Author |
Message |
Super tux n00b
Joined: 11 Oct 2018 Posts: 9
|
Posted: Thu Oct 11, 2018 8:20 pm Post subject: Systemd SELinux |
|
|
Hello, from what I understand it is not possible to install SELinux with systemd on Gentoo, is that correct?
And the Gentoo Hardened project is stopped, correct?
Then if I want a hardened system, I am forced to use openrc?
What are my options if I want SELinux or hardened with systemd?
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Fri Oct 12, 2018 12:02 am Post subject: |
|
|
https://grsecurity.net/passing_the_baton.php
If you limit yourself to kernel 4.9 the patches still can be used.
There are still hardened profiles in Gentoo.
Code:
eselect profile list
will show you what they are. The key difference is that if you want a newer kernel than 4.9 then you must do without the kernel changes.
As I don't use systemd on Gentoo I can't help you with that part.
|
Super tux n00b
Joined: 11 Oct 2018 Posts: 9
|
Posted: Mon Oct 15, 2018 7:47 pm Post subject: |
|
|
I do not want lower kernel sources, I am on ~amd64 all the time. I am building a box with SELinux.
Sad thing is, on strict policy I cannot start KDE Plasma.
The account gets permission denied on a lot of things like $ ls - /home
That is why plasma/xorg would not start, the account cannot read in the home dir.
The account is placed in different roles and domains.
Root account can start plasma fine, do not run xorg as root.
On the targeted policy I can launch plasma as the regular non-admin fine, however lightdm takes 30 seconds longer to load.
I want to know, the targeted policy can start X, strict policy not.
I allowed most of the AVC, and checked booleans with setsebool, idk how the user account can start X on strict policy on Gentoo SELinux by default in policy. So I can just have working X when rebuilding the packages.
Must be a boolean I have turned off?
I can post audit2allow -a later because right now the box is busy.
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Mon Oct 15, 2018 8:31 pm Post subject: |
|
|
My experience can't help you. I have never done SELinux on an X-enabled system. I remember I had to do a huge amount of horsing around with it to get it to work even on a command line, but I can't remember what all that was and I'm not sure it would still be the same hoops to jump through.
My SELinux went away when I finally decided that newer kernels were more important than SELinux features. So I'm way out of practice on that stuff now.
|
Super tux n00b
Joined: 11 Oct 2018 Posts: 9
|
Posted: Tue Oct 16, 2018 8:23 pm Post subject: |
|
|
Hey, did you know you can combine Gentoo profiles? So I combined the plasma profile with the selinux profile.
X works out of the box on targeted profile.
Actually pretty nice, a fully blown plasma/xfce/SELinux system.
In the end I kinda had to pick openrc to use SELinux, however since it is possible to combine profiles, it should be possible to combine systemd and selinux.
|
problemqd n00b
Joined: 11 Nov 2018 Posts: 2
|
Posted: Sun Nov 11, 2018 3:08 pm Post subject: xorg-server 1.20.3 need compile with USE "suid" |
|
|
xorg-server 1.20.3 needs to be compiled with USE "suid"
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
|
Posted: Sun Nov 11, 2018 5:34 pm Post subject: Re: xorg-server 1.20.3 need compile with USE "suid" |
|
|
problemqd wrote: xorg-server 1.20.3 need compile with USE "suid"
This is not relevant to the problem in this thread. Additionally, it is not correct in all cases.