Re: Bits from the release team and request for discussion
On Fri, 31 Jul 2009, Manoj Srivastava <firstname.lastname@example.org> wrote:
> Developer associated: Manoj Srivastava (Perhaps also Russell Coker,
> but I have not discussed this with him)
I will be involved in this, but I find it difficult to get enough free time.
> Issues to be solved:
> (a) Get all Debian patches to the reference security policy merged in
> upstream. Status: In progress, we have all patches submitted,
> some need to be tweaked and resubmitted based on feedback
> Time line: 1-2 months, depending on free time I have
> (b) Update reference security policy to allow standard machines to be
> in enforcing mode.
> Status: It is possible to run minimal virtual machines in
> enforcing mode, but real machines are somewhat crippled; these
> denials need to be inspected, and determination needs to be made
> for how to resolve them (do not want security holes enshrined in
> Time line: 6-8 months (can be done in tandem with a, if there were
> more people working on it)
That shouldn't be difficult. Incidentally it would really help me with
working on this if you could get the policy to build with -j2...
> (c) Make it easier to run in strict (no unconfined.pp module)
> mode. This needs firstly documentation, and secondly, additional
> tweaks to policy to make it work. Russell has a play machine
> where it all works, but those changes are not in the reference
> policy -- and some of them might not be fit to be in ref policy
> at all.
> Time line: 9-12 months
My Play Machine runs the same policy as every other SE Linux machine I run
which is also the same as the policy in my repository (a newer version than
the policy in Lenny). There is a single extra module of policy which allows
read-only and read-append file types so that guest users can't mess with each
other so easily.
The basic strict functionality works without any changes to policy.
Solving B plus writing a tiny amount of documentation will solve C.
> Ideally, the goal would be to have Squeeze certifiable at EAL-4,
> at least the "standard" install (no optional packages), if someone with
> deep pockets were willing to actually pay for the certification, and be
> willing to push through the process.
The EAL number is a matter of how well you meet your profile targets. We can
meet the requirements to be certifiable (*) with CAPP and RBACPP at EAL-4 if
we continue on the current course. Meeting LSPP will be a lot harder, I've
never even tried that on Debian. Not that our users are likely to mind -
very few people use LSPP configurations.
(*) Getting certified requires a lot of time, paperwork, and money. Expect to
spend the best part of $1,000,000 to get it.
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog