[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the release team and request for discussion



On Tue, Aug 25 2009, Luk Claes wrote:

> Manoj Srivastava wrote:
>> Hi,
>> 
>>         I would like to set up a selinux related release goal for
>>  Squeeze.
>> 
>>  Developer assiociated:  Manoj Srivastava (Perhaps also Russell Coker,
>>                          but I have not discussed this with him)
>>  Issues to be solved:
>>    (a) Get all Debian patches to the reference security policy merged in
>>        upstream.  Status: In progress, we have all patches submitted,
>>        some need to be tweaked and resubmitted based on feedback
>>         Time line: 1-2 months, depending on free tie I have
>
> While this is relevant to Debian, it does not look like it impacts what
> is in Debian or are there possible changes in Debian depending on the
> feedback?

        I think there is a distinct possibility, yes. As the reference
 policy evolves upstream, and out patches are not also changed to keep
 in sync, we are reaching what I think are sublte breakages. The gbest
 way of ensuring that we do not have mismatches in policy is to get the
 patches into upstream policy, which has many more eyeballs on it, and
 is tested more extensively.

>>    (b) Update reference security policy to allow standard machines to be
>>        in enforcing mode.
>>        Status: It is possible to run minimal virtual machines in
>>        enforcing mode, but real machines are somewhat crippled; these
>>        denials need to be inspected, and determination needs to be made
>>        for how to resolve them (no not want security holes enshrined in
>>        policy)
>>       Time line: 6-8 months (can be done in tandem with a, if here were
>>       more people working on it)
>
> Are the issues identified already or do you have an idea about how
> many issues there are to tackle?

        The issues involved depend on the set of packages
 installed. Russell Coker has identified and solved  issues related to
 his play machine, and to his eepc laptop. My build machines which use
 selinux virtual machine now show no issues, and most of the issue on my
 development machine have been resolved.

        I am uncertain of issues with SELinux and packages I do not
 use.  There are a few reported already against the refpolicy package,
 and I am working at looking at them, and then forwarding them to the
 refpolicy mailing list.

        I am also somewhat rusty with the conventions adopted in
 reference policy (some style issues, and some with more substance), so
 this s likely to be slow going until I have time to get myself back up
 to speed with modern policy. Help here is greatly appreciated.

> Do you have any documentation for possible contributors to help you with
> this?

        I try this recipe (can be used in virtual machines, if you do
 not want to mess up your real machines)
--8<---------------cut here---------------start------------->8---
aptitude install --without-recommendsselinux-policy-default selinux-basics
if [ -e /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts  ]; then
 setfiles /etc/selinux/default/contexts/files/file_contexts /
fi
if [ -e  /etc/pam.d/login ]; then
  perl -pli~ -e 'm/session.*pam_selinux.so/ && s/^\#\s*//o' /etc/pam.d/login
  rm /etc/pam.d/login~
fi
if [ -e /etc/pam.d/ssh ]; then
  perl -pli~ -e 'm/session.*pam_selinux.so/ && do { s/^\#\s*//o; s/multiple//; } ' /etc/pam.d/ssh
  rm /etc/pam.d/ssh~
fi

if which setfiles >/dev/null 2>&1; then
  if [ -e /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts  ]; then
   setfiles /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts /etc/pamd.d/
  fi
fi

if [  -x /sbin/fixfiles ]; then
    /sbin/fixfiles -l /root/fixfiles.log  -f -F relabel
fi

# schedule a relabeling for the next reboot
touch /.autorelabel
--8<---------------cut here---------------end--------------->8---

        To grub, I add:
--8<---------------cut here---------------start------------->8---
# defoptions=selinux=1 audit=1
--8<---------------cut here---------------end--------------->8---

        And then reboot. The next reboot will finish relabelling the
 files, and sets me up with selinix enabled, and in enforcing mode.

        If we had more people testing the SELinux policies and reporting
 the denials to the refpolicy mailing list, we  could rapidly get into
 refpolicy in sync with Debian specific additions.

        Thanks in advance for help,

        manoj
-- 
"Intelligence without character is a dangerous thing." Steinem
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


Reply to: