[DSE-Dev] MCS/MLS status in Debian

Manoj Srivastava srivasta at debian.org
Wed Apr 16 01:13:27 UTC 2008


        Plans for refpolicy.

        I have been looking at what the tresys folks have done in
 Ubuntu.  They have the unconfined module in its own package; and the
 rest of the policy in others (they also have pulled out just cups
 policy into a package by itself, but I have figured out why cups was
 selected for special treatment).

        Unfortunately, I do not think they have offered a transition
 path. Here is a tentative plan:

 1. Create a package that has all packages that belong in Debian
    standard distribution. All the modules in this package are in the
    base.pp module. Make this package compile base module, but not load
    it. This is the common/base/standard package.
 2. Create a package that just has the unconfined module. Make this
    package compile the unconfined module on installation, but not load
    it. This package depends on the package created in step one. 
 3. Create a package that has the rest of the policy modules. This
    package also depends on the package created in step one. In the long
    term, when we create the preinst hook in dpkg, which should be fed
    the name of all the packages which dpkg is going to install, then we
    compile the corresponding modules, and we load them.

    In the short term, we can create a script that, when run:
    a) looks at the installed packages, and compiles policy modules that
       correspond to installed packages. Only non-base modules are
       looked for, of course.
    b) Given a list of package or policy module names, adds that to the
       list of packages installed, and loads the policy modules
       corresponding to the package/module names passed in on the
       command line.
    Call this script from the postinst, and let the user call it at
    will. Make any user interactions in this script happen via
    debconf. This script can then eventually be called from the preinst.

The older a man gets, the farther he had to walk to school as a boy.
Manoj Srivastava <srivasta at debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
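As an added illustration of the selection logic in steps a) and b) above (this is example code, not the script from the mail and not Debian's actual selinux-policy tooling): it takes a list of installed packages, maps each to a policy module name, drops anything that lives in base.pp, merges in names passed on the command line, and then compiles and loads each selected module. Assumptions not in the mail: the package list is a constructed sample (a real run would use `dpkg-query -W -f='${Package}\n'`), the package-to-module mapping table is hypothetical, the module sources are assumed to sit under /usr/share/selinux/default as MODULE.te/MODULE.fc, and the build uses the standard checkmodule / semodule_package / semodule commands. Unless DO_LOAD=1 is set the script only prints the commands it would run, so it can be exercised on a machine without SELinux.

```shell
#!/bin/sh
# Added example: select, build and load non-base refpolicy modules for the
# packages installed on the system. Not the mail's script; see assumptions
# in the lead-in above.

# Constructed sample of installed packages (real script: dpkg-query -W).
INSTALLED_PKGS="apache2 cups openssh-server postfix"

# Constructed list of module sources shipped by the policy package.
AVAILABLE_MODULES="apache bind cups dhcp kernel postfix ssh"

# Modules already linked into base.pp; never selected for per-package loading.
BASE_MODULES="kernel"

# in_list WORD "LIST": succeed if WORD is one of the space-separated LIST items.
in_list() {
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# pkg_to_module PKG: hypothetical mapping from a Debian package name to a
# policy module name. Anything not listed maps to itself (e.g. cups -> cups).
pkg_to_module() {
  case "$1" in
    openssh-server|openssh-client) echo ssh ;;
    apache2)                       echo apache ;;
    *)                             echo "$1" ;;
  esac
}

# select_modules "PKGS" "EXTRA": print, sorted and space-separated, the
# non-base modules to build: one per installed package (step a) plus the
# package/module names handed in explicitly (step b). Unknown names are
# skipped rather than failing the whole run.
select_modules() {
  pkgs="$1"; extra="$2"
  candidates=""
  for p in $pkgs $extra; do
    candidates="$candidates $(pkg_to_module "$p")"
  done
  out=""
  for m in $(printf '%s\n' $candidates | sort -u); do
    in_list "$m" "$AVAILABLE_MODULES" || continue   # no such module source
    in_list "$m" "$BASE_MODULES" && continue        # already in base.pp
    out="$out $m"
  done
  printf '%s\n' "${out# }"
}

# build_and_load MODULE: compile MODULE.te to MODULE.pp and load it.
# Dry run (prints the commands) unless DO_LOAD=1 and the toolchain exists.
build_and_load() {
  mod="$1"
  src="${POLICY_SRC:-/usr/share/selinux/default}/$mod"   # assumed layout
  if [ "${DO_LOAD:-0}" = 1 ] && command -v checkmodule >/dev/null 2>&1 \
     && command -v semodule >/dev/null 2>&1; then
    checkmodule -M -m -o "$mod.mod" "$src.te" &&
    semodule_package -o "$mod.pp" -m "$mod.mod" -f "$src.fc" &&
    semodule -i "$mod.pp"
  else
    echo "would run: checkmodule -M -m -o $mod.mod $src.te"
    echo "           semodule_package -o $mod.pp -m $mod.mod -f $src.fc"
    echo "           semodule -i $mod.pp"
  fi
}

# Usage: ./select-policy.sh [extra package or module names...]
for m in $(select_modules "$INSTALLED_PKGS" "$*"); do
  build_and_load "$m"
done
```

The two-list filter is the part worth getting right: checking against AVAILABLE_MODULES keeps a typo or an unconfined package from aborting the postinst, and checking against BASE_MODULES avoids trying to load as a separate .pp something the base module already provides, which semodule would reject.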
