| 1 |
On Fri, 2004-01-30 at 13:27, Andy Dustman wrote: |
| 2 |
> I had my own problems with the recent LiveCD. It would get a good way |
| 3 |
> through the bootstrap and then it would lock up. Unfortunately, it |
| 4 |
> always seemed to do this when I wasn't watching, and by the time I |
| 5 |
> noticed, the screen would be blanked and pressing keys wouldn't revive |
| 6 |
> it. The solution was to use scripts/bootstrap-2.6.sh: That worked the |
| 7 |
> first time. I had intended to install gentoo-dev-sources anyway. |
| 8 |
|
| 9 |
I'll have to look into this bootstrap-2.6.sh, I'm not familar with it. |
| 10 |
Then I'll fix up the install guide. |
| 11 |
|
| 12 |
> Additionally, I cannot find any of the stages on the Live CD. It seems |
| 13 |
> like they should be there, since it's 100 MB, but I have the CD mounted |
| 14 |
|
| 15 |
The loopback isn't compressed, so thats why its 100MB. I decided not to |
| 16 |
put any stages on the livecd, since the livecd and the stages are still |
| 17 |
experimental. |
| 18 |
|
| 19 |
> I still don't really have a good grip on SELinux, though. For example, |
| 20 |
> once I'm in enforcing mode, it seems that I can't run emerge, even if |
| 21 |
> I'm using the sysadm_r role. The reason for this seemed to be that |
| 22 |
> /usr/bin/emerge was a symlink to ../lib/portage/bin/emerge. I added |
| 23 |
> /usr/bin/emerge into the profile, and relabeled, and then it worked. |
| 24 |
|
| 25 |
Hmm, this sounds odd. But as is, the policy is to have a separate |
| 26 |
portage_r role that can use portage, so there can be a separation of |
| 27 |
sysadm_r and portage. Then, optionally, there is an auto-transition for |
| 28 |
sysadm_t that can be uncommented. However, it doesn't seem that anyone |
| 29 |
wants to use the portage_r, so I'm strongly considering removing the |
| 30 |
role, and just using the more natural auto-transition. Are there any |
| 31 |
comments on this? |
| 32 |
|
| 33 |
> Another related problem is with portage itself. Emerge won't let you |
| 34 |
> merge packages unless you are actually root. With SELinux, it's not a |
| 35 |
> matter of being root, but being in the sysadm_r role. So it prevents a |
| 36 |
> normal user with the right role from merging packages, even though they |
| 37 |
> have the correct privileges from a filesystem perspective; and it allows |
| 38 |
|
| 39 |
If the user is not in the portage_t domain, then they don't have the |
| 40 |
correct privileges from a fs perspective. |
| 41 |
|
| 42 |
> (Well, mostly. A user in the portage |
| 43 |
> group ought to at least be able to build binary packages, I think.) |
| 44 |
|
| 45 |
The policy doesn't support this, and probably never will. Access to |
| 46 |
portage is tightly controlled, since it allows modification of all files |
| 47 |
on the system. |
| 48 |
|
| 49 |
> On the systems I have now, I give someone else sudo access so they can |
| 50 |
> update package. I don't know if sudo is really compatible with SELinux |
| 51 |
|
| 52 |
The requirements for running portage are root/su/sudo/uid 0, and either |
| 53 |
portage_r or a auto transition from sysadm_t to portage_t. |
| 54 |
|
| 55 |
> or not. But presently to do updates, you'd have to su, which requires |
| 56 |
> giving out the root password, and then newrole -r sysadm_t. |
| 57 |
|
| 58 |
Generally whats done is to newrole, then su/sudo. Even if you gave out |
| 59 |
the root password to certain privileged users, you can still remove root |
| 60 |
from the users file, and then root will be limited to user_r, as is done |
| 61 |
on the demo machine. Then if someone logs in as root, they can't really |
| 62 |
do anything beyond a regular user. But if you log in from another |
| 63 |
account that can newrole to sysadm_r, they can su/sudo and administrate |
| 64 |
the machine normally (which is what we do on the demo machine). The key |
| 65 |
is that SELinux maintains a user identity which is separate from the |
| 66 |
uid. The uid can change, but the identity doesn't. See the policy |
| 67 |
overview for more info. |
| 68 |
|
| 69 |
http://www.gentoo.org/proj/en/hardened/selinux/selinux-policy.xml |
| 70 |
|
| 71 |
There has been talk of trying to merge newrole and sudo, but nothing has |
| 72 |
materialized afaik. |
| 73 |
|
| 74 |
-- |
| 75 |
Chris PeBenito |
| 76 |
<pebenito@g.o> |
| 77 |
Developer, |
| 78 |
Hardened Gentoo Linux |
| 79 |
Embedded Gentoo Linux |
| 80 |
|
| 81 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 82 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives