On Fri, 22 Feb 2013 19:27:00 +
Sven Vermeulen wrote:
> I also notice a lot of capability (mknod) requests in the denials -
> again, without noticeable change in behavior. Very awkward to debug -
> I can't just dontaudit it (not convinced they aren't needed) nor
> allow (not convinced they are
Haven't looked into this specific message, but I guess you shouldn't
worry about it too much. The denials (ulimits) would also occur on
gentoo-sources (or every other kernel, for that matter), they just
wouldn't be recorded. And most probably it's the same with the
segfault. It happens always, you
By the way: If you value your mental health and are not one of those
insanes^Wgeniuses, I'd recommend you to stay away from the toolchain
build process. Far away.
;)
--
Luis
ara...@aixah.de
signature.asc
Description: PGP signature
Yes, these are the vanilla configs. See
https://bugs.gentoo.org/show_bug.cgi?id=375853, it's also documented in
the ChangeLog. The hardened config files can now be found
at
/usr/share/doc/syslog-ng-3.4.2/syslog-ng.{conf.gentoo,logrotate}.hardened.bz2 .
signature.asc
Description: PGP signature
o the correct domain (initrc_t) beforce
execv()'ing the script.
Are there any plans to change this?
Regards,
Luis
--
Luis Ressel
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD
signature.asc
Description: PGP signature
course of
action be preferred?
Regards,
Luis Ressel
--
Luis Ressel
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD
signature.asc
Description: PGP signature
ion.
What do you think about this? Is it just overcomplicated or a good way
to go? Also, do you know of other programs which have problems with
GRKERNSEC_SYSFS_RESTRICT? I'd be willing to write the eclass if you
like the idea.
Regards,
Luis Ressel
--
Luis Ressel
GPG fpr: F08D 2AF6 655E 25DE 52BC E5
hey are member
> of said group without that group being the primary group, etc.
I'll do that.
Regards,
Luis Ressel
signature.asc
Description: PGP signature
but that seems a
bit messy.)
Regards,
Luis Ressel
signature.asc
Description: PGP signature
the sysfs gid configurable, let's see if
grsecurity will incorporate it...
Regards,
Luis Ressel
signature.asc
Description: PGP signature
, but still worse than the ~2 minutes in the good
ol' days with vanilla install). I'll test more ebuilds in the next days.
PS: I wonder if sys-apps/paxctl could be removed from the @system set
now, as it's obsolete and superseded by elfix.
Regards,
Luis Ressel
signature.asc
Description: PGP signature
t least not in a simple way. This
doesn't work on systems like mine which don't respect PT_PAX flags.
I'm currently working on a patch for sbcl (there are selinux-related
issues as well), but please have a look at the other ebuilds.
[1] $ echo /usr/portage/*/*/*.ebuild|xargs -n1000 grep -P 'paxctl(?!-ng)'|cut
-d: -f1
Regards,
Luis Ressel
signature.asc
Description: PGP signature
isp/sbcl to
work (there are SELinux issues as well), I'll file the bug about
its paxctl usage in a short while.
It's been helpful that you mentioned paxmark.sh, I didn't know about
that script before.
I'll see if I can have a look at more of the potentially problematic
LF headers, doesn't preserve xattrs; therefore, a separate
pax-mark in src_install() is required.
I bet there are more bugs like this one in other packages.
Btw: Should such bugs block #427888?
Regards,
Luis Ressel
signature.asc
Description: PGP signature
er a different way to centrally manage the patches
> (they sometimes become too large to be put in the ${FILESDIR} so I
> moved towards a patchbundle)?
>
> Wkr,
> Sven Vermeulen
>
>
It would be certainly helpful for downstream users/developers like me.
Regards,
Luis Ressel
signature.asc
Description: PGP signature
On Wed, 6 Aug 2014 00:53:41 +0200
Luis Ressel wrote:
> On Tue, 5 Aug 2014 12:47:32 +
> Sven Vermeulen wrote:
>
> > Hi all
> >
> > Is it ok if I create a branch in the hardened-dev repo (called
> > "selinux-userland") which contains the patches fo
That sounds great! Up to now, I compiled and loaded my patched policy
manually, but I think I'll switch over to using the -'s and
configuring them to use my own repo.
Regards,
Luis
signature.asc
Description: PGP signature
patchset.git
> proj/hardened-patchset.git) keep patches separately.
> Perhaps hardened-selinuxpatchset?
>
> Amadeusz
>
>
I'd rather not have to keep track of yet another repository. What's
wrong with a branch? Using "git checkout --orphan newbranch", one can
create completely independent branches.
Regards,
Luis ressel
signature.asc
Description: PGP signature
VBox VM just as a
> learning exercise and which I understand it won't be as secure as
> doing it on bare metal I'd be very interested in hearing about others
> experience in this area.
I've never used Virtualbox, but I know hardened-sources kernels work
very well in KVM environments. That said, it's certainly a wise
decision to test substantive system changes beforehand in a virtualized
environment.
Regards,
Luis Ressel
PS: Wow, that mail I've just written somehow reminds me of Duncan.
signature.asc
Description: PGP signature
refer not to diverge further from
upstream if we can avoid it.
