Gentoo Forums
Considering Switching to Gentoo

akuma_xyz
n00b
Joined: 19 May 2019
Posts: 7
PostPosted: Sun May 19, 2019 7:02 pm    Post subject: Considering Switching to Gentoo

Hello,

I was thinking of switching to Gentoo from Arch. I am interested in source-based distributions and feel like Gentoo is something I can learn to love. That said, I only want to take the plunge if some of my concerns below are dealt with. As a non-Gentoo user, some of this information is either hard to google, or only returns older conversations that are possibly out of date.

- I want systemd with Gnome alongside selinux. The official Wiki says use selinux with systemd at your own risk. It further points to a bug tracking page with various claims of success or failures. I just want to hear from a couple of people who actually have this setup working and are OK with it. If the setup is good enough for at least a couple of people right now, I think that could ease my concerns. Please note I am not looking to flamewar the choice or debate the merits of this particular setup :) -- it's what I want. I am simply looking to hear from some people who have got it working that I have nothing to worry about.

- I am a bit worried that some of the packages look older compared to other distros. In particular, in this case, Gnome 3.30 vs 3.32. Arch has 3.32, but what's that I hear you say, Arch is more bleeding edge? Ok, Fedora has 3.32. Ubuntu has 3.32. OpenSuse has 3.32, etc. I don't know if it is because Gentoo isn't as popular and so lacks resources, or if it is slower on the uptake by design. If it's the latter I would be okay with an answer like that. I would be turned off if it is the former, to be honest about it. In any event, if I can easily upgrade the packages myself then it's a non-issue (there's a keyword in that sentence). I would like to be pointed in the right direction as to how I can upgrade an official package myself, get a sense of the actual work involved, etc.

Thank you for your time!
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7281
Location: almost Mile High in the USA
PostPosted: Sun May 19, 2019 7:10 pm

I really wish I could say otherwise, but a lot of the Gentoo userbase (note: not saying developers) are anti-systemd. Because of this, Gnome has been a fairly low priority as there are a lot of tie-ins to systemd. However, recently a compatibility layer was introduced such that Gentoo can support both systemd (Gnome native) or the traditional init system using a translation layer. Because of the dual compatibility system and the testing that needs to be done with both, there will be lag on Gnome versions.

If you absolutely need the latest Gnome, Gentoo may not be the right distribution to use - and Fedora would likely be your best choice as they seem to be the closest to Gnome development.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
akuma_xyz
n00b
Joined: 19 May 2019
Posts: 7
PostPosted: Sun May 19, 2019 7:27 pm

eccerr0r wrote:
I really wish I could say otherwise, but a lot of the Gentoo userbase (note: not saying developers) are anti-systemd. Because of this, Gnome has been a fairly low priority as there are a lot of tie-ins to systemd. However, recently a compatibility layer was introduced such that Gentoo can support both systemd (Gnome native) or the traditional init system using a translation layer. Because of the dual compatibility system and the testing that needs to be done with both, there will be lag on Gnome versions.

If you absolutely need the latest Gnome, Gentoo may not be the right distribution to use - and Fedora would likely be your best choice as they seem to be the closest to Gnome development.

Thank you for the reply. I guess it makes sense that gnome is lagging if Gentoo treats systemd more as an afterthought to begin with, and actually I am okay with that reasoning. I can live with that if I ever switch. It's not that I would always want the latest gnome, but sometimes the new versions they push out are worth upgrading to sooner rather than later. 3.32 to me is one such version and has a lot of performance enhancements. In any case I would want the latest version eventually. If that's before Gentoo releases it, could be, but maybe not always. So I guess I want to ask how easy it would be for me to go out of tree with something like Gnome, and see if there is a howto or something I didn't catch in my searching.
asturm
Developer
Joined: 05 Apr 2007
Posts: 7216
Location: Austria
PostPosted: Sun May 19, 2019 7:28 pm

eccerr0r wrote:
However recently a compatibility layer was introduced such that Gentoo can support both systemd (Gnome native) or using the traditional init system using a translation layer. Because of the dual compatibility system and testing that needs to be done with both, there will be lag on Gnome versions.

Err, no. Gnome now has upstream support for logind independent of it being from systemd or provided by elogind. The init system is irrelevant now. If a Gnome version bump is arriving late, it certainly is not because of supporting more than systemd.

Regarding Gnome out-of-tree, there are, I believe, at least two overlays providing (less well tested) Gnome releases ahead of the Gnome team.
_________________
backend.cpp:92:2: warning: #warning TODO - this error message is about as useful as a cooling unit in the arctic
skellr
l33t
Joined: 18 Jun 2005
Posts: 901
Location: The Village, Portmeirion
PostPosted: Sun May 19, 2019 7:45 pm

I'm sure there is an overlay "repo" to get live builds from the upstream HEAD, 3.33, 3.33.1 or whatever it is now/tomorrow...
Elleni
l33t
Joined: 23 May 2006
Posts: 939
PostPosted: Sun May 19, 2019 8:02 pm

If you read about how overlays work, then with layman it should be rather painless to get gnome-3.32 as you wish.

For example with gnome-next overlay:
https://gpo.zugaina.org/gnome-base/gnome

As I am on openrc myself, I took advantage of dantrell's work, which enabled us to use gnome (3.32) without the need for systemd, so I cannot give you an answer on how well the gnome above works. All I can tell is that managing overlays with layman, or by creating a local overlay with packages you may want to use but that are not (yet) available in the main tree, is rather convenient.
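The local-overlay route Elleni mentions, as an added example that is not code from the thread: it writes the repository identity files and the repos.conf entry Portage needs, keywords only the one package, and copies an existing ebuild under a bumped version. The repo name `local`, the 3.30.0 to 3.32.0 bump, the `ROOT` prefix and the stub ebuild in the demo are assumptions; Manifest regeneration with `ebuild <file> manifest` needs the distfiles and is left for the target system.

```shell
#!/bin/sh
# Added example, not code from the thread: set up a minimal local Portage
# overlay so a newer gnome-base/gnome ebuild can live outside the main tree.
# Every path takes a ROOT prefix so the script can be exercised in a scratch
# directory; on a real system pass "" and the files land under /var/db/repos
# and /etc/portage. Repo name "local" and the 3.30.0 -> 3.32.0 bump are assumed.
set -eu

create_local_overlay() {
    root="$1"            # "" on a real system, a temp dir when testing
    name="${2:-local}"   # the name Portage will show for this repository
    overlay="$root/var/db/repos/$name"
    mkdir -p "$overlay/metadata" "$overlay/profiles" \
        "$root/etc/portage/repos.conf" "$root/etc/portage/package.accept_keywords"
    # Identity files Portage requires of any repository.
    printf '%s\n' "$name" > "$overlay/profiles/repo_name"
    printf 'masters = gentoo\nthin-manifests = true\n' > "$overlay/metadata/layout.conf"
    # Priority above the main tree so an equal version here wins;
    # auto-sync = no because a local overlay has nothing to pull from.
    cat > "$root/etc/portage/repos.conf/$name.conf" <<EOF
[$name]
location = $overlay
masters = gentoo
priority = 50
auto-sync = no
EOF
    # Unmask only the package being bumped, not the whole overlay.
    printf '%s\n' 'gnome-base/gnome ~amd64' \
        > "$root/etc/portage/package.accept_keywords/gnome"
}

# Copy an existing ebuild into the overlay under a new version and print the
# new path. The Manifest must then be regenerated on the target system with
# `ebuild <file> manifest`, and the copy's DEPEND/RDEPEND lists checked against
# the new upstream release; that part is the real work the thread asks about.
bump_ebuild() {
    src="$1"; overlay="$2"; category="$3"; pkg="$4"; newver="$5"
    dest="$overlay/$category/$pkg"
    mkdir -p "$dest"
    cp "$src" "$dest/$pkg-$newver.ebuild"
    printf '%s\n' "$dest/$pkg-$newver.ebuild"
}

# Stand-alone demo in a scratch directory using a constructed stub ebuild.
demo() {
    root=$(mktemp -d)
    create_local_overlay "$root" local
    mkdir -p "$root/var/db/repos/gentoo/gnome-base/gnome"
    printf 'EAPI=7\nDESCRIPTION="constructed stub"\n' \
        > "$root/var/db/repos/gentoo/gnome-base/gnome/gnome-3.30.0.ebuild"
    bump_ebuild "$root/var/db/repos/gentoo/gnome-base/gnome/gnome-3.30.0.ebuild" \
        "$root/var/db/repos/local" gnome-base gnome 3.32.0
    find "$root" -type f
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the files it lays out; an overlay pulled from someone else carries ebuilds that are, as asturm notes, less well tested than the main tree, so the Manifest and the copied ebuild deserve a read before emerging.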
akuma_xyz
n00b
Joined: 19 May 2019
Posts: 7
PostPosted: Sun May 19, 2019 8:26 pm

Thanks all, it seems overlays were exactly what I was looking for. This can address the Gnome question.

All that is left is seeing how well users got systemd and selinux to work together before diving in.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 44195
Location: 56N 3W
PostPosted: Sun May 19, 2019 8:32 pm

akuma_xyz,

That's not a distro question, it's down to systemd and selinux if you choose Gnome with systemd.

What is your threat model that has selinux as a part of the response?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
akuma_xyz
n00b
Joined: 19 May 2019
Posts: 7
PostPosted: Sun May 19, 2019 8:43 pm

NeddySeagoon wrote:
akuma_xyz,

That's not a distro question, it's down to systemd and selinux if you choose Gnome with systemd.

What is your threat model that has selinux as a part of the response?

Thanks. It looks like a distro question to me in the sense that I am trying to a) interpret the wiki, b) express concerns over a bug tracking page, and c) get a feel for how other Gentoo users have fared with these two technologies being used together. In no small part this is also going to come down to the policies maintained by Gentoo devs and how they packaged both. So maybe you are right in the sense that Gentoo is not really responsible for either, but it feels like a fair question to ask Gentoo users what their experiences have been with this setup anyway. I think the technology is intriguing and I want to use it. No, I do not run an NSA server if that is what you are asking.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 44195
Location: 56N 3W
PostPosted: Sun May 19, 2019 9:06 pm

akuma_xyz,

When you decide that you need selinux, or any hardening at all, it's usually because you have some perceived threats you want to defend against.

Many users come here asking about whole drive encryption, selinux and other hardening technologies for no better reason than they have heard about them and they are shiny.
The real reason for doing any of these things is because you have conducted a threat analysis and one or more of these technologies mitigates your perceived threats.
I was wondering what threat selinux mitigated for you?

Security is like the layers of an onion. You can't keep a determined, well equipped attacker out, only make it clear that there are easier targets.
In the end it comes down to this xkcd.

Personally, I don't use gnome, systemd or selinux but that's probably another discussion.

-- edit --

It's not a distro question as Gentoo follows ${UPSTREAM} as closely as possible.
Gentoo tries hard not to carry distro patches without pushing them upstream.
Other distros have more resources and can carry their own patch sets.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
akuma_xyz
n00b
Joined: 19 May 2019
Posts: 7
PostPosted: Sun May 19, 2019 9:17 pm

NeddySeagoon wrote:
akuma_xyz,

When you decide that you need selinux, or any hardening at all, it's usually because you have some perceived threats you want to defend against.

Many users come here asking about whole drive encryption, selinux and other hardening technologies for no better reason than they have heard about them and they are shiny.
The real reason for doing any of these things is because you have conducted a threat analysis and one or more of these technologies mitigates your perceived threats.
I was wondering what threat selinux mitigated for you?

Security is like the layers of an onion. You can't keep a determined, well equipped attacker out, only make it clear that there are easier targets.
In the end it comes down to this xkcd.

Personally, I don't use gnome, systemd or selinux but that's probably another discussion.

That makes sense, thanks. Maybe a use case I have for selinux is that I want to whitelist access to certain folders beyond DAC rules, something apparmor can't do, for example, without jumping through some pretty gnarly hoops. For example, I was thinking I would access my development stuff through a systemd-nspawn container and have selinux restrict access somehow to anything and everything outside of that container. I came up with about 8 or so contexts I would want, such as paying bills, etc. It's a work in progress, I may not end up doing that at all, and even if I don't I still find it interesting. My experience with selinux isn't major or anything, but I have been playing with it on and off for years; it's not really something I read last week on Hacker News. I do use luks, beyond that I am probably not as security conscious as I should be.

If I could get this up and running on Gentoo, being a source based distro, I would be ecstatic as the first day I switched to Linux.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 44195
Location: 56N 3W
PostPosted: Sun May 19, 2019 9:30 pm

akuma_xyz,

Start out with a Gentoo selinux stage3 and see how it goes.
Until you start to play with it, you won't know if it's for you. Once you dip a toe in the water, you will have some more specific questions to ask.

No need to commit hardware. A VM install will let you get your feet wet. You can move to real hardware later.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
akuma_xyz
n00b
Joined: 19 May 2019
Posts: 7
PostPosted: Sun May 19, 2019 9:48 pm

NeddySeagoon wrote:
akuma_xyz,

Start out with a Gentoo selinux stage3 and see how it goes.
Until you start to play with it, you won't know if it's for you. Once you dip a toe in the water, you will have some more specific questions to ask.

No need to commit hardware. A VM install will let you get your feet wet. You can move to real hardware later.

Thanks, I think you are right. There probably isn't really a ton of people with this setup to give me feedback. I probably will go ahead and play around with this on a VM for a few days and try to see for myself. Now I know the theory behind upgrading e.g. Gnome if I ever wanted to, that time feels worthwhile now.

Thanks again,
skellr
l33t
Joined: 18 Jun 2005
Posts: 901
Location: The Village, Portmeirion
PostPosted: Sun May 19, 2019 10:23 pm

akuma_xyz wrote:
There probably isn't really a ton of people with this setup to give me feedback.

I don't think so either. (They probably don't visit the forums, but prefer the mailing lists.) The Arch community would realistically be better for that scenario. You are probably going to run into a few bugs.

We do welcome the help. :)
erm67
Guru
Joined: 01 Nov 2005
Posts: 443
Location: EU
PostPosted: Mon May 20, 2019 5:53 am

Once upon a time selinux used to work fine on gentoo, but it no longer does. A lot of problems come from the implementation used by gentoo: most other distros use a single package to ship all or most policies available (this reflects how the policies are shipped upstream, btw); in gentoo instead, every time you install a package, a sub-package containing the policy for that package only is downloaded. This is problematic since it requires a lot of work by a developer, and every time an incompatible change in the kernel selinux driver requires new policies (and it happens) your system will be a mess and maybe unbootable with selinux enabled. You'll have to wait until the developer downloads all policies one by one and packages them, and it is also problematic to emerge them sometimes. Other distros just download all updated policies and install them in one step. And the poor gentoo dev (not blaming him really, it is the task that is stupid) doesn't really repackage all the policies available upstream, so in some cases you'll have to create ebuilds for policies missing in gentoo but available upstream.
For this reason selinux is almost unusable on gentoo :-) At least if you want it always on.
I use a regular profile, enable selinux in the kernel and install all policies at once with a local ebuild and configure them manually; works for me, but it is not perfect either.
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
akuma_xyz
n00b
Joined: 19 May 2019
Posts: 7
PostPosted: Mon May 20, 2019 9:48 pm

erm67 wrote:
Once upon a time selinux used to work fine on gentoo, but it no longer does. A lot of problems come from the implementation used by gentoo: most other distros use a single package to ship all or most policies available (this reflects how the policies are shipped upstream, btw); in gentoo instead, every time you install a package, a sub-package containing the policy for that package only is downloaded. This is problematic since it requires a lot of work by a developer, and every time an incompatible change in the kernel selinux driver requires new policies (and it happens) your system will be a mess and maybe unbootable with selinux enabled. You'll have to wait until the developer downloads all policies one by one and packages them, and it is also problematic to emerge them sometimes. Other distros just download all updated policies and install them in one step. And the poor gentoo dev (not blaming him really, it is the task that is stupid) doesn't really repackage all the policies available upstream, so in some cases you'll have to create ebuilds for policies missing in gentoo but available upstream.
For this reason selinux is almost unusable on gentoo :-) At least if you want it always on.
I use a regular profile, enable selinux in the kernel and install all policies at once with a local ebuild and configure them manually; works for me, but it is not perfect either.

Hmm thanks, that is a concern. Truth be told right now I am thinking more "building blocks" than actual "implementation" if that makes sense. As in how far along is selinux integrated with Gentoo and systemd vs. how much work is left to get to a place I am comfortable with. As far as I can tell, rhel is probably the only outfit to have truly nailed this anyway, and since I don't use their stuff anymore I am not expecting a 100% out of the box solution. Coming from Arch, it looks like Gentoo's support for selinux is miles ahead and not nearly as mature. Everything selinux is in the aur and the policy is really just vanilla reference with compatibility issues. Besides I am starting to realize Gentoo is a lot closer to what I want out of Linux, so even if I can't get this setup to work I'll likely be switching anyway. If the setup doesn't work out, sucks but I lose nothing because I am not actually using it on Arch right now either.