Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-09 Thread Jason Zaman
On Mon, Jun 9, 2014 at 7:43 PM, Michael Orlitzky m...@gentoo.org wrote: On 06/07/2014 08:55 PM, Anthony G. Basile wrote: When running with a pax kernel, you must enable EMUTRAMP in your Kconfig and you must paxmark your python exe's with E. Note: EMUTRAMP is on by default and the ebuild

Re: [gentoo-hardened] Update on SELinux eclass to support different git repo or branch

2014-08-06 Thread Jason Zaman
On 6 Aug 2014 12:30, Sven Vermeulen sw...@gentoo.org wrote: Hi all Our live sec-policy/selinux-* packages (the ones with the - version) have been using our git repository for some time. Although users could always override these with packagename_LIVE_REPO, it meant that they had to

Re: [gentoo-hardened] Help testing full end-to-end xattr support in portage

2014-08-06 Thread Jason Zaman
On Tue, Aug 05, 2014 at 05:48:23AM +0300, Alex Efros wrote: Hi! On Thu, Jun 26, 2014 at 08:57:12AM -0400, Anthony G. Basile wrote: Thanks Alex, perfinion hit this bug and fixed it. Can you test with install-xattr-. I don't want to push out a minor bump just for one patch until we

Re: [gentoo-hardened] Incorrect contexts in /run revisited

2014-08-16 Thread Jason Zaman
On Sat, Aug 16, 2014 at 03:46:43PM -0400, Ben Pritchard wrote: Hello all In March, I reported some issues with SELinux contexts in /run. (I seem to have misplaced the email -- archive at http://article.gmane.org/gmane.linux.gentoo.hardened/6180). It looks like Sven added the functionality

Re: [gentoo-hardened] RFC: Improving support for (re)labeling packages when SELinux dependency is added

2014-08-21 Thread Jason Zaman
On Thu, Aug 21, 2014 at 06:13:01PM +, Sven Vermeulen wrote: During a discussion about dependencies and SELinux labeling, I noticed that we might want to improve how we currently handle pure policy-related dependencies. What we want to get at, is that the installation of a SELinux policy

Re: [gentoo-hardened] RFC: Improving support for (re)labeling packages when SELinux dependency is added

2014-08-26 Thread Jason Zaman
On Thu, Aug 21, 2014 at 06:46:37PM +, Sven Vermeulen wrote: On Thu, Aug 21, 2014 at 10:42:21PM +0400, Jason Zaman wrote: Something like so (which we can do in the selinux-policy-2.eclass): pkg_postinst() { # Find all packages with this package in their RDEPEND PKGSET

Re: [gentoo-hardened] missing the meeting

2014-12-20 Thread Jason Zaman
On Thu, Dec 18, 2014 at 08:09:01PM -0500, Anthony G. Basile wrote: Hi fellow hardened devs: I'm sorry for missing the meeting but things came up and the day got hectic. It is an important meeting because we were to discuss: 1) what we want with toolchain.eclass - There is a move to get

Re: [gentoo-hardened] Re: docker updates

2015-02-27 Thread Jason Zaman
On Fri, Feb 27, 2015 at 08:04:52PM +0200, Alex Efros wrote: Hi! On Fri, Feb 27, 2015 at 10:38:34AM -0600, Alex Brandt wrote: Somewhat sarcastic but actually true. I don't recommend running production applications inside of Gentoo based containers. This makes sense for Gentoo, but my

Re: [gentoo-hardened] systemd + selinux

2015-06-20 Thread Jason Zaman
On Sat, Jun 20, 2015 at 08:09:08PM +0200, Simon Maurer wrote: Hi, I tried to use selinux with systemd, but without much success. Looks like the whole transitioning is broken. (Most daemons are stuck in the init_t domain) What I don't understand is, while more and more distros switching to

