| 1 |
I'm hoping this is sufficiently "non-technical" to be on -project ;-) |
| 2 |
|
| 3 |
SELinux uses a "deny all by default" principle, which means that anything |
| 4 |
that isn't explicitly allowed is denied. When a policy (i.e. the rules that |
| 5 |
the system and its processes need to adhere to) is updated, it usually is |
| 6 |
enhanced (more rights added) rather than reduced (rights removed). This is |
| 7 |
mainly because it is hard to find out which rules can be removed without |
| 8 |
risk of introducing regressions. |
| 9 |
|
| 10 |
When things change on a system (we've had a few in the near past, think about |
| 11 |
udev binary move, /run introduction, /usr merge, ...) the policies almost |
| 12 |
always need to be changed. Sadly, these changes are often faster brought |
| 13 |
into the stable tree than I can detect. I try to reduce the likelihood of |
| 14 |
this with more automated infrastructural tests and autobuilds, but things do |
| 15 |
fall through (for instance, /run issues only coming up when /var/run is a |
| 16 |
symlink, which isn't the case for "older" installations). |
| 17 |
|
| 18 |
To still support stable users, I currently use the "standard" 30-day |
| 19 |
stabilization period for the policies, but when I know the "pending stable" |
| 20 |
policy has other issues (it fixes /run, but now also needs the udev-binary |
| 21 |
move) I start the 30-day counter on the next policy. As a result, stable |
| 22 |
users are often "forced" to use ~arch policies. |
| 23 |
|
| 24 |
I would like to use a 14-day stabilization period instead. Why shorter? |
| 25 |
Well, first of all, there is already a period of testing within the |
| 26 |
hardened-dev overlay. Also, as policies are usually updated (enhanced) the |
| 27 |
risk of introducing regressions (in the policy that is) is low. Finally, |
| 28 |
it'll allow stable users to get their needed updates. |
| 29 |
|
| 30 |
There will be policy changes for which I'll use a 30-day period. For |
| 31 |
instance, when core system confined domains are rewritten (or split) or when |
| 32 |
some rights have been removed. This is also why I rather not have all users |
| 33 |
always use ~arch because there will be times that the policies get more |
| 34 |
thorough changes. |
| 35 |
|
| 36 |
This has been discussed on the last hardened meeting where everyone agreed |
| 37 |
on, and I'm hoping I can get your support for this as well. |
| 38 |
|
| 39 |
Wkr, |
| 40 |
Sven Vermeulen |
Archives