* selinux-policy-targeted (1:1.22-2) available
From: Lorenzo Hernández García-Hierro @ 2005-03-27 0:54 UTC (permalink / raw)
To: ubuntu-hardened; +Cc: rcoker, dwalsh, selinux, ubuntu-devel
Hi,
I'm (very) glad to announce the availability of the first targeted
policy package for Debian and more concretely Ubuntu Linux (this package
is Ubuntu-dependent because of the versions of logrotate, libselinux1,
etc, in which it relies, to be fixed when Debian consolidates userland
for SELinux support and accepts the patches).
The policy source itself has nothing to do with Russell Coker's old
selinux-policy-default, but the package is based on his one, this means,
same configuration method. Of course it has been updated to comply with
the current Debian Policy (sigh) and some building errors have been
fixed (most notably are related with changes ported out of Fedora's
targeted policy specs).
I encourage all of those interested in SELinux deployment in Ubuntu
Linux (and subsequently, Debian) to check the package, report errors to
this list (we still don't have our bug reporting area like Hardened
Gentoo has within the Gentoo bugzilla, I hope to solve this soon with
the Ubuntu folks) or directly to me, make suggestions, send patches...
The http://www.ubuntulinux.org/wiki/SELinux wiki page has been updated
to reflect the changes.
The current percentage of work done amounts to 75%, if talking in basic
deployment terms, but we could talk about a percentage of 87.5% as
coreutils just need a fixed (and updated) Linux-PAM [1], among a few
fixes, currently available and provided with SELinux support, but has to
be reviewed by a Debian developer or an Ubuntu maintainer.
dpkg is left, thus, the targeted policy package still installs the
suboptimal selinux dpkg postinst script, being replaced by Manoj's
changes when I get the clean diff for dpkg from him.
Among that, the configuration method needs to be reworked and I would
like to know who could take care of it, as I wouldn't have time for it.
Package available at:
http://pearls.tuxedo-es.org/selinux/ubuntu/selinux-policy-targeted/
[1]:
http://pearls.tuxedo-es.org/selinux/ubuntu/pam/
Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo@gnu.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
* Re: selinux-policy-targeted (1:1.22-2) available
From: Colin Walters @ 2005-03-27 1:41 UTC (permalink / raw)
To: Lorenzo Hernández García-Hierro
Cc: ubuntu-hardened, rcoker, dwalsh, selinux, ubuntu-devel
On Sun, 2005-03-27 at 01:54 +0100, Lorenzo Hernández García-Hierro
wrote:
> I'm (very) glad to announce the availability of the first targeted
> policy package for Debian and more concretely Ubuntu Linux
Very cool, I'm excited about this.
> The policy source itself has nothing to do with Russell Coker's old
> selinux-policy-default, but the package is based on his one, this means,
> same configuration method.
I assume you mean this:
+ print "Do you want $file:" . substr($line, 6);
+ print "Yes/No/Display [Y/n/d]? ";
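Review bot: substr($line, 6) in the first added line depends on a hard-coded offset of 6, with no comment saying which prefix of $line is being skipped. A named constant for the prefix length, or a regex capture that matches the marker and keeps the rest, would keep the prompt text correct if the marker format ever changes.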
I suggest that you simply delete this code entirely, and install
every .te file. It's outdated for several reasons:
1) With the new dynamic boolean support, SELinux enforcement for a
particular daemon can be turned off at runtime, instead of
at policy build time.
2) The targeted policy is significantly smaller than the strict, so
there are no space/size concerns.
3) It's always been annoying as hell :)
* Re: selinux-policy-targeted (1:1.22-2) available
From: Dale Amon @ 2005-03-27 12:05 UTC (permalink / raw)
To: Colin Walters
Cc: Lorenzo Hernández García-Hierro, ubuntu-hardened, rcoker, dwalsh,
selinux, ubuntu-devel
On Sat, Mar 26, 2005 at 08:41:05PM -0500, Colin Walters wrote:
> I assume you mean this:
>
> + print "Do you want $file:" . substr($line, 6);
> + print "Yes/No/Display [Y/n/d]? ";
>
> I suggest that you simply delete this code entirely, and install
> every .te file. It's outdated for several reasons:
>
> 3) It's always been annoying as hell :)
Yeah, an automatic install/configurator project
I was working on in spare time foundered on that
ever changing reef of dependencies and name changes...
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
* Re: selinux-policy-targeted (1:1.22-2) available
From: Lorenzo Hernández García-Hierro @ 2005-04-13 13:49 UTC (permalink / raw)
To: Dale Amon
Cc: Colin Walters, ubuntu-devel, dwalsh, rcoker, selinux,
ubuntu-hardened
On Sun, 27-03-2005 at 13:05 +0100, Dale Amon wrote:
> On Sat, Mar 26, 2005 at 08:41:05PM -0500, Colin Walters wrote:
> > I assume you mean this:
> >
> > + print "Do you want $file:" . substr($line, 6);
> > + print "Yes/No/Display [Y/n/d]? ";
> >
> > I suggest that you simply delete this code entirely, and install
> > every .te file. It's outdated for several reasons:
> >
> > 3) It's always been annoying as hell :)
>
> Yeah, an automatic install/configurator project
> I was working on in spare time foundered on that
> ever changing reef of dependencies and name changes...
We don't need that in the targeted policy package, but it would make
sense as an independently packaged tool or included in the -strict
policy package.
Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo@gnu.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
* Re: selinux-policy-targeted (1:1.22-2) available
From: Lorenzo Hernández García-Hierro @ 2005-03-27 13:04 UTC (permalink / raw)
To: Colin Walters; +Cc: ubuntu-hardened, rcoker, dwalsh, selinux
On Sat, 26-03-2005 at 20:41 -0500, Colin Walters wrote:
> Very cool, I'm excited about this.
We'll see how well it works.
If not, then blame me ;)
> I assume you mean this:
>
> + print "Do you want $file:" . substr($line, 6);
> + print "Yes/No/Display [Y/n/d]? ";
>
> I suggest that you simply delete this code entirely, and install
> every .te file. It's outdated for several reasons:
>
> 1) With the new dynamic boolean support, SELinux enforcement for a
> particular daemon can be turned off at runtime, instead of
> at policy build time.
> 2) The targeted policy is significantly smaller than the strict, so
> there are no space/size concerns.
> 3) It's always been annoying as hell :)
Done, I'm doing some improvements for the -3 revision.
Now I need to do other stuff, I'll upload the new package later.
Cheers and thanks for the help ;),
--
Lorenzo Hernández García-Hierro <lorenzo@gnu.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
* selinux-policy-targeted (1:1.22-3) available
From: Lorenzo Hernández García-Hierro @ 2005-03-27 16:24 UTC (permalink / raw)
To: ubuntu-hardened; +Cc: Colin Walters, rcoker, dwalsh, selinux
Hi,
The new selinux-policy-targeted (1:1.22-3) package is available.
Some improvements have been made to the package since the 1.22-2
version, the weird configuration method is no longer used,
post-installation script doesn't add a selinuxfs entry to
your /etc/fstab every time you (re)install or upgrade the package...
Changes are reflected at:
http://pearls.tuxedo-es.org/selinux/ubuntu/selinux-policy-targeted/
selinux-policy-targeted_1.22-3_i386.changes
The package is available at:
http://pearls.tuxedo-es.org/selinux/ubuntu/selinux-policy-targeted/
Continue making comments, suggestions and critics ;)
I don't want to seem impatient with the SELinux deployment in Ubuntu
Linux, but the next 3 months I will have limited time, so, I want to
have at least the 75% of the work done (it's around 87% now, just some
more userland work and we are done for fine-tuning, etc), even if Breezy
is far away from us (Hoary is still not released).
By doing this quickly and before others, and as soon as we start it, as
soon as we will finish it, we gain momentum ;)
Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo@gnu.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
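
The 1.22-3 announcement above says the post-installation script no longer adds a selinuxfs entry to /etc/fstab on every (re)install or upgrade. One way to make that step idempotent, as an added example that is not the package's own postinst; the entry text, the /selinux mount point and the function names are assumptions:

```shell
#!/bin/sh
# Added example, not the package's postinst script.
# Assumed entry text; the thread does not show the line the package writes.
SELINUXFS_ENTRY="none /selinux selinuxfs defaults 0 0"

# Succeed if a non-comment line already uses selinuxfs as its
# filesystem type (third fstab field). Commented-out entries are ignored.
has_selinuxfs_entry() {
    awk '$1 !~ /^#/ && $3 == "selinuxfs" { found = 1 }
         END { exit !found }' "$1"
}

# Append the entry only when it is absent, so reinstalling or upgrading
# leaves exactly one selinuxfs line. Prints "added" or "present".
ensure_selinuxfs_entry() {
    fstab="$1"
    if has_selinuxfs_entry "$fstab"; then
        echo "present"
        return 0
    fi
    # If the file does not end in a newline, add one first so the new
    # entry is not glued onto the last existing line.
    if [ -s "$fstab" ] && [ -n "$(tail -c 1 "$fstab")" ]; then
        echo >> "$fstab"
    fi
    printf '%s\n' "$SELINUXFS_ENTRY" >> "$fstab"
    echo "added"
}

# Constructed demo on a scratch file, never the real /etc/fstab.
demo=$(mktemp)
printf '# constructed sample fstab\nproc /proc proc defaults 0 0' > "$demo"
ensure_selinuxfs_entry "$demo"   # first install
ensure_selinuxfs_entry "$demo"   # reinstall or upgrade
rm -f "$demo"
```

Matching on the filesystem-type field rather than grepping for the whole line means an entry an administrator has edited (different options or mount point) still counts as present and is not duplicated.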