hi,

On Fri, May 05, 2006 at 07:49:31PM -0400, Kevin wrote:
[..]
> Also, there's one issue that I'm not quite understanding in this thread,
> though, and I've asked the question in a number of different phrasings
> (marked with [] ) because I'm having difficulty figuring out how to
> express the question succinctly.

if you look at [1], you will see the following text:

'Below is a link to a final archived snapshot of the NSA example policy configuration for SELinux. Further work on this example policy has been superseded by the SELinux reference policy project.'

this means that the reference policy project [2] is the current upstream maintainer of the policy-related work. all distros that aim to provide selinux to the users will create packages starting from what's in serefpolicy's CVS repository.

> Three weeks have now passed since the last post to this thread, so
> please pardon me if I politely ask:
>
> Where do the issues raised by this thread stand now?
>
> pebenito writes that, "Courier, dante, jabber and snort are done," so
> that leaves:
>
> -The Gentoo SELinux reference policy itself [In the context of Gentoo,
> exactly what is this? A Gentoo package? A collection of packages? A
> collection of files that each package owns? other?]

we will have a new base-policy, an eclass and new program policies based on [2]. all those nicely packaged of course. a new not-broken toolchain is also needed, and we currently lack that.

> -Petre Rodan wrote: "use what we have now in the stable branch please"
> [So is that a package in portage then?] Sorry if I'm being dense here.

it means use the stable version of the toolchain ( sys-apps/checkpolicy sys-apps/policycoreutils sys-libs/libsepol sys-libs/libselinux sys-libs/libsemanage dev-python/python-selinux ) and the policies we now have in sec-policy/*.

and even if there will be a serefpolicy release, you are asked not to blindly migrate your production servers/whatever without a thorough test.

> -How far along is the work to migrate to the reference policy?

all policies except clockspeed are now in the upstream repository.

> And finally, [how do I make use of these policies if they are all done?]

if there will be a policy available for package foo, package foo will have a dependency on sec-policy/selinux-foo (or similar), if you're using a selinux profile. so it will be transparent to the user, just as it has been in the last few years.

> Pardon me for the newbie-ness of this additional question, but: [when
> pebenito says, "Courier, dante, jabber and snort are done," what exactly
> does that mean? Is there a gentoo package containing a policy for
> courier-imap or jabber-server or dante or snort? Or is the policy for
> (say) jabber-server just a file (or a set of files) that is incorporated
> into the jabber-server package when the selinux USE flag is set? (or
> other?).]

in the context it meant that they've been incorporated upstream and they will be available as gentoo packages at release time.

[1] http://www.nsa.gov/selinux/code/download1.cfm
[2] http://serefpolicy.sourceforge.net

bye,
peter

-- 
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux