| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 03/02/2011 12:48 PM, Sven Vermeulen wrote: |
| 5 |
> Hi guys, |
| 6 |
> |
| 7 |
> I've committed sec-policy/selinux-base-policy-2.20101213-r9 to the |
| 8 |
> hardened-development overlay. It has the following fixes since -r8: |
| 9 |
> - Allow Portage sandbox to ptrace (some package installs require this) |
| 10 |
> - Use xserver_domtrans instead of allowing siginh (cleaner policy) |
| 11 |
> - Fix issue that dhcpcd didn't work (could not find interfaces) |
| 12 |
> - Allow unconfined_t domain to transition to portage domains |
| 13 |
> |
| 14 |
> The latter should fix bugs #355745 and #356533. |
| 15 |
> |
| 16 |
> This is also the first (but definitely not the last) commit which I'm now |
| 17 |
> also testing various stuff with. The testing approach I use is to set up |
| 18 |
> Gentoo Hardened base, then update to SELinux (strict), install mysql, |
| 19 |
> install postgresql and then run some administrative tests: |
| 20 |
> |
| 21 |
> portage - - - - Performing portage activities - |
| 22 |
> portage - 001 - Run emerge --info - success |
| 23 |
> portage - 002 - Run emerge -puDN world - success |
| 24 |
> portage - 003 - Run emerge cowsay - success |
| 25 |
> portage - 004 - Run emerge -C cowsay (remove) - success |
| 26 |
> portage - 005 - Run eselect profile list - success |
| 27 |
> portage - 006 - Run gcc-config -l - success |
| 28 |
> inittest - - - - Create temporary working database (gentoo) - |
| 29 |
> inittest - 001 - Load SQL file (restore database dump) - success |
| 30 |
> mysql - - - - Performing mysql command activities - |
| 31 |
> mysql - 001 - Create table (as admin) through mysql command - success |
| 32 |
> mysql - 002 - Show tables (as admin) - success |
| 33 |
> mysql - 003 - Drop table (as admin) - success |
| 34 |
> mysql - 004 - Describe table (as guest) - success |
| 35 |
> mysql - 005 - Select data from table (as guest) - success |
| 36 |
> mysql - 006 - Select data from table (as test) - success |
| 37 |
> mysql - 007 - Create table (as guest) - success |
| 38 |
> exittest - - - - Cleanup temporary working database (gentoo) - |
| 39 |
> exittest - 001 - Drop database gentoo - success |
| 40 |
> exittest - 002 - Revoke all (gentoo) privileges from guest account - success |
| 41 |
> exittest - 003 - Revoke all (gentoo) privileges from admin account - success |
| 42 |
> inittest - - - - Create temporary working database - |
| 43 |
> inittest - 001 - Create admin role - success |
| 44 |
> inittest - 002 - Create guest role - success |
| 45 |
> inittest - 003 - Load SQL file (restore database dump) - success |
| 46 |
> postgres - - - - Performing psql command activities - |
| 47 |
> postgres - 001 - Create table (as admin) through psql command - success |
| 48 |
> postgres - 002 - Describe test table (as admin) through psql command - success |
| 49 |
> postgres - 003 - Drop test table (as admin) through psql command - success |
| 50 |
> postgres - 004 - Describe table (as guest) through psql command - success |
| 51 |
> postgres - 005 - Query test data (as guest) through psql command - success |
| 52 |
> postgres - 006 - Testing invalid user access - success |
| 53 |
> exittest - - - - Cleanup temporary working database - |
| 54 |
> exittest - 001 - Drop test database - success |
| 55 |
> exittest - 002 - Drop admin user - success |
| 56 |
> exittest - 003 - Drop guest user - success |
| 57 |
> |
| 58 |
> |
| 59 |
> These tests are done for both strict and targeted policy (but always in |
| 60 |
> enforcing mode). The idea I have is to try and reproduce issues reported or |
| 61 |
> seen on the forums and try to automate those. If they can be automated, I |
| 62 |
> add them to the test scripts so that (1.) the issue is confirmed, and (2.) |
| 63 |
> regressions can be detected. |
| 64 |
> |
| 65 |
> For the time being you'll see that the tests aren't advanced, but at least |
| 66 |
> it's a start and it can grow more easily ;-) |
| 67 |
> |
| 68 |
> Wkr, |
| 69 |
> Sven Vermeulen |
| 70 |
> |
| 71 |
|
| 72 |
Does this affect bug 328297, if at all? |
| 73 |
|
| 74 |
There will be some changes coming to PostgreSQL soon, once Mr. Chvatal |
| 75 |
(scarabeus) or Mr. Lauer (bonsaikitten) get the time to test and commit. |
| 76 |
|
| 77 |
The configuration files will be in /etc/postgresql-${SLOT}/. And |
| 78 |
src_test() works on it now with its socket created in ${T} and |
| 79 |
executables and miscellaneous files in ${S}/src/test/regress/. |
| 80 |
|
| 81 |
All of that works just fine on Hardened, but I'm not familiar with |
| 82 |
SELinux other than it's an additional security measure. |
| 83 |
|
| 84 |
Sincerely, |
| 85 |
Mr. Aaron W. Swenson |
| 86 |
-----BEGIN PGP SIGNATURE----- |
| 87 |
Version: GnuPG v2.0.16 (GNU/Linux) |
| 88 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 89 |
|
| 90 |
iF4EAREIAAYFAk1uxNgACgkQCOhwUhu5AEla2AD+LgsjRH7IWhHutaDaBhm7Jgc8 |
| 91 |
y2t71dwhN+4YYr763woBAI+UWeFaz14WAjV8CeNK2+DsfJauy35HP5bKYt97BFai |
| 92 |
=TOm8 |
| 93 |
-----END PGP SIGNATURE----- |
Archives