24 Feb 2022 |
inference | In reply to @jroy:matrix.jroy.ca: "ok, so, I moved to hardened/selinux profile and rebuilt @world and kernel. if I reboot now, will I get locked out from SSH without configuring selinux or should it keep working ?"
Depends if it's been configured to allow your user SSH access (including network access).
SELinux works like Android permissions (they're based on SELinux).
| 03:34:23 |
inference | No way to know without checking the policy. | 03:34:32 |
inference | And warning... | 03:34:45 |
Julien | I didn't configure anything, I only did https://wiki.gentoo.org/wiki/Hardened_Gentoo#Switching_to_a_Hardened_profile | 03:35:20 |
inference | SELinux is difficult to configure to allow access. | 03:34:58 |
inference | That's why I haven't done it yet. | 03:35:05 |
Julien | I know, but I want to learn | 03:35:33 |
Julien | I'm in no hurry | 03:35:38 |
inference | Did you back up your system? | 03:35:19 |
inference | In case you need to fall back? | 03:35:23 |
Julien | I have a fallback kernel/boot entry, but all my binaries were rebuilt with new flags. | 03:36:18 |
inference | I think they essential binaries should be allowed, especially as root. | 03:35:59 |
Julien | I do have a full system backup, too | 03:36:25 |
inference | Using SSH with root isn't ideal, but may work. | 03:36:08 |
Julien | I have that disabled | 03:36:40 |
inference | * I think the essential binaries should be allowed, especially as root. | 03:36:17 |
Julien | I think I will add permissive to my boot command | 03:36:51 |
inference | In reply to @jroy:matrix.jroy.ca: "i have that disabled" Root disabled? | 03:36:29 |
inference | Why don't you set it to permissive, back up in that state, then set to enforce and see what breaks? | 03:36:55 |
inference | You can restore to permissive. | 03:37:08 |
Julien | As long as I don't get locked out :D | 03:38:03 |
Julien | Yes, I will try that. Permissive, reboot, cross fingers | 03:38:20 |
Julien | https://wiki.gentoo.org/wiki/SELinux/Installation | 03:41:48 |
Julien | actually, there is much more I have to do | 03:41:52 |
Julien | I shouldn't have followed the other page info. | 03:42:02 |
Julien | Didn't do it in the right order. Nothing broke though. | 03:42:14 |
inference | Trying to get a concept noted here. | 03:42:26 |
inference | How large does dm-verity need to be? | 03:42:34 |
inference | And how to partition? | 03:42:43 |
inference | I'm thinking:
/boot < RO
/ < RO
/home (or /user) < RW
/system (or /packages) < RW
| 03:43:46 |