| 1 |
It has been months since my SELinux system ran in enforcing mode. I |
| 2 |
would like to return to the fold, but there's work to be done, first. |
| 3 |
This is a home/learning machine, so the security isn't as big an issue |
| 4 |
as it would be in another environment. But one of these days I'd like to |
| 5 |
make it an OpenVPN endpoint, so I can get access from work or travel, |
| 6 |
and I want it back on SELinux before letting it live on the Internet, |
| 7 |
even behind my hardware firewall/router. |
| 8 |
|
| 9 |
1: I run several pieces of software that have no policy, for starters |
| 10 |
there's Dovecot IMAP, smartmontools, and leafnode. I understand that the |
| 11 |
targeted policy will make this easier, and it's coming soon, but is |
| 12 |
there any idea when. Given a major change coming soon, I'd just as soon |
| 13 |
wait, rather than do any work twice. |
| 14 |
|
| 15 |
2: I've had a very bad time getting avc warnings - to the point that I'm |
| 16 |
not sure I've ever gotten any, after booting native. Part of the problem |
| 17 |
was the way I partitioned, and had /var be a symlink. But that's fixed |
| 18 |
now, I've done the relabel, and still no warnings. A few months back I |
| 19 |
juggled the partitioning, did another relabel, and still no warnings. |
| 20 |
I'm not really sure where to start debugging this one. |
| 21 |
|
| 22 |
3: I'm running xfs, so I'm stuck back at 2.6.11-hardened-r15. I |
| 23 |
understand that this will be fixed with 2.6.16, and there's a ~x86 |
| 24 |
hardened out now. At the moment, I presume I can wait for a stable, but |
| 25 |
I'm curious about how it's coming. Actually, right now I wouldn't have |
| 26 |
much choice about which kernel to run, since the last stable hardened |
| 27 |
2.6 kernel that works with xfs is off the end of the belt. |
| 28 |
|
| 29 |
4: This machine is a k6-3. In other words, I've begun to look at distcc |
| 30 |
in order to get better compile times. But this means that I've also got |
| 31 |
to install crossdev, get an i586 hardened gcc installed on the other |
| 32 |
machine(s) that I may use to compile. Is there anything special, any |
| 33 |
gotchas, to adding a hardened compiler, over an above reading the distcc |
| 34 |
and crossdev documentation? |
| 35 |
|
| 36 |
5: I find SELinux intimidating enough, but is there any way for the |
| 37 |
lesser-knowledged to assist? |
| 38 |
|
| 39 |
Thanks, |
| 40 |
Dale Pontius |
| 41 |
-- |
| 42 |
gentoo-hardened@g.o mailing list |
Archives