Talk:SELinux/Installation

From Gentoo Wiki
Jump to:navigation Jump to:search
Note
Before creating a discussion or leaving a comment, please read about using talk pages. To create a new discussion, click here. Comments on an existing discussion should be signed using ~~~~:
A comment [[User:Larry|Larry]] 13:52, 13 May 2024 (UTC)
: A reply [[User:Sally|Sally]] 00:08, 11 October 2024 (UTC)
:: Your reply ~~~~

Update

Talk status
This discussion is done as of 2024-05-17.

Very interesting documentation for starting on it, but I think an update with new profile (17.0 stable and/or 17.1 exp) is needed. On new profiles, it seems the /tmp is on the context without edit fstab and with OpenRC. Also, is possible add a command for list actual context, for example check if the tmpfs really complies the rules? Regards. Mustela (talk) 09:31, 7 September 2018 (UTC)

Since the article's output of eselect profile list is recent, I'm willing to bet that this has been fixed long ago.
Waldo Lemmer 14:45, 17 May 2024 (UTC)

LSM

Talk status
This discussion is done as of 2024-03-08.

In the latest kernels, there is no “Default security module”. Instead one have to use “Ordered list of enabled LSMs”. The documentation should be updated accordingly. Sorry if I cannot do it myself, I am totally new at using SELinux and wouldn’t want to write something wrong. Stéphane, Gentoo in the Alps (talk) 17:04, 9 April 2021 (UTC)

As of 2024-03-08, the mentioned information is already in the article. --Lars Hint (talk) 10:55, 8 March 2024 (UTC)

SELinux related USE flags outdated

Talk status
This discussion is done as of 2024-03-08.

I'm not sure when this changed, but the listed USE flags are wrong for the sec-policy/selinux-base package. ILMostro (talk) 07:41, 24 November 2021 (UTC)

Confirmed. Fixed. --Lars Hint (talk) 11:10, 8 March 2024 (UTC)

PaX/grsecurity recommendation

Talk status
This discussion is done.

It is seriously recommended to use SELinux together with other hardening improvements (such as PaX / grSecurity).

Is the PaX/grsec recommendation still relevant considering they stopped giving the patches out for free? The hardened-sources kernel used to provide grsec, but that's long gone now and the only way to use it would be to provide the patches yourself. I feel like this recommendation would only confuse users who aren't familiar with the grsec story already. xxc3nsoredxx (talk) 04:15, 18 October 2022 (UTC)

This has been fixed.
Waldo Lemmer 14:44, 17 May 2024 (UTC)

When to reboot?

Talk status
This discussion is done as of 2024-03-08.

reboot after rebuild is mentioned, but nowhere in there a mark actually saying "reboot now"? --Damobrisbane (talk) 22:59, 7 March 2023 (UTC)

The reboot is required before relabeling. Now it's mentioned. --Lars Hint (talk) 10:50, 8 March 2024 (UTC)

Changing profile

Talk status
This is a good first discussion for new contributors as of 2024-05-17.

Not sure if that is the case for others, but changing your profile before emerging any base selinux package leads to errors when emerging them. If the profile is changed after the base packages have been emerged it does work. We should consider a change to the order of the installation steps. Please do test that on your own too. --BurningMemory (talk) 11:41, 17 May 2024 (UTC)

I tried to reproduce the issue, but everything works as expected, no compilation errors occurred. I used the default/linux/arm64/23.0/musl/hardened/selinux profile. Are you sure you didn't update the system immediately after changing the profile? And didn't perform a reboot until it was allowed in the article? --Lars Hint (talk) 18:04, 31 August 2024 (UTC)