From: wraeth <wraeth@privatdemail.net>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux on Desktop Profile
Date: Thu, 06 Mar 2014 00:40:21 +1100 [thread overview]
Message-ID: <1394026821.2265.19.camel@nemesis.wraeth.hopto.org> (raw)
In-Reply-To: <20140304162904.GC13432@gentoo.org>
Okay, an update:
I'm writing this from my (sorta) SELinux-enabled machine now. :)
There were a few little bumps in the process (you may have seen
something in #gentoo-hardened), but for the most part the
Install/Migrate guide was good.
The two things that I will note I had to do are:
* Rebuild util-linux *
mount, provided by util-linux, does not have the functionality
required by SELinux when coming from a non-hardened stage. In order to
get this installed (without bricking anything) I had to:
emerge -1 libselinux (this will also pull in libsepol)
emerge -1O util-linux (-O required to prevent policies being pulled in)
This should happen just prior to the first reboot (and any initrds
should be rebuilt to include the new mount binary, I guess).
* Select policy type *
This is more of a note on the documentation (I know it's out of date,
or at least so the wiki says, but for reference nonetheless). I'm
taking the easy road in and have selected the 'targeted' policy type for
now. Because of this, running ``emerge -uDN @world`` prior to setting
the policy type in /etc/selinux/config causes emerge to attempt to set
the wrong policy, and fail the ebuild. This is in reference to code
listings 2.3 and 2.6 of the SELinux handbook.
Other than that, everything has gone smoothly except for one thing:
during boot, I'm getting:
systemd-remount-fs[733]: mount: /run not mounted or bad option
That being said, once booted, /run *is* mounted with:
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
The relevant line in fstab is:
tmpfs /run tmpfs mode=0755,nosuid,nodev,context=system_u:object_r:var_run_t 0 0
I'm not sure why this is (current thinking is perhaps a symptom of the
docs being outdated) and the system seems stable for the moment.
There are other errors in the logs (avc denials on udevd, for example)
but I'm not too worried for the moment - I'm remaining in permissive
mode specifically for that reason :)
Thanks to swift for the info on merging the profiles, and any advice or
suggestions on the above would be appreciated! :D
Cheers;
wraeth
[-- Attachment #2: digitally signed message part (application/pgp-signature) --]
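The three things the message above leaves a reader checking by hand (does the policy type in /etc/selinux/config name an installed policy tree, did the context= option from fstab actually reach the live mount, and which AVC denials remain before leaving permissive mode) can be scripted. The following is an added example, not code from the original post or from the Gentoo SELinux handbook. Every function takes its input files as arguments, so it can be pointed at the real /etc/selinux/config, /etc/fstab, /proc/self/mounts and the audit log, or at the constructed sample files that make_samples writes (the sample fstab and mount lines reuse the ones quoted in the post; the AVC lines and the policy directory layout under SELINUXROOT/TYPE/{policy,contexts} are assumptions made for the example).

```shell
#!/bin/sh
# Added example (not from the original post): post-migration SELinux sanity
# checks. Functions take file paths so they run on live files or on samples.

# (1) Policy type: does SELINUXTYPE in the config name a policy tree that is
#     installed under the SELinux root (/etc/selinux by default)? The post's
#     failed ebuild came from running emerge before these agreed.
#     Assumption: an installed type has policy/ and contexts/ subdirectories.
policy_type_ok() {                 # usage: policy_type_ok CONFIG [SELINUXROOT]
    root="${2:-/etc/selinux}"
    type=$(sed -n 's/^SELINUXTYPE=\([A-Za-z_]*\).*/\1/p' "$1")
    [ -n "$type" ] && [ -d "$root/$type/policy" ] && [ -d "$root/$type/contexts" ]
}

# (2) Mount option plumbing: the context= requested in fstab for a mountpoint
#     versus what the kernel reports in /proc/self/mounts. A live mount that
#     shows only "seclabel" and no context= did not get the option applied.
fstab_context() {                  # usage: fstab_context MOUNTPOINT FSTAB
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] ~ /^context=/) { sub(/^context=/, "", o[i]); print o[i] }
    }' "$2"
}
live_context() {                   # usage: live_context MOUNTPOINT MOUNTS (/proc/self/mounts format)
    awk -v mp="$1" '$2 == mp {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] ~ /^context=/) { sub(/^context=/, "", o[i]); gsub(/"/, "", o[i]); print o[i] }
    }' "$2"
}
# Prints NOCONTEXT (fstab asks for none), MISSING (asked for, not applied),
# MATCH or DIFFERS. Only user:role:type are compared, so a kernel-appended
# MLS/MCS level such as ":s0" does not count as a difference.
check_mount_context() {            # usage: check_mount_context MOUNTPOINT FSTAB MOUNTS
    want=$(fstab_context "$1" "$2"); have=$(live_context "$1" "$3")
    if   [ -z "$want" ]; then echo NOCONTEXT
    elif [ -z "$have" ]; then echo MISSING
    elif [ "$(echo "$have" | cut -d: -f1-3)" = "$(echo "$want" | cut -d: -f1-3)" ]; then echo MATCH
    else echo DIFFERS; fi
}

# (3) AVC denials: collapse audit-style "avc: denied" lines into one count per
#     (source type, target type, class, permissions); this is the worklist to
#     clear while still in permissive mode. Output: "<count> <src> <tgt> <class> <perms>".
summarize_avc() {                  # usage: summarize_avc AUDITLOG
    awk '/avc: +denied/ {
        perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s) }
            if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t) }
            if ($i ~ /^tclass=/)   { c = $i; sub(/^tclass=/,   "", c) }
        }
        split(s, sf, ":"); split(t, tf, ":")
        n[sf[3] " " tf[3] " " c " " perm]++
    } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample inputs (NOT captured from a real system) in a temp dir.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '# <fs> <mountpoint> <type> <opts> <dump> <pass>' \
        'tmpfs /run tmpfs mode=0755,nosuid,nodev,context=system_u:object_r:var_run_t 0 0' \
        'tmpfs /dev/shm tmpfs nosuid,nodev,context=system_u:object_r:tmpfs_t 0 0' \
        'tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0' > "$d/fstab"
    printf '%s\n' 'tmpfs /run tmpfs rw,nosuid,nodev,seclabel,mode=755 0 0' \
        'tmpfs /dev/shm tmpfs rw,nosuid,nodev,context=system_u:object_r:tmpfs_t:s0 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev,seclabel 0 0' > "$d/mounts"
    mkdir -p "$d/selinux/targeted/policy" "$d/selinux/targeted/contexts"
    printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$d/config-ok"
    printf 'SELINUX=permissive\nSELINUXTYPE=strict\n'   > "$d/config-bad"
    printf '%s\n' \
      'type=AVC msg=audit(1394026821.101:40): avc:  denied  { read } for  pid=733 comm="udevd" name="uevent" dev="sysfs" ino=20 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file' \
      'type=AVC msg=audit(1394026821.102:41): avc:  denied  { read } for  pid=733 comm="udevd" name="uevent" dev="sysfs" ino=21 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file' \
      'type=AVC msg=audit(1394026821.103:42): avc:  denied  { read write } for  pid=733 comm="udevd" name="null" dev="devtmpfs" ino=5 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file' \
      > "$d/audit.log"
    echo "$d"
}

demo() {
    d=$(make_samples)
    policy_type_ok "$d/config-ok" "$d/selinux" && echo "policy type: ok"
    for mp in /run /dev/shm /tmp; do echo "$mp: $(check_mount_context "$mp" "$d/fstab" "$d/mounts")"; done
    summarize_avc "$d/audit.log"
    rm -rf "$d"
}
demo
```

On a live box the same calls are `policy_type_ok /etc/selinux/config`, `check_mount_context /run /etc/fstab /proc/self/mounts` and `summarize_avc /var/log/audit/audit.log` (or the output of `dmesg`, which the awk handles the same way). The sample run reports `/run: MISSING`, which is exactly the situation the post describes: fstab asks for a context= on /run but the live mount carries only `seclabel`.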
Thread overview (9+ messages):
2014-03-04 10:17 [gentoo-hardened] SELinux on Desktop Profile wraeth
2014-03-04 16:29 ` Sven Vermeulen
2014-03-05 13:40 ` wraeth [this message]
2014-03-06 15:15 ` Sven Vermeulen
2014-03-06 23:17 ` wraeth
2014-03-07 7:56 ` wraeth
2014-03-11 9:42 ` wraeth
2014-03-11 14:34 ` Sven Vermeulen
2014-03-07 8:03 ` wraeth