[Clip] Plans to update?
Mark Steele
msteele at beringmedia.com
Fri Dec 16 10:27:01 CST 2011
I've run through the puppet content on 5.7, and I didn't have any obvious
errors (apart from needing to fix up escaping of backslashes in the puppet
modules).

I was planning on reviewing all the puppet modules anyways, as I wanted to
see if I could improve them a bit to make them more suitable for
remediation as well as initial state (to eventually integrate with secstate).

How long is the typical dev cycle for creating the selinux policy?

Cheers,
Mark

On Fri, Dec 16, 2011 at 10:37 AM, Spencer Shimko <sshimko at tresys.com> wrote:
> On 12/16/2011 9:13 AM, Mark Steele wrote:
> > I'm trying to get CLIP running on CentOS 6.1 (or 5.7 for that matter).
> > The puppet content works with a bit of massaging, but the selinux policy
> > appears to be pretty broken.
> >
> > What would be the best approach to troubleshoot this? Are there any
> > plans to maintain/update CLIP?
>
> Hi Mark,
>
> The CLIP policy for RHEL 5 is going to be missing a lot of rules needed to
> address functional changes between RHEL 5 & RHEL 6. You could start by
> analyzing the audit logs and begin carefully adding policy rules as long as
> they don't compromise the underlying security goals driven by the various
> requirement sets and your own environment's goals.
>
> That said, we have a lot of work to do on our end to address RHEL 6.
> Applying the existing puppet content might result in functional problems
> due to the differences between 5 & 6. Perhaps more concerning, the content
> may not completely address the requirement sets in a RHEL 6 environment and
> there may not be a clear indication that a requirement is not being met.
> We will be comparing the requirement sets against a RHEL 6 system and
> generating new content as necessary. The userspace packages we distribute
> may also have issues running on RHEL 6.
>
> We are currently in the planning phase for our next CLIP releases. Right
> now it looks like we will be targeting RHEL 5.7 & RHEL 6.2 but the exact
> versions may change as the project progresses. Once we have a road map
> finalized (soonish :) we will share the plans and start cranking on the
> next releases.
>
> Thanks,
> --Spencer
> Spencer R. Shimko
> Lead Engineer, Linux Solutions Practice
> Tresys Technology
> 8840 Stanford Boulevard, Suite 2100
> Columbia, MD 21045
> Phone: +1 410 290-1411 x125
> FAX: +1 410 953-0494
> sshimko at tresys.com | www.tresys.com
>
> >
> > Cheers,
> >
> > Mark Steele, CISSP, CSM
> > Bering Media Inc.
> > Office: +1 (416) 583-5227
> > Mobile: +1 (416) 888-1009