[DSE-Dev] Debian refpolicy and core SELinux package update

Kees Cook kees at outflux.net
Thu Mar 20 20:46:16 UTC 2008


On Thu, Mar 20, 2008 at 10:48:23AM -0500, Manoj Srivastava wrote:
> On Thu, 20 Mar 2008 09:34:38 +0100, Raphael Hertzog <hertzog at debian.org> said: 
> > On Wed, 19 Mar 2008, Manoj Srivastava wrote:
> >> I am beginning to come back from a deadline crunch on my day job, and
> >> start paying attention to my Debian packages again; so hopefully the
> >> state of SELinux in Debian will improve -- at least, I'll try to be
> >> more reactive in the future.
> >> 
> >> anyway, kick the tyres, look at the Debian diffs with regards to the
> >> upstream refpolicy.  We should have a dialog about which changes need
> >> to be purged, and which should be fed upstream.
> > Ideally, you might also convince the Tresys people to work directly on
> > Debian so that both Ubuntu and Debian benefit from their work. :-)
>         Feel free to make the advances. But given the way they have
>  forked the packages, I am not currently in the mood.

I'd love to see more intercommunication -- Tresys had contacted me about
getting involved in SELinux for Ubuntu, and we were happy to get some
help.  Since getting it to play nice with Upstart and AppArmor needed some
work, no one had yet stepped up to do anything for SELinux in Ubuntu and as
a result SELinux had been virtually unusable there.

I did try to point them your way -- I don't like seeing a delta from
Debian.  I think timing was just off; they wanted newer revisions of
things than what was in unstable when they started their work a few
months back.

> > FYI, it looks like some folks at Tresys did work on SELinux support in
> > Ubuntu hardy (their next "long term support" release). You thus might
> > want to check out the Ubuntu diff (assuming upstream packages are in
> > sync) for possible improvements.
>         I have looked at setools, and if that is an example, there is
>  not much help.  They took my package (just this January), merged 4
>  binary library packages into one, converted the build system to use
>  CDBS, and added gazillions of files into ./debian.
>         They seem to have gone out of their way to fork the package.

I don't think this was malicious -- I think they just figured it would
be easier for them to manage future updates in Ubuntu if they used
different packaging.  But I'm just guessing -- I did balk a bit at the
extensive changes, but again, no one else was working on SELinux in
Ubuntu, so we welcomed it.

> > http://www.outflux.net/blog/archives/2008/03/16/selinux-in-hardy/
>         At this point, our packages in Sid are more recent.

Again, it's just bad timing -- Ubuntu's feature freeze had been
coming up, so they worked with what they could.  The majority of the
integration work needed for Ubuntu code-wise is upstream now, and the
bulk boot-time packaging bits are limited to the Ubuntu-only "selinux"
package they created.

Anyway, I just wanted to give some background history for all of this.
I don't want to suggest anyone should take anyone else's packaging.  :)


Kees Cook                                            @outflux.net