| 1 |
On 04/27/2011 02:46 PM, Sven Vermeulen wrote: |
| 2 |
> Hi guys 'n gals, |
| 3 |
> |
| 4 |
> Like I suggested in the "SELinux and no-multilib" thread [1], I would like |
| 5 |
> to take a stab at the SELinux Gentoo profiles to make them easy to manage |
| 6 |
> (and to get that weird (no)multilib thing back on track). As the thread |
| 7 |
> said, I am focussing on creating a "features/selinux" profile which, like |
| 8 |
> the "features/multilib" or "features/no-nptl" ones, cannot be used |
| 9 |
> directly but is used by a parent file within a profile. |
| 10 |
> |
| 11 |
> When a good "features/selinux" profile is created, we can then create |
| 12 |
> hardened/linux/amd64/selinux |
| 13 |
> hardened/linux/amd64/no-multilib/selinux |
| 14 |
> hardened/linux/x86/selinux |
| 15 |
> ... |
| 16 |
> profiles in which only a single file exists, namely "parent", with the |
| 17 |
> contents of |
| 18 |
> ../ |
| 19 |
> ../../../../features/selinux |
| 20 |
> |
| 21 |
> To verify that this is indeed possible, I've already started with a |
| 22 |
> "features/selinux" profile on my own overlay [2] and am currently testing |
| 23 |
> it (both a "hardened/linux/amd64/selinux" and ..."amd64/no-multilib/selinux" |
| 24 |
> guest) to see if they generate any issues. |
| 25 |
> |
| 26 |
> Until now, I have not found any issue. What I do find is that the |
| 27 |
> hardened/linux/amd64/* ones are more aligned with the hardened profiles |
| 28 |
> than the selinux/v2refpolicy/amd64/hardened profile (current |
| 29 |
> production-use profile) with respect to USE changes and such. |
| 30 |
> |
| 31 |
> In my opinion, this method has many advantages: |
| 32 |
> - the selinux profiles are close to their master profile (and as such |
| 33 |
> inherit the updates and management of those profiles) |
| 34 |
> - the new profiles can be used simultaneously with the old ones, allowing |
| 35 |
> for a transition period |
| 36 |
> - the SELinux specific changes are tied in a single location, making |
| 37 |
> administration a bit more easy (and we're all for easy, aren't we?) |
| 38 |
> - if new profiles would like to support a selinux-specific one as well, it |
| 39 |
> is far easier with a "features/selinux" approach than it is with the |
| 40 |
> current selinux/v2refpolicy/* I think |
| 41 |
> |
| 42 |
|
| 43 |
In general, I like this idea. I've spoken with PeBenito, and he |
| 44 |
indicates that the original design goal of the SELinux profiles was to |
| 45 |
create a minimal working SELinux system, which one could then build off |
| 46 |
of by customizing as necessary. However, this was all done prior to the |
| 47 |
work that has since been done to make the default minimal profiles a bit |
| 48 |
more rational. I <THINK> the base hardened and vanilla profiles are now |
| 49 |
more in the line of being minimalist profiles which are then built on to |
| 50 |
create the more full-featured profile sets, but someone who knows more |
| 51 |
about this than me will have to comment. |
| 52 |
|
| 53 |
> Now my question(s): |
| 54 |
> - Does anyone know of a problem with this approach? |
| 55 |
> - Does anyone have any objections if I (or someone else) puts this |
| 56 |
> information in hardened-dev.git (blueness, you did last profile updates |
| 57 |
> with a staging in hardened-dev.git, but in a separate branch [3], do you |
| 58 |
> think this approach is needed here as well or can this be put in the |
| 59 |
> master)? |
| 60 |
> - And if people have objections, any other ideas on how to tackle the |
| 61 |
> problem that current SELinux profiles do not support no-multilib (but do |
| 62 |
> not enable "multilib" USE flag) [4]? |
| 63 |
|
| 64 |
I'm looking into writing a little tool that will help facilitate this, |
| 65 |
giving us a 'profile explorer' that would enable use to see what a given |
| 66 |
profile looks like without having to actually switch to it and then do |
| 67 |
'emerge --info'. Kindof like a DOM explorer, but for Gentoo profiles. |
| 68 |
|
| 69 |
> Wkr, |
| 70 |
> Sven Vermeulen |
| 71 |
> |
| 72 |
> [1] http://thread.gmane.org/gmane.linux.gentoo.hardened/4820/focus=4824 |
| 73 |
> [2] https://github.com/sjvermeu/gentoo.overlay/tree/master/profiles |
| 74 |
> [3] https://bugs.gentoo.org/show_bug.cgi?id=344861 |
| 75 |
> [4] https://bugs.gentoo.org/show_bug.cgi?id=298434 and |
| 76 |
> https://bugs.gentoo.org/show_bug.cgi?id=346563 |
| 77 |
> |
| 78 |
> |
| 79 |
> |
Archives