| Summary: | [TRACKER] stabilize selinux policies based on 2.20101213 | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Sven Vermeulen <sven.vermeulen> |
| Component: | Hardened | Assignee: | SE Linux Bugs <selinux> |
| Status: | VERIFIED FIXED | | |
| Severity: | enhancement | CC: | prometheanfire, selinux |
| Priority: | Normal | Keywords: | Tracker |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 369845 | | |
| Bug Blocks: | | | |
Description
Sven Vermeulen
2011-05-20 17:53:11 UTC
I would suggest the following approach for the stabilization:

1. Merge hardened-dev to main tree (includes the selinux eclass update)

   The hardened-dev overlay contains the policy updates that are affecting openrc support on Gentoo Hardened/SELinux. Without these (more specifically, without selinux-base-policy-2.20101213-r16) OpenRC support isn't what it should be (read: it won't work properly).

2. Stabilize the following packages

   - sys-libs/libselinux-2.0.94
   - sys-apps/policycoreutils-2.0.82
   - sys-libs/libsemanage-2.0.45
   - sys-libs/libsepol-2.0.41
   - app-admin/setools-3.3.7
   - dev-python/sepolgen-1.0.23
   - sys-apps/checkpolicy-2.0.21
   - sys-process/vixie-cron-4.1-r11

   The vixie-cron one needs a separate bug as this isn't in the hardened/selinux hands.

3. Wait for the appropriate stabilization period

4. Stabilize sec-policy/* where * is the latest version in the 2.20101213 series

   With the stabilization, clean up the old ebuilds within sec-policy that are not in the 2.20101213 series or that are deprecated due to the higher 2.20101213 ones (we already have too many versions in the tree currently). Also, take special care of the sec-policy/selinux-base-policy one: the files/ folder is too large due to the patches (after the stabilization, we need to migrate the patchbundles to dev.g.o) and also clean up the obsoleted modules.conf.* files (except the 20090730 ones).

5. Wait for the appropriate settling period

6. Update the SELinux profile to drop FEATURES="loadpolicy"

   This feature is still (ab)used by the current stable policy ebuilds, but has been dropped from the newer ones. Need to wait a bit so that people have the time to upgrade to the latest policies before the profiles change (as the profile change itself takes effect immediately when "emerge --sync" is run). However, impact is small (FEATURES="loadpolicy" is only used when an old ebuild of the sec-policy/ category is installed, whereas after the stabilization, this shouldn't be the case anymore).

Am I forgetting something?

(In reply to comment #1)
> I would suggest the following approach for the stabilization:
>
> 1. Merge hardened-dev to main tree (includes the selinux eclass update)
>
> The hardened-dev overlay contains the policy updates that are affecting openrc
> support on Gentoo Hardened/SELinux. Without these (more specifically, without
> selinux-base-policy-2.20101213-r16) OpenRC support isn't what it should be
> (read: it won't work properly).

Done.

> 3. Wait for the appropriate stabilization period
x86 says we can stabilize ourselves. I'm waiting on amd64, but Pebenito says he's always stabilized all selinux stuff.
vixie-cron is the only one we need to open a stable req for. I'll do so now.
- sys-libs/libselinux-2.0.94
- sys-apps/policycoreutils-2.0.82
- sys-libs/libsemanage-2.0.45
- sys-libs/libsepol-2.0.41
- app-admin/setools-3.3.7
- dev-python/sepolgen-1.0.23
- sys-apps/checkpolicy-2.0.21

Marked stable on amd64 and x86. Anthony also recently pushed the stabilized ebuilds for the policies.
> With the stabilization, clean up the old ebuilds within sec-policy that are not
> in the 2.20101213 series or that are deprecated due to the higher 2.20101213
> ones (we already have too much versions in the tree currently).
Yes policies recently stabilized and should be in the mirrors by now. I will do the cleanup in a few days when the dust settles.
> Yes policies recently stabilized and should be in the mirrors by now. I will
> do the cleanup in a few days when the dust settles.

I've cleaned up the policies, removing all pre-2.20101213. There is still a bit more work to be done removing older versions of sys-libs/libselinux and friends (see comment #1).

vixie-cron stabilized for amd64 and x86. Since this was the last blocking issue, I'm closing the tracker. Next: open a new one for 20110726 ;-)