess with each 
other so easily.

The basic strict functionality works without any changes to policy.

Solving B plus writing a tiny amount of documentation will solve C.

>         Ideally, the goal would be to have Squeeze certifiable at EAL-4,
>  at least the "standard" install (no optional packages), if someone with
>  deep pockets were willing to actually pay for the certification, and be
>  willing to push through the process.

The EAL number is a matter of how well you meet your profile targets.  We can 
meet the requirements to be certifiable (*) with CAPP and RBACPP at EAL-4 if 
we continue on the current course.  Meeting LSPP will be a lot harder, I've 
never even tried that on Debian.  Not that out users are likely to mind - 
very few people use LSPP configurations.

(*) Getting certified requires a lot of time, paperwork, and money.  Expect to 
spend the best part of $1,000,000 to get it.

http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog

Reply to: