| 1 |
> > As for your question, if you want udev, then yes, you should put udev |
| 2 |
> > there. Mine is set to static because I had problems with software-RAID |
| 3 |
> > (udev not creating my rootfs, kernel fails to load init, etc, etc.). If |
| 4 |
> > udev doesn't do problems to you (and you actually need it - and with a |
| 5 |
> > server - do you really need it?) - you can use it :) |
| 6 |
> > |
| 7 |
> Same thing here. My rootfs is on a SCSI device controled by an Adaptec u160, |
| 8 |
> udev cran't create it if i don't set static. |
| 9 |
> Kernel fail to load etc etc |
| 10 |
I felt adventurous so I upgraded to ~amd64 and I used the new setting |
| 11 |
in /etc/conf.d/rc: |
| 12 |
RC_USE_FSTAB="yes" |
| 13 |
then I added to /etc/fstab: |
| 14 |
none /dev tmpfs defaults 0 0 |
| 15 |
Reboot and it all works! |
| 16 |
I had a few warnings, relabelled /dev and now everything is good! |
| 17 |
That's with a rootfs on software raid, no initrd. Works for me(tm) |
| 18 |
|
| 19 |
Antoine |
| 20 |
|
| 21 |
PS: since my other questions are still un-answered, I've re-posted them |
| 22 |
below so that they don't get forgotten about: |
| 23 |
|
| 24 |
A lot of the services are chrooted at the moment, I ended up having to |
| 25 |
change a lot of the .fc files to add "(/chroot/[myservice])?" in front |
| 26 |
of the file definitions. Is there any reason not to have this merged? |
| 27 |
(I know the benefit of having chroot is moot when you have selinux |
| 28 |
enabled - but when you're in between...) |
| 29 |
But there is still a problem with the labels under /chroot/[myservice], |
| 30 |
which conflict with some selinux checks, preventing me from duplicating |
| 31 |
the same labels that are under /. |
| 32 |
|
| 33 |
Portage triggers some policy violations that would be fixed by: |
| 34 |
allow portage_fetch_t portage_tmp_t:dir search; |
| 35 |
allow portage_fetch_t portage_tmp_t:file { getattr read }; |
| 36 |
allow portage_t tmpfs_t:filesystem getattr; |
| 37 |
Am i the only one seeing this? I see no reason not to merge them into |
| 38 |
portage.te. |
| 39 |
|
| 40 |
I've noticed that a lot of the services which can be used with a mysql |
| 41 |
backend (ie: spamd, postfix, etc) do not include policy for this since |
| 42 |
it is a package option (+mysql). Is there any way we can have this |
| 43 |
included in the .te files but conditional? |
| 44 |
Not necessarily using an "ifdef(`mysqld.te', `" (which would include it |
| 45 |
as soon as mysql is installed) but maybe a combination of the above + a |
| 46 |
flag? |
| 47 |
|
| 48 |
Is there any interest in merging the policies I have started building? |
| 49 |
Using mainly audit2allow (and a bit of thinking, and retro-fitting the |
| 50 |
macros which is the hard part), I have made policies for: amavis, |
| 51 |
setiathome, mdadm, saslauth, java, tomcat, fetchmail, psad, etc. |
| 52 |
|
| 53 |
-- |
| 54 |
gentoo-hardened@g.o mailing list |
Archives