[ubuntu-hardened] SELinux Support for Hardy

Kees Cook kees at ubuntu.com
Wed Feb 13 23:48:27 GMT 2008

On Tue, Feb 05, 2008 at 11:49:30PM -0500, Caleb Case wrote:
> SELinux Support for Hardy
> [snip]
> [1] PAM was using a deprecated method of handling login contexts
> <https://bugs.launchpad.net/ubuntu/+source/pam/+bug/187822>. The updated package
> fixes this problem by backporting changes in upstream.


> [2] OpenSSH Server autoconf scripts were failing to detect the libselinux
> functions getseuserbyname and get_default_context_with_level
> <https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/188136>. The updated
> package fixes the configure bug by correctly setting LIBS before calling


> [3] Grub's update-grub lacks a trigger (and update-grub cannot be called
> directly due to nested debconf issues). In order to seamlessly switch between
> AppArmor and SELinux we need to reconfigure the menu.lst's defoptions. This
> patch adds an explicit trigger for update-grub.

This looks good and has the added advantage of allowing other grub-aware
tools to issue a trigger too.  I'm uploading it now.

> [4] apparmor and apparmor-utils need to be removed separately due to a recommend
> in ubuntu-standard for apparmor-utils. If just apparmor is removed, then the
> auto-resolution attempts to remove ubuntu-standard.

Was this fixed, or is this still a problem?

> [5] selinux-policy-dummy is auto-picked when selinux is installed. It would be
> better if selinux-policy-refpolicy was auto-picked instead and the dummy package
> was a second choice. ;o} Suggestions on how to make that happen are very
> welcome!


> [6] At this time the system will fail to boot in enforcing mode. This will, of
> course, be fixed.

This is done now too?

Also, I did a quick review of the packages and discovered it was going
to be tricky for me to do my interdiff compares because the packages on
REVU (and in the PPA) aren't using the orig.tar.gz/diff.gz split.  If
the packages can be regenerated with upstream orig.tar.gz and the
packaging changes in diff.gz, that would help speed up the process.

Also, I see that the "selinux" package is totally new?  When this is
uploaded, the changelog should probably be cleared out to a single
"initial release".  (And since this _is_ a native package, it can keep
its tar.gz state -- assuming there isn't an upstream orig.tar.gz.)

Things are looking good!


Kees Cook
Ubuntu Security Team
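The packaging check Kees asks for above (that a package on REVU or in the PPA uses the upstream orig.tar.gz plus a diff.gz, rather than a single tar.gz, so that interdiffs against upstream are possible) can be scripted. The following is an added example, not code from the thread or from the Ubuntu packaging tools: it reads a .dsc on stdin and reports whether the source package is "split" (orig.tar.gz + diff.gz), "native" (one plain tar.gz), or "unknown". The .dsc text used to exercise it is constructed, with dummy checksums and sizes.

```shell
#!/bin/sh
# Added example (not from the ubuntu-hardened thread): classify a Debian
# format 1.0 source package from the "Files:" stanza of its .dsc, so a
# reviewer can see at a glance whether the package keeps the upstream
# orig.tar.gz separate from the packaging diff.gz (interdiff-friendly)
# or ships everything in a single native tar.gz.
#
# Usage: classify_dsc < package.dsc
# Prints one of: split, native, unknown.
classify_dsc() {
    # "Files:" is followed by continuation lines of " md5sum size name";
    # the stanza ends at the next line that does not start with a space.
    names=$(awk '
        /^Files:/ { infiles = 1; next }
        /^[^ ]/   { infiles = 0 }
        infiles && NF == 3 { print $3 }
    ')
    has_orig=0; has_diff=0; has_tar=0
    for n in $names; do
        case "$n" in
            *.orig.tar.gz) has_orig=1 ;;   # upstream tarball
            *.diff.gz)     has_diff=1 ;;   # packaging changes
            *.tar.gz)      has_tar=1 ;;    # single (native-style) tarball
        esac
    done
    if [ "$has_orig" = 1 ] && [ "$has_diff" = 1 ]; then
        echo split
    elif [ "$has_tar" = 1 ] && [ "$has_orig" = 0 ] && [ "$has_diff" = 0 ]; then
        echo native
    else
        echo unknown
    fi
}
```

A "native" result is only acceptable for a package that genuinely has no separate upstream (as Kees notes for the new "selinux" package); for anything with an upstream release, "native" means the reviewer cannot separate upstream code from distribution changes and the package should be regenerated.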

