From: a.kuckartz@ping.de (Andreas Kuckartz)
Date: 19 Sep 2013 09:39:36 +0200
Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel
In-Reply-To: <1379533202.16771.17.camel@d30>
References: <52384CD9.60604@ping.de> <5239AEFF.6000902@ping.de>
	<1379533202.16771.17.camel@d30>
Message-ID: <523AAA38.8020300@ping.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Dominick,

thanks for your replies.

> Iceweasel 32 bit? As far as i know execmem is only needed on 32 bit
> iceweasel, and not 64 bit.

It is running on 64 bit Debian unstable and according to
about:buildconfig the build target is x86_64-pc-linux-gnu.

> Debian's policy configuration is based off of an older reference policy,
> and Debian is working to rebase on the latest stable reference policy.

That might explain some of the avc denials.

> However, truth be told, selinux policy is never perfect, and probably
> never will be. The nature of integrity is to contain processes, but
> process change over time and so policy configuration needs to change
> along with it.

Yes, but the packaged policy should work out of the box as long as only
Debian packages are installed without any special configuration *and*
those packages have no security issues.

> you file bug reports to the debian selinux policy bugzilla, and enclose
> avc denials ( this is important ),

I will do that.

Cheers,
Andreas