public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] SELinux progress
@ 2003-08-03 22:59 Chris PeBenito
From: Chris PeBenito @ 2003-08-03 22:59 UTC
  To: Hardened Gentoo Mail List

There have been a few key advances for the SELinux integration efforts. 
The portage support for labeling files has been submitted for inclusion
into portage.  With this support, files will have the correct context
after being merged (assuming applicable policy has been loaded).  Users
won't have to 'rlpkg' or 'make relabel' after each emerge.  rlpkg will
still remain, just in case a package needs to be relabeled.

The category sec-policy has been created, and selinux-base-policy has
been moved there.  With this new category, we'll now begin rolling out
policy for common daemons, such as apache, samba, postfix, etc.  A
dependency for these policy ebuilds will be put in the respective
daemon's ebuild.  So if you were to merge distcc, the distcc policy
(sec-policy/selinux-distcc) would be a dependency, and thus will be
merged first.  This will allow easy policy installation, and all
packages will have their corresponding policy installed first.  This is
all being done using selinux-policy.eclass.  If you would like the new
policy to be automatically loaded, add "loadpolicy" to the FEATURES in
make.conf.  Since the policy is so important, the eclass also creates a
backup tarball of the policy before merging the policy, and saves it
into /etc/security/selinux/src/policy-backup.  If the newly merged
policy causes problems, the backup could be restored by the user.  The
backups are safe to clean out, of course.

Since we're going to start rolling out daemon policy, we'll now be
looking for more devs.  I need one or two people to help with the daemon
policies.  So if you know how to write policy, or are up to the
challenge of learning it, let me know, or better yet, drop by the
channel (#gentoo-hardened) on freenode.  The responsibilities of this
person would be to adapt the NSA example policy to work with Gentoo, or
write a policy if an NSA example doesn't exist.  So this would be best
served by someone that has machine(s) to install these daemons for
testing.  They will also serve as a backup to me on maintaining the
selinux userland (selinux-small), selinux-sources, and patched programs.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

