From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 18 Sep 2013 21:40:02 +0200
Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel
In-Reply-To: <5239AEFF.6000902@ping.de>
References: <52384CD9.60604@ping.de> <5239AEFF.6000902@ping.de>
Message-ID: <1379533202.16771.17.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2013-09-18 at 15:47 +0200, Andreas Kuckartz wrote:
> Any suggestions from here?

Iceweasel 32 bit? As far as I know execmem is only needed on 32 bit iceweasel, and not 64 bit.

Debian's policy configuration is based off of an older reference policy, and Debian is working to rebase on the latest stable reference policy. Hopefully she will also organize a solid system to stay in sync and work with upstream to make selinux work better on debian. I think debian is working to get that sorted out.

However, truth be told, selinux policy is never perfect, and probably never will be. The nature of integrity is to contain processes, but processes change over time and so policy configuration needs to change along with them. SELinux is really a framework, and policy is really just configuration, and so you are able to control SELinux.

But to get to the point. Here is how the process should work:

You file bug reports to the debian selinux policy bugzilla, and enclose avc denials (this is important). They will fix it in debian (if they need help from the community then they know where to go: #selinux at freenode or the mailing lists). Then debian will send all the modifications (patches) they made to upstream reference policy. Upstream reference policy will review the changes, and if all is well adopt the changes. Then every once in a while refpolicy releases a stable version. Debian should rebase her policy on the latest refpolicy as soon as possible after refpolicy is released, and then the circle is round and it all starts over again.

As for the audit2allow output you enclosed: I cannot do much with this output. I would need avc denials instead because I need the information avc denials provide to make sound decisions.

But again, selinux is a framework, and you can perfect your policy yourself. It will help if you know some of the basic selinux concepts and principles, but it's not as hard as you might think. I and others on #selinux at freenode are also trying to be helpful, so if you need help let us know.

You can also send patches to this mailing list, but they will have to be proper, see: http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute

If you do, then it is a good idea to save any avc denials you have related, because patches get reviewed and need to be justified.

I hope this helps, and that I didn't scare you or disappoint you.

>
> Cheers,
> Andreas
>
> -------- Original Message --------
> Date: Tue, 17 Sep 2013 14:36:41 +0200
> From: Andreas Kuckartz
> To: selinux-user at lists.alioth.debian.org
>
> I am running a Debian unstable system with SELinux in permissive mode.
>
> I have appended the result of
> $ cat /var/log/audit/audit.log | audit2allow -l -R
>
> There are quite a few missing type enforcement (TE) allow rules.
>
> In addition to that Iceweasel requires allow_execstack and allow_execmem
> - which is not good. I have researched that and found these two old open
> Firefox issues:
>
> SELinux is preventing JIT from changing memory segment access
> https://bugzilla.mozilla.org/show_bug.cgi?id=506693
>
> Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error
> https://bugzilla.mozilla.org/show_bug.cgi?id=574119
>
> What do you suggest on how to proceed?
>
> Cheers,
> Andreas
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
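The reply above asks for raw avc denials rather than audit2allow output, because audit2allow collapses the log into bare allow rules and drops the fields (comm, pid, path/name, full security contexts) that a policy reviewer needs to judge whether a denial is a policy gap or something the confined program should not be doing. The following is an added example, not code from the thread or from refpolicy: a small parser for audit.log AVC records that groups denials by source type, target type and object class while keeping that context, and separately flags the execmem/execstack/execheap denials the original poster ran into. The sample log lines are constructed, and the domain name mozilla_t, the pid and the paths are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the thread). The domain
# mozilla_t, pid 4242 and /etc/hosts are assumed values for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1379531541.101:301): avc:  denied  { execmem } for  pid=4242 comm="iceweasel" scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1379531541.102:302): avc:  denied  { execstack } for  pid=4242 comm="iceweasel" scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1379531542.200:303): avc:  denied  { read } for  pid=4242 comm="iceweasel" name="hosts" dev="sda1" ino=5678 scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1379531542.201:304): avc:  denied  { open } for  pid=4242 comm="iceweasel" path="/etc/hosts" dev="sda1" ino=5678 scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1379531542.201:304): arch=c000003e syscall=2 success=yes exit=3 items=0 ppid=1 pid=4242 comm="iceweasel"
"""

# Shape of an AVC record: the verdict, the permission set in braces, then
# free-form key=value pairs describing subject, object and class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that weaken W^X for the whole process; the thread calls needing
# them "not good", so they are reported separately rather than folded in.
MEMORY_PERMS = {'execmem', 'execstack', 'execheap'}


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'time': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        # 'path' is present when the kernel could resolve it, else 'name'.
        'object': fields.get('path') or fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def summarize(log_text):
    """Group denials by (source type, target type, class), keeping the process
    names and object paths that an audit2allow allow rule does not carry."""
    summary = defaultdict(lambda: {'perms': set(), 'comms': set(), 'objects': set(), 'count': 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        entry = summary[(type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])]
        entry['perms'] |= rec['perms']
        if rec['comm']:
            entry['comms'].add(rec['comm'])
        if rec['object']:
            entry['objects'].add(rec['object'])
        entry['count'] += 1
    return dict(summary)


def memory_protection_denials(summary):
    """Keys whose denied permissions include any of MEMORY_PERMS."""
    return sorted(k for k, v in summary.items() if v['perms'] & MEMORY_PERMS)


def format_report(summary):
    """One line per (source, target, class) group, ready to paste into a bug report."""
    lines = []
    for (src, tgt, cls), v in sorted(summary.items()):
        extra = f"; objects={','.join(sorted(v['objects']))}" if v['objects'] else ''
        lines.append(f"{src} -> {tgt} ({cls}): {' '.join(sorted(v['perms']))} "
                     f"[{v['count']} denials; comm={','.join(sorted(v['comms']))}{extra}]")
    return '\n'.join(lines)


if __name__ == '__main__':
    s = summarize(SAMPLE_AUDIT_LOG)
    print(format_report(s))
    print('memory-protection denials:', memory_protection_denials(s))
```

On a real system the same functions can be fed the raw /var/log/audit/audit.log or the output of `ausearch -m avc`; the grouped report, together with the raw lines it was built from, is the kind of material the reply asks to have attached to a bug report, and the separate memory-protection list makes the execmem/execstack cases easy to discuss on their own rather than letting them disappear into a generated allow rule.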