| 1 |
On Tue, Mar 04, 2014 at 09:17:18PM +1100, wraeth wrote: |
| 2 |
> Not sure if this is the right list to ask in, but I figure I'll go ahead |
| 3 |
> and ask anyway. |
| 4 |
|
| 5 |
It's the right list ;-) |
| 6 |
|
| 7 |
> At the moment I'm currently on the 13.0/desktop/gnome/systemd profile, |
| 8 |
> and I'd like to enable SELinux. I know that there is a 13.0/selinux |
| 9 |
> profile (as well as the hardened profiles) but I was wondering if |
| 10 |
> there's any documentation (or perhaps someone can offer some guidance) |
| 11 |
> on doing this while maintaining the current profile. |
| 12 |
> |
| 13 |
> I've had a look at the SELinux handbook [1], however it only says to |
| 14 |
> perform the migration using the profiles (and the 'selinux' use flag is |
| 15 |
> always marked as "do not do this yourself"). |
| 16 |
> |
| 17 |
> My concern is that if I were to migrate to the 13.0/selinux profile, I |
| 18 |
> would also loose all of the profile default use flags, masks, etc. that |
| 19 |
> the current profile enables. |
| 20 |
> |
| 21 |
> I could go through the time and effort of identifying the changes |
| 22 |
> between the profiles, but that would be a lot of work for only a |
| 23 |
> potential success (I'd probably end up missing something); besides, I |
| 24 |
> don't feel that would be the "right" way to do it. |
| 25 |
> |
| 26 |
> Any suggestions or pointers would be greatly appreciated. |
| 27 |
|
| 28 |
What you can do is to put the files that are in the |
| 29 |
profiles/features/selinux location inside /etc/portage/profile. Make sure |
| 30 |
however that you don't overwrite any files you've put in there previously |
| 31 |
though (don't want you to lose your own modifications). |
| 32 |
|
| 33 |
Through this, your system will be "as if" you selected your profile with |
| 34 |
"/selinux" on it. |
| 35 |
|
| 36 |
We're not creating individual "/selinux" profiles for each and every |
| 37 |
possibility (yet), mostly because we're not able to test out all sets of |
| 38 |
combinations. In your case for instance, you're using systemd whose support |
| 39 |
in SELinux is still rapidly evolving (we're waiting for Fedora to upstream |
| 40 |
their patches, and then we take those in). |
| 41 |
|
| 42 |
Wkr, |
| 43 |
Sven Vermeulen |
Archives