Old 07-21-2011, 07:42 PM
Sven Vermeulen
 
Default SELinux base policy r20 in hardened-dev.git, now with MCS/MLS

Hi all,

I've pushed selinux-base-policy-2.20101213-r20 to the hardened-dev overlay.
This update contains the following changes since r19:

- Introduces a boolean called "gentoo_wait_requests", which is by default
enabled. This boolean governs policy changes that are currently in place
to work around problems, but which are reported upstream and - when fixed
- should be cleared/removed.
The use of a boolean allows (1.) developers to test the upstream patches,
(2.) users to test upstream overlays and (3.) users to verify that, when
the policy will be fixed, everything still works.
This boolean is also documented in Gentoo Hardened's module information
for the "portage" domain (in hardened-doc.git)
- Switch the boolean for Portage's NFS support from gentoo_portage_allow_nfs
to gentoo_portage_use_nfs (tracks upstream better)
- Removes an ugly hack that was introduced to support OpenRC, where we had
intermediate domains (like sysadm_initrc_notrans_t) to try and work around
the all-binaries-refer-to-/sbin/rc style (thanks to PeBenito for the
solution)
- Support NFS v4 (where rpc.statd uses TCP) (bug #375617)
- Remove haveged_t definition, use entropyd_t instead (requested upstream)
- Fix iptables save/restore routines (bug #211374)
- Support MCS/MLS

Further, it has more cosmetic improvements on
- portage policy definition (refpolicy style updates)
- improve nginx definitions (bug #368795)

The MCS/MLS support is new. I was quite surprised that MCS was relatively
easy to set up. If you want to use it, read the (updated) documentation in
the hardened-docs overlay (handbook has been updated accordingly). In short:
you can select the SELinux policy type through the SELINUXTYPE setting in
/etc/selinux/config and POLICY_TYPES variable in /etc/make.conf.

Beware that MLS is also possible, but very experimental (I can't get it
working in enforcing just yet). MCS seems to work pretty well (booted in
enforcing and ran a few regression tests to make sure). For the time being,
most development will still focus on strict, but MCS will be tested more and
more (especially for those specific cases where MCS is mandatory, like with
the SELinux sandbox).

However, there is one but: in order to fully support MCS/MLS, the
selinux-policy-2.eclass needs to be patched: the four instances that you'll
find in it of
POLICY_TYPES="strict targeted"
must be changed to
POLICY_TYPES="strict targeted mcs mls"
otherwise the base policy could support MCS/MLS but the modules themselves
not.

Wkr,
Sven Vermeulen
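The eclass change the post asks for is a mechanical one, so here is an added shell example (not code from Sven's post or from the Gentoo tree) that applies it to a copy of selinux-policy-2.eclass and verifies the result. The eclass content it writes is a constructed stand-in with the four POLICY_TYPES="strict targeted" assignments the post mentions, not the real file; the helper that reads SELINUXTYPE works on a constructed /etc/selinux/config-style file. The rewrite is safe to rerun, because the patched assignment no longer matches the original string.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Gentoo eclass.
# Patches a copy of selinux-policy-2.eclass so that every
#   POLICY_TYPES="strict targeted"
# becomes
#   POLICY_TYPES="strict targeted mcs mls"
# and checks that nothing was missed.

OLD='POLICY_TYPES="strict targeted"'
NEW='POLICY_TYPES="strict targeted mcs mls"'

# Write a constructed eclass fragment (stand-in for the real file) with the
# four assignments the post refers to.
make_sample_eclass() {
    cat > "$1" <<'EOF'
# constructed sample of selinux-policy-2.eclass, not the real eclass
selinux-policy-2_src_compile() {
    POLICY_TYPES="strict targeted"
    for i in ${POLICY_TYPES}; do echo "building ${i}"; done
}
selinux-policy-2_src_install() {
    POLICY_TYPES="strict targeted"
}
selinux-policy-2_pkg_postinst() {
    POLICY_TYPES="strict targeted"
}
selinux-policy-2_pkg_postrm() {
    POLICY_TYPES="strict targeted"
}
EOF
}

# Number of lines still carrying the unpatched assignment (0 when done).
# grep -c exits 1 when the count is 0, so || true keeps the function's status at 0.
count_unpatched() {
    grep -c -F "$OLD" "$1" || true
}

# Number of lines carrying the MCS/MLS-aware assignment.
count_patched() {
    grep -c -F "$NEW" "$1" || true
}

# Rewrite the assignments through a temp file (portable across GNU and BSD sed).
# Idempotent: once patched, the closing quote after "targeted" is gone, so $OLD
# no longer matches and a second run changes nothing.
patch_policy_types() {
    sed "s|$OLD|$NEW|g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeeds only when no unpatched assignment remains and at least one
# patched assignment exists, i.e. the modules will be built for mcs/mls too.
verify_policy_types() {
    [ "$(count_unpatched "$1")" -eq 0 ] && [ "$(count_patched "$1")" -gt 0 ]
}

# Read the SELINUXTYPE value from a file in /etc/selinux/config format.
selinux_type_of() {
    sed -n 's/^SELINUXTYPE=//p' "$1"
}

# Stand-alone run on constructed input in a scratch directory.
workdir=$(mktemp -d)
eclass="$workdir/selinux-policy-2.eclass"
make_sample_eclass "$eclass"
printf 'SELINUX=enforcing\nSELINUXTYPE=mcs\n' > "$workdir/config"   # constructed config
echo "before: $(count_unpatched "$eclass") unpatched assignment(s)"
patch_policy_types "$eclass"
echo "after:  $(count_unpatched "$eclass") unpatched, $(count_patched "$eclass") patched"
if verify_policy_types "$eclass"; then
    echo "eclass ready for SELINUXTYPE=$(selinux_type_of "$workdir/config")"
else
    echo "eclass still has unpatched POLICY_TYPES assignments"
fi
rm -rf "$workdir"
```

Run it against a real copy of the eclass by pointing patch_policy_types and verify_policy_types at that path instead of the constructed sample; verify_policy_types failing after the patch means an assignment used some other spelling than the one the post quotes and needs a look by hand.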