Hi guys,

I've committed sec-policy/selinux-base-policy-2.20101213-r9 to the hardened-development overlay. It has the following fixes since -r8:

- Allow Portage sandbox to ptrace (some package installs require this)
- Use xserver_domtrans instead of allowing siginh (cleaner policy)
- Fix issue that dhcpcd didn't work (could not find interfaces)
- Allow unconfined_t domain to transition to portage domains

The latter should fix bugs #355745 and #356533.

This is also the first (but definitely not the last) commit which I'm now also testing various stuff with. The testing approach I use is to set up Gentoo Hardened base, then update to SELinux (strict), install mysql, install postgresql and then run some administrative tests:

  portage - - - - Performing portage activities -
  portage - 001 - Run emerge --info - success
  portage - 002 - Run emerge -puDN world - success
  portage - 003 - Run emerge cowsay - success
  portage - 004 - Run emerge -C cowsay (remove) - success
  portage - 005 - Run eselect profile list - success
  portage - 006 - Run gcc-config -l - success
  inittest - - - - Create temporary working database (gentoo) -
  inittest - 001 - Load SQL file (restore database dump) - success
  mysql - - - - Performing mysql command activities -
  mysql - 001 - Create table (as admin) through mysql command - success
  mysql - 002 - Show tables (as admin) - success
  mysql - 003 - Drop table (as admin) - success
  mysql - 004 - Describe table (as guest) - success
  mysql - 005 - Select data from table (as guest) - success
  mysql - 006 - Select data from table (as test) - success
  mysql - 007 - Create table (as guest) - success
  exittest - - - - Cleanup temporary working database (gentoo) -
  exittest - 001 - Drop database gentoo - success
  exittest - 002 - Revoke all (gentoo) privileges from guest account - success
  exittest - 003 - Revoke all (gentoo) privileges from admin account - success
  inittest - - - - Create temporary working database -
  inittest - 001 - Create admin role - success
  inittest - 002 - Create guest role - success
  inittest - 003 - Load SQL file (restore database dump) - success
  postgres - - - - Performing psql command activities -
  postgres - 001 - Create table (as admin) through psql command - success
  postgres - 002 - Describe test table (as admin) through psql command - success
  postgres - 003 - Drop test table (as admin) through psql command - success
  postgres - 004 - Describe table (as guest) through psql command - success
  postgres - 005 - Query test data (as guest) through psql command - success
  postgres - 006 - Testing invalid user access - success
  exittest - - - - Cleanup temporary working database -
  exittest - 001 - Drop test database - success
  exittest - 002 - Drop admin user - success
  exittest - 003 - Drop guest user - success

These tests are done for both strict and targeted policy (but always in enforcing mode).

The idea I have is to try and reproduce issues reported or seen on the forums and try to automate those. If they can be automated, I add them to the test scripts so that (1.) the issue is confirmed, and (2.) regressions can be detected. For the time being you'll see that the tests aren't advanced, but at least it's a start and it can grow more easily ;-)

Wkr,
Sven Vermeulen
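
An added sketch of the testing idea described above, not Sven's actual test scripts: a step runner that emits lines in the report's "module - number - description - result" shape, refuses to count a run made outside enforcing mode, and compares two saved reports for regressions. The names `run_test`, `denied`, `regressions` and `MODE_OVERRIDE`, the `failed` label, and the reading of "Testing invalid user access" as a step that passes when access is refused are all assumptions.

```shell
#!/bin/sh
# Added example; function names, MODE_OVERRIDE and the "failed" label are assumptions.

# Print the current SELinux mode. MODE_OVERRIDE is a hypothetical hook so the
# check can be exercised on a machine without SELinux tools installed.
selinux_mode() {
    if [ -n "${MODE_OVERRIDE:-}" ]; then
        printf '%s\n' "$MODE_OVERRIDE"
    elif command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        printf 'Unknown\n'
    fi
}

# A permissive run only logs denials, so its "success" lines prove nothing.
require_enforcing() {
    [ "$(selinux_mode)" = "Enforcing" ]
}

# Negative step: passes only when the wrapped command is refused.
denied() {
    ! "$@"
}

# run_test MODULE NUMBER DESCRIPTION CMD [ARGS...]
run_test() {
    module=$1; number=$2; desc=$3; shift 3
    if "$@" >/dev/null 2>&1; then result=success; else result=failed; fi
    printf '%s - %s - %s - %s\n' "$module" "$number" "$desc" "$result"
}

# regressions OLD_REPORT NEW_REPORT
# Prints every step that was "success" in OLD and is anything else in NEW.
# Steps are keyed on module, number and description together, because step
# numbers repeat across sections (inittest 001 appears twice in the report).
regressions() {
    awk -F' - ' '
        $2 !~ /^[0-9]+$/ { next }    # skip section header lines
        { key = substr($0, 1, length($0) - length($NF) - 3) }
        NR == FNR { old[key] = $NF; next }
        old[key] == "success" && $NF != "success" { print key }
    ' "$1" "$2"
}
```

A run would call `require_enforcing || exit 1` first, write the `run_test` lines to a per-revision file, and feed the previous and current files to `regressions`.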