On Mon, Jun 9, 2014 at 7:43 PM, Michael Orlitzky wrote:
>
> On 06/07/2014 08:55 PM, Anthony G. Basile wrote:
> >
> > When running with a pax kernel, you must enable EMUTRAMP in your Kconfig
> > and you must paxmark your python exe's with E. Note: EMUTRAMP is on by
> > default and the ebuild autom
On Tue, Jul 15, 2014 at 06:02:32PM +, Sven Vermeulen wrote:
> jump into the proper changes (together with perfinion and other developers),
^.^
> Role segregation
>
>
> Which roles to make available?
> --
>
> My opinion: I don't mind to support the
On 6 Aug 2014 12:30, "Sven Vermeulen" wrote:
>
> Hi all
>
> Our live sec-policy/selinux-* packages (the ones with the - version)
> have been using our git repository for some time. Although users could
> always override these with packagename_LIVE_REPO, it meant that they had to
> generate suc
On Tue, Aug 05, 2014 at 05:48:23AM +0300, Alex Efros wrote:
> Hi!
>
> On Thu, Jun 26, 2014 at 08:57:12AM -0400, Anthony G. Basile wrote:
> > Thanks Alex, perfinion hit this bug and fixed it. Can you test with
> > install-xattr-. I don't want to push out a minor bump just for one
> > patch
On Sat, Aug 16, 2014 at 03:46:43PM -0400, Ben Pritchard wrote:
> Hello all
>
> In March, I reported some issues with SELinux contexts in /run. (I seem
> to have misplaced the email -- archive at
> http://article.gmane.org/gmane.linux.gentoo.hardened/6180).
>
> It looks like Sven added the function
On Thu, Aug 21, 2014 at 06:13:01PM +, Sven Vermeulen wrote:
> During a discussion about dependencies and SELinux labeling, I noticed that
> we might want to improve how we currently handle pure policy-related
> dependencies.
>
> What we want to get at, is that the installation of a SELinux pol
On Thu, Aug 21, 2014 at 06:46:37PM +, Sven Vermeulen wrote:
> On Thu, Aug 21, 2014 at 10:42:21PM +0400, Jason Zaman wrote:
> > > Something like so (which we can do in the selinux-policy-2.eclass):
> > >
> > > pkg_postinst() {
> > > # Find all pack
On Thu, Dec 18, 2014 at 08:09:01PM -0500, Anthony G. Basile wrote:
> Hi fellow hardened devs:
>
> I'm sorry for missing the meeting but things came up and the day got
> hectic. It is an important meeting because we were to discuss:
>
> 1) what we want with toolchain.eclass - There is a move to
On Fri, Feb 27, 2015 at 08:04:52PM +0200, Alex Efros wrote:
> Hi!
>
> On Fri, Feb 27, 2015 at 10:38:34AM -0600, Alex Brandt wrote:
> > Somewhat sarcastic but actually true. I don't recommend running
> > production applications inside of Gentoo based containers.
>
> This makes sense for Gentoo,
On Wed, Mar 04, 2015 at 11:04:34PM +0100, Luis Ressel wrote:
> On Wed, 4 Mar 2015 20:21:08 +
> Sven Vermeulen wrote:
>
> > 1. I can temporarily ignore the issue, perhaps hiding the cosmetic
> > denial behind dontaudit statements
> > 2. I can restrictively add to kernel_t those rules that do n
On Sat, Jun 20, 2015 at 08:09:08PM +0200, Simon Maurer wrote:
> Hi,
> I tried to use selinux with systemd, but without much success. Looks
> like the whole transitioning is broken. (Most daemons are stuck in the
> init_t domain) What I don't understand is, while more and more distros
> switching to
On Sun, Jul 12, 2015 at 04:46:03PM -0700, S. Lockwood-Childs wrote:
> I'd appreciate feedback on a blog-style article[1] talking about
> how CIL is going to improve SELinux policy maintenance, and in
> particular, the last section where I try to point out how good Gentoo
> is for experimenting wi
On Mon, Jul 13, 2015 at 03:02:55PM +0200, Sven Vermeulen wrote:
> On Mon, Jul 13, 2015 at 1:31 PM, Jason Zaman wrote:
> > Secondly, related to "poor support for preserving local changes across
> > system updates". The tools now have the concept of priority so users can
>
On Thu, Oct 15, 2015 at 12:44:40PM +0200, Luis Ressel wrote:
> ---
> policy/modules/contrib/portage.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/contrib/portage.if
> b/policy/modules/contrib/portage.if
> index 640a63b..c98a763 100644
> --- a/policy/m
On Mon, Oct 19, 2015 at 02:04:06PM +0200, Luis Ressel wrote:
> According to its documentation, portage_ro_role expects a role for $1
> and a type for $2, just like other _role interfaces. However, the policy
> directives inside the interface don't match its documentation and expect
> $1 to be a typ
Hi all,
Lots of people have been asking about systemd selinux policy support. It
is finally almost here! The basic support was added upstream a few days
ago and is now merged into our repo. If anyone wants to test it and let
me know how it works (or even better, send patches upstream) that'd be
aw
On Sat, Nov 12, 2016 at 04:45:23PM +, Robert Sharp wrote:
> Hi there,
>
> is this the best place to raise questions about SELinux, or would I be
> better trying chat? I am making a big effort to get to enforcing strict
> on a simple server and I am struggling a little.
