public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Adding a new selinux profile to default/linux/{amd64,x86}/10.0
From: Anthony G. Basile @ 2011-12-07 14:07 UTC
  To: Gentoo Development

Hi everyone,

Some time ago the selinux team restructured the selinux profiles and
made a features/selinux which could be stacked on the hardened profiles
for x86/amd64.  At that time I also tested and found that it stacked
fine on default/linux/{amd64,x86}/10.0.  I'm emailing the list to see if
there's any reason why we shouldn't add
default/linux/{amd64,x86}/10.0/selinux.  Currently I prefer adding it
directly to 10.0 rather than 10.0/server because the status of the latter
is uncertain.  Selinux on the desktops is not being strongly supported
so it's not appropriate there either, leaving only 10.0/selinux.  If
added, eselect profile list would show

  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/selinux
  [3]   default/linux/amd64/10.0/desktop
  [4]   default/linux/amd64/10.0/desktop/gnome
  [5]   default/linux/amd64/10.0/desktop/kde
  [6]   default/linux/amd64/10.0/developer
  [7]   default/linux/amd64/10.0/no-multilib
  [8]   default/linux/amd64/10.0/server
  [9]   hardened/linux/amd64 *
  [10]  hardened/linux/amd64/selinux
  [11]  hardened/linux/amd64/no-multilib
  [12]  hardened/linux/amd64/no-multilib/selinux

Any objections?

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535





* Re: [gentoo-dev] Adding a new selinux profile to default/linux/{amd64,x86}/10.0
From: Mike Frysinger @ 2011-12-07 18:44 UTC
  To: gentoo-dev

On Wednesday 07 December 2011 09:07:41 Anthony G. Basile wrote:
> Some time ago the selinux team restructured the selinux profiles and
> made a features/selinux which could be stacked on the hardened profiles
> for x86/amd64.  At that time I also tested and found that it stacked
> fine on default/linux/{amd64,x86}/10.0.  I'm emailing the list to see if
> there's any reason why we shouldn't add
> default/linux/{amd64,x86}/10.0/selinux.  Currently I prefer adding it
> directly to 10.0 rather than 10.0/server because the status of the latter
> is uncertain.  Selinux on the desktops is not being strongly supported
> so it's not appropriate there either, leaving only 10.0/selinux.  If
> added, eselect profile list would show
> 
>   [1]   default/linux/amd64/10.0
>   [2]   default/linux/amd64/10.0/selinux
>   [3]   default/linux/amd64/10.0/desktop
>   [4]   default/linux/amd64/10.0/desktop/gnome
>   [5]   default/linux/amd64/10.0/desktop/kde
>   [6]   default/linux/amd64/10.0/developer
>   [7]   default/linux/amd64/10.0/no-multilib
>   [8]   default/linux/amd64/10.0/server
>   [9]   hardened/linux/amd64 *
>   [10]  hardened/linux/amd64/selinux
>   [11]  hardened/linux/amd64/no-multilib
>   [12]  hardened/linux/amd64/no-multilib/selinux

we have the selinux/ root.  is that no longer necessary ?
-mike


* Re: [gentoo-dev] Adding a new selinux profile to default/linux/{amd64,x86}/10.0
From: Anthony G. Basile @ 2011-12-08  0:16 UTC
  To: gentoo-dev

On 12/07/2011 01:44 PM, Mike Frysinger wrote:
> On Wednesday 07 December 2011 09:07:41 Anthony G. Basile wrote:
>> Some time ago the selinux team restructured the selinux profiles and
>> made a features/selinux which could be stacked on the hardened profiles
>> for x86/amd64.  At that time I also tested and found that it stacked
>> fine on default/linux/{amd64,x86}/10.0.  I'm emailing the list to see if
>> there's any reason why we shouldn't add
>> default/linux/{amd64,x86}/10.0/selinux.  Currently I prefer adding it
>> directly to 10.0 rather than 10.0/server because the status of the latter
>> is uncertain.  Selinux on the desktops is not being strongly supported
>> so it's not appropriate there either, leaving only 10.0/selinux.  If
>> added, eselect profile list would show
>>
>>   [1]   default/linux/amd64/10.0
>>   [2]   default/linux/amd64/10.0/selinux
>>   [3]   default/linux/amd64/10.0/desktop
>>   [4]   default/linux/amd64/10.0/desktop/gnome
>>   [5]   default/linux/amd64/10.0/desktop/kde
>>   [6]   default/linux/amd64/10.0/developer
>>   [7]   default/linux/amd64/10.0/no-multilib
>>   [8]   default/linux/amd64/10.0/server
>>   [9]   hardened/linux/amd64 *
>>   [10]  hardened/linux/amd64/selinux
>>   [11]  hardened/linux/amd64/no-multilib
>>   [12]  hardened/linux/amd64/no-multilib/selinux
> 
> we have the selinux/ root.  is that no longer necessary ?
> -mike

We deprecated that when we moved to the features/selinux.  The point was
to avoid duplication and maintain all selinux profile stuff in one
place, then just stack it on top of other profiles like we did with [10]
and [12] above.  We now want to extend it to [2].

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


