Linux Archive > Gentoo > Gentoo Hardened
Old 03-02-2011, 04:48 PM
Sven Vermeulen
 
SELinux base policy 2.20101213-r9 in overlay

Hi guys,

I've committed sec-policy/selinux-base-policy-2.20101213-r9 to the
hardened-development overlay. It has the following fixes since -r8:
- Allow Portage sandbox to ptrace (some package installs require this)
- Use xserver_domtrans instead of allowing siginh (cleaner policy)
- Fix issue that dhcpcd didn't work (could not find interfaces)
- Allow unconfined_t domain to transition to portage domains

The latter should fix bugs #355745 and #356533.

This is also the first (but definitely not the last) commit which I'm now
also testing various stuff with. The testing approach I use is to set up
Gentoo Hardened base, then update to SELinux (strict), install mysql,
install postgresql and then run some administrative tests:

portage - - - - Performing portage activities -
portage - 001 - Run emerge --info - success
portage - 002 - Run emerge -puDN world - success
portage - 003 - Run emerge cowsay - success
portage - 004 - Run emerge -C cowsay (remove) - success
portage - 005 - Run eselect profile list - success
portage - 006 - Run gcc-config -l - success
inittest - - - - Create temporary working database (gentoo) -
inittest - 001 - Load SQL file (restore database dump) - success
mysql - - - - Performing mysql command activities -
mysql - 001 - Create table (as admin) through mysql command - success
mysql - 002 - Show tables (as admin) - success
mysql - 003 - Drop table (as admin) - success
mysql - 004 - Describe table (as guest) - success
mysql - 005 - Select data from table (as guest) - success
mysql - 006 - Select data from table (as test) - success
mysql - 007 - Create table (as guest) - success
exittest - - - - Cleanup temporary working database (gentoo) -
exittest - 001 - Drop database gentoo - success
exittest - 002 - Revoke all (gentoo) privileges from guest account - success
exittest - 003 - Revoke all (gentoo) privileges from admin account - success
inittest - - - - Create temporary working database -
inittest - 001 - Create admin role - success
inittest - 002 - Create guest role - success
inittest - 003 - Load SQL file (restore database dump) - success
postgres - - - - Performing psql command activities -
postgres - 001 - Create table (as admin) through psql command - success
postgres - 002 - Describe test table (as admin) through psql command - success
postgres - 003 - Drop test table (as admin) through psql command - success
postgres - 004 - Describe table (as guest) through psql command - success
postgres - 005 - Query test data (as guest) through psql command - success
postgres - 006 - Testing invalid user access - success
exittest - - - - Cleanup temporary working database -
exittest - 001 - Drop test database - success
exittest - 002 - Drop admin user - success
exittest - 003 - Drop guest user - success


These tests are done for both strict and targeted policy (but always in
enforcing mode). The idea I have is to try and reproduce issues reported or
seen on the forums and try to automate those. If they can be automated, I
add them to the test scripts so that (1.) the issue is confirmed, and (2.)
regressions can be detected.

For the time being you'll see that the tests aren't advanced, but at least
it's a start and it can grow more easily ;-)

Wkr,
Sven Vermeulen
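The result lines above come from Sven's own test scripts, which are not on this page. What follows is an added example, not Sven's code and not part of the hardened-development overlay: a small POSIX sh harness that prints the same "suite - id - description - result" lines, refuses to treat results as meaningful unless SELinux reports enforcing mode, and counts the AVC denials written to an audit log while each test command ran. All function names are illustrative, the enforce-state file defaults to the selinuxfs path /sys/fs/selinux/enforce, and the audit lines used in the stand-alone demo are constructed for illustration rather than taken from a real system.

```shell
#!/bin/sh
# Added example harness (not the overlay's test scripts). Function names are
# illustrative; the AVC lines in the demo below are constructed, not real logs.

# Print the SELinux enforce state read from a selinuxfs-style file
# (1 = enforcing, 0 = permissive); "unknown" if the file cannot be read.
selinux_enforce_state() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo unknown
    fi
}

# Succeed only when the given enforce file reports enforcing mode, so that
# a "success" line can never come from a permissive run.
require_enforcing() {
    [ "$(selinux_enforce_state "$1")" = 1 ]
}

# Line count of a file, without the leading blanks some wc builds print.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Number of AVC denial records appended to audit log $1 after line $2.
# grep -c prints 0 but exits 1 on no match, hence the "|| true".
count_new_avc_denials() {
    tail -n +"$(( $2 + 1 ))" "$1" | grep -c 'type=AVC.*denied' || true
}

# run_test SUITE ID DESCRIPTION COMMAND [ARGS...]
# Runs COMMAND silently and prints one result line in the post's format.
run_test() {
    suite=$1; id=$2; desc=$3; shift 3
    if "$@" >/dev/null 2>&1; then
        printf '%s - %s - %s - success\n' "$suite" "$id" "$desc"
    else
        printf '%s - %s - %s - failed\n' "$suite" "$id" "$desc"
        return 1
    fi
}

# run_checked_test AUDITLOG SUITE ID DESCRIPTION COMMAND [ARGS...]
# Like run_test, but also fails the test when the command caused AVC denials,
# even if it exited 0 (a program may swallow EACCES and still appear to work).
run_checked_test() {
    checked_log=$1; shift
    before=$(count_lines "$checked_log")
    if run_test "$@"; then test_rc=0; else test_rc=1; fi
    denials=$(count_new_avc_denials "$checked_log" "$before")
    if [ "$denials" -gt 0 ]; then
        printf '%s - %s - %s new AVC denial(s) logged\n' "$1" "$2" "$denials"
        return 1
    fi
    return $test_rc
}

# Stand-alone demo with a constructed audit log (not a real system's log).
demo_log=$(mktemp)
printf 'type=AVC msg=audit(1): avc:  denied  { ptrace } for pid=1 comm="sandbox"\n' > "$demo_log"

if require_enforcing /sys/fs/selinux/enforce; then
    printf 'SELinux is enforcing; results are meaningful\n'
else
    printf 'SELinux not enforcing (or no selinuxfs): results below are informational only\n'
fi

# A stand-in for a command that exits 0 but triggers a denial while running.
demo_command_with_denial() {
    printf 'type=AVC msg=audit(2): avc:  denied  { write } for pid=2 comm="mysqld"\n' >> "$demo_log"
}

run_checked_test "$demo_log" portage 001 "Run emerge --info (stand-in: true)" true || :
run_checked_test "$demo_log" mysql 001 "Create table (stand-in that logs a denial)" demo_command_with_denial || :
rm -f "$demo_log"
```

On a real Gentoo Hardened box the audit log argument would be auditd's /var/log/audit/audit.log and the commands would be the emerge, mysql and psql invocations listed in the post. One caveat: denials covered by dontaudit rules never reach the log, so a run meant to catch missing policy should temporarily disable them (semodule -DB) and re-enable them afterwards (semodule -B).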
 
Old 03-02-2011, 09:29 PM
"Aaron W. Swenson"
 
SELinux base policy 2.20101213-r9 in overlay

On 03/02/2011 12:48 PM, Sven Vermeulen wrote:
> Hi guys,
>
> I've committed sec-policy/selinux-base-policy-2.20101213-r9 to the
> hardened-development overlay. It has the following fixes since -r8:
> - Allow Portage sandbox to ptrace (some package installs require this)
> - Use xserver_domtrans instead of allowing siginh (cleaner policy)
> - Fix issue that dhcpcd didn't work (could not find interfaces)
> - Allow unconfined_t domain to transition to portage domains
>
> The latter should fix bugs #355745 and #356533.
>
> This is also the first (but definitely not the last) commit which I'm now
> also testing various stuff with. The testing approach I use is to set up
> Gentoo Hardened base, then update to SELinux (strict), install mysql,
> install postgresql and then run some administrative tests:
>
> portage - - - - Performing portage activities -
> portage - 001 - Run emerge --info - success
> portage - 002 - Run emerge -puDN world - success
> portage - 003 - Run emerge cowsay - success
> portage - 004 - Run emerge -C cowsay (remove) - success
> portage - 005 - Run eselect profile list - success
> portage - 006 - Run gcc-config -l - success
> inittest - - - - Create temporary working database (gentoo) -
> inittest - 001 - Load SQL file (restore database dump) - success
> mysql - - - - Performing mysql command activities -
> mysql - 001 - Create table (as admin) through mysql command - success
> mysql - 002 - Show tables (as admin) - success
> mysql - 003 - Drop table (as admin) - success
> mysql - 004 - Describe table (as guest) - success
> mysql - 005 - Select data from table (as guest) - success
> mysql - 006 - Select data from table (as test) - success
> mysql - 007 - Create table (as guest) - success
> exittest - - - - Cleanup temporary working database (gentoo) -
> exittest - 001 - Drop database gentoo - success
> exittest - 002 - Revoke all (gentoo) privileges from guest account - success
> exittest - 003 - Revoke all (gentoo) privileges from admin account - success
> inittest - - - - Create temporary working database -
> inittest - 001 - Create admin role - success
> inittest - 002 - Create guest role - success
> inittest - 003 - Load SQL file (restore database dump) - success
> postgres - - - - Performing psql command activities -
> postgres - 001 - Create table (as admin) through psql command - success
> postgres - 002 - Describe test table (as admin) through psql command - success
> postgres - 003 - Drop test table (as admin) through psql command - success
> postgres - 004 - Describe table (as guest) through psql command - success
> postgres - 005 - Query test data (as guest) through psql command - success
> postgres - 006 - Testing invalid user access - success
> exittest - - - - Cleanup temporary working database -
> exittest - 001 - Drop test database - success
> exittest - 002 - Drop admin user - success
> exittest - 003 - Drop guest user - success
>
>
> These tests are done for both strict and targeted policy (but always in
> enforcing mode). The idea I have is to try and reproduce issues reported or
> seen on the forums and try to automate those. If they can be automated, I
> add them to the test scripts so that (1.) the issue is confirmed, and (2.)
> regressions can be detected.
>
> For the time being you'll see that the tests aren't advanced, but at least
> it's a start and it can grow more easily ;-)
>
> Wkr,
> Sven Vermeulen
>

Does this affect bug 328297, if at all?

There will be some changes coming to PostgreSQL soon, once Mr. Chvatal
(scarabeus) or Mr. Lauer (bonsaikitten) get the time to test and commit.

The configuration files will be in /etc/postgresql-${SLOT}/. And
src_test() works on it now with its socket created in ${T} and
executables and miscellaneous files in ${S}/src/test/regress/.

All of that works just fine on Hardened, but I'm not familiar with
SELinux other than it's an additional security measure.

Sincerely,
Mr. Aaron W. Swenson
 
