[DSE-Dev] First cut at updating the reference policy

Manoj Srivastava manoj.srivastava at stdc.com
Sun Feb 15 16:29:25 UTC 2009


Hi,

        I have uploaded the user land packages to Sid, and have packaged
 the latest released refpolicy (20081014), again, available at:
--8<---------------cut here---------------start------------->8---
deb      http://newpeople.debian.org/~srivasta/ packages/
deb-src  http://newpeople.debian.org/~srivasta/ packages/
--8<---------------cut here---------------end--------------->8---

        This is just a base import of the upstream release, with all the
 upstream changes, but with none of the fixes for bugs reported on the
 Debian BTS which were not fixed by upstream.

        There are known issues with this policy; policy generation fails
 in the postinst:
,----
| libsepol.print_missing_requirements:
|    cups's global requirements were not met:
|       type/attribute print_spool_t 
| --->> Needs to load lpd.pp before cups.pp
`----

,----
| libsepol.print_missing_requirements:
|     telnet's global requirements were not met:
|        type/attribute remote_login_t
| ----->> Needs to load remotelogin.pp before telnet.pp
`----

        I think it is time to pull the module dependency checker out
 of the postinst, and make it a proper admin command. This will make it
 easier to debug, since in this case the upstream policy does seem to be
 fine. We can also pre-calculate the dependency graph, and shave a few
 seconds off the refpolicy install time.

--8<---------------cut here---------------start------------->8---
% cd /usr/share/selinux/default
% semodule_deps -g base.pp a*.pp b[i-o]*.pp [c-z]*.pp
digraph mod_deps {
        overlap=false
        webalizer -> apache
        telnet -> remotelogin
        cups -> lpd
        rlogin -> remotelogin
        xen -> unconfined
        xen -> netutils
}
--8<---------------cut here---------------end--------------->8---



        I realize that in the Lenny cycle Debian policy fell behind
 (until Russell came in and packaged it); to avoid the same happening
 this time around, I solicit help and patches. I've time to handle the
 packaging, and will be happy to coordinate patches, but Russell is the
 go-to guy for SELinux policy in Debian.

        manoj
-- 
Manoj Srivastava <manoj.srivastava at stdc.com> <srivasta at acm.org>        
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
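The failures in the postinst come from loading modules in glob order (cups.pp before lpd.pp, telnet.pp before remotelogin.pp). As an added example, not part of the post or of the Debian refpolicy packaging, the snippet below parses the `semodule_deps -g` digraph quoted above (an edge `a -> b` meaning a requires b), derives a load order in which every requirement precedes the module that needs it, reports a dependency cycle, and checks a proposed order for the first module that would trip "global requirements were not met". The function names and the sample text are the example's own.

```python
import re

# Constructed sample input: the 'semodule_deps -g' digraph quoted in the post.
SAMPLE = """digraph mod_deps {
        overlap=false
        webalizer -> apache
        telnet -> remotelogin
        cups -> lpd
        rlogin -> remotelogin
        xen -> unconfined
        xen -> netutils
}"""

EDGE = re.compile(r"^\s*(\w+)\s*->\s*(\w+)\s*;?\s*$")  # 'a -> b': a requires b

def parse_deps(text):
    """Map each module to the set of modules it requires (leaves map to an empty set)."""
    deps = {}
    for line in text.splitlines():
        if m := EDGE.match(line):
            mod, needs = m.groups()
            deps.setdefault(mod, set()).add(needs)
            deps.setdefault(needs, set())
    return deps

def load_order(deps):
    """Topological order: each module after everything it requires. ValueError on a cycle."""
    order, state = [], {}  # state: 1 = visit in progress, 2 = finished
    def visit(mod, chain):
        if state.get(mod) == 2:
            return
        if state.get(mod) == 1:
            raise ValueError("dependency cycle: " + " -> ".join(chain + [mod]))
        state[mod] = 1
        for need in sorted(deps.get(mod, ())):
            visit(need, chain + [mod])
        state[mod] = 2
        order.append(mod)
    for mod in sorted(deps):
        visit(mod, [])
    return order

def first_unmet(deps, order):
    """First (module, requirement) that `order` loads too early, or None if it is safe."""
    loaded = set()
    for mod in order:
        for need in sorted(deps.get(mod, ())):
            if need not in loaded:
                return (mod, need)
        loaded.add(mod)
    return None
```

Feeding the alphabetical glob order from the post into `first_unmet` returns `("cups", "lpd")`, the first of the two errors the postinst printed.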