From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
Date: Wed, 17 Nov 2010 21:07:05 +0100
Message-ID: <20101117200705.GA9681@siphos.be>
In-Reply-To: <4CE08989.9070600@giz-works.com>

On Sun, Nov 14, 2010 at 07:14:49PM -0600, Chris Richards wrote:
> Ok, first and foremost, I haven't tested targeted policy (I'm still
> sorting strict policy).
> Second, the handbook states that you should use v2refpolicy. You are
> running the 20070928 policy, which is v1 policy and is very very old.
> I'm guessing you are working with an old system that hasn't been
> converted to v2refpolicy.
> Third, even with v2refpolicy, the current version in the tree is now
> almost a year old and has issues (which is part of what I'm working to
> sort out). TBH, I'm not entirely certain it will boot in enforcing
> mode, although targeted policy will stand a better chance of working
> than strict policy.
>
> I'm working as fast as I can. Unfortunately, my spare time is pretty,
> well, 'spare' and has been for some time. If you want to make your own
> ebuild, you can find where to pull the latest release policy from
> http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get
> the current development policy from the git repository at
> http://oss.tresys.com/git/refpolicy.git.
If you're really adventurous, you can try using the ebuilds available on
https://github.com/sjvermeu/gentoo.overlay/. With those, together with the
changes mentioned in
http://blog.siphos.be/2010/10/selinux-enforcing-for-console-activity/, I am
able to boot in enforcing mode, strict policy.

To use the ebuilds (apart from setting
http://github.com/sjvermeu/gentoo.overlay/raw/master/overlay.xml in your
/etc/layman/layman.cfg file to be able to select sjvermeu), install
sec-policy/selinux-policy (you'll need to unmask sec-policy/*) and you're
almost ready to use ;-)

I currently also have a few fixes that are not in the overlay yet (one for
dhcpcd, one for gcc-config and one for portage) but am planning on
integrating those as well.

True, the current state in hardened is not easy to work with, and because not
even the unstable packages are working, it's also hardly possible to create
any documentation on it. However, I am planning on starting with
documentation (even if based upon overlay ebuilds) soon - right after I get X
working properly :p

Wkr,
  Sven Vermeulen