On 11/03/2011 09:44 PM, Stan Sander wrote:
> I've been a unix/Linux systems administrator for over a decade,
> and have been running Gentoo for at least the past 3 years.

Only the first 15 years are rough. It gets easier after that. You've
got 5 more to go :) Welcome!

I'll let SwifT and other Selinuxers comment in detail on your policies.
I would just caution that if you keep creating policies to make every
violation disappear under all circumstances then you're effectively
disabling selinux. So you need to examine the consequence of each rule
as you are doing, or asking us to do, which is good.

@SwifT - did you ever migrate that doc on how to debug policies to the tree?

Don't be afraid to open bugs as I said in my earlier @newbie email.

As far as the rest of your system, you'll probably want to understand
kernel and toolchain hardening as well:

http://www.gentoo.org/proj/en/hardened/

In brief:

kernel hardening = emerge hardened-sources and enable grsec/pax
grsec = turning off certain operations which can be insecure
(eg. mounting within chroots to break chroots)
pax = enforcing constraints on allocated memory

grsec also provides its own MAC system (RBAC) which you cannot have
enabled at the same time as selinux.

toolchain hardening = switch to hardened profile as you have, re-emerge
gcc/glibc/binutils, re-emerge @system then @world
= ssp = protection against classic buffer overflows
= pie = helps randomize process address space
= fortify-sources = tighten up glibc
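An added check, not part of this mail or the Gentoo hardened project, for verifying that the toolchain hardening listed above actually reached a binary after the re-emerge: it parses the ELF64 header and program headers directly, so it needs no readelf. PIE, non-executable stack and RELRO are read from the headers; SSP and FORTIFY_SOURCE detection is a heuristic on symbol names (the same thing checksec greps out of readelf), and `make_elf` is an assumed helper that constructs a fake image for the self-test.

```python
import re
import struct

# ELF64 constants from elf.h; little-endian x86_64 layout is assumed.
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
EHDR = "<16sHHIQQQIHHHHHH"  # 64-byte ELF64 file header
PHDR = "<IIQQQQQQ"          # 56-byte ELF64 program header
FORTIFY_SYM = re.compile(rb"__[a-z0-9_]+_chk\x00")  # e.g. __printf_chk

def check_hardening(blob: bytes) -> dict:
    """Report the properties the mail's toolchain section lists. PIE/NX/RELRO
    come from the headers; SSP and FORTIFY are a symbol-name heuristic."""
    if blob[:5] != b"\x7fELF\x02" or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, blob, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    flags = {}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(PHDR, blob, e_phoff + i * e_phentsize)[:2]
        flags[p_type] = p_flags
    return {
        # ET_DYN means PIE for an executable (shared libraries are ET_DYN too).
        "pie": e_type == ET_DYN,
        # PaX and the kernel honour PT_GNU_STACK; no PF_X means a non-exec stack.
        "nx_stack": PT_GNU_STACK in flags and not flags[PT_GNU_STACK] & PF_X,
        "relro": PT_GNU_RELRO in flags,
        "ssp": b"__stack_chk_fail\x00" in blob,
        "fortify": FORTIFY_SYM.search(blob) is not None,
    }

def make_elf(pie: bool, nx: bool, relro: bool, symbols: list) -> bytes:
    """Constructed test fixture: a header, program headers and a fake symbol
    string blob. It is not a loadable program, only enough for the checker."""
    phdrs = [(PT_GNU_STACK, 6 if nx else 7)]           # PF_R|PF_W (+PF_X)
    if relro:
        phdrs.append((PT_GNU_RELRO, 4))
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    hdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0,
                      0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body + b"".join(s.encode() + b"\x00" for s in symbols)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                           # e.g. /bin/ls
        print(path, check_hardening(open(path, "rb").read()))
```

Run it against a few binaries from @system after the re-emerge; a hardened build should report every key as True, and a stray False on "pie" or "ssp" points at a package that was built before the profile switch.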

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535