[gentoo-commits] proj/hardened-docs:master commit in: xml/

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     4f67a1ee562cff31fd8f66d0d16ae06e38073268
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Tue Feb 15 04:38:38 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Tue Feb 15 04:38:38 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4f67a1ee

Adding some suggestions from gizmo and me to the SELinux subproject

---
 xml/roadmap.xml |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index e9cc26a..6304c12 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -75,7 +75,6 @@ needed. There may be ways to strengthen the current implementation or areas of
 code that can be cleaned up to allow changes to be pushed upstream easier.
 </p>
 
-<!-- TODO: has the eclass been updated -->
 <p>
 As a side effect of the previous hardened toolchain, many ebuilds currently
 filter hardened CFLAGS such as -fPIE and -fstack-protector. Work will also be
@@ -113,6 +112,12 @@ Finally we are working on keeping the hardened kernel sources up to date.
 
 <p><b>SELinux</b></p>
 
+<p>
+Currently the project supports x86 and AMD64 so support for other architectures
+has to be handled by upstream except when the issues can also be reproduced in
+any of those architectures. Aside work is being done in the following areas:
+</p>
+
 <ul>
 <li>
 Strengthen and extend current policies.
@@ -126,6 +131,9 @@ Policy module support.
 <li>
 Additional Daemon Policies.
 </li>
+<li>
+Updated documentation.
+</li>
 </ul>
 
 <p><b>RSBAC</b></p>
@@ -364,6 +372,10 @@ run.
     <ti>Additional Daemon Policies</ti><ti>pebenito</ti>
     <ti>In Progress</ti>
   </tr>
+  <tr>
+    <ti>Updated documentation</ti><ti>SwifT</ti>
+    <ti>In Progress</ti>
+  </tr>
 </table>
 </body>
 </section>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     d97880a3d3734c480a610e44598f8031a41c2419
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Fri Feb 18 07:04:17 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Fri Feb 18 07:04:17 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=d97880a3

Adding steps to make sure the hardened compiler is enabled (bug #355383)

---
 xml/hardenedfaq.xml |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/xml/hardenedfaq.xml b/xml/hardenedfaq.xml
index 1703bc3..f17ca22 100644
--- a/xml/hardenedfaq.xml
+++ b/xml/hardenedfaq.xml
@@ -300,6 +300,16 @@ toolchain so that you have a consistent base:
 
 <pre caption="Switch to hardened toolchain">
 # <i>emerge --oneshot binutils gcc virtual/libc</i>
+<comment>Make sure the hardened toolchain is being used (gcc version may vary):</comment>
+# gcc-config -l 
+ [1] x86_64-pc-linux-gnu-4.4.4 *
+ [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
+ [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
+ [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp
+ [5] x86_64-pc-linux-gnu-4.4.4-vanilla
+<comment>If the hardened version isn't chosen select it</comment>
+# gcc-config x86_64-pc-linux-gnu-4.4.4
+<comment>Keep emerging the system</comment>
 # <i>emerge -e --keep-going system</i>
 # <i>emerge -e --keep-going world</i>
 </pre>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     a287591eee5c644eb57fdb995e270f99d2d05eb3
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Fri Feb 18 16:10:58 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Fri Feb 18 16:10:58 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a287591e

Adding references to source /etc/profiles

---
 xml/hardenedfaq.xml |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/xml/hardenedfaq.xml b/xml/hardenedfaq.xml
index a424dfb..5f4eb64 100644
--- a/xml/hardenedfaq.xml
+++ b/xml/hardenedfaq.xml
@@ -309,6 +309,7 @@ toolchain so that you have a consistent base:
  [5] x86_64-pc-linux-gnu-4.4.4-vanilla
 <comment>If the hardened version isn't chosen select it</comment>
 # <i>gcc-config x86_64-pc-linux-gnu-4.4.4</i>
+# <i>source /etc/profile</i>
 <comment>Keep emerging the system</comment>
 # <i>emerge -e --keep-going system</i>
 # <i>emerge -e --keep-going world</i>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     653b2fd1f81e79f621e5545c8b6ba9ca922b0488
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Fri Feb 18 23:16:23 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Fri Feb 18 23:16:23 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=653b2fd1

Adding the source /etc/profile

---
 xml/hardenedfaq.xml |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/xml/hardenedfaq.xml b/xml/hardenedfaq.xml
index 5f4eb64..29f8b92 100644
--- a/xml/hardenedfaq.xml
+++ b/xml/hardenedfaq.xml
@@ -158,6 +158,8 @@ You can use <c>gcc-config</c> to accomplish this:
 # <i>gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopiessp</i>
 <comment>To turn off all hardened building switch to the vanilla profile:</comment>
 # <i>gcc-config x86_64-pc-linux-gnu-4.4.4-vanilla</i>
+<comment>You need to run this on the active sessions to set the changes</comment>
+# <i>source /etc/profile</i>
 </pre>
 
 <note>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     a300d09d4cab41a5dab15fac6ba02c235994dc5e
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 00:13:42 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 00:13:42 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a300d09d

Small typo noticed by nimiux, thanks :D

---
 xml/hardenedfaq.xml |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xml/hardenedfaq.xml b/xml/hardenedfaq.xml
index 29f8b92..9955c76 100644
--- a/xml/hardenedfaq.xml
+++ b/xml/hardenedfaq.xml
@@ -658,7 +658,7 @@ information on how TPE works in the different settings</uri>.
 </section>
 
 <section id="grsecnew">
-<title>Can I use Grsecurity with a recent kernel not on the portage tree
+<title>Can I use Grsecurity with a recent kernel not on the Gentoo main tree?
 </title>
 <body>
 

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     a9c359d30ec4744134cba46e0935478d742c2cb7
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 03:22:56 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 03:22:56 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a9c359d3

Updating previews (and pushing dates and versions)

---
 xml/hardenedfaq.xml |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xml/hardenedfaq.xml b/xml/hardenedfaq.xml
index 9955c76..094a235 100644
--- a/xml/hardenedfaq.xml
+++ b/xml/hardenedfaq.xml
@@ -31,8 +31,8 @@ Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
 the gentoo-hardened mailing list.
 </abstract>
 
-<version>3.2</version>
-<date>2011-1-19</date>
+<version>3.3</version>
+<date>2011-2-19</date>
 
 <faqindex>
 <title>Questions</title>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     f71b46fc9730d261788066ec16d9e93f11f52501
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 03:29:12 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 03:29:12 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=f71b46fc

Adding contributors

---
 xml/index.xml |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/xml/index.xml b/xml/index.xml
index 5f0346f..e4e5b61 100644
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -127,6 +127,29 @@ GNU Stack Quickstart
 
 <herd name="hardened" />
 
+<extrachapter position="devs">
+<title>Contributors</title>
+<section>
+<body>
+
+<p>
+The following people although non-developer is actively contributing with the
+project:
+</p>
+<table>
+<tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr>
+<tr><ti>Francisco Blas Izquierdo Riera</ti><ti>klondike</ti>
+<ti>Documentation writing, support</ti></tr>
+<tr><ti>Chris Richards</ti><ti>gizmo</ti>
+<ti>Policy development, support (SELinux)</ti></tr>
+<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti>
+<ti>Documentation writing, support (SELinux)</ti></tr>
+</table>
+
+</body>
+</section>
+</extrachapter>
+
 <extrachapter position="bottom">
 <title>I Want to Participate</title>
 <section>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     4fc5e1f497ac1d2209f186685ebfba7f2a9da950
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Feb 21 21:54:39 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb 21 21:54:39 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4fc5e1f4

Add naming convention

---
 xml/selinux-policy.xml |   19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-policy.xml b/xml/selinux-policy.xml
index d97121b..b2532ef 100644
--- a/xml/selinux-policy.xml
+++ b/xml/selinux-policy.xml
@@ -19,8 +19,8 @@ Gentoo Hardened in order to consistenly develop its security policy rules.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>1</version>
-<date>2011-01-21</date>
+<version>2</version>
+<date>2011-02-21</date>
 
 <chapter>
 <title>Principles</title>
@@ -230,4 +230,19 @@ managed and maintained by the reference policy.
 </body>
 </section>
 </chapter>
+<chapter>
+<title>SELinux Packages</title>
+<section>
+<title>Name SELinux Policy Packages After Their Module</title>
+<body>
+
+<p>
+SELinux policy packages should be called after the module they implement (and
+not the Gentoo package for which the policy would be implemented). The name
+should use the <path>sec-policy/selinux-&lt;modname&gt;</path> syntax.
+</p>
+
+</body>
+</section>
+</chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     e580d17b44b008730b38cbc3f01d901301eebc9a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Feb 24 21:24:08 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Feb 24 21:24:08 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e580d17b

fix english grammar

---
 xml/index.xml |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xml/index.xml b/xml/index.xml
index 8f376f1..12bcc31 100644
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -133,7 +133,7 @@ GNU Stack Quickstart
 <body>
 
 <p>
-The following people although non-developer is actively contributing with the
+The following people although non-developer are actively contributing to the
 project:
 </p>
 <table>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     d9dddc6fc658e24501db0021153c639a45377ae4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Feb 24 21:25:11 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Feb 24 21:25:11 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=d9dddc6f

Fix e-mail address

---
 xml/grsecurity.xml |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xml/grsecurity.xml b/xml/grsecurity.xml
index 5cc8abc..4517f10 100644
--- a/xml/grsecurity.xml
+++ b/xml/grsecurity.xml
@@ -8,7 +8,7 @@
   <mail link="solar@gentoo.org">solar</mail>
 </author>
 <author title="Author">
-  <mail link="swift@gentoo.org">Sven Vermeulen</mail>
+  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
 </author>
 
 <abstract>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     3f79440f821f821a4bfadb27bfb200cd999ad278
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 26 09:32:59 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 26 09:32:59 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3f79440f

Add reason why selinux-modname is chosen as naming convention

---
 xml/selinux-policy.xml |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-policy.xml b/xml/selinux-policy.xml
index b2532ef..c9d5218 100644
--- a/xml/selinux-policy.xml
+++ b/xml/selinux-policy.xml
@@ -19,8 +19,8 @@ Gentoo Hardened in order to consistenly develop its security policy rules.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>2</version>
-<date>2011-02-21</date>
+<version>3</version>
+<date>2011-02-26</date>
 
 <chapter>
 <title>Principles</title>
@@ -242,6 +242,13 @@ not the Gentoo package for which the policy would be implemented). The name
 should use the <path>sec-policy/selinux-&lt;modname&gt;</path> syntax.
 </p>
 
+<p>
+By using the upstream module name, we ensure that no collisions occur
+(neither package name collisions as well as file collisions during 
+installations) and follow upstream strictly. It also keeps the naming
+of the packages clean.
+</p>
+
 </body>
 </section>
 </chapter>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     52f1c7c20b38cc869c542c655c19c03b60ec0b91
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar  9 18:13:09 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar  9 18:13:09 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=52f1c7c2

Adding SELinux FAQ

---
 xml/selinux-faq.xml |  297 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 297 insertions(+), 0 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
new file mode 100644
index 0000000..a23bbd6
--- /dev/null
+++ b/xml/selinux-faq.xml
@@ -0,0 +1,297 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header$ -->
+
+<guide link="/proj/en/hardened/selinux-faq.xml" lang="en">
+<title>Gentoo Hardened SELinux Frequently Asked Questions</title>
+<author title="Author">
+  <mail link="pebenito@gentoo.org">Chris PeBenito</mail>
+</author>
+<author title="Author">
+  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
+</author>
+
+<abstract>
+Frequently Asked Questions on SELinux integration with Gentoo Hardened.
+The FAQ is a collection of solutions found on IRC, mailinglist, forums or 
+elsewhere
+</abstract>
+
+<version>1</version>
+<date>2011-03-19</date>
+
+<faqindex>
+<title>Questions</title>
+<section>
+<title>Introduction</title>
+<body>
+
+<p>
+Using SELinux requires administrators a more thorough knowledge of their
+system and a good idea on how processes should behave. Next to the <uri 
+link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo Hardened SELinux
+handbook</uri>, a proper FAQ allows us to inform and help users in their 
+day-to-day SELinux experience.
+</p>
+
+<p>
+The FAQ is an aggregation of solutions found on IRC, mailinglists, forums
+and elsewhere. It focuses on SELinux integration on Gentoo Hardened, but 
+general SELinux questions that are popping up regularly will be incorporated
+as well.
+</p>
+
+</body>
+</section>
+</faqindex>
+
+<chapter>
+<title>General SELinux Support Questions</title>
+<section id="features">
+<title>Does SELinux enforce resource limits?</title>
+<body>
+
+<p>
+No, resource limits are outside the scope of an access control system. If you 
+are looking for this type of support, take a look at technologies like
+grsecurity, cgroups, pam and the like.
+</p>
+
+</body>
+</section>
+<section id="grsecurity">
+<title>Can I use SELinux with grsecurity (and PaX)?</title>
+<body>
+
+<p>
+Definitely, we even recommend it. However, it is suggested that grsecurity's
+ACL support is not used as it would be redundant to SELinux's access control.
+</p>
+
+</body>
+</section>
+<section id="pie-ssp">
+<title>Can I use SELinux and the hardened compiler (with PIE-SSP)?</title>
+<body>
+
+<p>
+Definitely. We also suggest to use PaX to take full advantage of the PIE
+features of the compiler.
+</p>
+
+</body>
+</section>
+<section id="rsbac">
+<title>Can I use SELinux and RSBAC?</title>
+<body>
+
+<p>
+We don't know. If you try this combination, we would be very interested
+in its results.
+</p>
+
+</body>
+</section>
+<section id="filesystem">
+<title>Can I use SELinux with any file system?</title>
+<body>
+
+<p>
+SELinux requires access to a file's security context to operate properly.
+To do so, SELinux uses <e>extended file attributes</e> which needs to be 
+properly supported by the underlying file system. If the file system supports
+extended file attributes and you have configured your kernel to enable this
+support, then SELinux will work on those file systems.
+</p>
+
+<p>
+General Linux file systems, such as ext2, ext3, ext4, jfs, xfs and btrfs
+support extended attributes (but don't forget to enable it in the kernel
+configuration) as well as tmpfs (for instance used by udev). If your file
+system collection is limited to this set, then you should have no issues.
+</p>
+
+<p>
+Ancillary file systems such as vfat and iso9660 are supported too, but with
+an important caveat: all files in each file system will have the same SELinux
+security context information since these file systems do not support extended
+file attributes. 
+</p>
+
+<p>
+Network file systems can be supported in the same manner as ancillary file
+systems (all files share the same security context). However, some development
+has been made in supported extended file attributes on the more popular file
+systems such as NFS. Although this is far from production-ready, it does look
+like we will eventually support these file systems on SELinux fully as well.
+</p>
+
+</body>
+</section>
+<section id="nomultilib">
+<title>Can I use SELinux with AMD64 no-multilib?</title>
+<body>
+
+<p>
+No. The SELinux profiles inherit from the base amd64 profiles, requiring
+multilib support. Early tests trying to enable SELinux on a no-multilib
+profile show that it will not be supported without additional development
+effort being required.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Using SELinux</title>
+<section id="enable_selinux">
+<title>How do I enable SELinux?</title>
+<body>
+
+<p>
+This is explained in the <uri 
+link="/proj/en/hardened/selinux/selinux-handbook.xml">SELinux Handbook</uri>
+in the chapter on <e>Using Gentoo/Hardened SELinux</e>.
+</p>
+
+</body>
+</section>
+<section id="switch_status">
+<title>How do I switch between permissive and enforcing?</title>
+<body>
+
+<p>
+The easiest way is to use the <c>setenforce</c> command. With <c>setenforce 
+0</c> you tell SELinux to run in permissive mode. Similarly, with 
+<c>setenforce 1</c> you tell SELinux to run in enforcing mode.
+</p>
+
+<p>
+You can also add a kernel option <c>enforcing=0</c> or <c>enforcing=1</c>
+in the bootloader configuration (or during the startup routine of the system). 
+This allows you to run SELinux in permissive or enforcing mode from the start 
+of the system.
+</p>
+
+<p>
+The default state of the system is kept in <path>/etc/selinux/config</path>.
+</p>
+
+</body>
+</section>
+<section id="disable_selinux">
+<title>How do I disable SELinux completely?</title>
+<body>
+
+<p>
+It might be possible that running SELinux in permissive mode is not sufficient
+to properly fix any issue you have. To disable SELinux completely, you need to
+edit <path>/etc/selinux/config</path> and set <c>SELINUX=disabled</c>. Next,
+reboot your system.
+</p>
+
+<impo>
+When you have been running your system with SELinux disabled, you must boot 
+in permissive mode first and relabel your entire file system. Activities ran
+while SELinux was disabled might have created new files or removed the labels
+from existing files, causing these files to be available with no security
+context.
+</impo>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>SELinux Kernel Error Messages</title>
+<section id="register_security">
+<title>I get a register_security error message when booting</title>
+<body>
+
+<p>
+During boot-up, the following message pops up:
+</p>
+
+<pre caption="Kernel message on register_security">
+There is already a security framework initialized, register_security failed.
+Failure registering capabilities with the kernel
+selinux_register_security: Registering secondary module capability
+Capability LSM initialized
+</pre>
+
+<p>
+This is nothing to worry about (and perfectly normal).
+</p>
+
+<p>
+This means that the Capability LSM module couldn't register as the primary 
+module, since SELinux is the primary module. The third message means that it
+registers with SELinux as a secondary module.
+</p>
+
+</body>
+</section>
+</chapter>
+<chapter>
+<title>SELinux and Gentoo</title>
+<section id="no_module">
+<title>I get a missing SELinux module error when using emerge</title>
+<body>
+
+<p>
+When trying to use <c>emerge</c>, the following error message is displayed:
+</p>
+
+<pre caption="Error message from emerge on the SELinux module">
+!!! SELinux module not found. Please verify that it was installed.
+</pre>
+
+<p>
+This indicates that the portage SELinux module is missing or damaged. Recent 
+Portage versions provide this module out-of-the-box, but the security contexts
+of the necessary files might be wrong on your system. Try relabelling the files
+of the portage package:
+</p>
+
+<pre caption="Relabel all portage files">
+~# <i>rlpkg portage</i>
+</pre>
+
+</body>
+</section>
+<section id="loadpolicy">
+<title>I get 'FEATURES variable contains unknown value(s): loadpolicy'</title>
+<body>
+
+<p>
+When running emerge, the following error is shown:
+</p>
+
+<pre caption="Emerge error on loadpolicy">
+FEATURES variable contains unknown value(s): loadpolicy
+</pre>
+
+<p>
+This is a remnant of the older SELinux policy module set where policy packages
+might require this FEATURE to be available. Although the more recent packages
+do not support this FEATURE value anymore, these are still in the ~arch phase 
+so the current SELinux profile still offers this value. Portage however already
+knows that this FEATURE is not supported anymore and complains.
+</p>
+
+<p>
+We recommend you to use the ~arch versions of all packages in the sec-policy
+category, and set <c>FEATURES="-loadpolicy"</c> to disable this (cosmetic)
+error.
+</p>
+
+<p>
+Once the newer policy modules are stabilized, the SELinux profile will be updated
+to remove this setting.
+</p>
+
+</body>
+</section>
+</chapter>
+</guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     ea68c33e025b2648aa661e8eea77c6d37182aef8
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Mar 26 23:48:47 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Mar 26 23:48:47 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ea68c33e

Fixing some xmllint complaints

---
 xml/grsec-tpe.xml |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/xml/grsec-tpe.xml b/xml/grsec-tpe.xml
index 670f38a..7492945 100644
--- a/xml/grsec-tpe.xml
+++ b/xml/grsec-tpe.xml
@@ -26,6 +26,7 @@ suite.
 
 <chapter>
 <title>Introduction</title>
+<section>
 <body>
 
 <p>
@@ -56,6 +57,7 @@ status.
 </note>
 
 </body>
+</section>
 </chapter>
 <chapter>
 <title>The different setups</title>
@@ -176,6 +178,7 @@ world writable (and nothing more).
 </chapter>
 <chapter>
 <title>Testing the different restrictions</title>
+<section>
 <body>
 
 <p>
@@ -184,6 +187,7 @@ possible setups.
 </p>
 
 </body>
+</section>
 <section>
 <title>The test suite</title>
 <body>
@@ -2455,6 +2459,7 @@ means the permission to execute the file was denied.
 </chapter>
 <chapter>
 <title>Conclusion</title>
+<section>
 <body>
 
 <p>
@@ -2693,5 +2698,6 @@ still be modified by that user.
 </p>
 
 </body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     4ee1dafcbf592cca258e5cd259b5fdbbbfccc8d6
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sun Mar 27 00:55:25 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sun Mar 27 00:55:25 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4ee1dafc

Fixing link to TPE doc

---
 xml/hardenedfaq.xml |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/xml/hardenedfaq.xml b/xml/hardenedfaq.xml
index 094a235..9bb7318 100644
--- a/xml/hardenedfaq.xml
+++ b/xml/hardenedfaq.xml
@@ -650,7 +650,8 @@ quickstart guide</uri>.
 <body>
 
 <p>
-We have written a <uri link="proj/en/hardened/grsec-tpe.xml">document with some
+We have written a <uri
+link="http://www.gentoo.org/proj/en/hardened/grsec-tpe.xml">document with some
 information on how TPE works in the different settings</uri>.
 </p>
 

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     2844624b4931450af8171d616078262f3d9ce9ef
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sun Mar 27 00:58:45 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sun Mar 27 00:58:45 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2844624b

Fixing link to the demo

---
 xml/grsec-tpe.xml                                |    5 +++--
 xml/{grsec-tpedemo.tbz => grsec-tpedemo.tar.bz2} |  Bin 1317 -> 1317 bytes
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/xml/grsec-tpe.xml b/xml/grsec-tpe.xml
index 7492945..b0b24fa 100644
--- a/xml/grsec-tpe.xml
+++ b/xml/grsec-tpe.xml
@@ -398,8 +398,9 @@ total 48
 
 <note>
 For commodity this files and a small testrunning script <c>trytpe</c> are
-provided in a <uri link="/proj/en/hardened/grsec-tpedemo.tbz">compressed tar.bz2
-archive</uri>. Remember to keep the permissions when extracting it.
+provided in a <uri
+link="http://www.gentoo.org/proj/en/hardened/grsec-tpedemo.tar.bz2">compressed
+tar.bz2 archive</uri>. Remember to keep the permissions when extracting it.
 </note>
 </body>
 </section>

diff --git a/xml/grsec-tpedemo.tbz b/xml/grsec-tpedemo.tar.bz2
similarity index 100%
rename from xml/grsec-tpedemo.tbz
rename to xml/grsec-tpedemo.tar.bz2

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     331a831832b4425c6f5c44da63c9425ae4f9cee1
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sun Mar 27 01:07:23 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sun Mar 27 01:09:51 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=331a8318

Fixing links v2

---
 xml/grsec-tpe.xml   |    6 +++---
 xml/hardenedfaq.xml |   18 +++++++-----------
 2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/xml/grsec-tpe.xml b/xml/grsec-tpe.xml
index b0b24fa..e784f65 100644
--- a/xml/grsec-tpe.xml
+++ b/xml/grsec-tpe.xml
@@ -21,8 +21,8 @@ suite.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>1.1</version>
-<date>2011-1-19</date>
+<version>1.2</version>
+<date>2011-3-27</date>
 
 <chapter>
 <title>Introduction</title>
@@ -399,7 +399,7 @@ total 48
 <note>
 For commodity this files and a small testrunning script <c>trytpe</c> are
 provided in a <uri
-link="http://www.gentoo.org/proj/en/hardened/grsec-tpedemo.tar.bz2">compressed
+link="/proj/en/hardened/grsec-tpedemo.tar.bz2">compressed
 tar.bz2 archive</uri>. Remember to keep the permissions when extracting it.
 </note>
 </body>

diff --git a/xml/hardenedfaq.xml b/xml/hardenedfaq.xml
index 9bb7318..fe64a6c 100644
--- a/xml/hardenedfaq.xml
+++ b/xml/hardenedfaq.xml
@@ -31,8 +31,8 @@ Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
 the gentoo-hardened mailing list.
 </abstract>
 
-<version>3.3</version>
-<date>2011-2-19</date>
+<version>3.4</version>
+<date>2011-3-27</date>
 
 <faqindex>
 <title>Questions</title>
@@ -429,8 +429,7 @@ That is <uri link="http://pax.grsecurity.net">the homepage for PaX</uri>.
 
 <p>
 Currently the only Gentoo documentation that exists about PaX is a <uri
-link="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml"> PaX quickstart
-guide</uri>.
+link="/proj/en/hardened/pax-quickstart.xml"> PaX quickstart guide</uri>.
 </p>
 
 </body>
@@ -638,8 +637,7 @@ That is the <uri link="http://www.grsecurity.net">homepage for Grsecurity</uri>.
 
 <p>
 The most current documentation for Grsecurity is a <uri
-link="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">Grsecurity2
-quickstart guide</uri>.
+link="/proj/en/hardened/grsecurity.xml">Grsecurity2 quickstart guide</uri>.
 </p>
 
 </body>
@@ -650,8 +648,7 @@ quickstart guide</uri>.
 <body>
 
 <p>
-We have written a <uri
-link="http://www.gentoo.org/proj/en/hardened/grsec-tpe.xml">document with some
+We have written a <uri link="/proj/en/hardened/grsec-tpe.xml">document with some
 information on how TPE works in the different settings</uri>.
 </p>
 
@@ -681,9 +678,8 @@ support kernel sources not coming from the portage tree.
 <body>
 
 <p>
-There is a <uri
-link="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&amp;chap=3">
-SELinux specific FAQ</uri>.
+There is a <uri link="/proj/en/hardened/selinux-faq.xml"> SELinux specific FAQ
+</uri>.
 </p>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Matthew Thode]

commit:     23dda4bdfebfe697e5dca3dcac505d705a5c71c9
Author:     Matthew Thode <mthode <AT> mthode <DOT> org>
AuthorDate: Tue Apr  5 18:26:50 2011 +0000
Commit:     Matthew Thode <mthode <AT> mthode <DOT> org>
CommitDate: Tue Apr  5 18:26:50 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=23dda4bd

added a table to the hardened-virt guide for kernel options on guests

---
 xml/hardened-virtualization.xml |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/xml/hardened-virtualization.xml b/xml/hardened-virtualization.xml
index 606c6fd..916b798 100644
--- a/xml/hardened-virtualization.xml
+++ b/xml/hardened-virtualization.xml
@@ -83,6 +83,29 @@ virtio, with all hardening features, including CONFIG_PAX_KERNEXEC and
 CONFIG_PAX_MEMORY_UDEREF, have been successfull.
 </p>
 
+<table>
+	<tr>
+		<th>guest kerel config breakout</th>
+	</tr>
+	<tr>
+		<th rowspan=2></th>
+		<th colspan=2>CPU</th>
+		<th>AMD</th>
+		<th>INTEL</th>
+	</tr>
+	<tr>
+		<th>CONFIG_PAX_KERNEXEC</th>
+		<ti>Y</ti>
+		<ti>Y</ti>
+	</tr>
+	<tr>
+		<th>CONFIG_PAX_MEMORY_UDEREF</th>
+		<ti>Y</ti>
+		<ti>N</ti>
+	</tr>   
+</table>
+
+
 <p>
 For the host, however, one must disable both CONFIG_PAX_KERNEXEC and
 CONFIG_PAX_MEMORY_UDEREF. Either of these will set an invisible kernel

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Matthew Thode]

commit:     b5a9baf81ec9ac08f7cbc12a6c2401d3945e6609
Author:     Matthew Thode <mthode <AT> mthode <DOT> org>
AuthorDate: Tue Apr  5 18:42:42 2011 +0000
Commit:     Matthew Thode <mthode <AT> mthode <DOT> org>
CommitDate: Tue Apr  5 18:42:42 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=b5a9baf8

added VMWare Workstation findings

---
 xml/hardened-virtualization.xml |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/xml/hardened-virtualization.xml b/xml/hardened-virtualization.xml
index 916b798..84e18b1 100644
--- a/xml/hardened-virtualization.xml
+++ b/xml/hardened-virtualization.xml
@@ -145,11 +145,13 @@ regards. It employs a hypervisor which boots a specialize host's kernel
 <body>
 
 <p>
-TODO
+VMWare Workstation needs to link precompiled binaries against system
+libraries in order to function.  Because Gentoo Hardened uses more secure
+functions of GCC, VMWare Workstation cannot link against it.  Because
+VMWare Workstation cannot link, it does not function.  In fact, using
+VMWare Workstation at all on Hardened Gentoo led to a hard system reset.
 </p>
 
-<!-- TODO Complete this part -->
-
 </body>
 </section>
 </chapter>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     90c19235df648470c7a0a5736c3bb9bfbaece271
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 10:49:18 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 10:49:18 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=90c19235

Add conflicting specification section in FAQ

---
 xml/selinux-faq.xml |   54 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index a23bbd6..d8fd52c 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>1</version>
-<date>2011-03-19</date>
+<version>2</version>
+<date>2011-04-22</date>
 
 <faqindex>
 <title>Questions</title>
@@ -293,5 +293,55 @@ to remove this setting.
 
