There have been a few key advances for the SELinux integration efforts.
The portage support for labeling files has been submitted for inclusion
into portage. With this support, files will have the correct context
after being merged (assuming applicable policy has been loaded). Users
won't have to 'rlpkg' or 'make relabel' after each emerge. rlpkg will
still remain, just in case a package needs to be relabeled.

The category sec-policy has been created, and selinux-base-policy has
been moved there. With this new category, we'll now begin rolling out
policy for common daemons, such as apache, samba, postfix, etc. A
dependency for these policy ebuilds will be put in the respective
daemon's ebuild. So if you were to merge distcc, the distcc policy
(sec-policy/selinux-distcc) would be a dependency, and thus will be
merged first. This will allow easy policy installation, and all
packages will have their corresponding policy installed first. This is
all being done using selinux-policy.eclass. If you would like the new
policy to be automatically loaded, add "loadpolicy" to the FEATURES in
make.conf. Since the policy is so important, the eclass also creates a
backup tarball of the policy before merging the policy, and saves it
into /etc/security/selinux/src/policy-backup. If the newly merged
policy causes problems, the backup could be restored by the user. The
backups are safe to clean out, of course.

Since we're going to start rolling out daemon policy, we'll now be
looking for more devs. I need one or two people to help with the daemon
policies. So if you know how to write policy, or are up to the
challenge of learning it, let me know, or better yet, drop by the
channel (#gentoo-hardened) on freenode. The responsibilities of this
person would be to adapt the NSA example policy to work with Gentoo, or
write a policy if an NSA example doesn't exist. So this would be best
served by someone who has machine(s) to install these daemons for
testing. They will also serve as a backup to me on maintaining the
selinux userland (selinux-small), selinux-sources, and patched programs.

-- 
Chris PeBenito
<pebenito@g.o>
Developer, SELinux
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
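The "snapshot the policy source before merging, restore it if the new policy breaks things" step described in the post, as an added example. This is not the selinux-policy.eclass code and does not use any Gentoo tooling; it is a plain POSIX sh sketch of the same pattern. The function names, the timestamped tarball naming and the integrity check before restore are all assumptions of this example; the real eclass writes its tarballs under /etc/security/selinux/src/policy-backup.

```shell
#!/bin/sh
# Added example, not the eclass's own code: snapshot a policy source
# tree before a new policy is merged, and put it back if the merge
# turns out to be broken. All names and layout here are illustrative.
set -eu

# backup_policy SRC BACKUPDIR
#   Archive the whole tree under SRC into BACKUPDIR and print the
#   tarball path. The timestamp plus PID keeps repeated backups from
#   clobbering each other, so old ones can be cleaned out at leisure.
backup_policy() {
    src=$1; bdir=$2
    mkdir -p "$bdir"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$bdir/policy-$stamp-$$.tar.gz"
    # -C makes the archive hold relative paths, so it can be restored
    # into any prefix, not only the directory it came from.
    tar -czf "$out" -C "$src" .
    printf '%s\n' "$out"
}

# restore_policy TARBALL DEST
#   Replace the contents of DEST with the snapshot. The archive is
#   listed first so a truncated or corrupt tarball is detected before
#   the live tree is removed.
restore_policy() {
    tb=$1; dest=$2
    case $dest in ""|/) echo "refusing to restore over '$dest'" >&2; return 1;; esac
    tar -tzf "$tb" >/dev/null
    rm -rf "$dest"
    mkdir -p "$dest"
    tar -xzf "$tb" -C "$dest"
}

# same_tree A B
#   Exit 0 when the two trees have identical contents; used to confirm
#   that a restore really brought the old policy back.
same_tree() {
    diff -r "$1" "$2" >/dev/null
}
```

Usage follows the order in the post: call backup_policy on the policy source directory, merge the new policy, and if it misbehaves run restore_policy with the printed tarball path and the same directory, then reload. Backups accumulate under the backup directory and are safe to delete.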