Re: [gentoo-hardened] RFC doc on hardened.

2010-09-27 Thread Sven Vermeulen
a to-be-maintained document. It's a good read to refer people to when they ask what Gentoo Hardened actually does, but misses some user-related content which might steer away a large number of interested users. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux (strict policy) and ssh

2010-11-14 Thread Sven Vermeulen
role. Once they are logged on, they can always use newrole. wkr, Sven Vermeulen

[gentoo-hardened] SELinux documentation draft

2011-01-06 Thread Sven Vermeulen
the type enforcement features of SELinux. MLS/MCS has not been touched yet. Feedback is always welcome, including language mistakes, typos or just plain lies. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux ebuilds and patches

2011-01-08 Thread Sven Vermeulen
do not drift away from the reference policy and are forced to keep track of it. Also, when a new release is made, we can look at the individual patches to see which still need to be included and which not. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux documentation draft

2011-01-10 Thread Sven Vermeulen
On Mon, Jan 10, 2011 at 08:44:06AM -0500, Chris PeBenito wrote: On 1/6/2011 5:32 PM, Sven Vermeulen wrote: I've been working on bringing the SELinux handbook as currently available on http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml more up2date. It's somewhat

[gentoo-hardened] SELinux policy rules principles?

2011-01-16 Thread Sven Vermeulen
we then expect the administrator to manage his own dontaudits? Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux policy rules principles?

2011-01-19 Thread Sven Vermeulen
. What I do notice is that, if a module has an allow statement which is cosmetic (not needed) it doesn't ever get removed because there's no one trying to remove statements to see if they are really cosmetic (that's a nice conundrum - how do I then know that a rule is cosmetic ;-) Wkr, Sven

Re: [gentoo-hardened] SELinux policy rules principles?

2011-01-19 Thread Sven Vermeulen
as it says to the end user hey, if you enable this, you'll get less AVC denials but we are not fully confident yet that they are true ignorable denials, unlike the semodule -D approach which also disables all real ignorable dontaudit denials. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux policy rules principles?

2011-01-21 Thread Sven Vermeulen
On Sun, Jan 16, 2011 at 11:06:47AM -0600, Chris Richards wrote: On 01/16/2011 09:09 AM, Sven Vermeulen wrote: When writing security policies, it is important to first have a vision on how the security policies should be made. Of course, final vision should be with a systems' security

[gentoo-hardened] SELinux policy module packages

2011-02-12 Thread Sven Vermeulen
) or use a different naming convention for those particular packages. So, what are your thoughts on this? Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux policy module packages

2011-02-12 Thread Sven Vermeulen
haven't read the discussion on this online (just heard from others about it). I also don't mind if general consensus is not my preference as I think it is more important that we set a rule/guideline for the developers to follow strictly. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux policy module packages

2011-02-12 Thread Sven Vermeulen
that as well in the Gentoo Hardened SELinux Policy document [1]. By doing so, future developers immediately know how Gentoo Hardened works (it is documented, so they don't need to start pondering how to call the policy package for module foo). Wkr, Sven Vermeulen [1] goo.gl/2U0Zr

Re: [gentoo-hardened] SELinux policy module packages

2011-02-21 Thread Sven Vermeulen
On Sat, Feb 12, 2011 at 02:25:29PM -0600, Chris Richards wrote: On 02/12/2011 02:03 PM, Sven Vermeulen wrote: Actually, I'm rather hoping that if everyone agrees on the guideline that SELinux policy packages are called selinux-modname withmodname being the policy name used by the reference

Re: [gentoo-hardened] SELinux policy module packages

2011-02-22 Thread Sven Vermeulen
-gnupg-X Phase 3 (fade-out) == sec-policy/selinux-gnupg is removed from Portage tree. BTW, the selinux-desktop one is a weird one and my suggestion would be to purge it (it's not manageable). Wkr, Sven Vermeulen

Re: [gentoo-hardened] Cleanup of sec-policy (old ebuilds)

2011-02-27 Thread Sven Vermeulen
stabilize) we at least are more confident that that won't happen. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux FAQ Handbook

2011-03-02 Thread Sven Vermeulen
specific dynamic variables (doc=3chap=1) Any objections to this? Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux FAQ Handbook

2011-03-09 Thread Sven Vermeulen
On Thu, Mar 03, 2011 at 04:24:13AM +0100, klondike wrote: 2011/3/2 Sven Vermeulen sven.vermeu...@siphos.be: [... Suggestion to make a SELinux FAQ document instead of having it as a chapter in the SELinux Handbook ...] Any objections to this? Nope, maybe you'd like to blend

[gentoo-hardened] SELinux and no-multilib

2011-03-18 Thread Sven Vermeulen
. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux and no-multilib

2011-03-18 Thread Sven Vermeulen
profile does /not/ allow multilib (you are not allowed to set the multilib USE flag). There's no profile that has a use.force on multilib. Or I could be completely wrong in this small analysis. I'm no profile/portage wizard though. Anyone up to the challenge? Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux base policy -r13 in overlay, adds ubac USE flag

2011-05-09 Thread Sven Vermeulen
having USE=ubac forced on by the SELinux profiles (so a user would need to use.force it in their local profile override location). Is that a situation you can live with? Wkr, Sven Vermeulen

[gentoo-hardened] SELinux policy and openrc

2011-05-13 Thread Sven Vermeulen
handbook in hardened-doc.git overlay. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux policy and openrc

2011-05-14 Thread Sven Vermeulen
:-( Chris R.: in https://bugs.gentoo.org/351712 the use of the wrappers was suggested instead of symlinks (which would've caused the same problems here I think) just for the reason that I'm writing out now. How did you resolve the problem on your system? Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux policy and openrc

2011-05-15 Thread Sven Vermeulen
On Sun, May 15, 2011 at 12:25:32AM +0200, Sven Vermeulen wrote: I just pushed selinux-base-policy-2.20101213-r15 to hardened-dev.git overlay. It does not resolve all problems, but at least Gentoo Hardened with SELinux now boots up properly with OpenRC (and the Gentoo SELinux handbook has been

Re: [gentoo-hardened] How openrc check the state of services?

2011-05-16 Thread Sven Vermeulen
It is the /sbin/rc binary which uses the information in /lib64/rc/init.d (a tmpfs mount). The tmpfs location has directories like started in which symlinks exist to the files in /etc/init.d. Wkr, Sven Vermeulen On Mon, May 16, 2011 at 2:49 AM, Tóth Attila at...@atoth.sote.hu wrote: Just

[gentoo-hardened] Project page changes, roadmap and support matrix

2011-05-24 Thread Sven Vermeulen
of applying the projects in Gentoo Hardened imo. Wkr, Sven Vermeulen [1] http://xrl.us/bkpo6j [2] http://xrl.us/bkpo62 [3] http://xrl.us/bkpo73

[gentoo-hardened] RFC - SELinux module documentation

2011-06-02 Thread Sven Vermeulen
, ... always appreciated. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux policy for nginx, or include in apache?

2011-06-15 Thread Sven Vermeulen
developer mass - in numbers, not in kilogram). Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

2011-06-19 Thread Sven Vermeulen
the necessary file context definitions specific for lighttpd. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

2011-06-19 Thread Sven Vermeulen
go to. I'll make the necessary preparations for it. Wkr, Sven Vermeulen

Re: [gentoo-hardened] Re: SELinux and KDE4.6.3

2011-06-24 Thread Sven Vermeulen
? Could you - setenforce 0 - /etc/init.d/dbus stop - setenforce 1 - clear avc.log - /etc/init.d/dbus start And then send in your avc.log file? The excerpt you pasted earlier is too big and spans multiple days, so is probably an amalgamation of different issues (cosmetic or not). Wkr, Sven Vermeulen

[gentoo-hardened] Updates on SELinux (base) policy and packages

2011-07-07 Thread Sven Vermeulen
with the string - bytes or string - unicode or ... changes that occur). I might take another stab at this in the future, but for now I've had about it :-( Wkr, Sven Vermeulen

Re: [gentoo-hardened] selinux puppet update for 2.6.8

2011-07-11 Thread Sven Vermeulen
/selinux-puppet-2.20101213-r1 [1] so if you want to test things out, you can subscribe to the overlay or put the necessary files in your own. [1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux bughunt

2011-07-21 Thread Sven Vermeulen
on it. Problem is that the definitions are ambiguous. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy r20 in hardened-dev.git, now with MCS/MLS

2011-07-21 Thread Sven Vermeulen
be changed to POLICY_TYPES=strict targeted mcs mls otherwise the base policy could support MCS/MLS but the modules themselves not. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux bughunt

2011-07-22 Thread Sven Vermeulen
to be built, which was confirmed fixed by the reporter. It doesn't talk about encryption or luks. I guess you mean bug #361911, which is about cryptsetup. This one is still open. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy r21 in hardened-dev.git

2011-07-24 Thread Sven Vermeulen
was semanage that fubar'ed /etc/selinux labels). Wkr, Sven Vermeulen

Re: [gentoo-hardened] Troubleshooting FIFO pipes with bad security contexts...

