mrl5
Reputation Activity

  1. Great Post
    mrl5 reacted to drobbins in SELinux packages updated in 1.4 -- and SELinux-next development
    Hey All,
    I've gone ahead and updated Funtoo Linux 1.4 to contain the latest implementation of SELinux from Gentoo. SELinux is working well under Funtoo now. To use it, see the SELinux page on the Funtoo wiki. Also reference the https://wiki.gentoo.org/wiki/SELinux/Installation and https://wiki.gentoo.org/wiki/SELinux pages for documentation reference. These Gentoo wiki pages were originally put together by SwiFT and are excellent, and the SELinux team has kept them up-to-date (I must give credit where credit is due). We need to work on our modest SELinux wiki page here to improve it: https://www.funtoo.org/SELinux
    If you are new to SELinux, here are the basic steps. Enable the SELinux mix-in, emerge the SELinux tools as well as policies, rebuild world and etc-update, apply security labels to files, enable in kernel in "permissive mode" -- where it just logs things but doesn't "block" anything, and then start to play.
    In your /etc/boot.conf, you'll want to add "security=selinux enforcing=0" to your "params +=" line and re-run "ego boot update" to get the kernel booting properly. This is assuming you are using debian-sources or debian-sources-lts.
    Funtoo is also helping perfinion (find him in #gentoo-base on freenode) in Gentoo test the SELinux-next security policies. Here is how you can test them:
    1. Add the following to package.keywords: sec-policy/selinux-* **
    2. Then emerge @selinux-rebuild to reinstall all the 9999 policies (to be used with 2.9 userspace)
    3. Do a full relabel.
    4. Reboot.
    Then, you can run and start auditd which will generate logs of what SELinux activity is going on. After your initial reboot into the new SELinux, start auditd with empty logs, and keep it running as you go about your business. After a few days of using Funtoo as you normally would, these logs can be useful to the SELinux team to determine if the new policies are working as expected.
    Of particular interest is the use of elogind under SELinux. Once using the new SELinux-next policies, 'ps auxfZ | grep logind' should be in the systemd_logind_t domain.
    Thanks to perfinion and the SELinux team for moving SELinux forward! Let's help them.
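Two small checks for the test procedure described in the post above, as an added example that is not part of drobbins's post or of Funtoo's own tooling: one confirms the logind domain from `ps auxfZ` output, the other summarises the AVC denials that auditd collects so the log handed to the SELinux team can be eyeballed first. The `ps` and audit lines below are constructed samples; on a real system feed the functions the actual `ps auxfZ` output and /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not from the forum post or Funtoo's tooling. Each function reads stdin,
# so it can be fed the constructed samples below or real `ps auxfZ` / audit.log output.

# Print the domain (third field of the security context, column 1 of `ps auxfZ`)
# of the first process whose line mentions logind.
logind_domain() {
    awk '/logind/ { split($1, ctx, ":"); print ctx[3]; exit }'
}

# Succeed only when logind runs in the domain the post says to expect.
check_logind() {
    [ "$(logind_domain)" = "systemd_logind_t" ]
}

# Summarise AVC denials from an audit log: one line per
# (scontext, tcontext, tclass) triple, most frequent first.
avc_summary() {
    awk '/type=AVC/ && /denied/ {
             s = t = c = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^scontext=/) s = substr($i, 10)
                 if ($i ~ /^tcontext=/) t = substr($i, 10)
                 if ($i ~ /^tclass=/)   c = substr($i, 8)
             }
             n[s " " t " " c]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample data (not real system output).
SAMPLE_PS='LABEL                                 USER PID %CPU %MEM COMMAND
system_u:system_r:init_t:s0           root   1  0.0  0.1 /sbin/init
system_u:system_r:systemd_logind_t:s0 root 842  0.0  0.2  \_ /usr/libexec/elogind/elogind-daemon'

SAMPLE_AUDIT='type=AVC msg=audit(1562000000.101:40): avc:  denied  { read } for  pid=842 comm="elogind-daemon" name="machines" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1562000000.102:41): avc:  denied  { read } for  pid=842 comm="elogind-daemon" name="users" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1562000000.103:42): avc:  denied  { write } for  pid=842 comm="elogind-daemon" name="sessions" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1562000000.103:42): arch=c000003e syscall=257 success=yes exit=3'

printf '%s\n' "$SAMPLE_PS" | check_logind && echo "logind is in systemd_logind_t"
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

Because `permissive=1` is recorded in each AVC line, the summary also shows which denials would have been enforced had the kernel been booted with enforcing=1.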
  2. Great Post
    mrl5 reacted to drobbins in Funtoo Linux 1.4 Released!
    Please see the following for more info:
    Release Notes: https://www.funtoo.org/Release_Notes/1.4-release
    Upgrading from 1.3: https://www.funtoo.org/Upgrade_Instructions/1.4-release
    Download and Install: https://www.funtoo.org/Install/Introduction
  3. Great Post
    mrl5 reacted to nrc in feedback (for devs)
    Thanks. I hadn't realized that "PasswordAuthentication" doesn't affect PAM authentication. I've always secured my machines by only allowing ssh access to accounts that I specifically configure.
    It's @drobbins' call but I still think it's a bad idea to configure ssh by default on machines where novice users may believe that their physical console is the only vector for someone to attack their trivial password. There definitely should be some documentation in the install procedure for locking that down.
  4. Great Post
    mrl5 reacted to nrc in feedback (for devs)
    @drobbins nixed the sshd suggestion in FL-6294, but I looked at the latest baselayout and it looks like the default configuration has PasswordAuthentication set to "no" which should minimize any risk.
    I still think it's better not to have this running if it's not needed or specifically wanted. My build process always includes setting the openssh configuration according to my standards but there's some risk there for the unaware if openssh is compromised.
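A read-only audit of an sshd_config for the interaction nrc raises in the two posts above, added here as an example and not taken from the thread or from Funtoo's baselayout: sshd uses the first value it finds for each directive, and with UsePAM yes and keyboard-interactive authentication left enabled a password can still be accepted through PAM even when PasswordAuthentication is "no". The two configs are constructed; the function assumes plain "Keyword value" lines (no "=" form) and no Match blocks.

```shell
#!/bin/sh
# Added example, not from the forum thread or Funtoo's baselayout.
# Assumptions: "Keyword value" lines only, no Match blocks, no "Keyword=value" form.

# Effective value of directive $1 (lowercased), or default $2 if unset. Config on stdin.
# sshd honours the first occurrence of a directive, so awk stops at the first match.
sshd_directive() {
    val=$(awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }')
    printf '%s\n' "${val:-$2}"
}

# Print which password-bearing authentication paths the config leaves open,
# comma-separated, or "none". Config on stdin.
password_paths() {
    cfg=$(cat)
    pa=$(printf '%s\n' "$cfg" | sshd_directive PasswordAuthentication yes)
    pam=$(printf '%s\n' "$cfg" | sshd_directive UsePAM no)   # upstream default is no
    # KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication
    # is its older alias. Both default to yes when absent.
    kbd=$(printf '%s\n' "$cfg" | sshd_directive KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(printf '%s\n' "$cfg" | sshd_directive ChallengeResponseAuthentication yes)
    paths=""
    [ "$pa" = yes ] && paths="password"
    [ "$pam" = yes ] && [ "$kbd" = yes ] && paths="${paths}${paths:+,}keyboard-interactive(PAM)"
    printf '%s\n' "${paths:-none}"
}

# Constructed sample configs (not Funtoo's shipped defaults).
LOOKS_SAFE='PasswordAuthentication no
UsePAM yes
# ChallengeResponseAuthentication left at its default'
HARDENED='PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes'

printf 'looks safe: %s\n' "$(printf '%s\n' "$LOOKS_SAFE" | password_paths)"   # keyboard-interactive(PAM)
printf 'hardened:   %s\n' "$(printf '%s\n' "$HARDENED" | password_paths)"     # none
```

Run it against the live file with `password_paths < /etc/ssh/sshd_config`; "none" means only key-based (or other non-password) methods remain.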
  5. Great Post
    mrl5 reacted to savasten in feedback (for devs)
    Sorry for the questions?
    sshd running by default - did you file a bug report?
    Have you all checked out the youtube videos on contributing?
    Let's fix these things. We are Funtoo; @drobbins, @Oleg Vinichenko and other regulars are the directors. If it is broken, fix it.
  6. Great Post
    mrl5 got a reaction from s4uliu5 in feedback (for devs)
    So I had to update my desktop system from version 1.2 to 1.3 and I've chosen to do a fresh install from the stage3 (stage3-core2_64-1.3-release-std-2019-02-05). But... during the process I've noticed some (at least for me) ugly things that I would like to inform developers about:
    TL;DR:
      • metalog is NOT added to any runlevel by default. I think it should be added to the default/boot runlevel by default.
      • sshd IS added to the default runlevel by default. I think it's bad - this should be disabled by default.
    ... if you want to read further, please be advised that I'll be grumpy from now on:
      • I've noticed that version 1.3 is out because there were no updates for a while
        • yep, it was announced, but I'm checking neither funtoo.org nor forums.funtoo.org on a regular basis - what happened with good old eselect news?
      • I cannot find any information on when the support for version 1.2 ends
        • an LTS schedule could help with planning the upgrade ... (please consider sth like this: https://nodejs.org/en/about/releases/ )
        • and yeah, performing a fresh install is time consuming, at least for a desktop machine - so it would be cool to be aware early that end of support for 1.2 is coming and that it's recommended to do a fresh install
      • I think that the funtoo.org web page should be rearranged. Here is what I mean:
        • there are a lot of useful articles there but often they are hidden and I can find them only via google
        • there should be a section where you can see all of the articles
        • examples: https://www.funtoo.org/Security https://www.funtoo.org/Installing_a_Logger
      • forums.funtoo.org
        • I was not able to write this post using vanilla firefox-bin-65.0 (w/o any addons), I had to do it using google-chrome ... wow, you've come that far
    Now I'll be sentimental:
      • Gentoo was my first distro back in the early 2000s
      • When Daniel started Funtoo, for me it was something cool, something fresh
      • I have a feeling that now the Funtoo Project is going in some weird direction (from an end user perspective) that is different from what I was used to back in the day.
      • People on the #funtoo IRC channel used to be more responsive
    I wrote this post in good faith. I like Funtoo but I'm close to the point where I will switch to another distro ... TBH it strongly depends on how long and how smooth the process of building the rest of the desktop environment will be. Ofc everyone has his own point of view but I really wanted to give you some feedback. If I somehow missed something and somebody disagrees - I look forward to hearing your point of view.