[DSE-Dev] SELinux state for Bullseye
Laurent Bigonville
bigon at debian.org
Tue Feb 9 09:27:37 GMT 2021
OK for libselinux, I've restored the different individual commits from
Christian and force pushed everything. I also have added my change to
drop the usage of gettid() to fix the remaining RC bug.
Please before doing anything, run git pull --rebase in the "debian"
branch so you have the last revision and do not force push any changes
as a result of my own force push today.
I'll try to see if I can restore the individual commits for the other
components, but to be honest it's a bit late in the cycle to push
non-essential changes to the archive; the freeze is this Friday.
On 8/02/21 at 09:44, Laurent Bigonville wrote:
> Russell,
>
> I see that you merged the changes in the git repository (at least for
> libselinux) but you squashed all the commits into one, so we have lost the
> history of what Christian has changed :(
>
> Please always keep the history and never squash the commits together
> if it's not 100% needed.
>
> Thanks
>
> On 8/02/21 at 02:24, Russell Coker wrote:
>> On Monday, 8 February 2021 03:41:23 AEDT Christian Göttsche wrote:
>>> Dear SELinux maintainers,
>>>
>>> As the freeze for Debian Bullseye approaches, I took a look at the
>>> SELinux related Debian packages.
>>> Most of the packages use debhelper compat level 12, while level 13 is
>>> the recommended mode and e.g. uses 'dh_missing --fail-missing' by
>>> default.
>>> Also most packages are built without enabled build hardening flags,
>>> see https://wiki.debian.org/Hardening .
>>> Therefore I prepared several merge requests on salsa.d.o:
>> Great work!
>>
>>> src:libselinux
>>> https://salsa.debian.org/selinux-team/libselinux/-/merge_requests/4
>>> p.s.: the proposed fix for #979970 lgtm.
>> A comment refers to missing hardening flags, did you forget to change
>> that or is something still missing?
>>> src:libsemanage
>>> https://salsa.debian.org/selinux-team/libsemanage/-/merge_requests/5
>> -Architecture: linux-any
>> +Architecture: all
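Review bot: `Architecture: all` marks a binary package as architecture-independent, so for any stanza of libsemanage that ships compiled code the change from `linux-any` is wrong and `linux-any` should stay; it is only correct for a package without architecture-specific content. The hunk does not show which stanza it applies to, so the merge request should say which package this is and why it no longer needs `linux-any`.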
>>
>> What's this for?
>>
>>> src:libsepol
>>> https://salsa.debian.org/selinux-team/libsepol/-/merge_requests/3
>> Again a comment refers to missing hardening flags.
>>
>>> src:selinux-basics
>>> https://salsa.debian.org/selinux-team/selinux-basics/-/merge_requests/1
>>
>> if grep -q selinux=1 $n ; then
>> if ! grep -q security=selinux $n ; then
>> - sed -e "s/selinux=1/selinux=1 security=selinux/" < $n >
>> $n.new
>> + sed -e "s/selinux=1/lsm=selinux/" < $n > $n.new
>> mv $n.new $n
>> update-grub
>> fi
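Review bot: the `+` sed line turns `selinux=1` into a bare `lsm=selinux`, while the guard above it only tests that `security=selinux` is absent, so a file with `selinux=1` and no `security=selinux` ends up with `lsm=selinux` alone, which a kernel that does not know `lsm=` will not act on; the replacement should keep both, i.e. `security=selinux lsm=selinux`. Also, the outer `if grep -q selinux=1` means a file already converted to `security=selinux` (with no `selinux=1` left) never receives `lsm=selinux`, so the guard should key on `security=selinux` instead.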
>>
>> The above isn't what we need to do.
>>
>> if grep -q security=selinux $n ; then
>>   if ! grep -q lsm=selinux $n ; then
>>     sed -e "s/ \?selinux=1//" \
>>         -e "s/security=selinux/security=selinux lsm=selinux/" < $n > $n.new
>>     mv $n.new $n
>>     update-grub
>>   fi
>> fi
>>
>> Something like the above (not tested) is what we need.
>>
>> Also we need a matching patch for selinux-activate, I've attached
>> something that might work.
>>
>> Which kernel first supported lsm=selinux? If the Buster kernel
>> didn't support it then I'd like to keep using security=selinux for
>> Bullseye as well as lsm=selinux (like we did when transitioning from
>> selinux=1).
>>
>> The rest were all great, would you like to build and upload?
>>
>
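The migration Russell sketches above, written out as a runnable, idempotent helper. This is an added example, not code from the merge request or from Russell's attached patch: it assumes the GRUB default file path is passed as the first argument, that the command run after a change comes from an UPDATE_GRUB_CMD variable (an assumption, defaulting to update-grub), and the sample file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example: move a GRUB configuration file's kernel command line from the
# old "selinux=1" parameter to "security=selinux lsm=selinux", keeping
# security=selinux so kernels that predate lsm= still enable SELinux.
# Assumptions (not from the merge request): the file path is argument 1 and
# the command run after a change comes from UPDATE_GRUB_CMD (default update-grub).

migrate_selinux_cmdline() {
    n="$1"
    : "${UPDATE_GRUB_CMD:=update-grub}"

    # Only files that enable SELinux through security=selinux are candidates.
    [ -f "$n" ] || return 0
    grep -q 'security=selinux' "$n" || return 0

    # Idempotent: if an lsm= list is already present the administrator has
    # chosen the LSM order, so leave the file alone rather than add a second one.
    if grep -q 'lsm=' "$n"; then
        return 0
    fi

    # Drop the obsolete selinux=1 together with whichever adjacent space it
    # had (middle/end of the line first, then start of the line), then append
    # lsm=selinux directly after security=selinux. sed applies each
    # substitution once per line, which is right for each GRUB_CMDLINE_LINUX*
    # line; other lines of the file are copied unchanged.
    sed -e 's/ selinux=1//' \
        -e 's/selinux=1 //' \
        -e 's/security=selinux/security=selinux lsm=selinux/' \
        "$n" > "$n.new" || { rm -f "$n.new"; return 1; }
    mv "$n.new" "$n"
    "$UPDATE_GRUB_CMD"
}

# Stand-alone demo on a constructed file (on a real system the argument would
# be /etc/default/grub and UPDATE_GRUB_CMD would be left at its default).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf 'GRUB_CMDLINE_LINUX="selinux=1 security=selinux quiet"\n' > "$demo"
    UPDATE_GRUB_CMD=true
    migrate_selinux_cmdline "$demo"
    cat "$demo"
    rm -f "$demo"
fi
```

Running the script with `--demo` rewrites the constructed line to `GRUB_CMDLINE_LINUX="security=selinux lsm=selinux quiet"`; a second run over the same file changes nothing, and a file without `security=selinux` is never touched, which is what lets the helper run unconditionally from a maintainer script or from selinux-activate.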