From: "Anthony G. Basile"
Date: Fri, 18 Mar 2011 07:41:37 -0400
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux and no-multilib
Message-ID: <4D8344F1.50607@opensource.dyc.edu>
In-Reply-To: <20110318061231.GB12690@siphos.be>

Hi Sven,

Did you identify what the weirdness was? I'd like to eventually clean up the profiles. Rather than

  [1]  default/linux/amd64/10.0
  [2]  default/linux/amd64/10.0/desktop
  [3]  default/linux/amd64/10.0/desktop/gnome
  [4]  default/linux/amd64/10.0/desktop/kde
  [5]  default/linux/amd64/10.0/developer
  [6]  default/linux/amd64/10.0/no-multilib
  [7]  default/linux/amd64/10.0/server
  [8]  hardened/linux/amd64
  [9]  hardened/linux/amd64/no-multilib
  [10] selinux/2007.0/amd64
  [11] selinux/2007.0/amd64/hardened
  [12] selinux/v2refpolicy/amd64
  [13] selinux/v2refpolicy/amd64/desktop
  [14] selinux/v2refpolicy/amd64/developer
  [15] selinux/v2refpolicy/amd64/hardened *
  [16] selinux/v2refpolicy/amd64/server

I'd like the selinux to conform to the hardened/linux/amd64, i.e. change 10-16 to just

  selinux/v2refpolicy/amd64
  selinux/v2refpolicy/amd64/no-multilib

The /desktop /developer /server would not be deprecated, but present silently as they are for hardened/linux/amd64.

On 03/18/2011 02:12 AM, Sven Vermeulen wrote:
> Hi all,
>
> I had no issues turning a no-multilib (hardened/linux/amd64/no-multilib)
> system into a SELinux enabled one. I did not however change profiles, as the
> feedback I've received earlier indicates that the profiles might have
> some... weird things happening ;-)
>
> So I just made local overrides in /etc/portage/profile:
>
> - make.defaults
>   USE="selinux -acl"
>   FEATURES="selinux sesandbox sfperms"
>   PORTAGE_T="portage_t"
>   PORTAGE_FETCH_T="portage_fetch_t"
>   PORTAGE_SANDBOX_T="portage_sandbox_t"
> - package.mask
>   * Unmask sec-policy/*
>   * Mask sec-policy/selinux-*-3 and higher (to force the use of the
>     2.20101213 ones)
>   * Unmask setools, sepolgen, checkpolicy, libselinux, libsemanage,
>     policycoreutils
> - package.use.force
>   sys-apps/portage python2
> - package.use.mask
>   sys-apps/portage python3
> - profile.bashrc
>   SANDBOX_WRITE="${SANDBOX_WRITE}:/selinux/"
>   SANDBOX_WRITE="${SANDBOX_WRITE}:/proc/self/"
> - use.force
>   selinux
> - use.mask
>   -hardened
>   -selinux
>   emul-linux-x86
>   multilib
>   x264
>   tcc
>
> Runs in enforcing mode (strict policy), gcc -v shows "--disable-multilib".
>
> Wkr,
>   Sven Vermeulen

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
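Added illustration of the incremental use.mask / use.force / USE stacking that the local overrides in the quoted message rely on (why "-hardened" in use.mask unmasks the flag). This is not code from the thread or from Portage; the parent-profile flag sets are constructed sample data.

```python
"""Portage-style incremental stacking of USE, use.mask and use.force.

A profile (or /etc/portage/profile) file lists flags to add; a leading
'-' removes a flag set by an earlier (parent) profile. Effective USE is
(USE from make.defaults, plus forced flags) minus masked flags.
"""


def apply_incremental(current, lines):
    """Fold one use.mask/use.force/USE file into the inherited set."""
    result = set(current)
    for line in lines:
        token = line.split("#", 1)[0].strip()   # drop comments/blank lines
        if not token:
            continue
        if token.startswith("-"):
            result.discard(token[1:])           # '-flag' undoes a parent entry
        else:
            result.add(token)
    return result


def effective_use(use_stack, mask_stack, force_stack):
    """Walk parent-to-child stacks and return (effective USE, masked, forced)."""
    use, masked, forced = set(), set(), set()
    for lines in use_stack:
        use = apply_incremental(use, lines)
    for lines in mask_stack:
        masked = apply_incremental(masked, lines)
    for lines in force_stack:
        forced = apply_incremental(forced, lines)
    return (use | forced) - masked, masked, forced


# Constructed stand-in for what the parent profile might already set
# (hypothetical values, chosen so the overrides below have something to undo).
PARENT_USE = ["hardened", "multilib", "acl", "pam"]
PARENT_MASK = ["hardened", "selinux", "emul-linux-x86"]
PARENT_FORCE = ["pam"]

# The /etc/portage/profile overrides listed in the quoted message.
LOCAL_USE = ["selinux", "-acl"]                      # make.defaults USE=
LOCAL_MASK = ["-hardened", "-selinux", "emul-linux-x86",
              "multilib", "x264", "tcc"]             # use.mask
LOCAL_FORCE = ["selinux"]                            # use.force


def thread_example():
    """Effective flags for the parent + local override stack above."""
    return effective_use([PARENT_USE, LOCAL_USE],
                         [PARENT_MASK, LOCAL_MASK],
                         [PARENT_FORCE, LOCAL_FORCE])
```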