[Clip] Plans to update?

Spencer Shimko sshimko at tresys.com
Fri Dec 16 10:48:03 CST 2011


On 12/16/2011 11:27 AM, Mark Steele wrote:
> I've run through the puppet content on 5.7, and I didn't have any obvious errors (apart from needing to fix up escaping of backslashes in the puppet modules).
>
> I was planning on reviewing all the puppet modules anyways, as I wanted to see if I could improve them a bit to make them more suitable for remediation as well as initial state (to eventually integrate with secstate)

The puppet content definitely needs some help.  As part of this phase we will be scrapping most of the previous content and starting anew so I'm not sure it would be worth the effort on your part to fix the existing content.

>
> How long is the typical dev cycle for creating the selinux policy?

Unfortunately there is no straightforward answer here as it depends on a number of variables.  E.g., does policy already exist for all the apps on the system, does the existing policy meet the security goals and requirements, does base policy need to be modified or trimmed down?  If you happen to own some of the apps in question and have a deep understanding of their functionality that can reduce the development time.  If you're using third-party apps and have to analyze their requirements and functionality it will increase the development time.  Also there is the "just doing it" vs. the "doing it right."  Blindly converting denial messages into policy is quick, but is the wrong thing to do and may not support the defined security architecture.  Finally, much like a programming language, initial treks into policy development will take much longer than future efforts and experience goes a long way.

Thanks,
--Spencer

>
> Cheers,
>
> Mark
>
> On Fri, Dec 16, 2011 at 10:37 AM, Spencer Shimko <sshimko at tresys.com <mailto:sshimko at tresys.com>> wrote:
>
>     On 12/16/2011 9:13 AM, Mark Steele wrote:
>     > I'm trying to get CLIP running on CentOS 6.1 (or 5.7 for that matter). The puppet content works with a bit of massaging, but the selinux policy appears to be pretty broken.
>     >
>     > What would be the best approach to troubleshoot this? Are there any plans to maintain/update CLIP?
>
>     Hi Mark,
>
>     The CLIP policy for RHEL 5 is going to be missing a lot of rules needed to address functional changes between RHEL 5 & RHEL 6.  You could start by analyzing the audit logs and begin carefully adding policy rules as long as they don't compromise the underlying security goals driven by the various requirement sets and your own environment's goals.
>
>     That said, we have a lot of work to do on our end to address RHEL 6.  Applying the existing puppet content might result in functional problems due to the differences between 5 & 6.  Perhaps more concerning, the content may not completely address the requirement sets in a RHEL 6 environment and there may not be a clear indication that a requirement is not being met.  We will be comparing the requirement sets against a RHEL 6 system and generating new content as necessary.  The userspace packages we distribute may also have issues running on RHEL 6.
>
>     We are currently in the planning phase for our next CLIP releases.  Right now it looks like we will be targeting RHEL 5.7 & RHEL 6.2 but the exact versions may change as the project progresses.  Once we have a road map finalized (soonish :) we will share the plans and start cranking on the next releases.
>
>     Thanks,
>     --Spencer
>     Spencer R. Shimko
>     Lead Engineer, Linux Solutions Practice
>     Tresys Technology
>     8840 Stanford Boulevard, Suite 2100
>     Columbia, MD 21045
>     Phone: +1 410 290-1411 x125
>     FAX: +1 410 953-0494
>     sshimko at tresys.com <mailto:sshimko at tresys.com> | www.tresys.com <http://www.tresys.com>
>
>     >
>     > Cheers,
>     >
>     > Mark Steele, CISSP, CSM
>     > Bering Media Inc.
>     > Office: +1 (416) 583-5227
>     > Mobile: +1 (416) 888-1009
>     >
>     >
>     >
>     > _______________________________________________
>     > Clip mailing list
>     > Clip at oss.tresys.com <mailto:Clip at oss.tresys.com>
>     > http://oss.tresys.com/mailman/listinfo/clip
>
>
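Spencer's point above about analyzing the audit logs and adding rules carefully, rather than blindly converting every denial into policy, as an added example that is not part of this thread or of the CLIP project: a small Python triage script that groups AVC denials the way an allow rule would (source type, target type, object class, merged permission set), counts them, and sets aside any denial against a sensitive target type for a human decision instead of emitting it as a candidate rule. The AVC lines embedded below are constructed for the example, and the SENSITIVE_TYPES list is an assumed starting point, not a list taken from any policy.

```python
import re
from collections import defaultdict

# Fields of an AVC denial that a policy rule is built from:
#   allow <stype> <ttype>:<tclass> { <perms> };
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+)(?::\S+)?\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+)(?::\S+)?\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Assumed starting list of target types that should never be allowed just
# because a denial showed up; these go to a reviewer, not into a rule.
SENSITIVE_TYPES = {"shadow_t", "security_t", "auditd_log_t"}

# Constructed sample denials (not real audit output from any system).
SAMPLE_LINES = [
    'type=AVC msg=audit(1324050000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" '
    'name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1324050001.456:457): avc:  denied  { read open } for  pid=1234 comm="httpd" '
    'name="shadow" dev=dm-0 ino=9876 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1324050002.789:458): avc:  denied  { name_connect } for  pid=2222 comm="puppetd" '
    'dest=8140 scontext=system_u:system_r:puppet_t:s0 '
    'tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1324050003.000:459): avc:  denied  { read } for  pid=1234 comm="httpd" '
    'name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1324050003.000:459): arch=c000003e syscall=2 success=no exit=-13',
]


def parse_avc(line):
    """Return the rule-relevant fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": m.group("stype"),
        "ttype": m.group("ttype"),
        "tclass": m.group("tclass"),
    }


def summarize(lines):
    """Group denials by (stype, ttype, tclass); merge permissions and count hits."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        groups[key]["perms"] |= d["perms"]
        groups[key]["count"] += 1
    return groups


def triage(lines, sensitive_types=SENSITIVE_TYPES):
    """Split grouped denials into (candidate, review) lists of (rule, count).

    A candidate is a rule a policy author can now evaluate against the
    security goals; a review entry touches a sensitive type and must not be
    allowed without an explicit decision."""
    candidate, review = [], []
    for (stype, ttype, tclass), info in sorted(summarize(lines).items()):
        rule = "allow %s %s:%s { %s };" % (
            stype, ttype, tclass, " ".join(sorted(info["perms"])))
        if ttype in sensitive_types:
            review.append((rule, info["count"]))
        else:
            candidate.append((rule, info["count"]))
    return candidate, review


if __name__ == "__main__":
    cand, rev = triage(SAMPLE_LINES)
    print("Candidate rules (still need a decision against the security goals):")
    for rule, n in cand:
        print("  %4d  %s" % (n, rule))
    print("Denials against sensitive types (do NOT allow without review):")
    for rule, n in rev:
        print("  %4d  %s" % (n, rule))
```

Running the script against a real audit.log would simply replace SAMPLE_LINES with the file's lines; the output is a review worksheet, not a module to load, which is the distinction the thread draws between "just doing it" and "doing it right".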