[DSE-Dev] SELinux state for Bullseye
Laurent Bigonville
bigon at debian.org
Mon Feb 8 08:44:02 GMT 2021
Russell,
I see that you merged the changed in the git repository (at least for
libselinux) but you squashed all the commit in one so we have lost the
history of what Christian has changed :(
Please allways keep the history and never squash the commits together if
it's not 100% needed
Thanks
Le 8/02/21 à 02:24, Russell Coker a écrit :
> On Monday, 8 February 2021 03:41:23 AEDT Christian Göttsche wrote:
>> Dear SELinux maintainers,
>>
>> As the freeze for Debian Bullseye approaches, I took a look at the
>> SELinux related Debian packages.
>> Most of the packages use debhelper compat level12, while level 13 is
>> the recommend mode and e.g. uses 'dh_missing --fail-missing' by
>> default.
>> Also most packages are build without enabled build hardening flags,
>> see https://wiki.debian.org/Hardening .
>> Therefore I prepared several merge request on salsa.d.o:
> Great work!
>
>> src:libselinux
>> https://salsa.debian.org/selinux-team/libselinux/-/merge_requests/4
>> p.s.: the proposed fix for #979970 lgtm.
> A comment refers to missing hardening flags, did you forget to change that or
> is something still missing?
>
>> src:libsemanage
>> https://salsa.debian.org/selinux-team/libsemanage/-/merge_requests/5
> -Architecture: linux-any
> +Architecture: all
>
> What's this for?
>
>> src:libsepol
>> https://salsa.debian.org/selinux-team/libsepol/-/merge_requests/3
> Again a comment refers to missing hardening flags.
>
>> src:selinux-basics
>> https://salsa.debian.org/selinux-team/selinux-basics/-/merge_requests/1
>
> if grep -q selinux=1 $n ; then
> if ! grep -q security=selinux $n ; then
> - sed -e "s/selinux=1/selinux=1 security=selinux/" < $n > $n.new
> + sed -e "s/selinux=1/lsm=selinux/" < $n > $n.new
> mv $n.new $n
> update-grub
> fi
>
> The above isn't what we need to do.
>
> if grep -q security=selinux $n ; then
> if ! grep -q lsm=selinux $n ; then
> sed -e "s/ \?selinux=1// -e \
> "s/security=selinux/security=selinux lsm=selinux/" < $n >
> $n.new
> mv $n.new $n
> update-grub
> fi
>
> Something like the above (not tested) is what we need.
>
> Also we need a matching patch for selinux-activate, I've attached something
> that might work.
>
> Which kernel first supported lsm=selinux? If the Buster kernel didn't support
> it then I'd like to keep using security=selinux for Bullseye as well as
> lsm=selinux (like we did when transitioning from selinux=1).
>
> The rest were all great, would you like to build and upload?
>
More information about the SELinux-devel
mailing list