[DSE-User] Reference Policy Packaging
Erich Schubert
erich at debian.org
Tue Feb 28 02:06:42 UTC 2006
Hello,

I'm currently putting together a team for reference policy packaging for
Debian and Ubuntu. On the team so far are Andrew Mitchell, Manoj
Srivastava, Thomas Bleher and me (in no particular order, and no
particular task assigned).

You are of course welcome to join!
Also there is no reason why users of other distributions shouldn't be
able to participate - the policy should ideally work on all
distributions. ;-)

I've also just created (sorry, will take some time until the list is
actually working) a list named selinux-devel at lists.alioth.debian.org for
policy packaging and development.

We're currently discussing how to set up our repository (or repositories)
for policy development and packaging.
Manoj has expressed the wish to use an Arch repository. Given that there
were no objections to this so far, it's likely that we'll go with this
choice.

The Subversion repository I have set up on
http://svn.debian.org/wsvn/selinux/
is therefore only a temporary setup, I've mostly created so I can right
now put my policy changes so far (e.g. amavis, clam, dpkg, apt, tor
policies) and minor fixes somewhere, and maybe use SVN smartness to
merge them with upstream changes. And of course so that others can see
my differences.
I'm somewhat disappointed that none of the changes I've submitted
upstream so far have been included...

To e.g. retrieve the differences between the latest upstream version I
imported and the current debian branch, you can use

$ svn diff \
    svn://svn.debian.org/selinux/refpolicy/branches/upstream \
    svn://svn.debian.org/selinux/refpolicy/branches/debian

I'd really appreciate it if you could set up the current reference policy on
a testbox of yours (I don't think enforcing is realistic yet...) and
help ironing out all these small violations we get with the current
version. Some of these will only show up in specific setups, so we need
to test it on as many setups as possible. For example, the apache policy
was lacking support for symlinks such as /var/www/phpmyadmin, or the
logrotate cron rules were lacking one small statement for logcheck
support.

I think it's okay for now to add such rules "unaudited" to our policy,
because the policy is not yet audited anyway, and it's probably of more
use for us if we actually manage to arrive in a state where we can run
enforcing.
Of course if we had a volunteer to run an "audited" branch to check the
added rules for correctness that would be even better... but currently
we're lacking the manpower to do so.

best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
To be trusted is a greater compliment than to be loved. //\
The beginning of all knowledge is wonder. --- Aristotle V_/_