1 |
I'm hoping this is sufficiently "non-technical" to be on -project ;-) |
2 |
|
3 |
SELinux uses a "deny all by default" principle, which means that anything |
4 |
that isn't explicitly allowed is denied. When a policy (i.e. the rules that |
5 |
the system and its processes need to adhere to) is updated, it usually is |
6 |
enhanced (more rights added) rather than reduced (rights removed). This is |
7 |
mainly because it is hard to find out which rules can be removed without |
8 |
risk of introducing regressions. |
9 |
|
10 |
When things change on a system (we've had a few in the near past, think about |
11 |
udev binary move, /run introduction, /usr merge, ...) the policies almost |
12 |
always need to be changed. Sadly, these changes are often faster brought |
13 |
into the stable tree than I can detect. I try to reduce the likelihood of |
14 |
this with more automated infrastructural tests and autobuilds, but things do |
15 |
fall through (for instance, /run issues only coming up when /var/run is a |
16 |
symlink, which isn't the case for "older" installations). |
17 |
|
18 |
To still support stable users, I currently use the "standard" 30-day |
19 |
stabilization period for the policies, but when I know the "pending stable" |
20 |
policy has other issues (it fixes /run, but now also needs the udev-binary |
21 |
move) I start the 30-day counter on the next policy. As a result, stable |
22 |
users are often "forced" to use ~arch policies. |
23 |
|
24 |
I would like to use a 14-day stabilization period instead. Why shorter? |
25 |
Well, first of all, there is already a period of testing within the |
26 |
hardened-dev overlay. Also, as policies are usually updated (enhanced) the |
27 |
risk of introducing regressions (in the policy that is) is low. Finally, |
28 |
it'll allow stable users to get their needed updates. |
29 |
|
30 |
There will be policy changes for which I'll use a 30-day period. For |
31 |
instance, when core system confined domains are rewritten (or split) or when |
32 |
some rights have been removed. This is also why I rather not have all users |
33 |
always use ~arch because there will be times that the policies get more |
34 |
thorough changes. |
35 |
|
36 |
This has been discussed on the last hardened meeting where everyone agreed |
37 |
on, and I'm hoping I can get your support for this as well. |
38 |
|
39 |
Wkr, |
40 |
Sven Vermeulen |