Re: RPM support for SELinux

[Joshua Brindle <method@manicmethod.com>]

Jeff Johnson wrote:
>
> On Oct 22, 2009, at 3:12 PM, Joshua Brindle wrote:
>
>> Jeff Johnson wrote:
>>>
>>> On Oct 22, 2009, at 2:37 PM, Chad Sellers wrote:
>>>
>>>> I just wanted to let everyone know that we've submitted a patchset
>>>> to add
>>>> more robust SELinux support to RPM4. You can view the patchset here:
>>>>
>>>> http://lists.rpm.org/pipermail/rpm-maint/2009-October/002561.html
>>>>
>>>> Note that these patches require running on the current trunk of
>>>> libselinux
>>>> and libsemanage.
>>>>
>>>> If you're interested in trying out the support or just looking at
>>>> how it
>>>> works, we've put up a wiki page talking about it here:
>>>>
>>>> http://selinuxproject.org/page/RPM
>>>>
>>>> Comments are welcome.
>>>>
>>>
>>>
>>> Just a short reply:
>>>
>>> The patches will never be included @rpm5.org as is because
>>> you missed the abstraction (for packaging) and haven't tied
>>> various stray identifiers as in
>>> Type: mls targeted
>>
>> These should never be "concrete" in RPM. These are identifiers that
>> are created on end systems and forcing a specific set of them is a
>> good way to make sure custom solutions won't use this feature in RPM.
>>
>
> The bz2 blobs need to be verifiable even if opaque.
>
> And the tagging (which you've chosen to add to *.rpm) needs
> to be verifiable as being accurate, however that is arranged.
>
> The fundamental design flaw is that you are choosing to distribute
> security sensitive policy tagging without any visible means (other than
> what
> is provided by bzip2) that the blob's are, in fact, what they are supposed
> to be.
>
> The claimed purpose of this patch set (by you) is so that rpm can be
> labeled
> as "untrusted". I haven't any problem whatsoever with RPM being labeled
> "untrusted". Just that you cannot send "trusted" data through an
> "untrusted"
> channel without any means of verification and expect anything other than
> Sh*t happens.
>

That is not the purpose of this patchset, and it was never claimed to be 
the purpose of this patchset.

The purpose of this patchset is to start integrating policy support into 
RPM, and for RPM to remain completely trusted. I did say that we have an 
ultimate goal of breaking RPM up into pieces so we could remove trust 
from the main parts, and to eventually be able to run RPM in different 
security domains depending on different aspects of the RPM (where it 
came from, who signed it, who is running RPM, etc) but that is not 
something this patch set can accomplish and indeed is a long term goal.

We can't very well go off for a long time and come back with a patchset 
that completely changes the architecture of RPM, we are doing this 
development in the open and therefore each individual patch set along 
the way brings us closer, it doesn't completely solve the problem.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.