FS#15612 - better support for selinux

Attached to Project: Arch Linux
Opened by Michal Svoboda (pht) - Tuesday, 21 July 2009, 06:34 GMT
Last edited by Paul Mattal (paul) - Thursday, 26 November 2009, 15:20 GMT
Task Type Support Request
Category Security
Status Closed
Assigned To Tobias Powalowski (tpowa)
Aaron Griffin (phrakture)
Thomas Bächler (brain0)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: Please include support for SELinux out of the box so Arch can be used on systems where people do mean security. I attempted to tweak my Arch install for selinux thus:

1) I installed all the selinux packages only to find out that the refpolicy sources and accompanying userland programs are outdated badly
2) I tweaked and makepkg'd manually all the new packages only to find out that the udev daemon fails to perform its role because it was not compiled with --enable-selinux (or so) and perhaps because /dev is on ramfs instead of tmpfs
3) I worked around all this but then I found out that the refpolicy does not have arch linux as its distro option and a lot of stuff just does not work (take initscripts as an example)
4) I spent some more time with it but then I gave up

This task depends upon

Closed by  Paul Mattal (paul)
Thursday, 26 November 2009, 15:20 GMT
Reason for closing:  Deferred
Additional comments about closing:  Deferred per Gerardo and bug submitter.
Comment by Roman Kyrylych (Romashka) - Tuesday, 21 July 2009, 10:13 GMT
I suggest contacting sergej (the maintainer of selinux packages in community) as I guess he managed to run Arch with SELinux somehow.
Personally I don't think SELinux is nice, because of its complexity.
When it comes to security, I'd be more interested in SMACK support, because of its simplicity.
Comment by Michal Svoboda (pht) - Tuesday, 21 July 2009, 10:48 GMT
How do I contact him?

As for SMACK vs SELinux it would be best if both were supported just as we don't stick to one version of shell, etc.
Comment by Roman Kyrylych (Romashka) - Tuesday, 21 July 2009, 11:03 GMT
Sergej Pupykin, pupykin.s at gmail
Comment by Michal Svoboda (pht) - Thursday, 13 August 2009, 08:53 GMT
Didn't succeed in summoning him yet. Anyway the question was not "how to get SELinux working *once*" - the answer to that is "patience and wisdom" but it was rather "please make it so it runs more or less out of the box". That is,

1) Have all necessary tools support SELinux or provide SELinux enabled alternative packages (for example, there is init, but not udev)
2) Provide updated SELinux userspace packages
3) Submit patches to the reference policy so that 'arch' is a valid DISTRO option ... this will require mainly to set correct paths for the initscripts, etc.
4) After 3) is done provide policy packages in BINARY form (not source)
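As an added example (not code from this bug report, nor from any Arch or udev package), the following POSIX shell script checks the three concrete blockers the thread names: whether selinuxfs is mounted at all, whether /dev sits on tmpfs or devtmpfs rather than the ramfs the reporter suspects, and whether the udev daemon binary is linked against libselinux, which it will not be unless built with SELinux support. The mount table embedded in the script is a constructed sample resembling the reporter's system; the udevd path /sbin/udevd and the two selinuxfs mount points are assumptions and can be overridden.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any Arch package.
# Readiness checks for the three blockers named in the thread:
#   - is selinuxfs mounted (the kernel side is enabled at all)?
#   - is /dev on tmpfs/devtmpfs rather than ramfs, so udev can label nodes?
#   - is the udev daemon linked against libselinux (built with --enable-selinux)?
# The mount table is passed in as a string so the checks run offline on the
# constructed sample below; pass "$(cat /proc/mounts)" to check a live system.

# Print the filesystem type mounted at $2 according to the /proc/mounts-style
# table in $1 (fields: device mountpoint fstype options dump pass). The last
# matching entry wins, as with a real mount stack; "none" if nothing is there.
fstype_at() {
    printf '%s\n' "$1" | awk -v m="$2" '$2 == m { t = $3 } END { print (t == "" ? "none" : t) }'
}

# The report suspects a ramfs-backed /dev is part of why udev fails. tmpfs and
# devtmpfs can carry SELinux security labels, so accept those (assumption).
dev_ok() {
    case "$(fstype_at "$1" /dev)" in
        tmpfs|devtmpfs) echo yes ;;
        *) echo no ;;
    esac
}

# Userspace talks to the kernel's SELinux through selinuxfs. Older kernels
# mount it at /selinux, newer ones at /sys/fs/selinux; accept either.
selinuxfs_ok() {
    if [ "$(fstype_at "$1" /sys/fs/selinux)" = selinuxfs ] ||
       [ "$(fstype_at "$1" /selinux)" = selinuxfs ]; then
        echo yes
    else
        echo no
    fi
}

# A udev built without SELinux support is not linked against libselinux, so
# ldd on the daemon binary is a cheap tell. Prints yes, no or unknown
# (unknown when the binary is missing or ldd is unavailable).
udev_linked_against_libselinux() {
    bin="$1"
    if [ ! -x "$bin" ] || ! command -v ldd >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if ldd "$bin" 2>/dev/null | grep -q libselinux; then echo yes; else echo no; fi
}

# Constructed sample mirroring the reporter's system: /dev on ramfs, no selinuxfs.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime 0 0
none /dev ramfs rw 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0'

# Summarise all three checks for a mount table ($1) and a udevd path ($2).
selinux_readiness_report() {
    mounts="$1"
    udevd="$2"
    printf '/dev fstype:            %s (usable: %s)\n' "$(fstype_at "$mounts" /dev)" "$(dev_ok "$mounts")"
    printf 'selinuxfs mounted:      %s\n' "$(selinuxfs_ok "$mounts")"
    printf 'udevd links libselinux: %s\n' "$(udev_linked_against_libselinux "$udevd")"
}

# Run against the constructed sample; UDEVD=/path/to/udevd overrides the assumed path.
selinux_readiness_report "$SAMPLE_MOUNTS" "${UDEVD:-/sbin/udevd}"
```

Running it on the constructed sample reports /dev as ramfs and selinuxfs as absent, which is the state the reporter describes. On a real box, `selinux_readiness_report "$(cat /proc/mounts)" /sbin/udevd` answers the same questions; a "no" on the libselinux line means the udev package needs rebuilding with SELinux support before any policy work is worthwhile.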
Comment by Laszlo Papp (djszapi) - Saturday, 07 November 2009, 17:32 GMT
Comment by Michal Svoboda (pht) - Sunday, 08 November 2009, 07:21 GMT
No one else wants to take it over then? I could give a hand, but I don't want to be a maintainer...
Comment by Allan McRae (Allan) - Friday, 13 November 2009, 16:09 GMT
I'd suggest creating a community project to implement SELinux on Arch. It seems doubtful to me that this will be picked up officially at any stage soon... And community projects that are successful may eventually become official.
Comment by Laszlo Papp (djszapi) - Friday, 13 November 2009, 19:47 GMT
It sounds like a good idea, because maybe this is not so popular that every user needs it, and some problems can be read about around this service/application, but it could be a good community project.
Comment by Gerardo Exequiel Pozzi (djgera) - Wednesday, 18 November 2009, 22:04 GMT
According to the last comment from Allan, I guess that this task can be closed as "Deferred". OK?
Comment by Michal Svoboda (pht) - Thursday, 19 November 2009, 17:15 GMT
Hmm, yes. Now if only someone actually did that community thing. ;)