Hi all,

I've pushed selinux-base-policy-2.20101213-r20 to the hardened-dev overlay.
This update contains the following changes since r19:

- Introduces a boolean called "gentoo_wait_requests", which is by default
enabled. This boolean governs policy changes that are currently in place
to work around problems, but which are reported upstream and - when fixed
- should be cleared/removed.
The use of a boolean allows (1.) developers to test the upstream patches,
(2.) users to test upstream overlays and (3.) users to verify that, when
the policy is fixed, everything still works.
This boolean is also documented in Gentoo Hardened's module information
for the "portage" domain (in hardened-doc.git)
- Switch the boolean for Portage's NFS support from gentoo_portage_allow_nfs
to gentoo_portage_use_nfs (tracks upstream better)
- Removes an ugly hack that was introduced to support OpenRC, where we had
intermediate domains (like sysadm_initrc_notrans_t) to try and work around
the all-binaries-refer-to-/sbin/rc style (thanks to PeBenito for the
solution)
- Support NFS v4 (where rpc.statd uses TCP) (bug #375617)
- Remove haveged_t definition, use entropyd_t instead (requested upstream)
- Fix iptables save/restore routines (bug #211374)
- Support MCS/MLS

Further, it has more cosmetic improvements on
- portage policy definition (refpolicy style updates)
- improve nginx definitions (bug #368795)

The MCS/MLS support is new. I was quite surprised that MCS was relatively
easy to set up. If you want to use it, read the (updated) documentation in
the hardened-docs overlay (handbook has been updated accordingly). In short:
you can select the SELinux policy type through the SELINUXTYPE setting in
/etc/selinux/config and the POLICY_TYPES variable in /etc/make.conf.

Beware that MLS is also possible, but very experimental (I can't get it
working in enforcing just yet). MCS seems to work pretty well (booted in
enforcing and ran a few regression tests to make sure). For the time being,
most development will still focus on strict, but MCS will be tested more and
more (especially for those specific cases where MCS is mandatory, like with
the SELinux sandbox).

However, there is one but: in order to fully support MCS/MLS, the
selinux-policy-2.eclass needs to be patched: the four instances that you'll
find in it of
POLICY_TYPES="strict targeted"
must be changed to
POLICY_TYPES="strict targeted mcs mls"
otherwise the base policy could support MCS/MLS but the modules themselves
not.

Wkr,
Sven Vermeulen
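The mismatch the announcement warns about (the base policy built for a type that the module list does not cover) is easy to detect before rebuilding. The script below is an added example, not part of Sven's announcement or of the Gentoo tree: it reads the SELINUXTYPE from a file in the format of /etc/selinux/config and the POLICY_TYPES list from a file in the format of /etc/make.conf, and reports whether the selected type is one Portage will build modules for. The sample configuration files it writes to a temporary directory are constructed for the demonstration; the helper names (conf_value, policy_type_is_built) are mine.

```shell
#!/bin/sh
# Added example: check that the SELinux policy type selected in
# /etc/selinux/config (SELINUXTYPE) is one of the types listed in
# POLICY_TYPES, so that policy modules actually get built for it.

# Print the value of KEY=VALUE from a config file ($1 = file, $2 = key).
# Leading whitespace is ignored, the last assignment wins, quotes are stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Return 0 when the SELINUXTYPE in $1 appears in the POLICY_TYPES of $2,
# 1 otherwise (including when SELINUXTYPE is missing altogether).
policy_type_is_built() {
    sel_type=$(conf_value "$1" SELINUXTYPE)
    types=$(conf_value "$2" POLICY_TYPES)
    [ -n "$sel_type" ] || return 1
    for t in $types; do
        if [ "$t" = "$sel_type" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample configurations (not real files from any system).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/selinux.config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=mcs
EOF

# A make.conf that still carries the old two-type list.
cat > "$demo_dir/make.conf.old" <<'EOF'
USE="hardened"
POLICY_TYPES="strict targeted"
EOF

# A make.conf updated to the list the announcement asks for.
cat > "$demo_dir/make.conf.new" <<'EOF'
USE="hardened"
POLICY_TYPES="strict targeted mcs mls"
EOF

for mc in make.conf.old make.conf.new; do
    if policy_type_is_built "$demo_dir/selinux.config" "$demo_dir/$mc"; then
        echo "$mc: SELINUXTYPE=$(conf_value "$demo_dir/selinux.config" SELINUXTYPE) is covered by POLICY_TYPES"
    else
        echo "$mc: SELINUXTYPE=$(conf_value "$demo_dir/selinux.config" SELINUXTYPE) is NOT in POLICY_TYPES; modules would not be built for it"
    fi
done
```

Run against the real files (`policy_type_is_built /etc/selinux/config /etc/make.conf`) the same function tells you whether a rebuild of the policy modules would actually produce a module set for the type you booted with; it does not touch the eclass, which still needs the four POLICY_TYPES lines edited by hand as described above.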