On 4/4/23 14:22, David Sommerseth wrote:
On 03/04/2023 16:01, Vit Mojzis wrote:
On 3/31/23 18:09, David Sommerseth wrote:
On 31/03/2023 17:41, Petr Lautrbach wrote:
David Sommerseth <dazo@xxxxxxxxxxxx> writes:
[...snip...]
But for OpenVPN 3 Linux I do have an additional policy for a few of the
D-Bus services as well. Would it make sense to just keep them in the
openvpn3-linux project, or should I try to get them to some more
widespread SELinux reference policies?
I'd suggest to keep them in the project and use
https://fedoraproject.org/wiki/SELinux/IndependentPolicy
I've added Vit who's expert in ^^
Thanks a lot!
I believe the policy we currently ship via Fedora Copr is in a
reasonable state. It has also been somewhat reviewed by some of the
SELinux/refpolicy maintainers and I've implemented proposed changes.
<https://github.com/OpenVPN/openvpn3-linux/tree/master/src/selinux>
The openvpn3.te policy is what I will suggest to fedora-selinux, as that
may be useful for other projects as well.
The openvpn3_service.{fc,if,te} policy is OpenVPN 3 Linux specific.
Hi,
thank you for taking the time to write your own policy. It is great when
the policy is written by someone who actually understands what access
the product needs.
Looking at the policy I have a few suggestions.
Thanks a lot for this review! I'll try to get everything in shape for
our next release.
Just a short question ... This policy needs to work on RHEL-7 to RHEL-9
and Fedora up to the latest releases. Is there anything I should
beware of in that regard? Or will all your suggestions here work
fine across all these releases?
That is a very good question. Most of the interfaces and what is in the
"require" block should be stable (since it comes mostly if not
completely from refpolicy) and you'll know if anything is missing once
you build the package for each system (policy compilation would fail
otherwise). But if you encounter any missing interface (that is most
likely to occur in rhel-7) we have a workaround for that [1] which only
takes effect when needed, so you can still use the same policy sources
on all systems.
One thing that does cause issues sometimes is compatibility of the
compiled policy with selinux-policy-* packages (a binary policy compiled
in rhel-8 will most likely not work in rhel-7 and even changes between
minor releases can be enough to break compatibility). So please use the
%{?selinux_requires} rpm macro [2] to require the appropriate version of
selinux-policy-* packages.
Feel free to tag me in pull requests that have to do with the policy,
or post them here.
Vit
[1] - https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Backwards_compatibility
[2] - https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Example_spec_file_changes_to_incorporate_-selinux_subpackage
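
An added illustration, not part of the original thread and not the openvpn3-linux spec file: the -selinux subpackage sections of an RPM spec that builds the policy module on each target release and uses the %{?selinux_requires} macro mentioned above. The module name "myapp" and the install paths are placeholders chosen for this example.

```spec
# Added illustration. "myapp" and the paths below are placeholders.
%global modulename  myapp
%global selinuxtype targeted

%package selinux
Summary:        SELinux policy module for myapp
BuildArch:      noarch
Requires:       selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires:  selinux-policy-devel
# Adds the dependency on a matching selinux-policy version. The "?" form
# expands to nothing on a system where the macro is not defined, so the
# same spec still parses there.
%{?selinux_requires}

%description selinux
Custom SELinux policy module for myapp.

%build
# Compile the module during the package build, once per target release,
# so the binary .pp is never carried from one release to another.
make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
bzip2 -9 %{modulename}.pp

%install
install -D -m 0644 %{modulename}.pp.bz2 \
    %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%postun selinux
# Remove the module only on package removal, not on upgrade.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}

%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
```
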
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx