Mailing List Archive: Gentoo: Hardened

SELinux policy module packages

Index | Next | Previous | View Threaded

sven.vermeulen at siphos

Feb 12, 2011, 6:20 AM

Post #1 of 9 (767 views)
Permalink

SELinux policy module packages

Hi hardened-folks

Gentoo Hardened aims to follow the Tresys reference policy closely for the
SELinux policy modules / packages and puts all non-base policies in the
sec-policy/selinux-* packages. We already had a few hints on
#gentoo-hardened about the naming conventions used for those packages.

Naming conventions might seem silly to discuss, but they can make life
difficult in the future so it's better to tackle this before we go to a
stable set of SELinux policies. There are various options available, but let
me first give some information on the issue...

** Naming Collisions, Categories and More...

Well, as you are probably all aware, Gentoo might have naming collisions
when one doesn't provide the category (think app-admin/analog versus
app-emacs/analog). For regular packages, we ask users to provide the category
as well. However, for SELinux policy packages, there's only a single category
currently (sec-policy/), so we might need to provide the necessary naming
conventions in the package names.

However, another problem arises. Some reference policy modules provide
policies for multiple Gentoo packages (think admin/bootloader, which offers
policies for LILO, GRUB, YaBoot and more). If we name our SELinux policy
package to the Gentoo package, what would the package be called then (in
this particular case, bootloader is part of the base policy so doesn't
require a separate sec-policy/ package).

And if that isn't enough, Tresys reference policy also uses categories
(admin, apps, kernel, roles, services and system) so they too might have
naming collisions if one would ignore the category. However, once that
occurs, there will be other issues as well, because the reference policy
sources might have categories, but SELinux doesn't, so the module name
itself would require adjustments (cfr. "semodule -l" output).

** SELinux policy module naming convention

So, how should we (Gentoo Hardened) name our SELinux packages to avoid above
collisions, but also to provide our developers with a consistent guideline
on how to call SELinux module packages?

My suggestion would be to name the packages according to the refpolicy
module name (as it is the source of the package anyhow) without category.
Collisions are unlikely to occur in the near future because SELinux has no
support for categories. In other words, if a collision would occur, the
reference policy would rename their modules (or name the new module
differently) anyhow, so we can easily follow suit.

I rather not follow Gentoo's package names. I know it might make it easier
to deduce which sec-policy/selinux-* packages need to be installed on a
system, but this is a temporary situation - in the long term, we want all
packages that have SELinux policies to have an optional (selinux) dependency
against their sec-policy/selinux-* package. The downside would be that we
need to either make duplicate packages for these tools that have policies
within the same module (think the bootloader case) or use a different naming
convention for those particular packages.

So, what are your thoughts on this?

Wkr,
Sven Vermeulen

blueness at gentoo

Feb 12, 2011, 11:03 AM

Post #2 of 9 (724 views)
Permalink

Re: SELinux policy module packages [In reply to]

On 02/12/2011 09:20 AM, Sven Vermeulen wrote:
> Hi hardened-folks
>
> Gentoo Hardened aims to follow the Tresys reference policy closely for the
> SELinux policy modules / packages and puts all non-base policies in the
> sec-policy/selinux-* packages. We already had a few hints on
> #gentoo-hardened about the naming conventions used for those packages.
>
> Naming conventions might seem silly to discuss, but they can make life
> difficult in the future so it's better to tackle this before we go to a
> stable set of SELinux policies. There are various options available, but let
> me first give some information on the issue...
>
> ** Naming Collisions, Categories and More...
>
> Well, as you are probably all aware, Gentoo might have naming collisions
> when one doesn't provide the category (think app-admin/analog versus
> app-emacs/analog). For regular packages, we ask users to provide the category
> as well. However, for SELinux policy packages, there's only a single category
> currently (sec-policy/), so we might need to provide the necessary naming
> conventions in the package names.
>
> However, another problem arises. Some reference policy modules provide
> policies for multiple Gentoo packages (think admin/bootloader, which offers
> policies for LILO, GRUB, YaBoot and more). If we name our SELinux policy
> package to the Gentoo package, what would the package be called then (in
> this particular case, bootloader is part of the base policy so doesn't
> require a separate sec-policy/ package).
>
> And if that isn't enough, Tresys reference policy also uses categories
> (admin, apps, kernel, roles, services and system) so they too might have
> naming collisions if one would ignore the category. However, once that
> occurs, there will be other issues as well, because the reference policy
> sources might have categories, but SELinux doesn't, so the module name
> itself would require adjustments (cfr. "semodule -l" output).
>
> ** SELinux policy module naming convention
>
> So, how should we (Gentoo Hardened) name our SELinux packages to avoid above
> collisions, but also to provide our developers with a consistent guideline
> on how to call SELinux module packages?
>
> My suggestion would be to name the packages according to the refpolicy
> module name (as it is the source of the package anyhow) without category.
> Collisions are unlikely to occur in the near future because SELinux has no
> support for categories. In other words, if a collision would occur, the
> reference policy would rename their modules (or name the new module
> differently) anyhow, so we can easily follow suit.
>
> I rather not follow Gentoo's package names. I know it might make it easier
> to deduce which sec-policy/selinux-* packages need to be installed on a
> system, but this is a temporary situation - in the long term, we want all
> packages that have SELinux policies to have an optional (selinux) dependency
> against their sec-policy/selinux-* package. The downside would be that we
> need to either make duplicate packages for these tools that have policies
> within the same module (think the bootloader case) or use a different naming
> convention for those particular packages.
>
> So, what are your thoughts on this?
>
> Wkr,
> Sven Vermeulen
>

Robbat2 brought the naming issue up and suggested the ${CAT}-${PN}
scheme, but you make a good point about the mapping being many-to-many
in general.

If we agree to this standard, how to we grandfather in the packages that
are already in sec-policy? Renaming packages is a pita and we should
avoid it if we can.

--
Anthony G. Basile, Ph.D.
Gentoo Developer

sven.vermeulen at siphos

Feb 12, 2011, 11:12 AM

Post #3 of 9 (758 views)
Permalink

Re: SELinux policy module packages [In reply to]

On Sat, Feb 12, 2011 at 02:03:40PM -0500, Anthony G. Basile wrote:
> Robbat2 brought the naming issue up and suggested the ${CAT}-${PN}
> scheme, but you make a good point about the mapping being many-to-many
> in general.
>
> If we agree to this standard, how to we grandfather in the packages that
> are already in sec-policy? Renaming packages is a pita and we should
> avoid it if we can.

In theory, when the SELinux state is appropriate for more production-like
use, the packages are being pulled in as a dependency and not as an
emergeable package (so not "emerge selinux-gnupg" but "emerge gnupg" should
pull in the selinux- package).

As such, I think we can have the older one(s) die as long as the
dependencies on the master packages are brought up to date.

I personally dislike packages like "sec-policy/selinux-app-crypt-gnupg" if
"sec-policy/selinux-gpg" works equally well (or better), but I haven't read
the discussion on this online (just heard from others about it). I also
don't mind if general consensus is not my preference as I think it is more
important that we set a rule/guideline for the developers to follow
strictly.

Wkr,
Sven Vermeulen

gizmo at giz-works

Feb 12, 2011, 11:43 AM

Post #4 of 9 (728 views)
Permalink

Re: SELinux policy module packages [In reply to]

On 02/12/2011 08:20 AM, Sven Vermeulen wrote:
> I rather not follow Gentoo's package names. I know it might make it easier
> to deduce which sec-policy/selinux-* packages need to be installed on a
> system, but this is a temporary situation - in the long term, we want all
> packages that have SELinux policies to have an optional (selinux) dependency
> against their sec-policy/selinux-* package. The downside would be that we
> need to either make duplicate packages for these tools that have policies
> within the same module (think the bootloader case) or use a different naming
> convention for those particular packages.

TBH, I really see nothing wrong with the naming convention we are using
now, which (AFAIK) pretty much follows the upstream module naming
convention (which I think is what you are proposing). In all
probability, it seems rather unlikely that there will be multiple
selinux policy modules with the same file name, as the file name tends
to reflect either the module name or its functionality (depending on
what's included in the file), either of which will tend to constrain the
range of both possible and likely names.

