public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] SELinux news
From: Chris PeBenito @ 2005-12-11 22:01 UTC
  To: Hardened Gentoo Mail List


Here is some news on the SELinux front, current events and stuff that is
on the horizon.

XFS users should not use >=2.6.14 as a SELinux update caused breakage
[1], stay tuned for updates on this.

In the next couple months, there will be several changes in policy and
policy management.  First, we will be moving to Reference Policy [2].
The NSA example policy has been superseded by this policy.  It is not
quite ready yet for a strict policy (the current Gentoo policy is a
strict policy), but it will be soon.  The effect of this will be
noticeable to the users, as it can create a targeted and strict policy
from the same source tree, with no modifications; thus, we will begin
supporting the targeted policy, primarily for desktops.  It also has
several new features; notably, it supports loadable policy modules,
which I'll discuss later.

This will bring along a change to the /etc/selinux directory structure
that Red Hat/Fedora has been using for a long time, and is now standard.

Finally, the last big change will be a switch over to loadable policy
modules [3], which were recently integrated upstream.  They have a
management infrastructure (semanage), which will ease users' problems of
managing policy.  Each policy ebuild will compile and install a set of
loadable modules instead of installing policy sources.  Basically, the
policy is broken down into modules, then each of these modules is
linked together to create a full policy (e.g., policy.20).  When adding
a policy the admin simply has to insert the module into the module store
(there is a tool, and portage can do it).  Then the management tools
take the modules in the module store and link them all together to
create a complete policy.  This is all transactional, so if the module's
dependencies are not met, the module insertion fails.  So you aren't
left with an uncompilable/inconsistent/broken policy.  This will also
make life easier for devs since everyone will have consistent policies,
and when reporting problems, we'll know exactly what policy you have,
without having to guess.  More on this to come (and some docs).

[1] http://marc.theaimsgroup.com/?l=selinux&m=112653995009765&w=2
[2] http://serefpolicy.sourceforge.net
[3] http://sepolicy-server.sourceforge.net/index.php?page=modules

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243
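As an added illustration, not code from this thread or from the SELinux module tools (semanage/semodule), here is a small Python model of the transactional module-store behaviour described in the message above: each module declares some types and requires types declared elsewhere, and an insert is committed only if the whole candidate set links. Module and type names are constructed for the example.

```python
# Added illustration (not code from the thread or from SELinux's own tools):
# a simplified model of the transactional module store described above.
# Module and type names used with it are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyModule:
    name: str
    provides: frozenset  # types the module declares
    requires: frozenset  # types it references but expects another module to declare


def link(modules):
    """Link a set of modules into one policy.

    Returns the set of declared types, or raises ValueError naming every
    module whose required types no module in the set declares.
    """
    declared = frozenset().union(*(m.provides for m in modules.values()))
    missing = {m.name: sorted(m.requires - declared)
               for m in modules.values() if m.requires - declared}
    if missing:
        raise ValueError(f"unresolved dependencies: {missing}")
    return declared


class ModuleStore:
    """Holds the installed modules; insertion is all-or-nothing."""

    def __init__(self, base):
        self.modules = {base.name: base}

    def insert(self, *new):
        """Insert one or more modules as a single transaction.

        The candidate set is linked first; the store is replaced only if
        that succeeds, so a failed insert leaves the previous policy intact.
        """
        candidate = dict(self.modules)
        for m in new:
            candidate[m.name] = m
        link(candidate)  # raises on unmet dependencies; store untouched
        self.modules = candidate
        return sorted(self.modules)

    def installed(self):
        """Names of the modules currently making up the linked policy."""
        return sorted(self.modules)
```

Inserting several modules in one call models portage installing a set together: a module whose dependency is satisfied by another module in the same transaction links, while the same module inserted alone is rejected and the store is left unchanged.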




* Re: [gentoo-hardened] SELinux news
From: Dale Pontius @ 2005-12-29 22:20 UTC
  To: gentoo-hardened

Chris PeBenito wrote:

>Here is some news on the SELinux front, current events and stuff that is
>on the horizon.
>
>XFS users should not use >=2.6.14 as a SELinux update caused breakage
>[1], stay tuned for updates on this.
>  
>
I take it that since there has been no new news here, the just-released 
hardened-sources-2.4.14-r2 doesn't fix this?

>In the next couple months, there will be several changes in policy and
>policy management.  First, we will be moving to Reference Policy [2].
>The NSA example policy has been superseded by this policy.  It is not
>quite ready yet for a strict policy (the current Gentoo policy is a
>strict policy), but it will be soon.  The effect of this will be
>noticeable to the users, as it can create a targeted and strict policy
>from the same source tree, with no modifications; thus, we will begin
>supporting the targeted policy, primarily for desktops.  It also has
>several new features; notably, it supports loadable policy modules,
>which I'll discuss later.
>  
>
I have a fair amount of software (leafnode, dovecot, smartd) for which 
there is no policy, currently. At the moment it seems that "no policy, 
no work-ee." I'm under the impression that in the new stuff, it can be 
made more permissive about having no-policy stuff work. Is that true? Or 
even if I'm about to start to have to learn to write policies, I may as 
well wait and do it under the new base, I guess.

>[1] http://marc.theaimsgroup.com/?l=selinux&m=112653995009765&w=2
>[2] http://serefpolicy.sourceforge.net
>[3] http://sepolicy-server.sourceforge.net/index.php?page=modules
>  
>
Looks like some reading...

Dale Pontius
-- 
gentoo-hardened@gentoo.org mailing list




* Re: [gentoo-hardened] SELinux news
From: Chris PeBenito @ 2006-01-03 23:51 UTC
  To: gentoo-hardened


On Thu, 2005-12-29 at 17:20 -0500, Dale Pontius wrote:
> Chris PeBenito wrote:
> 
> >Here is some news on the SELinux front, current events and stuff that is
> >on the horizon.
> >
> >XFS users should not use >=2.6.14 as a SELinux update caused breakage
> >[1], stay tuned for updates on this.
> >  
> >
> I take it that since there has been no new news here, the just-released 
> hardened-sources-2.4.14-r2 doesn't fix this?

Correct.  However, I did find out today that there is a fix, but it
won't be integrated upstream until 2.6.16, as it was too late for
2.6.15.  I'm going to see if I can create a patch for the interim.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243




* Re: [gentoo-hardened] SELinux news
From: Andy Dustman @ 2006-02-20 22:16 UTC
  To: gentoo-hardened

On 1/3/06, Chris PeBenito <pebenito@gentoo.org> wrote:
> On Thu, 2005-12-29 at 17:20 -0500, Dale Pontius wrote:
> > Chris PeBenito wrote:
> >
> > >Here is some news on the SELinux front, current events and stuff that is
> > >on the horizon.
> > >
> > >XFS users should not use >=2.6.14 as a SELinux update caused breakage
> > >[1], stay tuned for updates on this.
> > >
> > >
> > I take it that since there has been no new news here, the just-released
> > hardened-sources-2.4.14-r2 doesn't fix this?
>
> Correct.  However, I did find out today that there is a fix, but it
> won't be integrated upstream until 2.6.16, as it was too late for
> 2.6.15.  I'm going to see if I can create a patch for the interim.

Did this patch ever get created? And since it seems we are not far
from having 2.6.16 released, about how long thereafter should we
expect to see a new hardened-sources?
--
The Pythonic Principle: Python works the way it does
because if it didn't, it wouldn't be Python.





* Re: [gentoo-hardened] SELinux news
From: Chris PeBenito @ 2006-02-21  2:08 UTC
  To: gentoo-hardened


On Mon, 2006-02-20 at 17:16 -0500, Andy Dustman wrote:
> On 1/3/06, Chris PeBenito <pebenito@gentoo.org> wrote:
> > On Thu, 2005-12-29 at 17:20 -0500, Dale Pontius wrote:
> > > Chris PeBenito wrote:
> > >
> > > >Here is some news on the SELinux front, current events and stuff that is
> > > >on the horizon.
> > > >
> > > >XFS users should not use >=2.6.14 as a SELinux update caused breakage
> > > >[1], stay tuned for updates on this.
> > > >
> > > >
> > > I take it that since there has been no new news here, the just-released
> > > hardened-sources-2.4.14-r2 doesn't fix this?
> >
> > Correct.  However, I did find out today that there is a fix, but it
> > won't be integrated upstream until 2.6.16, as it was too late for
> > 2.6.15.  I'm going to see if I can create a patch for the interim.
> 
> Did this patch ever get created? And since it seems we are not far
> from having 2.6.16 released, about how long thereafter should we
> expect to see a new hardened-sources?

No.  It was dependent on a larger XFS update, so I felt it was better to
wait for 2.6.16.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243