 </body>
 </section>
+<section id="conflicting_types">
+<title>During rlpkg I get 'conflicting specifications for ... and ..., using ...'</title>
+<body>
+
+<p>
+When trying to relabel a package (<c>rlpkg packagename</c>) or system (<c>rlpkg
+-a -r</c>) you get a message similar to the following:
+</p>
+
+<pre caption="rlpkg complaining about conflicting specifications">
+filespec_add: conflicting specifications for /usr/bin/getconf and 
+/usr/lib64/misc/glibc/getconf/XBS5_LP64_OFF64, using
+system_u:object_r:lib_t
+</pre>
+
+<p>
+This is most likely caused by hard linked files. Remember, SELinux uses the
+extended attributes in the file system to store the security context of a file.
+If two separate paths point to the same file using hard links (i.e. the files
+share the same inode) then both files will have the same security context.
+</p>
+
+<p>
+The solution depends on the particular case; in order of most likely to happen
+and resolve:
+</p>
+
+<ol>
+  <li>
+    Although both files are the same, they are not used in the same context. 
+    In such cases, it is recommended to remove one of the files and then copy
+    the other file back to the first (<c>rm B; cp A B</c>). This way, both
+    files have different inodes and can be labelled accordingly.
+  </li>
+  <li>
+    Both files are used for the same purpose; in this case, it might be better
+    to label the file which would not be labelled correctly (say a binary
+    somewhere in a <path>/usr/lib64</path> location) using <c>semanage</c>
+    (<c>semanage fcontext -a -t correct_domain_t /usr/lib64/path/to/file</c>)
+  </li>
+</ol>
+
+<p>
+It is also not a bad idea to report (after verifying if it hasn't been reported
+first) this on <uri link="https://bugs.gentoo.org">Gentoo's bugzilla</uri> so 
+that the default policies are updated accordingly.
+</p>
+
+</body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     c8497cca968a1698bdb437d86ff5f2ad3a6a594b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 11:14:42 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 11:14:42 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c8497cca

English sentence correction

---
 xml/selinux-faq.xml |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index d8fd52c..964ff06 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -195,7 +195,7 @@ reboot your system.
 When you have been running your system with SELinux disabled, you must boot 
 in permissive mode first and relabel your entire file system. Activities ran
 while SELinux was disabled might have created new files or removed the labels
-from existing files, causing these files to be available with no security
+from existing files, causing these files to be available without security
 context.
 </impo>
 

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     82a261cbed077f1a3bfff9c027a61bd01db76a42
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 19:17:18 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 19:17:18 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=82a261cb

Add faq on libsandbox and portage

---
 xml/selinux-faq.xml |   45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 44 insertions(+), 1 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 964ff06..cda3a15 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,7 +17,7 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>2</version>
+<version>3</version>
 <date>2011-04-22</date>
 
 <faqindex>
@@ -343,5 +343,48 @@ that the default policies are updated accordingly.
 
 </body>
 </section>
+<section id="portage_libsandbox">
+<title>
+  During package installation, ld.so complains 'object 'libsandbox.so' from 
+  LD_PRELOAD cannot be preloaded: ignored'
+</title>
+<body>
+
+<p>
+During installation of a package, you might see the following error message:
+</p>
+
+<pre caption="Error message during package installation">
+&gt;&gt; Installing (1 of 1) net-dns/host-991529
+&gt;&gt;&gt; Setting SELinux security labels
+ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
+</pre>
+
+<p>
+This message should <e>only</e> occur after the <e>Setting SELinux security
+labels</e> message. It happens because SELinux tells glibc to disable 
+<c>LD_PRELOAD</c> (and other environment variables that are considered 
+potentially harmful) during domain transitions. Here, portage calls the
+<c>setfiles</c> command (part of a SELinux installation) and as such 
+transitions from portage_t to setfiles_t, which clears the environment
+variable.
+</p>
+
+<p>
+We believe that it is safer to trust the SELinux policy here (as setfiles runs
+in its own confined domain anyhow) rather than updating the policy to allow
+transitioning between portage_t to setfiles_t without clearing these 
+environment variables. Note that <e>libsandbox.so is not disabled during builds
+and merges</e>, only during the activity where Portage labels the files it 
+just merged.
+</p>
+
+<p>
+So the error is in our opinion cosmetic and can be ignored (but sadly not
+hidden).
+</p>
+
+</body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     b774ee435efa9acf1e4f0027c6ebb2a1b3358ef2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 22:34:59 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 22:34:59 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=b774ee43

Draft selinux development document (still busy)

---
 xml/selinux-development.xml |  790 +++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 790 insertions(+), 0 deletions(-)

diff --git a/xml/selinux-development.xml b/xml/selinux-development.xml
new file mode 100644
index 0000000..d2fccc3
--- /dev/null
+++ b/xml/selinux-development.xml
@@ -0,0 +1,790 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
+
+<guide link="/proj/en/hardened/selinux-development.xml" lang="en">
+<title>Gentoo Hardened SELinux Development</title>
+<author title="Author">
+  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
+</author>
+
+<abstract>
+When planning to help Gentoo Hardened in the development of SELinux policies,
+or when trying to debug existing policies, this document should help you get
+acquainted with the necessary resources, trips and tricks to get along.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
+<license/>
+
+<version>1</version>
+<date>2011-04-22</date>
+
+<chapter>
+<title>Introduction</title>
+<section>
+<title>About this document...</title>
+<body>
+
+<p>
+Dealing with Mandatory Access Control is never easy. SELinux might be available
+by default with Linux, enabling it can provide serious headaches - let alone
+developing policies for it. Within Gentoo Hardened, we strive to offer a default
+policy that is flexible enough to match the requirements of most of you (our 
+users) yet remain manageable by the limited number of developers that we have.
+To ensure that the policy we offer is up to date, we definitely need help from
+end users and other developers, because developing policies requires intimate 
+knowledge of the products they are written for. With over several thousand 
+packages, this is just not feasible for a handful of us. Hence, this Gentoo
+Hardened SELinux Development guide.
+</p>
+
+<p>
+Within this document, we will try to explain how to set up an environment ready
+to build policies yourself and provide patches to Gentoo Hardened. We also cover
+how to deal with malfunctioning domains and even how to create your own, new 
+domains from scratch (if we need to). Further down, we give an overview of the 
+guidelines that we try to follow during the policy developments and finally
+talk about how to properly create patches and submit them to our <uri 
+link="https://bugs.gentoo.org">bugzilla</uri> service.
+</p>
+
+<p>
+For those who want to run Gentoo Hardened with their own policies, we've also
+added a chapter on just that. We know that our policy does not match everyone's
+requirements, so we definitely want to help you run your own too.
+</p>
+
+</body>
+</section>
+<section>
+<title>Intended audience</title>
+<body>
+
+<p>
+This document is a must-read for everyone willing to provide patches or develop
+the Gentoo Hardened SELinux policies.
+</p>
+
+<p>
+Other SELinux advanced users might find this document interesting as well.
+</p>
+
+</body>
+</section>
+<section>
+<title>What you need to know</title>
+<body>
+
+<p>
+This document does assume prior knowledge on SELinux policies and the way the
+reference policy works. For those that need a quick recap, here are the
+highlights...
+</p>
+
+<ul>
+  <li>
+    SELinux uses <e>domains</e> and <e>types</e> to differentiate its various
+    security objects. A domain is usually referred to as the security context
+    of a process (or group of processes) whereas a type is usually referred to
+    as the label given to a particular resource (file, directory, network
+    interface, socket, network port, ...).
+  </li>
+  <li>
+    <e>SELinux policies</e> describe what interaction is allowed between a
+    domain and the other domains and types it needs to work with. If no policy
+    allows for a particular activity, then the activity is denied.
+  </li>
+  <li>
+    The structure in which policies are written are called <e>SELinux policy
+    modules</e> which contain three parts: a <e>type enforcement file</e> (with
+    suffix <path>.te</path>) that contains the intra-module permissions, an
+    <e>interface file</e> (with suffix <path>.if</path>) that contains the
+    inter-module permissions and a <e>file contexts file</e> (with suffix
+    <path>.fc</path>) that contains the file context definitions for all file
+    resources that are labeled with the type or types defined in the module
+  </li>
+  <li>
+    Inter-domain privileges must be declared through functions in the
+    <e>interface file</e> which can then be called by other modules. This
+    includes the necessary permissions to allow domain transitions
+  </li>
+</ul>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Setting Up Your Environment</title>
+<section>
+<title>Patching the reference policy</title>
+<body>
+
+<p>
+Gentoo Hardened builds its policy upon the <uri 
+link="http://oss.tresys.com/projects/refpolicy">reference policy</uri> as
+provided by <uri link="http://www.tresys.com">Tresys</uri> and managed through
+an active <uri
+link="http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute">community</uri>.
+I suggest to use two workspaces when dealing with SELinux policies for Gentoo
+Hardened: the <path>hardened</path> one for the Gentoo patched policy, and a 
+<path>local</path> one in which you work and make your patches in.
+</p>
+
+<p>
+Of course, using a source control system like git can be helpful too. For now,
+Gentoo Hardened doesn't have a git repository where its policies are based from
+(yet). That might sound a bit dull, but it forces the developers to remain as
+close to upstream as possible (and contribute the changes upstream too so that
+newer releases include them automatically). You can definitely use a source
+control system yourself - the only reason we do not use it in this document is
+that it is easier to document without ;-)
+</p>
+
+<p>
+Let's create the first workspace:
+</p>
+
+<pre caption="Creating the SELinux policy workspace">
+~$ <i>mkdir dev/hardened</i>
+~$ <i>cd dev/hardened</i>
+~$ <i>ebuild /usr/portage/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r12.ebuild compile</i>
+~$ <i>cp -r /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12/work/* .</i>
+~$ <i>rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12</i>
+</pre>
+
+<p>
+As result, you should have two or three directories in 
+<path>dev/hardened</path> called <path>refpolicy</path> and <path>strict</path>
+and/or <path>targeted</path>. The only one of interest is the
+<path>strict</path> and/or <path>targeted</path> one, depending on the policy
+type you are working with. In the remainder of the document, I'm assuming you
+work with <path>strict</path>.
+</p>
+
+<p>
+Now the <path>dev/hardened</path> workspace is patched with the Gentoo Hardened
+SELinux patches applicable to the base policy. Gentoo Hardened has two "flavors"
+of patches:
+</p>
+
+<ol>
+  <li>
+    <e>Base policy patches</e> contain the patches for the SELinux modules that
+    take part of the base policy as well as all interface patches for the
+    modules
+  </li>
+  <li>
+    <e>Module-specific patches</e> that contain the permissions affecting the
+    domains and types that are defined in a single module (for instance, all
+    interaction between <path>portage_t</path> and <path>portage_exec_t</path>
+    or even <path>portage_t</path> and <path>portage_fetch_t</path>)
+  </li>
+</ol>
+
+<p>
+The base policy patches are important to have available at all times. The
+module-specific ones can be added when you work with that particular module.
+</p>
+
+<p>
+Every time a new revision comes out, you'll need to clean the
+<path>dev/hardened</path> workspace and rebuild it.
+</p>
+
+</body>
+</section>
+<section>
+<title>Add specific module files</title>
+<body>
+
+<p>
+To update your policy workspace, use the same tactic as describes
+earlier, but now for the specific SELinux policy module package (like
+<path>selinux-postfix</path>).
+</p>
+
+<pre caption="Updating the dev/hardened workspace">
+~$ <i>ls dev/hardened/strict/policy/modules/*/postfix.te</i>
+dev/hardened/strict/policy/modules/services/postfix.te
+<comment>                                   ^^^^^^^^</comment>
+~$ <i>ebuild /usr/portage/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild compile</i>
+
+<comment># Next, we copy the postfix.te and postfix.fc files.
+# Do NOT copy the postfix.if file (as the one available there is a stub)</comment>
+~$ <i>cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.te \
+  dev/hardened/strict/policy/modules/services/</i>
+<comment>                                     ^^^^^^^^</comment>
+~$ <i>cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.fc \
+  dev/hardened/strict/policy/modules/services/</i>
+<comment>                                     ^^^^^^^^</comment>
+~$ <i>rm -rf /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12</i>
+</pre>
+
+<p>
+Finally, clean up the workspace (as it contains built policies and other
+material we do not want to see in our patches)
+</p>
+
+<pre caption="Cleaning up the workspace">
+~$ <i>cd dev/hardened/strict</i>
+~$ <i>make clean</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Setting up a local workspace</title>
+<body>
+
+<p>
+Setting up a local workspace is easy: just copy the <path>dev/hardened</path>
+one:
+</p>
+
+<pre caption="Setting up a local workspace">
+~$ <i>mkdir dev/local</i>
+~$ <i>cp -r dev/hardened/strict dev/local/</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Navigating the policy workspace</title>
+<body>
+
+<p>
+The main location you will work with is
+<path>dev/local/strict/policy/modules</path>. This location is subdivided in
+categories:
+</p>
+
+<dl>
+  <dt>admin</dt>
+  <dd>Administrative SELinux policy modules (portage, logrotate, sudo, ...)</dd>
+  <dt>apps</dt>
+  <dd>Application SELinux policy modules (evolution, mozilla, screen, ...)</dd>
+  <dt>kernel</dt>
+  <dd>Kernel specific SELinux policy domains (corenetwork, kernel, ...)</dd>
+  <dt>roles</dt>
+  <dd>Domains specific to SELinux roles (sysadm, user, staff, ...)</dd>
+  <dt>services</dt>
+  <dd>Daemon SELinux policy modules (postfix, apache, squid, ...)</dd>
+  <dt>system</dt>
+  <dd>Core SELinux policy modules (selinuxutil, mount, iptables, ...)</dd>
+</dl>
+
+<p>
+The categorization is arbitrary and serves no purpose other than keeping the
+modules a but separated. Each module must have a unique name, regardless of the
+category!
+</p>
+
+<p>
+Inside the categories, the modules are available using their three files
+</p>
+
+<pre caption="Listing the available sudo files">
+~$ <i>cd dev/local/strict/policy/modules/admin</i>
+~$ <i>ls sudo.*</i>
+sudo.fc    sudo.if     sudo.te
+</pre>
+
+</body>
+</section>
+<section>
+<title>Building a module</title>
+<body>
+
+<p>
+To build a module, go to the location where the module code is. Then, run
+<c>make</c> with the development Makefile as provided by the reference policy.
+</p>
+
+<pre caption="Building the portage module">
+~$ <i>cd dev/local/strict/policy/modules/admin</i>
+~$ <i>make -f ../../../support/Makefile.devel portage.pp</i>
+</pre>
+
+<p>
+You now have a <path>portage.pp</path> file available which you can load (using
+<c>semodule -i portage.pp</c>).
+</p>
+
+</body>
+</section>
+<section>
+<title>Building the base policy</title>
+<body>
+
+<p>
+If you want to build the base policy, run <c>make base</c>.
+</p>
+
+<pre caption="Building the base policy">
+~$ <i>cd dev/local/strict</i>
+~$ <i>make base</i>
+</pre>
+
+<p>
+The result should be a <path>base.pp</path> file that you can load using
+<c>semodule -b base.pp</c>. However, if you intend to do a bit more than just
+test this base policy quickly, it is seriously recommended to create your own
+Gentoo overlay for your own <path>selinux-base-policy</path> and install that
+one as installing a base policy is not only about the policy module itself, but
+also about the include files that will then be stored in
+<path>/usr/share/selinux/strict/include</path>.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>A Domain Does Not Function Properly</title>
+<section>
+<title>Introduction</title>
+<body>
+
+<p>
+The most likely problem that you are hitting is that a domain does exist in
+Gentoo Hardened SELinux, but that it isn't functioning as it should. To solve
+this problem, it is adviseable to use the following sequence of investigations:
+</p>
+
+<ol>
+  <li>
+    Is it really SELinux that is restraining your system?
+  </li>
+  <li>
+    Is the problem related to wrong resource labels / security contexts?
+  </li>
+  <li>
+    Is the problem related to intra-module permissions?
+  </li>
+  <li>
+    Is the problem related to inter-module permissions?
+  </li>
+</ol>
+
+</body>
+</section>
+<section>
+<title>Check if SELinux is to blame</title>
+<body>
+
+<p>
+Make sure that the problem you are seeing is a SELinux-triggered problem. An
+easy way to find out is to run SELinux in permissive mode and try again:
+</p>
+
+<pre caption="Switching to permissive mode">
+~# <i>setenforce 0</i>
+</pre>
+
+<p>
+This only works if the problem is <e>not</e> to do with a SELinux-aware
+application (unlike <c>init</c> or <c>sudo</c> which are linked to the
+libselinux library). SELinux-aware applications might alter their behavior if
+SELinux is set on the system regardless of it running in permissive mode or not.
+A prime example is <c>vixie-cron</c> (as can be seen in <uri
+link="https://bugs.gentoo.org/show_bug.cgi?id=257111">bug #257111</uri>). But
+for applications that are not SELinux aware, this is the easiest method to find
+out if SELinux is to blame or not.
+</p>
+
+<p>
+If running your system in permissive mode works around the problem, read on. If
+it doesn't, check the regular permissions (<c>strace</c>'ing the application
+might be a good idea too).
+</p>
+
+</body>
+</section>
+<section>
+<title>Get the proper AVC denials</title>
+<body>
+
+<p>
+Assuming that we now know that SELinux is to blame, we need to make sure that we
+get the proper AVC denials. Either locate the proper denials in
+<path>/var/log/avc.log</path> (or <path>audit.log</path>) around the time that
+you encountered the issue, or run <c>tail -f /var/log/avc.log</c> and reproduce
+the problem.
+</p>
+
+<pre caption="Example denials">
+~# <i>tail -f /var/log/avc.log</i>
+Apr 22 15:03:33 www1 kernel: [16053.303739] type=1400 audit(1303477413.188:283):
+avc:  denied  { dac_read_search } for  pid=21758 comm="rm" capability=2
+scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t
+tclass=capability
+</pre>
+
+<p>
+Analyzing the meaning of the AVC denial is covered by <uri 
+link="/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=3#avclog">Looking
+at the AVC Log</uri> in the Gentoo Hardened SELinux handbook. The denial should
+give you a pointer where to look for. However, it is possible that no denial is
+occurring, or at least no relevant ones.
+</p>
+
+<p>
+A first step to get potentially more denials is to switch the
+<c>gentoo_try_dontaudit</c> boolean off. This boolean is used by the Gentoo
+Hardened SELinux developers to hide denials which they assume are cosmetic. As
+these developers are known to have a human side (as well), they are known to
+make mistakes ;-)
+</p>
+
+<pre caption="Disabling gentoo's dontaudit statements">
+~# <i>setsebool gentoo_try_dontaudit off</i>
+</pre>
+
+<p>
+Retry getting the proper AVC denials.
+</p>
+
+<p>
+If it still doesn't work, you can disable all <e>dontaudit</e> statements:
+</p>
+
+<pre caption="Disabling all dontaudit statements">
+~# <i>semodule -R -D -B</i>
+</pre>
+
+<p>
+Retry getting the proper AVC denials.
+</p>
+
+<p>
+The moment you get the denials you are looking for, isolate them and then undo
+the changes you made earlier:
+</p>
+
+<pre caption="Resetting the auditing defaults">
+~# <i>setsebool gentoo_try_dontaudit on</i>
+~# <i>semodule -R -B</i>
+</pre>
+
+<p>
+If you still do not see any denials, then check out the <c>dmesg</c> output for
+other problems. It is possible that SELinux is not even getting to the point of
+the policy, which you will not notice by looking at the AVC denials alone.
+However, the chance of this to happen is very slim - most of the time, you'll
+find the AVC denials you are looking for.
+</p>
+
+</body>
+</section>
+<section>
+<title>Deducing the correct security contexts</title>
+<body>
+
+<p>
+The next step is to see if we are dealing with the right security contexts. This
+does require a bit of insight in how both the application (that is failing) and
+the policy relate to each other.
+</p>
+
+<p>
+Say you are having issues with SELinux (re)labeling and you notice the following
+AVC denial:
+</p>
+
+<pre caption="AVC denial for setfiles">
+Apr 16 14:39:57 testsys kernel: [  115.778484] type=1400
+audit(1302957597.827:224): avc:  denied  { create } for  pid=3584
+comm="setfiles" scontext=root:sysadm_r:<comment>sysadm_t</comment> tcontext=root:sysadm_r:sysadm_t
+tclass=netlink_audit_socket
+</pre>
+
+<p>
+In this case, <c>setfiles</c> is running in the <path>sysadm_t</path> domain
+even though it should run in <path>setfiles_t</path>. So check the security
+context of the <c>setfiles</c> binary as well as the transition rules:
+</p>
+
+<pre caption="Checking setfiles context and rules">
+~# <i>ls -lZ /sbin/setfiles</i>
+-rwxr-xr-x. 1 root root <comment>system_u:object_r:bin_t</comment> 26464 Apr  9 22:22 /sbin/setfiles
+~# <i>sesearch -s sysadm_t -t setfiles_t -c process -p transition -A -d</i>
+Found 1 semantic av rules:
+    allow sysadm_t setfiles_t : process transition ;
+~# <i>sesearch -s sysadm_t -t setfiles_exec_t -c file -p execute -A -d</i>
+...
+~# <i>sesearch -s setfiles_t -t setfiles_exec_t -c file -p entrypoint -A -d</i>
+...
+</pre>
+
+<p>
+In the above (forced) situation, the problem is with the security context of the
+binary - it should have been <path>setfiles_exec_t</path> instead of
+<path>bin_t</path>. Usually, entry points are named similarly (like
+<path>portage_exec_t</path> or <path>sudo_exec_t</path>). If you are not certain
+about which domain it should be, use <c>sesearch</c>
+</p>
+
+<pre caption="Using sesearch to find the entrypoint type for a domain">
+~# <i>sesearch -s setfiles_t -c file -p entrypoint -A -d</i>
+Found 1 semantic av rules:
+   allow setfiles_t setfiles_exec_t : file { ioctl ... execute entrypoint open } ;
+</pre>
+
+<p>
+The <c>sesearch</c> utility is extremely powerful to query the SELinux policy
+(which is currently in memory). I also advise you to use the <c>-C</c> switch to
+see which rules are trigged by certain SELinux booleans:
+</p>
+
+<pre caption="Looking for boolean-triggered settings">
+~# <i>sesearch -s named_t -t named_zone_t -c file -A -d -C</i>
+Found 2 semantic av rules:
+   allow named_t named_zone_t : file { ioctl read getattr lock open } ; 
+DT allow named_t named_zone_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ named_write_master_zones ]
+</pre>
+
+<p>
+In the above example, the <path>named_t</path> domain only has write privileges
+on files labeled <path>named_zone_t</path> if the
+<path>named_write_master_zones</path> boolean is set (which it currently isn't,
+otherwise the line would stat with ET instead of DT).
+</p>
+
+<p>
+To gain a bit of insight in the various, available domains, use <c>seinfo</c>:
+</p>
+
+<pre caption="Getting a list of available domains">
+~# <i>seinfo -t | grep named</i>
+   named_var_run_t
+   named_checkconf_exec_t
+   named_conf_t
+   named_initrc_exec_t
+   named_log_t
+   named_exec_t
+   named_zone_t
+   named_t
+   named_cache_t
+   named_tmp_t
+</pre>
+
+<p>
+To gain a bit of insight in the (current) file context rules, use
+<c>semanage</c>:
+</p>
+
+<pre caption="Getting the list of current file context rules">
+~# <i>semanage fcontext -l | grep named</i>
+/etc/bind(/.*)?                                    all files        system_u:object_r:named_zone_t 
+/etc/bind/named\.conf                              regular file     system_u:object_r:named_conf_t 
+/etc/rc\.d/init\.d/named                           regular file     system_u:object_r:named_initrc_exec_t 
+/etc/rc\.d/init\.d/unbound                         regular file     system_u:object_r:named_initrc_exec_t 
+/etc/rndc.*                                        regular file     system_u:object_r:named_conf_t 
+/etc/unbound(/.*)?                                 all files        system_u:object_r:named_conf_t 
+/usr/sbin/lwresd                                   regular file     system_u:object_r:named_exec_t 
+/usr/sbin/named                                    regular file     system_u:object_r:named_exec_t 
+/usr/sbin/named-checkconf                          regular file     system_u:object_r:named_checkconf_exec_t 
+/usr/sbin/unbound                                  regular file     system_u:object_r:named_exec_t 
+/var/bind(/.*)?                                    all files        system_u:object_r:named_cache_t 
+/var/bind/pri(/.*)?                                all files        system_u:object_r:named_zone_t 
+/var/log/named.*                                   regular file     system_u:object_r:named_log_t 
+/var/run/bind(/.*)?                                all files        system_u:object_r:named_var_run_t 
+/var/run/named(/.*)?                               all files        system_u:object_r:named_var_run_t 
+/var/run/ndc                                       socket           system_u:object_r:named_var_run_t 
+/var/run/unbound(/.*)?                             all files        system_u:object_r:named_var_run_t 
+</pre>
+
+<p>
+Most of the time, fixing domain issues is a matter of relabeling files (or
+updating the configuration to match the contexts already defined - both work).
+</p>
+
+</body>
+</section>
+<section>
+<title>Intra-module permissions are missing</title>
+<body>
+
+<p>
+It is possible that you get a denial between correct security contexts, but
+that the permission is just never granted. In this case, you can choose between
+two things:
+</p>
+
+<ol>
+  <li>
+    Enhance the module so that the particular permission is granted, or
+  </li>
+  <li>
+    Enhance the module with an additional type where the permission is granted,
+    and assign this type/label to the related resources
+  </li>
+</ol>
+
+<p>
+In both cases you will need to edit the module files (most likely the
+<path>.te</path> file), build the module, load it, perhaps even relabel the
+files or the package and retry. It is also a good idea to take a look at
+upstream (latest refpolicy repository or the repositories of Fedora and co) and
+see if they have already solved this problem or not.
+</p>
+
+<p>
+Granting additional permissions between existing domains is the easiest, but
+might introduce additional problems: if this permission is only needed in a
+particular case yet you grant it for all files and resources related to those
+domains, then you are opening up the policy beyond what is necessary. Often,
+creating an additional domain or type can be beneficial.
+</p>
+
+<p>
+A noticeable example is Portage' support for CVS/SVN/GIT ebuilds (the so-called
+live ebuilds). These ebuilds get their repository and store it in the
+<path>distfiles/svn+src</path> location, which was by default labelled
+<path>portage_ebuild_t</path> with only read-access for the
+<path>portage_sandbox_t</path> domain. However, with those live ebuilds, the
+<path>portage_sandbox_t</path> domain also needs write privileges to this
+location. Rather than allowing <path>portage_sandbox_t</path> write privileges
+to <path>portage_ebuild_t</path>, a new type was created called
+<path>portage_svnsrc_t</path> for just this location and the rights are
+transferred towards type.
+</p>
+
+</body>
+</section>
+<section>
+<title>Inter-module permissions are needed</title>
+<body>
+
+<p>
+If the solution for the problem requires permissions between modules, then you
+need to create the proper interface functions in the target domain and call
+these functions from the source domain.
+</p>
+
+<p>
+TODO extend this explanation, use a common example, like mysql_stream_connect in
+postfix.
+</p>
+
+<p>
+TODO explain that changes in the interface require rebuilds and reinstallations
+of the base (package, not only .pp file, due to includes). tell that this is the
+reason why selinux-base-policy has that many revisions.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>No Domain Exists (Yet)</title>
+<section>
+<title>Reuse existing domains</title>
+<body>
+
+<p>
+TODO talk about potentially reusing domains (like apache module providing the
+various httpd_* domains which can be reused by lighttpd). Talk about assigning
+the proper labels to the files to see if that is sufficient.
+</p>
+
+</body>
+</section>
+<section>
+<title>Copy from existing domains</title>
+<body>
+
+<p>
+TODO talk about finding a similar module (apps or service) and start from a
+(slimmed-down) domain. Not recommended as it might already open too much, but it
+is a good start, if not to just look at with every denial you get later. Keep it
+short, most information is in next section.
+</p>
+
+</body>
+</section>
+<section>
+<title>Starting from scratch</title>
+<body>
+
+<p>
+TODO talk about defining the proper domains, set proper types (like file_type or
+application_type), refer to refpolicy guidelines
+</p>
+
+</body>
+</section>
+<section>
+<title>Testing new modules</title>
+<body>
+
+<p>
+TODO talk about users trying to do maximum testing (all the way). Also, if they
+want to support unconfined domains too, how they can do this (and should test).
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Policy Guidelines</title>
+<section>
+<body>
+
+<p>
+TODO dealing with cosmetic denials
+</p>
+
+<p>
+TODO resources - gentoo selinux policy, refpolicy guidelines
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Submitting Patches</title>
+<section>
+<body>
+
+<p>
+TODO differentiate between base patch and module patch.
+</p>
+
+<p>
+TODO perhaps talk about file context patches. Perhaps we will not make a new
+build release for it, but stage it to be included in the next release when a
+non-filecontext patch is added?
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Running Your Own Policy</title>
+<section>
+<body>
+
+<p>
+TODO describe how to create your own overlay with modules and patchbundles. Also
+usable for developers to stage their ebuild / patch submissions before actually
+putting in git repo. Ensure that naming is consistent (so that ebuild
+dependencies of packages remain).
+</p>
+
+<p>
+TODO describe how to exclude sec-policy in regular rsync
+</p>
+
+</body>
+</section>
+</chapter>
+
+</guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     50809689f04a6762a7f456e5b6b033f3baeae9b5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Apr 23 08:18:39 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Apr 23 08:18:39 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=50809689

various updates

---
 xml/selinux-development.xml |  574 ++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 544 insertions(+), 30 deletions(-)

diff --git a/xml/selinux-development.xml b/xml/selinux-development.xml
index d2fccc3..c4ee4b5 100644
--- a/xml/selinux-development.xml
+++ b/xml/selinux-development.xml
@@ -110,6 +110,12 @@ highlights...
     <e>interface file</e> which can then be called by other modules. This
     includes the necessary permissions to allow domain transitions
   </li>
+  <li>
+    SELinux uses attributes to make multiple domains manageable. Domains can
+    have certain permissions against all domains or types that are given a
+    particular attribute. Be aware of this when you start assigning attributes
+    to your own types or domains.
+  </li>
 </ul>
 
