On Thu, Mar 17, 2011 at 01:14:02PM -0400, Anthony G. Basile wrote:
> I'm think we should go for stabilization --- I'm not sure how since the
> arch teams are going to say they really can't test this for us, and as
> they did with other packages, will probably defer the judgment back to
> us.  If we do, we should take this responsibility very seriously because
> the arch teams, if nothing else, are a double check on our work.

For the time being, I'm focusing my attention on server-side testing:
integrated virtual environments running bind, openldap for authentication
with replication, a load-balanced apache setup offering squirrelmail access
to a virtual mailhosting setup (postfix/courier) and a standalone postgres
(still looking for something nice to fully test postgres with).

I'm extending the environment with more and more services so that I have
some testing environments for most of the servers (for instance, I have a
build server that uses lighttpd) for which we have policies.

However,
- I'm focussing on strict policy (no unconfined domains) which is a major
  shortage as we definitely want to support unconfined as well.
- Although I run my desktops with SELinux strict as well, I'm hardly what
  can be called a multimedia-user: apart from firefox and skype, all
  utilities I use are mostly command-line ;-) So support for
  desktop-oriented SELinux might still be lacking stuff. 

The reasons are fairly simple:
- Strict allows us to focus on the policy itself and, in theory, if a strict
  policy works well, unconfined should work well too as far as the same
  activities are concerned.
- Desktop applications are far too difficult to automatically test
  (regressions), which leads me to
- I hardly have the time to run manual tests ;-)

Of course, when there are bugs (for instance with unconfined) it's a small
step to convert to the targeted policy and verify if it is reproduceable
(like it was with that pesky bug you mentioned in the beginning of your
mail).

> So far I see only a few bugs that need addressing still in bugzilla.
> (The bug reports are a bit disorganized because of how they were
> assigned.  We're going to be assigning selinux bugs to
> [email protected] for easy lookup.)
> 
> I think these are blockers to stabilization.  Any others you want to add
> to the list?
> 
> #355675 - No brainer. I'll test the patch there this afternoon and put
> it on the tree later if it works.
> 
> #346563 - sounds like a profile problem, but I'm not sure its valid

If we go for stabilization (and I wouldn't mind, as most additional servers
that I'm setting up hardly require updates on the policy) we should push the
SELinux Hardened Handbook (currently in hardened-doc.git) as well as the
SELinux FAQ. Also, the moment we stabilize, can we please get the
"loadpolicy" stuff out of our profile (selinux/make.defaults) ;-)

Anyhow, #346563 is about that weird multilib/nomultilib situation. SELinux
profiles currently enable multilib and "-multilib" (aka "no-multilib") is
for the time being not supported. But we might need to focus on this in the
near future as I would assume in server environments no-multilib is
preferred.

Wkr,
        Sven Vermeulen

Reply via email to