On Sun, Nov 14, 2010 at 07:14:49PM -0600, Chris Richards wrote:
> Ok, first and foremost, I haven't tested targeted policy (I'm still
> sorting strict policy).
> Second, the handbook states that you should use v2refpolicy. You are
> running the 20070928 policy, which is v1 policy and is very very old.
> I'm guessing you are working with an old system that hasn't been
> converted to v2refpolicy.
> Third, even with v2refpolicy, the current version in the tree is now
> almost a year old and has issues (which is part of what I'm working to
> sort out). TBH, I'm not entirely certain it will boot in enforcing
> mode, although targeted policy will stand a better chance of working
> than strict policy.
>
> I'm working as fast as I can. Unfortunately, my spare time is pretty,
> well, 'spare' and has been for some time. If you want to make your own
> ebuild, you can find where to pull the latest release policy from
> http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get
> the current development policy from the git repository at
> http://oss.tresys.com/git/refpolicy.git.

If you're really adventurous, you can try using the ebuilds available on
https://github.com/sjvermeu/gentoo.overlay/. With those, together with the
changes mentioned in
http://blog.siphos.be/2010/10/selinux-enforcing-for-console-activity/, I am
able to boot in enforcing mode, strict policy.

To use the ebuilds (apart from setting
http://github.com/sjvermeu/gentoo.overlay/raw/master/overlay.xml in your
/etc/layman/layman.cfg file to be able to select sjvermeu), install
sec-policy/selinux-policy (you'll need to unmask sec-policy/*) and you're
almost ready to use ;-)

I currently also have a few fixes not in the overlay yet (one for dhcpcd, one
for gcc-config and one for portage) but am planning on integrating those as
well.
True, the current state in hardened is not easy to work with, and because not
even the unstable packages are working, it's also hardly possible to create any
documentation on it. However, I am planning on starting with documentation (even
if based upon overlay ebuilds) soon - right after I get X working properly :p

Wkr,
  Sven Vermeulen
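The two configuration steps Sven describes above (registering the overlay list URL in /etc/layman/layman.cfg and unmasking sec-policy/*), scripted as an added example that is not code from this mail, from the sjvermeu overlay or from layman itself. It works on a scratch copy so nothing on the real system is touched. Assumptions: layman.cfg lists overlay XML URLs under the "overlays :" key, one per indented continuation line; the unmask is done by keywording the category in /etc/portage/package.keywords, where an entry with no explicit keyword means ~arch for the running architecture. The sample layman.cfg content is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original mail): idempotently register the
# sjvermeu overlay list in a copy of layman.cfg and keyword sec-policy/*.
# Assumed file formats: "overlays : <url>" with extra URLs on indented
# continuation lines; package.keywords lines of the form "<atom> [keyword]".
set -eu

OVERLAY_URL='http://github.com/sjvermeu/gentoo.overlay/raw/master/overlay.xml'

# Constructed sample layman.cfg with only the keys that matter here.
make_sample_cfg() {
    cat > "$1" <<'EOF'
[MAIN]
storage   : /var/lib/layman
overlays  : http://www.gentoo.org/proj/en/overlays/repositories.xml
EOF
}

# Add $2 as a continuation line directly after the "overlays :" key in $1.
# Idempotent: a URL that is already present is not added a second time.
add_overlay_url() {
    cfg=$1; url=$2
    grep -qF "$url" "$cfg" && return 0
    awk -v url="$url" '
        { print }
        /^overlays[ \t]*:/ { print "            " url }
    ' "$cfg" > "$cfg.new"
    mv "$cfg.new" "$cfg"
}

# Keyword the whole sec-policy category in $1/package.keywords, once.
# (Assumption: no explicit keyword means ~arch for the current profile.)
keyword_sec_policy() {
    kw="$1/package.keywords"
    mkdir -p "$1"
    grep -qsF 'sec-policy/*' "$kw" && return 0
    printf '%s\n' 'sec-policy/*' >> "$kw"
}

# Number of lines in $2 containing the literal string $1 (0 when absent);
# used below to show that repeated calls change nothing.
count_lines_with() {
    grep -cF "$1" "$2" || true
}

# Demo in a scratch directory so the real /etc is never modified.
WORK=$(mktemp -d)
make_sample_cfg "$WORK/layman.cfg"
add_overlay_url "$WORK/layman.cfg" "$OVERLAY_URL"
add_overlay_url "$WORK/layman.cfg" "$OVERLAY_URL"   # no-op on repeat
keyword_sec_policy "$WORK/portage"
keyword_sec_policy "$WORK/portage"                  # no-op on repeat

echo "--- $WORK/layman.cfg"; cat "$WORK/layman.cfg"
echo "--- $WORK/portage/package.keywords"; cat "$WORK/portage/package.keywords"
echo "overlay URL lines: $(count_lines_with "$OVERLAY_URL" "$WORK/layman.cfg")"
# Next steps on a real box (not run here): layman -a sjvermeu, then
# emerge -av sec-policy/selinux-policy.
```

Pointing the functions at /etc/layman/layman.cfg and /etc/portage instead of the scratch copies performs the real change; because both functions are idempotent, rerunning the script after a partial failure is safe.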