5. seems to be the cleanest solution, but I've got to dig around a bit
in the refpolicy to estimate the amount of work it'd require.
If we want a temporary fix, I'd go with 3. It's only a tiny change, so
it wouldn
Only some of the binaries in /usr/lib/postgresql-.../bin should be
marked postgresql_exec_t (e.g. pg_ctl), the others (e.g. psql) should
get a bin_t marking so they're user-accessible. refpolicy applies
correct labels since last year (commit 3738cf10), but this ifdef block
still overrides them on G
actually expect $1 to be a type.
So, we should either
1) replace $1 with $2 inside the interface, or
2) rename the interface to something without _role and fix the
documentation.
Regards,
Luis Ressel
---
policy/modules/contrib/portage.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.if
b/policy/modules/contrib/portage.if
index 962dcca..e9de28e 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -410,6 +410,8 @@ inter
Create portage_read_srcrepo and portage_read_log interfaces.
---
policy/modules/contrib/portage.if | 40 +++
1 file changed, 40 insertions(+)
diff --git a/policy/modules/contrib/portage.if
b/policy/modules/contrib/portage.if
index 4652319..962dcca 100644
--- a
The portage_compile_domain interface used portage_sandbox_t without
requiring it.
---
policy/modules/contrib/portage.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.if
b/policy/modules/contrib/portage.if
index c98a763..4652319 100644
--- a
---
policy/modules/contrib/portage.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.if
b/policy/modules/contrib/portage.if
index 640a63b..c98a763 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -511,6 +
According to its documentation, portage_ro_role expects a role for $1
and a type for $2, just like other _role interfaces. However, the policy
directives inside the interface don't match its documentation and expect
$1 to be a type.
This interface isn't used anywhere in the policy, so no other fix
On Sun, 13 Nov 2016 16:29:00 -0600
R0b0t1 wrote:
> If there is no policy package installed and there is not one in the
> tree, you are on your own until one is written. I would double check
> to ensure one exists because: 1) To the best of my knowledge, there
> are logging policies available, and
On Thu, 24 Nov 2016 15:29:54 +
Robert Sharp wrote:
> [snip]
> If so, is there a way to avoid listing all the policy packages
> in my accept_keywords file?
>
Yes, there is. You can use globs in package.accepts_keywords; for
example "sec-policy/*"
Regards,
Luis
nally I've never tried making su work with SELinux.
"sudo -r sysadm_r -t sysadm_t" works like a charm.
Regards,
Luis Ressel
pgpPP56t5YQ_2.pgp
Description: OpenPGP digital signature
Hello,
in case anyone hasn't read in on LWN yet, here's what I'm talking
about: https://grsecurity.net/passing_the_baton.php
In short, the grsecurity upstream folks decided they don't give a shit
about the benefits of open source anymore even though their work
wouldn't even possible without those
On Sat, 29 Apr 2017 18:52:56 +0200
Javier Juan Martinez Cabezon wrote:
> It's not one PaX alternative as its only one of its features but rsbac
> recently implemented native W or X and seems to work fine
If you're only looking for userland W^X, SELinux has some support for
that, too (I don't kno
On Sat, 29 Apr 2017 17:56:10 +0200
Daniel Cegiełka wrote:
> By the way, I don't know what the Gentoo Hardened or Alpine Linux
> have done wrong, that now are left out in the cold.
That's the part I don't get either. Since the only possible motivation
I can think of for this move is to generate m
On Mon, 1 May 2017 09:38:43 +
Sven Vermeulen wrote:
> The obvious step is indeed to stop further *current* development on
> hardened-sources. I don't know how many additional patchsets are being
> implemented in it (blueness? Zorry?) so I don't know if it means that
> hardened-sources in tota
On Tue, 2 May 2017 17:56:22 +0200
Daniel Cegiełka wrote:
> grep -r -e paxmark -e pax_kernel /usr/portage/
pax.?mark actually, since the eclass helper is called pax-mark. :)
I'd hold off on removing those for at least a few months, though.
Regards,
Luis
pgpmepOaL7otT.pgp
Description: OpenPGP d
Hi,
I don't have much to add, but I'd like to clear two misunderstandings
here:
On Mon, 8 May 2017 20:08:07 +0200
Miroslav Rovis wrote:
> And really since late in 2016 no more entries in the Changelog. Pls.
> note that I'm only stating the facts, not complaining.
AFAIK the Changelogs aren't up
This has been sitting in our policy since 2012 (aaa0f803d), but it's
obviously a typo.
---
policy/modules/system/miscfiles.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/miscfiles.fc
b/policy/modules/system/miscfiles.fc
index 42ac30bda..b32e4e262 1006
On Wed, 23 Aug 2017 12:13:31 -0500
Parker Schmitt wrote:
> Have we thought about paying spender to give us patches? We could
> agree to a license that requires it to be on Gentoojust a thought
Yeah, that won't work. spender and PaX team have made the experience
that if they publish their cod
a bit further for gzip).
Cheers,
Luis Ressel
39 matches
Mail list logo
