| 1 |
I had my own problems with the recent LiveCD. It would get a good way |
| 2 |
through the bootstrap and then it would lock up. Unfortunately, it |
| 3 |
always seemed to do this when I wasn't watching, and by the time I |
| 4 |
noticed, the screen would be blanked and pressing keys wouldn't revive |
| 5 |
it. The solution was to use scripts/bootstrap-2.6.sh: That worked the |
| 6 |
first time. I had intended to install gentoo-dev-sources anyway. |
| 7 |
|
| 8 |
Additionally, I cannot find any of the stages on the Live CD. It seems |
| 9 |
like they should be there, since it's 100 MB, but I have the CD mounted |
| 10 |
how (and livecd.loop on the loopback) and they just aren't there. Maybe |
| 11 |
this is by design. |
| 12 |
|
| 13 |
In any case, I got the stage1 using wget. Incidentally, I do it this |
| 14 |
way: |
| 15 |
|
| 16 |
wget -O - <stage tarball URL> | tar xvfj - |
| 17 |
|
| 18 |
This way there is no intermediate file. |
| 19 |
|
| 20 |
I still don't really have a good grip on SELinux, though. For example, |
| 21 |
once I'm in enforcing mode, it seems that I can't run emerge, even if |
| 22 |
I'm using the sysadm_r role. The reason for this seemed to be that |
| 23 |
/usr/bin/emerge was a symlink to ../lib/portage/bin/emerge. I added |
| 24 |
/usr/bin/emerge into the profile, and relabeled, and then it worked. |
| 25 |
|
| 26 |
Another related problem is with portage itself. Emerge won't let you |
| 27 |
merge packages unless you are actually root. With SELinux, it's not a |
| 28 |
matter of being root, but being in the sysadm_r role. So it prevents a |
| 29 |
normal user with the right role from merging packages, even though they |
| 30 |
have the correct privileges from a filesystem perspective; and it allows |
| 31 |
root to merge packages, even though root might not be in the sysadm_r |
| 32 |
role and NOT have the correct privileges. The root test is correct from |
| 33 |
a non-SELinux perspective, though. (Well, mostly. A user in the portage |
| 34 |
group ought to at least be able to build binary packages, I think.) |
| 35 |
|
| 36 |
On the systems I have now, I give someone else sudo access so they can |
| 37 |
update package. I don't know if sudo is really compatible with SELinux |
| 38 |
or not. But presently to do updates, you'd have to su, which requires |
| 39 |
giving out the root password, and then newrole -r sysadm_t. I thought |
| 40 |
one of the points of doing SELinux was that you could take all special |
| 41 |
privileges from root (i.e. sysadm_r, staff_r) and make them a normal |
| 42 |
user (or with even less privileges than a normal user). But it doesn't |
| 43 |
seem feasible without some portage changes. |
| 44 |
-- |
| 45 |
Andy Dustman <adustman@×××××××××.edu> |
| 46 |
Office of Information Technology, Terry College of Business, UGA |
| 47 |
|
| 48 |
|
| 49 |
-- |
| 50 |
gentoo-hardened@g.o mailing list |
Archives