On Fri, 2004-01-30 at 13:27, Andy Dustman wrote:
> I had my own problems with the recent LiveCD. It would get a good way
> through the bootstrap and then it would lock up. Unfortunately, it
> always seemed to do this when I wasn't watching, and by the time I
> noticed, the screen would be blanked and pressing keys wouldn't revive
> it. The solution was to use scripts/bootstrap-2.6.sh: That worked the
> first time. I had intended to install gentoo-dev-sources anyway.

I'll have to look into this bootstrap-2.6.sh, I'm not familiar with it.
Then I'll fix up the install guide.

> Additionally, I cannot find any of the stages on the Live CD. It seems
> like they should be there, since it's 100 MB, but I have the CD mounted

The loopback isn't compressed, so that's why it's 100MB. I decided not to
put any stages on the livecd, since the livecd and the stages are still
experimental.

> I still don't really have a good grip on SELinux, though. For example,
> once I'm in enforcing mode, it seems that I can't run emerge, even if
> I'm using the sysadm_r role. The reason for this seemed to be that
> /usr/bin/emerge was a symlink to ../lib/portage/bin/emerge. I added
> /usr/bin/emerge into the profile, and relabeled, and then it worked.

Hmm, this sounds odd. But as is, the policy is to have a separate
portage_r role that can use portage, so there can be a separation of
sysadm_r and portage. Then, optionally, there is an auto-transition for
sysadm_t that can be uncommented. However, it doesn't seem that anyone
wants to use the portage_r, so I'm strongly considering removing the
role, and just using the more natural auto-transition. Are there any
comments on this?

> Another related problem is with portage itself. Emerge won't let you
> merge packages unless you are actually root. With SELinux, it's not a
> matter of being root, but being in the sysadm_r role. So it prevents a
> normal user with the right role from merging packages, even though they
> have the correct privileges from a filesystem perspective; and it allows

If the user is not in the portage_t domain, then they don't have the
correct privileges from a fs perspective.

> (Well, mostly. A user in the portage
> group ought to at least be able to build binary packages, I think.)

The policy doesn't support this, and probably never will. Access to
portage is tightly controlled, since it allows modification of all files
on the system.

> On the systems I have now, I give someone else sudo access so they can
> update packages. I don't know if sudo is really compatible with SELinux

The requirements for running portage are root/su/sudo/uid 0, and either
portage_r or an auto transition from sysadm_t to portage_t.

> or not. But presently to do updates, you'd have to su, which requires
> giving out the root password, and then newrole -r sysadm_t.

Generally what's done is to newrole, then su/sudo. Even if you gave out
the root password to certain privileged users, you can still remove root
from the users file, and then root will be limited to user_r, as is done
on the demo machine. Then if someone logs in as root, they can't really
do anything beyond a regular user. But if you log in from another
account that can newrole to sysadm_r, they can su/sudo and administrate
the machine normally (which is what we do on the demo machine). The key
is that SELinux maintains a user identity which is separate from the
uid. The uid can change, but the identity doesn't. See the policy
overview for more info.

http://www.gentoo.org/proj/en/hardened/selinux/selinux-policy.xml

There has been talk of trying to merge newrole and sudo, but nothing has
materialized afaik.

-- 
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
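As an added illustration (not part of this thread and not the Gentoo policy or kernel code), the following Python toy model shows the separation the reply describes: su changes the uid, newrole changes the role only if the users file authorises the identity for it, and emerge needs both uid 0 and the portage_t domain, reached via the sysadm_t auto-transition. The users file contents, the portage_exec_t type and the simplified transition logic are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed "users file": which roles each SELinux identity may enter.
# root is deliberately absent, as on the demo machine, so a root login
# falls back to the generic identity and is confined to user_r.
USERS = {
    "user_u": {"user_r"},
    "alice": {"user_r", "sysadm_r"},
}
ROLE_DOMAIN = {"user_r": "user_t", "sysadm_r": "sysadm_t", "portage_r": "portage_t"}
# Auto-transition on exec, i.e. the optional sysadm_t -> portage_t rule.
# portage_exec_t is an assumed label for the emerge binary.
AUTO_TRANS = {("sysadm_t", "portage_exec_t"): "portage_t"}


@dataclass(frozen=True)
class Context:
    identity: str   # SELinux identity: fixed for the whole session
    role: str
    domain: str
    uid: int        # Unix uid: changed by su/sudo


def login(unix_user: str, uid: int) -> Context:
    """Logins not listed in the users file get user_u; everyone starts in user_r."""
    identity = unix_user if unix_user in USERS else "user_u"
    return Context(identity, "user_r", "user_t", uid)


def newrole(ctx: Context, role: str) -> Optional[Context]:
    """newrole -r: allowed only if the identity is authorised for the role."""
    if role not in USERS[ctx.identity]:
        return None
    return replace(ctx, role=role, domain=ROLE_DOMAIN[role])


def su(ctx: Context) -> Context:
    """su/sudo to root changes the uid but not identity, role or domain."""
    return replace(ctx, uid=0)


def run_emerge(ctx: Context) -> Optional[Context]:
    """emerge needs uid 0 and portage_t, entered directly or by auto-transition."""
    domain = AUTO_TRANS.get((ctx.domain, "portage_exec_t"), ctx.domain)
    if ctx.uid != 0 or domain != "portage_t":
        return None
    return replace(ctx, domain=domain)
```

A root login therefore cannot newrole or run emerge, while alice must newrole first and then su before emerge succeeds, with her identity unchanged throughout.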