 </body>
@@ -245,8 +251,8 @@ one:
 </p>
 
 <pre caption="Setting up a local workspace">
-~$ <i>mkdir dev/local</i>
-~$ <i>cp -r dev/hardened/strict dev/local/</i>
+~$ <i>cd dev/hardened</i>
+~$ <i>cp -r strict strict.local/</i>
 </pre>
 
 </body>
@@ -257,7 +263,7 @@ one:
 
 <p>
 The main location you will work with is
-<path>dev/local/strict/policy/modules</path>. This location is subdivided in
+<path>dev/hardened/strict.local/policy/modules</path>. This location is subdivided in
 categories:
 </p>
 
@@ -287,7 +293,7 @@ Inside the categories, the modules are available using their three files
 </p>
 
 <pre caption="Listing the available sudo files">
-~$ <i>cd dev/local/strict/policy/modules/admin</i>
+~$ <i>cd dev/hardened/strict.local/policy/modules/admin</i>
 ~$ <i>ls sudo.*</i>
 sudo.fc    sudo.if     sudo.te
 </pre>
@@ -304,7 +310,7 @@ To build a module, go to the location where the module code is. Then, run
 </p>
 
 <pre caption="Building the portage module">
-~$ <i>cd dev/local/strict/policy/modules/admin</i>
+~$ <i>cd dev/hardened/strict.local/policy/modules/admin</i>
 ~$ <i>make -f ../../../support/Makefile.devel portage.pp</i>
 </pre>
 
@@ -324,7 +330,7 @@ If you want to build the base policy, run <c>make base</c>.
 </p>
 
 <pre caption="Building the base policy">
-~$ <i>cd dev/local/strict</i>
+~$ <i>cd dev/hardened/strict.local</i>
 ~$ <i>make base</i>
 </pre>
 
@@ -486,7 +492,9 @@ find the AVC denials you are looking for.
 <p>
 The next step is to see if we are dealing with the right security contexts. This
 does require a bit of insight in how both the application (that is failing) and
-the policy relate to each other.
+the policy relate to each other. In essence, you want to make sure that the
+process is running in the right domain and is trying to work on the right target
+type.
 </p>
 
 <p>
@@ -666,14 +674,76 @@ these functions from the source domain.
 </p>
 
 <p>
-TODO extend this explanation, use a common example, like mysql_stream_connect in
-postfix.
+Interface functions are the APIs that a module provides towards other SELinux
+modules when they need to interact with the domains. For instance, the
+<path>mysql</path> module provides, amongst other functions, the
+<c>mysql_stream_connect</c> interface:
 </p>
 
+<pre caption="mysql_stream_connect interface">
+########################################
+## &lt;summary&gt;
+##      Connect to MySQL using a unix domain stream socket.
+## &lt;/summary&gt;
+## &lt;param name="domain"&gt;
+##      &lt;summary&gt;
+##      Domain allowed access.
+##      &lt;/summary&gt;
+## &lt;/param&gt;
+## &lt;rolecap/&gt;
+#
+interface(`mysql_stream_connect',`
+        gen_require(`
+                type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+        ')
+
+        stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+        stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
+')
+</pre>
+
 <p>
-TODO explain that changes in the interface require rebuilds and reinstallations
-of the base (package, not only .pp file, due to includes). tell that this is the
-reason why selinux-base-policy has that many revisions.
+The interface declares that the domain passed on as its first (and only)
+argument gets the rights offered by <c>stream_connect_pattern</c>, which is a
+macro (defined in <path>policy/support/ipc_patterns.spt</path> that looks like
+so:
+</p>
+
+<pre caption="stream_connect_pattern">
+define(`stream_connect_pattern',`
+        allow $1 $2:dir search_dir_perms;
+        allow $1 $3:sock_file write_sock_file_perms;
+        allow $1 $4:unix_stream_socket connectto;
+')
+</pre>
+
+<p>
+Modules that need to interact with MySQL through a Unix domain stream socket
+(<path>/var/run/mysqld/mysqld.sock</path>) will need the proper permissions to
+work with the target type (<path>mysqld_var_run_t</path>). Modules cannot just
+set <e>allow</e> statements towards <path>mysqld_var_run_t</path> as they do not
+know this type. Instead, they call the <c>mysql_stream_connect</c> interface,
+like the <path>postfix.te</path> file does:
+</p>
+
+<pre caption="Postfix module calling mysql_stream_connect">
+optional_policy(`
+        mysql_stream_connect(postfix_master_t)
+        mysql_stream_connect(postfix_cleanup_t)
+        mysql_stream_connect(postfix_local_t)
+')
+</pre>
+
+<p>
+If the change you need is adding existing interface calls to the module (in 
+the <path>.te</path> file) then you should be able to test it easily by building
+the changed module and loading it. However, if you need to change the interface
+of your module itself (in the <path>.if</path> file) you will eventually need
+to rebuild the base policy and even provide and install a new
+<path>sec-policy/selinux-base-policy</path> package as the interfaces are placed
+in <path>/usr/share/selinux/strict/include</path>. This is one of the reasons
+why the <path>sec-policy/selinux-base-policy</path> package in Gentoo Hardened
+has a high revision number (and many updates).
 </p>
 
 </body>
@@ -687,22 +757,65 @@ reason why selinux-base-policy has that many revisions.
 <body>
 
 <p>
-TODO talk about potentially reusing domains (like apache module providing the
-various httpd_* domains which can be reused by lighttpd). Talk about assigning
-the proper labels to the files to see if that is sufficient.
+If you are facing problems because you run an application which has no domain
+itself (and hence is probably running in the <path>user_t</path>,
+<path>staff_t</path> or <path>sysadm_t</path> domains - or even tries to run in
+the <path>initrc_t</path> domain), you will need to create one. But before we do
+that, it might be possible that the application can work within the domain
+definition of a different application.
+</p>
+
+<p>
+One example here is lighttpd. This lightweight HTTPd service "uses" the
+definitions offered by the <path>apache</path> module. By marking its executable
+file <path>httpd_exec_t</path> it runs in the <path>httpd_t</path> domain and
+uses the same policy like Apache. By labeling the files according to the
+<path>apache.fc</path> definitions (but now for lighttpd) it might Just Work
+&trade;
+</p>
+
+<p>
+Reusing existing domains requires that you at least consider the following
+aspects:
 </p>
 
+<ul>
+  <li>
+    Will the application run on the same system as the application for which the
+    domain is originally intended? If so, then both might run in the same domain
+    (and as such have more privileges towards each other than intended) which
+    might not be what you want.
+  </li>
+  <li>
+    Do you need to enhance (read: add additional privileges) the master domain?
+    If so, make sure that you don't add more privileges than the original domain
+    would ever need to the extend that these privileges become a security risk.
+  </li>
+</ul>
+
 </body>
 </section>
 <section>
-<title>Copy from existing domains</title>
+<title>(Do Not) Copy from existing domains</title>
 <body>
 
 <p>
-TODO talk about finding a similar module (apps or service) and start from a
-(slimmed-down) domain. Not recommended as it might already open too much, but it
-is a good start, if not to just look at with every denial you get later. Keep it
-short, most information is in next section.
+If reusing existing domains introduces too many risks, you'll need to create a
+new domain for the application. Many people would be inclined to copy the domain
+definition of a similar application and work from there. Although this is a
+viable approach, it is considered a bad practice because you start by providing
+privileges to the domain that are never needed, and removing privileges from a
+domain later is very difficult. Even more, if you are not the author of the
+modules, most developers will not even try to remove them as they assume that
+the author of the domain had a good reason to add it in the first place. This is
+one of the reasons why upstream takes great care in accepting patches - they
+must be properly documented before they are accepted.
+</p>
+
+<p>
+Instead, create a domain from scratch but take a close eye on the domain you
+belief is very similar. Issues that arise during the module development might be
+quickly resolved by looking at how the original domain is defined.
 </p>
 
 </body>
@@ -712,8 +825,238 @@ short, most information is in next section.
 <body>
 
 <p>
-TODO talk about defining the proper domains, set proper types (like file_type or
-application_type), refer to refpolicy guidelines
+To start the development of a new module from scratch, first identify the
+domain(s) you want to have. An application that, in its entire lifespan only
+constitutes of a single process, will most likely only have one domain. For
+instance, the Skype client will have just <path>skype_t</path>. However,
+applications that have multiple processes running might need multiple domains
+too. For instance, the Postfix application runs a master
+(<path>postfix_master_t</path>), queue manager (<path>postfix_qmgr_t</path>) and
+pickup service (<path>postfix_pickup_t</path>), but depending on the commands
+you execute, it will also have (short-lived) processes running as
+<path>postfix_cleanup_t</path>, <path>postfix_bounce_t</path>, etc.) It is
+considered a best practice to start with a fine-grained model for domains
+and only later decide if merging multiple domains into one is beneficial.
+Splitting domains later is more difficult. Don't forget to look at the
+client-side aspect too!
+</p>
+
+<p>
+Next, define the types that each domain interacts with. This of course includes
+the binary (like <path>skype_exec_t</path>) but do not forget resources like
+</p>
+
+<ul>
+  <li>
+    The configuration file(s) in <path>/etc</path> (f.i.
+    <path>postfix_etc_t</path>)
+  </li>
+  <li>
+    PID files (f.i. <path>sshd_var_run_t</path>)
+  </li>
+  <li>
+    Spool files (f.i. <path>postfix_spool_t</path>)
+  </li>
+  <li>
+    Variable data files (f.i. <path>snmpd_var_lib_t</path>)
+  </li>
+  <li>
+    Log files (f.i. <path>zebra_log_t</path>)
+  </li>
+  <li>
+    Cache files (f.i. <path>squid_cache_t</path>)
+  </li>
+  <li>
+    (User) content files (f.i. <path>httpd_sys_content_t</path> and
+    <path>httpd_user_content_t</path>)
+  </li>
+</ul>
+
+<p>
+Also, try to separate types that are used by other domains as well. This way,
+the other domains can only interact with those files or resources that are
+labeled accordingly, rather than interact with a broad spectrum of files. The
+distinction that the <path>apache</path> module makes between system-provided
+content (like phpmyadmin files) and user-provided content (in the
+<path>public_html</path> directory in the users' home directories) seems (and
+is) very logical, but one could wrongly say that for Apache itself, the access
+controls are the same. Although that might be true, both types are clearly used
+in different ways so this mandates the use of different domains.
+</p>
+
+<p>
+Once you have defined those types too, start writing down the intra-domain
+permissions. Right now is a good time to look at other modules to see how they
+do things. Start with defining the accesses towards the domains.
+</p>
+
+<pre caption="Snippet from the spamassassin module">
+type spamassassin_t;
+type spamassassin_exec_t;
+application_domain(spamassassin_t, spamassassin_exec_t)
+ubac_constrained(spamassassin_t)
+</pre>
+
+<p>
+This small snippet defines many things. The first two lines just mention the new
+types (the <path>spamassassin_t</path> domain and
+<path>spamassassin_exec_t</path> type). The <c>application_domain</c> interface
+marks <path>spamassassin_t</path> as an application domain type (it gets the
+<path>application_domain_type</path> and <path>domain</path> attributes and a
+few default permissions (like allowing that it sends SIGCHLD and SIGNULL to
+init). It also marks <path>spamassassin_exec_t</path> as an applications'
+executable type (<path>application_exec_type</path> and <path>exec_type</path>
+attributes) so that it can be executed by regular users (these domains have
+execute rights against all resources that have the
+<path>application_exec_type</path> attribute set. Finally, it marks the
+<path>spamassassin_t</path> domain as a constrained domain for user-based access
+controls. In other words, if SELinux users <path>user_u</path> and
+<path>staff_u</path> launch the application in <path>spamassassin_t</path>
+domains, then the domains are segregated from each other (the intra-domain rules
+inside <path>spamassassin_t</path> are only valid for communication within the
+same SELinux user, not between SELinux users).
+</p>
+
+<p>
+Attributes are an important aspect in SELinux policy development. They make
+managing the domains easier, but you should always consider the implications
+when you add an attribute to one of your types. It usually means that a whole
+lot of permissions are suddenly granted between other domains and yours.
+</p>
+
+<p>
+Next, set the proper intra-domain permissions. For instance, allow your domain
+to read its configuration files as well as more access inside its own
+<path>/var/lib</path> location:
+</p>
+
+<pre caption="Snippet from openca module">
+allow openca_ca_t openca_etc_t:file read_file_perms;
+allow openca_ca_t openca_etc_t:dir list_dir_perms;
+
+manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+</pre>
+
+<p>
+The majority of work in developing SELinux policy modules is using and choosing
+the right interfaces. Having a few functions available to browse through all the
+available information is always interesting, so you might want to use the
+following function definitions (definitely not mandatory - this is only to help
+people skim through the policy definitions):
+</p>
+
+<pre caption="SELinux policy development function definitions">
+POLICY_LOCATION="/path/to/your/refpolicy";
+
+# sefindif - Find interface definitions that have a string that matches the
+# given regular expression
+sefindif() {
+  REGEXP="$1";
+  cd ${POLICY_LOCATION}/policy/modules;
+  for FILE in */*.if;
+  do
+    awk "/(interface\(|template\()/ { NAME=\$NF; P=0 }; /${REGEXP}/ { if (P==0) {P=1; print NAME}; print };" ${FILE} | sed -e "s:^:${FILE}\: :g";
+  done
+}
+
+# seshowif - Show the interface definition
+seshowif() {
+  INTERFACE="$1";
+  cd ${POLICY_LOCATION}/policy/modules;
+  for FILE in */*.if;
+  do
+    grep -A 9999 "\(interface(\`${INTERFACE}'\|template(\`${INTERFACE}'\)" ${FILE} | grep -B 9999 -m 1 "^')";
+  done
+}
+
+# sefinddef - Find macro definitions that have a string that matches the given
+# regular expression
+sefinddef() {
+  REGEXP="$1";
+  grep -H "define(\`.*${REGEXP}.*" ${POLICY_LOCATION}/policy/support/* | sed -e 's:.*\/\([^(]*\):\1:g'
+}
+
+# seshowdef - Show the macro definition
+seshowdef() {
+  MACRONAME="$1";
+  cd ${POLICY_LOCATION}/policy/support;
+  for FILE in *.spt;
+  do
+    grep -A 9999 "define(\`${MACRONAME}'" ${FILE} | grep -B 999 -m 1 "')";
+  done
+}
+</pre>
+
+<p>
+These functions can then be used to find the information / interfaces you are
+looking for. For instance, you need the application to read the postfix
+configuration files:
+</p>
+
+<pre caption="Looking for the interface(s) needed">
+~$ <i>sefindif postfix_etc_t</i>
+services/postfix.if: template(`postfix_domain_template',`
+services/postfix.if:    allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+services/postfix.if:    read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+services/postfix.if:    read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+<comment>services/postfix.if: interface(`postfix_read_config',`
+services/postfix.if:            type postfix_etc_t;
+services/postfix.if:    read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+services/postfix.if:    read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)</comment>
+services/postfix.if: interface(`postfix_config_filetrans',`
+services/postfix.if:            type postfix_etc_t;
+services/postfix.if:    filetrans_pattern($1, postfix_etc_t, $2, $3)
+
+~$ <i>seshowif postfix_read_config</i>
+interface(`postfix_read_config',`
+        gen_require(`
+                type postfix_etc_t;
+        ')
+
+        read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+        read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
+        files_search_etc($1)
+')
+</pre>
+
+<p>
+Same thing if you want to look for the correct macro definition (usually, if you
+notice something but you cannot find it as an interface, then it is most likely
+a macro):
+</p>
+
+<pre caption="Looking for the right macros">
+<comment># Suppose you need to read, write, connect, ... to a socket</comment>
+~$ <i>sefinddef connect</i>
+ipc_patterns.spt:define(`stream_connect_pattern',`
+<comment>obj_perm_sets.spt:define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')</comment>
+obj_perm_sets.spt:define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+obj_perm_sets.spt:define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+<comment># To see what the ps_process_pattern is about</comment>
+~$ <i>seshowdef ps_process_pattern</i>
+define(`ps_process_pattern',`
+        allow $1 $2:dir list_dir_perms;
+        allow $1 $2:file read_file_perms;
+        allow $1 $2:lnk_file read_lnk_file_perms;
+        allow $1 $2:process getattr;
+')
+</pre>
+
+<p>
+As we strive to bring most of our patches upstream, please do consider the <uri
+link="http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute">contribution
+guidelines</uri> of the reference policy project. The project has a documented
+style guide, naming convention and an online API reference (for the various
+interfaces).
+</p>
+
+<p>
+Note that, the moment you create a new module, you'll need to create the proper
+role interfaces (if it is an application that is directly called from a user
+domain). Take a look at <c>tvtime_role</c> and how it is used in the
+<path>staff.te</path> and <path>sysadm.te</path> role definitions.
 </p>
 
 </body>
@@ -723,10 +1066,49 @@ application_type), refer to refpolicy guidelines
 <body>
 
 <p>
-TODO talk about users trying to do maximum testing (all the way). Also, if they
-want to support unconfined domains too, how they can do this (and should test).
+When you test your application, test it in as many ways as possible. If your
+application is a command-line application, run it both from a regular terminal
+(tty) as well as a virtual one (in an xterm). See if it still works if you run
+it in a screen session. Try out all functions and features that the application
+supports.
+</p>
+
+<p>
+This rigorous testing is necessary because SELinux denies everything that isn't
+explicitly allowed. If you do not test certain features, chances are that the
+module does not provide the necessary permissions and as such, users will be
+impacted.
+</p>
+
+<p>
+To test out a new module, load it (<c>semodule -i modulename.pp</c>) and relabel
+the files affiliated with the application (either through <c>rlpkg</c> or using
+<c>restorecon</c>). Consider the following testing activities if applicable (not
+all domains are interactive domains, so please read the activities with your
+domain definition in mind):
 </p>
 
+<ul>
+  <li>
+    Sending signals to the application (if you need to be able to kill it, try
+    killing it)
+  </li>
+  <li>
+    Run it both as a regular user (<path>user_u</path>) as well as
+    administrative users (if applicable). If your domain needs to support
+    unconfined domains/users, run it from an unconfined user domain too.
+  </li>
+  <li>
+    Run it from a terminal, console, screen, sudo, ...
+  </li>
+  <li>
+    Change the applications' configuration file (including rendering it useless
+    with syntax errors) and look at the applications' behavior. Especially
+    syntax failures as that might trigger the application to log things at
+    places that you haven't discovered earlier.
+  </li>
+</ul>
+
 </body>
 </section>
 </chapter>
@@ -734,14 +1116,48 @@ want to support unconfined domains too, how they can do this (and should test).
 <chapter>
 <title>Policy Guidelines</title>
 <section>
+<title>Cosmetic denials</title>
+<body>
+
+<p>
+When working on policy modules, you'll notice that the application is trying to
+do things which are denied, but have no obvious effect on the applications
+functionality. This is to be expected: many applications do not handle file
+descriptors properly (file descriptor leaks are common) or applications read
+attributes of files but don't do anything with it. You'll notice that you learn
+a lot from the application while writing its policy ;-)
+</p>
+
+<p>
+Gentoo Hardened's idea here is to only allow what is actually needed by the
+application. Cosmetic denials are to be <c>dontaudit</c>'ed. Gentoo Hardened
+uses the <c>gentoo_try_dontaudit</c> boolean for this:
+</p>
+
+<pre caption="Example usage of gentoo_try_dontaudit">
+<comment># Hide sshd_t calling module_request from the kernel_t domain</comment>
+tunable_policy(`gentoo_try_dontaudit',`
+        kernel_dontaudit_request_load_module(sshd_t)
+')
+</pre>
+
+</body>
+</section>
+<section>
+<title>Gentoo Hardened SELinux policy</title>
 <body>
 
 <p>
-TODO dealing with cosmetic denials
+To streamline the policy development efforts, Gentoo Hardened as a <uri
+link="selinux-policy.xml">SELinux Policy</uri> document explaining the
+principles used during policy development and the implementation guidelines we
+strive to follow during development.
 </p>
 
 <p>
-TODO resources - gentoo selinux policy, refpolicy guidelines
+Such a policy is important because we want to have a consistent security policy
+that users and developers can relate to. By following the policy, we hope that
+other developers can quickly jump in and work on it further.
 </p>
 
 </body>
@@ -751,16 +1167,114 @@ TODO resources - gentoo selinux policy, refpolicy guidelines
 <chapter>
 <title>Submitting Patches</title>
 <section>
+<title>File context patches</title>
+<body>
+
+<p>
+If you are able to fix a problem by adding the proper file contexts (using
+<c>semanage fcontext -a</c>), please consider the following:
+</p>
+
+<ul>
+  <li>
+    If the location for which you set the context deviates from the standard
+    location as either intended by the project or Gentoo itself, it might be
+    best to document it in the forums or elsewhere. We will not change file
+    contexts to match every ones configuration, unless the file context change
+    is apparent for each installation.
+  </li>
+  <li>
+    Developers might not immediately push file context changes in new policy
+    module packages to keep the amount of policy module changes low. Instead,
+    these changes can be stacked and pushed when other changes occur as well.
+  </li>
+</ul>
+
+<p>
+If you believe that the change is needed for everyone using Gentoo Hardened with
+SELinux, create a <uri link="https://bugs.gentoo.org">bugreport</uri> and assign
+it to <c>selinux@gentoo.org</c>. In the bugreport, mention the file context you
+think is necessary and why.
+</p>
+
+</body>
+</section>
+<section>
+<title>Module patches</title>
+<body>
+
+<p>
+Module patches with changes that are intra-module (and have no effect outside)
+are best generated from the <path>policy/modules</path> location:
+</p>
+
+<pre caption="Example generating patch for modular changes">
+~$ <i>cd dev/hardened/strict.local/policy/modules</i>
+~$ <i>diff -ut ../../../strict/policy/modules/services/openct.te services/openct.te</i>
+--- ../../../../strict/policy/modules/services/openct.te   2011-04-22 23:28:17.932918002 +0200
++++ services/openct.te  2011-04-23 09:55:08.156918002 +0200
+@@ -47,6 +47,10 @@
+ 
+ miscfiles_read_localization(openct_t)
+ 
++tunable_policy(`gentoo_try_dontaudit',`
++        kernel_dontaudit_read_system_state(openct_t)
++')
++
+ userdom_dontaudit_use_unpriv_user_fds(openct_t)
+ userdom_dontaudit_search_user_home_dirs(openct_t)
+</pre>
+
+<p>
+Attach this patch to the <uri link="https://bugs.gentoo.org">bugreport</uri>
+explaining why it is needed. If you think the patch itself is not obvious, make
+sure that the necessary comments are in place <e>inside the patch</e> for future
+reference.
+</p>
+
+<p>
+Please have a separate patch file per module (do not combine multiple modules in
+a single patch).
+</p>
+
+</body>
+</section>
+<section>
+<title>Base policy patches</title>
 <body>
 
 <p>
-TODO differentiate between base patch and module patch.
+If a patch extends a single module, or it includes interface changes on a
+module, you'll need to create a patch for the base policy. In this case, the
+patch is best made from the upper location.
+</p>
+
+<pre caption="Generating a base policy patch">
+~$ <i>cd dev/hardened/strict.local</i>
+~$ <i>diff -ut ../strict/policy/modules/services/openct.if policy/modules/services/openct.if</i>
+--- ../strict/policy/modules/services/openct.if    2011-04-22 23:28:17.918918002 +0200
++++ policy/modules/services/openct.if       2011-04-23 10:01:38.753918001 +0200
+@@ -15,7 +15,7 @@
+                 type openct_t;
+         ')
+ 
+-        allow $1 openct_t:process signull;
++        allow $1 openct_t:process { signull sigchld };
+ ')
+ 
+ ########################################
+</pre>
+
+<p>
+Attach this patch to the <uri link="https://bugs.gentoo.org">bugreport</uri>
+explaining why it is needed. If you think the patch itself is not obvious, make
+sure that the necessary comments are in place <e>inside the patch</e> for future
+reference.
 </p>
 
 <p>
-TODO perhaps talk about file context patches. Perhaps we will not make a new
-build release for it, but stage it to be included in the next release when a
-non-filecontext patch is added?
+Please have a separate patch file per major change (do not combine multiple
+unrelated changes in a single patch).
 </p>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     6fc7dfa7a3f3e35949384a205825b510bba74294
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Apr 23 11:32:04 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Apr 23 11:32:04 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6fc7dfa7

Finalization

---
 xml/selinux-development.xml |  113 ++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 107 insertions(+), 6 deletions(-)

diff --git a/xml/selinux-development.xml b/xml/selinux-development.xml
index c4ee4b5..ddd5230 100644
--- a/xml/selinux-development.xml
+++ b/xml/selinux-development.xml
@@ -651,7 +651,7 @@ creating an additional domain or type can be beneficial.
 <p>
 A noticeable example is Portage' support for CVS/SVN/GIT ebuilds (the so-called
 live ebuilds). These ebuilds get their repository and store it in the
-<path>distfiles/svn+src</path> location, which was by default labelled
+<path>distfiles/svn+src</path> location, which was by default labeled
 <path>portage_ebuild_t</path> with only read-access for the
 <path>portage_sandbox_t</path> domain. However, with those live ebuilds, the
 <path>portage_sandbox_t</path> domain also needs write privileges to this
@@ -1284,17 +1284,118 @@ unrelated changes in a single patch).
 <chapter>
 <title>Running Your Own Policy</title>
 <section>
+<title>Creating a local overlay</title>
 <body>
 
 <p>
-TODO describe how to create your own overlay with modules and patchbundles. Also
-usable for developers to stage their ebuild / patch submissions before actually
-putting in git repo. Ensure that naming is consistent (so that ebuild
-dependencies of packages remain).
+If you want to use your own policy rather than Gentoo's, we seriously recommend
+to use a local overlay which uses the same package names and constructs. This
+allows your policy to integrate properly with the other Gentoo packages (which
+might depend on the SELinux packages). For instance, when you install openldap,
+it will still properly depend on the <path>sec-policy/selinux-ldap</path>
+package even if you provide it completely.
 </p>
 
 <p>
-TODO describe how to exclude sec-policy in regular rsync
+To do so, first create a local overlay and copy the content of the
+<path>sec-policy</path> category inside it.
+</p>
+
+<pre caption="Creating a local overlay">
+~$ <i>mkdir dev/overlay</i>
+~$ <i>cp -r /usr/portage/sec-policy dev/overlay</i>
+</pre>
+
+<p>
+Next, tell Portage to not synchronise the <path>sec-policy</path> category of
+the main tree anymore. To do so, create the file
+<path>/etc/portage/rsync_excludes</path> with the following content:
+</p>
+
+<pre caption="Rsync exclusion information">
+sec-policy/
+</pre>
+
+<p>
+Finally, add your current overlay by editing <path>/etc/make.conf</path>:
+</p>
+
+<pre caption="Editing make.conf">
+PORTDIR_OVERLAY="${PORTDIR_OVERLAY} /home/user/dev/overlay"
+</pre>
+
+<p>
+From now onwards, Gentoo Portage will only use your local overlay (you can
+remove <path>/usr/portage/sec-policy</path> if you don't want Portage to even
+reuse the current set of packages.
+</p>
+
+</body>
+</section>
+<section>
+<title>Updating module packages</title>
+<body>
+
+<p>
+To create or update a module package, you can use the following skeleton for the
+ebuilds:
+</p>
+
+<pre caption="Skeleton for ebuilds, example for postfix">
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+<comment># Set the MODS variable to the refpolicy name used, so services/postfix.te gives "postfix"</comment>
+MODS="postfix"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for postfix"
+
+KEYWORDS="~amd64 ~x86"
+
+<comment># POLICY_PATCH is optional (only when you have a patch), without it just uses the 
+# refpolicy version.</comment>
+POLICY_PATCH="${FILESDIR}/fix-services-postfix-r3.patch"
+</pre>
+
+<p>
+The patch(es) that you can put in the <path>files/</path> location (and referred to
+in the <c>POLICY_PATCH</c>) should be made as defined earlier in this document.
+You can put multiple patches in this variable if you want.
+</p>
+
+<p>
+Don't forget to run <c>repoman manifest</c> with every change, and run
+<c>repoman scan</c> to check for potential mistakes.
+</p>
+
+</body>
+</section>
+<section>
+<title>Updating base package</title>
+<body>
+
+<p>
+To provide updates on the base policy, it is recommended to keep all patches you
+made centrally in a directory (say <path>dev/hardened/base-patches</path>). When
+you want to create a new <path>sec-policy/selinux-base-policy</path> release,
+create a patchbundle from your patch directory, put the bundle in the
+<path>files</path> location, create the updated ebuild and try it out.
+</p>
+
+<pre caption="Building a base policy package">
+~$ <i>cd dev/hardened/base-patches</i>
+~$ <i>tar cjvf ../overlay/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r13.tar.bz2 *</i>
+~$ <i>cd ../overlay/sec-policy/selinux-base-policy</i>
+~$ <i>cp selinux-base-policy-2.20101213-r12.ebuild selinux-base-policy-2.20101213-r13.ebuild</i>
+</pre>
+
+<p>
+Don't forget to run <c>repoman manifest</c> and <c>repoman scan</c>. You can
+then install <path>sec-policy/selinux-base-policy-2.20101213-r13</path> and test
+it out.
 </p>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     e40d8870011b4809109716b7bf0749961a7c63d6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Apr 30 08:58:46 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Apr 30 08:58:46 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e40d8870

Explain no-multilib situation more correctly

---
 xml/selinux-faq.xml |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index cda3a15..b300301 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>3</version>
-<date>2011-04-22</date>
+<version>4</version>
+<date>2011-04-30</date>
 
 <faqindex>
 <title>Questions</title>
@@ -133,10 +133,9 @@ like we will eventually support these file systems on SELinux fully as well.
 <body>
 
 <p>
-No. The SELinux profiles inherit from the base amd64 profiles, requiring
-multilib support. Early tests trying to enable SELinux on a no-multilib
-profile show that it will not be supported without additional development
-effort being required.
+Theoretically, definitely. However, the current selinux profiles in the Portage
+tree are not no-multilib capable. Work is on the way however to make the
+profiles more flexible and support no-multilib soon.
 </p>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     d4dd801cfdfc6fabff6498fe7eeaaab11a2fad29
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Apr 30 19:42:41 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Apr 30 19:42:41 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=d4dd801c

Add FAQ on emerge not working (no sysadm_r role)

---
 xml/selinux-faq.xml |   32 +++++++++++++++++++++++++++++++-
 1 files changed, 31 insertions(+), 1 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index b300301..d042d2c 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,7 +17,7 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>4</version>
+<version>5</version>
 <date>2011-04-30</date>
 
 <faqindex>
@@ -385,5 +385,35 @@ hidden).
 
