On 03/27/2011 03:42 PM, Sven Vermeulen wrote:
> On Fri, Mar 18, 2011 at 06:55:34PM -0400, Anthony G. Basile wrote:
>> You're not wrong, but this can be restructured to come better in line
>> with the rest of the hardened profiles. I have to do a careful analysis
>> of the stacking and see if we can get something similar out of simpler
>> stackings and then fix up what might be missed in the final layers of
>> the stack.
>
> My suggestion would be to
>
> 1. stabilize the current set of policies
> 2. remove the policies whose version is >= 3.0 (including those -2008* ones)
> 3. make a "features/selinux" profile (which contains all SELinux relevant
>    aspects but is not a real profile in its own)
> 4. Create sublocations within the existing profiles for SELinux (like
>    hardened/linux/amd64/selinux and hardened/linux/amd64/no-multilib/selinux)
>
> These sublocations would only have a single file called "parent" showing
> something like:
> ../
> ../../../../features/selinux
>
> I just tried this on my no-multilib system as well as on a multilib one, and
> apart from USE="gdbm bzip2 urandom nptl justify -fortran" I have had no
> other changes (checked the different outputs of "emerge --info" as well as a
> "emerge -puDN world").
>
> Wkr,
> Sven Vermeulen

I agree with this plan. I really like step 4.

--
Anthony G. Basile, Ph.D.
Gentoo Developer