Gentoo Hardening

62 Members
If you care too much about security and Gentoo, this is your place to talk about it. (Unofficial)
21 Servers

24 Feb 2022
In reply to @jroy:matrix.jroy.ca
OK, so I moved to the hardened/selinux profile and rebuilt @world and the kernel. If I reboot now, will I get locked out from SSH without configuring SELinux, or should it keep working?

Depends if it's been configured to allow your user SSH access (including network access).

SELinux works like Android permissions (they're based on SELinux).

@inferenceus:matrix.org inference: No way to know without checking the policy. (03:34:32)
@inferenceus:matrix.org inference: And warning... (03:34:45)
@jroy:matrix.jroy.ca Julien: I didn't configure anything, I only did https://wiki.gentoo.org/wiki/Hardened_Gentoo#Switching_to_a_Hardened_profile (03:35:20)
@inferenceus:matrix.org inference: SELinux is difficult to configure to allow access. (03:34:58)
@inferenceus:matrix.org inference: That's why I haven't done it yet. (03:35:05)
@jroy:matrix.jroy.ca Julien: I know, but I want to learn. (03:35:33)
@jroy:matrix.jroy.ca Julien: I'm in no hurry. (03:35:38)
@inferenceus:matrix.org inference: Did you back up your system? (03:35:19)
@inferenceus:matrix.org inference: In case you need to fall back? (03:35:23)
@jroy:matrix.jroy.ca Julien: I have a fallback kernel/boot entry, but all my binaries were rebuilt with new flags. (03:36:18)
@inferenceus:matrix.org inference: I think the essential binaries should be allowed, especially as root. (03:35:59)
@jroy:matrix.jroy.ca Julien: I do have a full system backup, too. (03:36:25)
@inferenceus:matrix.org inference: Using SSH with root isn't ideal, but may work. (03:36:08)
@jroy:matrix.jroy.ca Julien: I have that disabled. (03:36:40)
@jroy:matrix.jroy.ca Julien: I think I will add permissive to my boot command. (03:36:51)
In reply to @jroy:matrix.jroy.ca
I have that disabled
Root disabled?
@inferenceus:matrix.org inference: Why don't you set it to permissive, back up in that state, then set to enforce and see what breaks? (03:36:55)
@inferenceus:matrix.org inference: You can restore to permissive. (03:37:08)
@jroy:matrix.jroy.ca Julien: As long as I don't get locked out :D (03:38:03)
@jroy:matrix.jroy.ca Julien: Yes, I will try that. Permissive, reboot, cross fingers. (03:38:20)
@jroy:matrix.jroy.ca Julien: Actually, there is much more I have to do. (03:41:52)
@jroy:matrix.jroy.ca Julien: I shouldn't have followed the other page info. (03:42:02)
@jroy:matrix.jroy.ca Julien: Didn't do it in the right order. Nothing broke, though. (03:42:14)
@inferenceus:matrix.org inference: Trying to get a concept noted here. (03:42:26)
@inferenceus:matrix.org inference: How large does dm-verity need to be? (03:42:34)
@inferenceus:matrix.org inference: And how to partition? (03:42:43)

I'm thinking:

/boot < RO
/ < RO
/home (or /user) < RW
/system (or /packages) < RW
