Old 01-10-2012, 06:53 PM
Sven Vermeulen
 
SELinux base policy rev 11 in hardened-dev

Hi guys,

I haven't merged hardened-development overlay with the main tree yet because
I had to make sure that the changes in the policycoreutils wouldn't break
(m)any systems. Since I'm now pushing out rev 11, I'm going to skip merging
rev 10 and focus on the rev 11 instead in a few days.

So yes, the updated policies are now available and include the following
fixes:

bug #397535: Add policy for working with dracut (creating initramfs)
bug #396241: Updates for bacula policy
(no bug): Introduce aggregated types for Apache (needed later to support phpfpm)
(no bug): Additional dontaudit statements for dbus, mozilla, networkmanager, wpa_cli, hostname, sysnetwork
(no bug): Do not use java* wildcard in file contexts as it hits java-config as well then

I'm currently putting most work in getting an initramfs with full SELinux
support (not by forcing unconfined domains or switching to permissive first)
working (through dracut for the moment). Hopefully that'll work in the near
future :-(

Wkr,
Sven Vermeulen
 
Old 05-28-2012, 09:13 AM
Sven Vermeulen
 
SELinux base policy rev 11 in hardened-dev

Hi guys 'n girls,

The next iteration of our policies is now in the hardened-dev overlay. For
~arch users, this is one you will probably need to install through a small
workaround, but first the changes:

#417937 Do not audit access to device_t:chr_file by dmesg
#417857 Support dynamic /run directories
#413719 Correct udev context in /run/udev
<no bug> Backporting SEPostgresql changes
<no bug> Update udev file contexts (udevadm and udevd binaries)
#417821 Mark /etc/selinux/*/modules as semanage_store_t (fixes permission issue on .../modules/tmp)

~arch users will, if they have -r9 or -r10 installed, need to do the
following steps first:

"""
setenforce 0
semanage fcontext -a -t semanage_store_t "/etc/selinux/strict/modules"
restorecon -R /etc/selinux/strict/modules
setenforce 1
"""

This is because otherwise any attempt to load the new policy will result in
a failure. Of course, substitute "strict" with your SELinux policy type you
have installed.

This also means that r9 and r10 are no candidates for stabilization. And
since r8 is fairly low on changes, r11 is the next stabilization candidate.

Wkr,
Sven Vermeulen
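A pre-flight check for the steps above, written as an added example (not code from the thread or from the Gentoo hardened project): it reads SELINUXTYPE from the text of /etc/selinux/config, the current label from one line of `ls -dZ /etc/selinux/<type>/modules` output and the existing rules from `semanage fcontext -l` output, and returns only the commands still needed, so a half-finished run is completed rather than repeated. The config, `ls -dZ` and `semanage` samples at the bottom are constructed, and the pre-r11 label `selinux_config_t` used in them is an assumption.

```python
"""Pre-flight check for the -r9/-r10 -> r11 upgrade step from the thread.

Added example, not code from the thread or from the Gentoo hardened project.
Everything works on strings so it runs offline: the text of
/etc/selinux/config, one line of `ls -dZ /etc/selinux/<type>/modules` output
and the output of `semanage fcontext -l`. The samples at the bottom are
constructed; the pre-r11 label in them is an assumption.
"""
import re

STORE_TYPE = "semanage_store_t"   # the label the r11 policy expects on .../modules

# user:role:type[:range], as printed by ls -Z and semanage fcontext -l
CONTEXT = re.compile(r"(?<!\S)([^\s:]+):([^\s:]+):([^\s:]+)(?::(\S+))?(?=\s|$)")


def policy_type(config_text):
    """Return SELINUXTYPE (strict, targeted, mcs, ...) from /etc/selinux/config text."""
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "SELINUXTYPE":
            return value.strip()
    raise ValueError("SELINUXTYPE not set in /etc/selinux/config")


def context_type(line):
    """Return the type field of the first security context found on `line`."""
    m = CONTEXT.search(line)
    if not m:
        raise ValueError(f"no security context on line: {line!r}")
    return m.group(3)


def fcontext_rule_present(semanage_output, path):
    """True if `semanage fcontext -l` already maps `path` to STORE_TYPE."""
    for line in semanage_output.splitlines():
        fields = line.split()
        if fields and fields[0] == path:
            return context_type(line) == STORE_TYPE
    return False


def upgrade_steps(config_text, ls_z_line, semanage_output):
    """Return the commands from the thread that are still needed ([] if none).

    The fcontext rule and the on-disk label are checked separately, so a run
    that added the rule but never reached restorecon is completed, not redone.
    """
    store = f"/etc/selinux/{policy_type(config_text)}/modules"
    steps = []
    if not fcontext_rule_present(semanage_output, store):
        steps.append(f'semanage fcontext -a -t {STORE_TYPE} "{store}"')
    if context_type(ls_z_line) != STORE_TYPE:
        steps.append(f"restorecon -R {store}")
    if steps:   # the thread wraps the relabel in permissive mode
        steps = ["setenforce 0", *steps, "setenforce 1"]
    return steps


# Constructed samples (not captured from a real system).
SAMPLE_CONFIG = "# constructed /etc/selinux/config\nSELINUX=enforcing\nSELINUXTYPE=strict\n"
SAMPLE_LS_OLD = "drwxr-xr-x root root system_u:object_r:selinux_config_t /etc/selinux/strict/modules"
SAMPLE_LS_FIXED = "drwxr-xr-x root root system_u:object_r:semanage_store_t /etc/selinux/strict/modules"
SAMPLE_SEMANAGE_NONE = "SELinux fcontext    type    Context\n"
SAMPLE_SEMANAGE_FIXED = SAMPLE_SEMANAGE_NONE + (
    "/etc/selinux/strict/modules    all files    system_u:object_r:semanage_store_t\n")

if __name__ == "__main__":
    for cmd in upgrade_steps(SAMPLE_CONFIG, SAMPLE_LS_OLD, SAMPLE_SEMANAGE_NONE) or ["nothing to do"]:
        print(cmd)
```

On a real machine the three inputs are the file content and the two command outputs; the context regex accepts both the old three-field and the MLS four-field context format, so the check works whether or not the policy type carries a range.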
 
Old 05-29-2012, 03:30 PM
Hinnerk van Bruinehsen
 
SELinux base policy rev 11 in hardened-dev

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28.05.2012 11:13, Sven Vermeulen wrote:
> Hi guys 'n girls,
>
> The next iteration of our policies is now in the hardened-dev
> overlay. For ~arch users, this is one you will probably need to
> install through a small workaround, but first the changes:
>
> #417937 Do not audit access to device_t:chr_file by dmesg
> #417857 Support dynamic /run directories
> #413719 Correct udev context in /run/udev
> <no bug> Backporting SEPostgresql changes
> <no bug> Update udev file contexts (udevadm and udevd binaries)
> #417821 Mark /etc/selinux/*/modules as semanage_store_t (fixes permission issue
> on .../modules/tmp)
>
> ~arch users will, if they have -r9 or -r10 installed, need to do
> the following steps first:
>
> """
> setenforce 0
> semanage fcontext -a -t semanage_store_t "/etc/selinux/strict/modules"
> restorecon -R /etc/selinux/strict/modules
> setenforce 1
> """
>
> This is because otherwise any attempt to load the new policy will
> result in a failure. Of course, substitute "strict" with your
> SELinux policy type you have installed.
>
> This also means that r9 and r10 are no candidates for
> stabilization. And since r8 is fairly low on changes, r11 is the
> next stabilization candidate.
>
> Wkr, Sven Vermeulen
>

Hi,

I've got some problems with r11 on mcs. The error is:

Creating mcs base module base.conf
Compiling mcs base module
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:2184:ERROR 'permission execute is not defined' at token ';'
on line 2184:
( h1 dom h2 );
mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1

The error is introduced in
"0098-all-sepostgresql_updates_backport-r11.patch".

In older versions db_schema is db_language (which by the way is in the
older versions defined two times). If I remove the "execute" from
db_schema it builds. I don't know if db_schema needs execute, if not
it should be dropped, otherwise execute should be defined for
db_schema, I think.

WKR

Hinnerk van Bruinehsen



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPxOuhAAoJEJwwOFaNFkYc1hkIAI0IPqIVub5DgflWjMaxo2dW
fWFsXmtyDWQ6peRf+FgKszwDe+XHw1IL9bW9UdVDd7/ClN+8tJnTm5Da1cd5txN4
gx+QyUiahw6WL4sgb9aQZo+Fkfm1YpdU3VsFvjtLbxvmiRG6LHAuwY7e8nvEDC5h
REkpjMc/F5tWaT0WGd8UobYzY75MABGaH94ZwInIkl3KVPT8dMM6OSJ8Z4tmeWaT
q45moIerdk5mQFu/cYcB3V/29QSx3Z3nI/Ehk547RWoAvBqCNyn6GknpF0nh+jYb
q4N28fsnnHnj55g39LHZJqV2IqfRzIsWsgcUmJKzCI7As7VMePLNZtlB0shl7/Y=
=mCYS
-----END PGP SIGNATURE-----
 
Old 05-29-2012, 06:08 PM
Sven Vermeulen
 
SELinux base policy rev 11 in hardened-dev

On Tue, May 29, 2012 at 05:30:41PM +0200, Hinnerk van Bruinehsen wrote:
> I've got some problems with r11 on mcs. The error is:
>
> Creating mcs base module base.conf
> Compiling mcs base module
> /usr/bin/checkmodule: loading policy configuration from base.conf
> base.conf:2184:ERROR 'permission execute is not defined' at token ';'
> on line 2184:
> ( h1 dom h2 );
> mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
>
> The error is introduced in
> "0098-all-sepostgresql_updates_backport-r11.patch".
>
> In older versions db_schema is db_language (which by the way is in the
> older versions defined two times). If I remove the "execute" from
> db_schema it builds. I don't know if db_schema needs execute, if not
> it should be dropped, otherwise execute should be defined for
> db_schema, I think.

You're right; the upstream patch didn't apply cleanly so I had to do some
stuff manually, and this one slipped.

There's also a "ype_transition" somewhere that should be "type_transition".

Wkr,
Sven Vermeulen
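The two defects discussed in this exchange (a constraint naming a permission the class never defines, and a mistyped statement keyword) are the kind of thing checkmodule reports one at a time, after a full build attempt. As an added example, not code from the thread, from refpolicy or from checkmodule, here is a small lint over policy source that reports every such problem in one pass. The policy fragment it runs on is constructed in the style of base.conf, the keyword list is an assumed subset of the kernel policy language's statement keywords (extend it as needed), and the lint assumes refpolicy-style layout where each statement starts at column 0 and continuation lines are indented.

```python
"""Lint for SELinux policy source before running checkmodule.

Added example, not code from the thread, from refpolicy or from checkmodule.
Two checks: (1) every permission named in a constrain/mlsconstrain statement
must be defined for that class, directly or via an inherited common block;
(2) the first word of every statement must be a known keyword, which catches
typos such as "ype_transition". Assumes refpolicy-style layout where each
statement starts at column 0 and continuation lines are indented.
"""
import re

# Assumed subset of the kernel policy language's statement keywords; extend as needed.
KNOWN_KEYWORDS = {
    "class", "common", "inherits", "sid", "sensitivity", "dominance", "category",
    "level", "attribute", "attribute_role", "type", "typealias", "typeattribute",
    "roleattribute", "typebounds", "bool", "if", "else", "allow", "auditallow",
    "dontaudit", "neverallow", "type_transition", "type_member", "type_change",
    "range_transition", "role", "role_transition", "user", "constrain",
    "mlsconstrain", "validatetrans", "mlsvalidatetrans", "permissive", "policycap",
    "default_user", "default_role", "default_type", "default_range",
    "fs_use_xattr", "fs_use_task", "fs_use_trans", "genfscon", "portcon",
    "netifcon", "nodecon",
}

TOKEN = re.compile(r"[{}();]|[^\s{}();]+")   # braces, parens and ';' are single tokens


def _braced(tokens, i):
    """tokens[i] must be '{'; return (set of words up to the matching '}', index after it)."""
    if tokens[i] != "{":
        raise ValueError(f"expected '{{' at token {i}, got {tokens[i]!r}")
    words, i = set(), i + 1
    while tokens[i] != "}":
        words.add(tokens[i])
        i += 1
    return words, i + 1


def lint_constraints(text):
    """Return messages for constrain/mlsconstrain permissions the class does not define."""
    tokens = TOKEN.findall(re.sub(r"#[^\n]*", "", text))   # drop comments, keep newlines
    commons, classes, problems = {}, {}, []
    i, at_start = 0, True                                   # at_start: token begins a statement
    while i < len(tokens):
        tok = tokens[i]
        if at_start and tok == "common":                    # common file { read write ... }
            name = tokens[i + 1]
            perms, i = _braced(tokens, i + 2)
            commons[name] = perms
            continue
        if at_start and tok == "class":
            name, i = tokens[i + 1], i + 2
            perms = set()
            if i < len(tokens) and tokens[i] == "inherits":  # class dir inherits file
                perms |= commons.get(tokens[i + 1], set())
                i += 2
            if i < len(tokens) and tokens[i] == "{":          # access vector body
                own, i = _braced(tokens, i)
                perms |= own
            classes.setdefault(name, set()).update(perms)     # bare 'class X' only declares
            continue
        if at_start and tok in ("constrain", "mlsconstrain"):
            i += 1
            if tokens[i] == "{":                               # class set: { file dir }
                names, i = _braced(tokens, i)
            else:
                names, i = {tokens[i]}, i + 1
            perms, i = _braced(tokens, i)
            for cls in sorted(names):
                if cls not in classes:
                    problems.append(f"{tok} {cls}: class is not defined")
                    continue
                for perm in sorted(perms - classes[cls]):
                    problems.append(f"{tok} {cls}: permission '{perm}' is not defined")
            while tokens[i] != ";":                            # skip the constraint expression
                i += 1
            continue
        at_start = tok in (";", "}")
        i += 1
    return problems


def lint_keywords(text):
    """Return (line number, word) for statements whose first word is not a known keyword."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"[A-Za-z_]\w*", line)                   # identifier at column 0
        if m and m.group() not in KNOWN_KEYWORDS:
            bad.append((lineno, m.group()))
    return bad


# Constructed fragment in the style of base.conf (not the real file).
SAMPLE_POLICY = """\
# constructed fragment, not a copy of base.conf
class db_schema
class file

common file { ioctl read write create getattr setattr lock relabelfrom relabelto append }
class file inherits file { execute execute_no_trans entrypoint open }
class db_schema { create drop getattr setattr relabelfrom relabelto }

mlsconstrain file { write create setattr relabelfrom append }
\t( l1 eq l2 );
mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
\t( h1 dom h2 );
ype_transition sshd_t tmp_t:file sshd_tmp_t;
"""

if __name__ == "__main__":
    for msg in lint_constraints(SAMPLE_POLICY):
        print(msg)
    for lineno, word in lint_keywords(SAMPLE_POLICY):
        print(f"line {lineno}: unknown statement keyword '{word}'")
```

Run against a generated base.conf (or the `.te` files before the build), this reports the db_schema/execute mismatch and the mistyped keyword together, without waiting for checkmodule to stop at the first error.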
 