 </body>
 </section>
+<section id="emergefails">
+<title>Emerge does not work, giving 'Permission denied: /etc/make.conf'</title>
+<body>
+
+<p>
+This is to be expected if you are not using the <c>sysadm_r</c> role. Any
+Portage related activity requires that you are in the <c>sysadm_r</c> role. To
+transition to the role, first validate if you are currently known as
+<c>staff_u</c> (or, if you added your own SELinux identities, a user that has
+the permission to transition to the <c>sysadm_r</c> role). Then run <c>newrole
+-r sysadm_r</c> to transition.
+</p>
+
+<pre caption="Transitioning to sysadm_r">
+~$ <i>emerge --info</i>
+Permission denied: '/etc/make.conf'
+~$ <i>id -Z</i>
+staff_u:staff_r:staff_t
+~$ <i>newrole -r sysadm_r</i>
+Password: <comment># Enter your users' password</comment>
+</pre>
+
+<p>
+This is also necessary if you logged on to your system as root but through SSH.
+The default behavior is that SSH sets the lowest role for the particular user
+when logged on. And you shouldn't allow remote root logins anyhow.
+</p>
+
+</body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     ae56f62162c95b724fb5f2f749b94255dee913bb
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May  1 20:21:26 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May  1 20:21:26 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae56f621

Add cron failure information

---
 xml/selinux-faq.xml |   51 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index d042d2c..3922c94 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>5</version>
-<date>2011-04-30</date>
+<version>6</version>
+<date>2011-05-01</date>
 
 <faqindex>
 <title>Questions</title>
@@ -415,5 +415,52 @@ when logged on. And you shouldn't allow remote root logins anyhow.
 
 </body>
 </section>
+<section id="cronfails">
+<title>
+  Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+  FAILED (crontabs/root)'
+</title>
+<body>
+
+<p>
+When you hit the mentioned error with a root crontab or an administrative
+users' crontab, but not with a regular users' crontab, then check the context of
+the crontab file:
+</p>
+
+<pre caption="Check context of the crontab file">
+~# <i>ls -Z /var/spool/cron/crontabs/root</i>
+staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
+</pre>
+
+<p>
+Next, check what the default context is for the given user (in this case, root)
+when originating from the <c>crond_t</c> domain:
+</p>
+
+<pre caption="Check default context for user root">
+~# <i>getseuser root system_u:system_r:crond_t</i>
+seuser:  root, level (null)
+Context 0       root:sysadm_r:cronjob_t
+Context 1       root:staff_r:cronjob_t
+</pre>
+
+<p>
+As you can see, the default context is always for the <c>root</c> SELinux user.
+However, the <path>/var/spool/cron/crontabs/root</path> file context in the
+above example is for the SELinux user staff_u. Hence, cron will not be able to
+read this file (the <c>user_cron_spool_t</c> type is a UBAC constrained one).
+</p>
+
+<p>
+To fix this, change the user of the file to root:
+</p>
+
+<pre caption="Change the SELinux user of the root crontab file">
+~# <i>chcon -u root /var/spool/cron/crontabs/root</i>
+</pre>
+
+</body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     51846c0899f8c055fc5f74c33d723eda8380937a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May  3 20:22:50 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May  3 20:22:50 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=51846c08

Add UBAC FAQ

---
 xml/selinux-faq.xml |   38 ++++++++++++++++++++++++++++++++++++--
 1 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 3922c94..c815ff4 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>6</version>
-<date>2011-05-01</date>
+<version>7</version>
+<date>2011-05-03</date>
 
 <faqindex>
 <title>Questions</title>
@@ -140,6 +140,40 @@ profiles more flexible and support no-multilib soon.
 
 </body>
 </section>
+<section id="ubac">
+<title>What is UBAC exactly?</title>
+<body>
+
+<p>
+UBAC, or <e>User Based Access Control</e>, introduces additional constraints
+when using SELinux policy. Participating domains / types that are <e>both</e>
+marked as a <c>ubac_constrained_type</c> (which is an attribute) will only
+have the allowed privileges in effect if they both run with the same SELinux
+user context.
+</p>
+
+<pre caption="Domains and their SELinux user context">
+<comment># The SELinux allow rule</comment>
+allow foo_t bar_t:file { read };
+
+<comment># This will succeed:</comment>
+staff_u:staff_r:foo_t reads file with type staff_u:object_r:bar_t
+
+<comment># This will be prohibited:</comment>
+user_u:user_r:foo_t reads file with type staff_u:object_r:bar_t
+</pre>
+
+<p>
+Of course, this is not always the case. Besides the earlier mentioned
+requirement that both types are <c>ubac_constrained_type</c>, if the source
+domain is <c>sysadm_t</c>, then the constraint will not be in effect (the 
+<c>sysadm_t</c> domain is exempt from UBAC constraints). Also, if the source
+or destination SELinux user is <c>system_u</c> then the constraint will also
+not be in effect. 
+</p>
+
+</body>
+</section>
 </chapter>
 
 <chapter>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     1015ab70f06b9be02b598e1e8c94f1ff00690682
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May  3 21:06:16 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May  3 21:06:16 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=1015ab70

Mention USE=ubac in FAQ on crontab issues

---
 xml/selinux-faq.xml |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index c815ff4..c4740c7 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -494,6 +494,11 @@ To fix this, change the user of the file to root:
 ~# <i>chcon -u root /var/spool/cron/crontabs/root</i>
 </pre>
 
+<p>
+Another fix would be to disable UBAC completely. This is accomplished with
+<c>USE="-ubac"</c>.
+</p>
+
 </body>
 </section>
 </chapter>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     c905159e3812ba690d55bcf6fedd5e26b3eb18d6
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Wed May  4 21:44:13 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Wed May  4 21:44:13 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c905159e

Fixing some QA issues

---
 xml/etdyn.xml |   44 +++++++++++++++++++++++++-------------------
 1 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/xml/etdyn.xml b/xml/etdyn.xml
index 2b81d4d..6744440 100644
--- a/xml/etdyn.xml
+++ b/xml/etdyn.xml
@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding="utf-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 <guide link="/proj/en/hardened/etdyn.xml">
-
+<title>ETDYN guide</title>
 <author title="Author">
 	<mail link="pageexec@freemail.hu">The PaX Team</mail>
 </author>
@@ -27,6 +27,7 @@ These guidelines are required to achieve full Address Space Layout Randomization
 
 <chapter>
 	<title>Introduction</title>
+	<section>
 	<body>
    <p>One of the features of PaX is Address Space Layout Randomization (ASLR)
    that allows the kernel to randomize the addresses of various areas in
@@ -67,10 +68,12 @@ These guidelines are required to achieve full Address Space Layout Randomization
    themselves in the future.</p>
 
 	</body>
+        </section>
 </chapter>
 
 <chapter>
 	<title>How to produce ET_DYN ELF executables</title>
+        <section>
 	<body>
 
    <p>The following discussion assumes that the GNU toolchain (such as gcc and
@@ -114,8 +117,8 @@ These guidelines are required to achieve full Address Space Layout Randomization
    care about gcrt1.o). It is no coincidence that crt1.o is not linked into
    shared libraries as this object contains (among others) the low-level entry
    point and startup code that invokes the C library startup code which in
-   turn calls main(). 
-   <warn>Initiating the building of ET_DYN executables on Gentoo does not require us to put -shared in our CFLAGS or LDFLAGS</warn></p>
+   turn calls main(). </p>
+   <warn>Initiating the building of ET_DYN executables on Gentoo does not require us to put -shared in our CFLAGS or LDFLAGS</warn>
 
    <p>Making crt1.o position independent is easy, we just have to make use of the
    GOT (in keeping with the tradition of the glibc naming convention for the
@@ -148,20 +151,22 @@ These guidelines are required to achieve full Address Space Layout Randomization
    code) they can be compiled once and put into the same directory where
    the other systemwide crt* files are.</p>
 	</body>
+        </section>
 </chapter>
 
 <chapter>
 	<title>ET_DYN ELF executables (The Gentoo Way)</title>
+        <section>
 	<body>
 
-   <p>On Gentoo this is accomplished by merging <i>hardened-gcc</i>: </p>
+   <p>On Gentoo this is accomplished by merging <c>hardened-gcc</c>: </p>
 
    <pre caption = "Emerging hardened-gcc">
-<c># emerge hardened-gcc</c>
+# <i>emerge hardened-gcc</i>
 </pre>
    
-   <p><i>hardened-gcc</i> is an umbrella package for non-mainstream gcc modifications
-   The <i>hardened-gcc</i> packages was initially created by Alexander Gabert 
+   <p><c>hardened-gcc</c> is an umbrella package for non-mainstream gcc modifications
+   The <c>hardened-gcc</c> packages was initially created by Alexander Gabert 
    for this special purpose we are serving here: rolling out the etdyn
    specs file and interp.o together with the position independent
    crt1S.o.  But this package is not limited to that purpose.  
@@ -184,21 +189,17 @@ These guidelines are required to achieve full Address Space Layout Randomization
    one is chpax built as an ET_EXEC.</p>
 
 	<pre caption = "Example files">
-<c># file /sbin/chpax</c>
+# <i>file /sbin/chpax</i>
 /sbin/chpax: ELF 32-bit LSB shared object, Intel 80386, version 1 \
 (GNU/Linux), stripped
 /sbin/chpax: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for \
 GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped
 </pre>
 
-	</body>
-</chapter>
-
+<!--To keep the bugs down for us we really dont want the
+end user mucking with the specs -solar -->
 
-<comment>To keep the bugs down for us we really dont want the
-end user mucking with the specs -solar </comment>
-<comment>
-   <p>We can further simplify the building of ET_DYN executables by modifying
+<!--   We can further simplify the building of ET_DYN executables by modifying
    a few sections of the default gcc specs file as demonstrated in the
    specs.2.95.3 and specs.3.2.3 files (for the respective gcc versions).
    To use the new specs file we can either replace the default one or pass
@@ -206,12 +207,17 @@ end user mucking with the specs -solar </comment>
    could further trim down the new specs file and keep only the sections
    that we changed: *cpp, *cc1, *endfile, *link and *startfile). From now
    on invoking gcc as 'gcc -et_dyn' will produce an ET_DYN executable (the
-   same goes for g++).</p>
+   same goes for g++).
 
-   <p>Readers interested in rebuilding entire distributions are encouraged to
+   Readers interested in rebuilding entire distributions are encouraged to
    take a look at the Adamantix (http://www.adamantix.org) and Hardened
-   Gentoo projects (http://www.gentoo.org/proj/en/hardened/).</p>
-</comment>
+   Gentoo projects (http://www.gentoo.org/proj/en/hardened/).
+-->
+	</body>
+        </section>
+</chapter>
+
+
 <chapter>      
 	<title>Credits</title>
 	<section>       

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     6d4ba6227c96e8b2ae4a1090fc6f409dece7ad23
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Wed May  4 20:58:34 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Wed May  4 20:58:34 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6d4ba622

pushing vapier's changes

---
 xml/gnu-stack.xml |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/xml/gnu-stack.xml b/xml/gnu-stack.xml
index e661760..dc63054 100644
--- a/xml/gnu-stack.xml
+++ b/xml/gnu-stack.xml
@@ -21,8 +21,8 @@
 
 <!-- The content of this document is placed into the public domain, have fun -->
 
-<version>3.1</version>
-<date>2010-11-27</date>
+<version>4</version>
+<date>2011-03-17</date>
 
 <chapter>
 <title>Introduction</title>
@@ -399,7 +399,7 @@ append-ldflags -Wl,-z,noexecstack
 <p>
 If all else fails, ask around on #gentoo-dev on the irc server 
 irc.freenode.net.  Or send an e-mail to the <uri 
-link="/main/en/lists.xml">gentoo-dev mailing list</uri>.  
+link="http://www.gentoo.org/main/en/lists.xml">gentoo-dev mailing list</uri>.  
 If no one can seem to answer your question, give me a poke either on irc 
 (nickname SpanKY/vapier) or via <mail link="vapier@gentoo.org">e-mail</mail>.
 </p>
@@ -416,7 +416,7 @@ If no one can seem to answer your question, give me a poke either on irc
 
 <table>
  <tr><th>Arch</th>     <th>Status</th></tr>
- <tr><ti>alpha</ti>    <ti>gcc generates proper .note.GNU-stack, but final link results in exec stack</ti></tr>
+ <tr><ti>alpha</ti>    <ti>fully supported (gcc-4.4.x/glibc-2.11)</ti></tr>
  <tr><ti>amd64</ti>    <ti>fully supported</ti></tr>
  <tr><ti>arm</ti>      <ti>fully supported (gcc-4.1.x/glibc-2.5)</ti></tr>
  <tr><ti>blackfin</ti> <ti>fully supported (gcc-4.3+)</ti></tr>
@@ -424,8 +424,8 @@ If no one can seem to answer your question, give me a poke either on irc
  <tr><ti>ia64</ti>     <ti>fully supported (gcc-3.4.4+)</ti></tr>
  <tr><ti>m68k</ti>     <ti>fully supported (gcc-3.4.x)</ti></tr>
  <tr><ti>mips</ti>     <ti>gcc-3.4.x does not generate .note.GNU-stack</ti></tr>
- <tr><ti>ppc</ti>      <ti>gcc generates proper .note.GNU-stack, but final link results in exec stack</ti></tr>
- <tr><ti>ppc64</ti>    <ti>gcc generates proper .note.GNU-stack, but final link results in exec stack</ti></tr>
+ <tr><ti>ppc</ti>      <ti>fully supported (gcc-4.4.x/glibc-2.11)</ti></tr>
+ <tr><ti>ppc64</ti>    <ti>fully supported (gcc-4.4.x/glibc-2.11)</ti></tr>
  <tr><ti>s390</ti>     <ti>fully supported</ti></tr>
  <tr><ti>s390x</ti>    <ti>fully supported</ti></tr>
  <tr><ti>sh</ti>       <ti>fully supported (gcc-3.4.x/glibc-2.5)</ti></tr>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     e2383632c32d16e68e8baa0a29c5ab13ff303348
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Mon May  9 21:46:03 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Mon May  9 21:46:03 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e2383632

Adding a comment to disable learning mode prior to converting rules. Thanks to Peter Harmsen

---
 xml/grsecurity.xml |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/xml/grsecurity.xml b/xml/grsecurity.xml
index 4517f10..12648e5 100644
--- a/xml/grsecurity.xml
+++ b/xml/grsecurity.xml
@@ -468,6 +468,11 @@ let <c>gradm</c> process them and propose roles under
 # <i>gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles</i>
 </pre>
 
+<note>
+You will need to disable the RBAC learning mode before doing this. You can use
+<c>gradm -D</c> for this.
+</note>
+
 <p>
 Audit the <path>/etc/grsec/learning.roles</path> and save it as
 <path>/etc/grsec/policy</path> (mode 0600) when you are finished.

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     ec0cc4ac98815ecf6dfe2588a18d6d4b4ffaccea
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Tue May 10 02:35:16 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Tue May 10 02:35:16 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ec0cc4ac

Forgot to push the date and version

---
 xml/grsecurity.xml |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xml/grsecurity.xml b/xml/grsecurity.xml
index 12648e5..0833805 100644
--- a/xml/grsecurity.xml
+++ b/xml/grsecurity.xml
@@ -17,8 +17,8 @@ configuration options and tools provided by the grsecurity project to lift your
 system's security to higher standards.
 </abstract>
 
-<version>1.2</version>
-<date>2010-11-28</date>
+<version>1.3</version>
+<date>2010-05-10</date>
 
 <chapter>
 <title>About Grsecurity</title>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     e355d40278fe8df7e742825cb2baa9b15a115e09
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 14 12:13:36 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat May 14 12:13:36 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e355d402

Add FAQ on how to retrieve the file context rule for a particular path

---
 xml/selinux-faq.xml |   31 +++++++++++++++++++++++++++++--
 1 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 471917e..969b562 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>7</version>
-<date>2011-05-03</date>
+<version>8</version>
+<date>2011-05-14</date>
 
 <faqindex>
 <title>Questions</title>
@@ -234,6 +234,33 @@ context.
 
 </body>
 </section>
+<section id="matchcontext">
+<title>
+  How do I know which file context rule is used for a particular file?
+</title>
+<body>
+
+<p>
+If you use the <c>matchpathcon</c> command, it will tell you what the security
+context for the given path (file or directory) should be, but it doesn't tell
+you which rule it used to deduce this. To do that, you can use <c>findcon</c>:
+</p>
+
+<pre caption="Using findcon">
+~# <i>findcon /etc/selinux/strict/contexts/files/file_contexts -p /lib64/rc/init.d</i>
+/.*                          system_u:object_r:default_t
+/lib(64)?/rc/init\.d(/.*)?   system_u:object_r:initrc_state_t
+/lib64/.*                    system_u:object_r:lib_t
+</pre>
+
+<p>
+When the SELinux utilities try to apply a context, they try to match the rule
+that is the most specific, so in the above case, it is the one that leads to the
+initrc_state_t context.
+</p>
+
+</body>
+</section>
 </chapter>
 
 <chapter>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     55938fb923ef8479039c869c661556f5e00a0f83
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 14 12:50:07 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat May 14 12:50:07 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=55938fb9

Update on FAQ about file contexts

---
 xml/selinux-faq.xml |   26 +++++++++++++++++++++++++-
 1 files changed, 25 insertions(+), 1 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 969b562..2cf70ed 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -249,7 +249,7 @@ you which rule it used to deduce this. To do that, you can use <c>findcon</c>:
 <pre caption="Using findcon">
 ~# <i>findcon /etc/selinux/strict/contexts/files/file_contexts -p /lib64/rc/init.d</i>
 /.*                          system_u:object_r:default_t
-/lib(64)?/rc/init\.d(/.*)?   system_u:object_r:initrc_state_t
+/lib64/rc/init\.d(/.*)?   system_u:object_r:initrc_state_t
 /lib64/.*                    system_u:object_r:lib_t
 </pre>
 
@@ -259,6 +259,30 @@ that is the most specific, so in the above case, it is the one that leads to the
 initrc_state_t context.
 </p>
 
+<p>
+The most specific means, in order of tests:
+</p>
+
+<ol>
+  <li>
+    If line A has a regular expression, and line B doesn't, then line B is more
+    specific.
+  </li>
+  <li>
+    If the number of characters before the first regular expression in line A is
+    less than the number of characters before the first regular expression in
+    line B, then line B is more specific
+  </li>
+  <li>
+    If the number of characters in line A is less than in line B, then line B is
+    more specific
+  </li>
+  <li>
+    If line A does not map to a specific SELinux type, and line B does, then
+    line B is more specific
+  </li>
+</ol>
+
 </body>
 </section>
 </chapter>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     d4a0dd66fa75f530f88e84bad169a1276d9d7806
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 22 19:58:25 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 22 19:58:25 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=d4a0dd66

Drop negative paragraphs, roadmap are a way to show how a project evolves, not what its history of flaws was

---
 xml/roadmap.xml |   21 ++-------------------
 1 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 6304c12..e8a46d8 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -42,25 +42,8 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>1.3</version>
-<date>2011-02-02</date>
-
-<chapter>
-<title>Where the Hardened Gentoo Project Is Today</title>
-<section>
-<body>
-
-<p>
-The Hardened Gentoo herd lost many developer in the past years. The toolchain
-was stuck on GCC 3.4.X for a long time but we have started to catch up, and the
-hardened-sources also needed to be brought up to date. The documentation is
-being updated slowly and still needs a lot of work. We also need bug-wranglers
-that help us with fixing bugs.
-</p>
-
-</body>
-</section>
-</chapter>
+<version>1.4</version>
+<date>2011-05-22</date>
 
 <chapter>
 <title>Short-Term Goals</title>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     30fc4bb43b43456288c250ed48d13972c00f5055
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 22 21:34:25 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 22 21:34:25 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=30fc4bb4

Improve roadmap (still wip)

---
 xml/roadmap.xml |  528 ++++++++++++++++++++++++++++++++++++++-----------------
 1 files changed, 364 insertions(+), 164 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index e8a46d8..eab839e 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -1,7 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 
-<guide link="roadmap.xml">
+<!--
+  TODO BEFORE REMOVING THE DISCLAIMER !!!
+
+  - Update document to use a generic structure (cfr until the "@HERE" sign)
+  - Move support tables out of the document, make it a
+    'supported-architectures.xml' file or something like that. People will
+    eventually ask if this or that is supported on their architecture, and then
+    that page is better suited than a roadmap page (with a roadmap page, people
+    think it isn't supported). 
+    Instead, in the roadmap, use something like 'Support currently unsupported
+    architectures (mips, ppc64, ...)' -> Unassigned, and for each one that is
+    progressing have a specific entry.
+  - Suggest changes to the document (make milestones benchmarkable, move other
+    stuff as goals).
+-->
+<guide disclaimer="draft" link="roadmap.xml">
 <title>Hardened Gentoo Roadmap</title>
 <author title="Author">
   <mail link="tocharian@gentoo.org">Adam Mondl</mail>
@@ -46,28 +61,366 @@ Hardened Gentoo project.
 <date>2011-05-22</date>
 
 <chapter>
-<title>Short-Term Goals</title>
+<title>Vision</title>
+<section>
+<body>
+
+<!--
+  What is the main vision that Gentoo Hardened strives towards?
+  Why does Gentoo Hardened exist? In light of which vision do we
+  take our decisions?
+-->
+
+<p>
+Within Gentoo Linux, the Gentoo Hardened project wants to be a shepherd for all
+security oriented projects. The project wants to make Gentoo viable for highly
+secure, high stability production environments. 
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Strategy</title>
+<section>
+<title>Introduction</title>
+<body>
+
+<!--
+  Our strategy should reflect our high-level choices and focuses. It should
+  describe what we aim for (in light of our vision) in a generic descriptive
+  approach. The strategy of Gentoo Hardened should be what we envision to be the
+  way to go forward to implement our vision. It should not change much in time.
+-->
+
+<p>
+In order to succesfully strive towards our vision, Gentoo Hardened aims to
+provide subprojects that test, develop, enhance, implement and integrate 
+specific security measures in Gentoo Linux. Although each of these projects has
+operational responsibilities (after all, the technologies that they support are
+used by users all around) they continue to research and develop, making Gentoo
+Linux even better than it is today.
+</p>
+
+<p>
+The direction that each of these projects is heading towards is described in
+their <e>roadmap</e>, a combination of strategic directions and shorter term
+milestones. These roadmaps are combined in this very document, allowing users to
+get a general overview of where Gentoo Hardened is evolving towards.
+</p>
+
+</body>
+</section>
+<section>
+<title>Documentation</title>
+<body>
+
+<p>
+Documentation is Gentoo Hardened's first asset that users come in contact with.
+It is important that Gentoo Hardened's documentation is well structured, easily
+accessible and correctly written. Although we currently focus on technically
+educated users and system administrators, this focus should not lower our
+responsibility of creating the necessary documents to guide new users in Gentoo
+Hardened's realms.
+</p>
+
+</body>
+</section>
+<section>
+<title>Vulnerability Mitigation</title>
+<body>
+
+<p>
+Users use a <e>toolchain</e>, a set of libraries and tools like compilers,
+linkers and more, to build their systems with. To fight potential
+vulnerabilities and future exploits, Gentoo Hardened maintains a toolchain that
+supports additional security-enhancing features like SSP, PIE and PIC.
+Our focus is to enhance and maintain this toolchain and help the integration of
+these security-enhancing patchsets within the upstream communities so that the
+benefits are available for all Linux users.
+</p>
+
+<p>
+Yet toolchains are not the only method where risks can be reduced. Specific
+patch sets that enhance Linux' security-related capabilities exist, such as
+PAX, that help users mitigate the risk of succesful exploitation of
+vulnerabilities. Gentoo Hardened positions and integrates these patches in the
+distribution.
+</p>
+
+</body>
+</section>
+<section>
+<title>Access Control</title>
+<body>
+
+<p>
+Although definitely not the only security component of a system, proper access
+control is a prerequisite for a safer environment. Within Gentoo Hardened,
+support of proper access control systems is important, and reflected in our
+choices of enhanced development of SELinux, grSecurity RSBAC and more.
+</p>
+
+</body>
+</section>
+<section>
+<title>Architecture Support</title>
+<body>
+
+<p>
+The current primary development activities take place within the popular and
+commodity architectures x86 and amd64 (x86_64). Yet many other architectures
+exist, especially within the server and embedded/mobile environments. These
+architectures need to be properly supported as well.
+</p>
+
+</body>
+</section>
+<section>
+<title>Staffing</title>
+<body>
+
+<p>
+In order to sustain or even grow our research and development pace and keep
+supporting operational tasks and help out users, the Gentoo Hardened team is
+always looking for fresh blood. Users who take a proactive approach to finding
+places for improvement and filling in the holes should and will be noticed and
+probably recruited. Yet recruitment is not mandatory to help out our project. 
+The necessary resources are put in place to let contributors efficiently help 
+out the project.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Documentation Goals and Milestones</title>
 <section>
-<title>Hardened Toolchain</title>
+<title>Current State</title>
 <body>
 
 <p>
-Now is the time to take a step back and examine the work that has been done so
-far. A review of the current approach that the hardened toolchain takes is
-needed. There may be ways to strengthen the current implementation or areas of
-code that can be cleaned up to allow changes to be pushed upstream easier.
+The Gentoo Hardened project is currently lagging behind a bit on documentation.
+Recent upstaffing and contributions have helped this out, but we still need to
+focus on the toolchain documentation (both toolchain-specific documentation
+as wel as documents that relate to the toolchain) such as SSP, PIE and PIC
+information.
 </p>
 
 <p>
-As a side effect of the previous hardened toolchain, many ebuilds currently
-filter hardened CFLAGS such as -fPIE and -fstack-protector. Work will also be
-dedicated to reviewing those packages and seeking alternate solutions for the
-filters.
+Also, comparative documents should be written to explain the choices that Gentoo
+Hardened has made, such as tool selection.
 </p>
 
