[DSE-Dev] Future of refpolicy

Russell Coker russell at coker.com.au
Thu Dec 5 13:35:40 UTC 2013


On Sun, 29 Sep 2013 20:52:46 Mika Pflüger wrote:
> Dominick Grift, Laurent Bigonville and me have been working on getting
> upstream refpolicy into shape for debian. Especially dgrift got tens of
> patches written for upstream refpolicy last week (you might have read
> it in refpolicy ml) and bigon made packages of upstream refpolicy [1].

I'm behind on mailing list posts.  Thanks for your good work.

> We talked about the future of refpolicy in debian (over in #selinux at
> freenode) and for us it seems the best option forward is to package
> upstream, i.e. dropping all patches from the debian package. We do not
> seem to have the resources to package new upstream refpolicy releases
> maintaining all the patches in debian, so I think we are better off
> starting from upstream.

We can start from upstream and then look to the past policy for Debian for things to include.

The most difficult parts of the Wheezy policy were the things that involved taking future stuff from 
upstream and from Fedora (like systemd support).  Those things shouldn't be required.

> Also, many of the debian patches have been
> upstreamed last year (although some are missing, like the useful lda
> patches) and by going an "upstream first" route we possibly can have
> very recent refpolicy versions in debian (in contrast to the current
> situation, where we have a version of refpolicy in debian that was
> released over three years ago). What do you think?

Good idea.

The 3yo policy in Wheezy is fine.  But for Unstable we need newer.
> Back in June you said you were also working on policy in debian. How is
> going? We should maybe coordinate efforts, such that we get useful
> patches upstreamed asap and don't duplicate work.

I haven't got the things done that I wanted.

I'm now working on some updates to Wheezy policy.  I'm not sure if I can get them in a Wheezy 
update (I haven't been tracking what the policy is for updates) but if nothing else I can put them in 
my own repository for the benefit of people who want them.  My current changelog is below.

  * Allow dhclient dhcpc_t to bind to generic UDP ports port_t.
  * new boolean dovecot_shadow_auth to allow Dovecot to directly authenticate
    via /etc/shadow.
  * Allow asterisk_t to read /dev/random, have file transitions for
    sock_file:asterisk_var_run_t, and setattr asterisk_var_run_t:dir.  Label
    tcp port 2000 as asterisk_port_t for SCCP.
  * Add block_suspend to capability2 and allow initrc_t, init_t, and udev_t
    access to it - for kernel > 3.2.
  * Label /etc/locale.alias as locale_t

I'll make this available to you in a day or two.

The next thing I'd like to do going forward is to setup a Xen server running images of some common 
Debian configurations on Unstable and update them regularly to ensure that they still work.  I was 
thinking of writing scripts to download files from web servers, send email into, out of, and through 
mail servers, etc and test for correct functioning.  Verifying correct functionality and lack of AVC 
messages will do a large portion of the work of ensuring that policy is working correctly.

Is anyone interested in working on such automated testing with me?  All you need to do is run a 
DomU with a server configuration that interests you and debug it when things go wrong.  Of course 
when tracking Unstable things will often go wrong in ways that aren't our fault, but we can debug 
that too.

Sorry for the delay in replying.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

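The "correct functionality plus no new AVC denials" check proposed in the message above, written out as an added shell example. This is not code from the original post nor from the Debian SELinux packages. It assumes auditd is writing to /var/log/audit/audit.log (the same grep works on /var/log/kern.log when auditd is absent, since the kernel prints the same "avc:  denied" records there); the audit lines embedded in it are constructed for the offline demo, not captured from a real system, and the curl/mail commands in the comments are only illustrations of what a DomU test would run.

```shell
#!/bin/sh
# Added example: a small harness for the automated DomU testing proposed in
# the post. Each functional test is run, then the audit log is checked for
# AVC denials that appeared while it ran. Assumes auditd logs to
# /var/log/audit/audit.log; /var/log/kern.log carries the same record
# format when auditd is not installed.

# Constructed sample records in auditd's format (not a real capture). Two
# denials and one "granted" record, so the granted one must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1386250000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="dhclient" src=68 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1386250000.123:456): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1386250001.500:457): avc:  denied  { read } for  pid=2345 comm="asterisk" name="random" dev="devtmpfs" ino=1028 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1386250002.000:458): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# count_denials LOG: number of AVC denial records in LOG (0 if unreadable).
count_denials() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'avc:  denied' "$1" || true
}

# summarize_denials LOG: one line per distinct (source type, class, perms)
# triple with a count, which is what you need to decide whether a denial is
# a policy gap or an application misbehaving.
summarize_denials() {
    grep 'avc:  denied' "$1" | sed -n \
        's/.*denied  { \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 { \1 }/p' \
        | sort | uniq -c
}

# run_check LOG NAME CMD...: run one functional test. Returns 1 if the
# command itself failed, 2 if it ran but produced new AVC denials, 0 if both
# the functionality and the policy held up.
run_check() {
    log=$1; name=$2; shift 2
    before=$(count_denials "$log")
    "$@" || { echo "FAIL $name: command exited $?"; return 1; }
    after=$(count_denials "$log")
    if [ "$after" -gt "$before" ]; then
        echo "FAIL $name: $((after - before)) new AVC denial(s)"
        summarize_denials "$log"
        return 2
    fi
    echo "OK   $name"
}

# On a real DomU the checks would look like (illustrative commands only):
#   run_check /var/log/audit/audit.log web  curl -fsS -o /dev/null http://localhost/
#   run_check /var/log/audit/audit.log smtp sh -c 'echo test | mail -s test root'

# Offline demo over the constructed sample: count and summarize denials.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_AUDIT" > "$tmp"
    echo "denials: $(count_denials "$tmp")"
    summarize_denials "$tmp"
    rm -f "$tmp"
}
```

The summary line format ("dhcpc_t udp_socket { name_bind }") is deliberately the shape of the allow rule that would silence the denial, which makes it quick to see whether the fix belongs in policy (as with the dhclient and asterisk items in the changelog) or whether the application is doing something it should not.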