On Thu, Jul 30 2009, Gustavo Franco wrote:

> On Thu, Jul 30, 2009 at 11:16 AM, Manoj Srivastava<sriva...@debian.org> wrote:
>> Hi,
>>
>>        I would like to set up a selinux related release goal for
>>  Squeeze.
>>
>>  Developer associated:  Manoj Srivastava (Perhaps also Russell Coker,
>>                         but I have not discussed this with him)
>>  Issues to be solved:
>>   (a) Get all Debian patches to the reference security policy merged in
>>       upstream.  Status: In progress, we have all patches submitted,
>>       some need to be tweaked and resubmitted based on feedback
>>       Time line: 1-2 months, depending on free time I have
>>   (b) Update reference security policy to allow standard machines to be
>>       in enforcing mode.
>>       Status: It is possible to run minimal virtual machines in
>>       enforcing mode, but real machines are somewhat crippled; these
>>       denials need to be inspected, and determination needs to be made
>>       for how to resolve them (do not want security holes enshrined in
>>       policy)
>>       Time line: 6-8 months (can be done in tandem with a, if there were
>>       more people working on it)
>>   (c) Make it easier to run in strict (no unconfined.pp module)
>>       mode. This needs firstly documentation, and secondly, additional
>>       tweaks to policy to make it work. Russell has a play machine
>>       where it all works, but those changes are not in the reference
>>       policy -- and some of them might not be fit to be in ref policy
>>       at all.
>>      Time line: 9-12 months
>>
>>        The actual non-policy packages are now well in sync with
>>  upstream,  so the weak point is the security policy.
>>
>>        Ideally, the goal would be to have Squeeze certifiable at EAL-4,
>>  at least the "standard" install (no optional packages), if someone with
>>  deep pockets were willing to actually pay for the certification, and be
>>  willing to push through the process.
>
> Which parts of the work you described above would be needed for Squeeze
> to be certifiable at EAL-4? All of them?

        Making a Debian release EAL-4 certifiable would go beyond
 (perhaps far beyond) just making strict policy work, but all three
 above would be a minimal requirement.

> Based on your timeline, it seems A is on track to make Squeeze, we
> should get more people to work with you on B (setting as a goal) and C
> would be a no go for this release, jmo. Am I wrong?

        Well, that would depend on when the freeze happens. If we freeze
 a year from now, I think there is a fighting chance all these can be
 accomplished. 

        manoj
-- 
The shortest measurable interval of time is the time between the moment
I put a little extra aside for a sudden emergency and the arrival of
that emergency.
Manoj Srivastava <sriva...@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

