trunkmaster / nextspace

NeXTSTEP-like desktop environment for Linux
https://trunkmaster.github.io
GNU General Public License v3.0

Selinux policies #327

Closed fsmunoz closed 4 years ago

fsmunoz commented 4 years ago

This is an initial PR for #228 based on some initial goals that were achieved:

  1. I was able to run NextSPACE when choosing "Enforcing" based on the rules
  2. I was able to run NextSPACE when choosing "Permissive", which is why I suggest it becomes the default instead of "Disabled"
  3. I was able to build the RPMs and add the policies through the changed spec file

This being said the overall build process is something I don't know very well, plus:

  1. I have tested this in CentOS8 only; I see no reason for problems with CentOS7/RHEL7 but I didn't test them
  2. Adding the policies as a tar.gz and mentioning them as a Source was the most straightforward way to make the build work but I'm not convinced this is the best way, amongst others because the policies are version controlled
  3. Changes to the nextspace_install.sh script are likely to need changes/revision, and especially a position on the "Permissive" default
  4. The policies themselves are a work in progress and will need changes/refinement
  5. I'm quite convinced that even though I "tested it" it is likely to be broken in some small ways depending on how the build is set up; hopefully this can be easily changed since the bulk of the work - the policies - is done.

This entire topic is related to GNUstep itself so it should, going forward, be incorporated there (either based on what I did or some alternative version, as long as it works). SELinux policies have their complexity and plenty of choices (e.g. I used xdm_t for Login, I could have created a separate type just for Login, etc), and the way the GNUstep filesystem maps into different domains can actually be mapped into SELinux types, etc. I will open this conversation in gnustep-dev.

trunkmaster commented 4 years ago

@fsmunoz well done. It seems you've made changes to old versions of existing files. Please resolve conflicts so I can test SELinux on a fresh install of CentOS 7.

fsmunoz commented 4 years ago

@trunkmaster done, it should work now, I resolved the conflict with the new gdb require; note that as I said above I'm fairly sure that some changes will be needed in terms of the build process.

Equally important, even if it works it introduces a new source of possible problems: SELinux blocks calls and it's not impossible that some specific accesses only occur in some circumstances which weren't tested. At least a wiki entry on how to change to Permissive again or, better, log and send the output so it can be improved would be something I would do as a next step. Adding the GNUstep-specific modules to permissive is also possible and I would document it.

trunkmaster commented 4 years ago

> @trunkmaster done, it should work now, I resolved the conflict with the new gdb require; note that as I said above I'm fairly sure that some changes will be needed in terms of the build process.
>
> Equally important, even if it works it introduces a new source of possible problems: SELinux blocks calls and it's not impossible that some specific accesses only occur in some circumstances which weren't tested. At least a wiki entry on how to change to Permissive again or, better, log and send the output so it can be improved would be something I would do as a next step. Adding the GNUstep-specific modules to permissive is also possible and I would document it.

Sure, we probably could try to make a new release with updated install script to test it on various installations. Let me know if this part will be release ready.
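
The "log and send the output" step discussed in the thread, as an added example that is not part of the PR or of any participant's comment: a script that condenses SELinux AVC denials into a short summary suitable for a report. The audit records are constructed, `example_app_t` is a hypothetical type, and on a live system the input would come from `ausearch -m AVC` or `/var/log/audit/audit.log`.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for a bug report.
# Live input would be `ausearch -m AVC -ts boot` or /var/log/audit/audit.log.

# Constructed sample records; example_app_t is a hypothetical type.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1600000000.101:201): avc:  denied  { read } for  pid=1501 comm="Login" name="Defaults" dev="dm-0" ino=4242 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1600000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="Login"
type=AVC msg=audit(1600000007.330:215): avc:  denied  { read } for  pid=1622 comm="Login" name="Defaults" dev="dm-0" ino=4242 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1600000042.900:260): avc:  denied  { read write } for  pid=1710 comm="example" name="prefs" dev="dm-0" ino=5150 scontext=unconfined_u:unconfined_r:example_app_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF
}

# Reads audit records on stdin; prints one line per distinct denial:
#   count source_type target_type class perms mode
summarize_avc() {
  awk '
    function val(key,   i) {            # value of a key=value field, or ""
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    function ctx_type(key,   a) {       # third part of user:role:type:level
      split(val(key), a, ":"); return (a[3] == "" ? "?" : a[3])
    }
    /avc: +denied/ {
      perms = $0                        # keep only the text between { and }
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      gsub(/ +/, ",", perms)
      p = val("permissive")             # 1 = logged only, 0 = actually blocked
      mode = (p == "1") ? "permissive" : ((p == "0") ? "enforced" : "unknown")
      n[ctx_type("scontext") " " ctx_type("tcontext") " " val("tclass") " " perms " " mode]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k2
}

# Source domains whose denials were actually enforced (access blocked).
blocked_domains() {
  summarize_avc | awk '$6 == "enforced" { print $2 }' | LC_ALL=C sort -u
}

sample_avc | summarize_avc
```

Rows marked `permissive` were logged but allowed; the types printed by `blocked_domains` are the ones a per-domain `semanage permissive -a <type>` would apply to while the policy is refined.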