 </body>
 </section>
+<section>
+<title>Goals and Milestones</title>
+<body>
+
+<!--
+  TODO I just verbatimly copied it from the previous version. However, I think
+  we should set goals (what to go for) and milestones (specific points that are
+  benchmarkable and - most likely - be strengthened by the availability of bug
+  reports)
+-->
+
+<table>
+<tr>
+  <th>Description</th>
+  <th>ETA</th>
+  <th>Status</th>
+  <th>Coordinator(s)</th>
+  <th>Related Bugs</th>
+</tr>
+<tr>
+  <ti>Document the Hardened Toolchain</ti>
+  <ti></ti>
+  <ti><keyword>In Progress</keyword></ti>
+  <ti>Zorry</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>Comparative analysis of security approaches taken by distributions</ti>
+  <ti></ti>
+  <ti><comment>Unassigned</comment></ti>
+  <ti></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>Rework grSecurity documentation</ti>
+  <ti></ti>
+  <ti><comment>Unassigned</comment></ti>
+  <ti></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>Update/rewrite propolice documentation</ti>
+  <ti></ti>
+  <ti><comment>Unassigned</comment></ti>
+  <ti></ti>
+  <ti />
+</tr>
+</table>
+
+</body>
+</section>
+</chapter>
 
+<chapter>
+<title>Hardened Toolchain Goals and Milestones</title>
+<section>
+<title>Current State</title>
+<body>
+
+<p>
+Our toolchain so far has seen a tremendous evolution. Some of the integrated
+patches have been accepted upstream (like SSP), but work can still improve.
+To allow changes to be pushed upstream more easily, we might need improvements
+on the ways to strengthen the current implementation, and work on the areas of
+code that need clean-up.
+</p>
+
+<p>
+Our next steps are to take a step backwards and examine the work that has been
+done so far. We need to improve our existing documents, but also review the
+packages available in the Portage tree and help out the package maintainers in
+handling CFLAG filters for a hardened toolchain in a proper way.
+</p>
+
+</body>
+</section>
+<section>
+<title>Goals and Milestones</title>
+<body>
+
+<table>
+<tr>
+  <th>Description</th>
+  <th>ETA</th>
+  <th>Status</th>
+  <th>Coordinator(s)</th>
+  <th>Related Bugs</th>
+</tr>
+<tr>
+  <th colspan="5">Improve and sustain support for multiple architectures</th>
+</tr>
+<tr>
+  <ti>x86 support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>Zorry</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>amd64 (x86_64) support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>Zorry</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>sparc32 support</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>sparc64 support</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>ppc support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>nixnut, Zorry, blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ppc64 support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>s390 support</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>hppa support</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>arm support</ti>
+  <ti />
+  <ti><var>In progress</var></ti>
+  <ti>blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>mips support</ti>
+  <ti />
+  <ti><var>In progress</var></ti>
+  <ti>blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ia64 support</ti>
+  <ti />
+  <ti><keyword>In place</keyword></ti>
+  <ti>Zorry, blueness</ti>
+  <ti />
+</tr>
+<tr>
+  <th colspan="5">Enhance documentation</th>
+</tr>
+<tr>
+  <ti>Document the toolchain feature set</ti>
+  <ti />
+  <ti><var>In progress</var></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <ti>Describe the grSecurity RBAC system</ti>
+  <ti />
+  <ti><comment>Unassigned</comment></ti>
+  <ti />
+  <ti />
+</tr>
+<tr>
+  <th colspan="5">Kernel development and maintenance</th>
+</tr>
+<tr>
+  <ti>Release hardened-sources-2.6.37</ti>
+  <ti />
+  <ti><keyword>Done</keyword></ti>
+  <ti>blueness</ti>
+  <ti />
+</tr>
+</table>
+
+<!-- @HERE -->
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Short-Term Goals</title>
 <section>
 <title>Access Control Systems</title>
 <body>
@@ -132,115 +485,8 @@ contact us.
 </chapter>
 
 <chapter>
-<title>Long-Term Goals</title>
-<section>
-<title>Documentation</title>
-<body>
-
-<p>
-The Hardened Gentoo Project is currently very lacking in documentation. The
-hardened toolchain needs to be documented fully, and older documents that have a
-relationship to the  toolchain need to be updated, such as the SSP, PIE, and PIC
-documents. Also, comparative documents should be written to explain the choices
-that Hardened Gentoo has made in deciding which security tools to support and
-which not to support.
-</p>
-
-</body>
-</section>
-
-<section>
-<title>Support More Architectures</title>
-<body>
-
-<p>
-A long-term goal of the Hardened Gentoo Project is to support all of the
-architectures that are officially supported by Gentoo. The only strong support
-that exists at the moment is for  x86 and amd64.
-</p>
-
-<p>
-The hardened toolchain supports x86, amd64, ppc, ppc64, arm, ia64 and would like
-to extend support to sparc and similar architectures. With access to different
-kinds of hardware,  hardened support can slowly be extended to those
-architectures as well.
-</p>
-
-</body>
-</section>
-
-<section>
-<title>Expand the Hardened Team</title>
-<body>
-
-<p>
-There will always be unfinished tasks for the Hardened Team. Users who take a
-proactive approach to finding places for improvement and filling in the holes
-will be noticed and probably recruited. Current Hardened Team members will be
-responsible for training new developers to fill new roles. If you are interested
-in helping out, stop by the IRC channel and let someone know what you are
-interested in and what you will be doing about it.
-</p>
-
-<p>
-Input/peer review should always be welcome as it helps everyone out in the long
-run.
-</p>
-
-
-</body>
-</section>
-</chapter>
-
-<chapter>
 <title>Roadmap Tracking</title>
 <section>
-<title>Hardened Toolchain</title>
-<body>
-
-<table>
-  <tr>
-    <th>Description</th><th>Coordinator(s)</th><th>Status</th>
-  </tr>
-  <tr>
-    <ti>x86 Support</ti><ti>zorry</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>amd64 Support</ti><ti>zorry</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>sparc32 Support</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>sparc64 Support</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>ppc Support</ti><ti>nixnut,zorry,blueness</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>ppc64 Support</ti><ti>blueness</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>s390 Support</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>hppa Support</ti><ti></ti><ti>Not supported</ti>
-  </tr>
-  <tr>
-    <ti>arm Support</ti><ti>blueness</ti><ti>In progress</ti>
-  </tr>
-  <tr>
-    <ti>mips Support</ti><ti>blueness</ti><ti>In progress</ti>
-  </tr>
-  <tr>
-    <ti>ia64 Support</ti><ti>zorry,blueness</ti><ti>Complete</ti>
-  </tr>
-</table>
-
-</body>
-</section>
-
-<section>
 <title>Hardened GCC</title>
 <body>
 
@@ -266,27 +512,6 @@ run.
 </section>
 
 <section>
-<title>Hardened Toolchain</title>
-<body>
-
-<table>
-  <tr>
-    <th>Description</th><th>Coordinator(s)</th><th>Status</th>
-  </tr>
-  <tr>
-    <ti>Document the feature set</ti><ti>none</ti><ti>In Progress</ti>
-  </tr>
-  <tr>
-    <ti>Describe the RBAC system</ti><ti>none</ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>Release hardened-sources-2.6.37</ti><ti>blueness</ti><ti>Complete</ti>
-  </tr>
-</table>
-
-</body>
-</section>
-<section>
 <title>Hardened Sources</title>
 <body>
 
@@ -383,31 +608,6 @@ run.
 </body>
 </section>
 
-<section>
-<title>Documentation</title>
-<body>
-
-<table>
-  <tr>
-    <th>Description</th><th>Coordinator(s)</th><th>Status</th>
-  </tr>
-  <tr>
-    <ti>Comparative analysis of security approaches taken by distributions.</ti>
-    <ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>Rework Grsecurity Documentation</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>Update/Rewrite Propolice Documentation</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>Document the Hardened Toolchain</ti><ti>zorry</ti><ti>In Progress</ti>
-  </tr>
-</table>
-
-</body>
-</section>
 </chapter>
 
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     c13c3be38a527171da47e374b3eeabde482f2a89
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 24 20:36:06 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 24 20:36:06 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c13c3be3

Suggest roadmap alterations, create support matrix page

---
 xml/roadmap.xml       |  224 ++++++++++++++++++-------------------------
 xml/support-state.xml |  257 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 349 insertions(+), 132 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index eab839e..e9d8839 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -4,20 +4,11 @@
 <!--
   TODO BEFORE REMOVING THE DISCLAIMER !!!
 
-  - Update document to use a generic structure (cfr until the "@HERE" sign)
-  - Move support tables out of the document, make it a
-    'supported-architectures.xml' file or something like that. People will
-    eventually ask if this or that is supported on their architecture, and then
-    that page is better suited than a roadmap page (with a roadmap page, people
-    think it isn't supported). 
-    Instead, in the roadmap, use something like 'Support currently unsupported
-    architectures (mips, ppc64, ...)' -> Unassigned, and for each one that is
-    progressing have a specific entry.
   - Suggest changes to the document (make milestones benchmarkable, move other
     stuff as goals).
 -->
 <guide disclaimer="draft" link="roadmap.xml">
-<title>Hardened Gentoo Roadmap</title>
+<title>Gentoo Hardened Roadmap</title>
 <author title="Author">
   <mail link="tocharian@gentoo.org">Adam Mondl</mail>
 </author>
@@ -305,185 +296,153 @@ handling CFLAG filters for a hardened toolchain in a proper way.
   <th>Related Bugs</th>
 </tr>
 <tr>
-  <th colspan="5">Improve and sustain support for multiple architectures</th>
-</tr>
-<tr>
-  <ti>x86 support</ti>
-  <ti />
-  <ti><keyword>In place</keyword></ti>
-  <ti>Zorry</ti>
-  <ti />
-</tr>
-<tr>
-  <ti>amd64 (x86_64) support</ti>
-  <ti />
-  <ti><keyword>In place</keyword></ti>
-  <ti>Zorry</ti>
-  <ti />
+  <th colspan="5">Enhance documentation</th>
 </tr>
 <tr>
-  <ti>sparc32 support</ti>
+  <ti>Document the toolchain feature set</ti>
   <ti />
-  <ti><comment>Unassigned</comment></ti>
+  <ti><var>In progress</var></ti>
   <ti />
   <ti />
 </tr>
 <tr>
-  <ti>sparc64 support</ti>
+  <ti>Describe the grSecurity RBAC system</ti>
   <ti />
   <ti><comment>Unassigned</comment></ti>
   <ti />
   <ti />
 </tr>
 <tr>
-  <ti>ppc support</ti>
-  <ti />
-  <ti><keyword>In place</keyword></ti>
-  <ti>nixnut, Zorry, blueness</ti>
-  <ti />
+  <th colspan="5">Kernel development and maintenance</th>
 </tr>
 <tr>
-  <ti>ppc64 support</ti>
+  <ti>Release hardened-sources-2.6.37</ti>
   <ti />
-  <ti><keyword>In place</keyword></ti>
+  <ti><keyword>Done</keyword></ti>
   <ti>blueness</ti>
   <ti />
 </tr>
+</table>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>grSecurity Goals and Milestones</title>
+<section>
+<title>Current State</title>
+<body>
+
+<p>
+grSecurity is well integrated within Gentoo Hardened (patch- and software wise
+as well as knowledge). However, the documentation is lagging behind a lot and
+is in need for attention.
+</p>
+
+</body>
+</section>
+<section>
+<title>Goals and Milestones</title>
+<body>
+
+<table>
 <tr>
-  <ti>s390 support</ti>
-  <ti />
-  <ti><comment>Unassigned</comment></ti>
-  <ti />
-  <ti />
+  <th>Description</th>
+  <th>ETA</th>
+  <th>Status</th>
+  <th>Coordinator(s)</th>
+  <th>Related Bugs</th>
 </tr>
 <tr>
-  <ti>hppa support</ti>
+  <ti>
+    the existing grSecurity2 document needs to be converted to Handbook XML
+  </ti>
   <ti />
   <ti><comment>Unassigned</comment></ti>
   <ti />
   <ti />
 </tr>
 <tr>
-  <ti>arm support</ti>
-  <ti />
-  <ti><var>In progress</var></ti>
-  <ti>blueness</ti>
-  <ti />
-</tr>
-<tr>
-  <ti>mips support</ti>
-  <ti />
-  <ti><var>In progress</var></ti>
-  <ti>blueness</ti>
-  <ti />
-</tr>
-<tr>
-  <ti>ia64 support</ti>
+  <ti>
+    the features of PAX and grSecurity need to be described and documented
+  </ti>
   <ti />
-  <ti><keyword>In place</keyword></ti>
-  <ti>Zorry, blueness</ti>
-  <ti />
-</tr>
-<tr>
-  <th colspan="5">Enhance documentation</th>
-</tr>
-<tr>
-  <ti>Document the toolchain feature set</ti>
-  <ti />
-  <ti><var>In progress</var></ti>
+  <ti><comment>Unassigned</comment></ti>
   <ti />
   <ti />
 </tr>
 <tr>
-  <ti>Describe the grSecurity RBAC system</ti>
+  <ti>
+    the RBAC system needs to be covered documentation-wise in much more detail
+  </ti>
   <ti />
   <ti><comment>Unassigned</comment></ti>
   <ti />
   <ti />
 </tr>
-<tr>
-  <th colspan="5">Kernel development and maintenance</th>
-</tr>
-<tr>
-  <ti>Release hardened-sources-2.6.37</ti>
-  <ti />
-  <ti><keyword>Done</keyword></ti>
-  <ti>blueness</ti>
-  <ti />
-</tr>
 </table>
 
-<!-- @HERE -->
-
 </body>
 </section>
 </chapter>
 
 <chapter>
-<title>Short-Term Goals</title>
+<title>SELinux Goals and Milestones</title>
 <section>
-<title>Access Control Systems</title>
+<title>Current State</title>
 <body>
 
-<p><b>Grsecurity</b></p>
-
-<p>
-Documents regarding Grsecurity are currently a major need for Gentoo.
-</p>
-
-<ul>
-<li>
-The existing Grsecurity2 document needs to be converted to Handbook XML.
-</li>
-<li>
-We are working on a document describing the features on PAX and Grsecurity.
-</li>
-<li>
-Also, a document describing the RBAC system in more detail is needed.
-</li>
-<li>
-Finally we are working on keeping the hardened kernel sources up to date.
-</li>
-</ul>
-
-<p><b>SELinux</b></p>
-
 <p>
-Currently the project supports x86 and AMD64 so support for other architectures
-has to be handled by upstream except when the issues can also be reproduced in
-any of those architectures. Aside work is being done in the following areas:
+The Gentoo Hardened SELinux state is, within the ~arch branches, up to date and
+fully supported (except MCS/MLS which is not supported yet). The documentation
+is being updated as the state evolves, but can still improve. 
 </p>
 
-<ul>
-<li>
-Strengthen and extend current policies.
-</li>
-<li>
-Extend support to more architectures.
-</li>
-<li>
-Policy module support.
-</li>
-<li>
-Additional Daemon Policies.
-</li>
-<li>
-Updated documentation.
-</li>
-</ul>
-
-<p><b>RSBAC</b></p>
+</body>
+</section>
+<section>
+<title>Goals and Milestones</title>
+<body>
 
-<p>
-We need a new maintainer here so if you think you qualify as it feel free to
-contact us.
-</p>
+<table>
+<tr>
+  <th>Description</th>
+  <th>ETA</th>
+  <th>Status</th>
+  <th>Coordinator(s)</th>
+  <th>Related Bugs</th>
+</tr>
+<tr>
+  <ti>Stabilize the userland tools and libraries</ti>
+  <ti>2011-05-24</ti>
+  <ti><var>Slight delay</var></ti>
+  <ti>blueness, SwifT</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>
+    Stabilize the ~arch SELinux policies based on 2.20101213 upstream branch
+  </ti>
+  <ti>2011-06-07</ti>
+  <ti><keyword>On track</keyword></ti>
+  <ti>blueness, SwifT</ti>
+  <ti><uri link="https://bugs.gentoo.org/368199">#368199</uri></ti>
+</tr>
+<tr>
+  <ti>Stabilize the new SELinux profile structure</ti>
+  <ti>2011-06-28</ti>
+  <ti><keyword>On track</keyword></ti>
+  <ti>blueness</ti>
+  <ti><uri link="https://bugs.gentoo.org/365483">#365483</uri></ti>
+</tr>
+</table>
 
 </body>
 </section>
-
 </chapter>
 
+<!-- 
 <chapter>
 <title>Roadmap Tracking</title>
 <section>
@@ -609,5 +568,6 @@ contact us.
 </section>
 
 </chapter>
+-->
 
 </guide>

diff --git a/xml/support-state.xml b/xml/support-state.xml
new file mode 100644
index 0000000..ea2047a
--- /dev/null
+++ b/xml/support-state.xml
@@ -0,0 +1,257 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+
+<guide disclaimer="draft" link="roadmap.xml">
+<title>Gentoo Hardened Support State</title>
+<author title="Author">
+  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
+</author>
+
+<abstract>
+The support state of the Gentoo Hardened project describes the supported
+platforms, setups and additional requirements for each of the subprojects
+involved. 
+</abstract>
+
+<version>1.0</version>
+<date>2011-05-25</date>
+
+<chapter>
+<title>Introduction</title>
+<section>
+<body>
+
+<p>
+The Gentoo Hardened project aims to support as many platforms as possible.
+However, this aim is restrained as we do not have access to as many platforms
+that we want (nor do we have the resources to work on all these platforms). As a
+result, support for the individual subprojects becomes limited to those
+platforms that we have access and resources to.
+</p>
+
+<p>
+This document gives an overview of the supported platforms and, if necessary,
+elaborates on the specific requirements in order to work with one of Gentoo
+Hardened's subprojects. Note that each subproject has its own support matrix,
+based on upstream support (which platforms are supported by the technology) and
+Gentoo Hardened (for which platforms can we run tests and validate users'
+reports and feedback).
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Support Matrices</title>
+<section>
+<title>Hardened Toolchain</title>
+<body>
+
+<table>
+<tr>
+  <th>Architecture</th>
+  <th>Support</th>
+  <th>Additional notes</th>
+</tr>
+<tr>
+  <ti>x86</ti>
+  <ti><keyword>In place</keyword></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>amd64 / x86_64</ti>
+  <ti><keyword>In place</keyword></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ppc</ti>
+  <ti><keyword>In place</keyword></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ppc64</ti>
+  <ti><keyword>In place</keyword></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ia64</ti>
+  <ti><keyword>In place</keyword></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>arm</ti>
+  <ti><var>In progress</var></ti>
+  <ti>Contact blueness for more information</ti>
+</tr>
+<tr>
+  <ti>mips</ti>
+  <ti><var>In progress</var></ti>
+  <ti>Contact blueness for more information</ti>
+</tr>
+<tr>
+  <ti>sparc32</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>sparc64</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>s390</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>hppa</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+</table>
+
+</body>
+</section>
+<section>
+<title>grSecurity (incl. PAX)</title>
+<body>
+
+<table>
+<tr>
+  <th>Architecture</th>
+  <th>Support</th>
+  <th>Additional notes</th>
+</tr>
+<tr>
+  <ti>x86</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>amd64 / x86_64</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ppc</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ppc64</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ia64</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>arm</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>mips</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>sparc32</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>sparc64</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>s390</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>hppa</ti>
+  <ti><const>Yet to be determined</const></ti>
+  <ti />
+</tr>
+</table>
+
+</body>
+</section>
+<section>
+<title>SELinux</title>
+<body>
+
+<table>
+<tr>
+  <th>Architecture</th>
+  <th>Support</th>
+  <th>Additional notes</th>
+</tr>
+<tr>
+  <ti>x86</ti>
+  <ti><keyword>In place</keyword></ti>
+  <ti>Still ~arch for the time being</ti>
+</tr>
+<tr>
+  <ti>amd64 / x86_64</ti>
+  <ti><keyword>In place</keyword></ti>
+  <ti>Still ~arch for the time being</ti>
+</tr>
+<tr>
+  <ti>ppc</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ppc64</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>ia64</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>arm</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>mips</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>sparc32</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>sparc64</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>s390</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+<tr>
+  <ti>hppa</ti>
+  <ti><comment>Unsupported</comment></ti>
+  <ti />
+</tr>
+</table>
+
+
+</body>
+</section>
+</chapter>
+
+</guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     2b99b5c3b7f1c2982e454f236362812f0a641075
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun  1 19:57:27 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jun  1 19:57:27 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2b99b5c3

Update no-multilib faq

---
 xml/selinux-faq.xml |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 2cf70ed..48c29be 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>8</version>
-<date>2011-05-14</date>
+<version>9</version>
+<date>2011-06-01</date>
 
 <faqindex>
 <title>Questions</title>
@@ -133,9 +133,10 @@ like we will eventually support these file systems on SELinux fully as well.
 <body>
 
 <p>
-Theoretically, definitely. However, the current selinux profiles in the Portage
-tree are not no-multilib capable. Work is on the way however to make the
-profiles more flexible and support no-multilib soon.
+Yes. However, for the time being, it is only supported through developer
+profiles, meaning that the profiles should not be seen as very stable (their
+content can still change swiftly). Try out
+<c>hardened/linux/amd64/no-multilib/selinux</c> and tell us what you get.
 </p>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     6ed03fec733088e5acad8b2c06b1a438a7a85d71
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun  1 21:25:55 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jun  1 21:25:55 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6ed03fec

Remove draft disclaimer

---
 xml/roadmap.xml       |    8 +-------
 xml/support-state.xml |    2 +-
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index d6ef1aa..1c2c987 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -1,13 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 
-<!--
-  TODO BEFORE REMOVING THE DISCLAIMER !!!
-
-  - Suggest changes to the document (make milestones benchmarkable, move other
-    stuff as goals).
--->
-<guide disclaimer="draft" link="roadmap.xml">
+<guide link="roadmap.xml">
 <title>Gentoo Hardened Roadmap</title>
 <author title="Author">
   <mail link="tocharian@gentoo.org">Adam Mondl</mail>

diff --git a/xml/support-state.xml b/xml/support-state.xml
index ea2047a..3733175 100644
--- a/xml/support-state.xml
+++ b/xml/support-state.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 
-<guide disclaimer="draft" link="roadmap.xml">
+<guide link="roadmap.xml">
 <title>Gentoo Hardened Support State</title>
 <author title="Author">
   <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     2d6ecd9d8e029f870749f4c6e8a24447ed65e819
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Thu Jun  9 17:34:54 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Thu Jun  9 17:34:54 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2d6ecd9d

Pushing typo corrected by nimiux

---
 xml/hardenedxorg.xml |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xml/hardenedxorg.xml b/xml/hardenedxorg.xml
index 74852cc..57be607 100644
--- a/xml/hardenedxorg.xml
+++ b/xml/hardenedxorg.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedxorg.xml,v 1.11 2006/12/23 13:03:11 phreak Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedxorg.xml,v 1.12 2011/05/12 16:32:02 nimiux Exp $ -->
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 
 <guide link="hardenedxorg.xml">
@@ -93,7 +93,7 @@ Suggestion therefore is, to turn this option off by deselecting it in your confi
 <body>
 
 <p>
-Enabling this option will result in all ioperm(2) and iopl(2) calls returning an error messge. ioperm(2) and iopl(2) might be
+Enabling this option will result in all ioperm(2) and iopl(2) calls returning an error message. ioperm(2) and iopl(2) might be
 used to modify the running kernel. As you wish to run a Xorg server on top of your hardened kernel (mostly GRsecurity), you'll
 have to disable this config option, in order to get the XServer up and running.
 </p>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[José María Alonso]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 1016 bytes --]

commit:     8f25d7fa11c6a04f1c0a4a4b6ecbd6f21814b00d
Author:     José María Alonso <nimiux <AT> gentoo <DOT> org>
AuthorDate: Fri Jun 10 14:56:34 2011 +0000
Commit:     José María Alonso <nimiux <AT> gentoo <DOT> org>
CommitDate: Fri Jun 10 14:56:34 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=8f25d7fa

Removed duplicate word. No version bump.

---
 xml/pax-utils.xml |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xml/pax-utils.xml b/xml/pax-utils.xml
index 39a3a9d..523f74d 100644
--- a/xml/pax-utils.xml
+++ b/xml/pax-utils.xml
@@ -636,8 +636,8 @@ their Program Header. The following flags are supported:
   <ti>X</ti>
   <ti>RANDEXEC</ti>
   <ti>
-    Randomize the address where the application maps to to
-    prevent certain attacks from being exploitable
+    Randomize the address where the application maps to prevent
+    certain attacks from being exploitable
   </ti>
 </tr>
 </table>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     968bd6cd20e26086c50a38c3ebe1cc4e8699ca1d
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Fri Jun 10 18:02:41 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Fri Jun 10 18:02:41 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=968bd6cd

Improving nasm lines so the stack bits are added on elf32 and elf64 targets

---
 xml/gnu-stack.xml |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/xml/gnu-stack.xml b/xml/gnu-stack.xml
index dc63054..45fcf64 100644
--- a/xml/gnu-stack.xml
+++ b/xml/gnu-stack.xml
@@ -348,6 +348,12 @@ at the end of the source file, recompile, and do a jig.
 %ifidn __OUTPUT_FORMAT__,elf
 section .note.GNU-stack noalloc noexec nowrite progbits
 %endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
 </pre>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     afbcd5f12e948e3ee39d35c0f434d0af6854b8c7
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Fri Jun 10 18:04:59 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Fri Jun 10 18:04:59 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=afbcd5f1

Small details versions and so

---
 xml/gnu-stack.xml |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/xml/gnu-stack.xml b/xml/gnu-stack.xml
index 45fcf64..a2fd7c6 100644
--- a/xml/gnu-stack.xml
+++ b/xml/gnu-stack.xml
@@ -16,13 +16,16 @@
 <author title="Contributor">
  <mail link="kevquinn@gentoo.org">Kevin F. Quinn</mail>
 </author>
+<author title="Contributor">
+ <mail link="klondike@gentoo.org">klondike</mail>
+</author>
 
 <abstract>Handbook for proper GNU Stack management in ELF systems</abstract>
 
 <!-- The content of this document is placed into the public domain, have fun -->
 
-<version>4</version>
-<date>2011-03-17</date>
+<version>4.1</version>
+<date>2011-09-06</date>
 
 <chapter>
 <title>Introduction</title>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     c90795d87b9934739e3ae907c0dd9e102815a169
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Jun 11 13:16:10 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Jun 11 13:16:10 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c90795d8

Fixing date format

---
 xml/gnu-stack.xml |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xml/gnu-stack.xml b/xml/gnu-stack.xml
index a2fd7c6..c453ef6 100644
--- a/xml/gnu-stack.xml
+++ b/xml/gnu-stack.xml
@@ -25,7 +25,7 @@
 <!-- The content of this document is placed into the public domain, have fun -->
 
 <version>4.1</version>
-<date>2011-09-06</date>
+<date>2011-06-11</date>
 
 <chapter>
 <title>Introduction</title>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     ea9087ae30f1b98f25bb27913097ae8e3f3e6fa0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jun 13 14:12:27 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Jun 13 14:12:27 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ea9087ae

update selinux roadmap

---
 xml/roadmap.xml |  147 ++++--------------------------------------------------
 1 files changed, 11 insertions(+), 136 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 1c2c987..f143ec5 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -36,6 +36,9 @@
 <author title="Contributor">
   <mail link="blueness@gentoo.org">Anthony G. Basile</mail>
 </author>
+<author title="Contributor">
+  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
+</author>
 
 <abstract>
 A roadmap that plots current needs and goals of the
@@ -419,27 +422,27 @@ is being updated as the state evolves, but can still improve.
     Stabilize the ~arch SELinux policies based on 2.20101213 upstream branch
   </ti>
   <ti>2011-06-07</ti>
-  <ti><keyword>On track</keyword></ti>
+  <ti>Done</ti>
   <ti>blueness, SwifT</ti>
-  <ti><uri link="https://bugs.gentoo.org/368199">#368199</uri></ti>
+  <ti />
 </tr>
 <tr>
   <ti>Improve QA on SELinux packages (f.i. migrate patchbundles away from filesdir)</ti>
-  <ti>2011-06-14</ti>
+  <ti>2011-07-01</ti>
   <ti><keyword>On track</keyword></ti>
-  <ti>SwifT</ti>
-  <ti />
+  <ti>blueness, SwifT</ti>
+  <ti><uri link="https://bugs.gentoo.org/370927">#370927</uri></ti>
 </tr>
 <tr>
   <ti>Stabilize the new SELinux profile structure</ti>
-  <ti>2011-06-28</ti>
+  <ti>2011-07-15</ti>
   <ti><keyword>On track</keyword></ti>
-  <ti>blueness</ti>
+  <ti>blueness, SwifT</ti>
   <ti><uri link="https://bugs.gentoo.org/365483">#365483</uri></ti>
 </tr>
 <tr>
   <ti>Add support for MCS (driver is virtualization)</ti>
-  <ti>2011-07-15</ti>
+  <ti>2011-08-01</ti>
   <ti><keyword>On track</keyword></ti>
   <ti>SwifT</ti>
   <ti></ti>
@@ -450,132 +453,4 @@ is being updated as the state evolves, but can still improve.
 </section>
 </chapter>
 
