It has been months since my SELinux system ran in enforcing mode. I would like to return to the fold, but there's work to be done, first. This is a home/learning machine, so the security isn't as big an issue as it would be in another environment. But one of these days I'd like to make it an OpenVPN endpoint, so I can get access from work or travel, and I want it back on SELinux before letting it live on the Internet, even behind my hardware firewall/router.
1: I run several pieces of software that have no policy; for starters there's Dovecot IMAP, smartmontools, and leafnode. I understand that the targeted policy will make this easier, and it's coming soon, but is there any idea when? Given a major change coming soon, I'd just as soon wait rather than do any work twice.

2: I've had a very bad time getting AVC warnings, to the point that I'm not sure I've ever gotten any after booting native. Part of the problem was the way I partitioned, and had /var be a symlink. But that's fixed now, I've done the relabel, and still no warnings. A few months back I juggled the partitioning, did another relabel, and still no warnings. I'm not really sure where to start debugging this one.

3: I'm running xfs, so I'm stuck back at 2.6.11-hardened-r15. I understand that this will be fixed with 2.6.16, and there's a ~x86 hardened out now. At the moment, I presume I can wait for a stable, but I'm curious about how it's coming. Actually, right now I wouldn't have much choice about which kernel to run, since the last stable hardened 2.6 kernel that works with xfs is off the end of the belt.

4: This machine is a k6-3. In other words, I've begun to look at distcc in order to get better compile times. But this means that I've also got to install crossdev and get an i586 hardened gcc installed on the other machine(s) that I may use to compile. Is there anything special, any gotchas, to adding a hardened compiler, over and above reading the distcc and crossdev documentation?

5: I find SELinux intimidating enough, but is there any way for the lesser-knowledged to assist?

Thanks,
Dale Pontius
-- 
[email protected] mailing list
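As an added worked example (not part of the post above, and not code from the Gentoo SELinux project), the script below shows the two checks a practitioner would run first when a system seems to produce no AVC denials: confirm what mode the kernel's SELinux is actually in, and then look in the logs for the "avc:  denied" marker and summarize what was denied. The selinuxfs path is an assumption (/selinux on 2.6-era systems, /sys/fs/selinux on current kernels), which is why it is passed in as a parameter, and the log lines it processes are constructed samples in the kernel's AVC format rather than output from any real machine.

```shell
#!/bin/sh
# Added example: locating and summarizing SELinux AVC denials.
# Assumptions: selinuxfs mount point is passed in by the caller;
# sample log lines below are constructed, not captured from a real host.

# Report the SELinux mode from the selinuxfs "enforce" node.
# Prints enforcing/permissive and returns 0, or prints a reason and returns 1
# when selinuxfs is not mounted (typically: SELinux not built in or disabled).
selinux_mode() {
    enforce_file="$1"
    if [ ! -r "$enforce_file" ]; then
        echo "disabled-or-unmounted"
        return 1
    fi
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown; return 1 ;;
    esac
}

# Count AVC denials in a log file. dmesg output, /var/log/messages and
# auditd's /var/log/audit/audit.log all carry the same "avc:  denied" marker,
# so the same function works on whichever one the system actually writes to.
avc_denial_count() {
    grep -c 'avc:  *denied' "$1"
}

# One line per distinct (comm, scontext -> tcontext, tclass, {permissions})
# tuple with a hit count, most frequent first. That tuple is exactly what a
# policy fix (or audit2allow) needs, so it is the useful unit to look at.
avc_summary() {
    grep 'avc:  *denied' "$1" | sed -n \
        's/.*denied *{ \([^}]*\) }.*comm="\([^"]*\)".*scontext=\([^ ]*\).*tcontext=\([^ ]*\).*tclass=\([^ ]*\).*/\2 \3 -> \4 \5 {\1}/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample log (assumption: realistic 2.6-era kernel AVC format).
# Two identical dovecot denials, one smartd denial, one "granted" line that
# must not be counted.
SAMPLE_LOG="${TMPDIR:-/tmp}/avc_sample.$$"
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_LOG.enforce"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
audit(1141234567.101:12): avc:  denied  { read } for  pid=2101 comm="dovecot" name="passwd" dev=hda3 ino=4412 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
audit(1141234567.102:13): avc:  denied  { read } for  pid=2101 comm="dovecot" name="passwd" dev=hda3 ino=4412 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1141234600.500:14): avc:  denied  { write } for  pid=2190 comm="smartd" name="smartd.log" dev=hda3 ino=9913 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_log_t tclass=file
audit(1141234700.001:15): avc:  granted  { setenforce } for  pid=2301 comm="setenforce" scontext=user_u:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
EOF

# Usage on the sample: on a live system replace SAMPLE_LOG with the real log
# (e.g. dmesg > /tmp/dmesg.txt, or /var/log/audit/audit.log) and the enforce
# path with /selinux/enforce or /sys/fs/selinux/enforce.
echo "mode: $(selinux_mode /selinux/enforce)"
echo "denials in sample: $(avc_denial_count "$SAMPLE_LOG")"
avc_summary "$SAMPLE_LOG"
```

If the mode check reports the filesystem is not mounted, no AVC message will ever appear and the problem is the kernel or boot configuration, not labeling. If the mode is permissive or enforcing but the denial count stays at zero across every log, check that the kernel's printk output is actually reaching syslog or dmesg (and, where auditd is in use, that it is running), and keep in mind that policy dontaudit rules deliberately silence denials that are expected, so a quiet log is not by itself proof that nothing is being blocked.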
