1 |
Hi hardened-folks |
2 |
|
3 |
Gentoo Hardened aims to follow the Tresys reference policy closely for the |
4 |
SELinux policy modules / packages and puts all non-base policies in the |
5 |
sec-policy/selinux-* packages. We already had a few hints on |
6 |
#gentoo-hardened about the naming conventions used for those packages. |
7 |
|
8 |
Naming conventions might seem silly to discuss, but they can make life |
9 |
difficult in the future so it's better to tackle this before we go to a |
10 |
stable set of SELinux policies. There are various options available, but let |
11 |
me first give some information on the issue... |
12 |
|
13 |
** Naming Collisions, Categories and More... |
14 |
|
15 |
Well, as you are probably all aware, Gentoo might have naming collisions |
16 |
when one doesn't provide the category (think app-admin/analog versus |
17 |
app-emacs/analog). For regular packages, we ask users to provide the category |
18 |
as well. However, for SELinux policy packages, there's only a single category |
19 |
currently (sec-policy/), so we might need to provide the necessary naming |
20 |
conventions in the package names. |
21 |
|
22 |
However, another problem arises. Some reference policy modules provide |
23 |
policies for multiple Gentoo packages (think admin/bootloader, which offers |
24 |
policies for LILO, GRUB, YaBoot and more). If we name our SELinux policy |
25 |
package to the Gentoo package, what would the package be called then (in |
26 |
this particular case, bootloader is part of the base policy so doesn't |
27 |
require a separate sec-policy/ package). |
28 |
|
29 |
And if that isn't enough, Tresys reference policy also uses categories |
30 |
(admin, apps, kernel, roles, services and system) so they too might have |
31 |
naming collisions if one would ignore the category. However, once that |
32 |
occurs, there will be other issues as well, because the reference policy |
33 |
sources might have categories, but SELinux doesn't, so the module name |
34 |
itself would require adjustments (cfr. "semodule -l" output). |
35 |
|
36 |
** SELinux policy module naming convention |
37 |
|
38 |
So, how should we (Gentoo Hardened) name our SELinux packages to avoid above |
39 |
collisions, but also to provide our developers with a consistent guideline |
40 |
on how to call SELinux module packages? |
41 |
|
42 |
My suggestion would be to name the packages according to the refpolicy |
43 |
module name (as it is the source of the package anyhow) without category. |
44 |
Collisions are unlikely to occur in the near future because SELinux has no |
45 |
support for categories. In other words, if a collision would occur, the |
46 |
reference policy would rename their modules (or name the new module |
47 |
differently) anyhow, so we can easily follow suit. |
48 |
|
49 |
I rather not follow Gentoo's package names. I know it might make it easier |
50 |
to deduce which sec-policy/selinux-* packages need to be installed on a |
51 |
system, but this is a temporary situation - in the long term, we want all |
52 |
packages that have SELinux policies to have an optional (selinux) dependency |
53 |
against their sec-policy/selinux-* package. The downside would be that we |
54 |
need to either make duplicate packages for these tools that have policies |
55 |
within the same module (think the bootloader case) or use a different naming |
56 |
convention for those particular packages. |
57 |
|
58 |
So, what are your thoughts on this? |
59 |
|
60 |
Wkr, |
61 |
Sven Vermeulen |