I also am not following the argument about 'make duplicate packages'?
If a policy module ebuild can work for multiple different packages, that
is fine. We simply have an optional selinux dependency in each of the
application ebuilds on that same selinux module. If the module is
already installed then the dependency is already satisfied. If not,
then we pull it in. Or am I missing something?

I agree that the long-term goal should be to modify all packages that
need to have an selinux module such that they have an optional selinux
dependency.

As blueness has pointed out, renaming a bunch of packages is a PITA. I
really don't see that we get anything from doing so at this point,
except a bunch of pain.

Later,
Chris

sven.vermeulen at siphos

Feb 12, 2011, 12:03 PM

Post #5 of 9 (731 views)
Permalink

Re: SELinux policy module packages [In reply to]

On Sat, Feb 12, 2011 at 01:43:40PM -0600, Chris Richards wrote:
> TBH, I really see nothing wrong with the naming convention we are using
> now, which (AFAIK) pretty much follows the upstream module naming
> convention (which I think is what you are proposing).

Indeed; however I couldn't find a post or something that reflects that we
are indeed trying to following the upstream module naming. For instance, the
packages selinux-acpi (mod=apm), selinux-courier-imap (mod=courier),
selinux-cyrus-sasl (mod=sasl), selinux-desktop (various mods), selinux-ftpd
(mod=ftp), selinux-gnupg (mod=gpg) and more all don't follow this logic,
even though I see no reason why they don't (except for the selinux-desktop
one).

It looked/looks like those packages rather follow the Gentoo package names
instead of the SELinux module.

> I also am not following the argument about 'make duplicate packages'?
> If a policy module ebuild can work for multiple different packages, that
> is fine. We simply have an optional selinux dependency in each of the
> application ebuilds on that same selinux module. If the module is
> already installed then the dependency is already satisfied. If not,
> then we pull it in. Or am I missing something?

Actually, the argument is only valid if we would require our policy packages
to be named after the package. If we follow the reference policy module
names, the argument is void.

> As blueness has pointed out, renaming a bunch of packages is a PITA. I
> really don't see that we get anything from doing so at this point,
> except a bunch of pain.

Actually, I'm rather hoping that if everyone agrees on the guideline that
SELinux policy packages are called "selinux-<modname>" with <modname> being
the policy name used by the reference policy, that we can use that as well
in the Gentoo Hardened SELinux Policy document [1].

By doing so, future developers immediately know how Gentoo Hardened works
(it is documented, so they don't need to start pondering how to call the
policy package for module "foo").

Wkr,
Sven Vermeulen

[1] goo.gl/2U0Zr

gizmo at giz-works

Feb 12, 2011, 12:25 PM

Post #6 of 9 (724 views)
Permalink

Re: SELinux policy module packages [In reply to]

On 02/12/2011 02:03 PM, Sven Vermeulen wrote:
> Indeed; however I couldn't find a post or something that reflects that we
> are indeed trying to following the upstream module naming. For instance, the
> packages selinux-acpi (mod=apm), selinux-courier-imap (mod=courier),
> selinux-cyrus-sasl (mod=sasl), selinux-desktop (various mods), selinux-ftpd
> (mod=ftp), selinux-gnupg (mod=gpg) and more all don't follow this logic,
> even though I see no reason why they don't (except for the selinux-desktop
> one).
>
> It looked/looks like those packages rather follow the Gentoo package names
> instead of the SELinux module.
I rather suspect that, since PeBenito was basically the only one working
on that stuff, he probably named them according to what seemed
appropriate for that specific module. Obviously, with more of us
working on the project now we need a somewhat more formal declaration,
so it is quite appropriate to bring the subject up.
> Actually, I'm rather hoping that if everyone agrees on the guideline that
> SELinux policy packages are called "selinux-<modname>" with<modname> being
> the policy name used by the reference policy, that we can use that as well
> in the Gentoo Hardened SELinux Policy document [1].
+1

Later,
Chris

sven.vermeulen at siphos

Feb 21, 2011, 1:57 PM

Post #7 of 9 (669 views)
Permalink

Re: SELinux policy module packages [In reply to]

On Sat, Feb 12, 2011 at 02:25:29PM -0600, Chris Richards wrote:
> On 02/12/2011 02:03 PM, Sven Vermeulen wrote:
> > Actually, I'm rather hoping that if everyone agrees on the guideline that
> > SELinux policy packages are called "selinux-<modname>" with<modname> being
> > the policy name used by the reference policy, that we can use that as well
> > in the Gentoo Hardened SELinux Policy document [1].
>
> +1

Okay, with no further feedback received on this, I've added this to the
suggested Gentoo Hardened SELinux Policy document [1].

