| Summary: | [TRACKER] Restructuring of the SELinux Profiles | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Anthony Basile <blueness> |
| Component: | Hardened | Assignee: | SE Linux Bugs <selinux> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | ago, bugs+gentoo |
| Priority: | Normal | Keywords: | Tracker |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 346563 | | |
| Bug Blocks: | | | |
Description
Anthony Basile
2011-05-01 00:29:59 UTC
Here's the resulting selections for amd64:

```
# eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/desktop
  [3]   default/linux/amd64/10.0/desktop/gnome
  [4]   default/linux/amd64/10.0/desktop/kde
  [5]   default/linux/amd64/10.0/developer
  [6]   default/linux/amd64/10.0/no-multilib
  [7]   default/linux/amd64/10.0/server
  [8]   hardened/linux/amd64
  [9]   hardened/linux/amd64/selinux
  [10]  hardened/linux/amd64/no-multilib
  [11]  hardened/linux/amd64/no-multilib/selinux *
```

Selections 9 and 11 are hardened amd64 + selinux feature.

Here's the resulting selections for x86:

```
# eselect profile list
Available profile symlink targets:
  [1]   default/linux/x86/10.0
  [2]   default/linux/x86/10.0/desktop
  [3]   default/linux/x86/10.0/desktop/gnome
  [4]   default/linux/x86/10.0/desktop/kde
  [5]   default/linux/x86/10.0/developer
  [6]   default/linux/x86/10.0/server
  [7]   hardened/linux/x86
  [8]   hardened/linux/x86/selinux *
```

Here are the resulting stackings for the tree profiles:

amd64-multilib:

```
# ./check_profiles_stack.py
/usr/portage/profiles/base
/usr/portage/profiles/default/linux
/usr/portage/profiles/arch/base
/usr/portage/profiles/features/multilib
/usr/portage/profiles/features/multilib/lib32
/usr/portage/profiles/arch/amd64
/usr/portage/profiles/releases
/usr/portage/profiles/releases/10.0
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/amd64
/usr/portage/profiles/features/selinux
/usr/portage/profiles/hardened/linux/amd64/selinux
```

amd64-nomultilib:

```
# ./check_profiles_stack.py
/usr/portage/profiles/base
/usr/portage/profiles/default/linux
/usr/portage/profiles/arch/base
/usr/portage/profiles/features/multilib
/usr/portage/profiles/features/multilib/lib32
/usr/portage/profiles/arch/amd64
/usr/portage/profiles/releases
/usr/portage/profiles/releases/10.0
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/amd64
/usr/portage/profiles/features/64bit-native
/usr/portage/profiles/hardened/linux/amd64/no-multilib
/usr/portage/profiles/features/selinux
/usr/portage/profiles/hardened/linux/amd64/no-multilib/selinux
```

x86:

```
# ./check_profiles_stack.py
/usr/portage/profiles/base
/usr/portage/profiles/default/linux
/usr/portage/profiles/arch/base
/usr/portage/profiles/arch/x86
/usr/portage/profiles/releases
/usr/portage/profiles/releases/10.0
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/x86
/usr/portage/profiles/features/selinux
/usr/portage/profiles/hardened/linux/x86/selinux
```

These are identical to the corresponding non-selinux hardened profiles, with the selinux feature added last (highest priority) in the stack.

Finally, note that this structure solves the problem with amd64 nomultilib selinux. In the old profiles, the problem was that glibc was being built with multilib despite the fact that multilib was being turned off (notice the intermediate inheritance of features/multilib/lib32 in the nomultilib profile!). This would cause glibc's sanity check to fail on libgcc, which was mixed ABI.

If no one sees any objection at this point, I'll add it in a few days.

(In reply to comment #3)
> If no one sees any objection at this point, I'll add it in a few days.

It's in.

```
17 May 2011; Anthony G. Basile <blueness@gentoo.org>
+features/selinux/make.defaults, +features/selinux/package.mask,
+features/selinux/package.use.force, +features/selinux/package.use.mask,
+features/selinux/packages, +features/selinux/profile.bashrc,
+features/selinux/use.force, +features/selinux/use.mask,
+features/selinux/virtuals, +hardened/linux/amd64/no-multilib/selinux/parent,
+hardened/linux/amd64/selinux/parent, +hardened/linux/x86/selinux/parent,
profiles.desc:
Added new features/selinux profile. Bug #365483
```

These have finally been marked stable. So I'm closing this bug.

At some point we may want to think about deprecating

```
[12]  selinux/2007.0/amd64
[13]  selinux/2007.0/amd64/hardened
[14]  selinux/v2refpolicy/amd64
[15]  selinux/v2refpolicy/amd64/desktop
[16]  selinux/v2refpolicy/amd64/developer
[17]  selinux/v2refpolicy/amd64/hardened
[18]  selinux/v2refpolicy/amd64/server
```

and

```
[9]   selinux/2007.0/x86
[10]  selinux/2007.0/x86/hardened
[11]  selinux/v2refpolicy/x86
[12]  selinux/v2refpolicy/x86/desktop
[13]  selinux/v2refpolicy/x86/developer
[14]  selinux/v2refpolicy/x86/hardened
[15]  selinux/v2refpolicy/x86/server
```

We'll open another bug for that when/if the time comes.

(In reply to comment #5)
> These have finally been marked stable. So I'm closing this bug.
>
> At some point we may want to think about deprecating
>
> [12] selinux/2007.0/amd64
> [13] selinux/2007.0/amd64/hardened
> [14] selinux/v2refpolicy/amd64
> [15] selinux/v2refpolicy/amd64/desktop
> [16] selinux/v2refpolicy/amd64/developer
> [17] selinux/v2refpolicy/amd64/hardened
> [18] selinux/v2refpolicy/amd64/server
>
> and
>
> [9] selinux/2007.0/x86
> [10] selinux/2007.0/x86/hardened
> [11] selinux/v2refpolicy/x86
> [12] selinux/v2refpolicy/x86/desktop
> [13] selinux/v2refpolicy/x86/developer
> [14] selinux/v2refpolicy/x86/hardened
> [15] selinux/v2refpolicy/x86/server
>
> We'll open another bug for that when/if the time comes.

Done! And we've also added default/linux/x86/10.0 default/linux/amd64/10.0 for those who want selinux *without* hardened toolchain or pax enabled kernel.
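The stackings quoted in this thread come from each profile directory's `parent` file: Portage walks the parents depth-first, in file order, and puts the profile itself last, so a later entry overrides an earlier one. The script below is an added example, not the thread's check_profiles_stack.py, that resolves such a stack over a constructed, simplified tree (default/linux and releases are omitted, and the `parent` contents in PARENTS are assumed, not copied from the Gentoo tree) mirroring the hardened amd64 no-multilib selinux chain, and then checks the two properties the thread cares about: features/64bit-native outranks the intermediate features/multilib/lib32, and features/selinux is the last layer before the leaf.

```python
import os
import tempfile

def resolve_stack(profiles_root, profile, chain=()):
    """Return a profile's stack in Portage order: parents from the 'parent'
    file first (recursively, depth-first, in file order), the profile itself
    last. A later entry overrides an earlier one. 'chain' guards cycles."""
    profile = os.path.normpath(profile)
    if profile in chain:
        raise ValueError("parent cycle at %s" % profile)
    stack = []
    parent_file = os.path.join(profiles_root, profile, "parent")
    if os.path.isfile(parent_file):
        with open(parent_file) as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    parent = os.path.join(profile, line)  # relative to profile
                    stack.extend(resolve_stack(profiles_root, parent, chain + (profile,)))
    stack.append(profile)
    return stack

def effective_layer(stack, candidates):
    """Of the given directories, return the one that appears last in the
    stack (highest priority), or None if none of them is inherited."""
    last = None
    for entry in stack:
        if entry in candidates:
            last = entry
    return last

# Constructed 'parent' contents (assumed, simplified); the remaining
# directories in LEAVES exist but carry no parent file.
PARENTS = {
    "arch/base": "../../base",
    "arch/amd64": "../base\n../../features/multilib/lib32",
    "features/multilib/lib32": "..",
    "hardened/linux/amd64": "../../../arch/amd64\n..",
    "hardened/linux/amd64/no-multilib": "..\n../../../../features/64bit-native",
    "hardened/linux/amd64/no-multilib/selinux": "..\n../../../../../features/selinux",
}
LEAVES = ["base", "features/multilib", "features/64bit-native",
          "features/selinux", "hardened/linux"]

def build_demo_tree():
    """Write the constructed profile tree under a temporary directory."""
    root = tempfile.mkdtemp(prefix="profiles-")
    for d in list(PARENTS) + LEAVES:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for d, content in PARENTS.items():
        with open(os.path.join(root, d, "parent"), "w") as fh:
            fh.write(content + "\n")
    return root

def demo():
    return resolve_stack(build_demo_tree(), "hardened/linux/amd64/no-multilib/selinux")
```

Running `demo()` yields eleven entries ending in features/selinux and the leaf profile, with features/64bit-native after features/multilib/lib32, which is why the no-multilib build no longer inherits a multilib glibc.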