From: dominick.grift@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel
Date: Wed, 18 Sep 2013 21:40:02 +0200	[thread overview]
Message-ID: <1379533202.16771.17.camel@d30> (raw)
In-Reply-To: <5239AEFF.6000902@ping.de>

On Wed, 2013-09-18 at 15:47 +0200, Andreas Kuckartz wrote:
> Any suggestions from here?

Iceweasel 32-bit? As far as I know execmem is only needed on 32-bit
Iceweasel, and not 64-bit.

Debian's policy configuration is based off of an older reference policy,
and Debian is working to rebase on the latest stable reference policy.

Hopefully she will also organize a solid system to stay in sync and work
with upstream to make SELinux work better on Debian.

I think Debian is working to get that sorted out.

However, truth be told, SELinux policy is never perfect, and probably
never will be. The nature of integrity is to contain processes, but
processes change over time, and so policy configuration needs to change
along with them.

SELinux is really a framework, and policy is really just configuration,
and so you are able to control SELinux.

But to get to the point: here is how the process should work.

You file bug reports to the Debian SELinux policy bugzilla, and enclose
AVC denials (this is important). They will fix it in Debian (if they
need help from the community then they know where to go: #selinux on
freenode or the mailing lists). Then Debian will send all the
modifications (patches) they made to upstream reference policy. Upstream
reference policy will review the changes, and if all is well adopt the
changes.

Then every once in a while refpolicy releases a stable version. Debian
should rebase her policy on the latest refpolicy as soon as possible
after refpolicy is released, and then the circle is round and it all
starts over again.

As for the audit2allow output you enclosed: I cannot do much with this
output. I would need AVC denials instead, because I need the information
AVC denials provide to make sound decisions.

But again, SELinux is a framework, and you can perfect your policy
yourself. It will help if you know some of the basic SELinux concepts
and principles, but it's not as hard as you might think. I and others on
#selinux on freenode are also trying to be helpful, so if you need help
let us know.

You can also send patches to this mailing list, but they will have to be
proper; see:
http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute

If you do, then it is a good idea to save any related AVC denials you
have, because patches get reviewed and need to be justified.

I hope this helps, and that I didn't scare you or disappoint you.

> 
> Cheers,
> Andreas
> 
> -------- Original Message --------
> Date: Tue, 17 Sep 2013 14:36:41 +0200
> From: Andreas Kuckartz <a.kuckartz@ping.de>
> To: selinux-user at lists.alioth.debian.org
> 
> I am running a Debian unstable system with SELinux in permissive mode.
> 
> I have appended the result of
> $ cat /var/log/audit/audit.log | audit2allow -l -R
> 
> There are quite a few missing type enforcement (TE) allow rules.
> 
> In addition to that Iceweasel requires allow_execstack and allow_execmem
> - which is not good. I have researched that and found these two old open
> Firefox issues:
> 
> SELinux is preventing JIT from changing memory segment access
> https://bugzilla.mozilla.org/show_bug.cgi?id=506693
> 
> Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error
> https://bugzilla.mozilla.org/show_bug.cgi?id=574119
> 
> What do you suggest on how to proceed?
> 
> Cheers,
> Andreas

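The thread turns on the difference between raw AVC denials and audit2allow output: the reply above asks for the denials because they carry context (which process, which object, which types) that the collapsed allow rules do not. The following is an added example, not code from this thread, from Debian or from refpolicy. It parses audit.log-format AVC records, keeps the per-denial evidence a reviewer needs to justify a patch, shows the bare allow rules those same denials collapse into, and flags the execmem/execstack-style denials that the original poster's audit2allow run attributed to the allow_execmem and allow_execstack booleans. The sample log lines are constructed for this example (the pid, inode and timestamps are made up); the field names are those of the kernel's AVC record format.

```python
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format. These are
# illustrative lines written for this example, not denials from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1379500000.123:4567): avc:  denied  { execmem } for  pid=2345 comm="iceweasel" scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1379500001.456:4568): avc:  denied  { execstack } for  pid=2345 comm="iceweasel" scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1379500002.789:4569): avc:  denied  { read } for  pid=2345 comm="iceweasel" name="fonts.conf" dev="sda1" ino=1234 scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=SYSCALL msg=audit(1379500002.789:4569): arch=c000003e syscall=2 success=no exit=-13 comm="iceweasel" exe="/usr/lib/iceweasel/iceweasel"
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that let a domain run code from writable memory or mappings.
MEMEXEC_PERMS = frozenset({'execmem', 'execstack', 'execheap', 'execmod'})


def context_type(ctx):
    """Return the type (third component) of a user:role:type[:range] context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''


def parse_avc(line):
    """Parse one type=AVC record; return None for other record types (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'stype': context_type(fields.get('scontext', '')),
        'ttype': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', ''),
        'comm': fields.get('comm', ''),
        'pid': fields.get('pid', ''),
        # file-class denials name the object via path= or name=
        'name': fields.get('path') or fields.get('name', ''),
    }


def parse_log(text):
    """All denied AVC records in an audit.log-format text, in file order."""
    parsed = (parse_avc(line) for line in text.splitlines())
    return [r for r in parsed if r is not None and r['result'] == 'denied']


def allow_rules(records):
    """Collapse denials into the bare TE rules audit2allow would print.
    Everything that identifies the actual process and object is lost here."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in grouped.items()
    )


def evidence(records):
    """Per-denial evidence worth attaching to a bug report:
    (comm, pid, source type, perms, target type, class, object name)."""
    return [
        (r['comm'], r['pid'], r['stype'], ' '.join(r['perms']),
         r['ttype'], r['tclass'], r['name'])
        for r in records
    ]


def memexec_denials(records):
    """Denials a boolean like allow_execmem/allow_execstack would silence.
    These deserve a look (JIT? non-PIC library?) rather than a blanket allow."""
    return [r for r in records if MEMEXEC_PERMS & set(r['perms'])]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_AUDIT_LOG)
    print('evidence:')
    for row in evidence(recs):
        print('  ', row)
    print('collapsed rules:')
    for rule in allow_rules(recs):
        print('  ', rule)
    print('memory-exec denials:', len(memexec_denials(recs)))
```

On a real system the same functions can be fed /var/log/audit/audit.log directly or the output of `ausearch -m avc --raw`. The evidence tuples are what to include in a bug report; the collapsed rules are what audit2allow would hand you, with the process and object names already gone; and anything returned by memexec_denials() should be traced to the component that needs it before any execmem or execstack boolean is flipped.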