Hi,

I've got a system which I am migrating to use selinux, so I had to
switch to udev. I followed all the instructions, rebooted, udevd is
running but /dev is mounted as ramfs (which does not support labelling
AFAIK) instead of tmpfs. I tried to find where it is being mounted, but
that isn't very clear (not in fstab, not in /etc/rc). Is it part
of /sbin/init now?
How do I switch to tmpfs for /dev?
(obviously, I rebuilt a kernel with devfs not mounted automatically -
would devfs show up as ramfs anyway?)

A lot of the services are chrooted at the moment, I ended up having to
change a lot of the .fc files to add "(/chroot/[myservice])?" in front
of the file definitions. Is there any reason not to have this merged?
(I know the benefit of having chroot is moot when you have selinux
enabled - but when you're in between...)

Portage triggers some policy violations that would be fixed by:
allow portage_fetch_t portage_tmp_t:dir search;
allow portage_fetch_t portage_tmp_t:file { getattr read };
allow portage_t tmpfs_t:filesystem getattr;
Am I the only one seeing this? I see no reason not to merge them into
portage.te.

I've noticed that a lot of the services which can be used with a mysql
backend (i.e. spamd, postfix, etc.) do not include policy for this since
it is a package option (+mysql). Is there any way we can have this
included in the .te files but conditional?
Not necessarily using an "ifdef(`mysqld.te', `" (which would include it
as soon as mysql is installed) but maybe a combination of the above + a
flag?

Is there any interest in merging the policies I have started building?
Using mainly audit2allow (and a bit of thinking, and retro-fitting the
macros which is the hard part), I have made policies for: amavis,
setiathome, mdadm, saslauth, java, tomcat, fetchmail, psad, etc.


Thanks
Antoine


--
gentoo-hardened@g.o mailing list
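The first question in the post (is /dev ramfs or tmpfs, and where is it mounted) can be answered from /proc/mounts rather than by hunting through init scripts. The script below is an added example, not code from the post or from Gentoo; it parses constructed /proc/mounts content (including the kernel's `\040` escape for spaces in mount points), reports the filesystem currently visible at a mount point, and checks it against an assumed set of filesystems that can carry per-file SELinux labels.

```python
import re

# Constructed /proc/mounts content (not from the post). The kernel escapes a
# space in a mount point as \040, so a parser has to decode octal escapes.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/hda3 / ext3 rw 0 0
proc /proc proc rw 0 0
none /dev ramfs rw 0 0
/dev/hda5 /mnt/my\\040disk ext3 rw 0 0
none /dev/pts devpts rw 0 0
"""

# Filesystems on which SELinux can keep per-file labels; an assumed set for
# this example (ramfs deliberately absent, matching the post's concern).
LABELLING_FS = {"ext2", "ext3", "xfs", "tmpfs"}

OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

def unescape(field):
    """Decode the \\ooo octal escapes used in /proc/mounts fields."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return (device, mountpoint, fstype, options) tuples in mount order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        dev, mnt, fstype, opts = (unescape(p) for p in parts[:4])
        entries.append((dev, mnt, fstype, opts))
    return entries

def fstype_at(text, mountpoint):
    """Filesystem currently visible at `mountpoint` (the last mount wins)."""
    fstype = None
    for _, mnt, fs, _ in parse_mounts(text):
        if mnt == mountpoint:
            fstype = fs
    return fstype

def supports_labelling(fstype):
    """True if SELinux can store per-file labels on this filesystem type."""
    return fstype in LABELLING_FS

if __name__ == "__main__":
    fs = fstype_at(SAMPLE_MOUNTS, "/dev")
    print(f"/dev is {fs}; per-file labelling: {supports_labelling(fs)}")
```

On a real system, replace `SAMPLE_MOUNTS` with the contents of /proc/mounts; taking the last matching entry matters because a later mount on the same path shadows an earlier one, which is exactly the situation when something mounts ramfs over /dev after boot.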
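The Portage rules quoted in the post and the audit2allow workflow mentioned at the end both come from the same step: collecting AVC denials and folding them into `allow` rules. The script below is an added example, not code from the post, from audit2allow or from Gentoo; it parses constructed `avc: denied` lines (modelled on the kernel's log format, not real denials), aggregates permissions per (source type, target type, class), and renders them either as plain rules or, to illustrate the "conditional" policy the post asks about, inside a `bool`/`if` block of the SELinux policy language. The boolean name `portage_use_tmpfs` is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample denials (not taken from the post), modelled on the
# kernel's "avc:  denied" line format; the unrelated line must be skipped.
SAMPLE_AVC = """\
audit(1100000000.123:1): avc:  denied  { search } for  pid=1234 comm="wget" name="portage" dev=hda3 ino=4711 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
audit(1100000000.124:2): avc:  denied  { getattr } for  pid=1234 comm="wget" path="/var/tmp/portage/foo" dev=hda3 ino=4712 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:portage_tmp_t tclass=file
audit(1100000000.125:3): avc:  denied  { read } for  pid=1234 comm="wget" path="/var/tmp/portage/foo" dev=hda3 ino=4712 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:portage_tmp_t tclass=file
audit(1100000000.126:4): avc:  denied  { getattr } for  pid=1200 comm="emerge" dev=tmpfs scontext=system_u:system_r:portage_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
kernel: some unrelated message that must be ignored
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Aggregate denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def render_rules(rules, boolean=None):
    """Render allow rules; with `boolean`, wrap them in a conditional block."""
    indent = "    " if boolean else ""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"{indent}allow {src} {tgt}:{cls} {perm_str};")
    if boolean:
        lines = [f"bool {boolean} false;", f"if ({boolean}) {{"] + lines + ["}"]
    return "\n".join(lines)

if __name__ == "__main__":
    rules = parse_denials(SAMPLE_AVC)
    print(render_rules(rules))
    print(render_rules(rules, boolean="portage_use_tmpfs"))
```

Like audit2allow itself, this only aggregates what was denied; whether each generated rule belongs in portage.te or is a sign that a file is mislabelled or a program is misbehaving is still a review decision, which is why the output is printed for inspection rather than loaded.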