There are several bits of news:

* The updated livecd and stages have been moved to the mirrors:
http://gentoo.oregonstate.edu/experimental/hardened/

* I'm going to be releasing a new base-policy that has one large change
(in addition to a few minor fixes), which changes the behavior of
sysadm_r. I have removed sysadm_r's access from almost all files except
the obvious ones, such as in /etc, /root, /usr/src, etc. This is to
increase the separation between portage_t and sysadm_t. The
admin_separation tunable controls this behavior. Since we are
security-oriented, this is default on. Of course, those who want the
previous behavior can disable admin_separation to regain the access.
The daemon policies in portage will soon be updated accordingly.

* The NSA has stopped maintaining the 2.4 SELinux patches. We will try
to update them as long as we can; however, this means that the days are
numbered for selinux-sources, and hardened-sources-2.4.*/with
USE=selinux. 2.4 users are encouraged to begin evaluating 2.6 for use.

* The 2.6.8 kernel will have some new SELinux classes for security
enhanced X. The problem is that these will collide with our PaX
support. This means that the kernel and the policy will have to be
updated at the same time, as the kernel will not load a policy whose
headers don't match its own. When 2.6.8 comes out, I will put out a
policy with the new headers, and also bump all kernels that have the PaX
SELinux hooks. Fortunately the PaX headers have been accepted upstream,
so this won't happen again. 2.6.8 will also bring policy version 18,
since fine-grained netlink socket support has been added.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243