[DSE-Dev] New version of refpolicy headed towards incoming

Václav Ovsík vaclav.ovsik at i.cz
Tue Feb 19 07:51:17 UTC 2008


Hi,
a bit late reply, sorry...

On Sat, Feb 09, 2008 at 10:28:21PM -0600, Manoj Srivastava wrote:
> Hi,
> 
>         With this version of the (surprisingly lintian clean) reference
>  policy uploaded, all the SELinux packages, apart from setools, are now
>  at the latest released versions (in Sid, that is). I have not yet
>  packaged SVN HEAD for these packages, since I'd like to lurk for a bit
>  on the selinux mailing lists before I package them.

I'm not a DD (maintainer only). Please excuse my courage in writing here
about Debian essentials.

Maybe we should test the policy first, even without packaging. Changes
can be pushed upstream before packaging the latest reference policy.
The latest refpolicy is already a merge of the targeted & strict versions.
The behavior of the strict or the targeted policy can now be achieved
by inserting/excluding the "unconfined" module, AFAIK.

>         I am also toying with the idea of breaking out the reference
>  policy packages into smaller chunks; so that we have a base policy
>  (which is all that would be in standard); and rest can be broken out
>  into smaller chunks (at one extreme is having a per package
>  granularity, so apache policy would be one package, postfix policy
>  another, and one may make use of the Enhances relationship :-)

Hmm, interesting idea.

If not, the SELinux module loading script (currently written into the
postinst script of the policy package) should be moved to some utility,
update-selinux-policy-something. Maybe there should even be some config
file (and interface) for the system administrator, so they can force
loading of a module, blacklist it, or leave it at the default preference
(automatic loading). Some APT hook should automatically load/remove SELinux
policy packages according to the configuration when the counterpart Debian
packages are installed/removed.

If this is left to the package management software, there will be no
need to develop the above, but the information about the relationship
will be split across many packages. Maybe this will be less flexible?


>         The ideal solution would lie somewhere in between one giant
>  targeted/strict policy and each module in a separate package.  Figuring
>  out which set of modules to carve out into a Debian package is going to
>  be an interesting challenge.


> 
>         In the meanwhile, I have added a few Debian specific bug fixes
>  to the reference policy; I'll look at SVN head and see if they need to
>  be pushed upstream.  In the meanwhile, please do send in AVC denial
>  logs for the new policy in bug reports, we need to start cleaning up
>  the reference policy now if we are to meet Lenny release deadlines.

Ok, I set up another Debian Sid Xen domU with the latest SELinux packages
and the targeted policy from the Debian archive. Hmm, I can't run semanage
(#465053), so I can't test this now. First, we need a newer or patched
PAM package (#451722).

>         If people have private versions of refpolicy with fixes, I would
>  appreciate it if you could diff your policy against the  version
>  uploaded and send me the diffs.

I'm going to play with the latest reference policy and send mails to
selinux-devel at lists.alioth.debian.org and selinux at tycho.nsa.gov.
There is very low traffic on the selinux-devel list, and I hope that
people on selinux at tycho.nsa.gov will fix my ideas on how to do the
Debian-specific changes. :)

Regards
-- 
Zito
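
The utility and admin config file sketched in the message above, as an added example that is not part of this message, of refpolicy, or of any Debian package: a POSIX sh sketch of the decision logic for a hypothetical update-selinux-policy tool. Everything in it is an assumption for illustration: the config format (one "module state" line per policy module, state being force, blacklist or auto), the module-to-package mapping, the constructed list of installed packages, and the /usr/share/selinux/default/MODULE.pp path. The script only prints the semodule commands it would run, so it reads as a dry run and needs no SELinux-enabled host.

```shell
#!/bin/sh
# Hypothetical update-selinux-policy decision logic (added example, not
# Debian or refpolicy code).  Config, module map and installed-package
# list below are constructed sample data.
set -eu

# Admin config (assumed format): "<module> force|blacklist|auto"
#   force     - always load the module, whatever is installed
#   blacklist - never load it, remove it if present
#   auto      - load iff the counterpart Debian package is installed
POLICY_CONF='apache auto
postfix force
bind blacklist
cups auto'

# Assumed mapping: "<policy module> <counterpart Debian package>"
MODULE_MAP='apache apache2
postfix postfix
bind bind9
cups cupsys'

# Constructed package state: what dpkg would report as installed.
# (A real hook would derive this from dpkg-query; cupsys is absent here.)
INSTALLED_PKGS='apache2 bind9 postfix'

# decide_module MODULE STATE PKG "INSTALLED LIST" -> prints load|remove
decide_module() {
    mod=$1 state=$2 pkg=$3 installed=$4
    case $state in
        force) echo load ;;
        blacklist) echo remove ;;
        auto)
            # whole-word match of PKG inside the space-separated list
            case " $installed " in
                *" $pkg "*) echo load ;;
                *) echo remove ;;
            esac ;;
        *)
            echo "unknown state '$state' for module $mod" >&2
            return 1 ;;
    esac
}

# module_package MODULE -> counterpart package name from MODULE_MAP
module_package() {
    printf '%s\n' "$MODULE_MAP" | awk -v m="$1" '$1 == m { print $2; exit }'
}

# plan_modules -> one semodule command per configured module (dry run;
# the assumed .pp location is where a Debian policy package would ship it)
plan_modules() {
    printf '%s\n' "$POLICY_CONF" | while read -r mod state; do
        [ -n "$mod" ] || continue
        pkg=$(module_package "$mod")
        action=$(decide_module "$mod" "$state" "$pkg" "$INSTALLED_PKGS")
        case $action in
            load)   echo "semodule -i /usr/share/selinux/default/$mod.pp" ;;
            remove) echo "semodule -r $mod" ;;
        esac
    done
}

# Show the plan; a real APT hook would execute these lines instead.
plan_modules
```

With the sample data, apache (auto, apache2 installed) and postfix (force) are loaded, bind (blacklist) and cups (auto, cupsys not installed) are removed. An APT post-invoke hook would run the same planning step after every dpkg transaction, with INSTALLED_PKGS taken from dpkg-query rather than a constant.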
