| 1 |
There are several bits of news: |
| 2 |
|
| 3 |
* The updated livecd and stages have been moved to the mirrors: |
| 4 |
http://gentoo.oregonstate.edu/experimental/hardened/ |
| 5 |
|
| 6 |
* I'm going to be releasing a new base-policy that has one large change |
| 7 |
plus (in addition to a few minor fixes), which changes the behavior or |
| 8 |
sysadm_r. I have removed sysadm_r's access from almost all files except |
| 9 |
the obvious ones, such as in /etc, /root, /usr/src, etc. This is to |
| 10 |
increase the separation between portage_t and sysadm_t. The |
| 11 |
admin_separation tunable controls this behavior. Since we are |
| 12 |
security-oriented, this is default on. Of course, those who want the |
| 13 |
previous behavior can disable admin_separation to regain the access. |
| 14 |
The daemon policies in portage will soon be updated accordingly. |
| 15 |
|
| 16 |
* The NSA has stopped maintaining the 2.4 SELinux patches. We will try |
| 17 |
to update them as long as we can; however, this means that the days are |
| 18 |
numbered for selinux-sources, and hardened-sources-2.4.*/with |
| 19 |
USE=selinux. 2.4 Users are encouraged to begin evaluating 2.6 for use. |
| 20 |
|
| 21 |
* The 2.6.8 kernel will have some new SELinux classes for security |
| 22 |
enhanced X. The problem is that these will collide with our PaX |
| 23 |
support. This means that the kernel and the policy will have to be |
| 24 |
updated at the same time, as the kernel will not load a policy whose |
| 25 |
headers don't match its own. When 2.6.8 comes out, I will put out a |
| 26 |
policy with the new headers, and also bump all kernels that have the PaX |
| 27 |
SELinux hooks. Fortunately the PaX headers have been accepted upstream, |
| 28 |
so this won't happen again. 2.6.8 will also bring policy version 18, |
| 29 |
since fine-grained netlink socket support has been added. |
| 30 |
|
| 31 |
-- |
| 32 |
Chris PeBenito |
| 33 |
<pebenito@g.o> |
| 34 |
Developer, |
| 35 |
Hardened Gentoo Linux |
| 36 |
Embedded Gentoo Linux |
| 37 |
|
| 38 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 39 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives