[DSE-Dev] Selinux policy for debian sid

cgzones cgzones at googlemail.com
Thu Aug 4 15:40:08 UTC 2016


Hi,
first I want to thank Laurent and Russell for their work on packaging
selinux related software and on porting the reference policy to
debian.

I noticed the recent upload of a new policy for debian sid.
Because of the prior lack of a proper policy, I tried to get one
working on my own: https://github.com/cgzones/debian-package-refpolicy
It works for me on a virtual machine with a minimal non-graphical
installation with booting in enforced mode and logging into confined
users. Maybe you can take a look, e.g. I got the 'systemd --user'
process confined with
https://github.com/cgzones/debian-package-refpolicy/blob/debian/debian/patches/0041-systemd-user-fix.patch.

Another point I'd like to suggest is basing the debian package on a
newer git version of the reference policy. The new upload is based on
the 20150812 release, which is already over half a year old, and I
would not consider the state of the reference policy ready-to-use. So
I threw a script together for using the latest git snapshot:
https://github.com/cgzones/debian-package-refpolicy/blob/debian/debian/fetch-latest-upstream.sh

Next I'd like to request some patches regarding the debian packaging,
which are attached.

My last point is selinux module management: While having some spare
time I tried out a script for managing selinux modules based on
installed debian packages, so that not all 370+ available modules are
automatically installed.
Is this even a sane idea, and are there any feature plans in this direction?
https://github.com/cgzones/debian-package-refpolicy/compare/management

Kind regards

            Christian Göttsche

p.s.:
I took a quick look at the packaging repository today
https://anonscm.debian.org/cgit/selinux/refpolicy.git/ and noticed
some missing changes from Laurent in the current debian branch, which
were present recently (e.g. the sign-tags option in debian/gbp.conf).
Also the systemd flag seems not to be enabled in the debian/build.conf.* files?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fix-gbp-warning.patch
Type: text/x-patch
Size: 596 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20160804/4f04b11f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-ship-list-of-basemodules.patch
Type: text/x-patch
Size: 1705 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20160804/4f04b11f/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-dh_install-use-fail-missing-instead-of-list-missing.patch
Type: text/x-patch
Size: 648 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20160804/4f04b11f/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-use-domain_auto_transition_pattern-instead-of-old-do.patch
Type: text/x-patch
Size: 1235 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20160804/4f04b11f/attachment-0003.bin>
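The module-management idea raised above (loading only the policy modules that match installed Debian packages, instead of all 370+) can be sketched as a small POSIX shell routine. This is an added illustration, not code from the original message or from Christian's management branch: the module-to-package mapping, the installed-package list and the base-module list are constructed sample data embedded inline, and the module path /usr/share/selinux/default/NAME.pp.bz2 used for the dry-run output is an assumption about the Debian policy layout. On a real system the package list would come from `dpkg-query -W -f='${Package}\n'`.

```shell
#!/bin/sh
# Added example: derive the set of SELinux policy modules to load from the
# set of installed Debian packages. Fewer loaded modules means a smaller
# policy surface and less to audit. All inputs below are constructed.

# Constructed mapping, one "module package" pair per line (hypothetical).
MODULE_MAP='apache apache2
bind bind9
postfix postfix
ssh openssh-server
cron cron
dbus dbus'

# Constructed stand-in for `dpkg-query -W -f='${Package}\n'` output.
INSTALLED='openssh-server
cron
dbus
postfix
libc6'

# Constructed list of modules that are always loaded, package or not.
BASE_MODULES='kernel
corecommands
init'

# modules_for_packages MAP INSTALLED BASE
# Prints the sorted, de-duplicated module names: every base module plus each
# mapped module whose package appears in the installed list (exact match).
modules_for_packages() {
    map="$1"; installed="$2"; base="$3"
    {
        printf '%s\n' "$base"
        printf '%s\n' "$map" | while read -r module pkg; do
            [ -n "$module" ] || continue
            if printf '%s\n' "$installed" | grep -qx -- "$pkg"; then
                printf '%s\n' "$module"
            fi
        done
    } | sort -u
}

# plan_semodule: dry run that prints the semodule command for each selected
# module instead of executing it (path assumed, see lead-in).
plan_semodule() {
    modules_for_packages "$MODULE_MAP" "$INSTALLED" "$BASE_MODULES" |
        while read -r m; do
            printf 'semodule -i /usr/share/selinux/default/%s.pp.bz2\n' "$m"
        done
}

plan_semodule
```

Running the script prints one `semodule -i` line per selected module; apache and bind are skipped because their packages are absent from the constructed installed list, while the base modules are always included. Matching with `grep -x` avoids prefix hits such as `cron` matching `cron-apt`.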

