From: a.kuckartz@ping.de (Andreas Kuckartz)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel
Date: 19 Sep 2013 09:39:36 +0200
Message-ID: <523AAA38.8020300@ping.de>
In-Reply-To: <1379533202.16771.17.camel@d30>

Hi Dominick,

thanks for your replies.

> Iceweasel 32 bit? As far as I know execmem is only needed on 32 bit
> iceweasel, and not 64 bit.

It is running on 64 bit Debian unstable and according to
about:buildconfig the build target is x86_64-pc-linux-gnu.

> Debian's policy configuration is based off of an older reference policy,
> and Debian is working to rebase on the latest stable reference policy.

That might explain some of the avc denials.

> However, truth be told, selinux policy is never perfect, and probably
> never will be. The nature of integrity is to contain processes, but
> processes change over time and so policy configuration needs to change
> along with it.

Yes, but the packaged policy should work out of the box as long as only
Debian packages are installed without any special configuration *and*
those packages have no security issues.

> you file bug reports to the debian selinux policy bugzilla, and enclose
> avc denials (this is important),

I will do that.

Cheers,
Andreas
