Mailing List Archive: Gentoo: Hardened

SELinux base policy rev 11 in hardened-dev



swift at gentoo

May 28, 2012, 2:13 AM

Post #1 of 3 (298 views)
SELinux base policy rev 11 in hardened-dev

Hi guys 'n girls,

The next iteration of our policies is now in the hardened-dev overlay. For
~arch users, this is one you will probably need to install through a small
workaround, but first the changes:

#417937 Do not audit access to device_t:chr_file by dmesg
#417857 Support dynamic /run directories
#413719 Correct udev context in /run/udev
<no bug> Backporting SEPostgresql changes
<no bug> Update udev file contexts (udevadm and udevd binaries)
#417821 Mark /etc/selinux/*/modules as semanage_store_t (fixes permission issue on .../modules/tmp)

~arch users will, if they have -r9 or -r10 installed, need to do the
following steps first:

"""
setenforce 0
semanage fcontext -a -t semanage_store_t "/etc/selinux/strict/modules"
restorecon -R /etc/selinux/strict/modules
setenforce 1
"""

This is because otherwise any attempt to load the new policy will result in
a failure. Of course, substitute "strict" with the SELinux policy type you
have installed.

This also means that r9 and r10 are not candidates for stabilization. And
since r8 is fairly low on changes, r11 is the next stabilization candidate.

Wkr,
Sven Vermeulen


h.v.bruinehsen at fu-berlin

May 29, 2012, 8:30 AM

Post #2 of 3 (272 views)
Re: SELinux base policy rev 11 in hardened-dev [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28.05.2012 11:13, Sven Vermeulen wrote:
> Hi guys 'n girls,
>
> The next iteration of our policies is now in the hardened-dev
> overlay. For ~arch users, this is one you will probably need to
> install through a small workaround, but first the changes:
>
> #417937 Do not audit access to device_t:chr_file by dmesg
> #417857 Support dynamic /run directories
> #413719 Correct udev context in /run/udev
> <no bug> Backporting SEPostgresql changes
> <no bug> Update udev file contexts (udevadm and udevd binaries)
> #417821 Mark /etc/selinux/*/modules as semanage_store_t (fixes permission issue
> on .../modules/tmp)
>
> ~arch users will, if they have -r9 or -r10 installed, need to do
> the following steps first:
>
> """
> setenforce 0
> semanage fcontext -a -t semanage_store_t "/etc/selinux/strict/modules"
> restorecon -R /etc/selinux/strict/modules
> setenforce 1
> """
>
> This is because otherwise any attempt to load the new policy will
> result in a failure. Of course, substitute "strict" with your
> SELinux policy type you have installed.
>
> This also means that r9 and r10 are no candidates for
> stabilization. And since r8 is fairly low on changes, r11 is the
> next stabilization candidate.
>
> Wkr, Sven Vermeulen
>

Hi,

I've got some problems with r11 on mcs. The error is:

Creating mcs base module base.conf
Compiling mcs base module
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:2184:ERROR 'permission execute is not defined' at token ';'
on line 2184:
( h1 dom h2 );
mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1

The error is introduced in
"0098-all-sepostgresql_updates_backport-r11.patch".

In older versions db_schema is db_language (which by the way is in the
older versions defined two times). If I remove the "execute" from
db_schema it builds. I don't know if db_schema needs execute, if not
it should be dropped, otherwise execute should be defined for
db_schema, I think.

WKR

Hinnerk van Bruinehsen



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPxOuhAAoJEJwwOFaNFkYc1hkIAI0IPqIVub5DgflWjMaxo2dW
fWFsXmtyDWQ6peRf+FgKszwDe+XHw1IL9bW9UdVDd7/ClN+8tJnTm5Da1cd5txN4
gx+QyUiahw6WL4sgb9aQZo+Fkfm1YpdU3VsFvjtLbxvmiRG6LHAuwY7e8nvEDC5h
REkpjMc/F5tWaT0WGd8UobYzY75MABGaH94ZwInIkl3KVPT8dMM6OSJ8Z4tmeWaT
q45moIerdk5mQFu/cYcB3V/29QSx3Z3nI/Ehk547RWoAvBqCNyn6GknpF0nh+jYb
q4N28fsnnHnj55g39LHZJqV2IqfRzIsWsgcUmJKzCI7As7VMePLNZtlB0shl7/Y=
=mCYS
-----END PGP SIGNATURE-----


swift at gentoo

May 29, 2012, 11:08 AM

Post #3 of 3 (276 views)
Re: SELinux base policy rev 11 in hardened-dev [In reply to]

On Tue, May 29, 2012 at 05:30:41PM +0200, Hinnerk van Bruinehsen wrote:
> I've got some problems with r11 on mcs. The error is:
>
> Creating mcs base module base.conf
> Compiling mcs base module
> /usr/bin/checkmodule: loading policy configuration from base.conf
> base.conf:2184:ERROR 'permission execute is not defined' at token ';'
> on line 2184:
> ( h1 dom h2 );
> mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
>
> The error is introduced in
> "0098-all-sepostgresql_updates_backport-r11.patch".
>
> In older versions db_schema is db_language (which by the way is in the
> older versions defined two times). If I remove the "execute" from
> db_schema it builds. I don't know if db_schema needs execute, if not
> it should be dropped, otherwise execute should be defined for
> db_schema, I think.

You're right; the upstream patch didn't apply cleanly so I had to do some
stuff manually, and this one slipped.

There's also a "ype_transition" somewhere that should be "type_transition".

Wkr,
Sven Vermeulen
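The two defects in this exchange (a permission named in an mlsconstrain that the object class never declares, which checkmodule rejects at build time, and the "ype_transition" keyword typo) are both cheap to catch before running the full policy build. The following lint is an added example written for this thread; it is not code from the Gentoo or reference policy projects. It assumes the plain base.conf subset of the kernel policy language (common/class declarations and constraint statements) and uses a constructed policy fragment that mirrors the r11 situation: db_schema inherits the database common, which has no execute permission, while db_language declares it.

```python
import re

# Statement openers of the kernel policy language that the lint recognises.
# Assumption: this subset covers base.conf fragments; extend as needed.
KNOWN_STATEMENTS = {
    "class", "common", "sid", "attribute", "type", "typealias", "typeattribute",
    "typebounds", "bool", "allow", "auditallow", "dontaudit", "neverallow",
    "type_transition", "type_member", "type_change", "role", "user",
    "constrain", "mlsconstrain", "validatetrans", "mlsvalidatetrans",
    "sensitivity", "dominance", "category", "level", "range_transition",
    "role_transition", "genfscon", "portcon", "netifcon", "nodecon",
    "fs_use_xattr", "fs_use_task", "fs_use_trans", "optional", "if", "else",
    "permissive", "policycap", "default_user", "default_role", "default_type",
    "default_range",
}

# common NAME { perms }
COMMON_RE = re.compile(r"^\s*common\s+(\w+)\s*\{([^}]*)\}", re.M)
# class NAME [inherits COMMON] { perms }  (bare "class NAME" forward
# declarations carry no brace and are skipped on purpose)
CLASS_RE = re.compile(
    r"^\s*class\s+(\w+)(?:\s+inherits\s+(\w+))?\s*\{([^}]*)\}", re.M)
# [mls]constrain CLASS|{ CLASSES } { PERMS } expression ;
CONSTRAIN_RE = re.compile(
    r"^\s*(?:mls)?constrain\s+(\{[^}]*\}|\w+)\s*\{([^}]*)\}", re.M)


def strip_comments(text):
    """Drop '#' comments so names inside them are not parsed as policy."""
    return re.sub(r"#.*", "", text)


def parse_classes(text):
    """Map each object class to its full permission set (own + inherited)."""
    text = strip_comments(text)
    commons = {n: set(p.split()) for n, p in COMMON_RE.findall(text)}
    classes = {}
    for name, parent, perms in CLASS_RE.findall(text):
        classes[name] = set(perms.split()) | commons.get(parent, set())
    return classes


def check_constraints(text):
    """Return (class, perm) pairs where a constraint names a permission the
    class does not declare; perm is None when the class itself is unknown."""
    classes = parse_classes(text)
    problems = []
    for cls_spec, perms in CONSTRAIN_RE.findall(strip_comments(text)):
        for cls in cls_spec.strip("{} ").split():
            declared = classes.get(cls)
            if declared is None:
                problems.append((cls, None))
                continue
            problems.extend((cls, p) for p in perms.split() if p not in declared)
    return problems


def find_unknown_statements(text):
    """Heuristic keyword check: a line that opens a new statement (the previous
    non-blank line ended in ';' or '}') must begin with a known keyword."""
    findings = []
    prev_end = ";"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first = line.split()[0]
        if (prev_end in ";}" and re.fullmatch(r"[A-Za-z_]\w*", first)
                and first not in KNOWN_STATEMENTS):
            findings.append((lineno, first))
        prev_end = line[-1]
    return findings


def report(text):
    """Human-readable findings, one line per defect."""
    out = []
    for cls, perm in check_constraints(text):
        if perm is None:
            out.append(f"constraint on undeclared class {cls}")
        else:
            out.append(f"class {cls}: permission '{perm}' used in constraint "
                       "but not declared")
    for lineno, tok in find_unknown_statements(text):
        out.append(f"line {lineno}: unknown statement keyword '{tok}'")
    return out


# Constructed base.conf-style fragment (not the real refpolicy file): the
# db_schema constraint reuses the db_language permission list, and the last
# line carries the keyword typo mentioned in the thread.
SAMPLE_POLICY = """\
# security_classes / access_vectors / mls, collapsed into one fragment
common database { create drop getattr setattr relabelfrom relabelto }
class db_schema
class db_language
class db_schema inherits database { add_name remove_name search }
class db_language inherits database { implement execute }
type postgresql_t;
type postgresql_db_t;
mlsconstrain db_language { drop getattr setattr relabelfrom execute }
    ( h1 dom h2 );
mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
    ( h1 dom h2 );
ype_transition postgresql_t postgresql_db_t:db_schema postgresql_db_t;
"""

if __name__ == "__main__":
    for line in report(SAMPLE_POLICY):
        print(line)
```

Running it on the constructed fragment reports the db_schema/execute mismatch and the bad keyword on line 13; on a policy tree it can be pointed at the assembled base.conf (or the individual access_vectors and mls files) before checkmodule is invoked, so a backport that was merged by hand fails the lint rather than the build.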
