On Fri, Mar 18, 2011 at 06:55:34PM -0400, Anthony G. Basile wrote:
> You're not wrong, but this can be restructured to come better in line
> with the rest of the hardened profiles. I have to do a careful analysis
> of the stacking and see if we can get something similar out of simpler
> stackings and then fix up what might be missed in the final layers of
> the stack.
My suggestion would be to
1. stabilize the current set of policies
2. remove the policies whose version is >= 3.0 (including those -2008* ones)
3. make a "features/selinux" profile (which contains all SELinux-relevant
aspects but is not a real profile on its own)
4. create sublocations within the existing profiles for SELinux (like
hardened/linux/amd64/selinux and hardened/linux/amd64/no-multilib/selinux)
These sublocations would only have a single file called "parent" showing
something like:
../
../../../../features/selinux
I just tried this on my no-multilib system as well as on a multilib one, and
apart from USE="gdbm bzip2 urandom nptl justify -fortran" I have had no
other changes (checked the different outputs of "emerge --info" as well as a
"emerge -puDN world").
Wkr,
Sven Vermeulen
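As an added illustration of the stacking proposed in this message (example code, not from the thread or the Gentoo tree): a bash script that builds the suggested layout in a scratch directory and resolves a profile's stack by following its "parent" entries depth-first, in file order, parents first. The directory names and the USE flag in make.defaults are constructed; the no-multilib sublocation carries one extra "../" in its parent file because it sits one level deeper.

```bash
#!/bin/bash
# Added example: build the proposed layout in a scratch tree and resolve a
# profile stack through its "parent" files. Paths and USE flag are constructed.
set -eu

# resolve_stack DIR: print the profile directories that make up DIR, parents
# first and DIR itself last. Fails loudly if a parent entry does not exist.
resolve_stack() {
    local dir line
    dir=$(cd "$1" 2>/dev/null && pwd -P) \
        || { echo "missing profile directory: $1" >&2; return 1; }
    if [ -f "$dir/parent" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac   # skip blanks/comments
            resolve_stack "$dir/$line"
        done < "$dir/parent"
    fi
    printf '%s\n' "$dir"
}

# make_layout ROOT: minimal tree with a "features/selinux" pseudo-profile
# and the two selinux sublocations from the proposal.
make_layout() {
    local root=$1
    mkdir -p "$root/base" "$root/features/selinux" \
        "$root/hardened/linux/amd64/selinux" \
        "$root/hardened/linux/amd64/no-multilib/selinux"
    echo 'USE="selinux"' > "$root/features/selinux/make.defaults"
    echo '../../../base' > "$root/hardened/linux/amd64/parent"
    echo '../' > "$root/hardened/linux/amd64/no-multilib/parent"
    printf '%s\n' '../' '../../../../features/selinux' \
        > "$root/hardened/linux/amd64/selinux/parent"
    # one level deeper, so one more "../" is needed to reach features/
    printf '%s\n' '../' '../../../../../features/selinux' \
        > "$root/hardened/linux/amd64/no-multilib/selinux/parent"
}

# stack_use DIR: USE= lines from every make.defaults in the stack, in
# stacking order (later entries override earlier ones).
stack_use() {
    resolve_stack "$1" | while IFS= read -r d; do
        [ -f "$d/make.defaults" ] && grep '^USE=' "$d/make.defaults" || true
    done
}

demo_root=$(mktemp -d)
make_layout "$demo_root"
resolve_stack "$demo_root/hardened/linux/amd64/no-multilib/selinux"
stack_use "$demo_root/hardened/linux/amd64/no-multilib/selinux"
rm -rf "$demo_root"
```

Run it and compare the printed order with what you expect before adding the sublocations to a real profile tree.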