Gentoo Archives: gentoo-hardened

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux base policy -r13 in overlay, adds "ubac" USE flag
Date: Mon, 02 May 2011 19:29:40
Message-Id: 20110502192153.GA20849@siphos.be
Hi folks,

sec-policy/selinux-base-policy-2.20101213-r13 is pushed to the overlay. The
most notable change here is that the ebuild now uses a local USE flag "ubac"
which enables User Based Access Control within the policy.

Previously, UBAC was enabled but could not be disabled. However, most other
distributions have disabled UBAC and are waiting for the RBAC model within
SELinux to improve. Although this work is on the way, it isn't there yet and
I personally do not dislike the UBAC idea.

However, we have at least one issue that was difficult to debug due to UBAC:
the vixie-cron "ENTRYPOINT FAILED" messages. Apparently, vixie-cron checks
the privileges on the users' crontab. However, if the root crontab wasn't
created by a console-logged-on root user (SELinux identity "root") but
through a su(do)'ed user (SELinux identity "staff_u" most likely), then the
UBAC kicked in and didn't allow cron to work.

Although the solution is simple (either create the root cronjob through the
root SELinux identity, or change the SELinux identity of the crontab file to
"root" afterwards), disabling UBAC also works here.

We had a small discussion on #gentoo-hardened and a larger discussion on
#selinux about UBAC. Nice as we are, we of course do not want to force any
choice upon our users, so we decided to see if we can work with a USE flag
to switch the UBAC functionality. The only remaining discussion is if we
want to have this USE flag enabled by default, or not. If we want to enable
it by default, we should work with the pending upgrade of the profiles to do
so. But imo, we do not really have to enable it by default.

Long story short: USE="ubac" emerge selinux-base-policy to enable UBAC.

Other changes are an update of the Portage support for live ebuilds; -r12
added portage_svnsrc_t but I forgot that we also have git-src and cvs-src
(thanks to PeBenito for noticing). So we now use portage_srcrepo_t. I also
added some elogs to inform the users generally about what they might want to
do:
 * Updates on policies might require you to relabel files. If you, after
 * installing new SELinux policies, get 'permission denied' errors,
 * relabelling your system using 'rlpkg -a -r' might resolve the issues.

There's one point that I'm not sure how to handle, and that's what to do
when the new SELinux policy fails to load. Currently, we ignore this
failure, but then users aren't informed about this. But if we don't ignore,
they will have it more difficult to fix the problem as the new base.pp is
removed from the system (so they cannot run "semodule -b base.pp" to (re)try
and get the proper failure messages).

I'm thinking about not ignoring the failure but making sure that the
build logs of the (failed) install contain all information needed to fix.

Oh darn, almost a full page of rambling, I'll shut up now.

Sven Vermeulen
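
The identity mismatch described in the mail can be checked for mechanically. The script below is an added example, not part of the original message or of the Gentoo policy packages: it reports files whose SELinux identity (the first field of the security context) is not the expected one. The crontab path, the type name in the sample contexts and the function names are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original mail). Finds files whose SELinux
# identity, the first field of the security context, differs from the
# identity the owner is expected to have (e.g. "root" for root's crontab).

# Read "<context> <path>" lines on stdin, the shape produced by
#   stat -c '%C %n' <files>
# and print "<path> <found-identity>" for every file whose identity != $1.
mismatched_identity() {
    expected=$1
    while read -r context path; do
        [ -n "$path" ] || continue       # skip blank or malformed lines
        identity=${context%%:*}          # user:role:type[:range] -> user
        [ "$identity" = "$expected" ] || printf '%s %s\n' "$path" "$identity"
    done
}

# Constructed sample: root's crontab created from a su(do)'ed session, so it
# carries the staff_u identity. Path and type name are assumptions.
sample_before() {
    cat <<'EOF'
staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
EOF
}

# Constructed sample: the same file after its identity was changed to root,
# for instance with: chcon -u root /var/spool/cron/crontabs/root
sample_after() {
    cat <<'EOF'
root:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
EOF
}

echo "before:"; sample_before | mismatched_identity root
echo "after:";  sample_after  | mismatched_identity root
```

On a live system the input would come from `stat -c '%C %n'` run over the crontab files instead of the embedded samples.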
