2019-04-09 12:02:28

by Chris PeBenito

Subject: Re: Testing changes to "refpolicy"

On 4/8/19 11:05 AM, Jag Raman wrote:
> Hi,
>
> I need some help with testing "refpolicy".
>
> I'm able to install and load the refpolicy. But I'm unable
> to switch to "enforcing" mode because the OS (Fedora29)
> hangs due to missing policies.
>
> What distro of Linux are we expected to use for testing it?
>
> Are there any patches that should be applied on top of it?
> If so where could it be found? I'm trying to find out how
> you test changes to the refpolicy.
>
> Thank you very much!

Please note the new refpolicy list. [1]

There is no official distro for testing. It does support customizations
for various distributions (DISTRO build option), but that also depends
on how much of the distro's customizations are upstreamed.

[1] http://vger.kernel.org/vger-lists.html#selinux-refpolicy

--
Chris PeBenito


2019-04-09 15:58:34

by Jag Raman

Subject: Re: Testing changes to "refpolicy"

On 4/9/2019 8:02 AM, Chris PeBenito wrote:
> On 4/8/19 11:05 AM, Jag Raman wrote:
>> Hi,
>>
>> I need some help with testing "refpolicy".
>>
>> I'm able to install and load the refpolicy. But I'm unable
>> to switch to "enforcing" mode because the OS (Fedora29)
>> hangs due to missing policies.
>>
>> What distro of Linux are we expected to use for testing it?
>>
>> Are there any patches that should be applied on top of it?
>> If so where could it be found? I'm trying to find out how
>> you test changes to the refpolicy.
>>
>> Thank you very much!
>

Hi Chris,

Thanks for your response.

> Please note the new refpolicy list. [1]

Sorry about this. I've subscribed to the new list, and added it to this
email.

>
> There is no official distro for testing.  It does support customizations
> for various distributions (DISTRO build option), but that also depends
> on how much of the distro's customizations are upstreamed.

I tried setting the "DISTRO" build option to "redhat", and tested on
Fedora. But it looks like "refpolicy" customizations are not upstream
for Fedora. It could be because RedHat is maintaining a separate set of
patches [2] that apply on top of an older version (RELEASE_2_20130424)
of SELinux refpolicy.

Do you know of any distro whose customizations are upstream?

[2] https://git.centos.org/summary/?r=rpms/selinux-policy.git

Thanks!
--
Jag

>
> [1] http://vger.kernel.org/vger-lists.html#selinux-refpolicy
>

2019-04-10 01:00:02

by Russell Coker

Subject: Re: Testing changes to "refpolicy"

On Wednesday, 10 April 2019 1:58:28 AM AEST Jag Raman wrote:
> > There is no official distro for testing. It does support customizations
> > for various distributions (DISTRO build option), but that also depends
> > on how much of the distro's customizations are upstreamed.
>
> I tried setting the "DISTRO" build option to "redhat", and tested on
> Fedora. But it looks like "refpolicy" customizations are not upstream
> for Fedora. It could be because RedHat is maintaining a separate set of
> patches [2] that apply on top of an older version (RELEASE_2_20130424)
> of SELinux refpolicy.
>
> Do you know of any distro whose customizations are upstream?

The vast majority of Debian patches are upstreamed. A couple of months ago I
submitted a lot of patches to get the Debian policy very close to upstream,
the differences at that time were mostly things that upstream didn't agree
with.

Since that time there have been more changes and one particularly noteworthy
thing is that there's been a new release of systemd that needs some changes.
I plan to have all the patches needed for that submitted upstream soon.

If you run Debian/Testing with the upstream policy there is about 10 minutes'
work needed to get it all going properly. If you find it more difficult than
that then let me know and I'll fix it.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/