From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1R0I8y-0001FG-Vt for garchives@archives.gentoo.org; Sun, 04 Sep 2011 19:14:13 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 2846421C043; Sun, 4 Sep 2011 19:14:04 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id DF2B621C043 for ; Sun, 4 Sep 2011 19:14:03 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id D058D1B403B for ; Sun, 4 Sep 2011 19:14:00 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id AE0E980042 for ; Sun, 4 Sep 2011 19:13:59 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <11b1fe0702047eb939047f1f441b45c2e474485f.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux-faq.xml X-VCS-Directories: xml/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 11b1fe0702047eb939047f1f441b45c2e474485f Date: Sun, 4 Sep 2011 19:13:59 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: 64409b8ed0b98801fb3b0cce21a99826 commit: 11b1fe0702047eb939047f1f441b45c2e474485f Author: Sven Vermeulen siphos be> AuthorDate: Sun Sep 4 19:12:29 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sun Sep 4 19:12:29 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D11b1fe07 Update FAQ, add entry regarding local policy (id=3Dlocalpolicy) --- xml/selinux-faq.xml | 121 +++++++++++++++++++++++++++++++++++++++++++++= +++--- 1 files changed, 114 insertions(+), 7 deletions(-) diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml index 1427d89..9a3fc95 100644 --- a/xml/selinux-faq.xml +++ b/xml/selinux-faq.xml @@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mail= inglist, forums or elsewhere =20 -13 -2011-09-03 +14 +2011-09-04 =20 Questions @@ -148,11 +148,11 @@ like we will eventually support these file systems = on SELinux fully as well. Can I use SELinux with AMD64 no-multilib? =20 + +

-Yes. However, for the time being, it is only supported through developer -profiles, meaning that the profiles should not be seen as very stable (t= heir -content can still change swiftly). Try out -hardened/linux/amd64/no-multilib/selinux and tell us what you get= . +Yes, just use the hardened/linux/amd64/no-multilib/selinux = profile +and you're all set.

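Review bot: the rewritten answer drops the developer-profile caveat from the removed lines ("it is only supported through developer profiles", "content can still change swiftly") without telling the reader why it no longer applies. If hardened/linux/amd64/no-multilib/selinux has been promoted out of the developer profiles, say so in one sentence (e.g. "This profile is no longer a developer profile, so the earlier stability caveat no longer applies") so that a reader who remembers the old answer knows the restriction was lifted rather than silently omitted; if it has not been promoted, the caveat should stay.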
=20 @@ -303,7 +303,114 @@ The most specific means, in order of tests:

However, when you add your own file contexts (using semanage), th= is does not apply. Instead, tools like restorecon will take the last hit -within the locally added file contexts! +within the locally added file contexts! You can check the content of the +locally added rules in /etc/selinux/strict/contexts/files/file_con= texts.local +(substitute strict with your SELinux type). +

+ + + +
+How do I make small changes (additions) to the policy? + + +

+If you are interested in the Gentoo Hardened SELinux development itself,= please +have a look at the SELinux +Development Guide and other documentation linked from the SELinux project page. +

+ +

+However, you will eventually need to keep some changes on your policy, d= ue to +how you have configured your system or when you need to allow something = that is +not going to be accepted as a distribution-wide policy change. In that c= ase, +read on. +

+ +

+Updates on the policy are only possible as long as you need to allow<= /e> +additional privileges. It is not possible to remove rules from the polic= y, only +enhance it. To maintain your own set of additional rules, create a file = in which +you will keep your changes. In the next example, I will use the term +fixlocal, substitute with whatever name you like - but keep= it +consistent. In the file (fixlocal.te) put in the following = text +(again, substitute fixlocal with your chosen name): +

+ +
+policy_module(fixlocal, 1.0)
+
+require {
+# Declarations of types, classes and permissions used
+
+}
+
+# Declaration of policy rules
+
+ +

+In this file, you can add rules as you like. In the next example, we add= three +rules: +

+ +
    +
  1. + Allow mozilla_t the execmem privilege (based on a deni= al that + occurs when mozilla fails to start) +
  2. +
  3. + Allow ssh_t to connect to any port rather than just the SSH p= ort +
  4. +
  5. + Allows the user_t domain to send messages directly to the sys= tem + logger +
  6. +
+ +
+policy_module(fixlocal, 1.0)
+
+require {
+  type mozilla_t;
+  type ssh_t;
+  type user_t;
+
+  class process { execmem };
+}
+
+# Grant mozilla the execmem privilege
+allow mozilla_t self:process { execmem };
+
+# Allow SSH client to connect to any port (as provided by the u=
ser through the=20
+# "ssh -p <portnum> ..." command)
+corenet_tcp_connect_all_ports(ssh_t)
+
+# Allow the user_t domain to send messages to the system logger=

+logging_send_syslog_msg(user_t)
+
+ +

+If you need to provide raw allow statements (like the one above for the +mozilla_t domain), make sure that the type (mozilla_t),=20 +class (process) and privilege (execmem) are mentioned in +the require { ... } paragraph. +

+ +

+When using interface names, make sure that the type (ssh_t and +user_t) is mentioned in the require { ... } paragraph. +

+ +

+To find the proper interface name (like corenet_tcp_connect_all_ports= +above), you can either look for it in the SELinux Reference Pol= icy +API online or, if sec-policy/selinux-base-policy is built w= ith the +doc USE flag, in /usr/share/doc/selinux-base-policy-.*/html= . +Of course, you can also ask for help in #gentoo-hardened on +irc.freenode.net, the mailinglist, forums, etc. to find the proper rules= and +statements for your case.

=20
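Review bot: the new entry walks the reader through writing fixlocal.te but never says how to compile and load it, so the procedure stops one step short of a working policy module. After the second listing, add the build and load step using the development Makefile shipped with sec-policy/selinux-base-policy, e.g. `make -f /usr/share/selinux/strict/include/Makefile fixlocal.pp` followed by `semodule -i fixlocal.pp` (substituting strict with the SELinux type, as the entry already does for file_contexts.local), and note that the same two commands are rerun after every change to the .te file. Two further points on the example rules: `allow mozilla_t self:process { execmem };` is justified only by "a denial that occurs when mozilla fails to start", yet execmem is the permission that permits writable-and-executable memory mappings and so weakens the W^X protection a hardened system relies on; the text should tell the reader to first check whether an existing boolean covers the case (getsebool -a) and to treat a raw allow rule as a last resort. Likewise corenet_tcp_connect_all_ports(ssh_t) opens every TCP port to the ssh client, not just the one given with "ssh -p", which is worth stating explicitly so the reader understands the scope of what they are granting. Finally, "Updates on the policy are only possible as long as you need to allow additional privileges" reads awkwardly; "A local module can only add rules to the policy, it cannot remove existing ones" says the same thing more directly.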