SE Linux Status in Debian 2012-03

I have just finished updating the user-space SE Linux code in Debian/Unstable to the version released on 2012-02-16. Upstream changed the build system, and combining those changes with the new Debian multi-arch support involved a fair bit of work for me. While I was at it I converted more of the packages to the new Quilt format to make it easier to send patches upstream. In the past I have been a bit slack about sending patches upstream; my aim for the next upstream release of user-space is to have at least half of my patches included upstream, which will make things easier for everyone.

Recently Mika Pflüger and Laurent Bigonville have started work on Debian SE Linux. They have done some good work converting the refpolicy source (which is used to build selinux-policy-default) to Quilt. Now it will be a lot easier to send policy patches upstream and to port them to newer versions of the upstream refpolicy.

Now the next significant thing that I want to do is to get systemd working correctly with SE Linux. But first I have to get it working correctly with cryptsetup.

4 comments to SE Linux Status in Debian 2012-03

  • Dan

    Hi,

    Just browsing around looking for some SE Linux info in Debian and found your site. While I don’t know what exactly you do yet for Debian, it sounds like you contribute a lot, so thanks for everything!

    Now, I will state that I am not an expert at SE Linux by any means, but I have at least had the chance to mess around on some test installs with Squeeze, and every time I try to get into SE Linux, I get more and more frustrated by the lack of good answers from the Google! :)

    Of everything that comes to mind with Debian specifically, there are 3 things that really stand out that I was wondering if you might know about, or be able to discuss some time on your site, since your site seems to be indexed nicely by google. :)

    1. Everything mentions backing up using “star” (for its --xattr option), yet it only appears to be in sid, making backups and restores a more complicated thing to get into for new users that are still in the learning stage, like I am

    2. Some of the policies that ship with Debian seem to be geared to a RHEL/RPM based system, as far as directories and paths are concerned (LFS)

    3. Those of us that like to use XFS need to reformat all their filesystems after the install to use -isize=512 to allow SE Linux attributes to work

    Other than these 3 little details, I think it is a very neat system. I used to be on the grsecurity side of the fence years ago, mostly for its simplicity, but given the whole vanilla vs. Debianized kernel requirements for grsec, I am starting to think that for Debian at least, SE Linux is a better way to go in the long run.

    So I am wondering, are you aware if any of these points will be addressed by the next version of Debian perhaps?

    Point #3 isn’t too big of a deal for me since I can use LVM and CLI commands to move stuff around or reformat, or only use it on initially empty volumes (like /srv), and I never use XFS on my root fs.

    Point #2 is honestly barely a problem since it was only like 2 or 3 policies that I ran into that seemed to have issues (iirc, was stuff like kerberos, and other more uncommon/advanced topics), but mostly mentioned here to find out if the end goal in Debian is to rewrite policies to be Debian specific, or if the intent is to use the upstream policies only.

    Point #1 is probably the biggest issue that I can think of though for Debian. Even the wikis make reference to star for backing up. At one point a few years ago, I could have sworn I had installed and used star in Debian, yet I am puzzled that it only shows up now in sid. Still, I get the feeling that if I just write a bunch of local policies and ensure they are backed up, a simple restore+recompile+semodule -i will work fine for now. I just hope star makes it into Wheezy! :) (and not have to use dumpfs or similar XFS dump tools, so amanda can be used without “dump” method, etc.).

    Anyways, my apologies for the wall-o-text, but it is nice to see someone working hard on Debian and SE Linux! Plus I hope there is a chance for some of the newb SE Linux users like myself to let someone like you that works on these systems know what it is that plagues us :) Well, thanks for all your work, and cheers!

    Dan

  • etbe

    1) star is only needed if you want to back something up with the SE Linux labels. If you want to just restore a backup and then immediately relabel then you don’t need it. star doesn’t seem to be in Debian/Unstable either, probably because upstream makes things too difficult for us.

    2) The policy often has paths for RHEL and Fedora, but in those cases it should have Debian paths as well and everything should just work. If not then file a bug report.

    3) No reformat is required for XFS, but it will waste 4K of data per file if you have small inodes. Also if you use XFS for a particular type of use then the context= mount option might be useful. For my mail servers I use context= for the mail store so that the millions of Maildir files don’t need labels.

    Generally filing bug reports is a good thing.
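As an added illustration of the context= mount option described in the reply above (constructed fstab lines, not from the original post): the device names, mount points and the mail_spool_t type are assumptions, and the type must be whatever the mail delivery agent's policy expects for the mail store.

```conf
# Constructed /etc/fstab fragment (added example, not from the original post).
# Device names, mount points and the SELinux type are assumptions.

# Per-file labelling: every file carries its own security.selinux xattr.
# Labels survive a backup/restore only if the archiver preserves xattrs
# (e.g. star) or the tree is relabelled with restorecon after the restore.
/dev/vg0/home   /home       xfs   defaults   0 2

# Whole-filesystem labelling: context= makes the kernel report the given
# context for every inode on this mount and ignore on-disk xattrs, so the
# millions of Maildir files need no individual labels, a plain tar backup
# loses nothing, and no relabel pass is needed after a restore.
# Caveat: labels on such a mount are fixed; chcon/restorecon cannot change
# them, so use it only where a single type fits the entire filesystem.
# Drop the trailing :s0 if the policy is built without MCS/MLS.
/dev/vg0/mail   /var/mail   xfs   defaults,context=system_u:object_r:mail_spool_t:s0   0 2
```

After mounting, `ls -Z /var/mail` should show the same context on every entry regardless of what was stored on disk.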

  • Dan

    Sorry to hear about star being such a problem. Good to know that those policy differences are meant to be distro agnostic though. Also, thanks for the context= trick. I saw it mentioned in the docs and such, but never really realized how beneficial it could be in a situation where you have a large number of small files.

    Well, thanks for the quick reply, take care.

    Dan

  • David Sastre Medina

    Hello.
    First of all, thanks for your work.
    While I wait for 2012-02-15 to be available in the repos, I’d like to know if there is a way to have access to a preview, maybe from http://anonscm.debian.org, in order to backport it to wheezy (for personal use).