Re: [gentoo-hardened] SELinux policy updates in hardened-dev overlay - gentoo-hardened

From:	Sven Vermeulen <swift@g.o>
To:	gentoo-hardened@l.g.o
Subject:	Re: [gentoo-hardened] SELinux policy updates in hardened-dev overlay
Date:	Sun, 04 Nov 2012 12:02:29
Message-Id:	`20121104091810.GB26989@gentoo.org`
In Reply to:	[gentoo-hardened] SELinux policy updates in hardened-dev overlay by "Paweł Hajdan

1

On Sat, Nov 03, 2012 at 10:45:44AM -0700, "Paweł Hajdan, Jr." wrote:

2

> On 11/3/12 10:33 AM, bugzilla-daemon@g.o wrote:

3

> > https://bugs.gentoo.org/show_bug.cgi?id=436474

4

> >

5

> > Sven Vermeulen changed:

6

> >

7

> >            What    |Removed                     |Added

8

> > ----------------------------------------------------------------------------

9

> >              Status|IN_PROGRESS                 |RESOLVED

10

> >          Resolution|---                         |TEST-REQUEST

11

> >

12

> > --- Comment #11 from Sven Vermeulen ---

13

> > In hardened-dev, r6 release

14

>

15

> Thank you for getting things fixed! I appreciate that.

16

17

It's not fixed, the problem is possibly resolved and is now put in the

18

TEST-REQUEST phase.

19

20

> One note though: why not push policy fixes to main tree, ~arch or hard

21

> masked? See Diego's post

22

> <http://blog.flameeyes.eu/2010/08/fixed-in-overlay-read-not-fixed> - and

23

> I agree with most of it.

24

25

This is due to testing. I test policies locally in a few VMs to have some

26

confidence that they are still ok. Once I think they are ok, I push it out

27

to the hardened-dev overlay. Then my other test systems pick up the changes

28

and do some more testing (such as migration tests, in this case from r5 to

29

r6 in ~arch and some even from r5 to r6 in stable where only the SELinux

30

policies are accepted for ~arch).

31

32

This also allows others, with different set of systems, to try out the

33

changes. This gives a broader coverage of the changes and allows users that

34

want to verify their changes to pull them in from the overlay. Also, since

35

policies can make changes on the system that do not allow for easy reverting

36

(sometimes policies introduce new types and assign them to files, if you

37

revert, those files have a label SELinux doesn't understand and SELinux

38

prohibits accessing those files) I have to do sufficient testing without

39

influencing too many users. Hence, hardened-dev overlay.

40

41

Once they have been in hardened-dev overlay for a few days, most testing is

42

done and I move it to the main tree, ~arch'ed with bugstatus "VERIFIED

43

TEST-REQUEST". Then, after two weeks or so, the changes go to the stable

44

set.

45

46

This 14-days stabilization has been sent to the gentoo-project mailinglist.

47

48

I *could* do this on a private overlay for testing, but then I really need

49

to get those 7-ish people that test hardened-dev policies for me to use my

50

overlay instead. And since we already have an overlay, why create another

51

one?

52

53

Also, I *could* not change the bugs until they hit ~arch, but then the users

54

that want to verify the changes are ok do not have the ability until it hits

55

~arch. And when it hits ~arch and the changes are bad and incompatible with

56

the previous release, then all hell breaks loose.

57

58

> Note that when you change eclasses or toolchain, it makes sense to test

59

> in an isolated overlay. But when the in-tree policy for chromium is

60

> unusable anyway, why not just push a new version there?

61

62

SELinux policy changes are much like toolchain - it affects everyone that

63

uses it. Unlike a non-core package change, which is isolated, SELinux policy

64

changes affect all SELinux users. And like the toolchain you want to have

65

some broader testing coverage to catch potential issues before unleashing it

66

to the wider public, since a broken SELinux/toolchain might force people

67

into rescue attempts (toolchain not working, nothing installs; SELinux not

68

working, nothing works).

69

70

True, depending on your kernel configuration, you can disable SELinux to

71

working around things and when a new policy hits the tree, rerun parts of

72

the SELinux installation instructions to get back on your feet. But some

73

systems (I have four currently, not calling them production systems but they

74

do host websites or parts of websites for around 20 organizations on the

75

Internet) would rather not run with SELinux disabled...

