portage-2.0.51_pre9 is still masked, it is not stable. I ebuild merged it;
however it doesn't work, and I can't emerge anything else. Unfortunately the old
buildpkg'ed portage binary is missing too, I'm in trouble ...

----------- ( a desperate effort to remerge old portage ) :
ebuild portage-2.0.50-r6.ebuild merge
>>> Downloading
http://gentoo.oregonstate.edu/distfiles/portage-2.0.50-r6.tar.bz2
Traceback (most recent call last):
  File "/usr/sbin/ebuild", line 42, in ?
    a=portage.doebuild(pargs[0],x,getroot(),tmpsettings,debug=debug,cleanup=cleanup)
  File "/usr/lib/portage/pym/portage.py", line 2670, in doebuild
    if not fetch(fetchme, mysettings, listonly, fetchonly):
  File "/usr/lib/portage/pym/portage.py", line 2079, in fetch
    selinux.setexec(con)
  File "/local/python-selinux/selinux.prx", line 196, in selinux.setexec
OSError: setexec: Failed setting exec context.
-------------------


On Wednesday 26 May 2004 01:01 pm, Chris PeBenito wrote:
> > I have the latest portage 2.0.50-r6.
>
> Unfortunately that version has broken stacked profile support :( It
> looks like portage-2.0.51_pre9 has been marked stable. Merge that, and
> it should all work again.


>
> > 4. Is there a graphical tool to create custom .fc, .te? Any pointer to
> > sample policy creation? I will go ahead and try to vi some, but it would be
> > nice to have one guide. Any directions to posting new custom security
> > policies, or obtaining test-versions from a pool would also help.
>
> The only graphical SELinux tools in portage are app-admin/setools, but
> the policy editor that package has (sepcut) is, at its heart, just a
> text editor. If you're looking for policy that's not in portage, you can
> check out the NSA example policy or Russell Coker's Debian policy.
> You can submit policies for inclusion in portage, see our project page
> for details. There really isn't any documentation on policy creation
> beyond the very dry NSA policy whitepaper.
>
> http://www.nsa.gov/selinux/code/download5.cfm
> http://www.coker.com.au/selinux/policy.tgz
>
> > 5. How much overhead does labeling create on a filesystem with millions of
> > files? If I ever want to remove those xattrs from a filesystem, how can
> > I unlabel those millions of files, if there is any way to reclaim the space
> > those extended attributes sit on?
>
> On ext[23], xattrs are stored in a block. So each label takes a block.
> However, for space savings, the xattr blocks that have the same label
> are shared. So if you have 1 million files with the same label, it will
> have a 1 block overhead. Basically, there is an overhead of 1 block per
> different label, per fs.
>
> On XFS, the inode size should be increased to 512 (from 256), so that
> the label can fit in the inode. Then there is no overhead, though
> inodes will be a little larger. If the inode size is not increased,
> then there will be a 1 block per file overhead (i.e. huge waste) because
> the label will not fit in the inode, and a performance hit.
>
> As long as you are in a kernel with selinux enabled, you will not be
> able to unlabel a file. It will be denied regardless of
> permissive/enforcing. If you wanted to remove selinux, you could use
> rmfilecon (in a non-selinux kernel), which I will be adding in
> policycoreutils. Time permitting I will put a chapter in the quickstart
> guide for removing selinux.

--
gentoo-hardened@g.o mailing list
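The label-overhead discussion above (one shared xattr block per distinct label on ext2/3, versus one block per labelled inode on XFS when the label does not fit in a 256-byte inode) is easy to check on a real tree once you have an inventory of which labels are present. The script below is an added example for this thread, not code from the list post or from Portage. It walks a directory, reads the security.selinux extended attribute from every file and directory with os.getxattr(), groups paths by label, and sizes the labels under both storage models. It assumes a Linux kernel and a filesystem that expose security.selinux as an xattr; the label reader is injectable so the grouping and sizing logic also runs on constructed data.

```python
"""Inventory security.selinux labels under a directory and size their cost.

Added example for this thread, not code from the list post or from Portage.
Assumes a Linux kernel and filesystem that expose the security.selinux
extended attribute through os.getxattr(); the label reader is injectable so
the grouping and sizing logic also runs on constructed data.
"""
import errno
import os
import sys
from collections import defaultdict

SELINUX_XATTR = "security.selinux"

# errno values that mean "no label here" rather than "something broke":
# ENODATA = attribute absent on this inode; ENOTSUP/EOPNOTSUPP = the
# filesystem or kernel does not support the attribute at all.
_NO_LABEL_ERRNOS = {getattr(errno, n) for n in ("ENODATA", "ENOTSUP", "EOPNOTSUPP")
                    if hasattr(errno, n)}


def read_selinux_label(path):
    """Return the inode's security.selinux context as a string, or None.

    Reads the symlink itself rather than its target, since labelling tools
    label symlinks separately. The kernel stores the context NUL-terminated.
    """
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno in _NO_LABEL_ERRNOS:
            return None
        raise
    return raw.rstrip(b"\0").decode("utf-8", "replace")


def walk_inodes(root):
    """Yield every directory and file under root; directories carry labels too."""
    for dirpath, _dirs, files in os.walk(root):
        yield dirpath
        for name in files:
            yield os.path.join(dirpath, name)


def group_by_label(paths, read_label=read_selinux_label):
    """Map each distinct label to the sorted paths carrying it.

    Unlabelled inodes land under the key None. read_label is injectable so
    the grouping can be exercised with constructed data instead of a real
    SELinux-labelled filesystem.
    """
    by_label = defaultdict(list)
    for path in paths:
        by_label[read_label(path)].append(path)
    return {label: sorted(ps) for label, ps in by_label.items()}


def shared_block_overhead(by_label, block_size=4096):
    """ext2/ext3 model from the thread: identical xattr blocks are shared, so
    the cost is one block per distinct label on the filesystem."""
    return sum(block_size for label in by_label if label is not None)


def per_inode_overhead(by_label, block_size=4096):
    """Worst case the thread describes for XFS with 256-byte inodes: the label
    does not fit in the inode, so every labelled inode costs a whole block."""
    return sum(len(ps) * block_size for label, ps in by_label.items()
               if label is not None)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    inv = group_by_label(walk_inodes(root))
    # Labelled contexts first, alphabetically; the unlabelled bucket last.
    for label, ps in sorted(inv.items(), key=lambda kv: (kv[0] is None, kv[0] or "")):
        print(f"{len(ps):8d}  {label or '(unlabelled)'}")
    print(f"shared-block cost (ext2/3)        : {shared_block_overhead(inv)} bytes")
    print(f"per-inode cost (XFS, small inode) : {per_inode_overhead(inv)} bytes")
```

Run it as `python3 label_inventory.py /usr` (the file name is an assumption) on a labelled box; the number of distinct contexts it reports is the ext2/3 block overhead for that filesystem, and the per-inode figure is what an XFS volume would pay if its inodes are too small for the context. On XFS, `xfs_info <mountpoint>` shows the inode size in its `isize=` field, and `mkfs.xfs -i size=512` sets the larger inode the reply recommends at creation time. As the reply also notes, the script can only read labels: removing the attribute is denied under an SELinux-enabled kernel in both permissive and enforcing mode.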