1 |
On Thu, Mar 17, 2011 at 01:14:02PM -0400, Anthony G. Basile wrote: |
2 |
> I'm think we should go for stabilization --- I'm not sure how since the |
3 |
> arch teams are going to say they really can't test this for us, and as |
4 |
> they did with other packages, will probably defer the judgment back to |
5 |
> us. If we do, we should take this responsibility very seriously because |
6 |
> the arch teams, if nothing else, are a double check on our work. |
7 |
|
8 |
For the time being, I'm focusing my attention on server-side testing: |
9 |
integrated virtual environments running bind, openldap for authentication |
10 |
with replication, a load-balanced apache setup offering squirrelmail access |
11 |
to a virtual mailhosting setup (postfix/courier) and a standalone postgres |
12 |
(still looking for something nice to fully test postgres with). |
13 |
|
14 |
I'm extending the environment with more and more services so that I have |
15 |
some testing environments for most of the servers (for instance, I have a |
16 |
build server that uses lighttpd) for which we have policies. |
17 |
|
18 |
However, |
19 |
- I'm focussing on strict policy (no unconfined domains) which is a major |
20 |
shortage as we definitely want to support unconfined as well. |
21 |
- Although I run my desktops with SELinux strict as well, I'm hardly what |
22 |
can be called a multimedia-user: apart from firefox and skype, all |
23 |
utilities I use are mostly command-line ;-) So support for |
24 |
desktop-oriented SELinux might still be lacking stuff. |
25 |
|
26 |
The reasons are fairly simple: |
27 |
- Strict allows us to focus on the policy itself and, in theory, if a strict |
28 |
policy works well, unconfined should work well too as far as the same |
29 |
activities are concerned. |
30 |
- Desktop applications are far too difficult to automatically test |
31 |
(regressions), which leads me to |
32 |
- I hardly have the time to run manual tests ;-) |
33 |
|
34 |
Of course, when there are bugs (for instance with unconfined) it's a small |
35 |
step to convert to the targeted policy and verify if it is reproduceable |
36 |
(like it was with that pesky bug you mentioned in the beginning of your |
37 |
mail). |
38 |
|
39 |
> So far I see only a few bugs that need addressing still in bugzilla. |
40 |
> (The bug reports are a bit disorganized because of how they were |
41 |
> assigned. We're going to be assigning selinux bugs to |
42 |
> selinux@g.o for easy lookup.) |
43 |
> |
44 |
> I think these are blockers to stabilization. Any others you want to add |
45 |
> to the list? |
46 |
> |
47 |
> #355675 - No brainer. I'll test the patch there this afternoon and put |
48 |
> it on the tree later if it works. |
49 |
> |
50 |
> #346563 - sounds like a profile problem, but I'm not sure its valid |
51 |
|
52 |
If we go for stabilization (and I wouldn't mind, as most additional servers |
53 |
that I'm setting up hardly require updates on the policy) we should push the |
54 |
SELinux Hardened Handbook (currently in hardened-doc.git) as well as the |
55 |
SELinux FAQ. Also, the moment we stabilize, can we please get the |
56 |
"loadpolicy" stuff out of our profile (selinux/make.defaults) ;-) |
57 |
|
58 |
Anyhow, #346563 is about that weird multilib/nomultilib situation. SELinux |
59 |
profiles currently enable multilib and "-multilib" (aka "no-multilib") is |
60 |
for the time being not supported. But we might need to focus on this in the |
61 |
near future as I would assume in server environments no-multilib is |
62 |
preferred. |
63 |
|
64 |
Wkr, |
65 |
Sven Vermeulen |