On Tue, 05 May 2009 18:20:15 +0200, Manoj Srivastava <sriva...@debian.org> wrote:

On Mon, May 04 2009, Riku Voipio wrote:

On Mon, Apr 06, 2009 at 10:13:39PM -0000, Jiri Palecek wrote:
I'd like to package the selinux tests from the ltp test suite. The tests need a special selinux policy to be loaded and some files to be relabeled.
I haven't found any standard way of packaging this, so I made an
experimental package (see [1]; it sort of works - not completely,
like 10 tests out of 30, but that's not an issue now) and I would
like to hear your opinion on these issues:

1. The package loads the policy on "postinst configure" with semodule
   -i, is that right? (And did I implement it properly in the
   scripts?) There were some avc messages during package install
   (semodule was denied access to a terminal with type apt_t), can
   this be solved?

        I am not yet comfortable with my security policy changing just
 because a package is installed. So far, even the policy packages do not
 install the new policy, letting the security officer audit and manually
 install policy.

OK. Would you be comfortable with a debconf question on the subject, then?

        Having security policies change automatically seems contrary to
 the whole idea of buttoning down security, so this change is not
 likely to happen.

As long as it fails gracefully if semodule binary is missing or
selinux isn't enabled.

2. The relabeling has to be done manually with fixfiles relabel; is
   there a way to do it (and should it be done) automatically?

        The same applies here. Having packages relabel files is one way
 to potentially allow your security to fly out of the window.

How should I convey information about the contexts of the files in the package?


3. The runtime packages depend on selinux-policy-default; should it
   (alternatively) depend on the other policies too? Would this need
   a separate policy package?

        Well, currently, selinux-policy-default is the only one being
 worked on.


4. Should the policy package be in /usr/share?

        Which policy package?

The .pp file.

Regards
    Jiri Palecek

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
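
The conditions raised in this thread (no policy change without the administrator's say-so, and no install failure when semodule is missing or SELinux is disabled) can be combined in one maintainer-script helper. This is an added example, not code from the experimental package or from any poster. The module path, the function names, and the opt-in argument (standing in for a debconf answer) are assumptions.

```shell
#!/bin/sh
# Added example: opt-in, fail-soft SELinux module load for a postinst.
# Assumed names (not from the thread): PP_FILE path, policy_action, apply_policy.
PP_FILE="${PP_FILE:-/usr/share/selinux/ltp-tests/ltp_tests.pp}"  # hypothetical

# Print the decision for this run; always returns 0 so dpkg never aborts.
#   $1 = maintainer-script action, $2 = admin opt-in ("true" to load)
policy_action() {
    [ "$1" = "configure" ] || { echo "skip-not-configure"; return 0; }
    # Default is to leave the running policy untouched.
    [ "$2" = "true" ] || { echo "skip-not-approved"; return 0; }
    command -v semodule >/dev/null 2>&1 || { echo "skip-no-semodule"; return 0; }
    # selinuxenabled exits 0 only when SELinux is enabled on this system.
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "skip-selinux-disabled"; return 0
    fi
    [ -r "$PP_FILE" ] || { echo "skip-no-module"; return 0; }
    echo "load"
}

# Act on the decision; a failed or skipped load is reported, never fatal.
apply_policy() {
    decision=$(policy_action "$1" "$2")
    if [ "$decision" = "load" ]; then
        semodule -i "$PP_FILE" ||
            echo "warning: semodule -i failed, policy module not loaded" >&2
    else
        echo "policy module not loaded ($decision); to load: semodule -i $PP_FILE" >&2
    fi
    return 0
}
```

A postinst would call `apply_policy "$1" "$answer"`, where `$answer` comes from whatever opt-in mechanism the package uses.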

