The SELinux Userspace Security Vulnerability Handling Process
===============================================================================
https://github.com/SELinuxProject/selinux

This document attempts to describe the process through which sensitive,
security-relevant bugs can be responsibly disclosed to the SELinux userspace
project and how the project maintainers should handle these reports. Just like
the other SELinux userspace process documents, this document should be treated
as a guiding document and not a hard, unyielding set of regulations; the bug
reporters and project maintainers are encouraged to work together to address
the issues as best they can, in a manner which works best for all parties
involved.

### Reporting Problems

For serious problems or security vulnerabilities in the SELinux kernel code,
please refer to the SELinux Kernel Subsystem Security Policy at the link below:

* https://github.com/SELinuxProject/selinux-kernel/blob/main/SECURITY.md

Problems with the SELinux userspace that are not suitable for immediate public
disclosure should be emailed to the current SELinux userspace maintainers; the
list is below. We typically request at most a 90 day time period to address
the issue before it is made public, but we will make every effort to address
the issue as quickly as possible and shorten the disclosure window.

* Petr Lautrbach, [email protected]
* Nicolas Iooss, [email protected]
  * (GPG fingerprint) E25E 254C 8EE4 D303 554B F5AF EC70 1A1D A494 C5EB
* Jeffrey Vander Stoep, [email protected]
* Joshua Brindle, [email protected]
* James Carter, [email protected]
  * (GPG fingerprint) 4568 1128 449B 65F8 80C6 1797 3A84 A946 B4BA 62AE
* Paul Moore, [email protected]
  * (GPG fingerprint) 7100 AADF AE6E 6E94 0D2E 0AD6 55E4 5A5A E8CA 7C8A
* Jason Zaman, [email protected]
  * (GPG fingerprint) 6319 1CE9 4183 0986 89CA B8DB 7EF1 37EC 935B 0EAF
* Steve Lawrence, [email protected]
* William Roberts, [email protected]
* Ondrej Mosnacek, [email protected]

### Resolving Sensitive Security Issues

Upon disclosure of a bug, the maintainers should work together to investigate
the problem and decide on a solution. In order to prevent an early disclosure
of the problem, those working on the solution should do so privately and
outside of the traditional SELinux userspace development practices. One
possible way to do this is to leverage the GitHub "Security" functionality to
create a private development fork that can be shared among the maintainers and,
optionally, the reporter. A placeholder GitHub issue may be created, but details
should remain extremely limited until such time as the problem has been fixed
and responsibly disclosed. If a CVE, or other identifier, has been assigned to
the problem, the GitHub issue title should include that identifier once the
problem has been disclosed.

### Public Disclosure

Whenever possible, responsible reporting and patching practices should be
followed, including notification to the linux-distros and oss-security mailing
lists:

* https://oss-security.openwall.org/wiki/mailing-lists/distros
* https://oss-security.openwall.org/wiki/mailing-lists/oss-security