2011-08-06 Thread Sven Vermeulen
| postlog But again, please find out what procmail is doing so we can see that it gets a proper fix ;-) Wkr, Sven Vermeulen

Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE

2011-08-12 Thread Sven Vermeulen
... assuming xdm works through some PAM configuration, can you tell me how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like? If it doesn't source system-auth (which is where we put the pam_selinux.so call in) that might be the reason... Wkr, Sven Vermeulen

[gentoo-hardened] Remove obsolete pmask entries from profiles

2011-08-14 Thread Sven Vermeulen
/hardened/linux/package.mask Okay if those get removed? Report courtesy of http://qa-reports.gentoo.org/output/invalid-mask.txt Wkr, Sven Vermeulen

Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE

2011-08-14 Thread Sven Vermeulen
logons? Wkr, Sven Vermeulen

Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE

2011-08-14 Thread Sven Vermeulen
staff_u:staff_r:staff_t When I try it with kdm_t, I get an incorrect result as well (in my case, it would use sysadm_t which is definitely not something I would like to happen ;-) Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy r2 in hardened-dev overlay

2011-08-19 Thread Sven Vermeulen
brings in patches in our policy that upstream will never accept (and they're right not to accept it). Hence I'll be working on that the upcoming days. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux base policy r2 in hardened-dev overlay

2011-08-19 Thread Sven Vermeulen
On Fri, Aug 19, 2011 at 08:51:48PM +, Sven Vermeulen wrote: Okay, but what is this in-depth change that I was talking about. Well, SELinux policies support labeled init scripts. For instance, slapd_initrc_exec_t which allows the init script to run in an init script domain specific

Re: [gentoo-hardened] SELinux base policy r2 in hardened-dev overlay

2011-08-21 Thread Sven Vermeulen
at its .te file. So it looks as if we just need to add the proper optional_policy statements here. BTW, glad to hear you're seeing some free time in the near future ;-) Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux base policy r2 in hardened-dev overlay

2011-08-22 Thread Sven Vermeulen
Unless you mean to support it without asking for re-authentication. In that case, check out bug #365761. It contains a fix for this if you prepend your runscript activities with run_init. However, it seems not to support the use of rc-service though. Wkr, Sven Vermeulen

[gentoo-hardened] Update on SELinux development guideline(s)

2011-08-23 Thread Sven Vermeulen
, Sven Vermeulen

Re: [gentoo-hardened] Updated SELinux handbook

2011-10-19 Thread Sven Vermeulen
the old one (and still working), but for consistency sake, portage now uses /etc/portage/package.FOOBAR where FOOBAR is the same as the variable in make.conf (so accept_keywords, accept_licenses, ...) Wkr, Sven Vermeulen

Re: [gentoo-hardened] Updated SELinux handbook

2011-10-19 Thread Sven Vermeulen
On Wed, Oct 19, 2011 at 2:54 PM, J. Roeleveld jo...@antarean.org wrote: To the latest ~amd64? Or to which version? :) Latest is fine (for now ;-) Wkr, Sven Vermeulen

Re: [gentoo-hardened] Newbee alarm....

2011-11-03 Thread Sven Vermeulen
in permissive. Wkr, Sven Vermeulen

Re: [gentoo-hardened] On the right track?