Re: [gentoo-hardened] Feedback on article recommending Gentoo for SELinux

2015-07-13 Thread Jason Zaman
On Sun, Jul 12, 2015 at 04:46:03PM -0700, S. Lockwood-Childs wrote: I'd appreciate feedback on a blog-style article[1] talking about how CIL is going to improve SELinux policy maintenance, and in particular, the last section where I try to point out how good Gentoo is for experimenting with

Re: [gentoo-hardened] Feedback on article recommending Gentoo for SELinux

2015-07-13 Thread Jason Zaman
On Mon, Jul 13, 2015 at 03:02:55PM +0200, Sven Vermeulen wrote: On Mon, Jul 13, 2015 at 1:31 PM, Jason Zaman perfin...@gentoo.org wrote: Secondly, related to poor support for preserving local changes across system updates. The tools now have the concept of priority so users can easy

[gentoo-hardened] Call for testers: SELinux + SystemD

2015-10-26 Thread Jason Zaman
Hi all, Lots of people have been asking about systemd selinux policy support. It is finally almost here! The basic support was added upstream a few days ago and is now merged into our repo. If anyone wants to test it and let me know how it works (or even better, send patches upstream) that'd be

Re: [gentoo-hardened] [PATCH] contrib/portage: Fix portage_ro_role interface

2015-10-22 Thread Jason Zaman
On Mon, Oct 19, 2015 at 02:04:06PM +0200, Luis Ressel wrote: > According to its documentation, portage_ro_role expects a role for $1 > and a type for $2, just like other _role interfaces. However, the policy > directives inside the interface don't match its documentation and expect > $1 to be a

Re: [gentoo-hardened] [PATCH 1/4] portage: Dontaudit setattr in portage_dontaudit_write_cache

2015-10-17 Thread Jason Zaman
On Thu, Oct 15, 2015 at 12:44:40PM +0200, Luis Ressel wrote: > --- > policy/modules/contrib/portage.if | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/policy/modules/contrib/portage.if > b/policy/modules/contrib/portage.if > index 640a63b..c98a763 100644 > ---

Re: [gentoo-hardened] Setools 4.1.0 emerge failure

2017-02-04 Thread Jason Zaman
On Fri, Feb 03, 2017 at 02:54:28PM +, Robert Sharp wrote: > Hi, > just emerged the new setools-4.1.0 and it falls over. I do not have X on > this machine and it seems to fail when patching to remove the gui? Here > are the details. I fixed it yesterday, re-emerge and it'll work now.

Re: [gentoo-hardened] SELinux cronjobs in wrong context?

2017-01-30 Thread Jason Zaman
On Mon, Jan 30, 2017 at 10:35:18PM +, Robert Sharp wrote: > Just when I thought I was getting near to switching on strict and all of > a sudden my cron jobs are throwing AVCs all over. > > > The gist of it is all the same, for example: > scontext=user_u:user_r:cronjob_t

Re: [gentoo-hardened] Portage-related AVCs

2016-11-23 Thread Jason Zaman
On Wed, Nov 23, 2016 at 12:58:34PM +, Robert Sharp wrote: > Hi, > > just done my weekly update and I noticed the following AVCs occurred > that suggest something missing in the portage policy? > > type=PROCTITLE msg=audit(1479900756.052:3548): >

Re: [gentoo-hardened] Portage-related AVCs

2016-11-23 Thread Jason Zaman
On Wed, Nov 23, 2016 at 04:59:03PM +, Robert Sharp wrote: > > On 23/11/16 15:58, Jason Zaman wrote: > > Either is fine, but I'm probably just gonna stabilize the 2.6 userspace > > in a couple weeks so that one is likely easier. and setools4 is waaay > > better tha

Re: [gentoo-hardened] Portage-related AVCs

2016-11-23 Thread Jason Zaman
On Wed, Nov 23, 2016 at 05:20:59PM +, Robert Sharp wrote: > On 23/11/16 16:59, Robert Sharp wrote: > > > > On 23/11/16 15:58, Jason Zaman wrote: > >> Either is fine, but I'm probably just gonna stabilize the 2.6 userspace > >> in a couple weeks so that o

