| View previous topic :: View next topic |
| Author |
Message |
spindle
Apprentice
Joined: 01 Dec 2003
Posts: 245
|
 Posted: Thu Mar 24, 2011 10:24 pm Post subject: [SOLVED] Hardened Server Install: which profile? |
 |
|
I'm nearly done with a hardened server install on an amd64 machine although I'm currently set to the selinux/2007.0/amd64/hardened profile but I'm thinking I should be using selinux/v2refpolicy/amd64/hardened but when I try to switch to this one I notice that some sec-policy packages are masked which seems odd. How do I decide which one to use?
| Code: |
clerk2 ~ # eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/10.0
[2] default/linux/amd64/10.0/desktop
[3] default/linux/amd64/10.0/desktop/gnome
[4] default/linux/amd64/10.0/desktop/kde
[5] default/linux/amd64/10.0/developer
[6] default/linux/amd64/10.0/no-multilib
[7] default/linux/amd64/10.0/server
[8] hardened/linux/amd64
[9] hardened/linux/amd64/no-multilib
[10] selinux/2007.0/amd64
[11] selinux/2007.0/amd64/hardened *
[12] selinux/v2refpolicy/amd64
[13] selinux/v2refpolicy/amd64/desktop
[14] selinux/v2refpolicy/amd64/developer
[15] selinux/v2refpolicy/amd64/hardened
[16] selinux/v2refpolicy/amd64/server
clerk2 ~ # eselect profile set 15
clerk2 ~ # emerge -pvuDN system world
FEATURES variable contains unknown value(s): loadpolicy
These are the packages that would be merged, in order:
Calculating dependencies... done!
Total: 0 packages, Size of downloads: 0 kB
!!! The following installed packages are masked:
- sec-policy/selinux-mysql-20080525 (masked by: package.mask)
/usr/portage/profiles/selinux/v2refpolicy/package.mask:
# force version 2.YYYYMMDD policy over version YYYYMMDD policy
- sec-policy/selinux-screen-20080525 (masked by: package.mask)
- sec-policy/selinux-logrotate-20080525 (masked by: package.mask)
- sec-policy/selinux-apache-20080525 (masked by: package.mask)
- sec-policy/selinux-base-policy-20080525 (masked by: package.mask)
- sec-policy/selinux-ntp-20080525 (masked by: package.mask)
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.
|
Also I always get these messages when I run emerge or other gentoo tools. I've searched around but I couldn't find a fix for this. Maybe it's related to the profile...
| Code: | FEATURES variable contains unknown value(s): loadpolicy
|
Last edited by spindle on Sun Mar 27, 2011 4:17 pm; edited 1 time in total |
|
| Back to top |
|
 |
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
|
| Posted: Fri Mar 25, 2011 12:25 am Post subject: |
|
|
| Code: |
[8] hardened/linux/amd64
|
this should be all you need. You can still use the selinux pieces in your kernel, still deploy their RBAC if you need, but this is the profile you should choose.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash |
|
| Back to top |
|
|
spindle
Apprentice
Joined: 01 Dec 2003
Posts: 245
|
| Posted: Sun Mar 27, 2011 4:17 pm Post subject: |
|
|
| I was able to use the selinux/v2refpolicy/amd64/hardened profile by fixing the package masking for these the sec-policy category, see here. |
|
| Back to top |
|
|
|
Installing Gentoo