Wkr,
Sven Vermeulen

[1] goo.gl/2U0Zr

blueness at gentoo

Feb 21, 2011, 2:49 PM

Post #8 of 9 (674 views)
Permalink

Re: SELinux policy module packages [In reply to]

On 02/21/2011 04:57 PM, Sven Vermeulen wrote:
> On Sat, Feb 12, 2011 at 02:25:29PM -0600, Chris Richards wrote:
>> On 02/12/2011 02:03 PM, Sven Vermeulen wrote:
>>> Actually, I'm rather hoping that if everyone agrees on the guideline that
>>> SELinux policy packages are called "selinux-<modname>" with<modname> being
>>> the policy name used by the reference policy, that we can use that as well
>>> in the Gentoo Hardened SELinux Policy document [1].
>>
>> +1
>
> Okay, with no further feedback received on this, I've added this to the
> suggested Gentoo Hardened SELinux Policy document [1].
>
> Wkr,
> Sven Vermeulen
>
> [1] goo.gl/2U0Zr

I am in agreement, but I hesitate because moving packages is a pita. If
it can be done with minimal disruption, then lets move in that
direction. Do you know what current sec-policy/selinux-* are in violation?

--
Anthony G. Basile, Ph.D.
Gentoo Developer

sven.vermeulen at siphos

Feb 22, 2011, 12:18 PM

Post #9 of 9 (666 views)
Permalink

Re: SELinux policy module packages [In reply to]

On Mon, Feb 21, 2011 at 05:49:59PM -0500, Anthony G. Basile wrote:
> I am in agreement, but I hesitate because moving packages is a pita. If
> it can be done with minimal disruption, then lets move in that
> direction. Do you know what current sec-policy/selinux-* are in violation?

A quick check shows:
selinux-acpi (apm)
selinux-audio-entropyd (audioentropy)
selinux-courier-imap (courier)
selinux-cyrus-sasl (sasl)
selinux-desktop (xserver xfs mplayer mozilla java mono wine)
selinux-ftpd (ftp)
selinux-gnupg (gpg)
selinux-hal (hal dmidecode)
selinux-jabber-server (jabber)
selinux-nfs (rpc)
selinux-ucspi-tcp (ucspitcp)

The other 193 packages do follow this convention already.

I don't think we need to force a rename. We can just update the
packages that depend on them (there aren't many yet, so the work should be
limited) and let the old ones "die" (in a more ideal scenario, all
sec-policy/ packages are pulled in as dependencies except for the
selinux-base-policy one). Every time the parent packages are updated, we
update the old package as well to become "empty". The new package contains
a blocker on the old package which Portage hopefully resolves correctly (so
that we don't have a file collision on the /usr/share/selinux/*/*.pp files).

Or, in somewhat more schematic approach...

Phase 1 (as-is)
===============

app-crypt/gnupg-A dependson sec-policy/selinux-gnupg-X

Phase 2
=======

In one "commit": update gnupg (A->B), selinux-gnupg (X->Y), introduce
selinux-gpg. As a result, Portage will install selinux-gpg. The blocker
tells Portage that selinux-gnupg needs to be updated (towards the "empty"
package) first. For SELinux itself, this doesn't matter as the policy module
is loaded (even when it has disappeared from /usr/share/selinux/*/*.pp)

app-crypt/gnupg-B dependson sec-policy/selinux-gpg-1
sec-policy/selinux-gnupg-Y blocks !~sec-policy/selinux-gnupg-X

Phase 3 (fade-out)
==================

sec-policy/selinux-gnupg is removed from Portage tree.

BTW, the selinux-desktop one is a weird one and my suggestion would be to
purge it (it's not manageable).

Wkr,
Sven Vermeulen

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads