Differences between revisions 22 and 23
Revision 22 as of 2013-11-03 11:38:57
Size: 5438
Editor: AndreasKuckartz
Comment: Mention new packaged tool chain release
Revision 23 as of 2013-11-10 19:27:47
Size: 5694
Editor: AndreasKuckartz
Comment: (none)

Changes in revision 23:
  • Line 31: heading "Unresoved issues" corrected to "Unresolved issues".
  • Line 50: added the paragraph "debian-installer: Support targeted SELinux in the installer (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=390760) was resolved in April 2007, still resolved? Can Debian Installer configuration be improved for SELinux? Install in permissive mode?" under "Resolved issues to be verified".

Goal description

Allow the users to enable SELinux enforcing mode on their machine without too much hassle.

  • Improve the SELinux reference policy, this is currently being worked out with upstream.
  • Be sure that when an init script or maintainer script creates a file or directory, the label on disk is properly (re)set.
  • Be sure that SELinux-aware applications have SELinux support enabled and that it is working properly.

Current status / Further Information

A similar release goal had been proposed for Squeeze: https://lists.debian.org/debian-release/2009/07/msg00389.html

New reference policy

Dominick Grift and Laurent Bigonville have worked on packaging a new upstream reference policy and Michael Pflüger has it on his todo-list to put those bits into a package which can go into experimental (where it can mature a bit to then get uploaded into unstable to migrate back to testing). (2013-10-31)

If you want to help that effort, you could install one of the preliminary packages of bigon (such as selinux-policy-default_2.20130928-1~bigon5_all.deb) and report any problems you encounter. The developers would then try and solve those problems upstream and package the newer upstream snapshot.

(BTW: The major release of the SELinux tool chain published upstream on 2013-10-30 was already packaged for Debian by Laurent Bigonville on 2013-11-03)

Properly set selinux labels during installation

A while ago Laurent Bigonville suggested amending the Debian policy so that, if a package creates a file or directory in an init script or in a maintainer script, it ensures (by calling restorecon) that the SELinux context on disk is correct (debian-policy: Document in the policy the way to properly set selinux labels on files and directories). It is difficult to measure progress.

Inform about need to execute "selinux-policy-upgrade" - or offer execution

For years one has needed to run "selinux-policy-upgrade" after installing a new policy to activate it. The user is not even informed about this, but has to figure it out on his or her own. This should and can be improved.

Unresolved issues

refpolicy: Please handle new dpkg_script_t execution context

Issues tagged for user selinux-devel@lists.alioth.debian.org

"SELinux Policy Analysis" tool (apol) from package setools has no menu item in KDE. (Gnome ?) This seems to be a violation of the Debian policy ("9.6 Menus")

Other issues involving SELinux

Iceweasel/Firefox

"if I'm not mistaken, -z relro actually makes things not work with selinux, seeing how selinux already breaks the mprotect that removes the write bit on code sections after text relocations" (Please enable hardened build flags through dpkg-buildpackage, Comment 61)

This needs clarification. It is important that SELinux can be used to protect against Iceweasel/Firefox security issues. And using hardened build flags is also important!

Resolved issues to be verified

Mail: Possible issues with dpkg SELinux support. All the issues mentioned in that mail should be fixed with dpkg 1.17.1 according to Guillem Jover (2013-10-05).

debian-installer: Support targeted SELinux in the installer was resolved in April 2007, still resolved? Can Debian Installer configuration be improved for SELinux? Install in permissive mode?

Unapplied patch

PATCH RFC - Package script(let)s SELinux execution context, PATCH - libselinux: Refactor rpm_execcon() into a new setexecfilecon(). Guillem Jover (2013-10-05): "Upstream seemed to agree with the patch, but I guess it fell through the cracks. I added the equivalent code to dpkg directly, the same was done on the rpm side. Having that upstream would allow to remove that local function from both codebases, but not after some time so that people can compile with old libselinux releases."

Nice to have

Re-add a Debian package for SETroubleShoot: User friendly utility for troubleshooting SELinux

How to help

Enable SELinux "permissive" mode on your test system. "Enforcing" mode is not necessary to help improve the SELinux integration in Debian.

Verify that files created by scripts have the correct SELinux context using "matchpathcon -V".
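The two label-related steps this page asks for, creating a file or directory from a maintainer script and then resetting its label with restorecon (see "Properly set selinux labels during installation"), and checking labels afterwards with "matchpathcon -V", as one added shell example. This is illustration written for this page, not code from Debian policy, dpkg or any Debian package. It assumes restorecon, selinuxenabled and matchpathcon from the policycoreutils/libselinux packages; when those tools are missing or SELinux is disabled the SELinux step is skipped rather than failing, which is what a maintainer script needs on systems without SELinux. The sample matchpathcon output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page or any Debian package.
#
#   create_and_relabel DIR   create a directory as a postinst would, then
#                            restorecon it so the on-disk label follows policy
#   verify_labels PATH...    run "matchpathcon -V" and report mismatches
#   count_mismatches         parse matchpathcon -V output from stdin; returns
#                            the number of mismatching paths (testable without
#                            any SELinux tools installed)

# True only when the libselinux tools are present and SELinux is enabled.
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null
}

create_and_relabel() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 0755 "$dir"
    if selinux_active && command -v restorecon >/dev/null 2>&1; then
        # Reset the context from the file_contexts database: -R recurses into
        # anything created underneath, -F also resets the user component.
        restorecon -RF "$dir"
    fi
    return 0
}

# matchpathcon -V prints one line per path, e.g. (constructed samples):
#   /etc/foo verified.
#   /var/lib/foo has context system_u:object_r:var_t:s0, should be system_u:object_r:foo_var_lib_t:s0
# Echo each mismatching line prefixed with MISMATCH: and return the count
# (capped at 255, the largest value an exit status can carry).
count_mismatches() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *" has context "*", should be "*)
                printf 'MISMATCH: %s\n' "$line"
                n=$((n + 1)) ;;
        esac
    done
    [ "$n" -gt 255 ] && n=255
    return "$n"
}

# Exit status is the number of mismatches, so "verify_labels ... || echo bad"
# works as a check in a test run.
verify_labels() {
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not available; skipping label verification" >&2
        return 0
    fi
    matchpathcon -V "$@" | count_mismatches
}
```

On a test system in permissive mode, run something like `create_and_relabel /var/lib/foo && verify_labels /var/lib/foo` after a package's maintainer script has created its files; a nonzero status from verify_labels lists the paths whose on-disk context differs from what the file_contexts database expects, which is exactly the class of bug the restorecon call in maintainer scripts is meant to prevent.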

See unresolved issues under "Further information". Test the new reference policy!

Contact selinux-devel@lists.alioth.debian.org

Please note that the creator of this page currently has problems sending mails to that mailing list. 2013-11-01

Advocates

Volunteers