Re: Testing changes to "refpolicy"

Re: Testing changes to "refpolicy"

[Chris PeBenito]

On 4/8/19 11:05 AM, Jag Raman wrote:
> Hi,
> 
> I need some help with testing "refpolicy".
> 
> I'm able to install and load the refpolicy. But I'm unable
> to switch to "enforcing" mode because the OS (Fedora29)
> hangs due to missing policies.
> 
> What distro of Linux are we expected to use for testing it?
> 
> Are there any patches that should be applied on top of it?
> If so where could it be found? I'm trying to find out how
> you test changes to the refpolicy.
> 
> Thank you very much!

Please note the new refpolicy list. [1]

There is no official distro for testing.  It does support customizations 
for various distributions (DISTRO build option), but that also depends 
on how much of the distro's customizations are upstreamed.

[1] http://vger.kernel.org/vger-lists.html#selinux-refpolicy

-- 
Chris PeBenito

Re: Testing changes to "refpolicy"

[Jag Raman]

On 4/9/2019 8:02 AM, Chris PeBenito wrote:
> On 4/8/19 11:05 AM, Jag Raman wrote:
>> Hi,
>>
>> I need some help with testing "refpolicy".
>>
>> I'm able to install and load the refpolicy. But I'm unable
>> to switch to "enforcing" mode because the OS (Fedora29)
>> hangs due to missing policies.
>>
>> What distro of Linux are we expected to use for testing it?
>>
>> Are there any patches that should be applied on top of it?
>> If so where could it be found? I'm trying to find out how
>> you test changes to the refpolicy.
>>
>> Thank you very much!
> 

Hi Chris,

Thanks for your response.

> Please note the new refpolicy list. [1]

Sorry about this. I've subscribed to the new list, and added it to this
email.

> 
> There is no official distro for testing.  It does support customizations 
> for various distributions (DISTRO build option), but that also depends 
> on how much of the distro's customizations are upstreamed.

I tried setting the "DISTRO" build option to "redhat", and tested on
Fedora. But it looks like "refpolicy" customizations are not upstream
for Fedora. It could be because RedHat is maintaining a separate set of
patches [2] that apply on top of an older version (RELEASE_2_20130424)
of SELinux refpolicy.

Do you know of any distro whose customizations are upstream?

[2] https://git.centos.org/summary/?r=rpms/selinux-policy.git

Thanks!
--
Jag

> 
> [1] http://vger.kernel.org/vger-lists.html#selinux-refpolicy
>

Re: Testing changes to "refpolicy"

[Russell Coker]

On Wednesday, 10 April 2019 1:58:28 AM AEST Jag Raman wrote:
> > There is no official distro for testing.  It does support customizations
> > for various distributions (DISTRO build option), but that also depends
> > on how much of the distro's customizations are upstreamed.
> 
> I tried setting the "DISTRO" build option to "redhat", and tested on
> Fedora. But it looks like "refpolicy" customizations are not upstream
> for Fedora. It could be because RedHat is maintaining a separate set of
> patches [2] that apply on top of an older version (RELEASE_2_20130424)
> of SELinux refpolicy.
> 
> Do you know of any distro whose customizations are upstream?

The vast majority of Debian patches are upstreamed.  A couple of months ago I 
submitted a lot of patches to get the Debian policy very close to upstream, 
the differences at that time were mostly things that upstream didn't agree 
with.

Since that time there have been more changes and one particularly noteworthy 
thing is that there's been a new release of systemd that needs some changes.  
I plan to have all the patches needed for that submitted upstream soon.

If you run Debian/Testing with the upstream policy there is about 10 minutes 
work needed to get it all going properly.  If you find it more difficult than 
that then let me know and I'll fix it.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/