| 1 |
portage-2.0.51_pre9 is still masked, it is not stable. I ebuild merged it |
| 2 |
however it doesn't work, and I can't emerge anything else. Unfortunately old |
| 3 |
buildpkg'ed portage binary is missing too, I'm in trouble ... |
| 4 |
|
| 5 |
----------- ( a desperate effort to remerge old portage ) : |
| 6 |
ebuild portage-2.0.50-r6.ebuild merge |
| 7 |
>>> Downloading |
| 8 |
http://gentoo.oregonstate.edu/distfiles/portage-2.0.50-r6.tar.bz2 |
| 9 |
Traceback (most recent call last): |
| 10 |
File "/usr/sbin/ebuild", line 42, in ? |
| 11 |
a=portage.doebuild(pargs[0],x,getroot(),tmpsettings,debug=debug,cleanup=cleanup) |
| 12 |
File "/usr/lib/portage/pym/portage.py", line 2670, in doebuild |
| 13 |
if not fetch(fetchme, mysettings, listonly, fetchonly): |
| 14 |
File "/usr/lib/portage/pym/portage.py", line 2079, in fetch |
| 15 |
selinux.setexec(con) |
| 16 |
File "/local/python-selinux/selinux.prx", line 196, in selinux.setexec |
| 17 |
OSError: setexec: Failed setting exec context. |
| 18 |
------------------- |
| 19 |
|
| 20 |
|
| 21 |
On Wednesday 26 May 2004 01:01 pm, Chris PeBenito wrote: |
| 22 |
> > I have the latest portage 2.0.50-r6. |
| 23 |
> |
| 24 |
> Unfortunately that version has broken stacked profile support :( It |
| 25 |
> looks like portage-2.0.51_pre9 has been marked stable. Merge that, and |
| 26 |
> it should all work again. |
| 27 |
|
| 28 |
|
| 29 |
> |
| 30 |
> > 4. Is there a graphical tool to create custom .fc, .te? Any pointer to |
| 31 |
> > sample policy creation? I will go ahead try to vi some, but it would be |
| 32 |
> > nice to have one guide. Any directions to posting new custom security |
| 33 |
> > policies, or obtaining test-versions from a pool would also help. |
| 34 |
> |
| 35 |
> The only graphical SELinux tools in portage are app-admin/setools, but |
| 36 |
> the policy editor that package has (sepcut), is at it's heart, just a |
| 37 |
> text editor. If you're looking for policy thats not in portage, you can |
| 38 |
> check out the NSA example policy or the Russell Coker's debian policy. |
| 39 |
> You can submit policies for inclusion in portage, see our project page |
| 40 |
> for details. There really isn't any documentation on policy creation |
| 41 |
> beyond the very dry NSA policy whitepaper. |
| 42 |
> |
| 43 |
> http://www.nsa.gov/selinux/code/download5.cfm |
| 44 |
> http://www.coker.com.au/selinux/policy.tgz |
| 45 |
> |
| 46 |
> > 5. How much overhead labeling create on a filesystem with millions of |
| 47 |
> > files ? If I ever want to remove those xattrs from a filesystem, how can |
| 48 |
> > I unlabel those millions of files, if there is any way to reclaim space |
| 49 |
> > those extended atrributes sits on? |
| 50 |
> |
| 51 |
> On ext[23], xattrs are stored in a block. So each label takes a block. |
| 52 |
> However, for space savings, the xattr blocks that have the same label |
| 53 |
> are shared. So if you have 1 million files with the same label, it will |
| 54 |
> have a 1 block overhead. Basically, there is an overhead of 1 block per |
| 55 |
> different label, per fs. |
| 56 |
> |
| 57 |
> On XFS, the inode size should be increased to 512 (from 256), so that |
| 58 |
> the label can fit in the inode. Then there is no overhead, though |
| 59 |
> inodes will be a little larger. If the inode size is not increased, |
| 60 |
> then there will be a 1 block per file overhead (i.e. huge waste) because |
| 61 |
> the label will not fit in the inode, and a performance hit. |
| 62 |
> |
| 63 |
> As long as you are in a kernel with selinux enabled, you will not be |
| 64 |
> able to unlabel a file. It will be denied regardless of |
| 65 |
> permissive/enforcing. If you wanted to remove selinux, you could use |
| 66 |
> rmfilecon (in a non-selinux kernel), which I will be adding in |
| 67 |
> policycoreutils. Time permitting I will put a chapter in the quickstart |
| 68 |
> guide for removing selinux. |
| 69 |
|
| 70 |
-- |
| 71 |
gentoo-hardened@g.o mailing list |
Archives