-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 03/02/2011 12:48 PM, Sven Vermeulen wrote:
> Hi guys,
>
> I've committed sec-policy/selinux-base-policy-2.20101213-r9 to the
> hardened-development overlay. It has the following fixes since -r8:
> - Allow Portage sandbox to ptrace (some package installs require this)
> - Use xserver_domtrans instead of allowing siginh (cleaner policy)
> - Fix issue that dhcpcd didn't work (could not find interfaces)
> - Allow unconfined_t domain to transition to portage domains
>
> The latter should fix bugs #355745 and #356533.
>
> This is also the first (but definitely not the last) commit which I'm now
> also testing various stuff with. The testing approach I use is to set up
> Gentoo Hardened base, then update to SELinux (strict), install mysql,
> install postgresql and then run some administrative tests:
>
> portage - - - - Performing portage activities -
> portage - 001 - Run emerge --info - success
> portage - 002 - Run emerge -puDN world - success
> portage - 003 - Run emerge cowsay - success
> portage - 004 - Run emerge -C cowsay (remove) - success
> portage - 005 - Run eselect profile list - success
> portage - 006 - Run gcc-config -l - success
> inittest - - - - Create temporary working database (gentoo) -
> inittest - 001 - Load SQL file (restore database dump) - success
> mysql - - - - Performing mysql command activities -
> mysql - 001 - Create table (as admin) through mysql command - success
> mysql - 002 - Show tables (as admin) - success
> mysql - 003 - Drop table (as admin) - success
> mysql - 004 - Describe table (as guest) - success
> mysql - 005 - Select data from table (as guest) - success
> mysql - 006 - Select data from table (as test) - success
> mysql - 007 - Create table (as guest) - success
> exittest - - - - Cleanup temporary working database (gentoo) -
> exittest - 001 - Drop database gentoo - success
> exittest - 002 - Revoke all (gentoo) privileges from guest account - success
> exittest - 003 - Revoke all (gentoo) privileges from admin account - success
> inittest - - - - Create temporary working database -
> inittest - 001 - Create admin role - success
> inittest - 002 - Create guest role - success
> inittest - 003 - Load SQL file (restore database dump) - success
> postgres - - - - Performing psql command activities -
> postgres - 001 - Create table (as admin) through psql command - success
> postgres - 002 - Describe test table (as admin) through psql command - success
> postgres - 003 - Drop test table (as admin) through psql command - success
> postgres - 004 - Describe table (as guest) through psql command - success
> postgres - 005 - Query test data (as guest) through psql command - success
> postgres - 006 - Testing invalid user access - success
> exittest - - - - Cleanup temporary working database -
> exittest - 001 - Drop test database - success
> exittest - 002 - Drop admin user - success
> exittest - 003 - Drop guest user - success
>
>
> These tests are done for both strict and targeted policy (but always in
> enforcing mode). The idea I have is to try and reproduce issues reported or
> seen on the forums and try to automate those. If they can be automated, I
> add them to the test scripts so that (1.) the issue is confirmed, and (2.)
> regressions can be detected.
>
> For the time being you'll see that the tests aren't advanced, but at least
> it's a start and it can grow more easily ;-)
>
> Wkr,
> Sven Vermeulen
>

Does this affect bug 328297, if at all?

There will be some changes coming to PostgreSQL soon, once Mr. Chvatal
(scarabeus) or Mr. Lauer (bonsaikitten) get the time to test and commit.

The configuration files will be in /etc/postgresql-${SLOT}/. And
src_test() works on it now with its socket created in ${T} and
executables and miscellaneous files in ${S}/src/test/regress/.

All of that works just fine on Hardened, but I'm not familiar with
SELinux other than it's an additional security measure.

Sincerely,
Mr. Aaron W. Swenson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk1uxNgACgkQCOhwUhu5AEla2AD+LgsjRH7IWhHutaDaBhm7Jgc8
y2t71dwhN+4YYr763woBAI+UWeFaz14WAjV8CeNK2+DsfJauy35HP5bKYt97BFai
=TOm8
-----END PGP SIGNATURE-----
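The regression-test approach Sven describes above (run administrative checks only under an enforcing policy, report each as success or failure) can be sketched as a small POSIX sh runner. This is an added example, not Sven's test scripts or anything from the Gentoo overlay; it assumes the standard getenforce(8) tool and the default audit log path, and SELINUX_TESTS_RUN is a switch invented here. Beyond the quoted listing it also counts AVC denials logged during the run, so a check that "succeeded" only because the program tolerated a denial is still flagged as a policy problem.

```shell
#!/bin/sh
# Added example, not Sven's scripts: a runner in the style of the quoted
# test listing. Assumes getenforce(8) and the default audit log path;
# SELINUX_TESTS_RUN=1 is our own switch to actually run the suite.
AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}

# 0 only when SELinux is present and enforcing: a "success" on a
# permissive or disabled box says nothing about the policy.
selinux_enforcing() {
    command -v getenforce >/dev/null 2>&1 || return 1
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ]
}

# Count AVC denial records in an audit log (0 if unreadable), so a test
# that passed only because the program tolerated a denial still shows up.
avc_denials() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'avc: *denied' "$1" || true
}

# Section header, e.g. "mysql - - - - Performing mysql command activities -"
test_header() { printf '%s - - - - %s -\n' "$1" "$2"; }

# run_test GROUP NUM DESCRIPTION COMMAND...: prints
# "GROUP - NUM - DESCRIPTION - success|failed" and returns the command's result
run_test() {
    group=$1 num=$2 desc=$3; shift 3
    if "$@" >/dev/null 2>&1; then
        printf '%s - %s - %s - success\n' "$group" "$num" "$desc"; return 0
    fi
    printf '%s - %s - %s - failed\n' "$group" "$num" "$desc"; return 1
}

# The checks themselves; returns the number of failed checks
run_suite() {
    f=0
    test_header portage "Performing portage activities"
    run_test portage 001 "Run emerge --info" emerge --info || f=$((f + 1))
    run_test portage 005 "Run eselect profile list" eselect profile list || f=$((f + 1))
    return "$f"
}

# Refuse without enforcing mode; new AVC denials during the run count as failure
main() {
    selinux_enforcing || { echo "SELinux not enforcing, aborting" >&2; return 2; }
    before=$(avc_denials "$AUDIT_LOG")
    run_suite && failures=0 || failures=$?
    after=$(avc_denials "$AUDIT_LOG")
    echo "failures: $failures, new AVC denials: $((after - before))"
    [ "$failures" -eq 0 ] && [ "$after" -eq "$before" ]
}
if [ "${SELINUX_TESTS_RUN:-0}" = 1 ]; then main; fi
```

Run it as root on the test box with SELINUX_TESTS_RUN=1; a non-zero exit means either a failed check or a denial that appeared in the audit log while the checks ran.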