FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Hardened

 
 
LinkBack Thread Tools
 
Old 12-11-2011, 12:48 PM
Sven Vermeulen
 
Default SELinux base policy rev 8 in hardened-dev

Hi guys,

I just pushed rev 8 of selinux-base-policy (and the various policy modules
that have changes in them since rev 7). The included changes are:

- <bug #390881> dontaudit statements for portage (netlink_route_socket)
- <bug #393315> update file contexts to support slim and lxdm
- <bug #393443> fix syntax issue with mutt
- <bug #389577> initial set of fixes for fail2ban (more to come though)
- <no bug> update on gorg policy
- <no bug> update on XDG definitions (mozilla)
- <no bug> dontaudit on mount_t write/setattr on mountpoints
- <no bug> dontaudit creation of socket by qemu
- <no bug> dontaudit sudo searching in home dirs
- <no bug> dontaudit vde searching in home dirs
- <no bug> mark portage_ebuild_t as a mountpoint
- <no bug> have selinux-telnet depend on selinux-remotelogin

There are also a couple of module packages who referred to a non-existing
module. These have been updated to properly depend on the correct module
package.

For the SELinux fans, the SELinux FAQ and SELinux Handbook have also seen a
few updates, not in the least about supporting non-hardened profiles with
SELinux. The SELinux bug reporting guide has also been uploaded.

http://hardened.gentoo.org/selinux

I'm also adding the proper dependencies on the packages towards the
sec-policy/selinux-<module> as mentioned on gentoo-dev@g.o. I'm doing that
as I see them pass by currently, but will probably do a larger bump later.

Also, there's a bug open for the base-system to have sudo built with
--with-selinux to enable SELinux support in sudo (out-of-the-box).

Wkr,
Sven Vermeulen
 
Old 04-22-2012, 08:35 AM
Sven Vermeulen
 
Default SELinux base policy rev 8 in hardened-dev

Hi guys,

Revision 8 of the 2.20120215 policies are now in the hardened-dev overlay.
It contains the following changes:

<no bug> Update whitespace in python scripts (support python3)
#411149 Introduce httpd_setrlimit to support setrlimit/sys_resource on apache (for lighttpd)
#411943 Allow unconfined users to start X (or XFCE) from the commandline

Testing is, as always, appreciated. However, the changes are non-intrusive
and I'm going to make a few more intrusive changes now which will need a bit
more testing, so I'm heading out with rev 8 now.

Also, I've moved the repository I use for maintaining the policies from
github to gogo [1]. I didn't use the git magic, just a copy of the sources,
as patching is always done in incremental manners (and not through git
patches)... for now ;-)

I'll have our SELinux development guide also updated to have users base
their patches from this tree instead, that should make development a bit
easier for them.

Wkr,
Sven Vermeulen
 

Thread Tools




All times are GMT. The time now is 05:05 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org