Hi guys,

The hardened-dev overlay now contains the newest set of SELinux userland
utilities. I've tested them with the current (2.20110726-r13) policy set and
they seem to work well now (finally, had to add a few patches here and
there).

The sad thing is, one of the issues was that libsemanage didn't support
policies without levels properly. The SELinux development mailinglist
mentioned that such policies get little test coverage as most (other)
distributions use a level-enabled policy type (MCS or MLS) anyhow. In
Gentoo, we still support strict/targeted (although MCS is definitely usable
as well).

As I don't want to become the testing ground for such policies, I'll see to
it that MCS becomes our default policy type as well, and that a (simple)
upgrade procedure is available for those still at strict or targeted.

It will also mean the docs will see some updates, and we'll need to add
selinux-unconfined as well as an (optionally installable) module.

Wkr,
Sven Vermeulen

<<<<<<<
As I don't want to become the testing ground for such policies, I'll see to
it that MCS becomes our default policy type as well, and that a (simple)
upgrade procedure is available for those still at strict or targeted.
>>>>>>>

I'm running MCS on my server but it is still in permissive mode because I
need to iron out a few things and haven't had the time but I'm preparing
another server this week-end so I can try a new MCS install and report back
problems and bugs. Regarding bugs, the documentation on page

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&c
hap=1

Recommend the installation of selinux modules before configuring the policy.
I don't recommend that because all the policies get installed into the
strict directory (/etc/selinux/strict) on a default installation and the
/etc/selinux/mcs directory is empty. That's an easy fix but I can do a bug
report if needed.

Alain

On Fri, Feb 24, 2012 at 04:58:00PM -0500, Alain Toussaint wrote:
> I'm running MCS on my server but it is still in permissive mode because I
> need to iron out a few things and haven't had the time but I'm preparing
> another server this week-end so I can try a new MCS install and report back
> problems and bugs.

I have each of my dual-active services (bind, openldap, mail, apache, ...)
running with MCS (one in strict, one in mcs) so I don't expect much
troubles. After all, as long as the application doesn't really known it is
in SELinux (and starts using categories) there is no difference in policy,
just some additional cruft that's added to labels and contexts.

> Regarding bugs, the documentation on page
>
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&c
> hap=1
>
> Recommend the installation of selinux modules before configuring the policy.
> I don't recommend that because all the policies get installed into the
> strict directory (/etc/selinux/strict) on a default installation and the
> /etc/selinux/mcs directory is empty. That's an easy fix but I can do a bug
> report if needed.

I'll keep it in mind, but I'll probably have users rebuild all from
sec-policy/ when they alter their supported policies ("strict" -> "strict
mcs"), then reset type, relabel system (+ those hidden beneith other mount
points), reboot, test and then - if they want - remove the older policy type
(so "strict mcs" -> "mcs").

I don't think I'll deprecate strict/targeted just yet. I like the simplicity
of strict. But I think it is better to start users with MCS. After all, much
of the online documentation already deals with categories & levels.

Wkr,
Sven Vermeulen