-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 03/02/2011 12:48 PM, Sven Vermeulen wrote:
> Hi guys,
>
> I've committed sec-policy/selinux-base-policy-2.20101213-r9 to the
> hardened-development overlay. It has the following fixes since -r8:
> - Allow Portage sandbox to ptrace (some package installs require this)
> - Use xserver_domtrans instead of allowing siginh (cleaner policy)
> - Fix issue that dhcpcd didn't work (could not find interfaces)
> - Allow unconfined_t domain to transition to portage domains
>
> The latter should fix bugs #355745 and #356533.
>
> This is also the first (but definitely not the last) commit which I'm now
> also testing various stuff with. The testing approach I use is to set up
> Gentoo Hardened base, then update to SELinux (strict), install mysql,
> install postgresql and then run some administrative tests:
>
> portage - - - - Performing portage activities -
> portage - 001 - Run emerge --info -
> success
> portage - 002 - Run emerge -puDN world -
> success
> portage - 003 - Run emerge cowsay -
> success
> portage - 004 - Run emerge -C cowsay (remove) -
> success
> portage - 005 - Run eselect profile list -
> success
> portage - 006 - Run gcc-config -l -
> success
> inittest - - - - Create temporary working database (gentoo) -
> inittest - 001 - Load SQL file (restore database dump) -
> success
> mysql - - - - Performing mysql command activities -
> mysql - 001 - Create table (as admin) through mysql command -
> success
> mysql - 002 - Show tables (as admin) -
> success
> mysql - 003 - Drop table (as admin) -
> success
> mysql - 004 - Describe table (as guest) -
> success
> mysql - 005 - Select data from table (as guest) -
> success
> mysql - 006 - Select data from table (as test) -
> success
> mysql - 007 - Create table (as guest) -
> success
> exittest - - - - Cleanup temporary working database (gentoo) -
> exittest - 001 - Drop database gentoo -
> success
> exittest - 002 - Revoke all (gentoo) privileges from guest account -
> success
> exittest - 003 - Revoke all (gentoo) privileges from admin account -
> success
> inittest - - - - Create temporary working database -
> inittest - 001 - Create admin role -
> success
> inittest - 002 - Create guest role -
> success
> inittest - 003 - Load SQL file (restore database dump) -
> success
> postgres - - - - Performing psql command activities -
> postgres - 001 - Create table (as admin) through psql command -
> success
> postgres - 002 - Describe test table (as admin) through psql command -
> success
> postgres - 003 - Drop test table (as admin) through psql command -
> success
> postgres - 004 - Describe table (as guest) through psql command -
> success
> postgres - 005 - Query test data (as guest) through psql command -
> success
> postgres - 006 - Testing invalid user access -
> success
> exittest - - - - Cleanup temporary working database -
> exittest - 001 - Drop test database -
> success
> exittest - 002 - Drop admin user -
> success
> exittest - 003 - Drop guest user -
> success
>
>
> These tests are done for both strict and targeted policy (but always in
> enforcing mode). The idea I have is to try and reproduce issues reported or
> seen on the forums and try to automate those. If they can be automated, I
> add them to the test scripts so that (1.) the issue is confirmed, and (2.)
> regressions can be detected.
>
> For the time being you'll see that the tests aren't advanced, but at least
> it's a start and it can grow more easily ;-)
>
> Wkr,
> Sven Vermeulen
>
Does this affect bug 328297, if at all?
There will be some changes coming to PostgreSQL soon, once Mr. Chvatal
(scarabeus) or Mr. Lauer (bonsaikitten) get the time to test and commit.
The configuration files will be in /etc/postgresql-${SLOT}/. And
src_test() works on it now with its socket created in ${T} and
executables and miscellaneous files in ${S}/src/test/regress/.
All of that works just fine on Hardened, but I'm not familiar with
SELinux other than it's an additional security measure.
Sincerely,
Mr. Aaron W. Swenson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iF4EAREIAAYFAk1uxNgACgkQCOhwUhu5AEla2AD+LgsjRH7IWhHutaDaBhm7Jgc8
y2t71dwhN+4YYr763woBAI+UWeFaz14WAjV8CeNK2+DsfJauy35HP5bKYt97BFai
=TOm8
-----END PGP SIGNATURE-----
