public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] SELinux base policy r20 in hardened-dev.git, now with MCS/MLS
From: Sven Vermeulen
Date: 2011-07-21 19:42 UTC
To: gentoo-hardened

Hi all,

I've pushed selinux-base-policy-2.20101213-r20 to the hardened-dev overlay.
This update contains the following changes since r19:

- Introduces a boolean called "gentoo_wait_requests", which is by default
  enabled. This boolean governs policy changes that are currently in place
  to work around problems, but which are reported upstream and - when fixed
  - should be cleared/removed.
  The use of a boolean allows (1.) developers to test the upstream patches,
  (2.) users to test upstream overlays and (3.) users to verify that, when
  the policy will be fixed, everything still works.
  This boolean is also documented in Gentoo Hardened's module information
  for the "portage" domain (in hardened-doc.git).
- Switch the boolean for Portage's NFS support from gentoo_portage_allow_nfs
  to gentoo_portage_use_nfs (tracks upstream better)
- Removes an ugly hack that was introduced to support OpenRC, where we had
  intermediate domains (like sysadm_initrc_notrans_t) to try and work around
  the all-binaries-refer-to-/sbin/rc style (thanks to PeBenito for the
  solution)
- Support NFS v4 (where rpc.statd uses TCP) (bug #375617)
- Remove haveged_t definition, use entropyd_t instead (requested upstream)
- Fix iptables save/restore routines (bug #211374)
- Support MCS/MLS

Further, it has more cosmetic improvements on
- portage policy definition (refpolicy style updates)
- improve nginx definitions (bug #368795)

The MCS/MLS support is new. I was quite surprised that MCS was relatively
easy to set up. If you want to use it, read the (updated) documentation in
the hardened-docs overlay (handbook has been updated accordingly). In short:
you can select the SELinux policy type through the SELINUXTYPE setting in
/etc/selinux/config and the POLICY_TYPES variable in /etc/make.conf.

Beware that MLS is also possible, but very experimental (I can't get it
working in enforcing just yet). MCS seems to work pretty well (booted in
enforcing and ran a few regression tests to make sure). For the time being,
most development will still focus on strict, but MCS will be tested more and
more (especially for those specific cases where MCS is mandatory, like with
the SELinux sandbox).

However, there is one but: in order to fully support MCS/MLS, the
selinux-policy-2.eclass needs to be patched: the four instances that you'll
find in it of 
	POLICY_TYPES="strict targeted"
must be changed to
	POLICY_TYPES="strict targeted mcs mls"
otherwise the base policy could support MCS/MLS but the modules themselves
not.

Wkr,
	Sven Vermeulen
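The mail ties three settings together: the type chosen in SELINUXTYPE only gets a base policy if it is listed in POLICY_TYPES in /etc/make.conf, and only gets policy modules if the POLICY_TYPES assignments inside selinux-policy-2.eclass also list it. The following script is an added example, not code from Sven's mail or from the Gentoo overlays; it performs that consistency check read-only. The helper names (conf_value, type_is_built, count_unpatched, policy_type_check) are this example's own, and all file contents are constructed samples passed in as text so the script runs offline instead of reading the real paths.

```shell
#!/bin/sh
# Added example (not from the mail or the Gentoo overlays): check that the
# selected SELinux policy type will actually be built at both layers the mail
# mentions, the base policy (POLICY_TYPES in make.conf) and the modules
# (POLICY_TYPES assignments in selinux-policy-2.eclass).

# Print the value of KEY=value from the text on stdin, quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" | tr -d '"' | head -n 1
}

# Succeed if policy type $1 appears in the space-separated list $2.
type_is_built() {
    for t in $2; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Count POLICY_TYPES assignments on stdin that still lack "mcs", i.e. the
# unpatched eclass form the mail describes. Always prints a number.
count_unpatched() {
    grep '^[[:space:]]*POLICY_TYPES=' | grep -vc 'mcs' || true
}

# $1 = /etc/selinux/config text, $2 = make.conf text, $3 = eclass text.
# Prints "ok" and returns 0 when the selected type is built everywhere;
# otherwise prints the first problem found and returns 1.
policy_type_check() {
    sel=$(printf '%s\n' "$1" | conf_value SELINUXTYPE)
    types=$(printf '%s\n' "$2" | conf_value POLICY_TYPES)
    if ! type_is_built "$sel" "$types"; then
        echo "SELINUXTYPE=$sel is not in POLICY_TYPES=\"$types\": no base policy for it"
        return 1
    fi
    n=$(printf '%s\n' "$3" | count_unpatched)
    if [ "$sel" = mcs ] || [ "$sel" = mls ]; then
        if [ "$n" -gt 0 ]; then
            echo "$n POLICY_TYPES line(s) in the eclass lack mcs/mls: no modules for $sel"
            return 1
        fi
    fi
    echo ok
}

# Constructed sample file contents (not real system files).
SAMPLE_SELINUX_CONFIG='# constructed /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=mcs
'
SAMPLE_MAKE_CONF='# constructed /etc/make.conf
USE="hardened selinux"
POLICY_TYPES="strict mcs"
'
SAMPLE_ECLASS_UNPATCHED='# constructed excerpt of selinux-policy-2.eclass, before the patch
POLICY_TYPES="strict targeted"
    POLICY_TYPES="strict targeted"
'
SAMPLE_ECLASS_PATCHED='# constructed excerpt of selinux-policy-2.eclass, after the patch
POLICY_TYPES="strict targeted mcs mls"
    POLICY_TYPES="strict targeted mcs mls"
'

# Demo: the same SELINUXTYPE=mcs system against both eclass variants.
for eclass in "$SAMPLE_ECLASS_UNPATCHED" "$SAMPLE_ECLASS_PATCHED"; do
    if policy_type_check "$SAMPLE_SELINUX_CONFIG" "$SAMPLE_MAKE_CONF" "$eclass"; then
        echo "PASS"
    else
        echo "FAIL"
    fi
done
```

On a live Gentoo box the three arguments would be the contents of /etc/selinux/config, /etc/make.conf and the installed selinux-policy-2.eclass; the check only reads them and reports, it changes nothing.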
