Hi guys 'n gals

obligatory tl;dr:
Please check your package below this list and see if it (the package) has
a proper DEPEND and RDEPEND on the listed sec-policy/selinux-<module> package(s)

Within the Gentoo Hardened project, we are working on getting the SELinux
support into shape. Recent evolutions are the stabilization of latest upstream
userspace utilities and policies as well as documentation improvements and even
some "human resource improvements" (read: fresh blood in our ranks).

Within SELinux, specific modules are used (called SELinux modules, because we
are not that creative in our naming) that contain the SELinux policy (what is
allowed) as well as labeling information for files (which we call file context
information). This labeling is very important in order for the policies to work
well - wrong labels will lead to applications running with wrong permissions
(which usually means "Application No Workie").

In Gentoo, unlike some other distributions, we try to keep the number of
loaded/installed modules to a minimum so that policy rebuilds as well as the
system overhead is limited. This results in a "base" policy (provided by
selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>). To make
sure that installations of a package pull in the right SELinux module, the
proper dependencies must be defined.

In the list below you will find "package dependency" information. This means
that the given package should have both DEPEND and RDEPEND on the dependency
(which is always of the form sec-policy/selinux-<modulename> since dependencies
on sec-policy/selinux-base-policy are always satisfied the moment a user has SELinux
enabled on his Gentoo system).

The dependency should be USE="selinux"-triggered (the selinux USE flag is masked
for non-SELinux profiles and mandatory on SELinux systems), like so:
    IUSE="selinux"
    DEPEND="selinux? ( sec-policy/selinux-<modulename> )"
    RDEPEND="selinux? ( sec-policy/selinux-<modulename> )"

The dependency must be on both levels, because the SELinux module must be
installed before the package is installed (and in theory, RDEPEND could
trigger an installation afterwards): during the installation phase, Portage
labels the files on the system (which would get wrong labels if the module
isn't installed yet[1]). Also, DEPEND isn't sufficient due to binary package
support requirements.

Since there are quite a few packages that would need updates, I thought about
first mailing gentoo-dev for feedback and perhaps a first chunk of work done. I
also wouldn't mind creating bugreports for each of them, but that would still be
best done after having mailed gentoo-dev ;-)

Wkr,
Sven Vermeulen

[1] I am aware that Portage currently installs RDEPEND before the package
itself, but that might change in the future and other package managers might
exhibit different behavior.

games-board/aisleriot sec-policy/selinux-games
sys-apps/apmd sec-policy/selinux-apm
net-dns/bind sec-policy/selinux-bind
net-wireless/bluez sec-policy/selinux-bluetooth
app-i18n/canna sec-policy/selinux-canna
app-cdr/cdrkit sec-policy/selinux-cdrecord
app-cdr/cdrtools sec-policy/selinux-cdrecord
app-antivirus/clamav sec-policy/selinux-clamav
net-im/climm sec-policy/selinux-games
mail-mta/courier sec-policy/selinux-courier
net-print/cups sec-policy/selinux-lpd
dev-vcs/cvs sec-policy/selinux-cvs
sys-process/daemontools sec-policy/selinux-daemontools
sys-process/daemontools-encore sec-policy/selinux-daemontools
mail-filter/dcc sec-policy/selinux-dcc
app-admin/denyhosts sec-policy/selinux-denyhosts
sys-devel/distcc sec-policy/selinux-distcc
net-dns/djbdns sec-policy/selinux-djbdns
app-arch/dpkg sec-policy/selinux-dpkg
app-cdr/dvd+rw-tools sec-policy/selinux-cdrecord
www-client/epiphany sec-policy/selinux-mozilla
x11-misc/expocity sec-policy/selinux-wm
net-analyzer/fail2ban sec-policy/selinux-fail2ban
app-arch/fastjar sec-policy/selinux-java
net-mail/fetchmail sec-policy/selinux-fetchmail
www-client/firefox-bin sec-policy/selinux-mozilla
dev-java/gcj-jdk sec-policy/selinux-java
dev-vcs/gitolite sec-policy/selinux-gitosis
dev-vcs/gitolite-gentoo sec-policy/selinux-gitosis
dev-vcs/gitosis sec-policy/selinux-gitosis
dev-vcs/gitosis-gentoo sec-policy/selinux-gitosis
virtual/gnat sec-policy/selinux-ada
gnome-base/gnome-applets sec-policy/selinux-cpufreqselector
gnome-extra/gnome-games sec-policy/selinux-games
gnome-base/gnome-shell sec-policy/selinux-wm
app-crypt/gnupg sec-policy/selinux-gpg
www-servers/gorg sec-policy/selinux-gorg
gpe-base/gpe-dm sec-policy/selinux-xserver
net-print/hplip sec-policy/selinux-cups
x11-apps/iceauth sec-policy/selinux-xserver
net-misc/icecast sec-policy/selinux-icecast
net-nntp/inn sec-policy/selinux-inn
kde-base/katomic sec-policy/selinux-games
kde-base/kbattleship sec-policy/selinux-games
sys-apps/kbd sec-policy/selinux-loadkeys
kde-base/kblackbox sec-policy/selinux-games
kde-base/kbounce sec-policy/selinux-games
kde-base/kgoldrunner sec-policy/selinux-games
kde-base/kgpg sec-policy/selinux-gpg
net-wireless/kismet sec-policy/selinux-kismet
kde-base/kjumpingcube sec-policy/selinux-games
kde-base/klickety sec-policy/selinux-games
kde-base/klines sec-policy/selinux-games
kde-base/kmahjongg sec-policy/selinux-games
kde-base/kmines sec-policy/selinux-games
kde-base/kolf sec-policy/selinux-games
kde-base/konquest sec-policy/selinux-games
kde-base/kpat sec-policy/selinux-games
kde-base/kreversi sec-policy/selinux-games
kde-base/kshisen sec-policy/selinux-games
kde-base/kspaceduel sec-policy/selinux-games
kde-base/ktron sec-policy/selinux-games
kde-base/ktuberling sec-policy/selinux-games
app-emulation/libvirt sec-policy/selinux-xen
www-client/links sec-policy/selinux-links
kde-base/lskat sec-policy/selinux-games
dev-db/mariadb sec-policy/selinux-mysql
net-misc/memcached sec-policy/selinux-memcached
x11-wm/metacity sec-policy/selinux-wm
sys-apps/mlocate sec-policy/selinux-slocate
www-servers/mongrel sec-policy/selinux-apache
media-sound/mpd sec-policy/selinux-mpd
sys-cluster/mpich2 sec-policy/selinux-mpd
media-video/mplayer sec-policy/selinux-mplayer
media-video/mplayer2 sec-policy/selinux-mplayer
net-analyzer/mrtg sec-policy/selinux-mrtg
mail-client/mutt sec-policy/selinux-mutt
dev-db/mysql sec-policy/selinux-mysql
media-libs/nas sec-policy/selinux-soundserver
net-misc/netcf sec-policy/selinux-ncftool
net-ftp/netkit-ftpd sec-policy/selinux-publicfile
mail-mta/netqmail sec-policy/selinux-qmail
net-analyzer/ntop sec-policy/selinux-ntop
net-misc/nxserver-freeedition sec-policy/selinux-nx
net-misc/nxserver-freenx sec-policy/selinux-nx
x11-wm/openbox sec-policy/selinux-wm
net-misc/openconnect sec-policy/selinux-vpn
net-nntp/pan sec-policy/selinux-pan
sys-boot/plymouth sec-policy/selinux-plymouthd
app-admin/prelude-lml sec-policy/selinux-prelude
app-admin/prelude-manager sec-policy/selinux-prelude
mail-filter/procmail sec-policy/selinux-procmail
net-ftp/proftpd sec-policy/selinux-ftp
www-servers/publicfile sec-policy/selinux-publicfile
media-sound/pulseaudio sec-policy/selinux-pulseaudio
app-admin/puppet sec-policy/selinux-puppet
dev-python/pyzor sec-policy/selinux-pyzor
app-emulation/qemu sec-policy/selinux-qemu
app-emulation/qemu-kvm sec-policy/selinux-qemu
www-apps/roundup sec-policy/selinux-roundup
app-arch/rpm sec-policy/selinux-rpm
app-shells/rssh sec-policy/selinux-rssh
net-fs/samba sec-policy/selinux-samba
app-misc/screen sec-policy/selinux-screen
net-mail/serialmail sec-policy/selinux-daemontools
net-im/skype sec-policy/selinux-skype
net-nntp/slrn sec-policy/selinux-slrnpull
mail-filter/spamassassin sec-policy/selinux-spamassassin
net-misc/stunnel sec-policy/selinux-stunnel
net-nntp/suck sec-policy/selinux-inn
net-misc/taylor-uucp sec-policy/selinux-uucp
media-sound/timidity++ sec-policy/selinux-timidity
net-irc/tirc sec-policy/selinux-irc
net-misc/tor sec-policy/selinux-tor
media-tv/tvtime sec-policy/selinux-tvtime
x11-wm/twm sec-policy/selinux-wm
sys-apps/ucspi-tcp sec-policy/selinux-ucspitcp
sys-apps/usermode-utilities sec-policy/selinux-uml
www-servers/varnish sec-policy/selinux-varnishd
net-misc/vde sec-policy/selinux-vde
media-video/vlc sec-policy/selinux-mplayer
app-emulation/vmware-workstation sec-policy/selinux-vmware
net-analyzer/vnstat sec-policy/selinux-vnstatd
app-admin/webalizer sec-policy/selinux-webalizer
app-emulation/wine sec-policy/selinux-wine
net-analyzer/wireshark sec-policy/selinux-wireshark
net-wireless/wpa_supplicant sec-policy/selinux-networkmanager
x11-apps/xauth sec-policy/selinux-xserver
media-video/xine-ui sec-policy/selinux-mplayer
x11-base/xorg-server sec-policy/selinux-xprint
x11-base/xorg-server sec-policy/selinux-xprint
x11-misc/xscreensaver sec-policy/selinux-xscreensaver
sys-apps/yum sec-policy/selinux-rpm
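
A checker for the rule stated in the message above (selinux in IUSE, and the module inside a selinux? ( ... ) group in both DEPEND and RDEPEND), as an added example that is not part of the original mail or of Gentoo's tooling. The function names and the two ebuild fragments are constructed; the code reads the assignments textually, so dependencies set by eclasses and the implicit RDEPEND=DEPEND of old EAPIs are not modelled.

```python
import re

# Constructed sample ebuild fragments (not real tree contents).
RDEPEND_ONLY = '''IUSE="ipv6 selinux"
DEPEND="dev-libs/openssl"
RDEPEND="${DEPEND}
    selinux? ( sec-policy/selinux-bind )"
'''
CORRECT = '''IUSE="ipv6 selinux"
DEPEND="dev-libs/openssl
    selinux? ( sec-policy/selinux-bind )"
RDEPEND="${DEPEND}"
'''

ASSIGN = re.compile(r'^\s*(IUSE|DEPEND|RDEPEND)(\+?)="(.*?)"', re.M | re.S)
VARREF = re.compile(r'\$\{?(IUSE|DEPEND|RDEPEND)\}?')

def parse_vars(text):
    """Collect IUSE/DEPEND/RDEPEND, expanding ${VAR} references and += appends."""
    vals = {"IUSE": "", "DEPEND": "", "RDEPEND": ""}
    for name, plus, body in ASSIGN.findall(text):
        body = VARREF.sub(lambda m: vals[m.group(1)], body)
        vals[name] = vals[name] + " " + body if plus else body
    return vals

def has_selinux_dep(depstring, module):
    """True if module appears inside a 'selinux? ( ... )' group of depstring."""
    atom = re.compile(r'[<>=~]*' + re.escape(module) + r'(-\d\S*|[:\[]\S*)?')
    stack, prev = [], None          # stack: the token that opened each group
    for tok in depstring.split():
        if tok == "(":
            stack.append(prev)
        elif tok == ")" and stack:
            stack.pop()
        elif "selinux?" in stack and atom.fullmatch(tok):
            return True
        prev = tok
    return False

def check_ebuild(text, module):
    """Return the list of rule violations; an empty list means the ebuild complies."""
    v = parse_vars(text)
    problems = []
    if "selinux" not in [f.lstrip("+-") for f in v["IUSE"].split()]:
        problems.append("IUSE lacks selinux")
    for var in ("DEPEND", "RDEPEND"):
        if not has_selinux_dep(v[var], module):
            problems.append(var + " lacks selinux? ( " + module + " )")
    return problems

if __name__ == "__main__":
    for name, text in (("RDEPEND_ONLY", RDEPEND_ONLY), ("CORRECT", CORRECT)):
        print(name, check_ebuild(text, "sec-policy/selinux-bind") or "ok")
```

The RDEPEND_ONLY fragment is the case the message warns about: the module would be pulled in at run time, but nothing guarantees it is installed before Portage labels the package's files.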