From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Date: Tue, 4 Mar 2014 16:29:04 +0000
Subject: Re: [gentoo-hardened] SELinux on Desktop Profile

On Tue, Mar 04, 2014 at 09:17:18PM +1100, wraeth wrote:
> Not sure if this is the right list to ask in, but I figure I'll go ahead
> and ask anyway.

It's the right list ;-)

> At the moment I'm currently on the 13.0/desktop/gnome/systemd profile,
> and I'd like to enable SELinux. I know that there is a 13.0/selinux
> profile (as well as the hardened profiles) but I was wondering if
> there's any documentation (or perhaps someone can offer some guidance)
> on doing this while maintaining the current profile.
>
> I've had a look at the SELinux handbook [1], however it only says to
> perform the migration using the profiles (and the 'selinux' use flag is
> always marked as "do not do this yourself").
>
> My concern is that if I were to migrate to the 13.0/selinux profile, I
> would also lose all of the profile default use flags, masks, etc. that
> the current profile enables.
>
> I could go through the time and effort of identifying the changes
> between the profiles, but that would be a lot of work for only a
> potential success (I'd probably end up missing something); besides, I
> don't feel that would be the "right" way to do it.
>
> Any suggestions or pointers would be greatly appreciated.

What you can do is to put the files that are in the
profiles/features/selinux location inside /etc/portage/profile. Make sure
however that you don't overwrite any files you've put in there previously
though (don't want you to lose your own modifications).

Through this, your system will be "as if" you selected your profile with
"/selinux" on it.

We're not creating individual "/selinux" profiles for each and every
possibility (yet), mostly because we're not able to test out all sets of
combinations. In your case for instance, you're using systemd whose support
in SELinux is still rapidly evolving (we're waiting for Fedora to upstream
their patches, and then we take those in).

Wkr,
Sven Vermeulen
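
The copy step described in the reply above, as an added example that is not part of the original message: a POSIX shell function that copies each file from the selinux feature directory into /etc/portage/profile, leaves existing files untouched, and flags any that differ so they can be merged by hand. The function name and both directory arguments are assumptions; pass the path to profiles/features/selinux in your own Portage tree.

```shell
#!/bin/sh
# Added example (not from the original message).
# merge_profile SRC DST
#   SRC: profiles/features/selinux inside your Portage tree (assumed argument)
#   DST: normally /etc/portage/profile
# Copies files that do not yet exist in DST, never overwrites a local file.
# Returns 0 when nothing conflicts, 1 when at least one file needs a manual
# merge, 2 when SRC is missing or DST cannot be created.
merge_profile() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    mkdir -p "$dst" || return 2
    conflicts=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and empty globs
        name=${f##*/}
        if [ ! -e "$dst/$name" ]; then
            cp -p "$f" "$dst/$name" && echo "copied    $name"
        elif cmp -s "$f" "$dst/$name"; then
            echo "identical $name"
        else
            # Local modification present: keep it and report the file.
            echo "CONFLICT  $name (kept yours; compare: diff -u $dst/$name $f)"
            conflicts=$((conflicts + 1))
        fi
    done
    [ "$conflicts" -eq 0 ]
}

# Run directly as: sh merge_profile.sh SRC DST
if [ "$#" -eq 2 ]; then
    merge_profile "$1" "$2"
fi
```

Files reported as CONFLICT are left exactly as they were; merge the selinux entries into them manually.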