SELinux base policy r20 in hardened-dev.git, now with MCS/MLS
I've pushed selinux-base-policy-2.20101213-r20 to the hardened-dev overlay.
This update contains the following changes since r19:
- Introduces a boolean called "gentoo_wait_requests", which is enabled by
default. This boolean governs policy changes that are currently in place to
work around problems which have been reported upstream, and which should be
cleared/removed once those are fixed.
The use of a boolean allows (1) developers to test the upstream patches,
(2) users to test upstream overlays and (3) users to verify that everything
still works once the policy is fixed.
This boolean is also documented in Gentoo Hardened's module information
for the "portage" domain (in hardened-doc.git).
- Switch the boolean for Portage's NFS support from gentoo_portage_allow_nfs
to gentoo_portage_use_nfs (tracks upstream better)
- Removes an ugly hack that was introduced to support OpenRC, where we had
intermediate domains (like sysadm_initrc_notrans_t) to try and work around
the all-binaries-refer-to-/sbin/rc style (thanks to PeBenito for the
- Support NFS v4 (where rpc.statd uses TCP) (bug #375617)
- Remove haveged_t definition, use entropyd_t instead (requested upstream)
- Fix iptables save/restore routines (bug #211374)
- Support MCS/MLS
Further, it has some cosmetic improvements:
- portage policy definition (refpolicy style updates)
- nginx definitions (bug #368795)
The MCS/MLS support is new. I was quite surprised that MCS was relatively
easy to set up. If you want to use it, read the (updated) documentation in
the hardened-docs overlay (handbook has been updated accordingly). In short:
you can select the SELinux policy type through the SELINUXTYPE setting in
/etc/selinux/config and POLICY_TYPES variable in /etc/make.conf.
Beware that MLS is also possible, but very experimental (I can't get it
working in enforcing just yet). MCS seems to work pretty well (booted in
enforcing and ran a few regression tests to make sure). For the time being,
most development will still focus on strict, but MCS will be tested more and
more (especially for those specific cases where MCS is mandatory, like with
the SELinux sandbox).
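As an added example (not part of this announcement or of the Gentoo eclass), the following POSIX shell script checks that the type chosen via SELINUXTYPE in /etc/selinux/config is also listed in POLICY_TYPES in /etc/make.conf, and, when mcs or mls is selected, that every POLICY_TYPES assignment in selinux-policy-2.eclass lists that type. The file paths are passed as arguments so it can be run against constructed copies; the function names are my own.

```shell
#!/bin/sh
# Added example: consistency check for the SELinux policy type selection.
# Not part of the original post; function names and argument order are assumed.

# Print the SELINUXTYPE value from a /etc/selinux/config-style file.
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Print the POLICY_TYPES value (quotes stripped) from a make.conf-style file.
policy_types() {
    sed -n 's/^[[:space:]]*POLICY_TYPES[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '"'
}

# Return 0 if word $1 appears in the space-separated list $2.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_policy_setup SELINUX_CONFIG MAKE_CONF ECLASS
# Exit status 0 when the selection is consistent, 1 otherwise; prints findings.
check_policy_setup() {
    st=$(selinux_type "$1")
    pt=$(policy_types "$2")
    rc=0
    if [ -z "$st" ]; then
        echo "no SELINUXTYPE set in $1"; rc=1
    elif ! in_list "$st" "$pt"; then
        echo "SELINUXTYPE=$st but POLICY_TYPES=\"$pt\" in $2 does not list it"; rc=1
    fi
    # Only mcs/mls need the eclass patched: count POLICY_TYPES lines lacking them.
    case "$st" in
        mcs|mls)
            missing=$(grep 'POLICY_TYPES=' "$3" | grep -v "$st" | wc -l | tr -d ' ')
            if [ "$missing" -gt 0 ]; then
                echo "$missing POLICY_TYPES line(s) in $3 do not list $st"; rc=1
            fi ;;
    esac
    return $rc
}
```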
However, there is one but: in order to fully support MCS/MLS, the
selinux-policy-2.eclass needs to be patched: the four instances that you'll
find in it of
must be changed to
POLICY_TYPES="strict targeted mcs mls"
otherwise the base policy could support MCS/MLS but the modules themselves