spindle Apprentice
Joined: 01 Dec 2003 Posts: 245
Posted: Thu Mar 24, 2011 10:24 pm Post subject: [SOLVED] Hardened Server Install: which profile? |
I'm nearly done with a hardened server install on an amd64 machine. I'm currently set to the selinux/2007.0/amd64/hardened profile, but I'm thinking I should be using selinux/v2refpolicy/amd64/hardened. However, when I try to switch to this one, I notice that some sec-policy packages are masked, which seems odd. How do I decide which one to use?
Code: |
clerk2 ~ # eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/10.0
[2] default/linux/amd64/10.0/desktop
[3] default/linux/amd64/10.0/desktop/gnome
[4] default/linux/amd64/10.0/desktop/kde
[5] default/linux/amd64/10.0/developer
[6] default/linux/amd64/10.0/no-multilib
[7] default/linux/amd64/10.0/server
[8] hardened/linux/amd64
[9] hardened/linux/amd64/no-multilib
[10] selinux/2007.0/amd64
[11] selinux/2007.0/amd64/hardened *
[12] selinux/v2refpolicy/amd64
[13] selinux/v2refpolicy/amd64/desktop
[14] selinux/v2refpolicy/amd64/developer
[15] selinux/v2refpolicy/amd64/hardened
[16] selinux/v2refpolicy/amd64/server
clerk2 ~ # eselect profile set 15
clerk2 ~ # emerge -pvuDN system world
FEATURES variable contains unknown value(s): loadpolicy
These are the packages that would be merged, in order:
Calculating dependencies... done!
Total: 0 packages, Size of downloads: 0 kB
!!! The following installed packages are masked:
- sec-policy/selinux-mysql-20080525 (masked by: package.mask)
/usr/portage/profiles/selinux/v2refpolicy/package.mask:
# force version 2.YYYYMMDD policy over version YYYYMMDD policy
- sec-policy/selinux-screen-20080525 (masked by: package.mask)
- sec-policy/selinux-logrotate-20080525 (masked by: package.mask)
- sec-policy/selinux-apache-20080525 (masked by: package.mask)
- sec-policy/selinux-base-policy-20080525 (masked by: package.mask)
- sec-policy/selinux-ntp-20080525 (masked by: package.mask)
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.
|
Also, I always get these messages when I run emerge or other Gentoo tools. I've searched around but I couldn't find a fix for this. Maybe it's related to the profile...
Code: |
FEATURES variable contains unknown value(s): loadpolicy
|
Last edited by spindle on Sun Mar 27, 2011 4:17 pm; edited 1 time in total |
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Fri Mar 25, 2011 12:25 am Post subject: |
Code: |
[8] hardened/linux/amd64
|
This should be all you need. You can still use the SELinux pieces in your kernel, still deploy their RBAC if you need, but this is the profile you should choose.
spindle Apprentice
Joined: 01 Dec 2003 Posts: 245
Posted: Sun Mar 27, 2011 4:17 pm Post subject: |
I was able to use the selinux/v2refpolicy/amd64/hardened profile by fixing the package masking for the sec-policy category; see here.