| 1 |
On 10/22/2013 02:06 PM, Anthony G. Basile wrote: |
| 2 |
> On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote: |
| 3 |
>> |
| 4 |
>> 4.0 Selinux |
| 5 |
>> 5.0 System Integrity |
| 6 |
>> 6.0 Profile |
| 7 |
>> I'd like to specifically discuss bringing back the desktop profile by |
| 8 |
>> user request. |
| 9 |
>> |
| 10 |
>> |
| 11 |
> The old desktop/server/developer profiles were removed for a good |
| 12 |
> reason. They cannot stack properly given their directory location and |
| 13 |
> conflicting inheritance requirements. We cannot bring them back as |
| 14 |
> they were else we will re-introduce the ancient multilib vs |
| 15 |
> non-mutlilib selinux issue in one manifestation or another. |
| 16 |
> |
| 17 |
> Nonetheless, I think a desktop profile for hardened is possible along |
| 18 |
> the lines of what was done for selinux, ie put it in features. Only |
| 19 |
> if the desktop profile lands at the very bottom of the profile stack |
| 20 |
> will this work. Alternatively, you can duplicate the desktop profile |
| 21 |
> from default/linux in hardened/linux and do a simple inheritance from |
| 22 |
> its parent. This "duplication" would really not be much of a |
| 23 |
> duplication because there's probably stuff you want to tweak for your |
| 24 |
> own purposes. |
| 25 |
> |
| 26 |
> I was going to remove those deprecated directories today, but I can |
| 27 |
> hold off. To be clear, I'm not against a hardened desktop profile, |
| 28 |
> just not the implementation we had which was broken. |
| 29 |
> |
| 30 |
Actually I was wrong in saying "only if it lands at the bottom of the |
| 31 |
profile stack" ... That is in fact the problem: |
| 32 |
|
| 33 |
/usr/portage/profiles/base |
| 34 |
/usr/portage/profiles/default/linux |
| 35 |
/usr/portage/profiles/arch/base |
| 36 |
/usr/portage/profiles/features/multilib |
| 37 |
/usr/portage/profiles/features/multilib/lib32 |
| 38 |
/usr/portage/profiles/arch/amd64 |
| 39 |
/usr/portage/profiles/releases |
| 40 |
/usr/portage/profiles/eapi-5-files |
| 41 |
/usr/portage/profiles/releases/13.0 |
| 42 |
|
| 43 |
/usr/portage/profiles/hardened/linux |
| 44 |
/usr/portage/profiles/hardened/linux/amd64 |
| 45 |
/usr/portage/profiles/targets/desktop |
| 46 |
/usr/portage/profiles/hardened/linux/amd64/desktop |
| 47 |
|
| 48 |
So "profiles/targets/desktop" basically trump |
| 49 |
"profiles/hardened/linux/amd64" which is the problem: a non-hardened |
| 50 |
profile can undo the hardening. We have to get something like this: |
| 51 |
|
| 52 |
|
| 53 |
/usr/portage/profiles/base |
| 54 |
/usr/portage/profiles/default/linux |
| 55 |
/usr/portage/profiles/arch/base |
| 56 |
/usr/portage/profiles/features/multilib |
| 57 |
/usr/portage/profiles/features/multilib/lib32 |
| 58 |
/usr/portage/profiles/arch/amd64 |
| 59 |
/usr/portage/profiles/releases |
| 60 |
/usr/portage/profiles/eapi-5-files |
| 61 |
/usr/portage/profiles/releases/13.0 |
| 62 |
|
| 63 |
/usr/portage/profiles/targets/desktop |
| 64 |
/usr/portage/profiles/hardened/linux |
| 65 |
/usr/portage/profiles/hardened/linux/amd64 |
| 66 |
|
| 67 |
-- |
| 68 |
Anthony G. Basile, Ph.D. |
| 69 |
Gentoo Linux Developer [Hardened] |
| 70 |
E-Mail : blueness@g.o |
| 71 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 72 |
GnuPG ID : F52D4BBA |
Archives