SELinux userland utilities update
Hi guys,
The hardened-dev overlay now contains the newest set of SELinux userland utilities. I've tested them with the current (2.20110726-r13) policy set and they seem to work well now (finally, had to add a few patches here and there). The sad thing is, one of the issues was that libsemanage didn't support policies without levels properly. The SELinux development mailinglist mentioned that such policies get little test coverage as most (other) distributions use a level-enabled policy type (MCS or MLS) anyhow. In Gentoo, we still support strict/targeted (although MCS is definitely usable as well). As I don't want to become the testing ground for such policies, I'll see to it that MCS becomes our default policy type as well, and that a (simple) upgrade procedure is available for those still at strict or targeted. It will also mean the docs will see some updates, and we'll need to add selinux-unconfined as well as an (optionally installable) module. Wkr, Sven Vermeulen |
SELinux userland utilities update
<<<<<<<
As I don't want to become the testing ground for such policies, I'll see to it that MCS becomes our default policy type as well, and that a (simple) upgrade procedure is available for those still at strict or targeted. >>>>>>> I'm running MCS on my server but it is still in permissive mode because I need to iron out a few things and haven't had the time but I'm preparing another server this week-end so I can try a new MCS install and report back problems and bugs. Regarding bugs, the documentation on page http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&c hap=1 Recommend the installation of selinux modules before configuring the policy. I don't recommend that because all the policies get installed into the strict directory (/etc/selinux/strict) on a default installation and the /etc/selinux/mcs directory is empty. That's an easy fix but I can do a bug report if needed. Alain |
SELinux userland utilities update
On Fri, Feb 24, 2012 at 04:58:00PM -0500, Alain Toussaint wrote:
> I'm running MCS on my server but it is still in permissive mode because I > need to iron out a few things and haven't had the time but I'm preparing > another server this week-end so I can try a new MCS install and report back > problems and bugs. I have each of my dual-active services (bind, openldap, mail, apache, ...) running with MCS (one in strict, one in mcs) so I don't expect much troubles. After all, as long as the application doesn't really known it is in SELinux (and starts using categories) there is no difference in policy, just some additional cruft that's added to labels and contexts. > Regarding bugs, the documentation on page > > http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&c > hap=1 > > Recommend the installation of selinux modules before configuring the policy. > I don't recommend that because all the policies get installed into the > strict directory (/etc/selinux/strict) on a default installation and the > /etc/selinux/mcs directory is empty. That's an easy fix but I can do a bug > report if needed. I'll keep it in mind, but I'll probably have users rebuild all from sec-policy/ when they alter their supported policies ("strict" -> "strict mcs"), then reset type, relabel system (+ those hidden beneith other mount points), reboot, test and then - if they want - remove the older policy type (so "strict mcs" -> "mcs"). I don't think I'll deprecate strict/targeted just yet. I like the simplicity of strict. But I think it is better to start users with MCS. After all, much of the online documentation already deals with categories & levels. Wkr, Sven Vermeulen |
| All times are GMT. The time now is 11:52 PM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.