| 1 |
Hi guys, |
| 2 |
|
| 3 |
I have just pushed selinux-base-policy--2.20110726-r2 to the hardened-dev |
| 4 |
overlay. There are not that many changes in it (although "not many" is |
| 5 |
relative of course) but some were quite necessary to be pushed out already. |
| 6 |
The main reason why I do it now and not wait until I've fixed the other bugs |
| 7 |
that are still lingering, is because for -r3 I might need to make more |
| 8 |
in-depth changes on how we support init scripts within SELinux. More on that |
| 9 |
later... |
| 10 |
|
| 11 |
First of all, the small list in changes: |
| 12 |
- for all domains that we add ourselves (like gorg, pan, skype, mutt, ...) I |
| 13 |
didn't include the regular user support yet (stupid me), so that's fixed |
| 14 |
now |
| 15 |
- nagios diskcheck plugin issue is fixed |
| 16 |
- xfce4 file contexts are fixed |
| 17 |
- userdomains can now use syslog |
| 18 |
- portage has improved layman/emerge-webrsync support (you will need to |
| 19 |
"rlpkg layman portage" though) |
| 20 |
- improved mutt domain definition (help from upstream) |
| 21 |
- puppet fixes (a few of them) |
| 22 |
- zabbix correction on context and support remote mysql support |
| 23 |
- LDAPS support for nsswitch stuff |
| 24 |
- update on courier-imap file contexts |
| 25 |
|
| 26 |
There is also one change under the hood, which is the support for the |
| 27 |
patchbundles. Up until now, the patchbundle was applied as one big bundle |
| 28 |
(epatch ...tbz2) which made it difficult to debug patching issues. With r2, |
| 29 |
the patches are applied one by one, so a failure in a patch immediately |
| 30 |
gives a clear error in which patch (and where). It also shows the user the |
| 31 |
list of patches being applied now - for those that like to watch epatch |
| 32 |
work, that is ;-) |
| 33 |
|
| 34 |
A second change is that the patches are now not only per-file fixes, but |
| 35 |
structured in logical patchsets. These logical sets are a lot easier to send |
| 36 |
upstream (and also mark as "approved upstream") and should make the |
| 37 |
introduction of new upstream versions a lot easier to integrate (I had too |
| 38 |
much time wasted due to manual patch transformations between 20101213 and |
| 39 |
20110726). |
| 40 |
|
| 41 |
BTW, we currently have 50 patchsets applied, 2 of them have been accepted |
| 42 |
upstream (so we do not need to maintain those the moment a new refpolicy is |
| 43 |
released), 7 of them are pending, the rest I still need to submit (but first |
| 44 |
need to confirm that the issues have been resolved correctly). |
| 45 |
|
| 46 |
Okay, but what is this "in-depth" change that I was talking about. Well, |
| 47 |
SELinux policies support labeled init scripts. For instance, |
| 48 |
"slapd_initrc_exec_t" which allows the init script to run in an init script |
| 49 |
domain specific for slapd (splad_initrc_t). This allows for slapd-specific |
| 50 |
allow statements (for instance PID file management) from within the init |
| 51 |
script. |
| 52 |
|
| 53 |
All fine, but Gentoo doesn't use that. We run all our scripts in initrc_t |
| 54 |
instead. Why? Because we support "integrated run_init support", which allows |
| 55 |
our users to just call "/etc/init.d/slapd start" instead of "run_init |
| 56 |
/etc/init.d/slapd start". But this integrated run_init support automatically |
| 57 |
transitions all scripts to initrc_t (and not slapd_initrc_t). And changing |
| 58 |
this to support the named init scripts isn't straight forward (well, I hope |
| 59 |
I eventually find a straight-forward method, but until now I didn't |
| 60 |
succeed). |
| 61 |
|
| 62 |
Yet we will eventually need to support this, because otherwise we need to |
| 63 |
"open" the privileges on initrc_t towards all potential services. Not only |
| 64 |
does that require lots of work, it also brings in patches in our policy that |
| 65 |
upstream will never accept (and they're right not to accept it). |
| 66 |
|
| 67 |
Hence I'll be working on that the upcoming days. |
| 68 |
|
| 69 |
Wkr, |
| 70 |
Sven Vermeulen |
Archives