-<!-- 
-<chapter>
-<title>Roadmap Tracking</title>
-<section>
-<title>Hardened GCC</title>
-<body>
-
-<table>
-  <tr>
-    <th>GCC version</th><th>Support PIE</th><th>Support SSP</th><th>Arch</th>
-  </tr>
-  <tr>
-    <ti>3.6.X</ti><ti>Yes</ti><ti>Yes</ti><ti>x86 amd64</ti>
-  </tr>
-  <tr>
-    <ti>4.3.X</ti><ti>Yes</ti><ti>Yes</ti><ti>x86 amd64</ti>
-  </tr>
-  <tr>
-    <ti>4.4.X</ti><ti>Yes</ti><ti>Yes</ti><ti>x86 amd64 arm ppc ppc64 ia64</ti>
-  </tr>
-  <tr>
-    <ti>4.5.X</ti><ti>Yes</ti><ti>Yes</ti><ti>x86 amd64 arm ppc ppc64 ia64</ti>
-  </tr>
-</table>
-
-</body>
-</section>
-
-<section>
-<title>Hardened Sources</title>
-<body>
-
-<table>
-  <tr>
-    <th>Description</th><th>Coordinator(s)</th><th>Status</th>
-  </tr>
-  <tr>
-    <ti>x86 Support</ti><ti>blueness</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>amd64 Support</ti><ti>blueness</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>sparc32 Support</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>sparc64 Support</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>ppc Support</ti><ti>blueness</ti><ti>In Progress</ti>
-  </tr>
-  <tr>
-    <ti>ppc64 Support</ti><ti>blueness</ti><ti>Complete</ti>
-  </tr>
-  <tr>
-    <ti>s390 Support</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>hppa Support</ti><ti></ti><ti>Not supported</ti>
-  </tr>
-  <tr>
-    <ti>arm Support</ti><ti>blueness</ti><ti>In testing</ti>
-  </tr>
-  <tr>
-    <ti>mips Support</ti><ti>blueness</ti><ti>In testing</ti>
-  </tr>
-  <tr>
-    <ti>ia64 Support</ti><ti>blueness</ti><ti>Complete</ti>
-  </tr>
-</table>
-</body>
-</section>
-
-<section>
-<title>SELinux</title>
-<body>
-
-<table>
-  <tr>
-    <th>Description</th><th>Coordinator(s)</th><th>Status</th>
-  </tr>
-  <tr>
-    <ti>Strengthen and extend the current policies</ti><ti>pebenito</ti>
-    <ti>In Progress</ti>
-  </tr>
-  <tr>
-    <ti>Extend support to more architectures</ti><ti>pebenito</ti>
-    <ti>In Progress</ti>
-  </tr>
-  <tr>
-    <ti>Policy module support</ti><ti>pebenito</ti>
-    <ti>In Progress</ti>
-  </tr>
-  <tr>
-    <ti>Additional Daemon Policies</ti><ti>pebenito</ti>
-    <ti>In Progress</ti>
-  </tr>
-  <tr>
-    <ti>Updated documentation</ti><ti>SwifT</ti>
-    <ti>In Progress</ti>
-  </tr>
-</table>
-</body>
-</section>
-
-<section>
-<title>RSBAC</title>
-<body>
-
-<table>
-  <tr>
-    <th>Description</th><th>Coordinator(s)</th><th>Status</th>
-  </tr>
-  <tr>
-    <ti>Bring policy support tool to Gentoo packages.</ti><ti></ti>
-    <ti>Unassigned</ti>
-  </tr>
-  <tr>
-    <ti>Enhance RSBAC Documentation</ti><ti></ti><ti>Unassigned</ti>
-  </tr>
-</table>
-
-</body>
-</section>
-
-</chapter>
--->
-
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     2f1c5ca355dc71adfae07ac5bc6c326217b1e007
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jun 13 14:13:47 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Jun 13 14:13:47 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2f1c5ca3

Update SELinux roadmap

---
 xml/roadmap.xml |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index f143ec5..7537e4a 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -45,8 +45,8 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>1.4</version>
-<date>2011-05-22</date>
+<version>1.5</version>
+<date>2011-06-13</date>
 
 <chapter>
 <title>Vision</title>
@@ -391,9 +391,10 @@ is in need for attention.
 <body>
 
 <p>
-The Gentoo Hardened SELinux state is, within the ~arch branches, up to date and
-fully supported (except MCS/MLS which is not supported yet). The documentation
-is being updated as the state evolves, but can still improve. 
+The Gentoo Hardened SELinux state is up to date and fully supported (except
+MCS/MLS which is not supported yet). The documentation is being updated as 
+the state evolves, but can still improve. Primary focus now is on the quality
+of the packages.
 </p>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     742ec905f5f7173b2e726f9e1d1e319061ba6788
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jul 10 20:07:44 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jul 10 20:07:44 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=742ec905

Update SELinux roadmap status

---
 xml/roadmap.xml |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 7537e4a..82524ab 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -45,8 +45,8 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>1.5</version>
-<date>2011-06-13</date>
+<version>1.6</version>
+<date>2011-07-10</date>
 
 <chapter>
 <title>Vision</title>
@@ -429,15 +429,15 @@ of the packages.
 </tr>
 <tr>
   <ti>Improve QA on SELinux packages (f.i. migrate patchbundles away from filesdir)</ti>
-  <ti>2011-07-01</ti>
-  <ti><keyword>On track</keyword></ti>
+  <ti>2011-07-15</ti>
+  <ti><var>In progress</var></ti>
   <ti>blueness, SwifT</ti>
   <ti><uri link="https://bugs.gentoo.org/370927">#370927</uri></ti>
 </tr>
 <tr>
   <ti>Stabilize the new SELinux profile structure</ti>
   <ti>2011-07-15</ti>
-  <ti><keyword>On track</keyword></ti>
+  <ti><var>In progress</var></ti>
   <ti>blueness, SwifT</ti>
   <ti><uri link="https://bugs.gentoo.org/365483">#365483</uri></ti>
 </tr>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[José María Alonso]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 1199 bytes --]

commit:     cf085dc1f7e27c1ecc6def42c824f8d5b92a1d36
Author:     José María Alonso <nimiux <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 11 15:03:31 2011 +0000
Commit:     José María Alonso <nimiux <AT> gentoo <DOT> org>
CommitDate: Mon Jul 11 15:03:31 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=cf085dc1

Removed leading parenthesis. No version bump.

---
 xml/pic-guide.xml |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xml/pic-guide.xml b/xml/pic-guide.xml
index ce94b20..41ed7d9 100644
--- a/xml/pic-guide.xml
+++ b/xml/pic-guide.xml
@@ -75,7 +75,7 @@ or not. There are occasional architectures which don't make the
 distinction, usually because all object code is position independent by
 virtue of the Application Binary Interface (ABI), or less often because
 the load address of the object is fixed at compile time, which implies
-that shared libraries are not supported by such a platform).
+that shared libraries are not supported by such a platform.
 
 If an object is compiled as position independent code (PIC),
 then the operating system can load the object at any address

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     fa37b06ba12169bc569120d01a9128be32139908
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 13 21:37:38 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 13 21:37:38 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=fa37b06b

RSBAC and SELinux: yes, but no. See bug #374991

---
 xml/selinux-faq.xml |   14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 48c29be..dd081c0 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>9</version>
-<date>2011-06-01</date>
+<version>10</version>
+<date>2011-07-13</date>
 
 <faqindex>
 <title>Questions</title>
@@ -86,8 +86,14 @@ features of the compiler.
 <body>
 
 <p>
-We don't know. If you try this combination, we would be very interested
-in its results.
+Yes, SELinux and RSBAC can be used together, but it is not recommended. The
+RSBAC framework that is added to the Linux Security Modules framework (which
+is used by SELinux) impacts performance for little added value. 
+</p>
+
+<p>
+In most cases, it makes more sense to use RSBAC without SELinux, or SELinux
+without RSBAC.
 </p>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     1298c89ecfc7eee914e182882cab95a6b799e591
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 13 22:02:37 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 13 22:02:37 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=1298c89e

Update on RSBAC/SELinux wording

---
 xml/selinux-faq.xml |   16 +++++++++++++---
 1 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index dd081c0..28ea85a 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -86,9 +86,11 @@ features of the compiler.
 <body>
 
 <p>
-Yes, SELinux and RSBAC can be used together, but it is not recommended. The
-RSBAC framework that is added to the Linux Security Modules framework (which
-is used by SELinux) impacts performance for little added value. 
+Yes, SELinux and RSBAC can be used together, but it is not recommended.
+Both frameworks (RSBAC and the SELinux implementation on top of Linux' Linux
+Security Modules framework) have a slight impact on system performance.
+Enabling them both only hinders performance more, for little added value since
+they both offer similar functionality.
 </p>
 
 <p>
@@ -96,6 +98,14 @@ In most cases, it makes more sense to use RSBAC without SELinux, or SELinux
 without RSBAC.
 </p>
 
+<!--
+If users are unclear, mention that you can compile both in and then try to
+only enable one (configuration wise), but that this has little benefit on
+the performance (since the hooks are there, the checks that are made are just
+a bit different but due to caching, the overhead of having it enabled versus
+disabled is small anyhow).
+-->
+
 </body>
 </section>
 <section id="filesystem">

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     75196d7d1968eaadde181d6722ee834a333b12d0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Jul 15 16:07:09 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Jul 15 16:07:09 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=75196d7d

Fix roadmap to be guide.dtd compliant

---
 xml/roadmap.xml |   36 ++++++++++++++++++------------------
 1 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 82524ab..18ebf78 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -45,8 +45,8 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>1.6</version>
-<date>2011-07-10</date>
+<version>1.7</version>
+<date>2011-07-15</date>
 
 <chapter>
 <title>Vision</title>
@@ -226,28 +226,28 @@ Hardened has made, such as tool selection.
 <tr>
   <ti>Document the Hardened Toolchain</ti>
   <ti></ti>
-  <ti><keyword>In Progress</keyword></ti>
+  <ti>In Progress</ti>
   <ti>Zorry</ti>
   <ti />
 </tr>
 <tr>
   <ti>Comparative analysis of security approaches taken by distributions</ti>
   <ti></ti>
-  <ti><comment>Unassigned</comment></ti>
+  <ti>Unassigned</ti>
   <ti></ti>
   <ti />
 </tr>
 <tr>
   <ti>Rework grSecurity documentation</ti>
   <ti></ti>
-  <ti><comment>Unassigned</comment></ti>
+  <ti>Unassigned</ti>
   <ti></ti>
   <ti />
 </tr>
 <tr>
   <ti>Update/rewrite propolice documentation</ti>
   <ti></ti>
-  <ti><comment>Unassigned</comment></ti>
+  <ti>Unassigned</ti>
   <ti></ti>
   <ti />
 </tr>
@@ -298,14 +298,14 @@ handling CFLAG filters for a hardened toolchain in a proper way.
 <tr>
   <ti>Document the toolchain feature set</ti>
   <ti />
-  <ti><var>In progress</var></ti>
+  <ti>In progress</ti>
   <ti />
   <ti />
 </tr>
 <tr>
   <ti>Describe the grSecurity RBAC system</ti>
   <ti />
-  <ti><comment>Unassigned</comment></ti>
+  <ti>Unassigned</ti>
   <ti />
   <ti />
 </tr>
@@ -315,7 +315,7 @@ handling CFLAG filters for a hardened toolchain in a proper way.
 <tr>
   <ti>Release hardened-sources-2.6.37</ti>
   <ti />
-  <ti><keyword>Done</keyword></ti>
+  <ti>Done</ti>
   <ti>blueness</ti>
   <ti />
 </tr>
@@ -356,7 +356,7 @@ is in need for attention.
     the existing grSecurity2 document needs to be converted to Handbook XML
   </ti>
   <ti />
-  <ti><comment>Unassigned</comment></ti>
+  <ti>Unassigned</ti>
   <ti />
   <ti />
 </tr>
@@ -365,7 +365,7 @@ is in need for attention.
     the features of PAX and grSecurity need to be described and documented
   </ti>
   <ti />
-  <ti><comment>Unassigned</comment></ti>
+  <ti>Unassigned</ti>
   <ti />
   <ti />
 </tr>
@@ -374,7 +374,7 @@ is in need for attention.
     the RBAC system needs to be covered documentation-wise in much more detail
   </ti>
   <ti />
-  <ti><comment>Unassigned</comment></ti>
+  <ti>Unassigned</ti>
   <ti />
   <ti />
 </tr>
@@ -429,22 +429,22 @@ of the packages.
 </tr>
 <tr>
   <ti>Improve QA on SELinux packages (f.i. migrate patchbundles away from filesdir)</ti>
-  <ti>2011-07-15</ti>
-  <ti><var>In progress</var></ti>
+  <ti>2011-07-18</ti>
+  <ti>In progress</ti>
   <ti>blueness, SwifT</ti>
   <ti><uri link="https://bugs.gentoo.org/370927">#370927</uri></ti>
 </tr>
 <tr>
   <ti>Stabilize the new SELinux profile structure</ti>
-  <ti>2011-07-15</ti>
-  <ti><var>In progress</var></ti>
+  <ti>2011-08-01</ti>
+  <ti>In progress</ti>
   <ti>blueness, SwifT</ti>
   <ti><uri link="https://bugs.gentoo.org/365483">#365483</uri></ti>
 </tr>
 <tr>
   <ti>Add support for MCS (driver is virtualization)</ti>
-  <ti>2011-08-01</ti>
-  <ti><keyword>On track</keyword></ti>
+  <ti>2011-08-15</ti>
+  <ti>On track</ti>
   <ti>SwifT</ti>
   <ti></ti>
 </tr>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     3fcf0bf060d787bb49d8cadf636dd4df7df7fdf7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 16 20:33:07 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jul 16 20:33:07 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3fcf0bf0

update, remove keyword/const/comment/var

---
 xml/support-state.xml |   66 ++++++++++++++++++++++++------------------------
 1 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/xml/support-state.xml b/xml/support-state.xml
index 3733175..65ed7bb 100644
--- a/xml/support-state.xml
+++ b/xml/support-state.xml
@@ -56,57 +56,57 @@ reports and feedback).
 </tr>
 <tr>
   <ti>x86</ti>
-  <ti><keyword>In place</keyword></ti>
+  <ti>In place</ti>
   <ti />
 </tr>
 <tr>
   <ti>amd64 / x86_64</ti>
-  <ti><keyword>In place</keyword></ti>
+  <ti>In place</ti>
   <ti />
 </tr>
 <tr>
   <ti>ppc</ti>
-  <ti><keyword>In place</keyword></ti>
+  <ti>In place</ti>
   <ti />
 </tr>
 <tr>
   <ti>ppc64</ti>
-  <ti><keyword>In place</keyword></ti>
+  <ti>In place</ti>
   <ti />
 </tr>
 <tr>
   <ti>ia64</ti>
-  <ti><keyword>In place</keyword></ti>
+  <ti>In place</ti>
   <ti />
 </tr>
 <tr>
   <ti>arm</ti>
-  <ti><var>In progress</var></ti>
+  <ti>In progress</ti>
   <ti>Contact blueness for more information</ti>
 </tr>
 <tr>
   <ti>mips</ti>
-  <ti><var>In progress</var></ti>
+  <ti>In progress</ti>
   <ti>Contact blueness for more information</ti>
 </tr>
 <tr>
   <ti>sparc32</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>sparc64</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>s390</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>hppa</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 </table>
@@ -125,57 +125,57 @@ reports and feedback).
 </tr>
 <tr>
   <ti>x86</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>amd64 / x86_64</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>ppc</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>ppc64</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>ia64</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>arm</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>mips</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>sparc32</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>sparc64</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>s390</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 <tr>
   <ti>hppa</ti>
-  <ti><const>Yet to be determined</const></ti>
+  <ti>Yet to be determined</ti>
   <ti />
 </tr>
 </table>
@@ -194,57 +194,57 @@ reports and feedback).
 </tr>
 <tr>
   <ti>x86</ti>
-  <ti><keyword>In place</keyword></ti>
+  <ti>In place</ti>
   <ti>Still ~arch for the time being</ti>
 </tr>
 <tr>
   <ti>amd64 / x86_64</ti>
-  <ti><keyword>In place</keyword></ti>
+  <ti>In place</ti>
   <ti>Still ~arch for the time being</ti>
 </tr>
 <tr>
   <ti>ppc</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>ppc64</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>ia64</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>arm</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>mips</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>sparc32</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>sparc64</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>s390</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 <tr>
   <ti>hppa</ti>
-  <ti><comment>Unsupported</comment></ti>
+  <ti>Unsupported</ti>
   <ti />
 </tr>
 </table>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     fda8a26f64cf78fbdb98c2975fe39497a3053a3a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 21 19:47:29 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 21 19:47:29 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=fda8a26f

Update roadmap SELinux state

---
 xml/roadmap.xml |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 18ebf78..0dc844f 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -45,8 +45,8 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>1.7</version>
-<date>2011-07-15</date>
+<version>1.8</version>
+<date>2011-07-21</date>
 
 <chapter>
 <title>Vision</title>
@@ -392,9 +392,9 @@ is in need for attention.
 
 <p>
 The Gentoo Hardened SELinux state is up to date and fully supported (except
-MCS/MLS which is not supported yet). The documentation is being updated as 
+MLS which is considered experimental). The documentation is being updated as 
 the state evolves, but can still improve. Primary focus now is on the quality
-of the packages.
+of the packages and improved support for MCS.
 </p>
 
 </body>
@@ -430,9 +430,9 @@ of the packages.
 <tr>
   <ti>Improve QA on SELinux packages (f.i. migrate patchbundles away from filesdir)</ti>
   <ti>2011-07-18</ti>
-  <ti>In progress</ti>
+  <ti>Done</ti>
   <ti>blueness, SwifT</ti>
-  <ti><uri link="https://bugs.gentoo.org/370927">#370927</uri></ti>
+  <ti />
 </tr>
 <tr>
   <ti>Stabilize the new SELinux profile structure</ti>
@@ -444,7 +444,7 @@ of the packages.
 <tr>
   <ti>Add support for MCS (driver is virtualization)</ti>
   <ti>2011-08-15</ti>
-  <ti>On track</ti>
+  <ti>Done</ti>
   <ti>SwifT</ti>
   <ti></ti>
 </tr>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     bda8e6d494db7b206df97c5fc314697258e55f9c
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 10 18:32:38 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 10 18:32:38 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=bda8e6d4

Add information on undefined permissions

A question that pops up on #gentoo-hardened from time to time is the error message displayed during boot about missing permissions. This FAQ entry should answer that question.

---
 xml/selinux-faq.xml |   36 ++++++++++++++++++++++++++++++++++--
 1 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 28ea85a..35fc742 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>10</version>
-<date>2011-07-13</date>
+<version>11</version>
+<date>2011-08-10</date>
 
 <faqindex>
 <title>Questions</title>
@@ -333,6 +333,38 @@ registers with SELinux as a secondary module.
 
 </body>
 </section>
+<section id="permission_not_defined">
+<title>I get a 'Permission ... in class ... not defined' message during booting</title>
+<body>
+
+<p>
+During boot-up, the following message is shown:
+</p>
+
+<pre caption="Kernel message on undefined permission(s)">
+SELinux: 2048 avtab hash slots, 16926 rules.
+SELinux: 2048 avtab hash slots, 16926 rules.
+SELinux:  6 users, 6 roles, 1083 types, 34 bools
+SELinux:  77 classes, 16926 rules
+SELinux:  Permission read_policy in class security not defined in policy.
+SELinux:  Permission audit_access in class file not defined in policy.
+SELinux:  Permission audit_access in class dir not defined in policy.
+SELinux:  Permission execmod in class dir not defined in policy.
+...
+SELinux: the above unknown classes and permissions will be denied
+SELinux:  Completing initialization.
+</pre>
+
+<p>
+This means that the Linux kernel that you are booting supports permissions that
+are not defined in the policy (as offered through the
+<c>sec-policy/selinux-base-policy</c> package). If you do not notice any errors
+during regular operations, then this can be ignored (the permissions will be
+made part of upcoming policy definitions).
+</p>
+
+</body>
+</section>
 </chapter>
 <chapter>
 <title>SELinux and Gentoo</title>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     791d5a0e38996ec8ae8738ae3d5624d4ef4e5eda
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 12 20:59:55 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 12 20:59:55 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=791d5a0e

Update role

---
 xml/index.xml |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/xml/index.xml b/xml/index.xml
index f0bc818..c770a9e 100644
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -5,7 +5,7 @@
 <project>
 <name>hardened</name>
 <longname>Hardened Gentoo</longname>
-<date>2011-1-7</date>
+<date>2011-08-12</date>
 
 <description>
 Hardened Gentoo brings advanced security measures to Gentoo Linux.
@@ -41,6 +41,7 @@ Gentoo once they've been tested for security and stability by the Hardened team.
 <dev role="Member" description="Hardened sources">Chainsaw</dev>
 <dev role="Member" description="PPC arch team liaison">nixnut</dev>
 <dev role="Member" description="SELinux">pebenito</dev>
+<dev role="Member" description="SELinux">SwifT</dev>
 
 <!-- In the future we could use inheritmembers="yes"  but we need pages for all
 or most of the subprojects -->
@@ -144,8 +145,6 @@ project:
 <ti>Documentation writing, support</ti></tr>
 <tr><ti>Chris Richards</ti><ti>gizmo</ti>
 <ti>Policy development, support (SELinux)</ti></tr>
-<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti>
-<ti>Documentation writing, policy development, support (SELinux)</ti></tr>
 </table>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     33c798db8e4821f50f067978b212114c6f0863a9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Aug 22 19:17:11 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Aug 22 19:17:11 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=33c798db

Adding FAQ entry on the policy version mixing !#^$@°à

---
 xml/selinux-faq.xml |   57 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 35fc742..961c4fd 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>11</version>
-<date>2011-08-10</date>
+<version>12</version>
+<date>2011-08-22</date>
 
 <faqindex>
 <title>Questions</title>
@@ -601,5 +601,58 @@ Another fix would be to disable UBAC completely. This is accomplished with
 
 </body>
 </section>
+<section id="missingdatum">
+<title>When querying the policy, I get 'ERROR: could not find datum for type ...'</title>
+<body>
+
+<p>
+When using <c>seinfo</c> or <c>sesearch</c> to query the policy on the system,
+you get errors similar to:
+</p>
+
+<pre caption="Triggering the 'could not find datum' error">
+~# <i>seinfo -tasterisk_t</i>
+ERROR: could not find datum for type asterisk_t
+</pre>
+
+<p>
+This is most likely because your tools are using a newer binary policy to
+enforce policy, but an older binary for querying. You can verify if this is the
+case by listing the last modification time on the files:
+</p>
+
+<pre caption="Checking last modification time of the policy files">
+~# <i>ls -ltr /etc/selinux/strict/policy/policy.*</i>
+</pre>
+
+<p>
+The file modified last should be the same one as returned by checking
+<path>/selinux/policyvers</path>:
+</p>
+
+<pre caption="Checking the runtime policy version">
+~# <i>cat /selinux/policyvers; echo</i>
+24
+</pre>
+
+<p>
+If this is not the case (which is very likely since you are reading this FAQ
+entry) then try forcing the utilities policy version to the correct version:
+</p>
+
+<pre caption="Editing semanage.conf">
+~# <i>vim /etc/selinux/semanage.conf</i>
+<comment># Look for and uncomment the policy-version line and set it to the right version</comment>
+policy-version = <i>24</i>
+</pre>
+
+<impo>
+If your system is upgrading its kernel, higher version(s) can be supported. In
+this case, either unset the value again to automatically "jump" to a higher
+version, or force set it to the higher version.
+</impo>
+
+</body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     04166a1ae8fe74eba7a41b5b9feb9496cfa8967a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 24 21:09:02 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 24 21:09:02 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=04166a1a

Update on roadmap for SELinux

---
 xml/roadmap.xml |   53 +++++++++++++++++++++++++++++------------------------
 1 files changed, 29 insertions(+), 24 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 0dc844f..9fbefc9 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -37,7 +37,7 @@
   <mail link="blueness@gentoo.org">Anthony G. Basile</mail>
 </author>
 <author title="Contributor">
-  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
+  <mail link="swift" />
 </author>
 
 <abstract>
@@ -45,8 +45,8 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>1.8</version>
-<date>2011-07-21</date>
+<version>2</version>
+<date>2011-08-24</date>
 
 <chapter>
 <title>Vision</title>
@@ -412,41 +412,46 @@ of the packages and improved support for MCS.
   <th>Related Bugs</th>
 </tr>
 <tr>
-  <ti>Stabilize the userland tools and libraries</ti>
-  <ti>2011-05-24</ti>
+  <ti>Add support for MCS (driver is virtualization)</ti>
+  <ti>2011-08-15</ti>
   <ti>Done</ti>
-  <ti>blueness, SwifT</ti>
-  <ti />
+  <ti>SwifT</ti>
+  <ti></ti>
 </tr>
 <tr>
-  <ti>
-    Stabilize the ~arch SELinux policies based on 2.20101213 upstream branch
-  </ti>
-  <ti>2011-06-07</ti>
+  <ti>Stabilize the new SELinux profile structure</ti>
+  <ti>2011-08-20</ti>
   <ti>Done</ti>
   <ti>blueness, SwifT</ti>
-  <ti />
+  <ti><uri link="https://bugs.gentoo.org/365483">#365483</uri></ti>
 </tr>
 <tr>
-  <ti>Improve QA on SELinux packages (f.i. migrate patchbundles away from filesdir)</ti>
-  <ti>2011-07-18</ti>
-  <ti>Done</ti>
-  <ti>blueness, SwifT</ti>
+  <ti>Merge 20110726 policies in ~arch</ti>
+  <ti>2011-08-28</ti>
+  <ti>Busy</ti>
+  <ti>SwifT</ti>
   <ti />
 </tr>
 <tr>
-  <ti>Stabilize the new SELinux profile structure</ti>
-  <ti>2011-08-01</ti>
-  <ti>In progress</ti>
-  <ti>blueness, SwifT</ti>
-  <ti><uri link="https://bugs.gentoo.org/365483">#365483</uri></ti>
+  <ti>Stabilize the 20110727 userland tools and libraries</ti>
+  <ti>2011-09-30</ti>
+  <ti></ti>
+  <ti>SwifT</ti>
+  <ti />
 </tr>
 <tr>
-  <ti>Add support for MCS (driver is virtualization)</ti>
-  <ti>2011-08-15</ti>
-  <ti>Done</ti>
+  <ti>Stabilize the 20110726 policies</ti>
+  <ti>2011-09-30</ti>
+  <ti></ti>
   <ti>SwifT</ti>
+  <ti />
+</tr>
+<tr>
+  <ti>Deprecate old profiles</ti>
+  <ti>2011-12-01</ti>
   <ti></ti>
+  <ti>blueness</ti>
+  <ti />
 </tr>
 </table>
 

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     5b6d6b610ddbb96018f8159ffad8dd838d139306
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Sep  3 12:09:43 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Sep  3 12:09:43 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5b6d6b61

File context order is only for policy-provided ones, locally added use last-match algorithm

---
 xml/selinux-faq.xml |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 961c4fd..1427d89 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>12</version>
-<date>2011-08-22</date>
+<version>13</version>
+<date>2011-09-03</date>
 
 <faqindex>
 <title>Questions</title>
@@ -300,6 +300,12 @@ The most specific means, in order of tests:
   </li>
 </ol>
 
+<p>
+However, when you add your own file contexts (using <c>semanage</c>), this does
+not apply. Instead, tools like <c>restorecon</c> will take the <e>last</e> hit
+within the locally added file contexts!
+</p>
+
 </body>
 </section>
 </chapter>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     11b1fe0702047eb939047f1f441b45c2e474485f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Sep  4 19:12:29 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Sep  4 19:12:29 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=11b1fe07

Update FAQ, add entry regarding local policy (id=localpolicy)

---
 xml/selinux-faq.xml |  121 ++++++++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 114 insertions(+), 7 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 1427d89..9a3fc95 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>13</version>
-<date>2011-09-03</date>
+<version>14</version>
+<date>2011-09-04</date>
 
 <faqindex>
 <title>Questions</title>
@@ -148,11 +148,11 @@ like we will eventually support these file systems on SELinux fully as well.
 <title>Can I use SELinux with AMD64 no-multilib?</title>
 <body>
 
+<!-- FAQ might be removed in the future since it is now obvious -->
+
 <p>
-Yes. However, for the time being, it is only supported through developer
-profiles, meaning that the profiles should not be seen as very stable (their
-content can still change swiftly). Try out
-<c>hardened/linux/amd64/no-multilib/selinux</c> and tell us what you get.
+Yes, just use the <path>hardened/linux/amd64/no-multilib/selinux</path> profile
+and you're all set.
 </p>
 
