* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-02-15 4:40 Francisco Blas Izquierdo Riera
0 siblings, 0 replies; 23+ messages in thread
From: Francisco Blas Izquierdo Riera @ 2011-02-15 4:40 UTC (permalink / raw)
To: gentoo-commits
commit: bae8227fa4d2ad4a423c35a51bb9b346e267d933
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Tue Feb 15 04:39:02 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Tue Feb 15 04:39:02 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=bae8227f
Updating the preview
---
html/roadmap.html | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/html/roadmap.html b/html/roadmap.html
index 5925cf0..e2d38b8 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -69,6 +69,11 @@ Finally we are working on keeping the hardened kernel sources up to date.
</li>
</ul>
<p><b>SELinux</b></p>
+<p>
+Currently the project supports x86 and AMD64 so support for other architectures
+has to be handled by upstream except when the issues can also be reproduced in
+any of those architectures. Aside work is being done in the following areas:
+</p>
<ul>
<li>
Strengthen and extend current policies.
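Review bot: the last sentence of the new paragraph is ungrammatical: "Aside work is being done in the following areas:" should read "Besides this, work is being done in the following areas:" (or "Aside from that, ..."). The first sentence would also read better as "so support for other architectures has to be handled upstream, except when the issue can also be reproduced on one of those architectures".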
@@ -82,6 +87,9 @@ Policy module support.
<li>
Additional Daemon Policies.
</li>
+<li>
+Updated documentation.
+</li>
</ul>
<p><b>RSBAC</b></p>
<p>
@@ -335,6 +343,11 @@ run.
<td class="tableinfo">pebenito</td>
<td class="tableinfo">In Progress</td>
</tr>
+ <tr>
+ <td class="tableinfo">Updated documentation</td>
+<td class="tableinfo">SwifT</td>
+ <td class="tableinfo">In Progress</td>
+ </tr>
</table>
<p class="secthead"><a name="doc_chap4_sect6">RSBAC</a></p>
<table class="ntable">
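Review bot: style: the middle cell of the new row, `<td class="tableinfo">SwifT</td>`, is missing the leading space that the other two added cells and the existing rows above carry; indent it to match the rest of the table.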
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-02-18 7:07 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-02-18 7:07 UTC (permalink / raw)
To: gentoo-commits
commit: c71be11c35126736c4d03849fc5a4435fddeb395
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Fri Feb 18 07:05:13 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Fri Feb 18 07:05:13 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c71be11c
Adding steps to make sure the hardened compiler is enabled (bug #355383) (Updating preview)
---
html/hardenedfaq.html | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/html/hardenedfaq.html b/html/hardenedfaq.html
index 1128be5..3ecd556 100644
--- a/html/hardenedfaq.html
+++ b/html/hardenedfaq.html
@@ -261,6 +261,16 @@ toolchain so that you have a consistent base:
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Switch to hardened toolchain</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">emerge --oneshot binutils gcc virtual/libc</span>
+<span class="code-comment">Make sure the hardened toolchain is being used (gcc version may vary):</span>
+# gcc-config -l
+ [1] x86_64-pc-linux-gnu-4.4.4 *
+ [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
+ [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
+ [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp
+ [5] x86_64-pc-linux-gnu-4.4.4-vanilla
+<span class="code-comment">If the hardened version isn't chosen select it</span>
+# gcc-config x86_64-pc-linux-gnu-4.4.4
+<span class="code-comment">Keep emerging the system</span>
# <span class="code-input">emerge -e --keep-going system</span>
# <span class="code-input">emerge -e --keep-going world</span>
</pre></td></tr>
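Review bot: the two new commands, `# gcc-config -l` and `# gcc-config x86_64-pc-linux-gnu-4.4.4`, are not wrapped in `<span class="code-input">` like the surrounding `emerge` lines, so they will render differently from the rest of Code Listing 2.3. The sample output also deserves a sentence saying which entry is the hardened one: the plain `x86_64-pc-linux-gnu-4.4.4` profile is hardened, while the `-vanilla` and `-hardenedno*` entries are not, and the trailing `*` marks the currently active profile. Finally, a `gcc-config` switch is only picked up by the current shell after the environment is reloaded; the listing goes straight into `emerge -e`, so a `source /etc/profile` step (or a fresh login shell) should precede it, otherwise the rebuild may still run with the previously selected compiler.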
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-02-18 16:11 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-02-18 16:11 UTC (permalink / raw)
To: gentoo-commits
commit: 60b6883f310a6177dc293222ac9ad9bb02358dfc
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Fri Feb 18 16:11:26 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Fri Feb 18 16:11:26 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=60b6883f
Update preview
---
html/hardenedfaq.html | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/html/hardenedfaq.html b/html/hardenedfaq.html
index 381fafc..1d6bbea 100644
--- a/html/hardenedfaq.html
+++ b/html/hardenedfaq.html
@@ -150,6 +150,8 @@ You can use <span class="code" dir="ltr">gcc-config</span> to accomplish this:
# <span class="code-input">gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopiessp</span>
<span class="code-comment">To turn off all hardened building switch to the vanilla profile:</span>
# <span class="code-input">gcc-config x86_64-pc-linux-gnu-4.4.4-vanilla</span>
+<span class="code-comment">You need to run this on the active sessions to set the changes</span>
+# <span class="code-input">source /etc/profile</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
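Review bot: grammar in the new code-comment: "You need to run this on the active sessions to set the changes" should read "You need to run this in every active session for the change to take effect". It is also worth stating that shells which have not sourced the file (and were started before the switch) keep using the previously selected compiler profile.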
@@ -270,6 +272,7 @@ toolchain so that you have a consistent base:
[5] x86_64-pc-linux-gnu-4.4.4-vanilla
<span class="code-comment">If the hardened version isn't chosen select it</span>
# <span class="code-input">gcc-config x86_64-pc-linux-gnu-4.4.4</span>
+# <span class="code-input">source /etc/profile</span>
<span class="code-comment">Keep emerging the system</span>
# <span class="code-input">emerge -e --keep-going system</span>
# <span class="code-input">emerge -e --keep-going world</span>
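Review bot: the `source /etc/profile` line is added here without the explanatory code-comment that the first hunk adds for the same command; reuse that comment (or a shorter "Reload the environment so the new compiler is used") so readers of Code Listing 2.3 understand that the step is required before the `emerge -e` runs that follow.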
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-02-19 0:14 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-02-19 0:14 UTC (permalink / raw)
To: gentoo-commits
commit: 75a0c8a9aec3a8def07aff1a5774c6348e5133f3
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 00:14:06 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 00:14:06 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=75a0c8a9
Small typo noticed by nimiux, thanks :D (Update preview)
---
html/hardenedfaq.html | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/html/hardenedfaq.html b/html/hardenedfaq.html
index 1d6bbea..16e14a8 100644
--- a/html/hardenedfaq.html
+++ b/html/hardenedfaq.html
@@ -72,7 +72,7 @@ why?</a></li>
<li><a href="#grsecinformation">Where is the homepage for Grsecurity?</a></li>
<li><a href="#grsecgentoodoc">What Gentoo documentation exists about Grsecurity?</a></li>
<li><a href="#grsectpe">How does TPE work?</a></li>
-<li><a href="#grsecnew">Can I use Grsecurity with a recent kernel not on the portage tree
+<li><a href="#grsecnew">Can I use Grsecurity with a recent kernel not on the Gentoo main tree?
</a></li>
</ul>
<p class="secthead">SELinux Questions</p>
@@ -520,7 +520,7 @@ quickstart guide</a>.
We have written a <a href="proj/en/hardened/grsec-tpe.xml">document with some
information on how TPE works in the different settings</a>.
</p>
-<p class="secthead"><a name="grsecnew"></a><a name="doc_chap4_sect4">Can I use Grsecurity with a recent kernel not on the portage tree
+<p class="secthead"><a name="grsecnew"></a><a name="doc_chap4_sect4">Can I use Grsecurity with a recent kernel not on the Gentoo main tree?
</a></p>
<p>
Usually we release a new version of hardened sources not long after a new
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-02-19 3:29 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-02-19 3:29 UTC (permalink / raw)
To: gentoo-commits
commit: ddaf439d7d1ce086cca7c10e55f9c8fb4baa3813
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 03:29:26 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 03:29:26 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ddaf439d
Previews...
---
html/index.html | 43 ++++++++++++++++++++++++++++++++++++-------
1 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/html/index.html b/html/index.html
index 59fa8cf..a8993ba 100644
--- a/html/index.html
+++ b/html/index.html
@@ -23,10 +23,11 @@
<select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Project Description</option>
<option value="#doc_chap2">2. Project Goals</option>
<option value="#doc_chap3">3. Developers</option>
-<option value="#doc_chap4">4. Subprojects</option>
-<option value="#doc_chap5">5. Resources</option>
-<option value="#doc_chap6">6. Herds</option>
-<option value="#doc_chap7">7. I Want to Participate</option></select>
+<option value="#doc_chap4">4. Contributors</option>
+<option value="#doc_chap5">5. Subprojects</option>
+<option value="#doc_chap6">6. Resources</option>
+<option value="#doc_chap7">7. Herds</option>
+<option value="#doc_chap8">8. I Want to Participate</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Project Description</p>
@@ -99,6 +100,34 @@ Gentoo once they've been tested for security and stability by the Hardened team.
All developers can be reached by e-mail using <span class="code" dir="ltr">nickname@gentoo.org</span>.
</p>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Contributors</p>
+<p>
+The following people although non-developer is actively contributing with the
+project:
+</p>
+<table class="ntable">
+<tr>
+<td class="infohead"><b>Contributor</b></td>
+<td class="infohead"><b>Nickname</b></td>
+<td class="infohead"><b>Role</b></td>
+</tr>
+<tr>
+<td class="tableinfo">Francisco Blas Izquierdo Riera</td>
+<td class="tableinfo">klondike</td>
+<td class="tableinfo">Documentation writing, support</td>
+</tr>
+<tr>
+<td class="tableinfo">Chris Richards</td>
+<td class="tableinfo">gizmo</td>
+<td class="tableinfo">Policy development, support (SELinux)</td>
+</tr>
+<tr>
+<td class="tableinfo">Sven Vermeulen</td>
+<td class="tableinfo">SwifT</td>
+<td class="tableinfo">Documentation writing, support (SELinux)</td>
+</tr>
+</table>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
</span>Subprojects</p>
<p>The hardened
project has the following subprojects:
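Review bot: the introductory sentence of the new Contributors chapter has agreement and preposition errors: "The following people although non-developer is actively contributing with the project:" should read "The following people, although not Gentoo developers, are actively contributing to the project:". Also, the context line above ("All developers can be reached by e-mail using nickname@gentoo.org") applies to developers only; since this table lists non-developers with a Nickname column, a reader may assume the same address form works for them, so either state how contributors can be reached or make clear that the @gentoo.org rule does not apply to this table.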
@@ -154,7 +183,7 @@ Hardened Gentoo subprojects.
</td>
</tr>
</table>
-<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
</span>Resources</p>
<p>Resources offered by the
hardened
@@ -245,7 +274,7 @@ GNU Stack Quickstart
</ul>
</li>
</ul>
-<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
</span>Herds</p>
<p>The hardened
project maintains the following herds:
@@ -262,7 +291,7 @@ GNU Stack Quickstart
<td class="tableinfo">Hardened Gentoo project packages and policy</td>
</tr>
</table>
-<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
</span>I Want to Participate</p>
<p>
To participate in the Hardened Gentoo project first join the mailing list at
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-02-19 17:01 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-02-19 17:01 UTC (permalink / raw)
To: gentoo-commits
commit: 07cf5cd4ee82ee802103ec48c09efd988bc00a15
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 17:00:53 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 17:00:53 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=07cf5cd4
Updating previews (and pushing dates and versions)
---
html/hardenedfaq.html | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/html/hardenedfaq.html b/html/hardenedfaq.html
index 16e14a8..e9e3c13 100644
--- a/html/hardenedfaq.html
+++ b/html/hardenedfaq.html
@@ -539,7 +539,7 @@ SELinux specific FAQ</a>.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="hardenedfaq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated 2011-1-19</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 2011-2-19</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
the gentoo-hardened mailing list.
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-02-21 21:55 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-21 21:55 UTC (permalink / raw)
To: gentoo-commits
commit: 4543642c7b2f7aa8026ac9c864b152743bb62993
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Feb 21 21:55:06 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb 21 21:55:06 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4543642c
update preview
---
html/selinux-policy.html | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/html/selinux-policy.html b/html/selinux-policy.html
index de3c47d..b5e715c 100644
--- a/html/selinux-policy.html
+++ b/html/selinux-policy.html
@@ -25,7 +25,8 @@
<b>Content</b>:
<select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Principles</option>
<option value="#doc_chap2">2. SELinux Domains</option>
-<option value="#doc_chap3">3. SELinux Roles</option></select>
+<option value="#doc_chap3">3. SELinux Roles</option>
+<option value="#doc_chap4">4. SELinux Packages</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Principles</p>
@@ -185,6 +186,14 @@ SELinux systems, it is hard for a generic policy to create new roles that fit
the needs of most. We assume that, if there are such roles, then they are
managed and maintained by the reference policy.
</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>SELinux Packages</p>
+<p class="secthead"><a name="doc_chap4_sect1">Name SELinux Policy Packages After Their Module</a></p>
+<p>
+SELinux policy packages should be called after the module they implement (and
+not the Gentoo package for which the policy would be implemented). The name
+should use the <span class="path" dir="ltr">sec-policy/selinux-<modname></span> syntax.
+</p>
<br><p class="copyright">
The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
Attribution / Share Alike</a> license.
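Review bot: `<span class="path" dir="ltr">sec-policy/selinux-<modname></span>` contains a raw `<modname>`, which the browser parses as an unknown HTML tag, so the placeholder vanishes from the rendered page and the reader sees `sec-policy/selinux-`. Escape it as `&lt;modname&gt;` (the GuideXML source most likely needs the same escaping). Minor wording: "should be called after the module they implement" reads better as "should be named after the module they implement".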
@@ -205,7 +214,7 @@ managed and maintained by the reference policy.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-policy.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated January 21, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated February 21, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Developing a set of security rules is or should always be done with a common set
of principles and rules in mind. This document explains the policy used by
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-03-09 18:14 Sven Vermeulen
From: Sven Vermeulen @ 2011-03-09 18:14 UTC (permalink / raw)
To: gentoo-commits
commit: ad4fc99fe01266f83003e97bd271577dc118ef64
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 9 18:14:33 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 9 18:14:33 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ad4fc99f
updating preview
---
html/selinux-faq.html | 261 +++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 261 insertions(+), 0 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
new file mode 100644
index 0000000..291467a
--- /dev/null
+++ b/html/selinux-faq.html
@@ -0,0 +1,261 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo Hardened SELinux Frequently Asked Questions</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo Hardened SELinux Frequently Asked Questions</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Questions</option>
+<option value="#doc_chap2">2. General SELinux Support Questions</option>
+<option value="#doc_chap3">3. Using SELinux</option>
+<option value="#doc_chap4">4. SELinux Kernel Error Messages</option>
+<option value="#doc_chap5">5. SELinux and Gentoo</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Questions</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+Using SELinux requires administrators a more thorough knowledge of their
+system and a good idea on how processes should behave. Next to the <a href="selinux/selinux-handbook.html">Gentoo Hardened SELinux
+handbook</a>, a proper FAQ allows us to inform and help users in their
+day-to-day SELinux experience.
+</p>
+<p>
+The FAQ is an aggregation of solutions found on IRC, mailinglists, forums
+and elsewhere. It focuses on SELinux integration on Gentoo Hardened, but
+general SELinux questions that are popping up regularly will be incorporated
+as well.
+</p>
+<p class="secthead">General SELinux Support Questions</p>
+<ul>
+<li><a href="#features">Does SELinux enforce resource limits?</a></li>
+<li><a href="#grsecurity">Can I use SELinux with grsecurity (and PaX)?</a></li>
+<li><a href="#pie-ssp">Can I use SELinux and the hardened compiler (with PIE-SSP)?</a></li>
+<li><a href="#rsbac">Can I use SELinux and RSBAC?</a></li>
+<li><a href="#filesystem">Can I use SELinux with any file system?</a></li>
+<li><a href="#nomultilib">Can I use SELinux with AMD64 no-multilib?</a></li>
+</ul>
+<p class="secthead">Using SELinux</p>
+<ul>
+<li><a href="#enable_selinux">How do I enable SELinux?</a></li>
+<li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li>
+<li><a href="#disable_selinux">How do I disable SELinux completely?</a></li>
+</ul>
+<p class="secthead">SELinux Kernel Error Messages</p>
+<ul><li><a href="#register_security">I get a register_security error message when booting</a></li></ul>
+<p class="secthead">SELinux and Gentoo</p>
+<ul>
+<li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li>
+<li><a href="#loadpolicy">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></li>
+</ul>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>General SELinux Support Questions</p>
+<p class="secthead"><a name="features"></a><a name="doc_chap2_sect1">Does SELinux enforce resource limits?</a></p>
+<p>
+No, resource limits are outside the scope of an access control system. If you
+are looking for this type of support, take a look at technologies like
+grsecurity, cgroups, pam and the like.
+</p>
+<p class="secthead"><a name="grsecurity"></a><a name="doc_chap2_sect2">Can I use SELinux with grsecurity (and PaX)?</a></p>
+<p>
+Definitely, we even recommend it. However, it is suggested that grsecurity's
+ACL support is not used as it would be redundant to SELinux's access control.
+</p>
+<p class="secthead"><a name="pie-ssp"></a><a name="doc_chap2_sect3">Can I use SELinux and the hardened compiler (with PIE-SSP)?</a></p>
+<p>
+Definitely. We also suggest to use PaX to take full advantage of the PIE
+features of the compiler.
+</p>
+<p class="secthead"><a name="rsbac"></a><a name="doc_chap2_sect4">Can I use SELinux and RSBAC?</a></p>
+<p>
+We don't know. If you try this combination, we would be very interested
+in its results.
+</p>
+<p class="secthead"><a name="filesystem"></a><a name="doc_chap2_sect5">Can I use SELinux with any file system?</a></p>
+<p>
+SELinux requires access to a file's security context to operate properly.
+To do so, SELinux uses <span class="emphasis">extended file attributes</span> which needs to be
+properly supported by the underlying file system. If the file system supports
+extended file attributes and you have configured your kernel to enable this
+support, then SELinux will work on those file systems.
+</p>
+<p>
+General Linux file systems, such as ext2, ext3, ext4, jfs, xfs and btrfs
+support extended attributes (but don't forget to enable it in the kernel
+configuration) as well as tmpfs (for instance used by udev). If your file
+system collection is limited to this set, then you should have no issues.
+</p>
+<p>
+Ancillary file systems such as vfat and iso9660 are supported too, but with
+an important caveat: all files in each file system will have the same SELinux
+security context information since these file systems do not support extended
+file attributes.
+</p>
+<p>
+Network file systems can be supported in the same manner as ancillary file
+systems (all files share the same security context). However, some development
+has been made in supported extended file attributes on the more popular file
+systems such as NFS. Although this is far from production-ready, it does look
+like we will eventually support these file systems on SELinux fully as well.
+</p>
+<p class="secthead"><a name="nomultilib"></a><a name="doc_chap2_sect6">Can I use SELinux with AMD64 no-multilib?</a></p>
+<p>
+No. The SELinux profiles inherit from the base amd64 profiles, requiring
+multilib support. Early tests trying to enable SELinux on a no-multilib
+profile show that it will not be supported without additional development
+effort being required.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Using SELinux</p>
+<p class="secthead"><a name="enable_selinux"></a><a name="doc_chap3_sect1">How do I enable SELinux?</a></p>
+<p>
+This is explained in the <a href="selinux/selinux-handbook.html">SELinux Handbook</a>
+in the chapter on <span class="emphasis">Using Gentoo/Hardened SELinux</span>.
+</p>
+<p class="secthead"><a name="switch_status"></a><a name="doc_chap3_sect2">How do I switch between permissive and enforcing?</a></p>
+<p>
+The easiest way is to use the <span class="code" dir="ltr">setenforce</span> command. With <span class="code" dir="ltr">setenforce
+0</span> you tell SELinux to run in permissive mode. Similarly, with
+<span class="code" dir="ltr">setenforce 1</span> you tell SELinux to run in enforcing mode.
+</p>
+<p>
+You can also add a kernel option <span class="code" dir="ltr">enforcing=0</span> or <span class="code" dir="ltr">enforcing=1</span>
+in the bootloader configuration (or during the startup routine of the system).
+This allows you to run SELinux in permissive or enforcing mode from the start
+of the system.
+</p>
+<p>
+The default state of the system is kept in <span class="path" dir="ltr">/etc/selinux/config</span>.
+</p>
+<p class="secthead"><a name="disable_selinux"></a><a name="doc_chap3_sect3">How do I disable SELinux completely?</a></p>
+<p>
+It might be possible that running SELinux in permissive mode is not sufficient
+to properly fix any issue you have. To disable SELinux completely, you need to
+edit <span class="path" dir="ltr">/etc/selinux/config</span> and set <span class="code" dir="ltr">SELINUX=disabled</span>. Next,
+reboot your system.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
+When you have been running your system with SELinux disabled, you must boot
+in permissive mode first and relabel your entire file system. Activities ran
+while SELinux was disabled might have created new files or removed the labels
+from existing files, causing these files to be available with no security
+context.
+</p></td></tr></table>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>SELinux Kernel Error Messages</p>
+<p class="secthead"><a name="register_security"></a><a name="doc_chap4_sect1">I get a register_security error message when booting</a></p>
+<p>
+During boot-up, the following message pops up:
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Kernel message on register_security</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+There is already a security framework initialized, register_security failed.
+Failure registering capabilities with the kernel
+selinux_register_security: Registering secondary module capability
+Capability LSM initialized
+</pre></td></tr>
+</table>
+<p>
+This is nothing to worry about (and perfectly normal).
+</p>
+<p>
+This means that the Capability LSM module couldn't register as the primary
+module, since SELinux is the primary module. The third message means that it
+registers with SELinux as a secondary module.
+</p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+ </span>SELinux and Gentoo</p>
+<p class="secthead"><a name="no_module"></a><a name="doc_chap5_sect1">I get a missing SELinux module error when using emerge</a></p>
+<p>
+When trying to use <span class="code" dir="ltr">emerge</span>, the following error message is displayed:
+</p>
+<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Error message from emerge on the SELinux module</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+!!! SELinux module not found. Please verify that it was installed.
+</pre></td></tr>
+</table>
+<p>
+This indicates that the portage SELinux module is missing or damaged. Recent
+Portage versions provide this module out-of-the-box, but the security contexts
+of the necessary files might be wrong on your system. Try relabelling the files
+of the portage package:
+</p>
+<a name="doc_chap5_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.2: Relabel all portage files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">rlpkg portage</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="loadpolicy"></a><a name="doc_chap5_sect2">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></p>
+<p>
+When running emerge, the following error is shown:
+</p>
+<a name="doc_chap5_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.3: Emerge error on loadpolicy</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+FEATURES variable contains unknown value(s): loadpolicy
+</pre></td></tr>
+</table>
+<p>
+This is a remnant of the older SELinux policy module set where policy packages
+might require this FEATURE to be available. Although the more recent packages
+do not support this FEATURE value anymore, these are still in the ~arch phase
+so the current SELinux profile still offers this value. Portage however already
+knows that this FEATURE is not supported anymore and complains.
+</p>
+<p>
+We recommend you to use the ~arch versions of all packages in the sec-policy
+category, and set <span class="code" dir="ltr">FEATURES="-loadpolicy"</span> to disable this (cosmetic)
+error.
+</p>
+<p>
+Once the newer policy modules are stabilized, the SELinux profile will be updated
+to remove this setting.
+</p>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated March 19, 2011</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+Frequently Asked Questions on SELinux integration with Gentoo Hardened.
+The FAQ is a collection of solutions found on IRC, mailinglist, forums or
+elsewhere
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:pebenito@gentoo.org" class="altlink"><b>Chris PeBenito</b></a>
+<br><i>Author</i><br><br>
+ <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
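Review bot: the workaround paragraph presents FEATURES="-loadpolicy" as merely silencing a cosmetic error, but disabling the loadpolicy feature also stops Portage from loading freshly built policy modules after a merge, so the text should tell the reader that, with the setting disabled, the modules have to be loaded by hand (semodule) until the profile drops the setting again. Minor: the Summary text in the sidebar ("... forums or elsewhere") ends without a period.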
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-03-26 23:49 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-03-26 23:49 UTC (permalink / raw
To: gentoo-commits
commit: 90b33de5c0a094654b8bcc8d38a862466ffd5516
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Mar 26 23:49:08 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Mar 26 23:49:08 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=90b33de5
Redoing previews
---
html/grsec-tpe.html | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/html/grsec-tpe.html b/html/grsec-tpe.html
index 08c7a59..d0fb84b 100644
--- a/html/grsec-tpe.html
+++ b/html/grsec-tpe.html
@@ -151,15 +151,15 @@ world writable (and nothing more).
To make things even clearer we have executed a small test suite on each of the
possible setups.
</p>
-<p class="secthead"><a name="doc_chap1_sect1">The test suite</a></p>
+<p class="secthead"><a name="doc_chap3_sect2">The test suite</a></p>
<p>
The test suite consist of a series of directories with different names each with
different permissions and ownership. These directories have exactly the same
contents: a set of files again with different permissions and ownership each.
The files are just a simple bash script printing OK.
</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example directory structure</p></td></tr>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Example directory structure</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
.:
total 48
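Review bot: the renumbering is needed because the old file reused name="doc_chap1_sect1" for both this section and "Example Results" (see the next hunk), which made in-page links to the anchor ambiguous; the new doc_chap3_sect2 / doc_chap3_sect3 pair fixes that. While this paragraph is being touched, the context line "The test suite consist of a series of directories" should read "consists of", and "each with different permissions and ownership each" repeats "each".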
@@ -362,7 +362,7 @@ For commodity this files and a small testrunning script <span class="code" dir="
provided in a <a href="grsec-tpedemo.tbz">compressed tar.bz2
archive</a>. Remember to keep the permissions when extracting it.
</p></td></tr></table>
-<p class="secthead"><a name="doc_chap1_sect1">Example Results</a></p>
+<p class="secthead"><a name="doc_chap3_sect3">Example Results</a></p>
<p>
Below are the results for each execution attempt on each of the presented
setups. user1 is in the group set by the GID, while user2 isn't. A YES means the
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-03-27 0:55 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-03-27 0:55 UTC (permalink / raw
To: gentoo-commits
commit: 609b6e97f22a74f23de82e34a4fe5a8af3c73999
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sun Mar 27 00:55:42 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sun Mar 27 00:55:42 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=609b6e97
Redoing previews
---
html/hardenedfaq.html | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/html/hardenedfaq.html b/html/hardenedfaq.html
index e9e3c13..af801c7 100644
--- a/html/hardenedfaq.html
+++ b/html/hardenedfaq.html
@@ -517,7 +517,7 @@ quickstart guide</a>.
</p>
<p class="secthead"><a name="grsectpe"></a><a name="doc_chap4_sect3">How does TPE work?</a></p>
<p>
-We have written a <a href="proj/en/hardened/grsec-tpe.xml">document with some
+We have written a <a href="grsec-tpe.html">document with some
information on how TPE works in the different settings</a>.
</p>
<p class="secthead"><a name="grsecnew"></a><a name="doc_chap4_sect4">Can I use Grsecurity with a recent kernel not on the Gentoo main tree?
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-03-27 1:00 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-03-27 1:00 UTC (permalink / raw
To: gentoo-commits
commit: 0086a54e8247c6b1deaff0f3d70aa0bc20d6c31c
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sun Mar 27 01:01:00 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sun Mar 27 01:01:00 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=0086a54e
Updating previews
---
html/grsec-tpe.html | 4 ++--
html/{grsec-tpedemo.tbz => grsec-tpedemo.tar.bz2} | Bin 1317 -> 1317 bytes
html/index2.html | 6 ++++++
3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/html/grsec-tpe.html b/html/grsec-tpe.html
index d0fb84b..b1925a6 100644
--- a/html/grsec-tpe.html
+++ b/html/grsec-tpe.html
@@ -359,8 +359,8 @@ total 48
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
For commodity this files and a small testrunning script <span class="code" dir="ltr">trytpe</span> are
-provided in a <a href="grsec-tpedemo.tbz">compressed tar.bz2
-archive</a>. Remember to keep the permissions when extracting it.
+provided in a <a href="grsec-tpedemo.tar.bz2">compressed
+tar.bz2 archive</a>. Remember to keep the permissions when extracting it.
</p></td></tr></table>
<p class="secthead"><a name="doc_chap3_sect3">Example Results</a></p>
<p>
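Review bot: the sentence being edited still reads "For commodity this files and a small testrunning script"; since this hunk rewrites the link text anyway, it should become "For convenience, these files and a small test-running script trytpe are provided in a compressed tar.bz2 archive". Renaming the archive from .tbz to .tar.bz2 is sensible (servers and browsers that key the content type on the extension handle it better), but check that no other page still links to grsec-tpedemo.tbz.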
diff --git a/html/grsec-tpedemo.tbz b/html/grsec-tpedemo.tar.bz2
similarity index 100%
rename from html/grsec-tpedemo.tbz
rename to html/grsec-tpedemo.tar.bz2
diff --git a/html/index2.html b/html/index2.html
index 62a72d1..5d0955e 100644
--- a/html/index2.html
+++ b/html/index2.html
@@ -97,6 +97,12 @@ Gentoo once they've been tested for security and stability by the Hardened team.
</tr>
<tr>
<td class="tableinfo"></td>
+ <td class="tableinfo">blueness
+</td>
+ <td class="tableinfo">Policy development, Proxy (non developer contributors)</td>
+ </tr>
+ <tr>
+ <td class="tableinfo"></td>
<td class="tableinfo">pebenito</td>
<td class="tableinfo">Lead ( Policy, x86, AMD64 )</td>
</tr>
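Review bot: the new "blueness" cell is split over two lines (the opening td on one line, the closing tag on the next) unlike the neighbouring cells; keep it on one line for consistency with the rest of the table. The role text "Proxy (non developer contributors)" would also read more clearly as "Proxy for non-developer contributors".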
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-04-23 11:35 Sven Vermeulen
From: Sven Vermeulen @ 2011-04-23 11:35 UTC (permalink / raw
To: gentoo-commits
commit: bdb128145f81f05f094fb220d4df1a1768458779
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Apr 23 11:32:27 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Apr 23 11:32:27 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=bdb12814
update previews
---
html/selinux-development.html | 654 ++++++++++++++++++++++++++++++++++++++---
1 files changed, 618 insertions(+), 36 deletions(-)
diff --git a/html/selinux-development.html b/html/selinux-development.html
index 72f7a56..9767824 100644
--- a/html/selinux-development.html
+++ b/html/selinux-development.html
@@ -97,6 +97,12 @@ highlights...
<span class="emphasis">interface file</span> which can then be called by other modules. This
includes the necessary permissions to allow domain transitions
</li>
+ <li>
+ SELinux uses attributes to make multiple domains manageable. Domains can
+ have certain permissions against all domains or types that are given a
+ particular attribute. Be aware of this when you start assigning attributes
+ to your own types or domains.
+ </li>
</ul>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
</span>Setting Up Your Environment</p>
@@ -209,14 +215,14 @@ one:
<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Setting up a local workspace</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">mkdir dev/local</span>
-~$ <span class="code-input">cp -r dev/hardened/strict dev/local/</span>
+~$ <span class="code-input">cd dev/hardened</span>
+~$ <span class="code-input">cp -r strict strict.local/</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap2_sect4">Navigating the policy workspace</a></p>
<p>
The main location you will work with is
-<span class="path" dir="ltr">dev/local/strict/policy/modules</span>. This location is subdivided in
+<span class="path" dir="ltr">dev/hardened/strict.local/policy/modules</span>. This location is subdivided in
categories:
</p>
<dl>
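Review bot: moving the working copy to dev/hardened/strict.local places it inside dev/hardened, which the surrounding text treats as the checked-out policy tree, so the copy will show up as untracked there and can slip into patches produced with git add -A or git diff; either mention that strict.local should be excluded (for example via .git/info/exclude) or keep the workspace outside the checkout as the previous text did. Also, "cp -r strict strict.local/" depends on cp creating the trailing-slash target directory; dropping the slash ("cp -r strict strict.local") avoids the ambiguity.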
@@ -244,7 +250,7 @@ Inside the categories, the modules are available using their three files
<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Listing the available sudo files</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/local/strict/policy/modules/admin</span>
+~$ <span class="code-input">cd dev/hardened/strict.local/policy/modules/admin</span>
~$ <span class="code-input">ls sudo.*</span>
sudo.fc sudo.if sudo.te
</pre></td></tr>
@@ -257,7 +263,7 @@ To build a module, go to the location where the module code is. Then, run
<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.6: Building the portage module</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/local/strict/policy/modules/admin</span>
+~$ <span class="code-input">cd dev/hardened/strict.local/policy/modules/admin</span>
~$ <span class="code-input">make -f ../../../support/Makefile.devel portage.pp</span>
</pre></td></tr>
</table>
@@ -272,7 +278,7 @@ If you want to build the base policy, run <span class="code" dir="ltr">make base
<a name="doc_chap2_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.7: Building the base policy</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/local/strict</span>
+~$ <span class="code-input">cd dev/hardened/strict.local</span>
~$ <span class="code-input">make base</span>
</pre></td></tr>
</table>
@@ -406,7 +412,9 @@ find the AVC denials you are looking for.
<p>
The next step is to see if we are dealing with the right security contexts. This
does require a bit of insight in how both the application (that is failing) and
-the policy relate to each other.
+the policy relate to each other. In essence, you want to make sure that the
+process is running in the right domain and is trying to work on the right target
+type.
</p>
<p>
Say you are having issues with SELinux (re)labeling and you notice the following
@@ -557,7 +565,7 @@ creating an additional domain or type can be beneficial.
<p>
A noticeable example is Portage' support for CVS/SVN/GIT ebuilds (the so-called
live ebuilds). These ebuilds get their repository and store it in the
-<span class="path" dir="ltr">distfiles/svn+src</span> location, which was by default labelled
+<span class="path" dir="ltr">distfiles/svn+src</span> location, which was by default labeled
<span class="path" dir="ltr">portage_ebuild_t</span> with only read-access for the
<span class="path" dir="ltr">portage_sandbox_t</span> domain. However, with those live ebuilds, the
<span class="path" dir="ltr">portage_sandbox_t</span> domain also needs write privileges to this
@@ -573,67 +581,641 @@ need to create the proper interface functions in the target domain and call
these functions from the source domain.
</p>
<p>
-TODO extend this explanation, use a common example, like mysql_stream_connect in
-postfix.
+Interface functions are the APIs that a module provides towards other SELinux
+modules when they need to interact with the domains. For instance, the
+<span class="path" dir="ltr">mysql</span> module provides, amongst other functions, the
+<span class="code" dir="ltr">mysql_stream_connect</span> interface:
+</p>
+<a name="doc_chap3_pre12"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.12: mysql_stream_connect interface</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+########################################
+## <summary>
+## Connect to MySQL using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_stream_connect',`
+ gen_require(`
+ type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ ')
+
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
+')
+</pre></td></tr>
+</table>
+<p>
+The interface declares that the domain passed on as its first (and only)
+argument gets the rights offered by <span class="code" dir="ltr">stream_connect_pattern</span>, which is a
+macro (defined in <span class="path" dir="ltr">policy/support/ipc_patterns.spt</span> that looks like
+so:
+</p>
+<a name="doc_chap3_pre13"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.13: stream_connect_pattern</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+define(`stream_connect_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file write_sock_file_perms;
+ allow $1 $4:unix_stream_socket connectto;
+')
+</pre></td></tr>
+</table>
+<p>
+Modules that need to interact with MySQL through a Unix domain stream socket
+(<span class="path" dir="ltr">/var/run/mysqld/mysqld.sock</span>) will need the proper permissions to
+work with the target type (<span class="path" dir="ltr">mysqld_var_run_t</span>). Modules cannot just
+set <span class="emphasis">allow</span> statements towards <span class="path" dir="ltr">mysqld_var_run_t</span> as they do not
+know this type. Instead, they call the <span class="code" dir="ltr">mysql_stream_connect</span> interface,
+like the <span class="path" dir="ltr">postfix.te</span> file does:
</p>
+<a name="doc_chap3_pre14"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.14: Postfix module calling mysql_stream_connect</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+optional_policy(`
+ mysql_stream_connect(postfix_master_t)
+ mysql_stream_connect(postfix_cleanup_t)
+ mysql_stream_connect(postfix_local_t)
+')
+</pre></td></tr>
+</table>
<p>
-TODO explain that changes in the interface require rebuilds and reinstallations
-of the base (package, not only .pp file, due to includes). tell that this is the
-reason why selinux-base-policy has that many revisions.
+If the change you need is adding existing interface calls to the module (in
+the <span class="path" dir="ltr">.te</span> file) then you should be able to test it easily by building
+the changed module and loading it. However, if you need to change the interface
+of your module itself (in the <span class="path" dir="ltr">.if</span> file) you will eventually need
+to rebuild the base policy and even provide and install a new
+<span class="path" dir="ltr">sec-policy/selinux-base-policy</span> package as the interfaces are placed
+in <span class="path" dir="ltr">/usr/share/selinux/strict/include</span>. This is one of the reasons
+why the <span class="path" dir="ltr">sec-policy/selinux-base-policy</span> package in Gentoo Hardened
+has a high revision number (and many updates).
</p>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
</span>No Domain Exists (Yet)</p>
<p class="secthead"><a name="doc_chap4_sect1">Reuse existing domains</a></p>
<p>
-TODO talk about potentially reusing domains (like apache module providing the
-various httpd_* domains which can be reused by lighttpd). Talk about assigning
-the proper labels to the files to see if that is sufficient.
+If you are facing problems because you run an application which has no domain
+itself (and hence is probably running in the <span class="path" dir="ltr">user_t</span>,
+<span class="path" dir="ltr">staff_t</span> or <span class="path" dir="ltr">sysadm_t</span> domains - or even tries to run in
+the <span class="path" dir="ltr">initrc_t</span> domain), you will need to create one. But before we do
+that, it might be possible that the application can work within the domain
+definition of a different application.
</p>
-<p class="secthead"><a name="doc_chap4_sect2">Copy from existing domains</a></p>
<p>
-TODO talk about finding a similar module (apps or service) and start from a
-(slimmed-down) domain. Not recommended as it might already open too much, but it
-is a good start, if not to just look at with every denial you get later. Keep it
-short, most information is in next section.
+One example here is lighttpd. This lightweight HTTPd service "uses" the
+definitions offered by the <span class="path" dir="ltr">apache</span> module. By marking its executable
+file <span class="path" dir="ltr">httpd_exec_t</span> it runs in the <span class="path" dir="ltr">httpd_t</span> domain and
+uses the same policy like Apache. By labeling the files according to the
+<span class="path" dir="ltr">apache.fc</span> definitions (but now for lighttpd) it might Just Work
+™
+</p>
+<p>
+Reusing existing domains requires that you at least consider the following
+aspects:
+</p>
+<ul>
+ <li>
+ Will the application run on the same system as the application for which the
+ domain is originally intended? If so, then both might run in the same domain
+ (and as such have more privileges towards each other than intended) which
+ might not be what you want.
+ </li>
+ <li>
+ Do you need to enhance (read: add additional privileges) the master domain?
+ If so, make sure that you don't add more privileges than the original domain
+ would ever need to the extend that these privileges become a security risk.
+ </li>
+</ul>
+<p class="secthead"><a name="doc_chap4_sect2">(Do Not) Copy from existing domains</a></p>
+<p>
+If reusing existing domains introduces too many risks, you'll need to create a
+new domain for the application. Many people would be inclined to copy the domain
+definition of a similar application and work from there. Although this is a
+viable approach, it is considered a bad practice because you start by providing
+privileges to the domain that are never needed, and removing privileges from a
+domain later is very difficult. Even more, if you are not the author of the
+modules, most developers will not even try to remove them as they assume that
+the author of the domain had a good reason to add it in the first place. This is
+one of the reasons why upstream takes great care in accepting patches - they
+must be properly documented before they are accepted.
+</p>
+<p>
+Instead, create a domain from scratch but take a close eye on the domain you
+belief is very similar. Issues that arise during the module development might be
+quickly resolved by looking at how the original domain is defined.
</p>
<p class="secthead"><a name="doc_chap4_sect3">Starting from scratch</a></p>
<p>
-TODO talk about defining the proper domains, set proper types (like file_type or
-application_type), refer to refpolicy guidelines
+To start the development of a new module from scratch, first identify the
+domain(s) you want to have. An application that, in its entire lifespan only
+constitutes of a single process, will most likely only have one domain. For
+instance, the Skype client will have just <span class="path" dir="ltr">skype_t</span>. However,
+applications that have multiple processes running might need multiple domains
+too. For instance, the Postfix application runs a master
+(<span class="path" dir="ltr">postfix_master_t</span>), queue manager (<span class="path" dir="ltr">postfix_qmgr_t</span>) and
+pickup service (<span class="path" dir="ltr">postfix_pickup_t</span>), but depending on the commands
+you execute, it will also have (short-lived) processes running as
+<span class="path" dir="ltr">postfix_cleanup_t</span>, <span class="path" dir="ltr">postfix_bounce_t</span>, etc.) It is
+considered a best practice to start with a fine-grained model for domains
+and only later decide if merging multiple domains into one is beneficial.
+Splitting domains later is more difficult. Don't forget to look at the
+client-side aspect too!
+</p>
+<p>
+Next, define the types that each domain interacts with. This of course includes
+the binary (like <span class="path" dir="ltr">skype_exec_t</span>) but do not forget resources like
+</p>
+<ul>
+ <li>
+ The configuration file(s) in <span class="path" dir="ltr">/etc</span> (f.i.
+ <span class="path" dir="ltr">postfix_etc_t</span>)
+ </li>
+ <li>
+ PID files (f.i. <span class="path" dir="ltr">sshd_var_run_t</span>)
+ </li>
+ <li>
+ Spool files (f.i. <span class="path" dir="ltr">postfix_spool_t</span>)
+ </li>
+ <li>
+ Variable data files (f.i. <span class="path" dir="ltr">snmpd_var_lib_t</span>)
+ </li>
+ <li>
+ Log files (f.i. <span class="path" dir="ltr">zebra_log_t</span>)
+ </li>
+ <li>
+ Cache files (f.i. <span class="path" dir="ltr">squid_cache_t</span>)
+ </li>
+ <li>
+ (User) content files (f.i. <span class="path" dir="ltr">httpd_sys_content_t</span> and
+ <span class="path" dir="ltr">httpd_user_content_t</span>)
+ </li>
+</ul>
+<p>
+Also, try to separate types that are used by other domains as well. This way,
+the other domains can only interact with those files or resources that are
+labeled accordingly, rather than interact with a broad spectrum of files. The
+distinction that the <span class="path" dir="ltr">apache</span> module makes between system-provided
+content (like phpmyadmin files) and user-provided content (in the
+<span class="path" dir="ltr">public_html</span> directory in the users' home directories) seems (and
+is) very logical, but one could wrongly say that for Apache itself, the access
+controls are the same. Although that might be true, both types are clearly used
+in different ways so this mandates the use of different domains.
+</p>
+<p>
+Once you have defined those types too, start writing down the intra-domain
+permissions. Right now is a good time to look at other modules to see how they
+do things. Start with defining the accesses towards the domains.
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Snippet from the spamassassin module</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+type spamassassin_t;
+type spamassassin_exec_t;
+application_domain(spamassassin_t, spamassassin_exec_t)
+ubac_constrained(spamassassin_t)
+</pre></td></tr>
+</table>
+<p>
+This small snippet defines many things. The first two lines just mention the new
+types (the <span class="path" dir="ltr">spamassassin_t</span> domain and
+<span class="path" dir="ltr">spamassassin_exec_t</span> type). The <span class="code" dir="ltr">application_domain</span> interface
+marks <span class="path" dir="ltr">spamassassin_t</span> as an application domain type (it gets the
+<span class="path" dir="ltr">application_domain_type</span> and <span class="path" dir="ltr">domain</span> attributes and a
+few default permissions (like allowing that it sends SIGCHLD and SIGNULL to
+init). It also marks <span class="path" dir="ltr">spamassassin_exec_t</span> as an applications'
+executable type (<span class="path" dir="ltr">application_exec_type</span> and <span class="path" dir="ltr">exec_type</span>
+attributes) so that it can be executed by regular users (these domains have
+execute rights against all resources that have the
+<span class="path" dir="ltr">application_exec_type</span> attribute set. Finally, it marks the
+<span class="path" dir="ltr">spamassassin_t</span> domain as a constrained domain for user-based access
+controls. In other words, if SELinux users <span class="path" dir="ltr">user_u</span> and
+<span class="path" dir="ltr">staff_u</span> launch the application in <span class="path" dir="ltr">spamassassin_t</span>
+domains, then the domains are segregated from each other (the intra-domain rules
+inside <span class="path" dir="ltr">spamassassin_t</span> are only valid for communication within the
+same SELinux user, not between SELinux users).
+</p>
+<p>
+Attributes are an important aspect in SELinux policy development. They make
+managing the domains easier, but you should always consider the implications
+when you add an attribute to one of your types. It usually means that a whole
+lot of permissions are suddenly granted between other domains and yours.
+</p>
+<p>
+Next, set the proper intra-domain permissions. For instance, allow your domain
+to read its configuration files as well as more access inside its own
+<span class="path" dir="ltr">/var/lib</span> location:
+</p>
+<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Snippet from openca module</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+allow openca_ca_t openca_etc_t:file read_file_perms;
+allow openca_ca_t openca_etc_t:dir list_dir_perms;
+
+manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+</pre></td></tr>
+</table>
+<p>
+The majority of work in developing SELinux policy modules is using and choosing
+the right interfaces. Having a few functions available to browse through all the
+available information is always interesting, so you might want to use the
+following function definitions (definitely not mandatory - this is only to help
+people skim through the policy definitions):
+</p>
+<a name="doc_chap4_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.3: SELinux policy development function definitions</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+POLICY_LOCATION="http://www.gentoo.org/path/to/your/refpolicy";
+
+# sefindif - Find interface definitions that have a string that matches the
+# given regular expression
+sefindif() {
+ REGEXP="$1";
+ cd ${POLICY_LOCATION}/policy/modules;
+ for FILE in */*.if;
+ do
+ awk "http://www.gentoo.org/(interface\(|template\()/ { NAME=\$NF; P=0 }; /${REGEXP}/ { if (P==0) {P=1; print NAME}; print };" ${FILE} | sed -e "s:^:${FILE}\: :g";
+ done
+}
+
+# seshowif - Show the interface definition
+seshowif() {
+ INTERFACE="$1";
+ cd ${POLICY_LOCATION}/policy/modules;
+ for FILE in */*.if;
+ do
+ grep -A 9999 "\(interface(\`${INTERFACE}'\|template(\`${INTERFACE}'\)" ${FILE} | grep -B 9999 -m 1 "^')";
+ done
+}
+
+# sefinddef - Find macro definitions that have a string that matches the given
+# regular expression
+sefinddef() {
+ REGEXP="$1";
+ grep -H "define(\`.*${REGEXP}.*" ${POLICY_LOCATION}/policy/support/* | sed -e 's:.*\/\([^(]*\):\1:g'
+}
+
+# seshowdef - Show the macro definition
+seshowdef() {
+ MACRONAME="$1";
+ cd ${POLICY_LOCATION}/policy/support;
+ for FILE in *.spt;
+ do
+ grep -A 9999 "define(\`${MACRONAME}'" ${FILE} | grep -B 999 -m 1 "')";
+ done
+}
+</pre></td></tr>
+</table>
+<p>
+These functions can then be used to find the information / interfaces you are
+looking for. For instance, you need the application to read the postfix
+configuration files:
+</p>
+<a name="doc_chap4_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.4: Looking for the interface(s) needed</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">sefindif postfix_etc_t</span>
+services/postfix.if: template(`postfix_domain_template',`
+services/postfix.if: allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+services/postfix.if: read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+services/postfix.if: read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+<span class="code-comment">services/postfix.if: interface(`postfix_read_config',`
+services/postfix.if: type postfix_etc_t;
+services/postfix.if: read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+services/postfix.if: read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)</span>
+services/postfix.if: interface(`postfix_config_filetrans',`
+services/postfix.if: type postfix_etc_t;
+services/postfix.if: filetrans_pattern($1, postfix_etc_t, $2, $3)
+
+~$ <span class="code-input">seshowif postfix_read_config</span>
+interface(`postfix_read_config',`
+ gen_require(`
+ type postfix_etc_t;
+ ')
+
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ files_search_etc($1)
+')
+</pre></td></tr>
+</table>
+<p>
+Same thing if you want to look for the correct macro definition (usually, if you
+notice something but you cannot find it as an interface, then it is most likely
+a macro):
+</p>
+<a name="doc_chap4_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.5: Looking for the right macros</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Suppose you need to read, write, connect, ... to a socket</span>
+~$ <span class="code-input">sefinddef connect</span>
+ipc_patterns.spt:define(`stream_connect_pattern',`
+<span class="code-comment">obj_perm_sets.spt:define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')</span>
+obj_perm_sets.spt:define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+obj_perm_sets.spt:define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+<span class="code-comment"># To see what the ps_process_pattern is about</span>
+~$ <span class="code-input">seshowdef ps_process_pattern</span>
+define(`ps_process_pattern',`
+ allow $1 $2:dir list_dir_perms;
+ allow $1 $2:file read_file_perms;
+ allow $1 $2:lnk_file read_lnk_file_perms;
+ allow $1 $2:process getattr;
+')
+</pre></td></tr>
+</table>
+<p>
+As we strive to bring most of our patches upstream, please do consider the <a href="http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute">contribution
+guidelines</a> of the reference policy project. The project has a documented
+style guide, naming convention and an online API reference (for the various
+interfaces).
+</p>
+<p>
+Note that, the moment you create a new module, you'll need to create the proper
+role interfaces (if it is an application that is directly called from a user
+domain). Take a look at <span class="code" dir="ltr">tvtime_role</span> and how it is used in the
+<span class="path" dir="ltr">staff.te</span> and <span class="path" dir="ltr">sysadm.te</span> role definitions.
</p>
<p class="secthead"><a name="doc_chap4_sect4">Testing new modules</a></p>
<p>
-TODO talk about users trying to do maximum testing (all the way). Also, if they
-want to support unconfined domains too, how they can do this (and should test).
+When you test your application, test it in as many ways as possible. If your
+application is a command-line application, run it both from a regular terminal
+(tty) as well as a virtual one (in an xterm). See if it still works if you run
+it in a screen session. Try out all functions and features that the application
+supports.
+</p>
+<p>
+This rigorous testing is necessary because SELinux denies everything that isn't
+explicitly allowed. If you do not test certain features, chances are that the
+module does not provide the necessary permissions and as such, users will be
+impacted.
</p>
+<p>
+To test out a new module, load it (<span class="code" dir="ltr">semodule -i modulename.pp</span>) and relabel
+the files affiliated with the application (either through <span class="code" dir="ltr">rlpkg</span> or using
+<span class="code" dir="ltr">restorecon</span>). Consider the following testing activities if applicable (not
+all domains are interactive domains, so please read the activities with your
+domain definition in mind):
+</p>
+<ul>
+ <li>
+ Sending signals to the application (if you need to be able to kill it, try
+ killing it)
+ </li>
+ <li>
+ Run it both as a regular user (<span class="path" dir="ltr">user_u</span>) as well as
+ administrative users (if applicable). If your domain needs to support
+ unconfined domains/users, run it from an unconfined user domain too.
+ </li>
+ <li>
+ Run it from a terminal, console, screen, sudo, ...
+ </li>
+ <li>
+ Change the applications' configuration file (including rendering it useless
+ with syntax errors) and look at the applications' behavior. Especially
+ syntax failures as that might trigger the application to log things at
+ places that you haven't discovered earlier.
+ </li>
+</ul>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
</span>Policy Guidelines</p>
+<p class="secthead"><a name="doc_chap5_sect1">Cosmetic denials</a></p>
<p>
-TODO dealing with cosmetic denials
+When working on policy modules, you'll notice that the application is trying to
+do things which are denied, but have no obvious effect on the applications
+functionality. This is to be expected: many applications do not handle file
+descriptors properly (file descriptor leaks are common) or applications read
+attributes of files but don't do anything with it. You'll notice that you learn
+a lot from the application while writing its policy ;-)
</p>
<p>
-TODO resources - gentoo selinux policy, refpolicy guidelines
+Gentoo Hardened's idea here is to only allow what is actually needed by the
+application. Cosmetic denials are to be <span class="code" dir="ltr">dontaudit</span>'ed. Gentoo Hardened
+uses the <span class="code" dir="ltr">gentoo_try_dontaudit</span> boolean for this:
+</p>
+<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Example usage of gentoo_try_dontaudit</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Hide sshd_t calling module_request from the kernel_t domain</span>
+tunable_policy(`gentoo_try_dontaudit',`
+ kernel_dontaudit_request_load_module(sshd_t)
+')
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap5_sect2">Gentoo Hardened SELinux policy</a></p>
+<p>
+To streamline the policy development efforts, Gentoo Hardened as a <a href="selinux-policy.xml">SELinux Policy</a> document explaining the
+principles used during policy development and the implementation guidelines we
+strive to follow during development.
+</p>
+<p>
+Such a policy is important because we want to have a consistent security policy
+that users and developers can relate to. By following the policy, we hope that
+other developers can quickly jump in and work on it further.
</p>
<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
</span>Submitting Patches</p>
+<p class="secthead"><a name="doc_chap6_sect1">File context patches</a></p>
+<p>
+If you are able to fix a problem by adding the proper file contexts (using
+<span class="code" dir="ltr">semanage fcontext -a</span>), please consider the following:
+</p>
+<ul>
+ <li>
+ If the location for which you set the context deviates from the standard
+ location as either intended by the project or Gentoo itself, it might be
+ best to document it in the forums or elsewhere. We will not change file
+ contexts to match every ones configuration, unless the file context change
+ is apparent for each installation.
+ </li>
+ <li>
+ Developers might not immediately push file context changes in new policy
+ module packages to keep the amount of policy module changes low. Instead,
+ these changes can be stacked and pushed when other changes occur as well.
+ </li>
+</ul>
<p>
-TODO differentiate between base patch and module patch.
+If you believe that the change is needed for everyone using Gentoo Hardened with
+SELinux, create a <a href="https://bugs.gentoo.org">bugreport</a> and assign
+it to <span class="code" dir="ltr">selinux@gentoo.org</span>. In the bugreport, mention the file context you
+think is necessary and why.
</p>
+<p class="secthead"><a name="doc_chap6_sect2">Module patches</a></p>
<p>
-TODO perhaps talk about file context patches. Perhaps we will not make a new
-build release for it, but stage it to be included in the next release when a
-non-filecontext patch is added?
+Module patches with changes that are intra-module (and have no effect outside)
+are best generated from the <span class="path" dir="ltr">policy/modules</span> location:
+</p>
+<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: Example generating patch for modular changes</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">cd dev/hardened/strict.local/policy/modules</span>
+~$ <span class="code-input">diff -ut ../../../strict/policy/modules/services/openct.te services/openct.te</span>
+--- ../../../../strict/policy/modules/services/openct.te 2011-04-22 23:28:17.932918002 +0200
++++ services/openct.te 2011-04-23 09:55:08.156918002 +0200
+@@ -47,6 +47,10 @@
+
+ miscfiles_read_localization(openct_t)
+
++tunable_policy(`gentoo_try_dontaudit',`
++ kernel_dontaudit_read_system_state(openct_t)
++')
++
+ userdom_dontaudit_use_unpriv_user_fds(openct_t)
+ userdom_dontaudit_search_user_home_dirs(openct_t)
+</pre></td></tr>
+</table>
+<p>
+Attach this patch to the <a href="https://bugs.gentoo.org">bugreport</a>
+explaining why it is needed. If you think the patch itself is not obvious, make
+sure that the necessary comments are in place <span class="emphasis">inside the patch</span> for future
+reference.
+</p>
+<p>
+Please have a separate patch file per module (do not combine multiple modules in
+a single patch).
+</p>
+<p class="secthead"><a name="doc_chap6_sect3">Base policy patches</a></p>
+<p>
+If a patch extends a single module, or it includes interface changes on a
+module, you'll need to create a patch for the base policy. In this case, the
+patch is best made from the upper location.
+</p>
+<a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.2: Generating a base policy patch</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">cd dev/hardened/strict.local</span>
+~$ <span class="code-input">diff -ut ../strict/policy/modules/services/openct.if policy/modules/services/openct.if</span>
+--- ../strict/policy/modules/services/openct.if 2011-04-22 23:28:17.918918002 +0200
++++ policy/modules/services/openct.if 2011-04-23 10:01:38.753918001 +0200
+@@ -15,7 +15,7 @@
+ type openct_t;
+ ')
+
+- allow $1 openct_t:process signull;
++ allow $1 openct_t:process { signull sigchld };
+ ')
+
+ ########################################
+</pre></td></tr>
+</table>
+<p>
+Attach this patch to the <a href="https://bugs.gentoo.org">bugreport</a>
+explaining why it is needed. If you think the patch itself is not obvious, make
+sure that the necessary comments are in place <span class="emphasis">inside the patch</span> for future
+reference.
+</p>
+<p>
+Please have a separate patch file per major change (do not combine multiple
+unrelated changes in a single patch).
</p>
<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
</span>Running Your Own Policy</p>
+<p class="secthead"><a name="doc_chap7_sect1">Creating a local overlay</a></p>
+<p>
+If you want to use your own policy rather than Gentoo's, we seriously recommend
+to use a local overlay which uses the same package names and constructs. This
+allows your policy to integrate properly with the other Gentoo packages (which
+might depend on the SELinux packages). For instance, when you install openldap,
+it will still properly depend on the <span class="path" dir="ltr">sec-policy/selinux-ldap</span>
+package even if you provide it completely.
+</p>
+<p>
+To do so, first create a local overlay and copy the content of the
+<span class="path" dir="ltr">sec-policy</span> category inside it.
+</p>
+<a name="doc_chap7_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.1: Creating a local overlay</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">mkdir dev/overlay</span>
+~$ <span class="code-input">cp -r /usr/portage/sec-policy dev/overlay</span>
+</pre></td></tr>
+</table>
+<p>
+Next, tell Portage to not synchronise the <span class="path" dir="ltr">sec-policy</span> category of
+the main tree anymore. To do so, create the file
+<span class="path" dir="ltr">/etc/portage/rsync_excludes</span> with the following content:
+</p>
+<a name="doc_chap7_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.2: Rsync exclusion information</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+sec-policy/
+</pre></td></tr>
+</table>
+<p>
+Finally, add your current overlay by editing <span class="path" dir="ltr">/etc/make.conf</span>:
+</p>
+<a name="doc_chap7_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.3: Editing make.conf</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+PORTDIR_OVERLAY="${PORTDIR_OVERLAY} /home/user/dev/overlay"
+</pre></td></tr>
+</table>
+<p>
+From now onwards, Gentoo Portage will only use your local overlay (you can
+remove <span class="path" dir="ltr">/usr/portage/sec-policy</span> if you don't want Portage to even
+reuse the current set of packages.
+</p>
+<p class="secthead"><a name="doc_chap7_sect2">Updating module packages</a></p>
<p>
-TODO describe how to create your own overlay with modules and patchbundles. Also
-usable for developers to stage their ebuild / patch submissions before actually
-putting in git repo. Ensure that naming is consistent (so that ebuild
-dependencies of packages remain).
+To create or update a module package, you can use the following skeleton for the
+ebuilds:
</p>
+<a name="doc_chap7_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.4: Skeleton for ebuilds, example for postfix</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+<span class="code-comment"># Set the MODS variable to the refpolicy name used, so services/postfix.te gives "postfix"</span>
+MODS="postfix"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for postfix"
+
+KEYWORDS="~amd64 ~x86"
+
+<span class="code-comment"># POLICY_PATCH is optional (only when you have a patch), without it just uses the
+# refpolicy version.</span>
+POLICY_PATCH="${FILESDIR}/fix-services-postfix-r3.patch"
+</pre></td></tr>
+</table>
+<p>
+The patch(es) that you can put in the <span class="path" dir="ltr">files/</span> location (and referred to
+in the <span class="code" dir="ltr">POLICY_PATCH</span>) should be made as defined earlier in this document.
+You can put multiple patches in this variable if you want.
+</p>
+<p>
+Don't forget to run <span class="code" dir="ltr">repoman manifest</span> with every change, and run
+<span class="code" dir="ltr">repoman scan</span> to check for potential mistakes.
+</p>
+<p class="secthead"><a name="doc_chap7_sect3">Updating base package</a></p>
+<p>
+To provide updates on the base policy, it is recommended to keep all patches you
+made centrally in a directory (say <span class="path" dir="ltr">dev/hardened/base-patches</span>). When
+you want to create a new <span class="path" dir="ltr">sec-policy/selinux-base-policy</span> release,
+create a patchbundle from your patch directory, put the bundle in the
+<span class="path" dir="ltr">files</span> location, create the updated ebuild and try it out.
+</p>
+<a name="doc_chap7_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.5: Building a base policy package</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">cd dev/hardened/base-patches</span>
+~$ <span class="code-input">tar cjvf ../overlay/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r13.tar.bz2 *</span>
+~$ <span class="code-input">cd ../overlay/sec-policy/selinux-base-policy</span>
+~$ <span class="code-input">cp selinux-base-policy-2.20101213-r12.ebuild selinux-base-policy-2.20101213-r13.ebuild</span>
+</pre></td></tr>
+</table>
<p>
-TODO describe how to exclude sec-policy in regular rsync
+Don't forget to run <span class="code" dir="ltr">repoman manifest</span> and <span class="code" dir="ltr">repoman scan</span>. You can
+then install <span class="path" dir="ltr">sec-policy/selinux-base-policy-2.20101213-r13</span> and test
+it out.
</p>
<br><p class="copyright">
The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
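Review bot: the overlay procedure in Code Listing 7.2 does not take effect as written: creating `/etc/portage/rsync_excludes` does nothing by itself, Portage only honours it when make.conf hands it to rsync, e.g. `PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"`; add that line to the make.conf step in Code Listing 7.3, otherwise the next `emerge --sync` silently refreshes `/usr/portage/sec-policy` and the sentence "Gentoo Portage will only use your local overlay" (which is also missing its closing parenthesis) is not true. Two smaller points in the same hunk: Code Listing 6.1 runs `diff` against `../../../strict/...` while the pasted header shows `../../../../strict/...`, so one of the two was edited by hand and they should agree (three levels up is the correct path from `strict.local/policy/modules`); and the opening sentence of "Base policy patches", "If a patch extends a single module", says the opposite of what the section means (a change spanning more than one module, or touching a module's interface), while "Gentoo Hardened as a SELinux Policy document" should read "has".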
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-04-25 23:38 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-04-25 23:38 UTC
To: gentoo-commits
commit: a42fdc59c5c2067ec8544f25c6a699f5a9e51b6d
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Mon Apr 25 23:37:05 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Mon Apr 25 23:37:05 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a42fdc59
Previews...
---
html/index.html | 3 +++
html/index2.html | 3 +++
2 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/html/index.html b/html/index.html
index c3f4ea2..ec23d0f 100644
--- a/html/index.html
+++ b/html/index.html
@@ -271,6 +271,9 @@ GNU Stack Quickstart
<li>
<a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook</a>
</li>
+ <li>
+ <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
+ </li>
</ul>
</li>
</ul>
diff --git a/html/index2.html b/html/index2.html
index 5d0955e..f2d47ca 100644
--- a/html/index2.html
+++ b/html/index2.html
@@ -240,6 +240,9 @@ GNU Stack Quickstart</a>
<li>
<a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook</a>
</li>
+ <li>
+ <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
+ </li>
</ul>
</li>
</ul>
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-05-01 20:24 Sven Vermeulen
From: Sven Vermeulen @ 2011-05-01 20:24 UTC
To: gentoo-commits
commit: a547a0055cd566d3766c7285bb24c0b050dd4932
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 1 20:24:07 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 1 20:24:07 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a547a005
Update previews
---
html/selinux-faq.html | 50 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 49 insertions(+), 1 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 9dc1bfb..42ccef9 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -68,6 +68,10 @@ as well.
LD_PRELOAD cannot be preloaded: ignored'
</a></li>
<li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li>
+<li><a href="#cronfails">
+ Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+ FAILED (crontabs/root)'
+</a></li>
</ul>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
</span>General SELinux Support Questions</p>
@@ -337,11 +341,55 @@ This is also necessary if you logged on to your system as root but through SSH.
The default behavior is that SSH sets the lowest role for the particular user
when logged on. And you shouldn't allow remote root logins anyhow.
</p>
+<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">
+ Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+ FAILED (crontabs/root)'
+</a></p>
+<p>
+When you hit the mentioned error with a root crontab or an administrative
+users' crontab, but not with a regular users' crontab, then check the context of
+the crontab file:
+</p>
+<a name="doc_chap5_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.7: Check context of the crontab file</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">ls -Z /var/spool/cron/crontabs/root</span>
+staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
+</pre></td></tr>
+</table>
+<p>
+Next, check what the default context is for the given user (in this case, root)
+when originating from the <span class="code" dir="ltr">crond_t</span> domain:
+</p>
+<a name="doc_chap5_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.8: Check default context for user root</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">getseuser root system_u:system_r:crond_t</span>
+seuser: root, level (null)
+Context 0 root:sysadm_r:cronjob_t
+Context 1 root:staff_r:cronjob_t
+</pre></td></tr>
+</table>
+<p>
+As you can see, the default context is always for the <span class="code" dir="ltr">root</span> SELinux user.
+However, the <span class="path" dir="ltr">/var/spool/cron/crontabs/root</span> file context in the
+above example is for the SELinux user staff_u. Hence, cron will not be able to
+read this file (the <span class="code" dir="ltr">user_cron_spool_t</span> type is a UBAC constrained one).
+</p>
+<p>
+To fix this, change the user of the file to root:
+</p>
+<a name="doc_chap5_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.9: Change the SELinux user of the root crontab file</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span>
+</pre></td></tr>
+</table>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 30, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
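Review bot: "change the user of the file to root" in the paragraph before Code Listing 5.9 is ambiguous, since the Unix owner of /var/spool/cron/crontabs/root is already root; say explicitly that it is the SELinux user (the first field of the context shown in Listing 5.7) that must change, which is what `chcon -u root` does. The answer should also name the cause so that the fix sticks: the file carries staff_u because it was written from a session running as the staff_u SELinux user (for instance root reached through sudo from a staff account), and the next `crontab -e` from such a session recreates the mismatch; a crontab written from a session whose SELinux user is root, which is what the `getseuser` output in Listing 5.8 expects, does not need the chcon at all.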
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-05-03 20:23 Sven Vermeulen
From: Sven Vermeulen @ 2011-05-03 20:23 UTC
To: gentoo-commits
commit: ae48452f5bb0dbe181a5949c6018de93e9dc146e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 3 20:23:04 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 3 20:23:04 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae48452f
Update previews
---
html/selinux-faq.html | 32 +++++++++++++++++++++++++++++++-
1 files changed, 31 insertions(+), 1 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 42ccef9..cb068d4 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -49,6 +49,7 @@ as well.
<li><a href="#rsbac">Can I use SELinux and RSBAC?</a></li>
<li><a href="#filesystem">Can I use SELinux with any file system?</a></li>
<li><a href="#nomultilib">Can I use SELinux with AMD64 no-multilib?</a></li>
+<li><a href="#ubac">What is UBAC exactly?</a></li>
</ul>
<p class="secthead">Using SELinux</p>
<ul>
@@ -129,6 +130,35 @@ Theoretically, definitely. However, the current selinux profiles in the Portage
tree are not no-multilib capable. Work is on the way however to make the
profiles more flexible and support no-multilib soon.
</p>
+<p class="secthead"><a name="ubac"></a><a name="doc_chap2_sect7">What is UBAC exactly?</a></p>
+<p>
+UBAC, or <span class="emphasis">User Based Access Control</span>, introduces additional constraints
+when using SELinux policy. Participating domains / types that are <span class="emphasis">both</span>
+marked as a <span class="code" dir="ltr">ubac_constrained_type</span> (which is an attribute) will only
+have the allowed privileges in effect if they both run with the same SELinux
+user context.
+</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Domains and their SELinux user context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># The SELinux allow rule</span>
+allow foo_t bar_t:file { read };
+
+<span class="code-comment"># This will succeed:</span>
+staff_u:staff_r:foo_t reads file with type staff_u:object_r:bar_t
+
+<span class="code-comment"># This will be prohibited:</span>
+user_u:user_r:foo_t reads file with type staff_u:object_r:bar_t
+</pre></td></tr>
+</table>
+<p>
+Of course, this is not always the case. Besides the earlier mentioned
+requirement that both types are <span class="code" dir="ltr">ubac_constrained_type</span>, if the source
+domain is <span class="code" dir="ltr">sysadm_t</span>, then the constraint will not be in effect (the
+<span class="code" dir="ltr">sysadm_t</span> domain is exempt from UBAC constraints). Also, if the source
+or destination SELinux user is <span class="code" dir="ltr">system_u</span> then the constraint will also
+not be in effect.
+</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
</span>Using SELinux</p>
<p class="secthead"><a name="enable_selinux"></a><a name="doc_chap3_sect1">How do I enable SELinux?</a></p>
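Review bot: Code Listing 2.1 shows the allow rule and the two outcomes but not the condition the paragraph above it states is required, namely that both types carry the ubac_constrained_type attribute; as it stands the listing suggests the SELinux-user mismatch alone causes the denial. Add the two declarations before the allow rule, e.g. `ubac_constrained(foo_t)` and `ubac_constrained(bar_t)` (the refpolicy interface that assigns the attribute). Also, `staff_u:object_r:bar_t` is a full security context, not a type, so "reads file with type" should read "reads file with context".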
@@ -389,7 +419,7 @@ To fix this, change the user of the file to root:
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 3, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-05-03 21:06 Sven Vermeulen
From: Sven Vermeulen @ 2011-05-03 21:06 UTC
To: gentoo-commits
commit: 607e42ed495a347aca44a4f2ec0cbb728503b550
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 3 21:06:35 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 3 21:06:35 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=607e42ed
Update previews
---
html/selinux-faq.html | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index cb068d4..89d9f5b 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -415,6 +415,10 @@ To fix this, change the user of the file to root:
~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span>
</pre></td></tr>
</table>
+<p>
+Another fix would be to disable UBAC completely. This is accomplished with
+<span class="code" dir="ltr">USE="-ubac"</span>.
+</p>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
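Review bot: presenting `USE="-ubac"` as simply "another fix" undersells its scope; according to the UBAC answer in this same FAQ it removes the SELinux-user separation for every ubac_constrained type on the system, not just the cron spool, so it should be marked as a last resort after the `chcon -u root` fix above it. The sentence should also say that this is a build-time USE flag on the policy package, so the policy has to be rebuilt and reloaded before it takes effect, unlike the chcon, which is immediate.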
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-05-04 22:03 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-05-04 22:03 UTC
To: gentoo-commits
commit: 658b91b7598b97799d18712eee0ae7747e86eb10
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Wed May 4 21:44:54 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Wed May 4 21:44:54 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=658b91b7
updating previews
---
html/etdyn.html | 18 +++++++++---------
html/gnu-stack.html | 8 ++++----
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/html/etdyn.html b/html/etdyn.html
index 99ea501..ca94085 100644
--- a/html/etdyn.html
+++ b/html/etdyn.html
@@ -11,13 +11,13 @@
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
- </title>
+ ETDYN guide</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
-<br><h1></h1>
+<br><h1>ETDYN guide</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
<select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
@@ -100,8 +100,8 @@
care about gcrt1.o). It is no coincidence that crt1.o is not linked into
shared libraries as this object contains (among others) the low-level entry
point and startup code that invokes the C library startup code which in
- turn calls main().
- <table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>Initiating the building of ET_DYN executables on Gentoo does not require us to put -shared in our CFLAGS or LDFLAGS</p></td></tr></table></p>
+ turn calls main(). </p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>Initiating the building of ET_DYN executables on Gentoo does not require us to put -shared in our CFLAGS or LDFLAGS</p></td></tr></table>
<p>Making crt1.o position independent is easy, we just have to make use of the
GOT (in keeping with the tradition of the glibc naming convention for the
position independent version of the extra object files, we will call it
@@ -133,15 +133,15 @@
the other systemwide crt* files are.</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
</span>ET_DYN ELF executables (The Gentoo Way)</p>
-<p>On Gentoo this is accomplished by merging <span class="code-input">hardened-gcc</span>: </p>
+<p>On Gentoo this is accomplished by merging <span class="code" dir="ltr">hardened-gcc</span>: </p>
<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Emerging hardened-gcc</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code" dir="ltr"># emerge hardened-gcc</span>
+# <span class="code-input">emerge hardened-gcc</span>
</pre></td></tr>
</table>
-<p><span class="code-input">hardened-gcc</span> is an umbrella package for non-mainstream gcc modifications
- The <span class="code-input">hardened-gcc</span> packages was initially created by Alexander Gabert
+<p><span class="code" dir="ltr">hardened-gcc</span> is an umbrella package for non-mainstream gcc modifications
+ The <span class="code" dir="ltr">hardened-gcc</span> packages was initially created by Alexander Gabert
for this special purpose we are serving here: rolling out the etdyn
specs file and interp.o together with the position independent
crt1S.o. But this package is not limited to that purpose.
@@ -163,7 +163,7 @@
<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: Example files</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code" dir="ltr"># file /sbin/chpax</span>
+# <span class="code-input">file /sbin/chpax</span>
/sbin/chpax: ELF 32-bit LSB shared object, Intel 80386, version 1 \
(GNU/Linux), stripped
/sbin/chpax: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for \
diff --git a/html/gnu-stack.html b/html/gnu-stack.html
index fd6caf0..d784de3 100644
--- a/html/gnu-stack.html
+++ b/html/gnu-stack.html
@@ -339,7 +339,7 @@ If no one can seem to answer your question, give me a poke either on irc
<td class="infohead"><b>Arch</b></td> <td class="infohead"><b>Status</b></td>
</tr>
<tr>
-<td class="tableinfo">alpha</td> <td class="tableinfo">gcc generates proper .note.GNU-stack, but final link results in exec stack</td>
+<td class="tableinfo">alpha</td> <td class="tableinfo">fully supported (gcc-4.4.x/glibc-2.11)</td>
</tr>
<tr>
<td class="tableinfo">amd64</td> <td class="tableinfo">fully supported</td>
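Review bot: the new alpha status "fully supported (gcc-4.4.x/glibc-2.11)" does not say whether the parenthetical is the toolchain it was verified with or the minimum required; since the cell it replaces recorded that the final link still produced an executable stack, phrase it as "since gcc-4.4.x/glibc-2.11" (or equivalent) so readers on older toolchains know the previous behaviour still applies to them. The same wording is used for the ppc and ppc64 rows in the next hunk.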
@@ -363,10 +363,10 @@ If no one can seem to answer your question, give me a poke either on irc
<td class="tableinfo">mips</td> <td class="tableinfo">gcc-3.4.x does not generate .note.GNU-stack</td>
</tr>
<tr>
-<td class="tableinfo">ppc</td> <td class="tableinfo">gcc generates proper .note.GNU-stack, but final link results in exec stack</td>
+<td class="tableinfo">ppc</td> <td class="tableinfo">fully supported (gcc-4.4.x/glibc-2.11)</td>
</tr>
<tr>
-<td class="tableinfo">ppc64</td> <td class="tableinfo">gcc generates proper .note.GNU-stack, but final link results in exec stack</td>
+<td class="tableinfo">ppc64</td> <td class="tableinfo">fully supported (gcc-4.4.x/glibc-2.11)</td>
</tr>
<tr>
<td class="tableinfo">s390</td> <td class="tableinfo">fully supported</td>
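Review bot: same ambiguity as the alpha row, state whether gcc-4.4.x/glibc-2.11 is a minimum or the tested toolchain. Separately, the mips row left untouched in the leading context of this hunk still reports "gcc-3.4.x does not generate .note.GNU-stack"; if ppc and ppc64 were re-tested on gcc-4.4.x/glibc-2.11, mips should be re-tested on the same toolchain and its entry updated or dated, otherwise the table mixes results from two toolchain generations without saying so.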
@@ -397,7 +397,7 @@ If no one can seem to answer your question, give me a poke either on irc
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="gnu-stack.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 27, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated March 17, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>Handbook for proper GNU Stack management in ELF systems</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
<a href="mailto:vapier@gentoo.org" class="altlink"><b>Mike Frysinger</b></a>
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-06-01 21:26 Sven Vermeulen
From: Sven Vermeulen @ 2011-06-01 21:26 UTC
To: gentoo-commits
commit: e7fa04f8f6314d69f5d7c61aa3f7a6c9aa796012
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 1 21:26:23 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jun 1 21:26:23 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e7fa04f8
update previews
---
html/roadmap.html | 3 ---
html/support-state.html | 3 ---
2 files changed, 0 insertions(+), 6 deletions(-)
diff --git a/html/roadmap.html b/html/roadmap.html
index 8a3e0e1..804f4e8 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -17,9 +17,6 @@
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
-<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
- This document is a work in progress and should not be considered official yet.
- </p></td></tr></table>
<br><h1>Gentoo Hardened Roadmap</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
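Review bot: removing the "work in progress" disclaimer promotes the roadmap to an official document, but the diffstat shows only these three deletions, so the page's "Updated" footer is not bumped in this commit; the other preview updates in this series move the "Updated" line with every content change, and a change in document status is exactly when readers need that date.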
diff --git a/html/support-state.html b/html/support-state.html
index 45c51bd..1ddfa9e 100644
--- a/html/support-state.html
+++ b/html/support-state.html
@@ -17,9 +17,6 @@
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
-<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
- This document is a work in progress and should not be considered official yet.
- </p></td></tr></table>
<br><h1>Gentoo Hardened Support State</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
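Review bot: as with roadmap.html in this same commit, the disclaimer is dropped without touching the "Updated" footer of support-state.html; bump it so a reader can tell when the page stopped being a draft.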
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-07-13 22:04 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-13 22:04 UTC
To: gentoo-commits
commit: a9b9af734ea599de9b1b1f44ee12a94f134b7a8f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 13 22:02:54 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 13 22:02:54 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a9b9af73
update previews
---
html/selinux-faq.html | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index f3c097c..3a511e5 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -97,9 +97,11 @@ features of the compiler.
</p>
<p class="secthead"><a name="rsbac"></a><a name="doc_chap2_sect4">Can I use SELinux and RSBAC?</a></p>
<p>
-Yes, SELinux and RSBAC can be used together, but it is not recommended. The
-RSBAC framework that is added to the Linux Security Modules framework (which
-is used by SELinux) impacts performance for little added value.
+Yes, SELinux and RSBAC can be used together, but it is not recommended.
+Both frameworks (RSBAC and the SELinux implementation on top of Linux' Linux
+Security Modules framework) have a slight impact on system performance.
+Enabling them both only hinders performance more, for little added value since
+they both offer similar functionality.
</p>
<p>
In most cases, it makes more sense to use RSBAC without SELinux, or SELinux
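Review bot: "the SELinux implementation on top of Linux' Linux Security Modules framework" reads as a doubled word; "the SELinux implementation on top of the Linux Security Modules (LSM) framework" is clearer. The rewrite correctly stops describing RSBAC as something added to LSM, but "they both offer similar functionality" is vaguer than the performance point it replaces; saying what actually overlaps (both are mandatory access control frameworks enforcing their own policy on the same kernel operations) is what justifies the "little added value" claim and the recommendation that follows to run one or the other.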
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-07-15 16:09 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-15 16:09 UTC
To: gentoo-commits
commit: 28ed45b76704f6a589420248c78d2225a00a9806
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Jul 15 16:07:35 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Jul 15 16:07:35 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=28ed45b7
update previews
---
html/roadmap.html | 34 +++++++++++++++++-----------------
1 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/html/roadmap.html b/html/roadmap.html
index ae59a97..0df3dc7 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -127,28 +127,28 @@ Hardened has made, such as tool selection.
<tr>
<td class="tableinfo">Document the Hardened Toolchain</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-keyword">In Progress</span></td>
+ <td class="tableinfo">In Progress</td>
<td class="tableinfo">Zorry</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Comparative analysis of security approaches taken by distributions</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+ <td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Rework grSecurity documentation</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+ <td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Update/rewrite propolice documentation</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+ <td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
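Review bot: the replaced cells were using syntax-highlighting classes (code-keyword, code-comment, code-variable) purely to colour the status text, and this hunk reduces them to plain text, so "In Progress", "Unassigned" and "Done" now render identically. If the visual distinction was wanted, the fix is a dedicated status class in the stylesheet rather than the code-highlighting ones; either way the decision should be made once for every status cell, since the same replacement is repeated row by row in the following hunks and any later change has to touch them all again.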
@@ -184,14 +184,14 @@ handling CFLAG filters for a hardened toolchain in a proper way.
<tr>
<td class="tableinfo">Document the toolchain feature set</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-variable">In progress</span></td>
+ <td class="tableinfo">In progress</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Describe the grSecurity RBAC system</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+ <td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
@@ -201,7 +201,7 @@ handling CFLAG filters for a hardened toolchain in a proper way.
<tr>
<td class="tableinfo">Release hardened-sources-2.6.37</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-keyword">Done</span></td>
+ <td class="tableinfo">Done</td>
<td class="tableinfo">blueness</td>
<td class="tableinfo"></td>
</tr>
@@ -228,7 +228,7 @@ is in need for attention.
the existing grSecurity2 document needs to be converted to Handbook XML
</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+ <td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
@@ -237,7 +237,7 @@ is in need for attention.
the features of PAX and grSecurity need to be described and documented
</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+ <td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
@@ -246,7 +246,7 @@ is in need for attention.
the RBAC system needs to be covered documentation-wise in much more detail
</td>
<td class="tableinfo"></td>
- <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+ <td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
@@ -287,22 +287,22 @@ of the packages.
</tr>
<tr>
<td class="tableinfo">Improve QA on SELinux packages (f.i. migrate patchbundles away from filesdir)</td>
- <td class="tableinfo">2011-07-15</td>
- <td class="tableinfo"><span class="code-variable">In progress</span></td>
+ <td class="tableinfo">2011-07-18</td>
+ <td class="tableinfo">In progress</td>
<td class="tableinfo">blueness, SwifT</td>
<td class="tableinfo"><a href="https://bugs.gentoo.org/370927">#370927</a></td>
</tr>
<tr>
<td class="tableinfo">Stabilize the new SELinux profile structure</td>
- <td class="tableinfo">2011-07-15</td>
- <td class="tableinfo"><span class="code-variable">In progress</span></td>
+ <td class="tableinfo">2011-08-01</td>
+ <td class="tableinfo">In progress</td>
<td class="tableinfo">blueness, SwifT</td>
<td class="tableinfo"><a href="https://bugs.gentoo.org/365483">#365483</a></td>
</tr>
<tr>
<td class="tableinfo">Add support for MCS (driver is virtualization)</td>
- <td class="tableinfo">2011-08-01</td>
- <td class="tableinfo"><span class="code-keyword">On track</span></td>
+ <td class="tableinfo">2011-08-15</td>
+ <td class="tableinfo">On track</td>
<td class="tableinfo">SwifT</td>
<td class="tableinfo"></td>
</tr>
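Review bot: all three target dates move out (2011-07-15 to 2011-07-18, 2011-07-15 to 2011-08-01, 2011-08-01 to 2011-08-15) while the status cells stay "In progress" and "On track", so a reader of the table cannot see that these slipped; either record the slip in the status or keep the original date next to the new one. The MCS row is also the only one of the three without a bug reference in the last column, where the other two link #370927 and #365483; add the tracking bug for MCS support if one exists.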
@@ -311,7 +311,7 @@ of the packages.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated July 10, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated July 15, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
A roadmap that plots current needs and goals of the
Hardened Gentoo project.
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-09-03 12:11 Sven Vermeulen
From: Sven Vermeulen @ 2011-09-03 12:11 UTC
To: gentoo-commits
commit: c41ed54f18aa1d31747ed605d5e5bc9c7d18b938
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Sep 3 12:10:11 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Sep 3 12:10:11 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c41ed54f
Update previews
---
html/selinux-faq.html | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index ea9f968..5e2161a 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -254,6 +254,11 @@ The most specific means, in order of tests:
line B is more specific
</li>
</ol>
+<p>
+However, when you add your own file contexts (using <span class="code" dir="ltr">semanage</span>), this does
+not apply. Instead, tools like <span class="code" dir="ltr">restorecon</span> will take the <span class="emphasis">last</span> hit
+within the locally added file contexts!
+</p>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
</span>SELinux Kernel Error Messages</p>
<p class="secthead"><a name="register_security"></a><a name="doc_chap4_sect1">I get a register_security error message when booting</a></p>
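Review bot: the new paragraph states that restorecon takes the last matching entry among locally added file contexts, which contradicts the ordering rules listed just above it, but gives the reader no way to check which rule won or where the local entries live. Name the local file contexts file for the policy type in use and point at a verification step before running restorecon, for example `semanage fcontext -l -C` to list only the local additions in their order, or `matchpathcon <path>` to see the label that will be applied. The closing exclamation mark can go.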
@@ -560,7 +565,7 @@ version, or force set it to the higher version.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 22, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 3, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2011-09-04 19:13 Sven Vermeulen
From: Sven Vermeulen @ 2011-09-04 19:13 UTC
To: gentoo-commits
commit: 7338144ab2abc1d1a6b63c163c2ebf17e8456e11
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Sep 4 19:12:54 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Sep 4 19:12:54 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=7338144a
Update previews
---
html/selinux-faq.html | 107 ++++++++++++++++++++++++++++++++++++++++++++++---
1 files changed, 101 insertions(+), 6 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 5e2161a..611eaf5 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -59,6 +59,7 @@ as well.
<li><a href="#matchcontext">
How do I know which file context rule is used for a particular file?
</a></li>
+<li><a href="#localpolicy">How do I make small changes (additions) to the policy?</a></li>
</ul>
<p class="secthead">SELinux Kernel Error Messages</p>
<ul>
@@ -140,10 +141,8 @@ like we will eventually support these file systems on SELinux fully as well.
</p>
<p class="secthead"><a name="nomultilib"></a><a name="doc_chap2_sect6">Can I use SELinux with AMD64 no-multilib?</a></p>
<p>
-Yes. However, for the time being, it is only supported through developer
-profiles, meaning that the profiles should not be seen as very stable (their
-content can still change swiftly). Try out
-<span class="code" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span> and tell us what you get.
+Yes, just use the <span class="path" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span> profile
+and you're all set.
</p>
<p class="secthead"><a name="ubac"></a><a name="doc_chap2_sect7">What is UBAC exactly?</a></p>
<p>
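Review bot: the rewrite removes the warning that the no-multilib SELinux profile was developer-only and could change quickly, without saying that this has changed; if the profile has been promoted, say so (and since when), otherwise someone who read the previous version cannot tell whether the caveat was withdrawn or accidentally dropped. "you're all set" is also looser in tone than the rest of the FAQ; "and no further configuration is needed" says the same thing.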
@@ -257,7 +256,103 @@ The most specific means, in order of tests:
<p>
However, when you add your own file contexts (using <span class="code" dir="ltr">semanage</span>), this does
not apply. Instead, tools like <span class="code" dir="ltr">restorecon</span> will take the <span class="emphasis">last</span> hit
-within the locally added file contexts!
+within the locally added file contexts! You can check the content of the
+locally added rules in <span class="path" dir="ltr">/etc/selinux/strict/contexts/files/file_contexts.local</span>
+(substitute <span class="path" dir="ltr">strict</span> with your SELinux type).
+</p>
+<p class="secthead"><a name="localpolicy"></a><a name="doc_chap3_sect5">How do I make small changes (additions) to the policy?</a></p>
+<p>
+If you are interested in the Gentoo Hardened SELinux development itself, please
+have a look at the <a href="selinux-development.html">SELinux
+Development Guide</a> and other documentation linked from the <a href="selinux/index.html">SELinux project page</a>.
+</p>
+<p>
+However, you will eventually need to keep some changes on your policy, due to
+how you have configured your system or when you need to allow something that is
+not going to be accepted as a distribution-wide policy change. In that case,
+read on.
+</p>
+<p>
+Updates on the policy are only possible as long as you need to <span class="emphasis">allow</span>
+additional privileges. It is not possible to remove rules from the policy, only
+enhance it. To maintain your own set of additional rules, create a file in which
+you will keep your changes. In the next example, I will use the term
+<span class="path" dir="ltr">fixlocal</span>, substitute with whatever name you like - but keep it
+consistent. In the file (<span class="path" dir="ltr">fixlocal.te</span>) put in the following text
+(again, substitute <span class="path" dir="ltr">fixlocal</span> with your chosen name):
+</p>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: fixlocal.te content</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+policy_module(fixlocal, 1.0)
+
+require {
+<span class="code-comment"># Declarations of types, classes and permissions used</span>
+
+}
+
+<span class="code-comment"># Declaration of policy rules</span>
+</pre></td></tr>
+</table>
+<p>
+In this file, you can add rules as you like. In the next example, we add three
+rules:
+</p>
+<ol>
+ <li>
+ Allow <span class="code" dir="ltr">mozilla_t</span> the <span class="code" dir="ltr">execmem</span> privilege (based on a denial that
+ occurs when mozilla fails to start)
+ </li>
+ <li>
+ Allow <span class="code" dir="ltr">ssh_t</span> to connect to any port rather than just the SSH port
+ </li>
+ <li>
+ Allows the <span class="code" dir="ltr">user_t</span> domain to send messages directly to the system
+ logger
+ </li>
+</ol>
+<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: fixlocal.te content</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+policy_module(fixlocal, 1.0)
+
+require {
+ type mozilla_t;
+ type ssh_t;
+ type user_t;
+
+ class process { execmem };
+}
+
+<span class="code-comment"># Grant mozilla the execmem privilege</span>
+allow mozilla_t self:process { execmem };
+
+<span class="code-comment"># Allow SSH client to connect to any port (as provided by the user through the
+# "ssh -p <portnum> ..." command)</span>
+corenet_tcp_connect_all_ports(ssh_t)
+
+<span class="code-comment"># Allow the user_t domain to send messages to the system logger</span>
+logging_send_syslog_msg(user_t)
+</pre></td></tr>
+</table>
+<p>
+If you need to provide raw allow statements (like the one above for the
+<span class="code" dir="ltr">mozilla_t</span> domain), make sure that the type (<span class="code" dir="ltr">mozilla_t</span>),
+class (<span class="code" dir="ltr">process</span>) and privilege (<span class="code" dir="ltr">execmem</span>) are mentioned in
+the <span class="code" dir="ltr">require { ... }</span> paragraph.
+</p>
+<p>
+When using interface names, make sure that the type (<span class="code" dir="ltr">ssh_t</span> and
+<span class="code" dir="ltr">user_t</span>) is mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph.
+</p>
+<p>
+To find the proper interface name (like <span class="code" dir="ltr">corenet_tcp_connect_all_ports</span>
+above), you can either look for it in the <a href="http://oss.tresys.com/docs/refpolicy/api/">SELinux Reference Policy
+API</a> online or, if <span class="code" dir="ltr">sec-policy/selinux-base-policy</span> is built with the
+<span class="emphasis">doc</span> USE flag, in <span class="path" dir="ltr">/usr/share/doc/selinux-base-policy-.*/html</span>.
+Of course, you can also ask for help in <span class="code" dir="ltr">#gentoo-hardened</span> on
+irc.freenode.net, the mailinglist, forums, etc. to find the proper rules and
+statements for your case.
</p>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
</span>SELinux Kernel Error Messages</p>
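Review bot: the comment line `# "ssh -p <portnum> ..." command)</span>` in Code Listing 3.3 contains unescaped angle brackets, so a browser parses `<portnum>` as a tag and the placeholder disappears from the rendered listing; escape it as `&lt;portnum&gt;` in the XML source. Second, the section ends with the finished fixlocal.te but never says how to build and load it, so a reader who follows it to the end has a file and no loaded module; add the compile and `semodule` install step, and note that the module has to be rebuilt when the base policy is updated. Third, an example that teaches users to add privileges should say what each grant opens up: `allow mozilla_t self:process { execmem };` lifts a memory-protection restriction for the whole mozilla_t domain, and `corenet_tcp_connect_all_ports(ssh_t)` lets the SSH client reach any TCP port, not just the one passed with -p. Minor: `/usr/share/doc/selinux-base-policy-.*/html` mixes a regular expression into a path; write it with a version placeholder instead.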
@@ -565,7 +660,7 @@ version, or force set it to the higher version.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 3, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
* [gentoo-commits] proj/hardened-docs:master commit in: html/
@ 2012-07-10 19:45 Michael Palimaka
From: Michael Palimaka @ 2012-07-10 19:45 UTC
To: gentoo-commits
commit: 7cb0a52930fe11c06cd3cbea392d3ce5748916f0
Author: Michael Palimaka <kensington <AT> gentoo <DOT> org>
AuthorDate: Tue Jul 10 19:44:40 2012 +0000
Commit: Michael Palimaka <kensington <AT> gentoo <DOT> org>
CommitDate: Tue Jul 10 19:44:40 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=7cb0a529
Update previews.
---
html/apparmor.html | 222 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 222 insertions(+), 0 deletions(-)
diff --git a/html/apparmor.html b/html/apparmor.html
new file mode 100644
index 0000000..291adb9
--- /dev/null
+++ b/html/apparmor.html
@@ -0,0 +1,222 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo AppArmor Guide</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
+ This document is a work in progress and should not be considered official yet.
+ </p></td></tr></table>
+<br><h1>Gentoo AppArmor Guide</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Initial setup</option>
+<option value="#doc_chap3">3. Working with profiles</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p>
+AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths.
+</p>
+<p>
+For each file path you specify, AppArmor will permit it only the permissions you grant.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample profile</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# ------------------------------------------------------------------
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/sbin/klogd {
+ #include <abstractions/base>
+
+ capability sys_admin, # for backward compatibility with kernel <= 2.6.37
+ capability syslog,
+
+ network inet stream,
+
+ /boot/System.map* r,
+ @{PROC}/kmsg r,
+ @{PROC}/kallsyms r,
+ /dev/tty rw,
+
+ /sbin/klogd rmix,
+ /var/log/boot.msg rwl,
+ /{,var/}run/klogd.pid krwl,
+ /{,var/}run/klogd/klogd.pid krwl,
+ /{,var/}run/klogd/kmsg r,
+}
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Initial setup</p>
+<p class="secthead"><a name="doc_chap2_sect1">Kernel patching</a></p>
+<p>
+From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however,
+it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate
+profiles - deactivation, listing, init script etc. will not work.
+</p>
+<p>
+The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <span class="code" dir="ltr">hardened-sources</span>,
+the patches will not cleanly apply. For convenience, a rebased version of the patches is
+<a href="https://github.com/kensington/apparmor-grsec/tarball/master">available</a>.
+</p>
+<p class="secthead"><a name="doc_chap2_sect2">Install utilities</a></p>
+<p>
+The AppArmor userspace utilities currently live in the
+<a href="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</a>.
+You should install layman, and then add the <span class="code" dir="ltr">hardened-dev</span> overlay:
+
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install userspace utilities</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">layman -a hardened-dev</span>
+# <span class="code-input">emerge apparmor-utils</span>
+<span class="code-comment">You will probably also wish to install some profiles to get started:</span>
+# <span class="code-input">emerge apparmor-profiles</span>
+</pre></td></tr>
+</table>
+
+</p>
+<p class="secthead"><a name="doc_chap2_sect3">Further configuration</a></p>
+<p>
+You may wish to edit the configuation files located in <span class="code" dir="ltr">/etc/apparmor</span>, however
+the default values will suit most users.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Working with profiles</p>
+<p>
+Profiles are stored as simple text files in <span class="code" dir="ltr">/etc/apparmor.d</span>. They may take any name, and may be stored
+in subdirectories - you may organise them however it suits you.
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Sample profile directory listing</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+/etc/apparmor.d $ <span class="code-input">ls</span>
+abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd
+apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd
+bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd
+disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd
+local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute
+</pre></td></tr>
+</table>
+<p>
+Profiles are referred to by name, including any parent subdirectories if present.
+</p>
+<p class="secthead"><a name="doc_chap3_sect2">Manual control</a></p>
+<p>
+To activate a profile, simply set it to enforce mode.
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Manual profile activation</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">aa-enforce usr.sbin.dnsmasq</span>
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
+</pre></td></tr>
+</table>
+</p>
+<p>
+Similarly, to deactive a profile, simply set it to complain mode.
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Manual profile deactivation</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">aa-complain usr.sbin.dnsmasq</span>
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
+</pre></td></tr>
+</table>
+</p>
+<p>
+The current status of your profiles may be viewed using <span class="code" dir="ltr">aa-status</span>.
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Profile status listing</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">aa-status</span>
+apparmor module is loaded.
+6 profiles are loaded.
+5 profiles are in enforce mode.
+ /bin/ping
+ /sbin/klogd
+ /sbin/syslog-ng
+ /usr/sbin/dnsmasq
+ /usr/sbin/identd
+1 profiles are in complain mode.
+ /usr/sbin/lspci
+1 processes have profiles defined.
+1 processes are in enforce mode.
+ /usr/sbin/dnsmasq (12905)
+0 processes are in complain mode.
+0 processes are unconfined but have a profile defined.
+</pre></td></tr>
+</table>
+</p>
+<p class="secthead"><a name="doc_chap3_sect3">Automatic control</a></p>
+<p>
+The provided init script will automatically load all profiles located in your profile directory.
+Unless specifically specified otherwise, each profile will be loaded in enforce mode.
+</p>
+<br><p class="copyright">
+ The contents of this document, unless otherwise expressly stated, are
+ licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0">CC-BY-SA-3.0</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/3.0/">
+
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="apparmor.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated July 10, 2012</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This guide provides a brief overview of AppArmor, and gives information
+on how to install and configure it on Gentoo.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:kensington@gentoo.org" class="altlink"><b>Michael Palimaka</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
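Review bot: The "Manual profile deactivation" paragraph (the aa-complain usr.sbin.dnsmasq listing) presents complain mode as deactivating a profile, but a complain-mode profile stays loaded and only logs violations instead of blocking them; the aa-status output in this same hunk shows /usr/sbin/lspci still counted among the loaded profiles while "in complain mode". Reword to say complain mode switches the profile to non-enforcing, log-only operation rather than deactivating it, so readers do not assume confinement has been removed. Smaller points in the same hunk: "deactive" should read "deactivate"; all three listings reuse <a name="doc_chap1_pre1"></a> and the title "Code Listing1.1" although this is chapter 3, so the in-page anchors collide and the numbering is wrong (likely the listing elements in the XML source need distinct ids); a <table> placed directly inside <p> is not valid HTML; and "Unless specifically specified otherwise" in the init-script paragraph should state how a profile is marked to load in complain mode, or drop the clause.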