[DSE-Dev] Fixing up SELinux reference policy for Debian

Russell Coker russell at coker.com.au
Mon May 21 10:05:54 UTC 2007


On Saturday 19 May 2007 02:00, Manoj Srivastava <srivasta at debian.org> wrote:
> > We'd also need people to work on e.g. an exim and a tomcat policy.
>
>         I don't use exim, or tomcat, so this is likely to take me
>  longer.  The version I uploaded last night now fixes all the problems I
>  saw last time, and includes the changes that Russell posted (updated

For Exim we need code changes to get it working in the best possible manner.  
Upstream is interested in accepting patches.

Exim periodically re-exec's itself for different tasks.  What we want is for 
it to execute exim-FOO instead where FOO is the task in question.  On a 
non-SE system exim-FOO could be a sym-link to exim, on a SE system it would 
be a wrapper program that executes the main exim program in a different 
domain.

>  localStrict.te included below).  I can compile my packages, and run

Does localStrict.te really provide a benefit?

>         However, I noticed that installing packages can still cause AVC
>  denials (like, flashplayer non-free packages download files from the
>  internet, installing auditd caused a whole flurry of denials). I think

Yes, there is still work to be done there.

>         I think a number of these things that happen in post install
>  scripts might require Debian specific policy, since I suspect Debian
>  does far more in the postinst phase than does Fedora.

Yes, it does more things and requires more access.

Now further changes:
It's probably best to permit getattr access when read access is permitted, I 
omitted this in the fs_allow_tmpfs_file_read patch I sent you.

I'll send other patches soon.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
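To make the wrapper idea above concrete, here is a constructed reference-policy module (added for illustration, not Russell's patches or the uploaded Debian packages) that gives one such exim-FOO wrapper its own domain; the names exim_foo_t, exim_foo_exec_t and the path /usr/sbin/exim-foo are assumptions, and exim_t/exim_exec_t are assumed to be declared elsewhere. The last interface call also shows the getattr point: read_files_pattern grants getattr together with read, so a plain stat() on the file does not produce a spurious denial.

```selinux
# exim_foo.te -- constructed example, not part of the original mail.
# "foo" stands for whichever exim task the wrapper handles.
# Matching file context (exim_foo.fc), also constructed:
#   /usr/sbin/exim-foo  --  gen_context(system_u:object_r:exim_foo_exec_t,s0)
policy_module(exim_foo, 0.1)

########################################
# Declarations

# Domain for the task-specific wrapper and its own entry-point file type
type exim_foo_t;
type exim_foo_exec_t;
domain_type(exim_foo_t)
domain_entry_file(exim_foo_t, exim_foo_exec_t)
role system_r types exim_foo_t;

########################################
# Policy

# When the main exim domain execs /usr/sbin/exim-foo (exim_foo_exec_t),
# transition automatically into exim_foo_t instead of staying in exim_t.
domain_auto_trans(exim_t, exim_foo_exec_t, exim_foo_t)

# The wrapper then execs the real exim binary; allow that without a
# transition so the task keeps running confined in exim_foo_t.
can_exec(exim_foo_t, exim_exec_t)

# Baseline access any dynamically linked program needs to start.
libs_use_ld_so(exim_foo_t)
libs_use_shared_libs(exim_foo_t)
miscfiles_read_localization(exim_foo_t)

# Read access to tmpfs files; read_files_pattern grants getattr alongside
# read, which is the point raised about the fs_allow_tmpfs_file_read patch.
fs_read_tmpfs_files(exim_foo_t)
```

The same pattern repeats per task: one exec type, one domain, one domain_auto_trans from exim_t, and only the access that task actually needs.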
