SELinux Gentoo/Hardened state 2011-12-19


Sven Vermeulen Mon 19 December 2011

On December 14th, the Gentoo Hardened project had its monthly online meeting to discuss the current state of affairs of its projects and subprojects. Among them, the updates on the SELinux front were presented as well.

Since the last meeting, the following topics were reviewed.

  • sec-policy/selinux-base-policy, which is the "master" of our SELinux policies and contains those SELinux modules that are somewhat indivisible (hence the name, "base"), is now at revision 8. I tend to describe the changes on the gentoo-hardened mailing list, and this is no different for rev 8. I haven't stabilized the rev 6 one yet although I promised to; I'll try to find some time to do that this evening.
  • We had a regression with newrole for some time. Luckily, Jory "Anarchy" Pratt found the issue. Drop the setuid bit from the binary, and the application works again as it should. This will be included in the next policycoreutils bump.
  • The latest available sudo package now builds with native SELinux support as well, which allows users to add ROLE= and TYPE= information in the sudoers file. As such, users do not need to call newrole when they need to transition to a specific role for just a single command - sudo can now take care of that.
  • The older selinux/v2refpolicy/* profiles have been deprecated. If you want to use a SELinux-enabled profile, you need to use a profile that ends with /selinux, such as default/linux/amd64/10.0/selinux or hardened/linux/amd64/selinux. Of course we prefer you to use a hardened profile ;-)
  • Documentation-wise,

That's about it. Not too busy a month, but progress anyhow.