This bug will be used to track the progress of the restructuring of the hardened selinux profiles. The idea is to transform them into a feature along the lines of features/multilib. The proposed change would make stacking of profiles more intuitive and easier to manage.

The current proposed updated profiles are at
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=shortlog;h=refs/heads/profiles-selinux

When development there has progressed sufficiently, they will be moved to the tree, and deprecation of the older profiles will begin.

Reproducible: Always
Here's the resulting selections for amd64:

# eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/desktop
  [3]   default/linux/amd64/10.0/desktop/gnome
  [4]   default/linux/amd64/10.0/desktop/kde
  [5]   default/linux/amd64/10.0/developer
  [6]   default/linux/amd64/10.0/no-multilib
  [7]   default/linux/amd64/10.0/server
  [8]   hardened/linux/amd64
  [9]   hardened/linux/amd64/selinux
  [10]  hardened/linux/amd64/no-multilib
  [11]  hardened/linux/amd64/no-multilib/selinux *

Selections 9 and 11 are hardened amd64 + selinux feature.

Here's the resulting selections for x86:

# eselect profile list
Available profile symlink targets:
  [1]   default/linux/x86/10.0
  [2]   default/linux/x86/10.0/desktop
  [3]   default/linux/x86/10.0/desktop/gnome
  [4]   default/linux/x86/10.0/desktop/kde
  [5]   default/linux/x86/10.0/developer
  [6]   default/linux/x86/10.0/server
  [7]   hardened/linux/x86
  [8]   hardened/linux/x86/selinux *
Here are the resulting stackings for the tree profiles:

amd64-multilib:

# ./check_profiles_stack.py
/usr/portage/profiles/base
/usr/portage/profiles/default/linux
/usr/portage/profiles/arch/base
/usr/portage/profiles/features/multilib
/usr/portage/profiles/features/multilib/lib32
/usr/portage/profiles/arch/amd64
/usr/portage/profiles/releases
/usr/portage/profiles/releases/10.0
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/amd64
/usr/portage/profiles/features/selinux
/usr/portage/profiles/hardened/linux/amd64/selinux

amd64-nomultilib:

# ./check_profiles_stack.py
/usr/portage/profiles/base
/usr/portage/profiles/default/linux
/usr/portage/profiles/arch/base
/usr/portage/profiles/features/multilib
/usr/portage/profiles/features/multilib/lib32
/usr/portage/profiles/arch/amd64
/usr/portage/profiles/releases
/usr/portage/profiles/releases/10.0
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/amd64
/usr/portage/profiles/features/64bit-native
/usr/portage/profiles/hardened/linux/amd64/no-multilib
/usr/portage/profiles/features/selinux
/usr/portage/profiles/hardened/linux/amd64/no-multilib/selinux

x86:

# ./check_profiles_stack.py
/usr/portage/profiles/base
/usr/portage/profiles/default/linux
/usr/portage/profiles/arch/base
/usr/portage/profiles/arch/x86
/usr/portage/profiles/releases
/usr/portage/profiles/releases/10.0
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/x86
/usr/portage/profiles/features/selinux
/usr/portage/profiles/hardened/linux/x86/selinux

These are identical to the corresponding non-selinux hardened profiles, with the selinux feature added last (highest priority) in the stack.

Finally, note that this structure solves the problem with amd64 nomultilib selinux. In the old profiles, the problem was that glibc was being built with multilib despite the fact that multilib was being turned off (notice the intermediate inheritance of features/multilib/lib32 in the nomultilib profile!). This would cause glibc's sanity to fail on libgcc which was mixed ABI.
If no one sees any objection at this point, I'll add in a few days.
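As an added illustration (this is neither the check_profiles_stack.py tool used above nor Gentoo's own code), here is a small resolver over a constructed miniature profile tree that reproduces the stack order listed above and shows why that order matters: USE tokens are folded in stack order, so the hypothetical "-multilib" from features/64bit-native only takes effect because that profile sits after features/multilib, and the selinux feature, being last, overrides everything beneath it. All parent lines and USE values in the tree are hypothetical.

```python
"""Resolve a Gentoo-style profile stack from `parent` files and fold USE over it."""
from posixpath import join, normpath
# Constructed miniature tree: profile -> (lines of its `parent` file, USE from its
# make.defaults). Values are hypothetical; only the resulting order matches the bug.
PROFILES = {
    "base": ([], "acl"),
    "default/linux": (["../../base"], ""),
    "arch/base": ([], ""),
    "features/multilib": ([], "multilib"),
    "features/multilib/lib32": ([".."], ""),
    "arch/amd64": (["../base", "../../features/multilib/lib32"], ""),
    "releases": ([], ""),
    "releases/10.0": ([".."], ""),
    "hardened/linux": (["../../default/linux"], "hardened pax_kernel"),
    "hardened/linux/amd64": (["../../../default/linux", "../../../arch/amd64",
                              "../../../releases/10.0", ".."], ""),
    "features/64bit-native": ([], "-multilib"),
    "hardened/linux/amd64/no-multilib": (["..", "../../../../features/64bit-native"], ""),
    "features/selinux": ([], "selinux"),
    "hardened/linux/amd64/selinux": (["..", "../../../../features/selinux"], ""),
    "hardened/linux/amd64/no-multilib/selinux": (["..", "../../../../../features/selinux"], ""),
}

def resolve_stack(profile, tree=PROFILES):
    """Depth first: each parent's stack precedes the profile itself, so the leaf lands
    last (highest priority). Dropping repeats is a simplification for this example."""
    stack = []
    def walk(path):
        parents, _ = tree[path]  # KeyError here means a dangling parent line
        for line in parents:
            walk(normpath(join(path, line)))
        if path not in stack:
            stack.append(path)
    walk(profile)
    return stack

def effective_use(profile, tree=PROFILES):
    """Fold USE in stack order: '-*' clears, '-flag' removes, 'flag' adds."""
    use = set()
    for path in resolve_stack(profile, tree):
        for tok in tree[path][1].split():
            if tok == "-*":
                use.clear()
            elif tok.startswith("-"):
                use.discard(tok[1:])
            else:
                use.add(tok)
    return sorted(use)
```

Calling resolve_stack("hardened/linux/amd64/no-multilib/selinux") yields the same fourteen entries, in the same order, as the amd64-nomultilib listing above.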
(In reply to comment #3)
> If no one sees any objection at this point, I'll add in a few days.

It's in.

  17 May 2011; Anthony G. Basile <blueness@gentoo.org>
  +features/selinux/make.defaults, +features/selinux/package.mask,
  +features/selinux/package.use.force, +features/selinux/package.use.mask,
  +features/selinux/packages, +features/selinux/profile.bashrc,
  +features/selinux/use.force, +features/selinux/use.mask,
  +features/selinux/virtuals, +hardened/linux/amd64/no-multilib/selinux/parent,
  +hardened/linux/amd64/selinux/parent, +hardened/linux/x86/selinux/parent,
  profiles.desc:
  Added new features/selinux profile. Bug #365483
These have finally been marked stable. So I'm closing this bug.

At some point we may want to think about deprecating

  [12]  selinux/2007.0/amd64
  [13]  selinux/2007.0/amd64/hardened
  [14]  selinux/v2refpolicy/amd64
  [15]  selinux/v2refpolicy/amd64/desktop
  [16]  selinux/v2refpolicy/amd64/developer
  [17]  selinux/v2refpolicy/amd64/hardened
  [18]  selinux/v2refpolicy/amd64/server

and

  [9]   selinux/2007.0/x86
  [10]  selinux/2007.0/x86/hardened
  [11]  selinux/v2refpolicy/x86
  [12]  selinux/v2refpolicy/x86/desktop
  [13]  selinux/v2refpolicy/x86/developer
  [14]  selinux/v2refpolicy/x86/hardened
  [15]  selinux/v2refpolicy/x86/server

We'll open another bug for that when/if the time comes.
(In reply to comment #5)
> These have finally been marked stable. So I'm closing this bug.
>
> At some point we may want to think about deprecating
>
> [12] selinux/2007.0/amd64
> [13] selinux/2007.0/amd64/hardened
> [14] selinux/v2refpolicy/amd64
> [15] selinux/v2refpolicy/amd64/desktop
> [16] selinux/v2refpolicy/amd64/developer
> [17] selinux/v2refpolicy/amd64/hardened
> [18] selinux/v2refpolicy/amd64/server
>
> and
>
> [9] selinux/2007.0/x86
> [10] selinux/2007.0/x86/hardened
> [11] selinux/v2refpolicy/x86
> [12] selinux/v2refpolicy/x86/desktop
> [13] selinux/v2refpolicy/x86/developer
> [14] selinux/v2refpolicy/x86/hardened
> [15] selinux/v2refpolicy/x86/server
>
> We'll open another bug for that when/if the time comes.

Done! And we've also added

  default/linux/x86/10.0
  default/linux/amd64/10.0

for those who want selinux *without* hardened toolchain or pax enabled kernel.