> > As for your question, if you want udev, then yes, you should put udev
> > there. Mine is set to static because I had problems with software-RAID
> > (udev not creating my rootfs, kernel fails to load init, etc, etc.). If
> > udev doesn't cause problems for you (and you actually need it - and with a
> > server - do you really need it?) - you can use it :)
> >
> Same thing here. My rootfs is on a SCSI device controlled by an Adaptec u160,
> udev can't create it if I don't set static.
> Kernel fails to load etc etc

I felt adventurous so I upgraded to ~amd64 and I used the new setting
in /etc/conf.d/rc:
RC_USE_FSTAB="yes"
then I added to /etc/fstab:
none /dev tmpfs defaults 0 0
Reboot and it all works!
I had a few warnings, relabelled /dev and now everything is good!
That's with a rootfs on software raid, no initrd. Works for me(tm)

Antoine

PS: since my other questions are still unanswered, I've re-posted them
below so that they don't get forgotten about:

A lot of the services are chrooted at the moment, I ended up having to
change a lot of the .fc files to add "(/chroot/[myservice])?" in front
of the file definitions. Is there any reason not to have this merged?
(I know the benefit of having chroot is moot when you have selinux
enabled - but when you're in between...)
But there is still a problem with the labels under /chroot/[myservice],
which conflict with some selinux checks, preventing me from duplicating
the same labels that are under /.

Portage triggers some policy violations that would be fixed by:
allow portage_fetch_t portage_tmp_t:dir search;
allow portage_fetch_t portage_tmp_t:file { getattr read };
allow portage_t tmpfs_t:filesystem getattr;
Am I the only one seeing this? I see no reason not to merge them into
portage.te.

I've noticed that a lot of the services which can be used with a mysql
backend (i.e. spamd, postfix, etc) do not include policy for this since
it is a package option (+mysql). Is there any way we can have this
included in the .te files but conditional?
Not necessarily using an "ifdef(`mysqld.te', `" (which would include it
as soon as mysql is installed) but maybe a combination of the above + a
flag?

Is there any interest in merging the policies I have started building?
Using mainly audit2allow (and a bit of thinking, and retro-fitting the
macros which is the hard part), I have made policies for: amavis,
setiathome, mdadm, saslauth, java, tomcat, fetchmail, psad, etc.

--
gentoo-hardened@g.o mailing list
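One way to script the .fc rewrite described in the post (prepending an optional "(/chroot/[myservice])?" group to every path regex), as an added example that is not from the original post or from the Gentoo policy tree. The sample file-context lines and the /chroot/postfix path are constructed; the format assumed is the old-style `<path regex> [file type] <security context>` line, and the chroot path is assumed to contain no regex metacharacters.

```python
# Constructed sample .fc content (not from the original post). Old-style
# file-context lines: <path regex>  [file type]  <security context>.
SAMPLE_FC = """\
# postfix file contexts (constructed sample)
/usr/sbin/postfix          --  system_u:object_r:postfix_exec_t
/var/spool/postfix(/.*)?       system_u:object_r:postfix_spool_t
/etc/postfix(/.*)?             system_u:object_r:postfix_etc_t
HOME_DIR/\\.forward         --  system_u:object_r:postfix_user_home_t
"""


def chroot_prefix(line: str, chroot: str) -> str:
    """Return one .fc line with an optional chroot prefix on its path regex.

    Comments, blank lines and HOME_DIR/HOME_ROOT substitution lines are
    returned unchanged; a line that already carries the prefix is not
    prefixed twice, so the rewrite can be re-run safely.
    """
    stripped = line.rstrip("\n")
    if not stripped.strip() or stripped.lstrip().startswith("#"):
        return stripped
    prefix = f"({chroot})?"
    # Only absolute path regexes get the prefix; keywords such as HOME_DIR
    # are expanded by the labelling tools and must stay at column 0.
    if not stripped.startswith("/") or stripped.startswith(prefix):
        return stripped
    return prefix + stripped


def chroot_fc(text: str, chroot: str) -> str:
    """Rewrite a whole .fc file so labels also apply below `chroot`."""
    return "\n".join(chroot_prefix(l, chroot) for l in text.splitlines()) + "\n"


if __name__ == "__main__":
    print(chroot_fc(SAMPLE_FC, "/chroot/postfix"), end="")
```

The rewritten file labels both /usr/sbin/postfix and /chroot/postfix/usr/sbin/postfix as postfix_exec_t once it is installed and the tree is relabelled.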