| 1 |
Hi hardened-folks |
| 2 |
|
| 3 |
Gentoo Hardened aims to follow the Tresys reference policy closely for the |
| 4 |
SELinux policy modules / packages and puts all non-base policies in the |
| 5 |
sec-policy/selinux-* packages. We already had a few hints on |
| 6 |
#gentoo-hardened about the naming conventions used for those packages. |
| 7 |
|
| 8 |
Naming conventions might seem silly to discuss, but they can make life |
| 9 |
difficult in the future so it's better to tackle this before we go to a |
| 10 |
stable set of SELinux policies. There are various options available, but let |
| 11 |
me first give some information on the issue... |
| 12 |
|
| 13 |
** Naming Collisions, Categories and More... |
| 14 |
|
| 15 |
Well, as you are probably all aware, Gentoo might have naming collisions |
| 16 |
when one doesn't provide the category (think app-admin/analog versus |
| 17 |
app-emacs/analog). For regular packages, we ask users to provide the category |
| 18 |
as well. However, for SELinux policy packages, there's only a single category |
| 19 |
currently (sec-policy/), so we might need to provide the necessary naming |
| 20 |
conventions in the package names. |
| 21 |
|
| 22 |
However, another problem arises. Some reference policy modules provide |
| 23 |
policies for multiple Gentoo packages (think admin/bootloader, which offers |
| 24 |
policies for LILO, GRUB, YaBoot and more). If we name our SELinux policy |
| 25 |
package to the Gentoo package, what would the package be called then (in |
| 26 |
this particular case, bootloader is part of the base policy so doesn't |
| 27 |
require a separate sec-policy/ package). |
| 28 |
|
| 29 |
And if that isn't enough, Tresys reference policy also uses categories |
| 30 |
(admin, apps, kernel, roles, services and system) so they too might have |
| 31 |
naming collisions if one would ignore the category. However, once that |
| 32 |
occurs, there will be other issues as well, because the reference policy |
| 33 |
sources might have categories, but SELinux doesn't, so the module name |
| 34 |
itself would require adjustments (cfr. "semodule -l" output). |
| 35 |
|
| 36 |
** SELinux policy module naming convention |
| 37 |
|
| 38 |
So, how should we (Gentoo Hardened) name our SELinux packages to avoid above |
| 39 |
collisions, but also to provide our developers with a consistent guideline |
| 40 |
on how to call SELinux module packages? |
| 41 |
|
| 42 |
My suggestion would be to name the packages according to the refpolicy |
| 43 |
module name (as it is the source of the package anyhow) without category. |
| 44 |
Collisions are unlikely to occur in the near future because SELinux has no |
| 45 |
support for categories. In other words, if a collision would occur, the |
| 46 |
reference policy would rename their modules (or name the new module |
| 47 |
differently) anyhow, so we can easily follow suit. |
| 48 |
|
| 49 |
I rather not follow Gentoo's package names. I know it might make it easier |
| 50 |
to deduce which sec-policy/selinux-* packages need to be installed on a |
| 51 |
system, but this is a temporary situation - in the long term, we want all |
| 52 |
packages that have SELinux policies to have an optional (selinux) dependency |
| 53 |
against their sec-policy/selinux-* package. The downside would be that we |
| 54 |
need to either make duplicate packages for these tools that have policies |
| 55 |
within the same module (think the bootloader case) or use a different naming |
| 56 |
convention for those particular packages. |
| 57 |
|
| 58 |
So, what are your thoughts on this? |
| 59 |
|
| 60 |
Wkr, |
| 61 |
Sven Vermeulen |
Archives