| 1 |
On Fri, Mar 18, 2011 at 06:55:34PM -0400, Anthony G. Basile wrote: |
| 2 |
> You're not wrong, but this can be restructured to come better in line |
| 3 |
> with the rest of the hardened profiles. I have to do a careful analysis |
| 4 |
> of the stacking and see if we can get something similar out of simpler |
| 5 |
> stackings and then fix up what might be missed in the final layers of |
| 6 |
> the stack. |
| 7 |
|
| 8 |
My suggestion would be to |
| 9 |
|
| 10 |
1. stabilize the current set of policies |
| 11 |
2. remove the policies whose version is >= 3.0 (including those -2008* ones) |
| 12 |
3. make a "features/selinux" profile (which contains all SELinux relevant |
| 13 |
aspects but is not a real profile in its own) |
| 14 |
4. Create sublocations within the existing profiles for SELinux (like |
| 15 |
hardened/linux/amd64/selinux and hardened/linux/amd64/no-multilib/selinux) |
| 16 |
|
| 17 |
These sublocations would only have a single file called "parent" showing |
| 18 |
something like: |
| 19 |
../ |
| 20 |
../../../../features/selinux |
| 21 |
|
| 22 |
I just tried this on my no-multilib system as well as on a multilib one, and |
| 23 |
apart from USE="gdbm bzip2 urandom nptl justify -fortran" I have had no |
| 24 |
other changes (checked the different outputs of "emerge --info" as well as a |
| 25 |
"emerge -puDN world"). |
| 26 |
|
| 27 |
Wkr, |
| 28 |
Sven Vermeulen |
Archives