From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from )
	id 1Q0hgP-0000s2-2Z for garchives@archives.gentoo.org; Fri, 18 Mar 2011 21:58:11 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 82BFB1C004;
	Fri, 18 Mar 2011 21:55:43 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	by pigeon.gentoo.org (Postfix) with ESMTP id 4FE3F1C004
	for ; Fri, 18 Mar 2011 21:55:43 +0000 (UTC)
Received: from [192.168.3.7] (cpe-74-77-246-79.buffalo.res.rr.com [74.77.246.79])
	(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: blueness)
	by smtp.gentoo.org (Postfix) with ESMTPSA id 9987364600
	for ; Fri, 18 Mar 2011 21:55:42 +0000 (UTC)
Message-ID: <4D83E2E6.3010505@gentoo.org>
Date: Fri, 18 Mar 2011 18:55:34 -0400
From: "Anthony G. Basile"
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110311 Lightning/1.0b3pre Lanikai/3.1.9
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux and no-multilib
References: <20110318061231.GB12690@siphos.be> <4D8344F1.50607@opensource.dyc.edu> <20110318154334.GA16627@siphos.be>
In-Reply-To: <20110318154334.GA16627@siphos.be>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Archives-Hash: 8370fd15db0f32d78069332b7f577dd1

On 03/18/2011 11:43 AM, Sven Vermeulen wrote:
> On Fri, Mar 18, 2011 at 07:41:37AM -0400, Anthony G. Basile wrote:
>> Hi Sven,
>>
>> Did you identify what the weirdness was? I'd like to eventually clean
>> up the profiles. Rather than
> [...]
>> I'd like the selinux to conform to the hardened/linux/amd64, i.e. change
>> 10-16 to just
>>
>> selinux/v2refpolicy/amd64
>> selinux/v2refpolicy/amd64/no-multilib
>>
>> The /desktop /developer /server would not be deprecated, but present
>> silently as they are for hardened/linux/amd64.
>
> No.
>
> Beneath is the current "inheritance" of the profile (using the "parent"
> file and using the same order as presented in the file).
>
> selinux/v2refpolicy/amd64/hardened
> `- selinux/v2refpolicy/amd64
>    +- default/linux/amd64
>    |  +- base
>    |  +- default/linux
>    |  '- arch/amd64
>    `- selinux/v2refpolicy
>       `- selinux
>          `- base
>
> "base" and "selinux" both have use.mask on "multilib". So one would
> imagine that the current profile does /not/ allow multilib (you are
> not allowed to set the "multilib" USE flag). There's no profile that
> has a use.force on multilib.
>
> Or I could be completely wrong in this small analysis.
>
> I'm no profile/portage wizard though. Anyone up to the challenge?
>
> Wkr,
> Sven Vermeulen

You're not wrong, but this can be restructured to come better in line
with the rest of the hardened profiles. I have to do a careful analysis
of the stacking and see if we can get something similar out of simpler
stackings and then fix up what might be missed in the final layers of
the stack. This is still far off. First stabilization.

--
Anthony G. Basile, Ph.D.
Gentoo Developer
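Sven's tree is what you get by following each profile's `parent` file, and his use.mask/use.force check is what decides whether multilib can ever be switched on under the SELinux profile. The script below is an added example for this thread, not code from the list or from Portage. It walks `parent` files in file order (every parent's stack before the profile itself, which is the order Portage applies layers), renders the tree in the style quoted above, and then folds the stack's use.mask and use.force files into a flag's effective status. It assumes that `parent` entries are paths relative to the profile directory, that use.mask/use.force hold one flag per line, and that a leading `-` revokes an entry from an earlier layer. The `FIXTURE` tree is constructed for the example: its `parent` entries reproduce the inheritance Sven lists, but the flag lines (the `multilib` masks in base and selinux, the `-selinux`/`selinux` revoke-and-force pair, the `amd64` force) are assumptions chosen to exercise each code path, not the real profile contents.

```python
"""Resolve a Portage profile stack and a USE flag's effective status.

Added example for the thread above, not code from the list or from Portage.
Assumes: `parent` entries are relative to the profile directory; use.mask and
use.force hold one flag per line; a leading '-' revokes an earlier layer's
entry. FIXTURE is a constructed tree, not the real Gentoo profiles.
"""
import os
import sys
import tempfile
from pathlib import Path

# Constructed fixture: the inheritance Sven lists plus assumed flag lines.
FIXTURE = {
    "base/use.mask": "multilib\nselinux\n",
    "default/linux": None,                      # None = directory only
    "arch/amd64/use.force": "amd64\n",
    "default/linux/amd64/parent": "../../../base\n..\n../../../arch/amd64\n",
    "selinux/parent": "../base\n",
    "selinux/use.mask": "-selinux\nmultilib\n",  # assumed: revoke, then mask
    "selinux/use.force": "selinux\n",
    "selinux/v2refpolicy/parent": "..\n",
    "selinux/v2refpolicy/amd64/parent": "../../../default/linux/amd64\n..\n",
    "selinux/v2refpolicy/amd64/hardened/parent": "..\n",
}

def build_fixture():
    """Write FIXTURE under a fresh temporary profiles root; return the root."""
    root = Path(tempfile.mkdtemp(prefix="profiles-"))
    for rel, content in FIXTURE.items():
        path = root / rel
        if content is None:
            path.mkdir(parents=True, exist_ok=True)
        else:
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
    return root

def read_parents(root, profile):
    """Parents named in <profile>/parent, in file order, relative to root."""
    parent_file = root / profile / "parent"
    if not parent_file.is_file():
        return []
    entries = (ln.split("#", 1)[0].strip() for ln in parent_file.read_text().splitlines())
    return [os.path.normpath(os.path.join(profile, e)) for e in entries if e]

def profile_stack(root, profile, _chain=()):
    """Layers in application order: each parent's stack, then the profile.
    A layer reached twice (base, here) is listed twice, as in the quoted tree;
    a loop in `parent` files raises instead of recursing forever."""
    if profile in _chain:
        raise ValueError("inheritance loop: " + " -> ".join(_chain + (profile,)))
    if not (root / profile).is_dir():
        raise FileNotFoundError("no such profile: " + profile)
    stack = []
    for parent in read_parents(root, profile):
        stack.extend(profile_stack(root, parent, _chain + (profile,)))
    stack.append(profile)
    return stack

def render_tree(root, profile, prefix="", last=True, top=True):
    """ASCII inheritance tree in the style of the one quoted above."""
    if top:
        lines, child_prefix = [profile], ""
    else:
        lines = [prefix + ("`- " if last else "+- ") + profile]
        child_prefix = prefix + ("   " if last else "|  ")
    parents = read_parents(root, profile)
    for i, parent in enumerate(parents):
        lines += render_tree(root, parent, child_prefix, i == len(parents) - 1, False)
    return lines

def flag_set(root, profile, filename):
    """Fold every layer's use.mask (or use.force) into one effective set."""
    flags = set()
    for layer in profile_stack(root, profile):
        path = root / layer / filename
        if not path.is_file():
            continue
        for line in path.read_text().splitlines():
            token = line.split("#", 1)[0].strip()
            if token.startswith("-"):
                flags.discard(token[1:])  # later layer revokes an earlier entry
            elif token:
                flags.add(token)
    return flags

def use_status(root, profile, flag):
    """'masked', 'forced', 'free', or 'masked+forced' (a conflict to fix)."""
    masked = flag in flag_set(root, profile, "use.mask")
    forced = flag in flag_set(root, profile, "use.force")
    if masked and forced:
        return "masked+forced"
    return "masked" if masked else "forced" if forced else "free"

if __name__ == "__main__":
    # Usage: script.py [profiles-root profile]; with no arguments, the fixture.
    if len(sys.argv) == 3:
        root, profile = Path(sys.argv[1]), sys.argv[2]
    else:
        root, profile = build_fixture(), "selinux/v2refpolicy/amd64/hardened"
    print("\n".join(render_tree(root, profile)))
    for flag in ("multilib", "selinux", "amd64"):
        print(flag + ": " + use_status(root, profile, flag))
```

Run against the fixture it prints Sven's tree and reports multilib as masked and selinux as forced; pointed at a real profiles directory (the repository's profiles/ root and the relative profile path that /etc/make.profile resolves to) it reports what the stack as it is on disk actually does, which is the check worth running before and after any restacking of the selinux profiles, since a layer that is silently dropped from the stack can leave a flag unmasked that the old stack masked. The loop check matters for the same reason: a `parent` file edited to point back at a descendant would otherwise never terminate.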