Gentoo Archives: gentoo-hardened

From: Chris PeBenito <pebenito@g.o>
To: Hardened Gentoo Mail List <gentoo-hardened@g.o>
Subject: [gentoo-hardened] SELinux progress
Date: Sun, 03 Aug 2003 22:59:16
Message-Id: 1059951554.2997.21.camel@chris.pebenito.net
There have been a few key advances for the SELinux integration efforts.
The portage support for labeling files has been submitted for inclusion
into portage. With this support, files will have the correct context
after being merged (assuming applicable policy has been loaded). Users
won't have to 'rlpkg' or 'make relabel' after each emerge. rlpkg will
still remain, just in case a package needs to be relabeled.

The category sec-policy has been created, and selinux-base-policy has
been moved there. With this new category, we'll now begin rolling out
policy for common daemons, such as apache, samba, postfix, etc. A
dependency for these policy ebuilds will be put in the respective
daemon's ebuild. So if you were to merge distcc, the distcc policy
(sec-policy/selinux-distcc) would be a dependency, and thus will be
merged first. This will allow easy policy installation, and all
packages will have their corresponding policy installed first. This is
all being done using selinux-policy.eclass. If you would like the new
policy to be automatically loaded, add "loadpolicy" to the FEATURES in
make.conf. Since the policy is so important, the eclass also creates a
backup tarball of the policy before merging the policy, and saves it
into /etc/security/selinux/src/policy-backup. If the newly merged
policy causes problems, the backup could be restored by the user. The
backups are safe to clean out, of course.

Since we're going to start rolling out daemon policy, we'll now be
looking for more devs. I need one or two people to help with the daemon
policies. So if you know how to write policy, or are up to the
challenge of learning it, let me know, or better yet, drop by the
channel (#gentoo-hardened) on freenode. The responsibilities of this
person would be to adapt the NSA example policy to work with Gentoo, or
write a policy if an NSA example doesn't exist. So this would be best
served by someone that has machine(s) to install these daemons for
testing. They will also serve as a backup to me on maintaining the
selinux userland (selinux-small), selinux-sources, and patched programs.

--
Chris PeBenito
<pebenito@g.o>
Developer, SELinux
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

Attachments

File name MIME type
signature.asc application/pgp-signature