| 1 |
So as you may recall, about a year ago I spoke about switching over |
| 2 |
Gentoo SELinux to the reference policy with support for modular policy |
| 3 |
[1]. Unfortunately I was too optimistic about the time table and was |
| 4 |
hindered by an upstream bug [2], which was fixed only in the last couple |
| 5 |
months [3]. After a lot of testing and some help from users in the IRC |
| 6 |
channel, I believe we're finally ready for wide beta testing. One big |
| 7 |
catch is that this SELinux upgrade requires glibc 2.4, and since that is |
| 8 |
not available to hardened gcc users, those users will still have to |
| 9 |
wait. For those that are not using hardened gcc, the upgrade guide [4] |
| 10 |
is available. The SELinux handbook [5] has been updated with |
| 11 |
documentation on the new SELinux management infrastructure, so please |
| 12 |
browse it again to find the new parts. |
| 13 |
|
| 14 |
One thing to note is that SECMARK network controls should not be enabled |
| 15 |
as yet (the kernel option: NSA SELinux enable new secmark network |
| 16 |
controls by default). This is new in 2.6.18, but unfortunately there |
| 17 |
are still issues with these controls. The old controls will be used |
| 18 |
instead (ports/nodes/netifs) until the SECMARK issues are ironed out. |
| 19 |
|
| 20 |
Again, this should be considered beta quality, so this upgrade probably |
| 21 |
shouldn't be performed on production/critical systems. This doesn't |
| 22 |
mean that it is unsafe; I run this in enforcing on my server. If you |
| 23 |
are able, please test. I'm hoping this can be stabilized by the end of |
| 24 |
January. |
| 25 |
|
| 26 |
[1] http://marc.theaimsgroup.com/?l=gentoo-hardened&m=113433863728029&w=2 |
| 27 |
[2] http://marc.theaimsgroup.com/?l=gentoo-hardened&m=114497328517270&w=2 |
| 28 |
[3] http://marc.theaimsgroup.com/?l=gentoo-hardened&m=115949405116099&w=2 |
| 29 |
[4] http://www.gentoo.org/proj/en/hardened/selinux/selinux20061-upg.xml |
| 30 |
[5] http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml |
| 31 |
|
| 32 |
|
| 33 |
-- |
| 34 |
Chris PeBenito |
| 35 |
<pebenito@g.o> |
| 36 |
Developer, |
| 37 |
Hardened Gentoo Linux |
| 38 |
|
| 39 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 40 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives