Changing priority of selinux back to optional
The priority of selinux packages was changed from optional to standard,
fairly shortly before the release of Etch.

I propose to revert that change before Lenny. The basic reason is that the selinux packages have basically been unmaintained since the release of Etch. Because of that, current SELinux just cannot be expected to work.

An additional reason is that the installation of selinux packages adds significantly to the size of the base system and accounts for a significant part of the time it takes to install the "standard" task, especially on slower architectures. This would be OK if there were real benefits in having SELinux, but ATM that benefit is just not there.

Packages (both tools and policy packages) currently available in unstable and testing are seriously outdated when compared with their upstream versions. This also means that, with the soft freeze for Lenny starting fairly soon, there is little time left to substantially improve the SELinux support in Debian, which was one of the arguments for making it standard in the first place.

Some facts.

Package           etch              lenny/sid         upstream
policycoreutils   1.32-3            2.0.16-1          2.0.42 (?)
setools           2.4-3             2.4-3             3.3.2
refpolicy         0.0.20070507-5    0.0.20070507-5    20071214
libsepol          1.14-2            2.0.3-1           2.0.20 (?)
libselinux        1.32-3            2.0.15-2          2.0.50 (?)

None of the packages in Debian has been updated since June/July 2006. There are also some longstanding bugs, including fairly simple packaging errors in Etch, none of which have been addressed. Examples:

- #440474: chcat: syntax errors
- #405975: semodule_deps and semodule have alignment issues
- #427906: postinst: policy package name to deb name, lacks glob support
- #438604: selinux-basics: Invalid test for dynamic motd updating
- #438706: selinux-doc: Error in doc-base definition
- #438887: refpolicy: Spurious "+" causes warnings when building modules

None of these bugs has seen any reaction from the package maintainers.
I spent quite a bit of time on SELinux back around September, with the intention of learning more about how it worked and its state in Debian, and to maybe contribute. At that time I filed a few bugs and asked for help with some issues I encountered (as so kindly offered by Manoj during his 2007 Debconf talk), but never received any reaction. In the end I gave up.

My experience then was that SELinux was fairly complex to set up and needed a lot of custom policy tweaks for even basic things to work. I.e., not something that deserves to be installed by default.

I have also for some time followed selinux upstream development, and it was very high paced. Not keeping up means getting left _far_ behind, and especially for policy it means that tweaks needed for selinux to work well on standard Debian just won't be there.

Cheers,
FJP
Changing priority of selinux back to optional
Hello Frans, Hello fellow DDs,
Yes, the SELinux stuff doesn't seem to have any currently active developers. I haven't heard anything from Manoj in months. I had to stop working on SELinux myself for various reasons; it's not that things didn't work, but it was a mixture of personal reasons (mostly lack of time, and no longer being responsible for the servers I was using SELinux on) but also largely a motivational thing, that I didn't feel people really cared much about it.

Most of the time when you'd just mention SELinux, people would basically be scared and run away. This is largely due to FUD efforts by the AppArmor folks, who - incorrectly - framed SELinux as being overly complex. Just recently, at the Google Android Developer Thingy here in Munich, someone (in the informal discussions around dinner) again suggested something along the lines of automatically creating users to separate applications that could easily be squashed using the SELinux stuff. SELinux works the same way uid and gid work, so it just isn't really that complex. All the difficulties lie in writing good restrictive policies; and that doesn't get any easier if you do some uid/gid magic...

Anyway, back to the original topic:

1. I agree that SELinux currently is not in shape for a release. The packages are seriously outdated; there have been some major changes in upstream. In particular, the 'targeted' and 'strict' policies have been merged and only differ by having a 'targeted' module installed. AFAIK.

2. At least libselinux is linked by many of the core packages, and the package REALLY should be updated nevertheless. However, that might require also updating most of the other packages; I'm not sure about API compatibility.

3. In my experience, none of the SELinux libraries or applications were particularly hard to package/maintain. All the hard work is in fine-tuning the policy to support all the Debian-specific stuff. Especially when you need the cooperation of other maintainers, such as:

initscripts: http://bugs.debian.org/390067
cron: http://bugs.debian.org/333837
liblzo1: http://bugs.debian.org/336138

All of which have been open in the range of 1.5-2.5 years. I pushed fixes for some of these issues (e.g. amavis). Usually the best way is to split out a specific part of the init script (such as the part doing the backups of /etc/shadow) into a separate script. This is not a particularly hard change, but you can face a lot of resistance. So in fact, the situation for SELinux-related bugs not in the actual SELinux packages is even worse.

So maybe it would be better to actually get some people involved in SELinux again. It's a pity to see the AppArmor FUD work this well. (Albeit AppArmor didn't make it into the mainstream kernel or Debian, and I remember having seen some news message last year that Novell stopped development of AppArmor?) The AppArmor WNPP bug has been open for months without any message, too: http://bugs.debian.org/440680

This makes me wonder if we actually have enough developers working on security infrastructure and the core system in general. Actually I have the impression in general (not only with respect to security) that we're losing developer share, but I can't tell you where people are going to instead. Ubuntu didn't recently strike me as being more attractive, and their SELinux and AppArmor stuff is as outdated/stalled as ours. It's mostly Fedora/Gentoo (for SELinux) and SuSE (for AppArmor) that seem to be making progress here, but probably only because there are a few single persons pushing the stuff for the distributions they use themselves.

best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C
The future is here. It's just not evenly distributed yet.
Friends call themselves sincere. Enemies are so: which is why one should use their reproach for self-knowledge, as a bitter medicine.
--- Arthur Schopenhauer

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
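The split Erich recommends above (moving the /etc/shadow backup out of the init script into its own executable so that policy can confine that one step instead of the whole init script) in working shell, as an added example that is not part of the thread or of any Debian package. The helper name shadow-backup, the temporary directory layout and the sample shadow line are constructed for the demo; the script touches nothing outside a fresh mktemp directory.

```shell
#!/bin/sh
# Added example: factoring the privileged shadow backup out of an init script
# into a standalone helper. Everything below runs against constructed files
# under a temporary directory; no real /etc/shadow is read.

# Body of the standalone helper. As a separate file it can carry its own
# SELinux file context, and policy can give it a dedicated domain; the init
# script's own domain then never needs read access to the shadow file.
SHADOW_BACKUP_HELPER='#!/bin/sh
set -eu
src="${1:-/etc/shadow}"
dst="${2:-/var/backups/shadow.bak}"
umask 077                      # backup is created mode 0600
cp -p "$src" "$dst.tmp"        # copy first, then rename atomically
mv "$dst.tmp" "$dst"
'

# Write the helper to the path in $1 and make it executable.
install_shadow_backup_helper() {
    helper="$1"
    printf '%s' "$SHADOW_BACKUP_HELPER" > "$helper" && chmod 0755 "$helper"
}

# What the init script does after the split: exec the helper by path.
# Note: invoking it as "sh $helper" would defeat the point, because the
# domain transition is keyed on the label of the file being executed.
initscript_backup_step() {
    helper="$1"; src="$2"; dst="$3"
    "$helper" "$src" "$dst"
}

# Run the whole thing on constructed input. Prints the backup path on success
# and returns non-zero if any step or the content check fails.
demo_split_backup() {
    root=$(mktemp -d) || return 1
    printf 'root:*:14000:0:99999:7:::\n' > "$root/shadow"   # constructed sample line
    install_shadow_backup_helper "$root/shadow-backup" || return 1
    initscript_backup_step "$root/shadow-backup" "$root/shadow" "$root/shadow.bak" || return 1
    cmp -s "$root/shadow" "$root/shadow.bak" || return 1
    echo "$root/shadow.bak"
}
```

The only change visible from the init script is that one line of cp becomes one exec of a helper; the benefit is entirely on the policy side, where the helper can be labelled and confined on its own while the init script keeps the access it already had.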
Changing priority of selinux back to optional
I agree. Regarding the installed size, on my not-so-barebone KDE lenny PC (1067 packages installed), installing standard selinux packages would require 40 MB more. Systems with old HDDs and miniature systems could be bothered.
Changing priority of selinux back to optional
Erich Schubert <erich@debian.org> writes:
> This makes me wonder if we actually have enough developers working on
> security infrastructure and the core system in general. Actually I have
> the impression in general (not only with respect to security) that we're
> losing developer share, but I can't tell you where people are going to
> instead. Ubuntu didn't recently strike me as being more attractive, and
> their SELinux and AppArmor stuff is as outdated/stalled as ours.

*cough*

https://lists.ubuntu.com/archives/ubuntu-hardened/2008-February/000284.html

--
Greetings,
Reinhard Tartler, KeyID 945348A4
Changing priority of selinux back to optional
> The priority of selinux packages was changed from optional to standard,
> fairly shortly before the release of Etch.
>
> I propose to revert that change before Lenny. The basic reason is that
> the selinux packages have basically been unmaintained since the release
> of Etch.

I'd like to work on SELinux packages and bugs. SELinux is doing great proactive security and I'd like to help the Debian hardening team. SELinux is currently the most superior security policy, and the latest kernel sees several scalability fixes.

So, asking if the SELinux team is ok with adding me as co-maintainer?

Thanks Erich for your concise posting on where the work needs to be picked up!

best regards
--
maks
Changing priority of selinux back to optional
On Wed, Feb 06, 2008 at 12:27:45PM +0100, maximilian attems wrote:
> I'd like to work on SELinux packages and bugs.

That's wonderful, thanks for your help offering!

Still, if I'm interpreting correctly Frans' and Erich's mails, the *current* status of SELinux in Debian is, erm, sub-optimal. So I think Frans' request of demoting selinux related stuff priority is entirely reasonable, isn't it?

So I presume you have nothing against actually changing the priority back to optional until you're working on the various fixes. Once the needed bug fixes and the pending package upgrades are in place, we can for sure promote again the priority. What do you think?

Cheers.

--
Stefano Zacchiroli -*- PhD in Computer Science ............... now what?
zack@{upsilon.cc,cs.unibo.it,debian.org} -<%>- http://upsilon.cc/zack/
(15:56:48) Zack: and the demo, dema?        / All one has to do is hit the
(15:57:15) Bac: no, the silly demo          / right keys at the right time
Changing priority of selinux back to optional
On Wed, 6 Feb 2008 12:27:45 +0100, maximilian attems <max@stro.at> wrote:

> > > The priority of selinux packages was changed from optional to standard,
> > > fairly shortly before the release of Etch.
> > >
> > > I propose to revert that change before Lenny. The basic reason is that
> > > the selinux packages have basically been unmaintained since the release
> > > of Etch.
>
> I'd like to work on SELinux packages and bugs.

Can't one just file NMUs and upload them to DELAYED/*?

David

--
Debian maintainer | http://wiki.debian.org/DavidPaleino
Linuxer #334216 | http://www.hanskalabs.net/
GPG: 1392B174 | http://snipr.com/qa_page
2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
Changing priority of selinux back to optional
Hi,
I'm not a DD, but I'm very interested in SELinux on Debian (but must say - not a guru for SELinux yet :). I'm experimenting with the latest SELinux code on Etch, so if this stuff can be worth anything for anyone...

http://linux.i.cz/debian/dists/selinux-etch/

Packages are a bit hairy (changelogs). I rewrote packaging using CDBS in some places, which maybe is not acceptable for the maintainer (Manoj). Some packages are simply backports from Sid, some are upgraded (e.g. pam is 0.99.9.0). There is no package for policy yet, because this is (as Erich S. writes) a long run. Everything is highly experimental :).

Cheers
--
Zito
Changing priority of selinux back to optional
On Wed, 06 Feb 2008, Stefano Zacchiroli wrote:
> On Wed, Feb 06, 2008 at 12:27:45PM +0100, maximilian attems wrote:
> > I'd like to work on SELinux packages and bugs.
>
> That's wonderful, thanks for your help offering!
>
> Still, if I'm interpreting correctly Frans' and Erich's mails, the
> *current* status of SELinux in Debian is, erm, sub-optimal. So I think
> Frans' request of demoting selinux related stuff priority is entirely
> reasonable, isn't it?
>
> So I presume you have nothing against actually changing the priority
> back to optional until you're working on the various fixes. Once the
> needed bug fixes and the pending package upgrades are in place, we can
> for sure promote again the priority. What do you think?

Well, I haven't heard back from Erich yet, so I'm waiting for his response. cc'ing him directly now ;)

But as I'm currently willing to work on it, I'd NACK fjp's request. Of course, if no progress has been made in a month, his request is more than reasonable.

best regards
--
maks

ps: keep me on cc in responses, thanks.
Changing priority of selinux back to optional
Hi everyone,
There is no real "SELinux team" anymore that could say yes or no to anything, I figure. The SELinux people at Debian were mostly Manoj, RJC and myself. I haven't heard anything from Manoj in months, I'm not able to do any actual SELinux work anymore, and while RJC updated his SELinux Demo machine (http://www.coker.com.au/selinux/play.html) at some point, I haven't heard any plans from him to 'revive' SELinux in Debian, but he is actively advocating SELinux and actively blogging: http://etbe.coker.com.au/tag/selinux/ and he has some somewhat-updated packages in his repository: http://www.coker.com.au/dists/etch/selinux

Make sure to talk to him, but other than that I'd suggest you just hijack/NMU the relevant packages.

There is an updated policy package I did early this year at http://selinux.alioth.debian.org/experimental/refpolicy/ which is after the strict/targeted merge. It's also using my own packaging; it's not based on Manoj's work. He reproduced some of the things I did in Perl, while I'm still using my python+sh code, which in my opinion is superior in some cases I believe (I never tried his packages!). I don't know if his module auto installation still loads one module after the other, or if it's done in one pass like I do. I also introduced some module guessing and upgrading (!) code I don't know if he has yet adopted, so make sure to investigate both packages.

Make sure to also investigate the new Ubuntu efforts that Reinhard pointed out. It would be best to join efforts here. Caleb Case is using a tresys email address, that is where refpolicy upstream lives.

best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C
A man doesn't know what he knows until he knows what he doesn't know.
It is not worth opening your eyes when your head is stuck in the sand.