From: a.kuckartz@ping.de (Andreas Kuckartz) Date: 19 Sep 2013 09:39:36 +0200 Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel In-Reply-To: <1379533202.16771.17.camel@d30> References: <52384CD9.60604@ping.de> <5239AEFF.6000902@ping.de> <1379533202.16771.17.camel@d30> Message-ID: <523AAA38.8020300@ping.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hi Dominick, thanks for your replies. > Iceweasel 32 bit? As far as i know execmem is only needed on 32 bit > iceweasel, and not 64 bit. It is running on 64 bit Debian unstable and according to about:buildconfig the build target is x86_64-pc-linux-gnu. > Debian's policy configuration is based off of an older reference policy, > and Debian is working to rebase on the latest stable reference policy. That might explain some of the avc denials. > However, truth be told, selinux policy is never perfect, and probably > never will be. The nature of integrity is to contain processes, but > process change over time and so policy configuration needs to change > along with it. Yes, but the packaged policy should work out of the box as long as only Debian packages are installed without any special configuration *and* those packages have no security issues. > you file bug reports to the debian selinux policy bugzilla, and enclose > avc denials ( this is important ), I will do that. Cheers, Andreas