| 1 |
On 11/03/2011 09:44 PM, Stan Sander wrote: |
| 2 |
> I've been a unix/Linux systems administrator for over a decade, |
| 3 |
> and have been running Gentoo for at least the past 3 years. |
| 4 |
|
| 5 |
Only the first 15 years are rough. It gets easier after that. You've |
| 6 |
got 5 more to go :) Welcome! |
| 7 |
|
| 8 |
I'll let SwifT and other Selinuxers comment in detail on your policies. |
| 9 |
I would just caution that if you keep creating policies to make every |
| 10 |
violation disappear under all circumstanced then you're effectively |
| 11 |
disabling selinux. So you need to examine the consequence of each rule |
| 12 |
as you are doing, or asking us to do, which is good. |
| 13 |
|
| 14 |
@SwifT - did you ever migrate that doc on how to debug policies to the tree? |
| 15 |
|
| 16 |
Don't be afraid to open bugs as I said in my earlier @newbie email. |
| 17 |
|
| 18 |
As far as the rest of your system, you'll probably want to understand |
| 19 |
kernel and toolchain hardening as well: |
| 20 |
|
| 21 |
http://www.gentoo.org/proj/en/hardened/ |
| 22 |
|
| 23 |
In brief: |
| 24 |
|
| 25 |
kernel hardening = emerge hardened-sources and enable grsec/pax |
| 26 |
grsec = turning off certain operations which can be insecure |
| 27 |
(eg. mounting within chroots to break chroots) |
| 28 |
pax = enforcing constraints on allocated memory |
| 29 |
|
| 30 |
grsec also provides its own MAC system (RBAC) which you cannot have |
| 31 |
enabled at the same time as selinux. |
| 32 |
|
| 33 |
toolchain hardeneing = swtich to hardened profile as you have, re-emerge |
| 34 |
gcc/glibc/binutils, re-emerge @system then @world |
| 35 |
= ssp = protection against classic buffer overflows |
| 36 |
= pie = helps randomize process address space |
| 37 |
= fortify-sources = tighten up glibc |
| 38 |
|
| 39 |
-- |
| 40 |
Anthony G. Basile, Ph.D. |
| 41 |
Gentoo Linux Developer [Hardened] |
| 42 |
E-Mail : blueness@g.o |
| 43 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 44 |
GnuPG ID : D0455535 |
Archives