Re: Bits from the release team and request for discussion
Hi,
I would like to set up an SELinux-related release goal for
Squeeze.
Developer associated: Manoj Srivastava (Perhaps also Russell Coker,
but I have not discussed this with him)
Issues to be solved:
(a) Get all Debian patches to the reference security policy merged in
upstream. Status: In progress, we have all patches submitted,
some need to be tweaked and resubmitted based on feedback
Time line: 1-2 months, depending on free time I have
(b) Update reference security policy to allow standard machines to be
in enforcing mode.
Status: It is possible to run minimal virtual machines in
enforcing mode, but real machines are somewhat crippled; these
denials need to be inspected, and determination needs to be made
for how to resolve them (do not want security holes enshrined in
policy)
Time line: 6-8 months (can be done in tandem with (a), if there were
more people working on it)
(c) Make it easier to run in strict (no unconfined.pp module)
mode. This needs firstly documentation, and secondly, additional
tweaks to policy to make it work. Russell has a play machine
where it all works, but those changes are not in the reference
policy -- and some of them might not be fit to be in ref policy
at all.
Time line: 9-12 months
The actual non-policy packages are now well in sync with
upstream, so the weak point is the security policy.
Ideally, the goal would be to have Squeeze certifiable at EAL-4,
at least the "standard" install (no optional packages), if someone with
deep pockets were willing to actually pay for the certification, and be
willing to push through the process.
manoj
--
The Public is merely a multiplied "me." Mark Twain
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C