| 1 |
I just released a ~arch base-policy for testing. It includes the 1.12 |
| 2 |
NSA example policy merge. An addition is an experimental |
| 3 |
SELinux-enforced sandbox ("sesandbox"). |
| 4 |
|
| 5 |
For those interested in testing sesandbox you need: |
| 6 |
1. sesandbox in FEATURES (in make.conf) |
| 7 |
2. /usr/lib/portage/pym/portage.py patched with |
| 8 |
http://dev.gentoo.org/~pebenito/portage.py-sesandbox.diff |
| 9 |
|
| 10 |
Then when doing merges, the sandbox will be in portage_sandbox_t. It |
| 11 |
would be most helpful to test with regular sandbox disabled |
| 12 |
(FEATURES="-sandbox"). If you get denials that cause a merge to fail, |
| 13 |
please test with sandbox enabled and sesandbox disabled to make sure |
| 14 |
that regular sandbox allows it. Both sandboxes can also be used |
| 15 |
simultaneously. Remember that the machine must be enforcing for |
| 16 |
sesandbox to be effective. |
| 17 |
|
| 18 |
Report sesandbox denials to me over private emails, rather than bugzilla |
| 19 |
or the list. It is already known that ebuilds with kernel modules will |
| 20 |
probably fail due to 2.6's kbuild system, but I'd like verification. |
| 21 |
|
| 22 |
-- |
| 23 |
Chris PeBenito |
| 24 |
<pebenito@g.o> |
| 25 |
Developer, |
| 26 |
Hardened Gentoo Linux |
| 27 |
Embedded Gentoo Linux |
| 28 |
|
| 29 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 30 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives