| 1 |
Hi, |
| 2 |
|
| 3 |
I've got a system which I am migrating to use selinux, so I had to |
| 4 |
switch to udev. I followed all the instructions, rebooted, udevd is |
| 5 |
running but /dev is mounted as ramfs (which does not support labelling |
| 6 |
AFAIK) instead of tmpfs. I tried to find where it is being mounted, but |
| 7 |
that isn't very clear (not in fstab, not in /etc/rc). Is it part |
| 8 |
of /sbin/init now? |
| 9 |
How do I switch to tmpfs for /dev? |
| 10 |
(obviously, I rebuilt a kernel with devfs not mounted automatically - |
| 11 |
would devfs show up as ramfs anyway?) |
| 12 |
|
| 13 |
A lot of the services are chrooted at the moment, I ended up having to |
| 14 |
change a lot of the .fc files to add "(/chroot/[myservice])?" in front |
| 15 |
of the file definitions. Is there any reason not to have this merged? |
| 16 |
(I know the benefit of having chroot is moot when you have selinux |
| 17 |
enabled - but when you're in between...) |
| 18 |
|
| 19 |
Portage triggers some policy violations that would be fixed by: |
| 20 |
allow portage_fetch_t portage_tmp_t:dir search; |
| 21 |
allow portage_fetch_t portage_tmp_t:file { getattr read }; |
| 22 |
allow portage_t tmpfs_t:filesystem getattr; |
| 23 |
Am i the only one seeing this? I see no reason not to merge them into |
| 24 |
portage.te. |
| 25 |
|
| 26 |
I've noticed that a lot of the services which can be used with a mysql |
| 27 |
backend (ie: spamd, postfix, etc) do not include policy for this since |
| 28 |
it is a package option (+mysql). Is there any way we can have this |
| 29 |
included in the .te files but conditional? |
| 30 |
Not necessarily using an "ifdef(`mysqld.te', `" (which would include it |
| 31 |
as soon as mysql is installed) but maybe a combination of the above + a |
| 32 |
flag? |
| 33 |
|
| 34 |
Is there any interest in merging the policies I have started building? |
| 35 |
Using mainly audit2allow (and a bit of thinking, and retro-fitting the |
| 36 |
macros which is the hard part), I have made policies for: amavis, |
| 37 |
setiathome, mdadm, saslauth, java, tomcat, fetchmail, psad, etc. |
| 38 |
|
| 39 |
|
| 40 |
Thanks |
| 41 |
Antoine |
| 42 |
|
| 43 |
|
| 44 |
-- |
| 45 |
gentoo-hardened@g.o mailing list |
Archives