2011-11-04 Thread Sven Vermeulen
-modules/patches Wkr, Sven Vermeulen

Re: [gentoo-hardened] Secpolicy collision

2011-11-11 Thread Sven Vermeulen
information. Wkr, Sven Vermeulen

Re: [gentoo-hardened] Secpolicy collision

2011-11-12 Thread Sven Vermeulen
On Sat, Nov 12, 2011 at 11:55:47AM +0100, Radosław Smogura wrote: I unmerged selinux-gnupg-2.20101213-r1 and installed selinux-gpg-2.20110726- r2. Good, that's confirmed then ;-) I've updated the dependency line in selinux-gpg accordingly. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 6 in hardened-dev

2011-11-12 Thread Sven Vermeulen
to match upstream style) I have also cleaned out our previous policies in the main portage tree (those before 2.20110627) which was quite some work (removal itself doesn't take that much time, but verifying that one isn't going to break systems is) but I'm glad that is now done. Wkr, Sven

[gentoo-hardened] SELinux bug reporting guide

2011-11-22 Thread Sven Vermeulen
=proj/hardened-docs.git;a=blob_plain;f=html/selinux-bugreporting.html;hb=HEAD I'll add in a live example the moment I find one that fulfills these ;-) Not saying there aren't any, just that I'm too lazy to find one right now. Wkr, Sven Vermeulen

Re: [gentoo-hardened] Re: Help with su (RESOLVED)

2011-11-27 Thread Sven Vermeulen
, but with limited capability. Hi Stan, This isn't really the way it is meant to resolve. From your denials, I gather that you were still running in staff_r role. You need to transition to sysadm_r role first and then try to perform your administrative tasks. Wkr, Sven Vermeulen

Re: [gentoo-hardened] Re: Help with su (RESOLVED)

2011-11-28 Thread Sven Vermeulen
in the first place. At least, I don't have it on my systems. The only place where pam_selinux is called is in the system-login definition for PAM (which is sourced by login, slim and sshd PAM definitions). Meh. Sven Vermeulen

Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...

2011-12-11 Thread Sven Vermeulen
. With the instructions given, you can even have your system validated (as far as possible) automatically. Wkr, Sven Vermeulen

Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...

2011-12-11 Thread Sven Vermeulen
On Sun, Dec 11, 2011 at 02:20:43PM +0200, Alex Efros wrote: On Sun, Dec 11, 2011 at 10:18:51AM +, Sven Vermeulen wrote: Also consider hardening your system settings-wise. I would appreciate if you take a look at http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html

[gentoo-hardened] SELinux base policy rev 9 in hardened-dev

2011-12-27 Thread Sven Vermeulen
/Knowledge_Base:Main_Page) Wkr, Sven Vermeulen

Re: [gentoo-hardened] hardened-sources tp_smapi, firefox-9.0 install stucks

2011-12-30 Thread Sven Vermeulen
, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 10 in hardened-dev

2011-12-30 Thread Sven Vermeulen
this was previously nicely shielded off through the PAM helpers). I don't know how to handle this case yet. I can definitely start updating the policies so they work without PAM, but I'd first like to know if there are people using SELinux without PAM... Wkr, Sven Vermeulen

Re: [gentoo-hardened] mount: unknown filesystem type 'selinuxfs'

2012-01-04 Thread Sven Vermeulen
filesystem type 'selinuxfs' What is the output of zgrep SELINUX /proc/config.gz (or grep SELINUX /usr/src/linux/.config)? Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 11 in hardened-dev

2012-01-10 Thread Sven Vermeulen
domains or switching to permissive first) working (through dracut for the moment). Hopefully that'll work in the near future :-( Wkr, Sven Vermeulen

Re: [gentoo-hardened] New amd64 install

2012-01-14 Thread Sven Vermeulen
, Sven Vermeulen

Re: [gentoo-hardened] Switching hardened amd64 to SELinux

2012-02-19 Thread Sven Vermeulen
installation instructions just for that) and enable dontaudits again (semodule -B). Wkr, Sven Vermeulen

Re: [gentoo-hardened] Switching hardened amd64 to SELinux

2012-02-20 Thread Sven Vermeulen
; # sysctl is triggering this I'll need to check the commit history to see if there was a particular reason why it is explicitly not set. Wkr, Sven Vermeulen

Re: [gentoo-hardened] permission problem in /etc

2012-02-20 Thread Sven Vermeulen
dovecot development (and then needs policy updates). At first sight, I don't see the dovecot_t domain to be capable of doing much with dovecot_etc_t if it is a directory: allow dovecot_t dovecot_etc_t:file read_file_perms; Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 13 in hardened-dev

2012-02-20 Thread Sven Vermeulen
) I will now focus on getting 2.20120215 in shape (together with the tools release), stabilize the 2.20110726 ones (around r11 which has now been around for a bit more than 30 days), work further on initramfs and our docs. Wkr, Sven Vermeulen

Re: [gentoo-hardened] Switching hardened amd64 to SELinux

2012-02-22 Thread Sven Vermeulen
when we call sysctl (to sysctl_t or so). Individual initrc_t domains (like sysctl_initrc_t) we don't support (yet). Wkr, Sven Vermeulen

[gentoo-hardened] SELinux userland utilities update

2012-02-24 Thread Sven Vermeulen
to add selinux-unconfined as well as an (optionally installable) module. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux userland utilities update

2012-02-25 Thread Sven Vermeulen
the simplicity of strict. But I think it is better to start users with MCS. After all, much of the online documentation already deals with categories levels. Wkr, Sven Vermeulen

Re: [gentoo-hardened] Gnome wrong Selinux user role.

2012-02-27 Thread Sven Vermeulen
can update the policy). ~# chcon -t xdm_exec_t /usr/sbin/gdm If the system complains about an unknown type, make sure you have the xserver module loaded: ~# emerge selinux-xserver ~# semodule -l | grep xserver ~# rlpkg gdm ~# ls -Z /usr/sbin/gdm Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 3 in hardened-dev

2012-02-27 Thread Sven Vermeulen
/apache start or using rc-service run_init rc-service apache start But as I said, I'll look at it more closely tomorrow. It's probably a change I forgot to forward-port or so... Wkr, Sven Vermeulen

Re: [gentoo-hardened] Gnome wrong Selinux user role.

2012-02-28 Thread Sven Vermeulen
is (usually) for. What file have you edited? /etc/pam.d/gdm? Is there an xdm file as well? Perhaps that one is used? Wkr, Sven Vermeulen

Re: [gentoo-hardened] Unsolved AVCs on a hardened/linux/amd64/selinux

2012-03-02 Thread Sven Vermeulen
information about SELinux bug reporting, please see http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml Wkr, Sven Vermeulen

Re: [gentoo-hardened] Problems with su on 20120215 policy and latest policycoreutils

2012-03-10 Thread Sven Vermeulen
staff_su_t security_t : filesystem getattr ; Wkr, Sven Vermeulen

Re: [gentoo-hardened] permission problem in /etc

2012-03-13 Thread Sven Vermeulen
. But there are probably other applications or services that we offer that still do not have a proper policy with it (after all, we have about 230 policy modules whereas there are several thousand packages in our tree... Wkr, Sven Vermeulen

Re: [gentoo-hardened] Setting filesystem labels for SELinux fails

2012-03-18 Thread Sven Vermeulen
. partitions are /boot, /home, /srv, /tmp, /usr and /var - stored on /dev/md1-7, which are formatted using ext4. Do you have built-in support for extended attributes in the kernel (for these file systems)? Wkr, Sven Vermeulen

Re: [gentoo-hardened] Setting filesystem labels for SELinux fails

2012-03-18 Thread Sven Vermeulen
-a -r Did the setfiles commands (mentioned in the installation instructions before the rlpkg -a -r) succeed, or did they give the same error? Wkr, Sven Vermeulen

Re: [gentoo-hardened] Setting filesystem labels for SELinux fails

2012-03-22 Thread Sven Vermeulen
/etc/shadow: hpl ~ # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) context=staff_u:sysadm_r:sysadm_t hpl ~ # cat /etc/shadow cat: /etc/shadow: Permission denied Wkr, Sven Vermeulen

Re: [gentoo-hardened] Running Skype on Hardened

2012-03-29 Thread Sven Vermeulen
for my Skype: paxctl -C /opt/skype/skype paxctl -me /opt/skype/skype Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 6 in hardened-dev

2012-03-29 Thread Sven Vermeulen
for dhcpc (in sysnetwork) no bugAllow sys_admin capability for init scripts (modify sysctl settings) If there are no vital issues on this the next day or so, I'll start moving stuff to the main tree (~arch'ed) in the course of this weekend. Wkr, Sven Vermeulen

