
Re: SE Linux in Etch - was Release sarge now, or discuss etch issues?



On Wed, 20 Apr 2005 10:13:54 +1000, Russell Coker <russell@coker.com.au> said: 

> On Tuesday 15 March 2005 09:32, Joey Hess <joeyh@debian.org> wrote:
>> The fact that the release team now sees the light at the end of the
>> tunnel for the release of sarge means that now is the time we need
>> to begin planning for etch. Allowing unstable development to pick
>> back up after a release with no clear plan for the next release has
>> been shown time and time again to delay the next release by one to
>> two *years*.  The rest follows from that.

> Currently we plan to have libselinux in base for Etch.  SE Linux
> code is in cron and logrotate which can be simply recompiled for
> full SE support.  Fcron already is compiled with SE Linux support.
> The maintainer of sysvinit has agreed in concept to compile with SE
> support once libselinux is in base.

> We can basically make SE Linux usable by most people with a small
> amount of work once the above changes are made.

> I would like to see a general goal for Etch to have SE Linux as an
> option at install time.  

	In pursuance of that goal, I have made available a patched
 branch of dpkg-devel which has support for SELinux. Please pull from  
 srivasta@debian.org--2005-selinux/dpkg--selinux--1.13
  (http://arch.debian.org/arch/private/srivasta/archive-2005-selinux)

	This branch should have a small, very non-intrusive patch that
 does not have a performance hit on a non-SELinux system. It does add
 a dependency on libselinux1 for dpkg.

	Please see
 http://www.golden-gryphon.com/software/security/selinux.xhtml
  for details.

	You may browse the repository at
 http://www.golden-gryphon.com/cgi-bin/archzoom.cgi/srivasta@debian.org--2005-selinux/?expand

	If you want to try out this SELinux-aware dpkg, as well as
 Greg T. Norris' SELinux-patched coreutils package, please point apt
 at:

 deb http://people.debian.org/~srivasta/ packages/
 deb-src http://people.debian.org/~srivasta/ packages/source/

	manoj

Repository links

dpkg--stable
    The stable upstream DPKG branch, meant for Sarge. 
dpkg--devel
    The upstream development branch for dpkg. This is meant for Etch
    -- and since Etch can promote libselinux1 to an essential
    priority, this branch of dpkg could be linked against libselinux1.  
dpkg--selinux-old
    Russell Coker's modifications to dpkg, which introduce
    {pre,post}{inst,rm}.d/ directories to label installed package
    files correctly, using setfiles. Unfortunately, these changes were
    deemed too far reaching, and really suboptimal, by dpkg authors,
    since they were not comfortable introducing the general purpose
    hook directories, which could lead to non-deterministic behaviour,
    and could be open to all kinds of abuse.  
dpkg--selinux
    A new modification of dpkg, using SELinux library calls
    (matchpathcon and {l,f}setfilecon) to set the security context of
    component files just after unpacking. This approach may be more
    acceptable, since it does not create a whole set of directories
    that are open to potential abuse, and fits in with the chown/chmod
    calls that dpkg already makes. 


-- 
What is food to one, is to others bitter poison. Titus Lucretius Carus
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
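The dpkg--selinux mechanism described under "Repository links" (look up the context for each unpacked path with matchpathcon, then apply it with lsetfilecon, at the same point where dpkg already does its chown/chmod), shown as an added example. This is not dpkg's code and not libselinux: it re-implements the lookup over a constructed file_contexts-style table with POSIX regexes, and performs the xattr write that lsetfilecon does underneath. Assumptions: the sample lines in `sample_specs` (a few refpolicy-like entries, not the real policy), the "regexes are anchored, type restriction must agree, last matching line wins" rule, and the paths used in the dry run.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>

/* One file_contexts line: "regex [-type] context".
 * ftype is the S_IFMT class the line is restricted to (0 = any type). */
struct spec {
    const char *regex;
    mode_t      ftype;
    const char *context;   /* "<<none>>" means: do not relabel this path */
};

/* Constructed sample table (assumption: a handful of refpolicy-like
 * lines, not the real policy). Generic lines first, specific lines last. */
static const struct spec sample_specs[] = {
    { "/.*",             0,       "system_u:object_r:default_t:s0" },
    { "/etc(/.*)?",      0,       "system_u:object_r:etc_t:s0" },
    { "/etc/shadow.*",   S_IFREG, "system_u:object_r:shadow_t:s0" },
    { "/usr/bin(/.*)?",  0,       "system_u:object_r:bin_t:s0" },
    { "/usr/bin/passwd", S_IFREG, "system_u:object_r:passwd_exec_t:s0" },
    { "/var/run(/.*)?",  0,       "<<none>>" },
};
#define NSPEC (sizeof sample_specs / sizeof sample_specs[0])

/* Stand-in for matchpathcon(): each regex is anchored as ^...$, a
 * type-restricted line only applies to that S_IFMT class, and the LAST
 * matching line wins (assumption: the classic file_contexts rule).
 * Returns the context string, "<<none>>", or NULL when nothing matches. */
const char *lookup_context(const struct spec *specs, size_t n,
                           const char *path, mode_t mode)
{
    const char *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (specs[i].ftype && (mode & S_IFMT) != specs[i].ftype)
            continue;
        char anchored[512];
        snprintf(anchored, sizeof anchored, "^%s$", specs[i].regex);
        regex_t re;
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
            continue;                     /* malformed line: skip it */
        int hit = regexec(&re, path, 0, NULL, 0) == 0;
        regfree(&re);
        if (hit)
            best = specs[i].context;      /* keep scanning: last match wins */
    }
    return best;
}

/* Stand-in for lsetfilecon(): write the security.selinux xattr on the
 * path itself, never following a symlink, including the terminating NUL
 * as libselinux does. This is the call dpkg would make for every file
 * right after unpacking it, before any maintainer script runs.
 * Returns 0 on success or when there is nothing to set, -1 with errno
 * otherwise (typically EOPNOTSUPP without an SELinux-enabled kernel). */
int label_path(const char *path, const struct spec *specs, size_t n)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    const char *con = lookup_context(specs, n, path, st.st_mode);
    if (con == NULL || strcmp(con, "<<none>>") == 0)
        return 0;
    return lsetxattr(path, "security.selinux", con, strlen(con) + 1, 0);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        /* Dry run over constructed paths: show which line wins. */
        const char *paths[] = { "/usr/bin/passwd", "/usr/bin/ls",
                                "/etc/shadow", "/var/run/dpkg.lock" };
        for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
            const char *c = lookup_context(sample_specs, NSPEC, paths[i], S_IFREG);
            printf("%-20s -> %s\n", paths[i], c ? c : "(no match)");
        }
        return 0;
    }
    /* With arguments: actually label the given paths (needs root and an
     * SELinux-enabled kernel; elsewhere expect an error such as EOPNOTSUPP). */
    for (int i = 1; i < argc; i++)
        if (label_path(argv[i], sample_specs, NSPEC) != 0)
            fprintf(stderr, "%s: %s\n", argv[i], strerror(errno));
    return 0;
}
```

Two things worth noticing. First, labelling happens per file right after unpack, so there is no window in which a freshly written file sits with an inherited label until some later hook runs, and no general-purpose hook directory for anything else to drop scripts into, which is the objection recorded against dpkg--selinux-old. Second, a real build against libselinux should gate all of this on is_selinux_enabled() returning non-zero, so that on a non-SELinux system dpkg neither pays for the lookup nor reports the failed xattr write as an error; that check is the "no performance hit" property the message claims for the branch.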