Here is good, there i
On Wed, Nov 23, 2016 at 12:58:34PM +, Robert Sharp wrote:
> Hi,
>
> just done my weekly update and I noticed the following AVCs occurred
> that suggest something missing in the portage policy?
>
> type=PROCTITLE msg=audit(1479900756.052:3548):
> proctitle=6370002D61002D2D7265666C696E6B3D617
On Wed, Nov 23, 2016 at 03:16:44PM +, Robert Sharp wrote:
>
> On 23/11/16 14:37, Jason Zaman wrote:
> > Are you on ~arch or stable? did you just upgrade to the 2.6 userland?
> > What versions do you have installed of these:
> > sys-libs/libsepol
> > sy
On Wed, Nov 23, 2016 at 04:59:03PM +, Robert Sharp wrote:
>
> On 23/11/16 15:58, Jason Zaman wrote:
> > Either is fine, but im probably just gonna stabilize the 2.6 userspace
> > in a couple weeks so that one is likely easier. and setools4 is waaay
> > better than 3
On Wed, Nov 23, 2016 at 05:20:59PM +, Robert Sharp wrote:
> On 23/11/16 16:59, Robert Sharp wrote:
> >
> > On 23/11/16 15:58, Jason Zaman wrote:
> >> Either is fine, but im probably just gonna stabilize the 2.6 userspace
> >> in a couple weeks so that one
On Thu, Nov 24, 2016 at 03:29:54PM +, Robert Sharp wrote:
> On 23/11/16 17:30, Jason Zaman wrote:
> > On Wed, Nov 23, 2016 at 05:20:59PM +, Robert Sharp wrote:
> >> On 23/11/16 16:59, Robert Sharp wrote:
> >>> On 23/11/16 15:58, Jason Zaman wrote:
> >
On Thu, Nov 24, 2016 at 09:13:35PM +, Robert Sharp wrote:
> On 24/11/16 17:07, Jason Zaman wrote:
> > That warning is harmless, i'll remove the line from the policy later.
> > for now ignore it or manually remove the line to silence the warning.
> > http://blog.per
On Fri, Nov 25, 2016 at 10:16:24AM +, Robert Sharp wrote:
> Hi,
>
> I can run rkhunter as root with role sysadm_r and there are no issues,
> but when I run it from a cron job I get lots of AVCs because the source
> context is system_cronjob_t. I am using vixie-cron and running rkhunter
> fr
On Thu, Dec 01, 2016 at 10:24:21AM +, Robert Sharp wrote:
> Hi,
>
>
> I've looked at the Gentoo SELinux web pages etc, the SELinux Handbook
> and through the Reference Policy and I cannot find the answer to a
> simple question.
>
> I am writing a small policy for my backup system and I wan
On 9 Dec 2016 16:29, "Robert Sharp" wrote:
Just updated all my SELinux policies to 20161023-r1 as they are now stable,
which undid one little fix, so I thought I would mention it.
Sysnetwork.te does not cover the possibility that dhcpcd may run resolvconf
from the dhcpc_script_t domain, which it
On Mon, Jan 30, 2017 at 10:35:18PM +, Robert Sharp wrote:
> Just when I thought I was getting near to switching on strict and all of
> a sudden my cron jobs are throwing AVCs all over.
>
>
> The gist of it is all the same, for example:
> scontext=user_u:user_r:cronjob_t tcontext=system_u:ob
On Fri, Feb 03, 2017 at 02:54:28PM +, Robert Sharp wrote:
> Hi,
> just emerged the new setools-4.1.0 and it falls over. I do not have X on
> this machine and it seems to fail when patching to remove the gui? Here
> are the details.
I fixed it yesterday, re-emerge and it'll work now.
Thanks,
On Thu, Apr 13, 2017 at 12:02:24PM +0100, Robert Sharp wrote:
> Is there a difference between policies that appear to be in core but
> also have their own ebuilds? For example: selinux-ddclient versus
> policy/modules/contrib/dnsmasq.* and selinux-ddclient versus
> policy/modules/contrib/ddclien
On Wed, Apr 19, 2017 at 02:12:36PM +0100, Robert Sharp wrote:
> I had a problem with Dnsmasq that led to my last post on understanding
> where policies come from. Now that I know and have had dnsmasq
> comfortably running with udp comms to unbound on port 553, I have run
> into the original prob
On Thu, Aug 10, 2017 at 09:16:53AM +0100, Robert Sharp wrote:
> Had emerge of setools failure this morning:
>
> 1 out of 1 hunk FAILED -- saving rejects to file setup.py.rej
> [ !! ]
> * ERROR: app-admin/setools-4.1.1::gentoo failed (prepare phase):
> * patch -p1 failed with
> /var/tmp/p
Sounds good to me. I'm traveling so great if you can do it :-)
On Dec 2, 2017 17:20, "Sven Vermeulen" wrote:
> On the chat it was noticed that we don't have a hardened/selinux profile
> anymore. Is it OK if I add it, with a parent of
> ..
> ../../../../../features/selinux
>
> This is for (pr