Re: [gentoo-hardened] Portage-related AVCs

2016-11-24 Thread Jason Zaman
On Thu, Nov 24, 2016 at 09:13:35PM +, Robert Sharp wrote: > On 24/11/16 17:07, Jason Zaman wrote: > > That warning is harmless, I'll remove the line from the policy later. > > for now ignore it or manually remove the line to silence the warning. > > http://blog.perfinio

Re: [gentoo-hardened] SELinux and rkhunter

2016-11-25 Thread Jason Zaman
On Fri, Nov 25, 2016 at 10:16:24AM +, Robert Sharp wrote: > Hi, > > I can run rkhunter as root with role sysadm_r and there are no issues, > but when I run it from a cron job I get lots of AVCs because the source > context is system_cronjob_t. I am using vixie-cron and running rkhunter >

Re: [gentoo-hardened] Portage-related AVCs

2016-11-24 Thread Jason Zaman
On Thu, Nov 24, 2016 at 03:29:54PM +, Robert Sharp wrote: > On 23/11/16 17:30, Jason Zaman wrote: > > On Wed, Nov 23, 2016 at 05:20:59PM +, Robert Sharp wrote: > >> On 23/11/16 16:59, Robert Sharp wrote: > >>> On 23/11/16 15:58, Jason Zaman wrote: > >

Re: [gentoo-hardened] Questions about SELinux

2016-11-12 Thread Jason Zaman
On Sat, Nov 12, 2016 at 04:45:23PM +, Robert Sharp wrote: > Hi there, > > is this the best place to raise questions about SELinux, or would I be > better trying chat? I am making a big effort to get to enforcing strict > on a simple server and I am struggling a little. Here is good, there

Re: [gentoo-hardened] SELinux sysnetwork policy update?

2016-12-09 Thread Jason Zaman
On 9 Dec 2016 16:29, "Robert Sharp" wrote: Just updated all my SELinux policies to 20161023-r1 as they are now stable, which undid one little fix, so I thought I would mention it. Sysnetwork.te does not cover the possibility that dhcpcd may run resolvconf from the

Re: [gentoo-hardened] Policies and Ports - how to define access?

2016-12-01 Thread Jason Zaman
On Thu, Dec 01, 2016 at 10:24:21AM +, Robert Sharp wrote: > Hi, > > > I've looked at the Gentoo SELinux web pages etc, the SELinux Handbook > and through the Reference Policy and I cannot find the answer to a > simple question. > > I am writing a small policy for my backup system and I

Re: [gentoo-hardened] Dnsmasq starts in wrong context after interface cycling?

2017-04-20 Thread Jason Zaman
On Wed, Apr 19, 2017 at 02:12:36PM +0100, Robert Sharp wrote: > I had a problem with Dnsmasq that led to my last post on understanding > where policies come from. Now that I know and have had dnsmasq > comfortably running with udp comms to unbound on port 553, I have run > into the original

Re: [gentoo-hardened] Core Policy versus selinux ebuilds

2017-04-16 Thread Jason Zaman
On Thu, Apr 13, 2017 at 12:02:24PM +0100, Robert Sharp wrote: > Is there a difference between policies that appear to be in core but > also have their own ebuilds? For example: selinux-ddclient versus > policy/modules/contrib/dnsmasq.* and selinux-ddclient versus >

Re: [gentoo-hardened] Enabling hardened/selinux profile OK?

2017-12-02 Thread Jason Zaman
Sounds good to me. I'm traveling so great if you can do it :-) On Dec 2, 2017 17:20, "Sven Vermeulen" wrote: > On the chat it was noticed that we don't have a hardened/selinux profile > anymore. Is it OK if I add it, with a parent of > .. > ../../../../../features/selinux