So as you may recall, about a year ago I spoke about switching over
Gentoo SELinux to the reference policy with support for modular policy
[1]. Unfortunately I was too optimistic about the time table and was
hindered by an upstream bug [2], which was fixed only in the last couple
of months [3]. After a lot of testing and some help from users in the IRC
channel, I believe we're finally ready for wide beta testing. One big
catch is that this SELinux upgrade requires glibc 2.4, and since that is
not available to hardened gcc users, those users will still have to
wait. For those that are not using hardened gcc, the upgrade guide [4]
is available. The SELinux handbook [5] has been updated with
documentation on the new SELinux management infrastructure, so please
browse it again to find the new parts.

One thing to note is that SECMARK network controls should not be enabled
as yet (the kernel option: NSA SELinux enable new secmark network
controls by default). This is new in 2.6.18, but unfortunately there
are still issues with these controls. The old controls will be used
instead (ports/nodes/netifs) until the SECMARK issues are ironed out.

Again, this should be considered beta quality, so this upgrade probably
shouldn't be performed on production/critical systems. This doesn't
mean that it is unsafe; I run this in enforcing on my server. If you
are able, please test. I'm hoping this can be stabilized by the end of
January.

[1] http://marc.theaimsgroup.com/?l=gentoo-hardened&m=113433863728029&w=2
[2] http://marc.theaimsgroup.com/?l=gentoo-hardened&m=114497328517270&w=2
[3] http://marc.theaimsgroup.com/?l=gentoo-hardened&m=115949405116099&w=2
[4] http://www.gentoo.org/proj/en/hardened/selinux/selinux20061-upg.xml
[5] http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml


-- 
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
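A quick way to check whether a kernel build or a running system has the SECMARK controls the mail advises against. This is an added example and not part of the original mail or of the Gentoo SELinux project; it assumes the 2.6.18-era Kconfig symbol CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT for the option the mail names, and assumes selinuxfs is mounted at /selinux with a compat_net node (1 = legacy port/node/netif controls, 0 = SECMARK). The sample .config contents below are constructed for the demonstration, not taken from a real kernel.

```shell
#!/bin/sh
# Added example, not from the original mail. Reports whether a kernel
# .config will default SELinux to the new SECMARK packet controls or to
# the legacy port/node/netif controls. Assumes the 2.6.18-era option
# name CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT.

# Usage: secmark_default /path/to/.config
# Prints "secmark" if the new controls are on by default, "legacy" if
# the option is off or absent (pre-2.6.18 kernels have no SECMARK).
secmark_default() {
    cfg="$1"
    if grep -q '^CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y' "$cfg"; then
        echo secmark
    else
        echo legacy
    fi
}

# Runtime check on a booted kernel. Assumes the selinuxfs node
# /selinux/compat_net, which reads 1 when the legacy controls are in use
# and 0 when SECMARK is active. A path argument overrides the default
# (useful when selinuxfs is mounted elsewhere, or for testing).
compat_net_state() {
    node="${1:-/selinux/compat_net}"
    if [ -r "$node" ]; then
        case "$(cat "$node")" in
            1) echo legacy ;;
            0) echo secmark ;;
            *) echo unknown ;;
        esac
    else
        echo unavailable
    fi
}

# Constructed sample configs for the demonstration (not real kernel output).
SAMPLE_NEW=$(mktemp)
cat > "$SAMPLE_NEW" <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
EOF
SAMPLE_OLD=$(mktemp)
cat > "$SAMPLE_OLD" <<'EOF'
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
EOF

echo "secmark-enabled config: $(secmark_default "$SAMPLE_NEW")"
echo "legacy config:          $(secmark_default "$SAMPLE_OLD")"
echo "running kernel:         $(compat_net_state)"
rm -f "$SAMPLE_NEW" "$SAMPLE_OLD"
```

On a system following the mail's advice, `secmark_default` on the kernel's .config should print `legacy`, and `compat_net_state` on the booted kernel should print `legacy` as well; a `secmark` result from either means the new controls are active and the port/node/netif rules in the policy will not be what governs packets.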