| 1 |
On 02/12/2011 09:20 AM, Sven Vermeulen wrote: |
| 2 |
> Hi hardened-folks |
| 3 |
> |
| 4 |
> Gentoo Hardened aims to follow the Tresys reference policy closely for the |
| 5 |
> SELinux policy modules / packages and puts all non-base policies in the |
| 6 |
> sec-policy/selinux-* packages. We already had a few hints on |
| 7 |
> #gentoo-hardened about the naming conventions used for those packages. |
| 8 |
> |
| 9 |
> Naming conventions might seem silly to discuss, but they can make life |
| 10 |
> difficult in the future so it's better to tackle this before we go to a |
| 11 |
> stable set of SELinux policies. There are various options available, but let |
| 12 |
> me first give some information on the issue... |
| 13 |
> |
| 14 |
> ** Naming Collisions, Categories and More... |
| 15 |
> |
| 16 |
> Well, as you are probably all aware, Gentoo might have naming collisions |
| 17 |
> when one doesn't provide the category (think app-admin/analog versus |
| 18 |
> app-emacs/analog). For regular packages, we ask users to provide the category |
| 19 |
> as well. However, for SELinux policy packages, there's only a single category |
| 20 |
> currently (sec-policy/), so we might need to provide the necessary naming |
| 21 |
> conventions in the package names. |
| 22 |
> |
| 23 |
> However, another problem arises. Some reference policy modules provide |
| 24 |
> policies for multiple Gentoo packages (think admin/bootloader, which offers |
| 25 |
> policies for LILO, GRUB, YaBoot and more). If we name our SELinux policy |
| 26 |
> package to the Gentoo package, what would the package be called then (in |
| 27 |
> this particular case, bootloader is part of the base policy so doesn't |
| 28 |
> require a separate sec-policy/ package). |
| 29 |
> |
| 30 |
> And if that isn't enough, Tresys reference policy also uses categories |
| 31 |
> (admin, apps, kernel, roles, services and system) so they too might have |
| 32 |
> naming collisions if one would ignore the category. However, once that |
| 33 |
> occurs, there will be other issues as well, because the reference policy |
| 34 |
> sources might have categories, but SELinux doesn't, so the module name |
| 35 |
> itself would require adjustments (cfr. "semodule -l" output). |
| 36 |
> |
| 37 |
> ** SELinux policy module naming convention |
| 38 |
> |
| 39 |
> So, how should we (Gentoo Hardened) name our SELinux packages to avoid above |
| 40 |
> collisions, but also to provide our developers with a consistent guideline |
| 41 |
> on how to call SELinux module packages? |
| 42 |
> |
| 43 |
> My suggestion would be to name the packages according to the refpolicy |
| 44 |
> module name (as it is the source of the package anyhow) without category. |
| 45 |
> Collisions are unlikely to occur in the near future because SELinux has no |
| 46 |
> support for categories. In other words, if a collision would occur, the |
| 47 |
> reference policy would rename their modules (or name the new module |
| 48 |
> differently) anyhow, so we can easily follow suit. |
| 49 |
> |
| 50 |
> I rather not follow Gentoo's package names. I know it might make it easier |
| 51 |
> to deduce which sec-policy/selinux-* packages need to be installed on a |
| 52 |
> system, but this is a temporary situation - in the long term, we want all |
| 53 |
> packages that have SELinux policies to have an optional (selinux) dependency |
| 54 |
> against their sec-policy/selinux-* package. The downside would be that we |
| 55 |
> need to either make duplicate packages for these tools that have policies |
| 56 |
> within the same module (think the bootloader case) or use a different naming |
| 57 |
> convention for those particular packages. |
| 58 |
> |
| 59 |
> So, what are your thoughts on this? |
| 60 |
> |
| 61 |
> Wkr, |
| 62 |
> Sven Vermeulen |
| 63 |
> |
| 64 |
|
| 65 |
Robbat2 brought the naming issue up and suggested the ${CAT}-${PN} |
| 66 |
scheme, but you make a good point about the mapping being many-to-many |
| 67 |
in general. |
| 68 |
|
| 69 |
If we agree to this standard, how to we grandfather in the packages that |
| 70 |
are already in sec-policy? Renaming packages is a pita and we should |
| 71 |
avoid it if we can. |
| 72 |
|
| 73 |
-- |
| 74 |
Anthony G. Basile, Ph.D. |
| 75 |
Gentoo Developer |
Archives