From mboxrd@z Thu Jan 1 00:00:00 1970
Sender: Sven Vermeulen
Date: Sun, 27 Mar 2011 21:42:18 +0200
From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux and no-multilib
Message-ID: <20110327194217.GA29814@siphos.be>
References: <20110318061231.GB12690@siphos.be> <4D8344F1.50607@opensource.dyc.edu> <20110318154334.GA16627@siphos.be> <4D83E2E6.3010505@gentoo.org>
In-Reply-To: <4D83E2E6.3010505@gentoo.org>
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
User-Agent: Mutt/1.5.21 (2010-09-15)

On Fri, Mar 18, 2011 at 06:55:34PM -0400, Anthony G. Basile wrote:
> You're not wrong, but this can be restructured to come better in line
> with the rest of the hardened profiles. I have to do a careful analysis
> of the stacking and see if we can get something similar out of simpler
> stackings and then fix up what might be missed in the final layers of
> the stack.

My suggestion would be to

1. stabilize the current set of policies
2. remove the policies whose version is >= 3.0 (including those -2008* ones)
3. make a "features/selinux" profile (which contains all SELinux relevant
   aspects but is not a real profile in its own)
4. create sublocations within the existing profiles for SELinux (like
   hardened/linux/amd64/selinux and hardened/linux/amd64/no-multilib/selinux)

These sublocations would only have a single file called "parent" showing
something like:

    ../
    ../../../../features/selinux

I just tried this on my no-multilib system as well as on a multilib one, and
apart from USE="gdbm bzip2 urandom nptl justify -fortran" I have had no other
changes (checked the different outputs of "emerge --info" as well as a
"emerge -puDN world").

Wkr,
	Sven Vermeulen
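The proposal above relies on how a profile's "parent" file is stacked: each line names another profile directory, relative to the one holding the file, and the parents are pulled in before the profile itself. The script below is an added example, written for this page and not code from the mail or from Portage, that builds a small constructed profile tree mirroring the proposed layout (base, features/selinux, hardened/linux/amd64 with selinux and no-multilib/selinux sublocations) and walks the parent chain the way a simplified stacker would: depth-first, parents first, each profile listed once, refusing cycles and parents that point outside the profiles root. In this constructed tree the number of ../ components in each parent file is whatever reaches the profiles root from that sublocation's depth; the repo:path parent syntax is not handled.

```python
"""Walk Gentoo-style profile "parent" files and print the resulting stack.

Added example, not Portage's own implementation: depth-first, parents
before the child, each profile once, no "repo:path" parent syntax.
"""
import tempfile
from pathlib import Path

# Constructed profile tree. Keys are directories relative to the profiles
# root; values are the lines of that directory's "parent" file
# (None means the directory has no parent file at all).
CONSTRUCTED_TREE = {
    "base": None,
    "features/selinux": None,
    "hardened/linux": ["../../base"],
    "hardened/linux/amd64": ["../"],
    "hardened/linux/amd64/no-multilib": ["../"],
    "hardened/linux/amd64/selinux": ["../", "../../../../features/selinux"],
    "hardened/linux/amd64/no-multilib/selinux": [
        "../",
        "../../../../../features/selinux",
    ],
}


def write_tree(root, tree):
    """Create every directory in tree under root and write its parent file."""
    root = Path(root)
    for rel, parents in tree.items():
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        if parents is not None:
            (d / "parent").write_text("".join(p + "\n" for p in parents))


def read_parents(profile_dir):
    """Return the non-empty, non-comment lines of profile_dir/parent."""
    pf = profile_dir / "parent"
    if not pf.is_file():
        return []
    lines = []
    for raw in pf.read_text().splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def resolve_stack(root, profile):
    """Return the stacked profiles for `profile`, parents first, as paths
    relative to root. Raises on a missing directory, a parent that escapes
    the profiles root, or a cycle in the parent chain."""
    root = Path(root).resolve()
    stack = []
    in_progress = []

    def visit(profile_dir):
        if not profile_dir.is_dir():
            raise FileNotFoundError(f"profile directory missing: {profile_dir}")
        try:
            rel = profile_dir.relative_to(root).as_posix()
        except ValueError:
            raise ValueError(f"parent escapes the profiles root: {profile_dir}")
        if rel in in_progress:
            raise ValueError(f"cycle in parent chain at {rel}")
        if rel in stack:
            return  # already stacked via another path; list it once
        in_progress.append(rel)
        for parent in read_parents(profile_dir):
            visit((profile_dir / parent).resolve())
        in_progress.pop()
        stack.append(rel)

    visit((root / profile).resolve())
    return stack


def demo():
    """Build the constructed tree in a temp dir and resolve both SELinux
    sublocations; then break the tree with a cycle and confirm it is refused."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(tmp, CONSTRUCTED_TREE)
        for prof in ("hardened/linux/amd64/selinux",
                     "hardened/linux/amd64/no-multilib/selinux"):
            result[prof] = resolve_stack(tmp, prof)
        # Constructed fault: base now points back at a descendant.
        (Path(tmp) / "base" / "parent").write_text("../hardened/linux\n")
        try:
            resolve_stack(tmp, "hardened/linux/amd64")
            result["cycle_detected"] = False
        except ValueError:
            result["cycle_detected"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows that hardened/linux/amd64/no-multilib/selinux stacks base, hardened/linux, hardened/linux/amd64 and hardened/linux/amd64/no-multilib first, then features/selinux, then itself, which is the ordering that lets the SELinux settings from the shared feature directory apply on top of the architecture profile without being repeated in each sublocation.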