From: Sven Vermeulen <sven.vermeulen@siphos.be>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
Date: Wed, 17 Nov 2010 21:07:05 +0100
Message-ID: <20101117200705.GA9681@siphos.be>
In-Reply-To: <4CE08989.9070600@giz-works.com>
On Sun, Nov 14, 2010 at 07:14:49PM -0600, Chris Richards wrote:
> Ok, first and foremost, I haven't tested targeted policy (I'm still
> sorting strict policy).
> Second, the handbook states that you should use v2refpolicy. You are
> running the 20070928 policy, which is v1 policy and is very very old.
> I'm guessing you are working with an old system that hasn't been
> converted to v2refpolicy.
> Third, even with v2refpolicy, the current version in the tree is now
> almost a year old and has issues (which is part of what I'm working to
> sort out). TBH, I'm not entirely certain it will boot in enforcing
> mode, although targeted policy will stand a better chance of working
> than strict policy.
>
> I'm working as fast as I can. Unfortunately, my spare time is pretty,
> well, 'spare' and has been for some time. If you want to make your own
> ebuild, you can find where to pull the latest release policy from
> http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get
> the current development policy from the git repository at
> http://oss.tresys.com/git/refpolicy.git.
If you're really adventurous, you can try using the ebuilds available on
https://github.com/sjvermeu/gentoo.overlay/. With those, together with the
changes as mentioned in
http://blog.siphos.be/2010/10/selinux-enforcing-for-console-activity/ I am
able to boot in enforcing mode, strict policy.
To use the ebuilds (apart from setting
http://github.com/sjvermeu/gentoo.overlay/raw/master/overlay.xml in your
/etc/layman/layman.cfg file to be able to select sjvermeu), install
sec-policy/selinux-policy (you'll need to unmask sec-policy/*) and you're
almost ready to use ;-)
I also currently have a few fixes that are not in the overlay yet (one for
dhcpcd, one for gcc-config and one for portage) but am planning on
integrating those as well.
True, the current state in hardened is not easy to work with, and because
not even the unstable packages are working, it's also hardly possible to
create any documentation on it. However, I am planning on starting with
documentation (even if based upon overlay ebuilds) soon - right after I get
X working properly :p
Wkr,
Sven Vermeulen
Thread overview: 5+ messages
2010-11-15 0:44 [gentoo-hardened] SELinux (targeted policy) and invalid context luc nac
2010-11-15 1:14 ` Chris Richards
2010-11-17 20:07 ` Sven Vermeulen [this message]
2010-11-17 20:41 ` luc nac
2010-11-17 21:30 ` Sven Vermeulen