Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: Hardened

SELinux base policy rev 14 in hardened-dev

 

 

Gentoo hardened RSS feed   Index | Next | Previous | View Threaded


swift at gentoo

Jul 10, 2012, 12:14 PM

Post #1 of 1 (208 views)
Permalink
SELinux base policy rev 14 in hardened-dev

Hi golks,

Revision 14 of the SELinux policies is now in hardened-dev overlay. I will,
from now on, bump all SELinux ebuilds as that seems to be necessary to
support changes in the policies (well, not always, but the moment an
interface is updated that is called by many/all modules, it is not
sufficient to just reload them, you need to rebuild them).

Luckily, it seems that Portage is working out some support for these cases
and I *think* I can have all ebuilds depend on selinux-base-policy with that
SLOT-abi-stuff that has been on the mailinglist a while back. That might
automatically rebuild the packages, and as such removes the need to bump all
other module packages.

That being said, this revision includes the following changes:

#410961 Get the descriptions for booleans properly displayed
<no bug> Backport nss_domain attribute patch
<no bug> Backport blueman policy
<no bug> Backport bcfg2 policy
#424359 Allow udev init script to generate correct labels on data &
rules.d (/run/udev)
<no bug> Backport support/ related commits
<no bug> Backport packagekit file contexts
<no bug> Refactor dracut domain policy
<no bug> Refactor fixes for udev and init support for /run directory

Bug #424359 especially is important for the users that noticed their Xorg
not accepting keyboard commands (or even mouse input, although I couldn't
reproduce it for mice). A quick fix with earlier policies is to "restorecon
-Rv /run" but this policy update makes it that this isn't necessary anymore.

There is another tracker still open (#424173) which I'll use to track other
bugs related to the introduction of /run. However, for those wondering - I
can't handle the comment in the tracker itself, there is too much cruft in
it. Bugreports for the SELinux policy should be quite isolated so that
updates can be made in a progressive approach. This is needed if we want to
still keep pushing our changes upstream.

Speaking of upstream, I *might* switch from the refpolicy builds to our own
policy builds. I'm seriously considering adding more comments to our
policies to make it easier to support in the future, as well as enhance the
documentation from it. But that means the patches are less likely to get
accepted as-is by the reference policy. That's however not really a problem,
since I've been manually moving changes upstream anyhow.

Using our own builds also makes the deployment faster, since we're currently
already at 118 patch sets (for a total of 186 patches) of which 36 patchsets
have been accepted upstream, 8 are waiting submission, 61 have not been sent
out (either because they don't match the coding style or need refinement)
and 4 are not going to be sent out (as they don't match the reference
policy's focus).

The reason I'm not doing it immediately is because I want to make sure, for
myself, that I can keep on pushing our changes upstream, helping the rest of
the SELinux community with our updates. That's also the only change, since
backporting changes from refpolicy to our tree is fairly easy (as you can
see from rev 14, many backports) so we stay on track (and up2date).

That being said, please give revision 14 a go. I'm going to push it to the
main tree in a couple of days and am considering fast-moving this to stable
(not wait the usual 30 days) since the current stable doesn't play well with
the /run changes (of which rev12, 13 and 14 contain very important patches
for).

Wkr,
Sven Vermeulen

Gentoo hardened RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.