On December 14th, the Gentoo Hardened project had its monthly online meeting to discuss the current state of affairs of its projects and subprojects. Amongst them, the updates on the SELinux front were presented as well.
Since the last meeting, the following topics passed in review.
- sec-policy/selinux-base-policy, which is the "master" of our SELinux policies and contains those SELinux modules that are somewhat indivisible (hence the name, "base"), is now at revision 8. I tend to describe the changes on the gentoo-hardened mailing list, and this is not different for rev 8. I haven't stabilized the rev 6 one yet although I promised to; I'll try to find some time to do that this evening.
- We had a regression with newrole for some time. Luckily, Jory "Anarchy" Pratt found the issue. Drop the setuid bit from the binary, and the application works again as it should. This will be included in the next policycoreutils bump.
- The last available sudo package now builds with native SELinux support as well, which allows users to add ROLE= and TYPE= information in the sudoers file. As such, users do not need to call newrole when they need to transition to a specific role for just a single command - sudo can now take care of that.
- The older selinux/v2refpolicy/* profiles have been deprecated. If you want to use a SELinux-enabled profile, you need to use a profile that ends with /selinux, such as default/linux/amd64/10.0/selinux or hardened/linux/amd64/selinux. Of course we prefer you to use a hardened profile ;-)
- Documentation-wise,
  - the Gentoo Hardened SELinux Handbook has been updated to reflect the profile changes
  - the SELinux bug reporting guide has been put online to inform users what kind of information is needed for us to fix issues or denials that they might see
  - the SELinux FAQ has been updated with the questions "Applications do not transition on a nosuid partition" and "Why do I always need to re-authenticate when operating init scripts?".
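
To illustrate the sudo item above, here is a sudoers fragment using the ROLE= and TYPE= specifiers. It is an added example, not taken from the meeting or from Gentoo's documentation; the user name `alice`, the chosen commands and the sysadm_r/sysadm_t context are assumptions, and the user's SELinux user must already be allowed to enter that role.

```sudoers
# Constructed example; edit with visudo so syntax errors are caught.
# "alice" and the command paths are placeholders.

# Run a single command in the sysadm_r role and sysadm_t domain.
# Without this, alice would first run "newrole -r sysadm_r" and then
# invoke the command from the new shell.
alice ALL=(root) ROLE=sysadm_r TYPE=sysadm_t /usr/sbin/semodule

# The specifiers apply per command, so the grant can stay narrow:
# only the commands listed here get the role transition.
alice ALL=(root) ROLE=sysadm_r TYPE=sysadm_t /usr/sbin/setenforce

# Alternative: set a default context for everything alice runs via sudo.
# Broader than the per-command form above, so prefer that one where possible.
# Defaults:alice role=sysadm_r, type=sysadm_t

# The same transition can also be requested on the command line:
#   sudo -r sysadm_r -t sysadm_t /usr/sbin/semodule -l
```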
That's about it. Not too busy a month, but progress anyhow.