[DSE-Dev] Re: Fixing up SELinux reference policy for Debian

Manoj Srivastava srivasta at debian.org
Sat May 12 01:53:47 UTC 2007


Hi,

        I have just uploaded a version of refpolicy that has a number of
 Debian specific SELinux policy changes. I can now do an aptitude
 update, and aptitude upgrade while running strict policy in enforcing
 mode in my UML machine.  The createfs.sh script now incorporates all
 the recommended changes on http://wiki.debian.org/SELinux/Setup, so it
 is relatively easy to create such a UML.
  http://www.golden-gryphon.com/software/security/selinux-uml.xhtml

        I also have a patch for sysvinit's /etc/network/if-up.d/mountnfs 
 to provide the context when creating /var/run/network/mountnft; if and
 only if we are running selinux.  I'll send in a wishlist bug report
 soon.

        My local policy file has been reduced to a single allow rule,
 and about half a dozen dontaudit rules, and is now shipped with the
 strict policy package as an example.

        The single allow rule that I still need is due to Bug#390067; I
 have not yet had a chance to create a helper script that would do the
 logging, and which can be put into a different security domain.

        However, a more basic problem exists: as an ordinary user, I
 can't run dpkg-checkbuilddeps, or do anything that needs looking at
 /var/lib/dpkg -- since plain old users can't look into /var.

        I think we need to create debian specific policy changes to
 allow searching /var, /var/lib, and /var/lib/dpkg.  We also need read
 permissions on files in /var/lib/dpkg, and these need to be added to a
 generic user.

        Any objections? (I don't think I want to create a whole
 different class of user for this capability).  This would be the
 minimal requirements to start building my Debian packages in enforcing
 mode again.

        After that, I need to start branching out, and adding, say,
 apache2 servers to my UML, and checking validity of strict policy.

        Given the magnitude of these changes, I am planning on trying to
 do a backport of SELinux packages for Etch, at least, for the current
 release, before the kernel requirements diverge too much.


        manoj
-- 
No use getting too involved in life -- you're only here for a limited
time.
Manoj Srivastava <srivasta at debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
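The policy change proposed above (search on /var, /var/lib and /var/lib/dpkg plus read access to the files in /var/lib/dpkg, granted to the generic user domain) can be expressed as a small refpolicy-style local module. The module below is an added example written for this page, not Manoj's shipped local policy and not part of the refpolicy package. It assumes the strict policy's generic user domain is user_t and that dpkg's database is labelled dpkg_var_lib_t, which is what the refpolicy dpkg module of that era used; both names are pulled in with gen_require so that the build fails loudly rather than silently if either type does not exist in the loaded policy. The file_patterns macros (list_dirs_pattern, read_files_pattern, read_lnk_files_pattern) and the files_search_var* interfaces are standard refpolicy support macros and interfaces.

```selinux
# debian_user_dpkg.te -- added example, not refpolicy's own code.
# Lets the generic unprivileged user domain read the dpkg database so
# that dpkg-checkbuilddeps and friends work in enforcing mode.
policy_module(debian_user_dpkg, 0.1)

########################################
#
# Declarations
#

gen_require(`
	# Assumption: generic user domain of the strict policy.
	type user_t;
	# Assumption: label of /var/lib/dpkg and everything under it
	# (type declared by the refpolicy dpkg module).
	type dpkg_var_lib_t;
')

########################################
#
# Local policy
#

# A path walk to /var/lib/dpkg needs search on var_t and var_lib_t;
# these interfaces grant exactly that and nothing else under /var.
files_search_var(user_t)
files_search_var_lib(user_t)

# /var/lib/dpkg itself and /var/lib/dpkg/info: list and search.
list_dirs_pattern(user_t, dpkg_var_lib_t, dpkg_var_lib_t)

# status, available, the per-package .list/.md5sums files in info/,
# and any symlinks dpkg keeps in the database: read only.
read_files_pattern(user_t, dpkg_var_lib_t, dpkg_var_lib_t)
read_lnk_files_pattern(user_t, dpkg_var_lib_t, dpkg_var_lib_t)

# Deliberately NOT granted: write/create on dpkg_var_lib_t and any
# access to dpkg's lock file, so a user can inspect the database but
# cannot modify it or interfere with a running dpkg.
```

With Debian's selinux-policy-dev package installed this builds and loads with `make -f /usr/share/selinux/devel/Makefile debian_user_dpkg.pp && semodule -i debian_user_dpkg.pp`. To check that it is sufficient, run `dpkg-checkbuilddeps` in a source tree as an ordinary user in enforcing mode and look at `ausearch -m avc -ts recent`; any remaining denials on var_t, var_lib_t or dpkg_var_lib_t point at a type or permission the module does not cover. If the refpolicy version in use already provides a dpkg interface for read-only database access, calling that interface from the module is preferable to the explicit patterns, since the interface will be kept in step with the dpkg module's own types.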



More information about the SELinux-devel mailing list