Re: [gentoo-hardened] Booting selinux on the bleeding edge

2012-04-05 Thread Sven Vermeulen
about it though... Wkr, Sven Vermeulen

Re: [gentoo-hardened] Booting selinux on the bleeding edge

2012-04-08 Thread Sven Vermeulen
see that udev isn't the first thing that is started (and that, if it gets started in enforcing mode, it might already need a correctly labeled /dev when running without unconfined domains). Oh well, still lots of work ahead. Wkr, Sven Vermeulen

Re: [gentoo-hardened] www-client/chromium SELinux sandbox

2012-04-10 Thread Sven Vermeulen
as it is much more lax than a regular transition. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 7 in hardened-dev

2012-04-11 Thread Sven Vermeulen
it create cronjob_t keys Still, since rev 6 is two weeks ago and the init script stuff might be a bit too blocking for some, and it's raining here, it's a good time to push this out. Wkr, Sven Vermeulen

Re: [gentoo-hardened] emerge via ssh doesn't work

2012-04-13 Thread Sven Vermeulen
, Sven Vermeulen

Re: [gentoo-hardened] samba 4 MLS -- strict modules

2012-04-15 Thread Sven Vermeulen
/include/Makefile samba4.pp ~# semodule -i samba4.pp Perhaps you also have a .fc file that goes with it? If you do, that might contain some references to sensitivity labels or so that only apply to MLS. In that case, tell me what the .fc file looks like. Wkr, Sven Vermeulen

Re: [gentoo-hardened] www-client/chromium SELinux sandbox

2012-04-17 Thread Sven Vermeulen
(like is done with mozilla and mozilla_plugin_t). But I don't think it'll be hard to develop a chrome module. I might do it just to make better documentation on how to develop modules yourself. Wkr, Sven Vermeulen

Re: [gentoo-hardened] RFC: Removing -unicode from all hardened profiles

2012-04-21 Thread Sven Vermeulen
, are well capable of being supported on a default server. Especially with more and more users and organizations adopting unicode as the default character format rather than the older ISO-* ones. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 8 in hardened-dev

2012-04-22 Thread Sven Vermeulen
their patches from this tree instead, that should make development a bit easier for them. Wkr, Sven Vermeulen

[gentoo-hardened] Eclass update to support user-specific (overlay-driven) policy enhancements

2012-04-26 Thread Sven Vermeulen
check with the QA folks a bit later (after some more testing). Wkr, Sven Vermeulen

Re: [gentoo-hardened] Eclass update to support user-specific (overlay-driven) policy enhancements

2012-05-15 Thread Sven Vermeulen
. The eclass is currently still in hardened-dev overlay. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 9 in hardened-dev

2012-05-15 Thread Sven Vermeulen
default context definitions #410951 Use /usr/lib and /lib instead of the /usr/lib(64)? and similar calls Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 10 in hardened-dev, Python3 support too

2012-05-26 Thread Sven Vermeulen
duplicate file context definition for firefox Nothing major, but since it contains a few needed fixes for ~arch systems I didn't want to wait any further. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux change history

2012-05-26 Thread Sven Vermeulen
, interesting - If so, is it best placed at the end of the SELinux Handbook, or kept as a separate guide (and just documented in the handbook that it exists)? Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 11 in hardened-dev

2012-05-28 Thread Sven Vermeulen
will result in a failure. Of course, substitute strict with your SELinux policy type you have installed. This also means that r9 and r10 are no candidates for stabilization. And since r8 is fairly low on changes, r11 is the next stabilization candidate. Wkr, Sven Vermeulen

Re: [gentoo-hardened] SELinux base policy rev 11 in hardened-dev

2012-05-29 Thread Sven Vermeulen
for db_schema, I think. You're right; the upstream patch didn't apply cleanly so I had to do some stuff manually, and this one slipped. There's also a ype_transition somewhere that should be type_transition. Wkr, Sven Vermeulen

[gentoo-hardened] SELinux base policy rev 12 in hardened-dev

2012-06-14 Thread Sven Vermeulen
now and again, especially before stabilization, together with the Python2 and Python3 tests and other regressions that I've documented. Wkr, Sven Vermeulen

[gentoo-hardened] Heads-up on SELinux profile update

2012-06-18 Thread Sven Vermeulen
profile) - the util-linux and pam package versions are already quite old (stable versions are a lot higher than those) and I don't see a need to fix util-linux and pam in the system set for SELinux I'll pun them in a few days if there are no objections. Wkr, Sven Vermeulen Index: packages
