1 |
On 04/27/2011 02:46 PM, Sven Vermeulen wrote: |
2 |
> Hi guys 'n gals, |
3 |
> |
4 |
> Like I suggested in the "SELinux and no-multilib" thread [1], I would like |
5 |
> to take a stab at the SELinux Gentoo profiles to make them easy to manage |
6 |
> (and to get that weird (no)multilib thing back on track). As the thread |
7 |
> said, I am focussing on creating a "features/selinux" profile which, like |
8 |
> the "features/multilib" or "features/no-nptl" ones, cannot be used |
9 |
> directly but is used by a parent file within a profile. |
10 |
> |
11 |
> When a good "features/selinux" profile is created, we can then create |
12 |
> hardened/linux/amd64/selinux |
13 |
> hardened/linux/amd64/no-multilib/selinux |
14 |
> hardened/linux/x86/selinux |
15 |
> ... |
16 |
> profiles in which only a single file exists, namely "parent", with the |
17 |
> contents of |
18 |
> ../ |
19 |
> ../../../../features/selinux |
20 |
> |
21 |
> To verify that this is indeed possible, I've already started with a |
22 |
> "features/selinux" profile on my own overlay [2] and am currently testing |
23 |
> it (both a "hardened/linux/amd64/selinux" and ..."amd64/no-multilib/selinux" |
24 |
> guest) to see if they generate any issues. |
25 |
> |
26 |
> Until now, I have not found any issue. What I do find is that the |
27 |
> hardened/linux/amd64/* ones are more aligned with the hardened profiles |
28 |
> than the selinux/v2refpolicy/amd64/hardened profile (current |
29 |
> production-use profile) with respect to USE changes and such. |
30 |
> |
31 |
> In my opinion, this method has many advantages: |
32 |
> - the selinux profiles are close to their master profile (and as such |
33 |
> inherit the updates and management of those profiles) |
34 |
> - the new profiles can be used simultaneously with the old ones, allowing |
35 |
> for a transition period |
36 |
> - the SELinux specific changes are tied in a single location, making |
37 |
> administration a bit more easy (and we're all for easy, aren't we?) |
38 |
> - if new profiles would like to support a selinux-specific one as well, it |
39 |
> is far easier with a "features/selinux" approach than it is with the |
40 |
> current selinux/v2refpolicy/* I think |
41 |
> |
42 |
|
43 |
In general, I like this idea. I've spoken with PeBenito, and he |
44 |
indicates that the original design goal of the SELinux profiles was to |
45 |
create a minimal working SELinux system, which one could then build off |
46 |
of by customizing as necessary. However, this was all done prior to the |
47 |
work that has since been done to make the default minimal profiles a bit |
48 |
more rational. I <THINK> the base hardened and vanilla profiles are now |
49 |
more in the line of being minimalist profiles which are then built on to |
50 |
create the more full-featured profile sets, but someone who knows more |
51 |
about this than me will have to comment. |
52 |
|
53 |
> Now my question(s): |
54 |
> - Does anyone know of a problem with this approach? |
55 |
> - Does anyone have any objections if I (or someone else) puts this |
56 |
> information in hardened-dev.git (blueness, you did last profile updates |
57 |
> with a staging in hardened-dev.git, but in a separate branch [3], do you |
58 |
> think this approach is needed here as well or can this be put in the |
59 |
> master)? |
60 |
> - And if people have objections, any other ideas on how to tackle the |
61 |
> problem that current SELinux profiles do not support no-multilib (but do |
62 |
> not enable "multilib" USE flag) [4]? |
63 |
|
64 |
I'm looking into writing a little tool that will help facilitate this, |
65 |
giving us a 'profile explorer' that would enable use to see what a given |
66 |
profile looks like without having to actually switch to it and then do |
67 |
'emerge --info'. Kindof like a DOM explorer, but for Gentoo profiles. |
68 |
|
69 |
> Wkr, |
70 |
> Sven Vermeulen |
71 |
> |
72 |
> [1] http://thread.gmane.org/gmane.linux.gentoo.hardened/4820/focus=4824 |
73 |
> [2] https://github.com/sjvermeu/gentoo.overlay/tree/master/profiles |
74 |
> [3] https://bugs.gentoo.org/show_bug.cgi?id=344861 |
75 |
> [4] https://bugs.gentoo.org/show_bug.cgi?id=298434 and |
76 |
> https://bugs.gentoo.org/show_bug.cgi?id=346563 |
77 |
> |
78 |
> |
79 |
> |