Hi folks,

sec-policy/selinux-base-policy-2.20101213-r13 is pushed to the overlay. The
most notable change here is that the ebuild now uses a local USE flag "ubac"
which enables User Based Access Control within the policy.

Previously, UBAC was enabled but could not be disabled. However, most other
distributions have disabled UBAC and are waiting for the RBAC model within
SELinux to improve. Although this work is on the way, it isn't there yet and
I personally do not dislike the UBAC idea.

However, we have at least one issue that was difficult to debug due to UBAC:
the vixie-cron "ENTRYPOINT FAILED" messages. Apparently, vixie-cron checks
the privileges on the users' crontab. However, if the root crontab wasn't
created by a console-logged-on root user (SELinux identity "root") but
through a su(do)'ed user (SELinux identity "staff_u" most likely), then the
UBAC kicked in and didn't allow cron to work.

Although the solution is simple (either create the root cronjob through the
root SELinux identity, or change the SELinux identity of the crontab file to
"root" afterwards), disabling UBAC also works here.

We had a small discussion on #gentoo-hardened and a larger discussion on
#selinux about UBAC. Nice as we are, we of course do not want to force any
choice upon our users, so we decided to see if we can work with a USE flag
to switch the UBAC functionality. The only remaining discussion is if we
want to have this USE flag enabled by default, or not. If we want to enable
it by default, we should work with the pending upgrade of the profiles to do
so. But imo, we do not really have to enable it by default.

Long story short: USE="ubac" emerge selinux-base-policy to enable UBAC.

Other changes are an update of the Portage support for live ebuilds: -r12
added portage_svnsrc_t but I forgot that we also have git-src and cvs-src
(thanks to PeBenito for noticing). So we now use portage_srcrepo_t. I also
added some elogs to inform the users generally about what they might want to
do:
* Updates on policies might require you to relabel files. If you, after
* installing new SELinux policies, get 'permission denied' errors,
* relabelling your system using 'rlpkg -a -r' might resolve the issues.

There's one point that I'm not sure how to handle, and that's what to do
when the new SELinux policy fails to load. Currently, we ignore this
failure, but then users aren't informed about this. But if we don't ignore it,
it will be more difficult for them to fix the problem as the new base.pp is
removed from the system (so they cannot run "semodule -b base.pp" to (re)try
and get the proper failure messages).

I'm thinking about not ignoring the failure but making sure that the
build logs of the (failed) install contain all information needed to fix.

Oh darn, almost a full page of rambling, I'll shut up now.

Sven Vermeulen
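
The crontab identity mismatch described in the message can be checked for with a short script. This is an added example, not part of the original message or of the Gentoo ebuild; the function names, the sample contexts and the spool path in the closing comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message: list crontab files whose
# SELinux user is not the expected one, the mismatch that makes UBAC deny cron.

# Print the SELinux user, i.e. the first field of a context such as
# "staff_u:object_r:user_cron_spool_t" (an MLS policy appends a 4th field).
context_user() {
    printf '%s\n' "${1%%:*}"
}

# Read "context path" lines on stdin, the shape printed by GNU
# `stat -c '%C %n' FILE...`, and print every path whose SELinux user
# differs from $1. Lines without a user:role:type context are skipped.
find_ubac_mismatch() {
    expected=$1
    while read -r ctx path; do
        [ -n "$path" ] || continue
        case $ctx in
            *:*:*) ;;
            *) continue ;;
        esac
        [ "$(context_user "$ctx")" = "$expected" ] || printf '%s\n' "$path"
    done
}

# Constructed sample input: one root crontab created from a su(do) session
# (identity staff_u) and one created by a console-logged-on root.
SAMPLE='staff_u:object_r:user_cron_spool_t /constructed/spool/root
root:object_r:user_cron_spool_t /constructed/spool/root.console
? /constructed/spool/unlabeled'

printf '%s\n' "$SAMPLE" | find_ubac_mismatch root

# On a live system (the spool path is an assumption, it depends on the cron
# package):
#   stat -c '%C %n' /var/spool/cron/crontabs/root | find_ubac_mismatch root
# A reported file can be given the root identity with: chcon -u root FILE
```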