| Summary: | sec-policy/selinux-base-policy "unconfined" USE flag should be set by default | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Maciej S. Szmigiero <mail> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r12 | | |
| Package list: | | Runtime testing required: | --- |
Description
Maciej S. Szmigiero
2013-02-23 17:11:43 UTC
Enabling it by default makes many users lose a lot of SELinux protections (I'd have a similar bug report, asking not to set it by default). You're right, however, that setting the targeted policy and not using USE="unconfined" breaks a system. I'm going to check if USE="unconfined" is set if one of the selected policies is "targeted", while making sure it isn't included in the "strict" build.

Hmm, I see that on sec-policy/selinux-base-policy the "unconfined" USE flag only pulls in sec-policy/selinux-unconfined. Do you mean sec-policy/selinux-base, where the "unconfined" USE flag seems to change the default user to unconfined_u on non-targeted and non-strict policies?

Once it pulls in selinux-unconfined, it means that the unconfined module is loaded in /all/ policy stores, including strict, mcs or mls, even if the user wants to use strict policies rather than the more lax "targeted" one. Hence I need to make sure that, if we pull it in, it only installs it into the targeted, mls and mcs stores, and that it stays out of the strict one. Also, only if the selected store is "targeted" should we make USE="unconfined" mandatory; for mcs/mls it is optional (hence updates to the documentation are needed as well).

I've updated the selinux eclass to not load unconfined when the policy store is "strict", and I'll have USE="unconfined" marked as a default for the packages (IUSE="+unconfined") since we also have targeted as a default policy type.

OK, selinux-base-policy now checks for USE=unconfined if POLICY_TYPES=targeted is set. If it isn't, it fails the build (during the dependency check, so early on, not in the middle of a build).

Fixed in selinux-base-policy-2.20120725-r12, stabilized.
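An added illustration of the two rules settled on in this bug, written for this page and not taken from the selinux eclass or the ebuilds: the unconfined module goes into every selected policy store except "strict", and selecting "targeted" without USE="unconfined" fails at dependency-check time while mcs/mls keep the flag optional. The function names and the space-separated POLICY_TYPES/USE inputs are assumptions for the example.

```shell
#!/bin/sh
# Constructed example (not Gentoo's eclass code) of the store selection
# and dependency check discussed in the bug.

# Print the policy stores that would receive the unconfined module.
# $1: POLICY_TYPES (space-separated), $2: USE flags (space-separated).
# With USE="unconfined" unset nothing is installed; "strict" is never
# a target even when the flag is on.
unconfined_stores() {
    policy_types=$1
    use_flags=$2
    out=""
    case " $use_flags " in
        *" unconfined "*) ;;
        *) printf '%s\n' ""; return 0 ;;
    esac
    for store in $policy_types; do
        [ "$store" = strict ] && continue
        out="${out:+$out }$store"
    done
    printf '%s\n' "$out"
}

# Dependency-time check: fail (return 1) when "targeted" is among the
# selected stores but the unconfined flag is off. For mcs/mls alone the
# flag stays optional, so the check passes either way.
check_unconfined_dep() {
    policy_types=$1
    use_flags=$2
    case " $policy_types " in
        *" targeted "*)
            case " $use_flags " in
                *" unconfined "*) return 0 ;;
                *)
                    echo "POLICY_TYPES contains targeted; USE=unconfined is required" >&2
                    return 1 ;;
            esac ;;
    esac
    return 0
}
```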