Hi guys 'n gals

obligatory tl;dr: Please check your package below this list and see if it (the package) has a proper DEPEND and RDEPEND on the listed sec-policy/selinux-<module> package(s)

Within the Gentoo Hardened project, we are working on getting the SELinux support into shape. Recent evolutions are the stabilization of latest upstream userspace utilities and policies as well as documentation improvements and even some "human resource improvements" (read: fresh blood in our ranks).

Within SELinux, specific modules are used (called SELinux modules, because we are not that creative in our naming) that contain the SELinux policy (what is allowed) as well as labeling information for files (which we call file context information). This labeling is very important in order for the policies to work well - wrong labels will lead to applications running with wrong permissions (which usually means "Application No Workie").

In Gentoo, unlike some other distributions, we try to keep the number of loaded/installed modules to a minimum so that policy rebuilds as well as the system overhead are limited. This results in a "base" policy (provided by selinux-base-policy) and modules (provided by sec-policy/selinux-<modulename>).

To make sure that installations of a package pull in the right SELinux module, the proper dependencies must be defined. In the list below you will find "package dependency" information. This means that the given package should have both DEPEND and RDEPEND on the dependency (which is always of the form sec-policy/selinux-<modulename> since dependencies on sec-policy/selinux-base-policy are always satisfied the moment a user has SELinux enabled on his Gentoo system).

The dependency should be USE="selinux"-triggered (the selinux USE flag is masked for non-SELinux profiles and mandatory on SELinux systems), like so:

  IUSE="selinux"
  DEPEND="selinux? ( sec-policy/selinux-<modulename> )"
  RDEPEND="selinux? ( sec-policy/selinux-<modulename> )"

The dependency must be on both levels, because the SELinux module must be installed before the package is installed (and in theory, RDEPEND could trigger an installation afterwards): during the installation phase, Portage labels the files on the system (which would get wrong labels if the module isn't installed yet[1]). Also, DEPEND isn't sufficient due to binary package support requirements.

Since there are quite a few packages that would need updates, I thought about first mailing gentoo-dev for feedback and perhaps a first chunk of work done. I also wouldn't mind creating bugreports for each of them, but that would still be best done after having mailed gentoo-dev ;-)

Wkr,
  Sven Vermeulen

[1] I am aware that Portage currently installs RDEPEND before the package itself, but that might change in the future and other package managers might exhibit different behavior.

games-board/aisleriot  sec-policy/selinux-games
sys-apps/apmd  sec-policy/selinux-apm
net-dns/bind  sec-policy/selinux-bind
net-wireless/bluez  sec-policy/selinux-bluetooth
app-i18n/canna  sec-policy/selinux-canna
app-cdr/cdrkit  sec-policy/selinux-cdrecord
app-cdr/cdrtools  sec-policy/selinux-cdrecord
app-antivirus/clamav  sec-policy/selinux-clamav
net-im/climm  sec-policy/selinux-games
mail-mta/courier  sec-policy/selinux-courier
net-print/cups  sec-policy/selinux-lpd
dev-vcs/cvs  sec-policy/selinux-cvs
sys-process/daemontools  sec-policy/selinux-daemontools
sys-process/daemontools-encore  sec-policy/selinux-daemontools
mail-filter/dcc  sec-policy/selinux-dcc
app-admin/denyhosts  sec-policy/selinux-denyhosts
sys-devel/distcc  sec-policy/selinux-distcc
net-dns/djbdns  sec-policy/selinux-djbdns
app-arch/dpkg  sec-policy/selinux-dpkg
app-cdr/dvd+rw-tools  sec-policy/selinux-cdrecord
www-client/epiphany  sec-policy/selinux-mozilla
x11-misc/expocity  sec-policy/selinux-wm
net-analyzer/fail2ban  sec-policy/selinux-fail2ban
app-arch/fastjar  sec-policy/selinux-java
net-mail/fetchmail  sec-policy/selinux-fetchmail
www-client/firefox-bin  sec-policy/selinux-mozilla
dev-java/gcj-jdk  sec-policy/selinux-java
dev-vcs/gitolite  sec-policy/selinux-gitosis
dev-vcs/gitolite-gentoo  sec-policy/selinux-gitosis
dev-vcs/gitosis  sec-policy/selinux-gitosis
dev-vcs/gitosis-gentoo  sec-policy/selinux-gitosis
virtual/gnat  sec-policy/selinux-ada
gnome-base/gnome-applets  sec-policy/selinux-cpufreqselector
gnome-extra/gnome-games  sec-policy/selinux-games
gnome-base/gnome-shell  sec-policy/selinux-wm
app-crypt/gnupg  sec-policy/selinux-gpg
www-servers/gorg  sec-policy/selinux-gorg
gpe-base/gpe-dm  sec-policy/selinux-xserver
net-print/hplip  sec-policy/selinux-cups
x11-apps/iceauth  sec-policy/selinux-xserver
net-misc/icecast  sec-policy/selinux-icecast
net-nntp/inn  sec-policy/selinux-inn
kde-base/katomic  sec-policy/selinux-games
kde-base/kbattleship  sec-policy/selinux-games
sys-apps/kbd  sec-policy/selinux-loadkeys
kde-base/kblackbox  sec-policy/selinux-games
kde-base/kbounce  sec-policy/selinux-games
kde-base/kgoldrunner  sec-policy/selinux-games
kde-base/kgpg  sec-policy/selinux-gpg
net-wireless/kismet  sec-policy/selinux-kismet
kde-base/kjumpingcube  sec-policy/selinux-games
kde-base/klickety  sec-policy/selinux-games
kde-base/klines  sec-policy/selinux-games
kde-base/kmahjongg  sec-policy/selinux-games
kde-base/kmines  sec-policy/selinux-games
kde-base/kolf  sec-policy/selinux-games
kde-base/konquest  sec-policy/selinux-games
kde-base/kpat  sec-policy/selinux-games
kde-base/kreversi  sec-policy/selinux-games
kde-base/kshisen  sec-policy/selinux-games
kde-base/kspaceduel  sec-policy/selinux-games
kde-base/ktron  sec-policy/selinux-games
kde-base/ktuberling  sec-policy/selinux-games
app-emulation/libvirt  sec-policy/selinux-xen
www-client/links  sec-policy/selinux-links
kde-base/lskat  sec-policy/selinux-games
dev-db/mariadb  sec-policy/selinux-mysql
net-misc/memcached  sec-policy/selinux-memcached
x11-wm/metacity  sec-policy/selinux-wm
sys-apps/mlocate  sec-policy/selinux-slocate
www-servers/mongrel  sec-policy/selinux-apache
media-sound/mpd  sec-policy/selinux-mpd
sys-cluster/mpich2  sec-policy/selinux-mpd
media-video/mplayer  sec-policy/selinux-mplayer
media-video/mplayer2  sec-policy/selinux-mplayer
net-analyzer/mrtg  sec-policy/selinux-mrtg
mail-client/mutt  sec-policy/selinux-mutt
dev-db/mysql  sec-policy/selinux-mysql
media-libs/nas  sec-policy/selinux-soundserver
net-misc/netcf  sec-policy/selinux-ncftool
net-ftp/netkit-ftpd  sec-policy/selinux-publicfile
mail-mta/netqmail  sec-policy/selinux-qmail
net-analyzer/ntop  sec-policy/selinux-ntop
net-misc/nxserver-freeedition  sec-policy/selinux-nx
net-misc/nxserver-freenx  sec-policy/selinux-nx
x11-wm/openbox  sec-policy/selinux-wm
net-misc/openconnect  sec-policy/selinux-vpn
net-nntp/pan  sec-policy/selinux-pan
sys-boot/plymouth  sec-policy/selinux-plymouthd
app-admin/prelude-lml  sec-policy/selinux-prelude
app-admin/prelude-manager  sec-policy/selinux-prelude
mail-filter/procmail  sec-policy/selinux-procmail
net-ftp/proftpd  sec-policy/selinux-ftp
www-servers/publicfile  sec-policy/selinux-publicfile
media-sound/pulseaudio  sec-policy/selinux-pulseaudio
app-admin/puppet  sec-policy/selinux-puppet
dev-python/pyzor  sec-policy/selinux-pyzor
app-emulation/qemu  sec-policy/selinux-qemu
app-emulation/qemu-kvm  sec-policy/selinux-qemu
www-apps/roundup  sec-policy/selinux-roundup
app-arch/rpm  sec-policy/selinux-rpm
app-shells/rssh  sec-policy/selinux-rssh
net-fs/samba  sec-policy/selinux-samba
app-misc/screen  sec-policy/selinux-screen
net-mail/serialmail  sec-policy/selinux-daemontools
net-im/skype  sec-policy/selinux-skype
net-nntp/slrn  sec-policy/selinux-slrnpull
mail-filter/spamassassin  sec-policy/selinux-spamassassin
net-misc/stunnel  sec-policy/selinux-stunnel
net-nntp/suck  sec-policy/selinux-inn
net-misc/taylor-uucp  sec-policy/selinux-uucp
media-sound/timidity++  sec-policy/selinux-timidity
net-irc/tirc  sec-policy/selinux-irc
net-misc/tor  sec-policy/selinux-tor
media-tv/tvtime  sec-policy/selinux-tvtime
x11-wm/twm  sec-policy/selinux-wm
sys-apps/ucspi-tcp  sec-policy/selinux-ucspitcp
sys-apps/usermode-utilities  sec-policy/selinux-uml
www-servers/varnish  sec-policy/selinux-varnishd
net-misc/vde  sec-policy/selinux-vde
media-video/vlc  sec-policy/selinux-mplayer
app-emulation/vmware-workstation  sec-policy/selinux-vmware
net-analyzer/vnstat  sec-policy/selinux-vnstatd
app-admin/webalizer  sec-policy/selinux-webalizer
app-emulation/wine  sec-policy/selinux-wine
net-analyzer/wireshark  sec-policy/selinux-wireshark
net-wireless/wpa_supplicant  sec-policy/selinux-networkmanager
x11-apps/xauth  sec-policy/selinux-xserver
media-video/xine-ui  sec-policy/selinux-mplayer
x11-base/xorg-server  sec-policy/selinux-xprint
x11-base/xorg-server  sec-policy/selinux-xprint
x11-misc/xscreensaver  sec-policy/selinux-xscreensaver
sys-apps/yum  sec-policy/selinux-rpm
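
A maintainer can check an ebuild against the DEPEND/RDEPEND rule described in the mail with a few lines of Python. This is an added example, not part of the original post or of Portage; the function names and the sample ebuild fragments are constructed, and it assumes plain double-quoted assignments with unversioned atoms, as in the mail's snippet.

```python
import re

# Assignments of the three variables the post talks about ("=" or "+=").
ASSIGN = re.compile(r'^\s*(IUSE|DEPEND|RDEPEND)(\+?)="(.*?)"', re.M | re.S)
# A USE-conditional group "selinux? ( ... )"; "!selinux?" does not count.
COND = re.compile(r'(?<![\w!-])selinux\?\s*\(([^()]*)\)')
VARREF = re.compile(r'\$\{?(IUSE|DEPEND|RDEPEND)\}?')

def parse_vars(ebuild_text):
    """Collect IUSE/DEPEND/RDEPEND, expanding += and ${VAR} references."""
    values = {"IUSE": "", "DEPEND": "", "RDEPEND": ""}
    for name, plus, body in ASSIGN.findall(ebuild_text):
        body = VARREF.sub(lambda m: values[m.group(1)], body)
        values[name] = (values[name] + " " + body) if plus else body
    return values

def check_ebuild(ebuild_text, module):
    """Return the list of deviations from the rule; empty means compliant."""
    atom = "sec-policy/selinux-" + module
    values = parse_vars(ebuild_text)
    problems = []
    if "selinux" not in [flag.lstrip("+-") for flag in values["IUSE"].split()]:
        problems.append("IUSE lacks selinux")
    for var in ("DEPEND", "RDEPEND"):
        guarded = [tok for group in COND.findall(values[var]) for tok in group.split()]
        if atom not in guarded:
            problems.append(f"{var} lacks selinux? ( {atom} )")
    return problems

# Constructed ebuild fragments for net-dns/bind (not taken from the tree).
GOOD = '''IUSE="ipv6 selinux"
DEPEND="dev-libs/openssl
    selinux? ( sec-policy/selinux-bind )"
RDEPEND="${DEPEND}"
'''
RDEPEND_ONLY = '''IUSE="selinux"
DEPEND="dev-libs/openssl"
RDEPEND="${DEPEND}
    selinux? ( sec-policy/selinux-bind )"
'''
UNGUARDED = '''IUSE="ipv6"
DEPEND="sec-policy/selinux-bind"
RDEPEND="${DEPEND}"
'''

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("rdepend-only", RDEPEND_ONLY), ("unguarded", UNGUARDED)):
        print(label, check_ebuild(text, "bind") or "ok")
```

The RDEPEND-only fragment is the case the mail singles out: the module would be pulled in at run time, but nothing guarantees it is present when the package's files are labeled during installation.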