76

77

I hope that clarifies things. So in short: I use hardened-dev overlay to

78

stage my changes so other test systems I and others have can test for

79

regressions before it hits ~arch as policy changes are not easily

80

revertible.

81

82

Wkr,

83

	Sven Vermeulen

1	On Sat, Nov 03, 2012 at 10:45:44AM -0700, "Paweł Hajdan, Jr." wrote:
2	> On 11/3/12 10:33 AM, bugzilla-daemon@g.o wrote:
3	> > https://bugs.gentoo.org/show_bug.cgi?id=436474
4	> >
5	> > Sven Vermeulen changed:
6	> >
7	> > What \|Removed \|Added
8	> > ----------------------------------------------------------------------------
9	> > Status\|IN_PROGRESS \|RESOLVED
10	> > Resolution\|--- \|TEST-REQUEST
11	> >
12	> > --- Comment #11 from Sven Vermeulen ---
13	> > In hardened-dev, r6 release
14	>
15	> Thank you for getting things fixed! I appreciate that.
16
17	It's not fixed, the problem is possibly resolved and is now put in the
18	TEST-REQUEST phase.
19
20	> One note though: why not push policy fixes to main tree, ~arch or hard
21	> masked? See Diego's post
22	> <http://blog.flameeyes.eu/2010/08/fixed-in-overlay-read-not-fixed> - and
23	> I agree with most of it.
24
25	This is due to testing. I test policies locally in a few VMs to have some
26	confidence that they are still ok. Once I think they are ok, I push it out
27	to the hardened-dev overlay. Then my other test systems pick up the changes
28	and do some more testing (such as migration tests, in this case from r5 to
29	r6 in ~arch and some even from r5 to r6 in stable where only the SELinux
30	policies are accepted for ~arch).
31
32	This also allows others, with different set of systems, to try out the
33	changes. This gives a broader coverage of the changes and allows users that
34	want to verify their changes to pull them in from the overlay. Also, since
35	policies can make changes on the system that do not allow for easy reverting
36	(sometimes policies introduce new types and assign them to files, if you
37	revert, those files have a label SELinux doesn't understand and SELinux
38	prohibits accessing those files) I have to do sufficient testing without
39	influencing too many users. Hence, hardened-dev overlay.
40
41	Once they have been in hardened-dev overlay for a few days, most testing is
42	done and I move it to the main tree, ~arch'ed with bugstatus "VERIFIED
43	TEST-REQUEST". Then, after two weeks or so, the changes go to the stable
44	set.
45
46	This 14-days stabilization has been sent to the gentoo-project mailinglist.
47
48	I could do this on a private overlay for testing, but then I really need
49	to get those 7-ish people that test hardened-dev policies for me to use my
50	overlay instead. And since we already have an overlay, why create another
51	one?
52
53	Also, I could not change the bugs until they hit ~arch, but then the users
54	that want to verify the changes are ok do not have the ability until it hits
55	~arch. And when it hits ~arch and the changes are bad and incompatible with
56	the previous release, then all hell breaks loose.
57
58	> Note that when you change eclasses or toolchain, it makes sense to test
59	> in an isolated overlay. But when the in-tree policy for chromium is
60	> unusable anyway, why not just push a new version there?
61
62	SELinux policy changes are much like toolchain - it affects everyone that
63	uses it. Unlike a non-core package change, which is isolated, SELinux policy
64	changes affect all SELinux users. And like the toolchain you want to have
65	some broader testing coverage to catch potential issues before unleashing it
66	to the wider public, since a broken SELinux/toolchain might force people
67	into rescue attempts (toolchain not working, nothing installs; SELinux not
68	working, nothing works).
69
70	True, depending on your kernel configuration, you can disable SELinux to
71	working around things and when a new policy hits the tree, rerun parts of
72	the SELinux installation instructions to get back on your feet. But some
73	systems (I have four currently, not calling them production systems but they
74	do host websites or parts of websites for around 20 organizations on the
75	Internet) would rather not run with SELinux disabled...
76
77	I hope that clarifies things. So in short: I use hardened-dev overlay to
78	stage my changes so other test systems I and others have can test for
79	regressions before it hits ~arch as policy changes are not easily
80	revertible.
81
82	Wkr,
83	Sven Vermeulen

Gentoo Archives: gentoo-hardened