1 |
Hi guys, |
2 |
|
3 |
I have just pushed selinux-base-policy--2.20110726-r2 to the hardened-dev |
4 |
overlay. There are not that many changes in it (although "not many" is |
5 |
relative of course) but some were quite necessary to be pushed out already. |
6 |
The main reason why I do it now and not wait until I've fixed the other bugs |
7 |
that are still lingering, is because for -r3 I might need to make more |
8 |
in-depth changes on how we support init scripts within SELinux. More on that |
9 |
later... |
10 |
|
11 |
First of all, the small list in changes: |
12 |
- for all domains that we add ourselves (like gorg, pan, skype, mutt, ...) I |
13 |
didn't include the regular user support yet (stupid me), so that's fixed |
14 |
now |
15 |
- nagios diskcheck plugin issue is fixed |
16 |
- xfce4 file contexts are fixed |
17 |
- userdomains can now use syslog |
18 |
- portage has improved layman/emerge-webrsync support (you will need to |
19 |
"rlpkg layman portage" though) |
20 |
- improved mutt domain definition (help from upstream) |
21 |
- puppet fixes (a few of them) |
22 |
- zabbix correction on context and support remote mysql support |
23 |
- LDAPS support for nsswitch stuff |
24 |
- update on courier-imap file contexts |
25 |
|
26 |
There is also one change under the hood, which is the support for the |
27 |
patchbundles. Up until now, the patchbundle was applied as one big bundle |
28 |
(epatch ...tbz2) which made it difficult to debug patching issues. With r2, |
29 |
the patches are applied one by one, so a failure in a patch immediately |
30 |
gives a clear error in which patch (and where). It also shows the user the |
31 |
list of patches being applied now - for those that like to watch epatch |
32 |
work, that is ;-) |
33 |
|
34 |
A second change is that the patches are now not only per-file fixes, but |
35 |
structured in logical patchsets. These logical sets are a lot easier to send |
36 |
upstream (and also mark as "approved upstream") and should make the |
37 |
introduction of new upstream versions a lot easier to integrate (I had too |
38 |
much time wasted due to manual patch transformations between 20101213 and |
39 |
20110726). |
40 |
|
41 |
BTW, we currently have 50 patchsets applied, 2 of them have been accepted |
42 |
upstream (so we do not need to maintain those the moment a new refpolicy is |
43 |
released), 7 of them are pending, the rest I still need to submit (but first |
44 |
need to confirm that the issues have been resolved correctly). |
45 |
|
46 |
Okay, but what is this "in-depth" change that I was talking about. Well, |
47 |
SELinux policies support labeled init scripts. For instance, |
48 |
"slapd_initrc_exec_t" which allows the init script to run in an init script |
49 |
domain specific for slapd (splad_initrc_t). This allows for slapd-specific |
50 |
allow statements (for instance PID file management) from within the init |
51 |
script. |
52 |
|
53 |
All fine, but Gentoo doesn't use that. We run all our scripts in initrc_t |
54 |
instead. Why? Because we support "integrated run_init support", which allows |
55 |
our users to just call "/etc/init.d/slapd start" instead of "run_init |
56 |
/etc/init.d/slapd start". But this integrated run_init support automatically |
57 |
transitions all scripts to initrc_t (and not slapd_initrc_t). And changing |
58 |
this to support the named init scripts isn't straight forward (well, I hope |
59 |
I eventually find a straight-forward method, but until now I didn't |
60 |
succeed). |
61 |
|
62 |
Yet we will eventually need to support this, because otherwise we need to |
63 |
"open" the privileges on initrc_t towards all potential services. Not only |
64 |
does that require lots of work, it also brings in patches in our policy that |
65 |
upstream will never accept (and they're right not to accept it). |
66 |
|
67 |
Hence I'll be working on that the upcoming days. |
68 |
|
69 |
Wkr, |
70 |
Sven Vermeulen |