Differences between revisions 13 and 14
Revision 13 as of 2013-11-01 11:13:46
Size: 4133
Editor: ?AndreasKuckartz
Comment:
Revision 14 as of 2013-11-01 11:22:21
Size: 4232
Editor: ?AndreasKuckartz
Comment:

Goal description

Allow the users to enable SELinux enforcing mode on their machine without too much hassle.

  • Improve the SELinux reference policy; this is currently being worked out with upstream.
  • Be sure that when an init script or maintainer script creates a file or directory, the label on disk is properly (re)set.
  • Be sure that SELinux-aware applications have SELinux support enabled and that it is working properly.

Current status / Further Information

A similar release goal had been proposed for Squeeze: https://lists.debian.org/debian-release/2009/07/msg00389.html

New reference policy

dgrift and bigon have worked on packaging a new upstream reference policy and Michael Pflüger has it on his todo-list to put those bits into a package which can go into experimental (where it can mature a bit to then get uploaded into unstable to migrate back to testing).

If you want to help that effort, you could install one of the preliminary packages of bigon (such as selinux-policy-default_2.20130928-1~bigon5_all.deb) and report any problems you encounter. The developers would then try and solve those problems upstream and package the newer upstream snapshot.

Properly set selinux labels during installation

Laurent Bigonville suggested a while ago amending the Debian policy so that, if a package creates a file or directory in an init script or in a maintainer script, it ensures (by calling restorecon) that the SELinux context on disk is correct (debian-policy: Document in the policy the way to properly set selinux labels on files and directories). It is difficult to measure progress.
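The following is an added example of what such a maintainer-script fragment could look like; it is not from the wiki page, from Debian policy or from any Debian package. It creates a state directory and then calls restorecon on it, but only when SELinux tooling is present and SELinux is enabled, so the same script also works on hosts without SELinux. The directory path and package name are hypothetical.

```shell
#!/bin/sh
# Added example (not Debian policy or a real package's postinst): create a
# directory from a maintainer script and make sure its on-disk SELinux label
# matches the loaded policy by calling restorecon afterwards.
set -e

# Relabel PATH recursively when restorecon is available and SELinux is
# enabled (selinuxenabled exits 0 in that case); a no-op otherwise.
selinux_restore() {
    path="$1"
    if command -v restorecon >/dev/null 2>&1 \
        && command -v selinuxenabled >/dev/null 2>&1 \
        && selinuxenabled 2>/dev/null; then
        restorecon -R "$path"
    fi
    return 0
}

# Create the package's state directory (hypothetical /var/lib/examplepkg)
# with restrictive permissions, then relabel it. Returns 0 on success.
create_state_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0750 "$dir"
    selinux_restore "$dir"
}

# Typical use from a postinst (package name hypothetical):
#   case "$1" in configure) create_state_dir /var/lib/examplepkg ;; esac
```

The relabel step is deliberately separate from the creation step so it can be called for every path the script touches, including files written later by the init script.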

Inform about need to execute "selinux-policy-upgrade" - or offer execution

For years it has been necessary to run "selinux-policy-upgrade" after installing a new policy to activate it. The user is not even informed about this but must figure it out on his or her own. This should and can be improved.

Unresolved issues

refpolicy: Please handle new dpkg_script_t execution context

Issues tagged for user selinux-devel@lists.alioth.debian.org

Resolved issues to be verified

Mail: Possible issues with dpkg SELinux support. All the issues mentioned in that mail should be fixed with dpkg 1.17.1 according to Guillem Jover (2013-10-05).

Unapplied patch

PATCH RFC - Package script(let)s SELinux execution context, PATCH - libselinux: Refactor rpm_execcon() into a new setexecfilecon(). Guillem Jover (2013-10-05): "Upstream seemed to agree with the patch, but I guess it fell through the cracks. I added the equivalent code to dpkg directly, the same was done on the rpm side. Having that upstream would allow to remove that local function from both codebases, but not after some time so that people can compile with old libselinux releases."

How to help

Enable SELinux "permissive" mode on your test system. "Enforcing" mode is not necessary.

Verify that files created by scripts have the correct SELinux context using "matchpathcon -V"
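As an added example (not part of the wiki page), the script below runs "matchpathcon -V" over a list of paths and counts the lines that report a mismatch. matchpathcon -V prints "PATH verified." for a correctly labelled file and "PATH has context X, should be Y" otherwise; the parser keys on those two forms. The sample output embedded at the end is constructed for testing, not captured from a real system, and the paths and contexts in it are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: verify SELinux file labels
# against the loaded policy with `matchpathcon -V` (shipped in Debian's
# selinux-utils package) and summarise the result.

# Read matchpathcon -V output on stdin, report every mismatched path on
# stderr and print the number of mismatches on stdout.
count_mismatches() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *" verified.") ;;
            *" has context "*", should be "*)
                n=$((n + 1))
                printf 'MISMATCH: %s\n' "$line" >&2
                ;;
        esac
    done
    echo "$n"
}

# Run matchpathcon -V over the given paths. Returns 0 only if every path
# carries the context the policy expects; 2 if the tool is missing.
verify_labels() {
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not found (install selinux-utils)" >&2
        return 2
    fi
    bad=$(matchpathcon -V "$@" | count_mismatches)
    [ "$bad" -eq 0 ]
}

# Constructed sample of matchpathcon -V output (hypothetical paths and
# contexts) so the parser can be exercised without SELinux tooling.
SAMPLE_OUTPUT='/var/lib/examplepkg verified.
/var/lib/examplepkg/state.db has context system_u:object_r:var_t:s0, should be system_u:object_r:var_lib_t:s0
/etc/examplepkg/conf verified.'

# Usage on a real system, e.g. after running a package's postinst:
#   verify_labels /var/lib/examplepkg /etc/examplepkg
# Offline check of the parser against the constructed sample:
#   printf '%s\n' "$SAMPLE_OUTPUT" | count_mismatches
```

Parsing the output rather than relying on the tool's exit status keeps the check readable in a test log: each offending path is printed with both the current and the expected context, which is exactly what a bug report for the policy or the maintainer script needs.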

See unresolved issues under "Further information". Test the new reference policy!

Contact selinux-devel@lists.alioth.debian.org

Please note that the creator of this page currently has problems sending mails to that mailing list. 2013-11-01

Advocates

Volunteers