| 1 |
On Mon, 2002-10-28 at 17:45, nixnut wrote: |
| 2 |
> Chris PeBenito wrote: |
| 3 |
> |
| 4 |
> >Mainly just try stuff to make sure your system still works. :) I needed |
| 5 |
> >to make sure everything was ok, since I need to get people updated; |
| 6 |
> > |
| 7 |
> Ok, so far so good. Is there a reference gentoo-selinux platform? One |
| 8 |
> that specifies which applications are supported (required)? That way we |
| 9 |
> know what needs to work and thus what needs testing. |
| 10 |
|
| 11 |
Not specifically, but mainly things to test is common stuff like: |
| 12 |
|
| 13 |
* init loads policy on startup |
| 14 |
* can login from console |
| 15 |
* can login from ssh |
| 16 |
* can newrole |
| 17 |
* restart services |
| 18 |
|
| 19 |
On a side note, there are a few new things in this release. run_init is |
| 20 |
no longer needed, because we have integrated it into our init script |
| 21 |
system (still needed on other distros). Also there is a sestatus tool |
| 22 |
that I wrote, and contributed upstream. With no options, it gives you a |
| 23 |
short status: |
| 24 |
|
| 25 |
# sestatus |
| 26 |
SELinux status: enabled |
| 27 |
SELinuxfs mount: /selinux |
| 28 |
Current mode: enforcing |
| 29 |
Policy version: 16 |
| 30 |
|
| 31 |
with a -v option, it checks the context of several files and processes, |
| 32 |
in addition to the above. It can help in making sure contexts are |
| 33 |
consistent: |
| 34 |
|
| 35 |
Process contexts: |
| 36 |
Current context: pebenito:sysadm_r:sysadm_t |
| 37 |
Init context: system_u:system_r:init_t |
| 38 |
/sbin/agetty system_u:system_r:getty_t |
| 39 |
/usr/sbin/sshd system_u:system_r:sshd_t |
| 40 |
|
| 41 |
File contexts: |
| 42 |
Controlling term: pebenito:object_r:sysadm_devpts_t |
| 43 |
/etc/passwd system_u:object_r:etc_t |
| 44 |
/etc/shadow system_u:object_r:shadow_t |
| 45 |
/bin/bash system_u:object_r:shell_exec_t |
| 46 |
/bin/login system_u:object_r:login_exec_t |
| 47 |
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t |
| 48 |
/sbin/agetty system_u:object_r:getty_exec_t |
| 49 |
/sbin/init system_u:object_r:init_exec_t |
| 50 |
/usr/sbin/sshd system_u:object_r:sshd_exec_t |
| 51 |
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t |
| 52 |
/lib/ld.so.1 system_u:object_r:lib_t -> system_u:object_r:ld_so_t |
| 53 |
|
| 54 |
> Ok, I assume you know that the packages file in the new profile is |
| 55 |
> rather empty? I tried to bootstrap a new system with it without looking |
| 56 |
> at it first, so I was a bit surprised that emerge asked me to tell it |
| 57 |
> what to do :-) |
| 58 |
|
| 59 |
The file looks empty because of the new stacked profiles. The profile |
| 60 |
that make.profile is linked to has several parent profiles, that |
| 61 |
eventually gets to the base profile, which has a quite full packages |
| 62 |
file :) However, it won't work right unless you have a |
| 63 |
>=portage-2.0.50-r2 installed. |
| 64 |
|
| 65 |
-- |
| 66 |
Chris PeBenito |
| 67 |
<pebenito@g.o> |
| 68 |
Developer, |
| 69 |
Hardened Gentoo Linux |
| 70 |
Embedded Gentoo Linux |
| 71 |
|
| 72 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 73 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives