| 1 |
hi, |
| 2 |
|
| 3 |
On Fri, May 05, 2006 at 07:49:31PM -0400, Kevin wrote: |
| 4 |
[..] |
| 5 |
> Also, there's one issue that I'm not quite understanding in this thread, |
| 6 |
> though, and I've asked the question in a number of different phrasings |
| 7 |
> (marked with [] ) because I'm having difficulty figuring out how to |
| 8 |
> express the question succinctly. |
| 9 |
|
| 10 |
if you look at [1], you will see the following text: |
| 11 |
|
| 12 |
'Below is a link to a final archived snapshot of the NSA example policy configuration for SELinux. Further work on this example policy has been superseded by the SELinux reference policy project.' |
| 13 |
|
| 14 |
this means that the reference policy project [2] is the current upstream maintainer of the policy-related work. all distros that aim to provide selinux to the users will create packages starting from what's in serefpolicy's CVS repository. |
| 15 |
|
| 16 |
> Three weeks have now passed since the last post to this thread, so |
| 17 |
> please pardon me if I politely ask: |
| 18 |
> |
| 19 |
> Where do the issues raised by this thread stand now? |
| 20 |
> |
| 21 |
> pebenito writes that, "Courier, dante, jabber and snort are done," so |
| 22 |
> that leaves: |
| 23 |
> |
| 24 |
> -The Gentoo SELinux reference policy itself [In the context of Gentoo, |
| 25 |
> exactly what is this? A Gentoo package? A collection of packages? A |
| 26 |
> collection of files that each package owns? other?] |
| 27 |
|
| 28 |
we will have a new base-policy, an eclass and new program policies based on [2]. all those nicely packaged of course. a new not-broken toolchain is also needed, and we currently lack that. |
| 29 |
|
| 30 |
> -Petre Rodan wrote: "use what we have now in the stable branch please" |
| 31 |
> [So is that a package in portage then?] Sorry if I'm being dense here. |
| 32 |
|
| 33 |
it means use the stable version of the toolchain ( sys-apps/checkpolicy sys-apps/policycoreutils sys-libs/libsepol sys-libs/libselinux sys-libs/libsemanage dev-python/python-selinux ) and the policies we now have in sec-policy/*. |
| 34 |
|
| 35 |
and even if there will be a serefpolicy release, you are asked not to blindly migrate your production servers/whatever without a thorough test. |
| 36 |
|
| 37 |
> -How far along is the work to migrate to the reference policy? |
| 38 |
|
| 39 |
all policies except clockspeed is now in the upstream repository. |
| 40 |
|
| 41 |
> And finally, [how do I make use of these policies if they are all done?] |
| 42 |
|
| 43 |
if there will be a policy available for package foo, package foo will have a dependency on sec-policy/selinux-foo (or similar), if you're using a selinux profile. so it will be transparent to the user, just as it has been in the last few years. |
| 44 |
|
| 45 |
> Pardon me for the newbie-ness of this additional question, but: [when |
| 46 |
> pebenito says, "Courier, dante, jabber and snort are done," what exactly |
| 47 |
> does that mean? Is there a gentoo package containing a policy for |
| 48 |
> courier-imap or jabber-server or dante or snort? Or is the policy for |
| 49 |
> (say) jabber-server just a file (or a set of files) that is incorporated |
| 50 |
> into the jabber-server package when the selinux USE flag is set? (or |
| 51 |
> other?).] |
| 52 |
|
| 53 |
in the context it ment that they've been incorporated upstream and they will be available as gentoo packages at release time. |
| 54 |
|
| 55 |
[1] http://www.nsa.gov/selinux/code/download1.cfm |
| 56 |
[2] http://serefpolicy.sourceforge.net |
| 57 |
|
| 58 |
bye, |
| 59 |
peter |
| 60 |
|
| 61 |
-- |
| 62 |
petre rodan |
| 63 |
<kaiowas@g.o> |
| 64 |
Developer, |
| 65 |
Hardened Gentoo Linux |
Archives