Re: Bits from the release team and request for discussion
On Tue, Aug 25 2009, Luk Claes wrote:
> Manoj Srivastava wrote:
>> Hi,
>>
>> I would like to set up a selinux related release goal for
>> Squeeze.
>>
>> Developer associated: Manoj Srivastava (Perhaps also Russell Coker,
>> but I have not discussed this with him)
>> Issues to be solved:
>> (a) Get all Debian patches to the reference security policy merged in
>> upstream. Status: In progress, we have all patches submitted,
>> some need to be tweaked and resubmitted based on feedback
>> Time line: 1-2 months, depending on free time I have
>
> While this is relevant to Debian, it does not look like it impacts what
> is in Debian or are there possible changes in Debian depending on the
> feedback?
I think there is a distinct possibility, yes. As the reference
policy evolves upstream, and our patches are not also changed to keep
in sync, we are reaching what I think are subtle breakages. The best
way of ensuring that we do not have mismatches in policy is to get the
patches into upstream policy, which has many more eyeballs on it, and
is tested more extensively.
>> (b) Update reference security policy to allow standard machines to be
>> in enforcing mode.
>> Status: It is possible to run minimal virtual machines in
>> enforcing mode, but real machines are somewhat crippled; these
>> denials need to be inspected, and determination needs to be made
>> for how to resolve them (do not want security holes enshrined in
>> policy)
>> Time line: 6-8 months (can be done in tandem with a, if there were
>> more people working on it)
>
> Are the issues identified already or do you have an idea about how
> many issues there are to tackle?
The issues involved depend on the set of packages
installed. Russell Coker has identified and solved issues related to
his play machine, and to his eepc laptop. My build machines which use
selinux virtual machine now show no issues, and most of the issues on my
development machine have been resolved.
I am uncertain of issues with SELinux and packages I do not
use. There are a few reported already against the refpolicy package,
and I am working at looking at them, and then forwarding them to the
refpolicy mailing list.
I am also somewhat rusty with the conventions adopted in
reference policy (some style issues, and some with more substance), so
this is likely to be slow going until I have time to get myself back up
to speed with modern policy. Help here is greatly appreciated.
> Do you have any documentation for possible contributors to help you with
> this?
I try this recipe (can be used in virtual machines, if you do
not want to mess up your real machines)
--8<---------------cut here---------------start------------->8---
# Policy type to relabel with; "default" is what selinux-policy-default ships
UML_POLICY_TYPE=${UML_POLICY_TYPE:-default}
aptitude install --without-recommends selinux-policy-default selinux-basics
# Initial relabel of the whole file system with the chosen policy's file contexts
if [ -e /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts ]; then
    setfiles /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts /
fi
# Uncomment the pam_selinux session lines so logins get a proper SELinux domain
if [ -e /etc/pam.d/login ]; then
    perl -pli~ -e 'm/session.*pam_selinux.so/ && s/^\#\s*//o' /etc/pam.d/login
    rm /etc/pam.d/login~
fi
if [ -e /etc/pam.d/ssh ]; then
    perl -pli~ -e 'm/session.*pam_selinux.so/ && do { s/^\#\s*//o; s/multiple//; } ' /etc/pam.d/ssh
    rm /etc/pam.d/ssh~
fi
# perl -i rewrote the PAM files, so relabel them before relying on them
if which setfiles >/dev/null 2>&1; then
    if [ -e /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts ]; then
        setfiles /etc/selinux/${UML_POLICY_TYPE}/contexts/files/file_contexts /etc/pam.d/
    fi
fi
if [ -x /sbin/fixfiles ]; then
    /sbin/fixfiles -l /root/fixfiles.log -f -F relabel
fi
# schedule a relabeling for the next reboot
touch /.autorelabel
--8<---------------cut here---------------end--------------->8---
To grub, I add:
--8<---------------cut here---------------start------------->8---
# defoptions=selinux=1 audit=1
--8<---------------cut here---------------end--------------->8---
And then reboot. The next reboot will finish relabelling the
files, and set me up with SELinux enabled, and in enforcing mode.
If we had more people testing the SELinux policies and reporting
the denials to the refpolicy mailing list, we could rapidly get
refpolicy in sync with Debian specific additions.
Thanks in advance for help,
manoj
--
"Intelligence without character is a dangerous thing." Steinem
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
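As an added example, not part of Manoj's mail or of the Debian selinux packages: the step the mail asks testers for, inspecting the denials a machine produces in enforcing (or permissive) mode before reporting them to the refpolicy list, is easier when the raw AVC records from /var/log/audit/audit.log are grouped by source type, target type and object class. The script below does that grouping and renders each group in the same rule shape audit2allow prints, so the report shows at a glance what a policy change would have to grant; the audit lines it runs on are constructed samples, and nothing here is meant to be loaded into policy unreviewed.

```python
import re
import sys

# Constructed sample audit records (not from a real machine). One group of two
# sshd denials, one crond denial, one "granted" record and one non-AVC line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1251200000.101:40): avc:  denied  { read } for  pid=2101 comm="sshd" name="authorized_keys" dev=sda1 ino=4091 scontext=system_u:system_r:sshd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1251200000.102:41): avc:  denied  { read open } for  pid=2102 comm="sshd" name="authorized_keys" dev=sda1 ino=4091 scontext=system_u:system_r:sshd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1251200000.110:42): avc:  denied  { write } for  pid=2310 comm="cron" name="cron.log" dev=sda1 ino=5120 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1251200000.120:43): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1251200000.101:40): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
"""

# "avc:  denied  { read open } for  pid=... comm=... scontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="sshd") or bare (tclass=file)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'decision': m.group('decision'),
        'perms': set(m.group('perms').split()),
        'scontext': fields.get('scontext', ''),
        'tcontext': fields.get('tcontext', ''),
        'tclass': fields.get('tclass', ''),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name') or fields.get('path') or '',
    }


def context_type(ctx):
    """user:role:type:level -> type (the part policy rules are written against)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def summarize_denials(lines):
    """Group denied AVCs by (source type, target type, class); accumulate
    the permissions asked for, how often, and which programs asked."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue  # granted records and SYSCALL/PATH lines are not denials
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        entry = summary.setdefault(key, {'count': 0, 'perms': set(), 'comm': set(), 'names': set()})
        entry['count'] += 1
        entry['perms'] |= rec['perms']
        entry['comm'].add(rec['comm'])
        if rec['name']:
            entry['names'].add(rec['name'])
    return summary


def as_allow_rules(summary):
    """Render each group as the rule a policy author would have to write to
    make the denial go away. This is the input to a decision (allow, dontaudit,
    relabel the file, or fix the program), not output to be loaded as-is."""
    rules = []
    for (stype, ttype, tclass), e in sorted(summary.items()):
        perms = ' '.join(sorted(e['perms']))
        rules.append(
            f"allow {stype} {ttype}:{tclass} {{ {perms} }};  "
            f"# seen {e['count']}x, comm={','.join(sorted(e['comm']))}, "
            f"names={','.join(sorted(e['names'])) or '-'}"
        )
    return rules


if __name__ == '__main__':
    # Usage: python avc_summary.py /var/log/audit/audit.log (no argument: sample data)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors='replace') as fh:
            audit_lines = fh.read().splitlines()
    else:
        audit_lines = SAMPLE_AUDIT_LOG.splitlines()
    for rule in as_allow_rules(summarize_denials(audit_lines)):
        print(rule)
```

On a Debian box with auditd the file to pass is /var/log/audit/audit.log; without auditd the same AVC records land in the kernel log and can be fed in from dmesg output, since the parser only looks at the `avc:` part of each line. The "granted" records (produced by auditallow rules) are deliberately skipped, and the per-group `names=` list is what tells you whether a denial is a policy gap or simply a mislabelled file that a relabel fixes.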