On 10/22/2013 02:06 PM, Anthony G. Basile wrote:
On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote:
4.0 Selinux
5.0 System Integrity
6.0 Profile
I'd like to specifically discuss bringing back the desktop profile by
user request.
The old desktop/server/developer profiles were removed for a good
reason. They cannot stack properly given their directory location and
conflicting inheritance requirements. We cannot bring them back as
they were else we will re-introduce the ancient multilib vs
non-mutlilib selinux issue in one manifestation or another.
Nonetheless, I think a desktop profile for hardened is possible along
the lines of what was done for selinux, ie put it in features. Only
if the desktop profile lands at the very bottom of the profile stack
will this work. Alternatively, you can duplicate the desktop profile
from default/linux in hardened/linux and do a simple inheritance from
its parent. This "duplication" would really not be much of a
duplication because there's probably stuff you want to tweak for your
own purposes.
I was going to remove those deprecated directories today, but I can
hold off. To be clear, I'm not against a hardened desktop profile,
just not the implementation we had which was broken.
Actually I was wrong in saying "only if it lands at the bottom of the
profile stack" ... That is in fact the problem:
/usr/portage/profiles/base
/usr/portage/profiles/default/linux
/usr/portage/profiles/arch/base
/usr/portage/profiles/features/multilib
/usr/portage/profiles/features/multilib/lib32
/usr/portage/profiles/arch/amd64
/usr/portage/profiles/releases
/usr/portage/profiles/eapi-5-files
/usr/portage/profiles/releases/13.0
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/amd64
/usr/portage/profiles/targets/desktop
/usr/portage/profiles/hardened/linux/amd64/desktop
So "profiles/targets/desktop" basically trump
"profiles/hardened/linux/amd64" which is the problem: a non-hardened
profile can undo the hardening. We have to get something like this:
/usr/portage/profiles/base
/usr/portage/profiles/default/linux
/usr/portage/profiles/arch/base
/usr/portage/profiles/features/multilib
/usr/portage/profiles/features/multilib/lib32
/usr/portage/profiles/arch/amd64
/usr/portage/profiles/releases
/usr/portage/profiles/eapi-5-files
/usr/portage/profiles/releases/13.0
/usr/portage/profiles/targets/desktop
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/amd64
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
