| 1 |
On Sun, Nov 14, 2010 at 07:14:49PM -0600, Chris Richards wrote: |
| 2 |
> Ok, first and foremost, I haven't tested targeted policy (I'm still |
| 3 |
> sorting strict policy). |
| 4 |
> Second, the handbook states that you should use v2refpolicy. You are |
| 5 |
> running the 20070928 policy, which is v1 policy and is very very old. |
| 6 |
> I'm guessing you are working with an old system that hasn't been |
| 7 |
> converted to v2refpolicy. |
| 8 |
> Third, even with v2refpolicy, the current version in the tree is now |
| 9 |
> almost a year old and has issues (which is part of what I'm working to |
| 10 |
> sort out). TBH, I'm not entirely certain it will boot in enforcing |
| 11 |
> mode, although targeted policy will stand a better chance of working |
| 12 |
> than strict policy. |
| 13 |
> |
| 14 |
> I'm working as fast as I can. Unfortunately, my spare time is pretty, |
| 15 |
> well, 'spare' and has been for some time. If you want to make your own |
| 16 |
> ebuild, you can find where to pull the latest release policy from |
| 17 |
> http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get |
| 18 |
> the current development policy from the git repository at |
| 19 |
> http://oss.tresys.com/git/refpolicy.git. |
| 20 |
|
| 21 |
If you're really adventurous, you can try using the ebuilds available on |
| 22 |
https://github.com/sjvermeu/gentoo.overlay/. With those, together with the |
| 23 |
changes as mentioned in |
| 24 |
http://blog.siphos.be/2010/10/selinux-enforcing-for-console-activity/ I am |
| 25 |
able to boot in enforcing mode, strict policy. |
| 26 |
|
| 27 |
To use the ebuilds (apart from setting |
| 28 |
http://github.com/sjvermeu/gentoo.overlay/raw/master/overlay.xml in your |
| 29 |
/etc/layman/layman.cfg file to be able to select sjvermeu), install |
| 30 |
sec-policy/selinux-policy (you'll need to unmask sec-policy/*) and you're |
| 31 |
almost ready to use ;-) |
| 32 |
|
| 33 |
I'm currently also having a few fixes not in the overlay yet (one for |
| 34 |
dhcpcd, one for gcc-config and one for portage) but am planning on |
| 35 |
integrating those as well. |
| 36 |
|
| 37 |
True, the current state in hardened is not easy to work with, and because |
| 38 |
not even the unstable packages are working, it's also hardly possible to |
| 39 |
create any documentation on it. However, I am planning on starting with |
| 40 |
documentation (even if based upon overlay ebuilds) soon - right after I get |
| 41 |
X working properly :p ) |
| 42 |
|
| 43 |
Wkr, |
| 44 |
Sven Vermeulen |
Archives