Oct 22, 2013, 7:24 PM
Post #5 of 6
(2297 views)
Permalink
On 10/22/2013 07:52 PM, Rick "Zero_Chaos" Farina wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/22/2013 02:15 PM, Anthony G. Basile wrote:
>> On 10/22/2013 02:06 PM, Anthony G. Basile wrote:
>>> On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote:
>>>> 4.0 Selinux 5.0 System Integrity 6.0 Profile I'd like to
>>>> specifically discuss bringing back the desktop profile by user
>>>> request.
>>>>
>>>>
>>> The old desktop/server/developer profiles were removed for a
>>> good reason. They cannot stack properly given their directory
>>> location and conflicting inheritance requirements. We cannot
>>> bring them back as they were else we will re-introduce the
>>> ancient multilib vs non-mutlilib selinux issue in one
>>> manifestation or another.
>>>
>>> Nonetheless, I think a desktop profile for hardened is possible
>>> along the lines of what was done for selinux, ie put it in
>>> features. Only if the desktop profile lands at the very bottom
>>> of the profile stack will this work. Alternatively, you can
>>> duplicate the desktop profile from default/linux in
>>> hardened/linux and do a simple inheritance from its parent. This
>>> "duplication" would really not be much of a duplication because
>>> there's probably stuff you want to tweak for your own purposes.
>>>
>>> I was going to remove those deprecated directories today, but I
>>> can hold off. To be clear, I'm not against a hardened desktop
>>> profile, just not the implementation we had which was broken.
>>>
>> Actually I was wrong in saying "only if it lands at the bottom of
>> the profile stack" ... That is in fact the problem:
>>
>> /usr/portage/profiles/base /usr/portage/profiles/default/linux
>> /usr/portage/profiles/arch/base
>> /usr/portage/profiles/features/multilib
>> /usr/portage/profiles/features/multilib/lib32
>> /usr/portage/profiles/arch/amd64 /usr/portage/profiles/releases
>> /usr/portage/profiles/eapi-5-files
>> /usr/portage/profiles/releases/13.0
>>
>> /usr/portage/profiles/hardened/linux
>> /usr/portage/profiles/hardened/linux/amd64
>> /usr/portage/profiles/targets/desktop
>> /usr/portage/profiles/hardened/linux/amd64/desktop
>>
>> So "profiles/targets/desktop" basically trump
>> "profiles/hardened/linux/amd64" which is the problem: a
>> non-hardened profile can undo the hardening. We have to get
>> something like this:
>>
>>
>> /usr/portage/profiles/base /usr/portage/profiles/default/linux
>> /usr/portage/profiles/arch/base
>> /usr/portage/profiles/features/multilib
>> /usr/portage/profiles/features/multilib/lib32
>> /usr/portage/profiles/arch/amd64 /usr/portage/profiles/releases
>> /usr/portage/profiles/eapi-5-files
>> /usr/portage/profiles/releases/13.0
>>
>> /usr/portage/profiles/targets/desktop
>> /usr/portage/profiles/hardened/linux
>> /usr/portage/profiles/hardened/linux/amd64
>>
> I was essentially thinking to make a /desktop directory in each
> profile and then parent would be targets/desktop and .. to ensure
> hardened overrides default. Certainly it is not perfect and some
> things from desktop may be lost, but it's a lot better than not having
> a desktop profile at all.
>
> - -Zero
If the parent file has
..
../../../../targets/desktop
then you get the above order with targets/desktop trumping
hardened/amd64 which is bad. If the order is
../../../../targets/desktop
..
then you get and even worse stacking where target/desktop is prior to base.
/usr/portage/profiles/targets/desktop
/usr/portage/profiles/base
/usr/portage/profiles/default/linux
/usr/portage/profiles/arch/base
/usr/portage/profiles/features/multilib
/usr/portage/profiles/features/multilib/lib32
/usr/portage/profiles/arch/amd64
/usr/portage/profiles/releases
/usr/portage/profiles/eapi-5-files
/usr/portage/profiles/releases/13.0
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/amd64
/usr/portage/profiles/hardened/linux/amd64/desktop
Because of the way stacking works, you cannot get the desired order by
inheriting both target/desktop and hardened. As I said, we removed
those profiles for a good reason.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA