| 1 |
Hi all, |
| 2 |
|
| 3 |
I've pushed selinux-base-policy-2.20101213-r20 to the hardened-dev overlay. |
| 4 |
This update contains the following changes since r19: |
| 5 |
|
| 6 |
- Introduces a boolean called "gentoo_wait_requests", which is by default |
| 7 |
enabled. This boolean governs policy changes that are currently in place |
| 8 |
to work around problems, but which are reported upstream and - when fixed |
| 9 |
- should be cleared/removed. |
| 10 |
The use of a boolean allows (1.) developers to test the upstream patches, |
| 11 |
(2.) users to test upstream overlays and (3.) users to verify that, when |
| 12 |
the policy will be fixed, everything still works. |
| 13 |
This boolean is also documented in Gentoo Hardened's module information |
| 14 |
for the "portage" domain (in hardened-doc.git) |
| 15 |
- Switch the boolean for Portage' NFS support from gentoo_portage_allow_nfs |
| 16 |
to gentoo_portage_use_nfs (tracks upstream better) |
| 17 |
- Removes an ugly hack that was introduced to support OpenRC, where we had |
| 18 |
intermediate domains (like sysadm_initrc_notrans_t) to try and work around |
| 19 |
the all-binaries-refer-to-/sbin/rc style (thanks to PeBenito for the |
| 20 |
solution) |
| 21 |
- Support NFS v4 (where rpc.statd uses TCP) (bug #375617) |
| 22 |
- Remove haveged_t definition, use entropyd_t instead (requested upstream) |
| 23 |
- Fix iptables save/restore routines (bug #211374) |
| 24 |
- Support MCS/MLS |
| 25 |
|
| 26 |
Further it has more cosmetic improvements on |
| 27 |
- portage policy definition (refpolicy style updates) |
| 28 |
- improve nginx definitions (bug #368795) |
| 29 |
|
| 30 |
The MCS/MLS support is new. I was quite surprised that MCS was relatively |
| 31 |
easy to set up. If you want to use it, read the (updated) documentation in |
| 32 |
the hardened-docs overlay (handbook has been updated accordingly). In short: |
| 33 |
you can select the SELinux policy type through the SELINUXTYPE setting in |
| 34 |
/etc/selinux/config and POLICY_TYPES variable in /etc/make.conf. |
| 35 |
|
| 36 |
Beware that MLS is also possible, but very experimental (I can't get it |
| 37 |
working in enforcing just yet). MCS seems to work pretty well (booted in |
| 38 |
enforcing and ran a few regression tests to make sure). For the time being, |
| 39 |
most development will still focus on strict, but MCS will be tested more and |
| 40 |
more (especially for those specific cases where MCS is mandatory, like with |
| 41 |
the SELinux sandbox). |
| 42 |
|
| 43 |
However, there is one but: in order to fully support MCS/MLS, the |
| 44 |
selinux-policy-2.eclass needs to be patched: the four instances that you'll |
| 45 |
find in it of |
| 46 |
POLICY_TYPES="strict targeted" |
| 47 |
must be changed to |
| 48 |
POLICY_TYPES="strict targeted mcs mls" |
| 49 |
otherwise the base policy could support MCS/MLS but the modules themselves |
| 50 |
not. |
| 51 |
|
| 52 |
Wkr, |
| 53 |
Sven Vermeulen |
Archives