Gentoo Archives: gentoo-hardened

From: Sven Vermeulen <swift@g.o>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux base policy rev 5 in hardened-dev
Date: Thu, 22 Mar 2012 19:29:35
Message-Id: 20120322192826.GA31442@gentoo.org
Hi guys,

I've pushed rev 5 of the base policy (and selinux-dhcp) to the hardened-dev
overlay. This one contains the following changes since rev 4:

<no bug> Do not audit getattr/search on user_home_dir_t stuff from within portage_fetch_t
<no bug> Do not audit getattr on udev netlink_kobject_uevent_sockets and unix_stream_sockets from within initrc (bootmisc)
<no bug> Allow init scripts (bootmisc) to clean up /tmp location
<no bug> Allow init scripts to delete stale syslog control sockets
<no bug> Allow bootmisc to mkdir/rmdir in /var/lib
<no bug> Allow mount to setsched on kernel_t
<no bug> Mark the selinuxfs mounts as mountpoints
<no bug> Do not audit searches by mount on unlabeled_t before it mounts on them
#389425 Update patch for DHCP regarding binding to generic UDP ports
<no bug> Support integrated run_init properly again
<no bug> Add in references to sysfs where SELinux access is used (dev_getattr_sysfs_fs)
<no bug> Mark /lib/rc/console as initrc_state_t to allow bootup to remove stale files in there
<no bug> Do not attempt to update base in selinux-base, wait for selinux-base-policy
<no bug> Allow nginx_t to list the content of its configuration directories
<no bug> Mark /var/lib/ip6tables as initrc_tmp_t to allow init script to save/restore

This is the first candidate for pushing to main tree (of the 20120215 policy
series). If there are no particular blockers in a few days, I'll do that
(and also do the last stabilization on the 20110726 series).

In the meantime, I'm going to start pushing out patches upstream so if
refpolicy wants some patches structured differently, I'll update them in our
tree as well.

Wkr,
Sven Vermeulen
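For readers who want to see what changelog entries like "Do not audit ... from within portage_fetch_t" or "Mark /var/lib/ip6tables as initrc_tmp_t" look like as policy, the block below renders a handful of the rev 5 entries in raw SELinux policy language plus refpolicy-style file contexts. This is an added illustration, not the hardened-dev patches themselves: the type and class names are the standard refpolicy ones (portage_fetch_t, user_home_dir_t, initrc_t, udev_t, mount_t, kernel_t, unlabeled_t, initrc_state_t, initrc_tmp_t), the module name is made up, and the exact rules Sven committed may differ in form (he may use refpolicy interfaces rather than raw rules).

```selinux
# --- rev5_illustration.te (hypothetical module name) ---
policy_module(rev5_illustration, 1.0)

# Declare the types this module refers to; all are assumed to exist in
# the base policy already (standard refpolicy names).
gen_require(`
	type portage_fetch_t, user_home_dir_t;
	type initrc_t, udev_t;
	type mount_t, kernel_t, unlabeled_t;
')

# "Do not audit getattr/search on user_home_dir_t stuff from within
# portage_fetch_t": dontaudit keeps the access DENIED, it only stops the
# kernel from logging the AVC denial. Use it for harmless noise, never
# for access the domain actually needs.
dontaudit portage_fetch_t user_home_dir_t:dir { getattr search };

# "Do not audit getattr on udev netlink_kobject_uevent_sockets and
# unix_stream_sockets from within initrc": same idea, two object classes.
dontaudit initrc_t udev_t:netlink_kobject_uevent_socket getattr;
dontaudit initrc_t udev_t:unix_stream_socket getattr;

# "Allow mount to setsched on kernel_t": an allow rule grants the access,
# so this one widens what mount_t may do and deserves a second look.
allow mount_t kernel_t:process setsched;

# "Do not audit searches by mount on unlabeled_t before it mounts on them":
# the directory is only unlabeled until the mount completes.
dontaudit mount_t unlabeled_t:dir search;

# --- rev5_illustration.fc (file contexts for the two relabel entries) ---
# "Mark /lib/rc/console as initrc_state_t"
/lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
# "Mark /var/lib/ip6tables as initrc_tmp_t"
/var/lib/ip6tables(/.*)?	gen_context(system_u:object_r:initrc_tmp_t,s0)
```

One caveat when testing a policy revision that adds dontaudit rules: the silenced denials no longer show up in audit.log, so if something still misbehaves, rebuild the policy with dontaudit rules disabled (`semodule -DB`) to see them again, and re-enable with `semodule -B` once done. Only the allow rules (setsched on kernel_t, the /tmp and /var/lib cleanup, the nginx_t directory listing) actually change what a domain can do; the dontaudit and file-context entries only change logging and labels.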