Summary: Create a framework for providing security modules with packages
- SELinux policy familiarity. Since the proposal requires setting up a framework for parcelling out security policy modules to the corresponding packages, some familiarity with how SELinux modular policy works would be needed.
- Debian Packaging experience. This proposal also involves creating the packaging glue to make this happen, so knowing how Debian packages are put together is also important.
Description: Currently, distributions ship the reference SELinux security policy in one of a few ways. Some ship it as one huge, monolithic package, where every installation has all the security modules that exist, whether it needs them or not, needlessly blowing up memory usage when the policy is loaded into the kernel. Debian itself ships with two variants of the modular reference policy, and on initial install loads some security policy modules based on guessing at which modules will be needed by looking at the installed packages -- but this is prone to error. Other solutions consist of splitting up the security modules into a few omnibus packages, and installing all the security policy modules a package contains when the user elects to install the security module package. None of these approaches handles loading a policy module when a new package is installed later, or updating the security policy when a new version of the policy is installed.
None of this is optimal. Ideally, each package which needs special handling by policy should ship with its own policy module, and there should be a means of loading that policy module, perhaps optionally, on package install. Security policy modules would then get installed only when needed. However, this requires infrastructure to ease the burden on the package maintainer. Updates to security policy are often done by security experts (somewhat like translations are done by translators). There should be a mechanism for allowing people to provide updates to security modules, and then for the package maintainer to easily add calls to load and unload security modules on package installation or uninstallation, based on a debconf question -- if and only if the target machine is running SELinux.
This proposal is about developing such a mechanism, and corresponding technical policy rules, in order to allow package developers to add SELinux support into their packages.
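A sketch of the maintainer-script glue the description asks for, added here as an illustration and not existing Debian infrastructure. The module name, the `.pp` path and the helper function names are hypothetical; `selinuxenabled` and `semodule` are the standard SELinux userland tools, and the answer argument is assumed to come from a debconf `db_get` in the real script.

```shell
#!/bin/sh
# Added illustration: per-package SELinux module handling for maintainer scripts.
MODULE_NAME="examplepkg"                               # hypothetical module name
MODULE_PP="/usr/share/selinux/packages/examplepkg.pp"  # hypothetical install path

# Succeeds only when SELinux is enabled on the running system.
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# policy_command SCRIPT ACTION ANSWER
# Prints the semodule command the given maintainer script should run,
# or nothing when the loaded policy must be left alone.
policy_command() {
    script=$1
    action=$2
    answer=$3    # "true"/"false", the admin's reply to the debconf question
    case "$script:$action" in
        postinst:configure)
            # Fresh installs and upgrades both arrive here; "semodule -i"
            # installs the module or replaces an older loaded version.
            [ "$answer" = "true" ] && echo "semodule -i $MODULE_PP"
            ;;
        prerm:remove)
            echo "semodule -r $MODULE_NAME"
            ;;
        # prerm:upgrade and all other calls: keep the module loaded so the
        # package stays confined until the new postinst replaces it.
    esac
    return 0
}

# apply_policy SCRIPT ACTION ANSWER
# Runs the step only on an SELinux system. A semodule failure is reported
# but does not abort the package operation (an assumption of this sketch).
apply_policy() {
    selinux_active || return 0
    cmd=$(policy_command "$@")
    [ -n "$cmd" ] || return 0
    $cmd || echo "warning: '$cmd' failed" >&2
}

# In a postinst, after db_get on the package's template:
#   apply_policy postinst "$1" "$RET"
```

The `prerm upgrade` case is the one the existing approaches miss: the module is never unloaded between versions, and the new version's `postinst configure` replaces it in place.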