From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Date: Mon, 13 Jul 2015 15:02:55 +0200
Subject: Re: [gentoo-hardened] Feedback on article recommending Gentoo for SELinux
In-Reply-To: <20150713113133.GA17362@meriadoc.Home>
References: <20150712234603.GQ2951@dent.vctlabs.com> <20150713113133.GA17362@meriadoc.Home>

On Mon, Jul 13, 2015 at 1:31 PM, Jason Zaman wrote:
> Overall a good article. One thing which I would also point out together
> with the move to CIL is that there is now no "base" module. In the 2.3
> and earlier userlands, all the important things were in "base.pp" and
> then other things were added separately as modules. One of the reasons
> why modifying ports works in the 2.4 userland is that there is no more
> base; it is treated just like any other module now, so the limitations of
> e.g. "ports must be in base" no longer apply.

I'd be careful with the "no base". This heavily depends on how the userland
utilities will work with the CIL, which isn't fully clarified yet.

> Secondly, related to "poor support for preserving local changes across
> system updates". The tools now have the concept of priority so users can
> easily completely replace a distro-provided module at a higher priority
> (semodule -X 900 -i foo.pp). I haven't (yet) updated our selinux eclass
> to install at a lower priority but will hopefully do that soon.

We work with the default 400 (100 is for the migrated modules). Do you see a
reason why we have to explicitly support a particular priority in our eclass?

Wkr,
  Sven Vermeulen
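The priority mechanism discussed above means a module installed with `semodule -X 900` silently shadows the same-named module at 400 (distro) or 100 (migrated). The following is an added example, not code from the thread or from Gentoo's eclass: a POSIX shell audit that parses `semodule -lfull` output (assumed column order: priority, module name, language; the sample below is constructed) and reports which modules are installed at several priorities, which copy is actually loaded, and which ones it shadows.

```sh
#!/bin/sh
# Constructed sample of `semodule -lfull` output (priority, name, language).
# On a real 2.4+ system, replace it with: LFULL="$(semodule -lfull)".
SAMPLE_LFULL='100 apache pp
400 apache pp
900 apache pp
100 ssh pp
400 ssh pp
400 portage pp
900 localmods cil'

# Highest priority at which MODULE is installed (0 if absent); that copy is the
# one the policy actually loads, lower-priority copies are ignored.
active_priority() {
  printf '%s\n' "$1" | awk -v m="$2" '
    $2 == m && ($1 + 0) > best { best = $1 + 0 }
    END { print best + 0 }'
}

# List every module present at more than one priority, the loaded (highest)
# priority and the shadowed lower ones, e.g. "apache active=900 shadows=100,400".
# Anything at >= 900 shadowing a 400 entry is a local override of distro policy.
report_overrides() {
  printf '%s\n' "$1" | awk '
    NF >= 2 {
      name = $2; prio = $1 + 0
      if (!(name in max) || prio > max[name]) max[name] = prio
      all[name] = (name in all) ? all[name] "," prio : prio
      count[name]++
    }
    END {
      for (name in count) {
        if (count[name] < 2) continue
        shadowed = ""
        n = split(all[name], p, ",")
        for (i = 1; i <= n; i++)
          if (p[i] != max[name])
            shadowed = (shadowed == "") ? p[i] : shadowed "," p[i]
        printf "%s active=%d shadows=%s\n", name, max[name], shadowed
      }
    }' | sort
}

report_overrides "$SAMPLE_LFULL"
```

Running the audit before and after a `semodule -X 900 -i foo.pp` shows exactly which distro-provided module a local change displaced, which is the information a system update would otherwise hide.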