| 1 |
On 10/22/2013 07:52 PM, Rick "Zero_Chaos" Farina wrote: |
| 2 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 3 |
> Hash: SHA1 |
| 4 |
> |
| 5 |
> On 10/22/2013 02:15 PM, Anthony G. Basile wrote: |
| 6 |
>> On 10/22/2013 02:06 PM, Anthony G. Basile wrote: |
| 7 |
>>> On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote: |
| 8 |
>>>> 4.0 Selinux 5.0 System Integrity 6.0 Profile I'd like to |
| 9 |
>>>> specifically discuss bringing back the desktop profile by user |
| 10 |
>>>> request. |
| 11 |
>>>> |
| 12 |
>>>> |
| 13 |
>>> The old desktop/server/developer profiles were removed for a |
| 14 |
>>> good reason. They cannot stack properly given their directory |
| 15 |
>>> location and conflicting inheritance requirements. We cannot |
| 16 |
>>> bring them back as they were else we will re-introduce the |
| 17 |
>>> ancient multilib vs non-mutlilib selinux issue in one |
| 18 |
>>> manifestation or another. |
| 19 |
>>> |
| 20 |
>>> Nonetheless, I think a desktop profile for hardened is possible |
| 21 |
>>> along the lines of what was done for selinux, ie put it in |
| 22 |
>>> features. Only if the desktop profile lands at the very bottom |
| 23 |
>>> of the profile stack will this work. Alternatively, you can |
| 24 |
>>> duplicate the desktop profile from default/linux in |
| 25 |
>>> hardened/linux and do a simple inheritance from its parent. This |
| 26 |
>>> "duplication" would really not be much of a duplication because |
| 27 |
>>> there's probably stuff you want to tweak for your own purposes. |
| 28 |
>>> |
| 29 |
>>> I was going to remove those deprecated directories today, but I |
| 30 |
>>> can hold off. To be clear, I'm not against a hardened desktop |
| 31 |
>>> profile, just not the implementation we had which was broken. |
| 32 |
>>> |
| 33 |
>> Actually I was wrong in saying "only if it lands at the bottom of |
| 34 |
>> the profile stack" ... That is in fact the problem: |
| 35 |
>> |
| 36 |
>> /usr/portage/profiles/base /usr/portage/profiles/default/linux |
| 37 |
>> /usr/portage/profiles/arch/base |
| 38 |
>> /usr/portage/profiles/features/multilib |
| 39 |
>> /usr/portage/profiles/features/multilib/lib32 |
| 40 |
>> /usr/portage/profiles/arch/amd64 /usr/portage/profiles/releases |
| 41 |
>> /usr/portage/profiles/eapi-5-files |
| 42 |
>> /usr/portage/profiles/releases/13.0 |
| 43 |
>> |
| 44 |
>> /usr/portage/profiles/hardened/linux |
| 45 |
>> /usr/portage/profiles/hardened/linux/amd64 |
| 46 |
>> /usr/portage/profiles/targets/desktop |
| 47 |
>> /usr/portage/profiles/hardened/linux/amd64/desktop |
| 48 |
>> |
| 49 |
>> So "profiles/targets/desktop" basically trump |
| 50 |
>> "profiles/hardened/linux/amd64" which is the problem: a |
| 51 |
>> non-hardened profile can undo the hardening. We have to get |
| 52 |
>> something like this: |
| 53 |
>> |
| 54 |
>> |
| 55 |
>> /usr/portage/profiles/base /usr/portage/profiles/default/linux |
| 56 |
>> /usr/portage/profiles/arch/base |
| 57 |
>> /usr/portage/profiles/features/multilib |
| 58 |
>> /usr/portage/profiles/features/multilib/lib32 |
| 59 |
>> /usr/portage/profiles/arch/amd64 /usr/portage/profiles/releases |
| 60 |
>> /usr/portage/profiles/eapi-5-files |
| 61 |
>> /usr/portage/profiles/releases/13.0 |
| 62 |
>> |
| 63 |
>> /usr/portage/profiles/targets/desktop |
| 64 |
>> /usr/portage/profiles/hardened/linux |
| 65 |
>> /usr/portage/profiles/hardened/linux/amd64 |
| 66 |
>> |
| 67 |
> I was essentially thinking to make a /desktop directory in each |
| 68 |
> profile and then parent would be targets/desktop and .. to ensure |
| 69 |
> hardened overrides default. Certainly it is not perfect and some |
| 70 |
> things from desktop may be lost, but it's a lot better than not having |
| 71 |
> a desktop profile at all. |
| 72 |
> |
| 73 |
> - -Zero |
| 74 |
|
| 75 |
If the parent file has |
| 76 |
|
| 77 |
.. |
| 78 |
../../../../targets/desktop |
| 79 |
|
| 80 |
then you get the above order with targets/desktop trumping |
| 81 |
hardened/amd64 which is bad. If the order is |
| 82 |
|
| 83 |
../../../../targets/desktop |
| 84 |
.. |
| 85 |
|
| 86 |
then you get and even worse stacking where target/desktop is prior to base. |
| 87 |
|
| 88 |
/usr/portage/profiles/targets/desktop |
| 89 |
/usr/portage/profiles/base |
| 90 |
/usr/portage/profiles/default/linux |
| 91 |
/usr/portage/profiles/arch/base |
| 92 |
/usr/portage/profiles/features/multilib |
| 93 |
/usr/portage/profiles/features/multilib/lib32 |
| 94 |
/usr/portage/profiles/arch/amd64 |
| 95 |
/usr/portage/profiles/releases |
| 96 |
/usr/portage/profiles/eapi-5-files |
| 97 |
/usr/portage/profiles/releases/13.0 |
| 98 |
/usr/portage/profiles/hardened/linux |
| 99 |
/usr/portage/profiles/hardened/linux/amd64 |
| 100 |
/usr/portage/profiles/hardened/linux/amd64/desktop |
| 101 |
|
| 102 |
Because of the way stacking works, you cannot get the desired order by |
| 103 |
inheriting both target/desktop and hardened. As I said, we removed |
| 104 |
those profiles for a good reason. |
| 105 |
|
| 106 |
-- |
| 107 |
Anthony G. Basile, Ph.D. |
| 108 |
Gentoo Linux Developer [Hardened] |
| 109 |
E-Mail : blueness@g.o |
| 110 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 111 |
GnuPG ID : F52D4BBA |
Archives