 </body>
@@ -303,7 +303,114 @@ The most specific means, in order of tests:
 <p>
 However, when you add your own file contexts (using <c>semanage</c>), this does
 not apply. Instead, tools like <c>restorecon</c> will take the <e>last</e> hit
-within the locally added file contexts!
+within the locally added file contexts! You can check the content of the
+locally added rules in <path>/etc/selinux/strict/contexts/files/file_contexts.local</path>
+(substitute <path>strict</path> with your SELinux type).
+</p>
+
+</body>
+</section>
+<section id="localpolicy">
+<title>How do I make small changes (additions) to the policy?</title>
+<body>
+
+<p>
+If you are interested in the Gentoo Hardened SELinux development itself, please
+have a look at the <uri link="/proj/en/hardened/selinux-development.xml">SELinux
+Development Guide</uri> and other documentation linked from the <uri
+link="/proj/en/hardened/selinux/index.xml">SELinux project page</uri>.
+</p>
+
+<p>
+However, you will eventually need to keep some changes on your policy, due to
+how you have configured your system or when you need to allow something that is
+not going to be accepted as a distribution-wide policy change. In that case,
+read on.
+</p>
+
+<p>
+Updates on the policy are only possible as long as you need to <e>allow</e>
+additional privileges. It is not possible to remove rules from the policy, only
+enhance it. To maintain your own set of additional rules, create a file in which
+you will keep your changes. In the next example, I will use the term
+<path>fixlocal</path>, substitute with whatever name you like - but keep it
+consistent. In the file (<path>fixlocal.te</path>) put in the following text
+(again, substitute <path>fixlocal</path> with your chosen name):
+</p>
+
+<pre caption="fixlocal.te content">
+policy_module(fixlocal, 1.0)
+
+require {
+<comment># Declarations of types, classes and permissions used</comment>
+
+}
+
+<comment># Declaration of policy rules</comment>
+</pre>
+
+<p>
+In this file, you can add rules as you like. In the next example, we add three
+rules:
+</p>
+
+<ol>
+  <li>
+    Allow <c>mozilla_t</c> the <c>execmem</c> privilege (based on a denial that
+    occurs when mozilla fails to start)
+  </li>
+  <li>
+    Allow <c>ssh_t</c> to connect to any port rather than just the SSH port
+  </li>
+  <li>
+    Allows the <c>user_t</c> domain to send messages directly to the system
+    logger
+  </li>
+</ol>
+
+<pre caption="fixlocal.te content">
+policy_module(fixlocal, 1.0)
+
+require {
+  type mozilla_t;
+  type ssh_t;
+  type user_t;
+
+  class process { execmem };
+}
+
+<comment># Grant mozilla the execmem privilege</comment>
+allow mozilla_t self:process { execmem };
+
+<comment># Allow SSH client to connect to any port (as provided by the user through the 
+# "ssh -p &lt;portnum&gt; ..." command)</comment>
+corenet_tcp_connect_all_ports(ssh_t)
+
+<comment># Allow the user_t domain to send messages to the system logger</comment>
+logging_send_syslog_msg(user_t)
+</pre>
+
+<p>
+If you need to provide raw allow statements (like the one above for the
+<c>mozilla_t</c> domain), make sure that the type (<c>mozilla_t</c>), 
+class (<c>process</c>) and privilege (<c>execmem</c>) are mentioned in
+the <c>require { ... }</c> paragraph.
+</p>
+
+<p>
+When using interface names, make sure that the type (<c>ssh_t</c> and
+<c>user_t</c>) is mentioned in the <c>require { ... }</c> paragraph.
+</p>
+
+<p>
+To find the proper interface name (like <c>corenet_tcp_connect_all_ports</c>
+above), you can either look for it in the <uri
+link="http://oss.tresys.com/docs/refpolicy/api/">SELinux Reference Policy
+API</uri> online or, if <c>sec-policy/selinux-base-policy</c> is built with the
+<e>doc</e> USE flag, in <path>/usr/share/doc/selinux-base-policy-.*/html</path>.
+Of course, you can also ask for help in <c>#gentoo-hardened</c> on
+irc.freenode.net, the mailinglist, forums, etc. to find the proper rules and
+statements for your case.
 </p>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     3f78e9c189f9cf89cca00bbe727d3fcf3515d76e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Sep  4 19:28:51 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Sep  4 19:28:51 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3f78e9c1

Update on SELinux policy - remove the stanza on gentoo_ prefix, does not work out well

---
 xml/selinux-policy.xml |   33 ++-------------------------------
 1 files changed, 2 insertions(+), 31 deletions(-)

diff --git a/xml/selinux-policy.xml b/xml/selinux-policy.xml
index 3d5f273..1f17889 100644
--- a/xml/selinux-policy.xml
+++ b/xml/selinux-policy.xml
@@ -19,8 +19,8 @@ Gentoo Hardened in order to consistenly develop its security policy rules.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>3</version>
-<date>2011-02-26</date>
+<version>4</version>
+<date>2011-09-04</date>
 
 <chapter>
 <title>Principles</title>
@@ -148,35 +148,6 @@ domain).
 </body>
 </section>
 <section>
-<title>Use 'gentoo_' prefix</title>
-<body>
-
-<p>
-When Gentoo Hardened updates policy rules, the patches it applies will strive to
-use a <e>gentoo_</e> prefix where possible:
-</p>
-
-<ul>
-  <li>
-    added interfaces for existing modules will start with the <e>gentoo_</e>
-    prefix
-  </li>
-  <li>
-    new booleans will start with the <e>gentoo_</e> prefix
-  </li>
-</ul>
-
-<p>
-This ensures that, if the changes (and their use) is included upstream, we can
-safely migrate towards the upstream implementation rather than face a collision
-of names. Also, this ensures that no unwanted accesses are granted (or
-functionalities suddenly prohibited) when upstream includes a change with the
-same name but totally different meaning or implementation.
-</p>
-
-</body>
-</section>
-<section>
 <title>Do Not Allow Cosmetic Denials</title>
 <body>
 

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     510073a8aac83a538605eaf3bdaab23758b15fb2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Sep  4 19:53:01 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Sep  4 19:53:01 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=510073a8

Update on recent development updates

---
 xml/selinux-development.xml |  135 ++++++++++++++++++++++---------------------
 1 files changed, 70 insertions(+), 65 deletions(-)

diff --git a/xml/selinux-development.xml b/xml/selinux-development.xml
index ddd5230..a8e8e14 100644
--- a/xml/selinux-development.xml
+++ b/xml/selinux-development.xml
@@ -18,8 +18,8 @@ acquainted with the necessary resources, trips and tricks to get along.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>1</version>
-<date>2011-04-22</date>
+<version>2</version>
+<date>2011-09-04</date>
 
 <chapter>
 <title>Introduction</title>
@@ -156,34 +156,25 @@ Let's create the first workspace:
 <pre caption="Creating the SELinux policy workspace">
 ~$ <i>mkdir dev/hardened</i>
 ~$ <i>cd dev/hardened</i>
-~$ <i>ebuild /usr/portage/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r12.ebuild compile</i>
-~$ <i>cp -r /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12/work/* .</i>
-~$ <i>rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12</i>
+~$ <i>ebuild /usr/portage/sec-policy/selinux-base-policy/selinux-base-policy-2.20110726-r3.ebuild prepare</i>
+~$ <i>cp -r /var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r3/work/refpolicy .</i>
+~$ <i>rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r3</i>
 </pre>
 
 <p>
-As result, you should have two or three directories in 
-<path>dev/hardened</path> called <path>refpolicy</path> and <path>strict</path>
-and/or <path>targeted</path>. The only one of interest is the
-<path>strict</path> and/or <path>targeted</path> one, depending on the policy
-type you are working with. In the remainder of the document, I'm assuming you
-work with <path>strict</path>.
-</p>
-
-<p>
-Now the <path>dev/hardened</path> workspace is patched with the Gentoo Hardened
-SELinux patches applicable to the base policy. Gentoo Hardened has two "flavors"
-of patches:
+As result, you now have a subdirectory called <path>refpolicy</path> inside
+<path>dev/hardened</path>. This directory contains all the SELinux policy rules
+available. Now the <path>dev/hardened</path> workspace is patched with the
+Gentoo Hardened SELinux patches applicable to the policy. Gentoo Hardened has
+two "flavors" of patches:
 </p>
 
 <ol>
   <li>
-    <e>Base policy patches</e> contain the patches for the SELinux modules that
-    take part of the base policy as well as all interface patches for the
-    modules
+    patches in the <e>patchbundle</e> contain the majority of patches
   </li>
   <li>
-    <e>Module-specific patches</e> that contain the permissions affecting the
+    <e>module patches</e> that contain the permissions affecting the
     domains and types that are defined in a single module (for instance, all
     interaction between <path>portage_t</path> and <path>portage_exec_t</path>
     or even <path>portage_t</path> and <path>portage_fetch_t</path>)
@@ -191,14 +182,24 @@ of patches:
 </ol>
 
 <p>
-The base policy patches are important to have available at all times. The
-module-specific ones can be added when you work with that particular module.
+When we develop changes on the SELinux policy, we currently try to put those
+changes in the patchbundle as soon as possible. Currently, the
+<c>selinux-base-policy</c> package is updated fast enough to hold off module
+patches and wait for a new release of <c>selinux-base-policy</c> (after which
+the SELinux modules themselves can just refer to the new base policy to get
+their patches).
 </p>
 
 <p>
+However, when the <c>selinux-base-policy</c> is more stable, then patches might
+be made part of the modules themselves. In that case, a <e>module patch</e> is
+made.
+</p>
+
+<note>
 Every time a new revision comes out, you'll need to clean the
 <path>dev/hardened</path> workspace and rebuild it.
-</p>
+</note>
 
 </body>
 </section>
@@ -213,30 +214,20 @@ earlier, but now for the specific SELinux policy module package (like
 </p>
 
 <pre caption="Updating the dev/hardened workspace">
-~$ <i>ls dev/hardened/strict/policy/modules/*/postfix.te</i>
-dev/hardened/strict/policy/modules/services/postfix.te
-<comment>                                   ^^^^^^^^</comment>
-~$ <i>ebuild /usr/portage/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild compile</i>
+~$ <i>ls dev/hardened/refpolicy/policy/modules/*/postfix.te</i>
+dev/hardened/refpolicy/policy/modules/services/postfix.te
+<comment>                                      ^^^^^^^^</comment>
+~$ <i>ebuild /usr/portage/sec-policy/selinux-postfix/selinux-postfix-2.20110726-r1.ebuild prepare</i>
 
 <comment># Next, we copy the postfix.te and postfix.fc files.
 # Do NOT copy the postfix.if file (as the one available there is a stub)</comment>
-~$ <i>cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.te \
-  dev/hardened/strict/policy/modules/services/</i>
-<comment>                                     ^^^^^^^^</comment>
-~$ <i>cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.fc \
-  dev/hardened/strict/policy/modules/services/</i>
-<comment>                                     ^^^^^^^^</comment>
-~$ <i>rm -rf /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12</i>
-</pre>
-
-<p>
-Finally, clean up the workspace (as it contains built policies and other
-material we do not want to see in our patches)
-</p>
-
-<pre caption="Cleaning up the workspace">
-~$ <i>cd dev/hardened/strict</i>
-~$ <i>make clean</i>
+~$ <i>cp /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1/work/strict/postfix.te \
+  dev/hardened/refpolicy/policy/modules/services/</i>
+<comment>                                        ^^^^^^^^</comment>
+~$ <i>cp /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1/work/strict/postfix.fc \
+  dev/hardened/refpolicy/policy/modules/services/</i>
+<comment>                                        ^^^^^^^^</comment>
+~$ <i>rm -rf /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1</i>
 </pre>
 
 </body>
@@ -246,13 +237,13 @@ material we do not want to see in our patches)
 <body>
 
 <p>
-Setting up a local workspace is easy: just copy the <path>dev/hardened</path>
-one:
+Setting up a local workspace (where we will create changes and generate patches
+out of later) is easy: just copy the <path>dev/hardened</path> one:
 </p>
 
 <pre caption="Setting up a local workspace">
 ~$ <i>cd dev/hardened</i>
-~$ <i>cp -r strict strict.local/</i>
+~$ <i>cp -r refpolicy refpolicy.local/</i>
 </pre>
 
 </body>
@@ -263,7 +254,7 @@ one:
 
 <p>
 The main location you will work with is
-<path>dev/hardened/strict.local/policy/modules</path>. This location is subdivided in
+<path>dev/hardened/refpolicy.local/policy/modules</path>. This location is subdivided in
 categories:
 </p>
 
@@ -293,7 +284,7 @@ Inside the categories, the modules are available using their three files
 </p>
 
 <pre caption="Listing the available sudo files">
-~$ <i>cd dev/hardened/strict.local/policy/modules/admin</i>
+~$ <i>cd dev/hardened/refpolicy.local/policy/modules/admin</i>
 ~$ <i>ls sudo.*</i>
 sudo.fc    sudo.if     sudo.te
 </pre>
@@ -309,9 +300,15 @@ To build a module, go to the location where the module code is. Then, run
 <c>make</c> with the development Makefile as provided by the reference policy.
 </p>
 
+<note>
+You can ignore warnings about duplicate interface definitions and such. That is
+because the Makefile will include both the existing interfaces as well as the
+current working directory - which of course contains the same interfaces.
+</note>
+
 <pre caption="Building the portage module">
-~$ <i>cd dev/hardened/strict.local/policy/modules/admin</i>
-~$ <i>make -f ../../../support/Makefile.devel portage.pp</i>
+~$ <i>cd dev/hardened/refpolicy.local/policy/modules/admin</i>
+~$ <i>make -f /usr/share/selinux/strict/include/Makefile portage.pp</i>
 </pre>
 
 <p>
@@ -330,7 +327,7 @@ If you want to build the base policy, run <c>make base</c>.
 </p>
 
 <pre caption="Building the base policy">
-~$ <i>cd dev/hardened/strict.local</i>
+~$ <i>cd dev/hardened/refpolicy.local</i>
 ~$ <i>make base</i>
 </pre>
 
@@ -1209,9 +1206,9 @@ are best generated from the <path>policy/modules</path> location:
 </p>
 
 <pre caption="Example generating patch for modular changes">
-~$ <i>cd dev/hardened/strict.local/policy/modules</i>
-~$ <i>diff -ut ../../../strict/policy/modules/services/openct.te services/openct.te</i>
---- ../../../../strict/policy/modules/services/openct.te   2011-04-22 23:28:17.932918002 +0200
+~$ <i>cd dev/hardened/refpolicy.local/policy/modules</i>
+~$ <i>diff -ut ../../../refpolicy/policy/modules/services/openct.te services/openct.te</i>
+--- ../../../../refpolicy/policy/modules/services/openct.te   2011-04-22 23:28:17.932918002 +0200
 +++ services/openct.te  2011-04-23 09:55:08.156918002 +0200
 @@ -47,6 +47,10 @@
  
@@ -1250,8 +1247,8 @@ patch is best made from the upper location.
 </p>
 
 <pre caption="Generating a base policy patch">
-~$ <i>cd dev/hardened/strict.local</i>
-~$ <i>diff -ut ../strict/policy/modules/services/openct.if policy/modules/services/openct.if</i>
+~$ <i>cd dev/hardened/refpolicy.local</i>
+~$ <i>diff -ut ../refpolicy/policy/modules/services/openct.if policy/modules/services/openct.if</i>
 --- ../strict/policy/modules/services/openct.if    2011-04-22 23:28:17.918918002 +0200
 +++ policy/modules/services/openct.if       2011-04-23 10:01:38.753918001 +0200
 @@ -15,7 +15,7 @@
@@ -1344,19 +1341,21 @@ ebuilds:
 <pre caption="Skeleton for ebuilds, example for postfix">
 # Copyright 1999-2011 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
+EAPI="4"
 
+IUSE=""
 <comment># Set the MODS variable to the refpolicy name used, so services/postfix.te gives "postfix"</comment>
 MODS="postfix"
-IUSE=""
+<comment># BASEPOL is optional, set it to the selinux-base-policy version which
+# includes the latest patch (or interface you use in the policy)</comment>
+BASEPOL="2.20110726-r3"
 
 inherit selinux-policy-2
 
 DESCRIPTION="SELinux policy for postfix"
-
 KEYWORDS="~amd64 ~x86"
 
-<comment># POLICY_PATCH is optional (only when you have a patch), without it just uses the 
-# refpolicy version.</comment>
+<comment># POLICY_PATCH is optional (only when you have a module patch)</comment>
 POLICY_PATCH="${FILESDIR}/fix-services-postfix-r3.patch"
 </pre>
 
@@ -1386,15 +1385,21 @@ create a patchbundle from your patch directory, put the bundle in the
 </p>
 
 <pre caption="Building a base policy package">
+<comment># Go to the location where all patches are currently extracted</comment>
 ~$ <i>cd dev/hardened/base-patches</i>
-~$ <i>tar cjvf ../overlay/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r13.tar.bz2 *</i>
+
+<comment># Add the patches you want to include, cfr Submitting Patches</comment>
+<comment># Then, create a new patch bundle</comment>
+~$ <i>tar cjvf ../overlay/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20110726-r3.tar.bz2 *</i>
+
+<comment># Finally, bump the revision of the ebuild in the overlay</comment>
 ~$ <i>cd ../overlay/sec-policy/selinux-base-policy</i>
-~$ <i>cp selinux-base-policy-2.20101213-r12.ebuild selinux-base-policy-2.20101213-r13.ebuild</i>
+~$ <i>cp selinux-base-policy-2.20110726-r3.ebuild selinux-base-policy-2.20110726-r4.ebuild</i>
 </pre>
 
 <p>
 Don't forget to run <c>repoman manifest</c> and <c>repoman scan</c>. You can
-then install <path>sec-policy/selinux-base-policy-2.20101213-r13</path> and test
+then install <path>sec-policy/selinux-base-policy-2.20110726-r4</path> and test
 it out.
 </p>
 

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     a32bd2f55f10d81df329439f220e0b1e48ec8ab9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct  8 16:53:49 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct  8 16:53:49 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a32bd2f5

Adding FAQ on recovering portage in case of setfiles failure

---
 xml/selinux-faq.xml |   37 +++++++++++++++++++++++++++++++++++--
 1 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 9a3fc95..b556c57 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>14</version>
-<date>2011-09-04</date>
+<version>15</version>
+<date>2011-10-08</date>
 
 <faqindex>
 <title>Questions</title>
@@ -767,5 +767,38 @@ version, or force set it to the higher version.
 
 </body>
 </section>
+<section id="recoverportage">
+<title>Portage fails to label files because "setfiles" does not work anymore</title>
+<body>
+
+<p>
+Portage uses the <c>setfiles</c> command to set the labels of the files it
+installs. However, that command is a dynamically linked executable, so any
+update in its depending libraries (<path>libselinux.so</path>,
+<path>libsepol.so</path>, <path>libaudit.so</path> and of course
+<path>libc.so</path>) might cause for the application to fail. Gentoo's standard
+solution (<c>revdep-rebuild</c>) will not work, since the tool will try to
+rebuild policycoreutils, which will fail to install because Portage cannot set
+the file labels.
+</p>
+
+<p>
+The solution is to rebuild policycoreutils while disabling Portage' selinux
+support, then label the installed files manually using <c>chcon</c>, based on
+the feedback received from <c>matchpathcon</c>.
+</p>
+
+<pre caption="Recovering from Portage installation failures">
+# <i>FEATURES="-selinux" emerge --oneshot policycoreutils</i>
+# <i>for FILE in $(qlist policycoreutils); do \
+CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done</i>
+</pre>
+
+<p>
+Now Portage will function properly again, labeling files as they should.
+</p>
+
+</body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     ee9fb9d06f54205f107cc3c611db69a27f09fb40
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Oct 13 14:49:38 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Oct 13 14:49:38 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ee9fb9d0

Add FAQ on nosuid mount file systems

---
 xml/selinux-faq.xml |   22 ++++++++++++++++++++--
 1 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index b556c57..70b2f69 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>15</version>
-<date>2011-10-08</date>
+<version>16</version>
+<date>2011-10-13</date>
 
 <faqindex>
 <title>Questions</title>
@@ -800,5 +800,23 @@ Now Portage will function properly again, labeling files as they should.
 
 </body>
 </section>
+<section id="nosuid">
+<title>Applications do not transition on a nosuid-mounted partition</title>
+<body>
+
+<p>
+If you have file systems mounted with the <c>nosuid</c> option, then
+applications started from these file systems will not transition into their
+appropriate domain. This is intentional.
+</p>
+
+<p>
+So, a <c>passwd</c> binary, although correctly labeled <e>passwd_exec_t</e>,
+will not transition into the <e>passwd_t</e> domain if the binary is stored on a
+file system mounted with <c>nosuid</c>.
+</p>
+
+</body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     6f020c3b5ef75a36f9c2814851a25b8ef40b837b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Oct 25 18:33:55 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 25 18:33:55 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6f020c3b

Posix SH requires semicolon; thanks to Mick Reed for reporting

---
 xml/selinux-faq.xml |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 70b2f69..39fbd49 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>16</version>
-<date>2011-10-13</date>
+<version>17</version>
+<date>2011-10-25</date>
 
 <faqindex>
 <title>Questions</title>
@@ -791,7 +791,7 @@ the feedback received from <c>matchpathcon</c>.
 <pre caption="Recovering from Portage installation failures">
 # <i>FEATURES="-selinux" emerge --oneshot policycoreutils</i>
 # <i>for FILE in $(qlist policycoreutils); do \
-CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done</i>
+CONTEXT=$(matchpathcon -n ${FILE}); chcon ${CONTEXT} ${FILE}; done</i>
 </pre>
 
 <p>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[José María Alonso]

commit:     ee957bd2a3e32a9cac785d903b12d4f3cb753e0f
Author:     José María Alonso <nimiux.gentoo.org>
AuthorDate: Fri Oct 28 17:35:17 2011 +0000
Commit:     José María Alonso <nimiux <AT> gentoo <DOT> org>
CommitDate: Fri Oct 28 17:35:17 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ee957bd2

Removed useless link tag. Fixed typos and style.

---
 xml/selinux-faq.xml |   24 +++++++++---------------
 1 files changed, 9 insertions(+), 15 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 39fbd49..09b04ab 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml,v 1.2 2011/04/25 20:21:47 zorry Exp $ -->
 
-<guide link="/proj/en/hardened/selinux-faq.xml" lang="en">
+<guide>
 <title>Gentoo Hardened SELinux Frequently Asked Questions</title>
 <author title="Author">
   <mail link="pebenito@gentoo.org">Chris PeBenito</mail>
@@ -252,9 +252,7 @@ context.
 </body>
 </section>
 <section id="matchcontext">
-<title>
-  How do I know which file context rule is used for a particular file?
-</title>
+<title>How do I know which file context rule is used for a particular file?</title>
 <body>
 
 <p>
@@ -398,8 +396,8 @@ the <c>require { ... }</c> paragraph.
 </p>
 
 <p>
-When using interface names, make sure that the type (<c>ssh_t</c> and
-<c>user_t</c>) is mentioned in the <c>require { ... }</c> paragraph.
+When using interface names, make sure that the types (<c>ssh_t</c> and
+<c>user_t</c>) are mentioned in the <c>require { ... }</c> paragraph.
 </p>
 
 <p>
@@ -590,10 +588,8 @@ that the default policies are updated accordingly.
 </body>
 </section>
 <section id="portage_libsandbox">
-<title>
-  During package installation, ld.so complains 'object 'libsandbox.so' from 
-  LD_PRELOAD cannot be preloaded: ignored'
-</title>
+<title>During package installation, ld.so complains 'object 'libsandbox.so'
+from LD_PRELOAD cannot be preloaded: ignored'</title>
 <body>
 
 <p>
@@ -663,10 +659,8 @@ when logged on. And you shouldn't allow remote root logins anyhow.
 </body>
 </section>
 <section id="cronfails">
-<title>
-  Cron fails to load in root's crontab with message '(root) ENTRYPOINT
-  FAILED (crontabs/root)'
-</title>
+<title>Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+FAILED (crontabs/root)'</title>
 <body>
 
 <p>
@@ -783,7 +777,7 @@ the file labels.
 </p>
 
 <p>
-The solution is to rebuild policycoreutils while disabling Portage' selinux
+The solution is to rebuild policycoreutils while disabling Portage's selinux
 support, then label the installed files manually using <c>chcon</c>, based on
 the feedback received from <c>matchpathcon</c>.
 </p>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     8c0e7d94b70c29cc530e742cc51f8a45ae9d07e9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 12 21:25:07 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Nov 12 21:25:07 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=8c0e7d94

Cleaned out older profiels

---
 xml/roadmap.xml |   39 +++++++++------------------------------
 1 files changed, 9 insertions(+), 30 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 9fbefc9..090c565 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -394,7 +394,7 @@ is in need for attention.
 The Gentoo Hardened SELinux state is up to date and fully supported (except
 MLS which is considered experimental). The documentation is being updated as 
 the state evolves, but can still improve. Primary focus now is on the quality
-of the packages and improved support for MCS.
+of the packages and standard policies.
 </p>
 
 </body>
@@ -412,46 +412,25 @@ of the packages and improved support for MCS.
   <th>Related Bugs</th>
 </tr>
 <tr>
-  <ti>Add support for MCS (driver is virtualization)</ti>
-  <ti>2011-08-15</ti>
-  <ti>Done</ti>
+  <ti>Deprecate old policies</ti>
+  <ti>2011-11-10</ti>
+  <ti>done</ti>
   <ti>SwifT</ti>
   <ti></ti>
 </tr>
 <tr>
-  <ti>Stabilize the new SELinux profile structure</ti>
-  <ti>2011-08-20</ti>
-  <ti>Done</ti>
-  <ti>blueness, SwifT</ti>
-  <ti><uri link="https://bugs.gentoo.org/365483">#365483</uri></ti>
-</tr>
-<tr>
-  <ti>Merge 20110726 policies in ~arch</ti>
-  <ti>2011-08-28</ti>
-  <ti>Busy</ti>
-  <ti>SwifT</ti>
-  <ti />
-</tr>
-<tr>
-  <ti>Stabilize the 20110727 userland tools and libraries</ti>
-  <ti>2011-09-30</ti>
+  <ti>Deprecate old profiles</ti>
+  <ti>2011-12-01</ti>
   <ti></ti>
-  <ti>SwifT</ti>
+  <ti>blueness</ti>
   <ti />
 </tr>
 <tr>
-  <ti>Stabilize the 20110726 policies</ti>
-  <ti>2011-09-30</ti>
+  <ti>Get mainstream packages the proper dependencies on the SELinux policies</ti>
+  <ti>2011-12-31</ti>
   <ti></ti>
   <ti>SwifT</ti>
-  <ti />
-</tr>
-<tr>
-  <ti>Deprecate old profiles</ti>
-  <ti>2011-12-01</ti>
   <ti></ti>
-  <ti>blueness</ti>
-  <ti />
 </tr>
 </table>
 

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     d3b33b1ecfd94ba18107a5208aafdee05096a60b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 17 20:30:33 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Nov 17 20:30:33 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=d3b33b1e

Updating page

---
 xml/index.xml |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/xml/index.xml b/xml/index.xml
index c770a9e..acf1d96 100644
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -42,6 +42,8 @@ Gentoo once they've been tested for security and stability by the Hardened team.
 <dev role="Member" description="PPC arch team liaison">nixnut</dev>
 <dev role="Member" description="SELinux">pebenito</dev>
 <dev role="Member" description="SELinux">SwifT</dev>
+<dev role="Member" description="SELinux">prometheanfire</dev>
+<dev role="Member" description="Doc, PR">klondike</dev>
 
 <!-- In the future we could use inheritmembers="yes"  but we need pages for all
 or most of the subprojects -->
@@ -141,7 +143,6 @@ project:
 </p>
 <table>
 <tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr>
-<tr><ti>Francisco Blas Izquierdo Riera</ti><ti>klondike</ti>
 <ti>Documentation writing, support</ti></tr>
 <tr><ti>Chris Richards</ti><ti>gizmo</ti>
 <ti>Policy development, support (SELinux)</ti></tr>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     8979b149eeef6721f6ba552119bdf3939183a96a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 17 20:32:32 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Nov 17 20:32:32 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=8979b149

Argh, XML mismatch

---
 xml/index.xml |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/xml/index.xml b/xml/index.xml
index acf1d96..7c6ccf2 100644
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -143,7 +143,6 @@ project:
 </p>
 <table>
 <tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr>
-<ti>Documentation writing, support</ti></tr>
 <tr><ti>Chris Richards</ti><ti>gizmo</ti>
 <ti>Policy development, support (SELinux)</ti></tr>
 </table>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     b80637fce2cc5ce455e39d5c7cad2a1370879604
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 17 20:50:59 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Nov 17 20:50:59 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=b80637fc

SELinux is stable

---
 xml/support-state.xml |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/xml/support-state.xml b/xml/support-state.xml
index 65ed7bb..46cb7d3 100644
--- a/xml/support-state.xml
+++ b/xml/support-state.xml
@@ -13,8 +13,8 @@ platforms, setups and additional requirements for each of the subprojects
 involved. 
 </abstract>
 
-<version>1.0</version>
-<date>2011-05-25</date>
+<version>2</version>
+<date>2011-11-17</date>
 
 <chapter>
 <title>Introduction</title>
@@ -195,12 +195,12 @@ reports and feedback).
 <tr>
   <ti>x86</ti>
   <ti>In place</ti>
-  <ti>Still ~arch for the time being</ti>
+  <ti></ti>
 </tr>
 <tr>
   <ti>amd64 / x86_64</ti>
   <ti>In place</ti>
-  <ti>Still ~arch for the time being</ti>
+  <ti></ti>
 </tr>
 <tr>
   <ti>ppc</ti>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     250b434deec2a8c12e8e209e41b871504930e392
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 17 21:36:43 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Nov 17 21:36:43 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=250b434d

Remove battousai from hardened page. Bryan: thanks for all the hard work you did!

---
 xml/index.xml |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

diff --git a/xml/index.xml b/xml/index.xml
index 7c6ccf2..46fb415 100644
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -33,7 +33,6 @@ Gentoo once they've been tested for security and stability by the Hardened team.
 
 </goals>
 
-<dev role="Member" description="Bastille Lead">battousai</dev>
 <dev role="Member" description="PaX/Grsecurity, Hardened sources">gengor</dev>
 <dev role="Project Lead" description="Hardened Toolchain, Doc">Zorry</dev>
 <dev role="Member" description="PaX/Grsecurity, Hardened sources">blueness</dev>
@@ -70,12 +69,6 @@ A kernel which provides patches for hardened subprojects, and stability/security
 oriented patches. Includes Grsecurity and SELinux.
 </extraproject>
 
-<extraproject name="Bastille" lead="battousai">
-Bastille is an interactive application which gives the user suggestions on
-securing their machine. It will be customized to make suggestions about other
-Hardened Gentoo subprojects.
-</extraproject>
-
 <!-- Still rewieving it.
 <plannedproject name="Security Documentation">Maintain
 documentation about best practices, and general security measures

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     cf4aaf2bf53d3dd358a54e3253796d23a0f33395
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 22 20:05:18 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 22 20:05:18 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=cf4aaf2b

Adding SELinux bugreporting guide

---
 xml/selinux-bugreporting.xml |  171 ++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 171 insertions(+), 0 deletions(-)

diff --git a/xml/selinux-bugreporting.xml b/xml/selinux-bugreporting.xml
new file mode 100644
index 0000000..bfc13ad
--- /dev/null
+++ b/xml/selinux-bugreporting.xml
@@ -0,0 +1,171 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header$ -->
+
+<guide link="/proj/en/hardened/selinux-policy.xml" lang="en">
+<title>Gentoo Hardened SELinux Development Policy</title>
+
+<author title="Author">
+  <mail link="swift"/>
+</author>
+
+<abstract>
+This guide helps users to create a properly filled out bug report for SELinux
+policy updates.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
+<license/>
+
+<version>1</version>
+<date>2011-11-22</date>
+
+<chapter>
+<title>So you got a bug?</title>
+<section>
+<title>Introduction</title>
+<body>
+
+<p>
+When working with a SELinux-enabled system, you will notice that some policies
+are far from perfect. That is to be expected, since there are a lot more
+policies and SELinux policy modules than we can thoroughly test. That is why bug
+reports are very important for us as they give us much-needed feedback on the
+state of the policies. Also, since we follow the reference policy closely,
+patches are also sent upstream so that other distributions can benefit from the
+updates.
+</p>
+
+<p>
+However, debugging and fixing SELinux policies also means that we need to
+identify a proper policy failure, find the root cause of this failure and have
+an optimal solution. Since we are talking about <e>security</e> policies, much
+attention goes into details, but also in the <e>many eyes</e> paradigm to
+validate if a policy fix is correct or not.
+</p>
+
+<p>
+That is one of the reasons why we created this bugreport as it helps you, as the
+feedback-providing user, to both properly figure out why a failure occurs and
+how to fix it, but also why we are quite strict in the acceptance of patches.
+</p>
+
+</body>
+</section>
+<section>
+<title>Short version</title>
+<body>
+
+<p>
+When reporting SELinux policy fixes based on AVC denials,
+</p>
+
+<ul>
+  <li>
+    structure the denials and try to create one bug report per logically
+    coherent set of denials. Don't push all your AVC denials onto us.
+  </li>
+  <li>
+    make sure you can reproduce the issue and that you have the ability to
+    reproduce while we work on the fix. We cannot test all policies ourselves.
+  </li>
+  <li>
+    report the application failure output as well, not only the AVC denial. We
+    need to know what the application is trying to do (and failing to do) to fix
+    the problem.
+  </li>
+</ul>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Bugs related to AVC denials (and non-functional applications)</title>
+<section>
+<title>About</title>
+<body>
+
+<p>
+In this section, we'll go into the details of creating a helpful bug report for
+SELinux policies in case you have an AVC denial (which means SELinux is
+prohibiting a certain privilege request) that results in the failure of the
+application.
+</p>
+
+</body>
+</section>
+<section>
+<title>Structure the denials</title>
+<body>
+
+<p>
+When you get one or more AVC denials, try to structure them into logically
+coherent sets. We cannot easily deal with several dozen denials. Most of the
+time, you either get multiple denials of the same cause, or the denials are not
+truely related.
+</p>
+
+<p>
+When we need to fix the SELinux policy, nine out of ten times we focus on one or
+a few related denials and come up with a proper fix. When there is an abundance
+of AVC denials, we need to skim through them (which we usually then do one at a
+time) which puts a lot of stress on you (the reporter) as we will ask you
+hundred-and-one questions and requests for testing.
+</p>
+
+</body>
+</section>
+<section>
+<title>Prepare for testing</title>
+<body>
+
+<p>
+When you report a SELinux policy related bug, make sure you are ready to test
+the results that we want to put in. We cannot test out all applications
+ourselves. Sometimes, a failure is even only reproducable on a specific setup.
+</p>
+
+</body>
+</section>
+<section>
+<title>Report the application failure</title>
+<body>
+
+<p>
+More than once, we get bug reports on SELinux policy denials where the user is
+still running in permissive mode. He is reporting the denials because he is
+afraid that he will not be able to run it in enforcing mode without the denials
+being fixed.
+</p>
+
+<p>
+However, denials can be <e>cosmetic</e>, in which case we should actually hide
+the denials rather than allow their requests. Also, when you run in permissive
+mode, it is very much possible that the denials would never be reached when
+running in enforcing mode because of earlier denials (which, coincidentally,
+might be wrongly hidden from your logs).
+</p>
+
+<p>
+For this reason, we urge you to give us not only the AVC denial information, but
+also the application failure log output when running in enforcing mode.
+</p>
+
+<p>
+The <uri link="selinux/selinux-handbook.xml">Gentoo Hardened SELinux
+Handbook</uri> will guide you through the process of migrating from a permissive
+system into an enforcing mode. If you believe that booting in enforcing is not
+possible yet, just boot in permissive, log on as root, run <c>setenforce 1</c>
+and only then log on as user(s) to reproduce your situation. There is also a
+<uri link="selinux/selinux-handbook.xml?part=2&amp;chap=2">Troubleshooting
+SELinux</uri> section that helps you identify common bottlenecks or issues while
+trying to get SELinux running on your system.
+</p>
+
+</body>
+</section>
+</chapter>
+
+</guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     6df6a029f9de6caf4981e30707fef7f6edc08dee
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 22 19:43:13 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 22 19:43:13 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6df6a029

Updating information on module policy development aspects

---
 xml/selinux-development.xml |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/xml/selinux-development.xml b/xml/selinux-development.xml
index a8e8e14..9a05123 100644
--- a/xml/selinux-development.xml
+++ b/xml/selinux-development.xml
@@ -18,8 +18,8 @@ acquainted with the necessary resources, trips and tricks to get along.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>2</version>
-<date>2011-09-04</date>
+<version>3</version>
+<date>2011-11-22</date>
 
 <chapter>
 <title>Introduction</title>
@@ -208,9 +208,16 @@ Every time a new revision comes out, you'll need to clean the
 <body>
 
 <p>
-To update your policy workspace, use the same tactic as describes
-earlier, but now for the specific SELinux policy module package (like
-<path>selinux-postfix</path>).
+If you want to or need to work on the policy of a SELinux module (rather than
+the base policy), check its ebuild to see if it holds any additional patches
+(mentioned through the <c>POLICY_PATCH</c> variable). If not, then you can work
+off the snapshot taken earlier in this guide.
+</p>
+
+<p>
+However, if a patch (or set of patches) is applied as well, you either need to
+apply those manually on the snapshot, or use the following tactics to create a
+snapshot just for this module:
 </p>
 
 <pre caption="Updating the dev/hardened workspace">

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     3b919557b2a427ee53fc1c487dccf138fb278ca3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 22 20:06:50 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 22 20:06:50 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3b919557

Fix title for SELinux bug reporting guide

---
 xml/selinux-bugreporting.xml |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-bugreporting.xml b/xml/selinux-bugreporting.xml
index bfc13ad..becc591 100644
--- a/xml/selinux-bugreporting.xml
+++ b/xml/selinux-bugreporting.xml
@@ -2,8 +2,8 @@
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 <!-- $Header$ -->
 
-<guide link="/proj/en/hardened/selinux-policy.xml" lang="en">
-<title>Gentoo Hardened SELinux Development Policy</title>
+<guide lang="en">
+<title>Reporting SELinux (policy) bugs</title>
 
 <author title="Author">
   <mail link="swift"/>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     c40c47f9d883af01fc42d0ef650d1c450d5699de
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 10 14:46:00 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 10 14:46:00 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c40c47f9

Add request for SELinux-enabled stage3 files to roadmap

---
 xml/roadmap.xml |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 090c565..8b97133 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -45,8 +45,8 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>2</version>
-<date>2011-08-24</date>
+<version>3</version>
+<date>2011-12-10</date>
 
 <chapter>
 <title>Vision</title>
@@ -432,6 +432,13 @@ of the packages and standard policies.
   <ti>SwifT</ti>
   <ti></ti>
 </tr>
+<tr>
+  <ti>Have SELinux-enabled stage3 available on the mirrors</ti>
+  <ti>2012-01-31</ti>
+  <ti></ti>
+  <ti></ti>
+  <ti></ti>
+</tr>
 </table>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     ddcd5c9b875aa87ca72c068c2b0c6ea47a8ee2da
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 10 15:41:59 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 10 15:41:59 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ddcd5c9b

Roadmap update: old profiles are deprecated

---
 xml/roadmap.xml |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 8b97133..7fe37aa 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -45,7 +45,7 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>3</version>
+<version>4</version>
 <date>2011-12-10</date>
 
 <chapter>
@@ -421,7 +421,7 @@ of the packages and standard policies.
 <tr>
   <ti>Deprecate old profiles</ti>
   <ti>2011-12-01</ti>
-  <ti></ti>
+  <ti>done</ti>
   <ti>blueness</ti>
   <ti />
 </tr>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     945eac4bc1e59dddac5681f5be0ce9139e9dfa69
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 10 17:31:46 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 10 17:31:46 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=945eac4b

Adding FAQ on run_init authentication

---
 xml/selinux-faq.xml |   38 ++++++++++++++++++++++++++++++++++++--
 1 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 09b04ab..cff0308 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>17</version>
-<date>2011-10-25</date>
+<version>18</version>
+<date>2011-12-10</date>
 
 <faqindex>
 <title>Questions</title>
@@ -812,5 +812,39 @@ file system mounted with <c>nosuid</c>.
 
 </body>
 </section>
+<section id="auth-run_init">
+<title>Why do I always need to re-authenticate when operating init scripts?</title>
+<body>
+
+<p>
+When you, as an administrator, wants to launch or stop daemons, these activities
+need to be done as <c>system_u:system_r</c>. Switching to this context set is a
+highly privileged operation (since you are effectively leaving the user context
+and entering a system context) and hence the default setup requires the user to
+re-authenticate.
+</p>
+
+<p>
+You can ask not to re-authenticate if you use PAM by editing
+<path>/etc/pam.d/run_init</path> and adding the following line on top:
+</p>
+
+<pre caption="Setup run_init pam configuration to allow root not to re-authenticate">
+auth     sufficient     pam_rootok.so
+</pre>
+
+<p>
+With this in place, you can now prepend your init script activities with
+<c>run_init</c> and it will not ask for your password anymore:
+</p>
+
+<pre caption="Using run_init">
+# <i>run_init rc-service local status</i>
+Authenticating swift.
+ * status: started
+</pre>
+
+</body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     9a0d9a267741ad3547c9fc9f96164e8f8629c702
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 23 19:38:41 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec 23 19:38:41 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9a0d9a26

It is SEGMEXEC that is not available for non-x86_32 architectures

---
 xml/grsecurity.xml |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/xml/grsecurity.xml b/xml/grsecurity.xml
index 0833805..aee3d37 100644
--- a/xml/grsecurity.xml
+++ b/xml/grsecurity.xml
@@ -17,8 +17,8 @@ configuration options and tools provided by the grsecurity project to lift your
 system's security to higher standards.
 </abstract>
 
-<version>1.3</version>
-<date>2010-05-10</date>
+<version>2</version>
+<date>2011-12-23</date>
 
 <chapter>
 <title>About Grsecurity</title>
@@ -210,7 +210,7 @@ CONFIG_GRKERNSEC_HIDESYM=y
 
 <p>
 If you are running a non-x86 system you will observe that there is no
-CONFIG_GRKERNSEC_PAX_NOEXEC. You should select CONFIG_GRKERNSEC_PAX_PAGEEXEC 
+CONFIG_GRKERNSEC_PAX_SEGMEXEC. You should select CONFIG_GRKERNSEC_PAX_PAGEEXEC 
 instead as it is the only non-exec implementation around.
 </p>
 

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     93f47bb5f38b3473c36bc94895e8f5df3acdbf7b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Dec 27 12:51:04 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Dec 27 12:51:04 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=93f47bb5

FAQ update - loadpolicy issue is not in tree anymore

---
 xml/selinux-faq.xml |   21 +++++++--------------
 1 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index cff0308..d4aeb18 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>18</version>
-<date>2011-12-10</date>
+<version>19</version>
+<date>2011-12-27</date>
 
 <faqindex>
 <title>Questions</title>
@@ -518,21 +518,14 @@ FEATURES variable contains unknown value(s): loadpolicy
 
 <p>
 This is a remnant of the older SELinux policy module set where policy packages
-might require this FEATURE to be available. Although the more recent packages
-do not support this FEATURE value anymore, these are still in the ~arch phase 
-so the current SELinux profile still offers this value. Portage however already
-knows that this FEATURE is not supported anymore and complains.
+might require this FEATURE to be available. This has however since long been
+removed from the tree.
 </p>
 
 <p>
-We recommend you to use the ~arch versions of all packages in the sec-policy
-category, and set <c>FEATURES="-loadpolicy"</c> to disable this (cosmetic)
-error.
-</p>
-
-<p>
-Once the newer policy modules are stabilized, the SELinux profile will be updated
-to remove this setting.
+Please update your profile to a recent SELinux profile (one ending with
+<path>/selinux</path>) and make sure that <path>/etc/make.conf</path> does not
+have <c>FEATURES="loadpolicy"</c> set.
 </p>
 
 </body>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     0bedf2ae8789144dc48313ea6bd4da0a6ab52fd9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 28 18:57:51 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 28 18:57:51 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=0bedf2ae

Backport change to project directory

---
 xml/index.xml |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/xml/index.xml b/xml/index.xml
index 46fb415..21aef7b 100644
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -38,6 +38,7 @@ Gentoo once they've been tested for security and stability by the Hardened team.
 <dev role="Member" description="PaX/Grsecurity, Hardened sources">blueness</dev>
 <dev role="Member" description="Hardened sources, Doc">quantumsummers</dev>
 <dev role="Member" description="Hardened sources">Chainsaw</dev>
+<dev role="Member" description="Hardened sources">lejonet</dev>
 <dev role="Member" description="PPC arch team liaison">nixnut</dev>
 <dev role="Member" description="SELinux">pebenito</dev>
 <dev role="Member" description="SELinux">SwifT</dev>
@@ -47,9 +48,9 @@ Gentoo once they've been tested for security and stability by the Hardened team.
 <!-- In the future we could use inheritmembers="yes"  but we need pages for all
 or most of the subprojects -->
 <subproject ref="/proj/en/hardened/selinux/index.xml" inheritresources="yes"/>
-<!-- RSBAC is no longer with us :(
+<!-- RSBAC is now with us again :) -->
 <subproject ref="/proj/en/hardened/rsbac/index.xml" inheritresources="yes" />
--->
+
 <extraproject name="PaX/Grsecurity" lead="blueness">
 Grsecurity is a complete security solution providing such features as a MAC or
 RBAC system, chroot restrictions, address space modification protection (via

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     036119a286cf69f29a0aad81ee98d5f1128cdf1f
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Mon Apr  2 15:49:09 2012 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Mon Apr  2 15:49:09 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=036119a2

WIP on the revdep-pax guide

---
 xml/revdep-pax.xml |  740 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 740 insertions(+), 0 deletions(-)

diff --git a/xml/revdep-pax.xml b/xml/revdep-pax.xml
new file mode 100644
index 0000000..ba9f822
--- /dev/null
+++ b/xml/revdep-pax.xml
@@ -0,0 +1,740 @@
+<?xml version='1.0' encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header: $ -->
+
+<guide>
+<title>Gentoo revdep-pax introduction</title>
+
+<author title="Author">
+  <mail link="klondike"/>
+</author>
+
+<abstract>
+This guide provides an introduction to revdep-pax and how to use it to propagate
+the PaC markings caused by libraries requiring them, for example, libraries
+requiring RWX memory in order to process JIT code.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
+<license/>
+
+<version>1</version>
+<date>2012-02-19</date>
+
+<chapter>
+<title>What's <c>revdep-pax</c> about?</title>
+
+<p by="Geroge Orwell">
+Since the early days of PaX it was known that all programs were equal although
+some were more equal than others and needed an environment with less
+restrictions in order to be able to run. Thus, in order to have a secure way of
+allowing system administrators and users telling the system which binaries
+needed this lessened environment the PaX marks were created.
+</p>
+
+<section>
+<title>A quick introduction to PaX markings.</title>
+<body>
+
+<p>
+There are some programs which won't be able to run in an environment with all
+the PaX features enabled, for example you may have a program which has so called
+<e>text relocations</e> or you may have a language interpreter doing JIT code
+compilation and requiring <e>RWX</e> mappings you may also have a program that
+saves data including internal pointers into an mmaped file and which needs to be
+restored in the same place no matter what. You could also be holding a security
+competition and need to disable the execution restrictions and force it to
+use fixed addresses on a particular program so it can be exploited doing a
+simple nop sled based stack overflow to get to the next level. For taking into
+account these issues binaries can be marked to force on or off some of the PaX
+features.
+</p>
+
+<p>
+Currently, the PaX features that can be lessened or enforced to allow programs
+to run are:
+</p>
+
+<dl>
+  <dt><b>PAGEEXEC</b></dt>
+  <dd>Paging based execution restrictions. This is what other OSes know as
+  <e>NX</e>.</dd>
+  <dt><b>EMUTRAMP</b></dt>
+  <dd>Trampoline emulation. Required by for amongst other things code with
+  nested functions.</dd>
+  <dt><b>MPROTECT</b></dt>
+  <dd>Prevents the introduction of new executable code in the task. This is the
+  one you are more likely to need disabling with libraries generating JIT code.
+  </dd>
+  <dt><b>RANDMMAP</b></dt>
+  <dd>Randomizes the addresses where mappings are made unless the program
+  explicitly requests one (using the MAP_FIXED flag).</dd>
+  <dt><b>RANDEXEC</b></dt>
+  <dd>This flag is currently deprecated and was used to enforce random placement
+  of the executable part of the binary.</dd>
+  <dt><b>SEGMEXEC</b></dt>
+  <dd>This flag enables segmentation based execution protection. This feature is
+  not available on the amd64 architecture so in that architecture is disables by
+  default.</dd>
+</dl>
+
+<p>
+There are various ways in which this advice to lessen the environment can be
+provided to the system, amongst others Mandatory Access Control rules, extended
+attributes and two kinds of markings on the binaries themselves, the legacy ones
+which abuse an unused field in the ELF headers and the new ones which add a new
+specific section to the ELF file with the markings.
+</p>
+
+<p>
+All this markings though are only read in the executable and not in the
+libraries linked by it to prevent some possible attacks (like libraries being
+injected via LD_PRELOAD) and because it eases a lot the implementation since the
+kernel shouldn't be aware of linking details.
+</p>
+
+<p>
+This system has a problem: if we have a binary linking to a library which
+requires, for example, trampoline emulation because it uses nested functions how
+can we make sure the binary gets the propper markings? Yeah we could add PaX
+marks to the library to state it needs trampoline emulation but still we haven't
+fixed the issue since the kernel will only read the marks on the binary being
+called. In order to solve this issue we have created <c>revdep-pax</c>.
+</p>
+
+</body>
+</section>
+<section>
+<title>What's <c>revdep-pax</c>?</title>
+<body>
+
+<p>
+<c>revdep-pax</c> is a tool that allows to check for differences in PaX markings
+between elf objects linking to libraries (for example <path>/bin/bash</path>)
+and the libraries themselves (for example <path>/lib64/libc.so.6</path>).
+</p>
+
+<p>
+<c>revdep-pax</c> is able to do this in various ways, it can check for
+differences <e>forward</e> from one binary to all the libraries it links and it
+can also check for PaX marking differences <e>backwards</e> from one library to
+all the binaries linking to it (which may include other libraries too). In a
+similar way it is possible to have all the forward and reverse mappings in the
+system checked to try finding issues.
+</p>
+
+<p>
+<c>revdep-pax</c> is also able to propagate these markings both forward to the
+libraries linked by an object and backwards to the objects linked by a library.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Using <c>revdep-pax</c></title>
+
+<p by="The Emperor">
+In order to witness the firepower of this fully ARMED and OPERATIONAL tool
+you'll first need to learn how to use it, once you are done, you'll be
+able to fire at will.
+</p>
+
+<section>
+<title>Propagating PaX marks backwards from a library to objects that link at it
+</title>
+<body>
+
+<p>
+This is going to be probably the main way in which you are going to use this
+utility. What it does is check all the libraries linked statically 
+The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
+</p>
+
+<table>
+<tr>
+  <th>Option</th>
+  <th>Long Option</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>-p</ti>
+  <ti>--path</ti>
+  <ti>Scan all directories in PATH environment</ti>
+</tr>
+<tr>
+  <ti>-l</ti>
+  <ti>--ldpath</ti>
+  <ti>Scan all directories in /etc/ld.so.conf</ti>
+</tr>
+<tr>
+  <ti>-R</ti>
+  <ti>--recursive</ti>
+  <ti>Scan directories recursively</ti>
+</tr>
+<tr>
+  <ti>-m</ti>
+  <ti>--mount</ti>
+  <ti>Don't recursively cross mount points</ti>
+</tr>
+<tr>
+  <ti>-y</ti>
+  <ti>--symlink</ti>
+  <ti>Don't scan symlinks</ti>
+</tr>
+<tr>
+  <ti>-A</ti>
+  <ti>--archives</ti>
+  <ti>Scan archives (.a files)</ti>
+</tr>
+<tr>
+  <ti>-L</ti>
+  <ti>--ldcache</ti>
+  <ti>Utilize ld.so.cache information (use with -r/-n)</ti>
+</tr>
+<tr>
+  <ti>-X</ti>
+  <ti>--fix</ti>
+  <ti>Try and 'fix' bad things (use with -r/-e)</ti>
+</tr>
+<tr>
+  <ti>-z [arg]</ti>
+  <ti>--setpax [arg]</ti>
+  <ti>Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</ti>
+</tr>
+<tr>
+  <th>Option</th>
+  <th>Long Option</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>-x</ti>
+  <ti>--pax</ti>
+  <ti>Print PaX markings</ti>
+</tr>
+<tr>
+  <ti>-e</ti>
+  <ti>--header</ti>
+  <ti>Print GNU_STACK/PT_LOAD markings</ti>
+</tr>
+<tr>
+  <ti>-t</ti>
+  <ti>--textrel</ti>
+  <ti>Print TEXTREL information</ti>
+</tr>
+<tr>
+  <ti>-r</ti>
+  <ti>--rpath</ti>
+  <ti>Print RPATH information</ti>
+</tr>
+<tr>
+  <ti>-n</ti>
+  <ti>--needed</ti>
+  <ti>Print NEEDED information</ti>
+</tr>
+<tr>
+  <ti>-i</ti>
+  <ti>--interp</ti>
+  <ti>Print INTERP information</ti>
+</tr>
+<tr>
+  <ti>-b</ti>
+  <ti>--bind</ti>
+  <ti>Print BIND information</ti>
+</tr>
+<tr>
+  <ti>-S</ti>
+  <ti>--soname</ti>
+  <ti>Print SONAME information</ti>
+</tr>
+<tr>
+  <ti>-s [arg]</ti>
+  <ti>--symbol [arg]</ti>
+  <ti>Find a specified symbol</ti>
+</tr>
+<tr>
+  <ti>-k [arg]</ti>
+  <ti>--section [arg]</ti>
+  <ti>Find a specified section</ti>
+</tr>
+<tr>
+  <ti>-N [arg]</ti>
+  <ti>--lib [arg]</ti>
+  <ti>Find a specified library</ti>
+</tr>
+<tr>
+  <ti>-g</ti>
+  <ti>--gmatch</ti>
+  <ti>Use strncmp to match libraries. (use with -N)</ti>
+</tr>
+<tr>
+  <ti>-T</ti>
+  <ti>--textrels</ti>
+  <ti>Locate cause of TEXTREL</ti>
+</tr>
+<tr>
+  <ti>-E [arg]</ti>
+  <ti>--etype [arg]</ti>
+  <ti>Print only ELF files matching etype ET_DYN,ET_EXEC ...</ti>
+</tr>
+<tr>
+  <ti>-M [arg]</ti>
+  <ti>--bits [arg]</ti>
+  <ti>Print only ELF files matching numeric bits</ti>
+</tr>
+<tr>
+  <ti>-a</ti>
+  <ti>--all</ti>
+  <ti>Print all scanned info (-x -e -t -r -b)</ti>
+</tr>
+<tr>
+  <th>Option</th>
+  <th>Long Option</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>-q</ti>
+  <ti>--quiet</ti>
+  <ti>Only output 'bad' things</ti>
+</tr>
+<tr>
+  <ti>-v</ti>
+  <ti>--verbose</ti>
+  <ti>Be verbose (can be specified more than once)</ti>
+</tr>
+<tr>
+  <ti>-F [arg]</ti>
+  <ti>--format [arg]</ti>
+  <ti>Use specified format for output</ti>
+</tr>
+<tr>
+  <ti>-f [arg]</ti>
+  <ti>--from [arg]</ti>
+  <ti>Read input stream from a filename</ti>
+</tr>
+<tr>
+  <ti>-o [arg]</ti>
+  <ti>--file [arg]</ti>
+  <ti>Write output stream to a filename</ti>
+</tr>
+<tr>
+  <ti>-B</ti>
+  <ti>--nobanner</ti>
+  <ti>Don't display the header</ti>
+</tr>
+<tr>
+  <ti>-h</ti>
+  <ti>--help</ti>
+  <ti>Print this help and exit</ti>
+</tr>
+<tr>
+  <ti>-V</ti>
+  <ti>--version</ti>
+  <ti>Print version and exit</ti>
+</tr>
+</table>
+
+<p>
+The format specifiers for the <c>-F</c> option are given in the following table.
+Prefix each specifier with <c>%</c> (verbose) or <c>#</c> (silent) accordingly.
+</p>
+
+<table>
+<tr>
+  <th>Specifier</th>
+  <th>Full Name</th>
+  <th>Specifier</th>
+  <th>Full Name</th>
+</tr>
+<tr>
+  <ti>F</ti>
+  <ti>Filename</ti>
+  <ti>x</ti>
+  <ti>PaX Flags</ti>
+</tr>
+<tr>
+  <ti>e</ti>
+  <ti>STACK/RELRO</ti>
+  <ti>t</ti>
+  <ti>TEXTREL</ti>
+</tr>
+<tr>
+  <ti>r</ti>
+  <ti>RPATH</ti>
+  <ti>n</ti>
+  <ti>NEEDED</ti>
+</tr>
+<tr>
+  <ti>i</ti>
+  <ti>INTERP</ti>
+  <ti>b</ti>
+  <ti>BIND</ti>
+</tr>
+<tr>
+  <ti>s</ti>
+  <ti>Symbol</ti>
+  <ti>N</ti>
+  <ti>Library</ti>
+</tr>
+<tr>
+  <ti>o</ti>
+  <ti>Type</ti>
+  <ti>p</ti>
+  <ti>File name</ti>
+</tr>
+<tr>
+  <ti>f</ti>
+  <ti>Base file name</ti>
+  <ti>k</ti>
+  <ti>Section</ti>
+</tr>
+<tr>
+  <ti>a</ti>
+  <ti>ARCH/e_machine</ti>
+  <ti>&nbsp;</ti>
+  <ti>&nbsp;</ti>
+</tr>
+</table>
+
+</body>
+</section>
+<section>
+<title>Using scanelf for Text Relocations</title>
+<body>
+
+<p>
+As an example, we will use <c>scanelf</c> to find binaries containing text
+relocations.
+</p>
+
+<p>
+A relocation is an operation that rewrites an address in a loaded segment. Such
+an address rewrite can happen when a segment has references to a shared object
+and that shared object is loaded in memory. In this case, the references are
+substituted with the real address values. Similar events can occur inside the 
+shared object itself.
+</p>
+
+<p>
+A text relocation is a relocation in the text segment. Since text segments
+contain executable code, system administrators might prefer not to have these
+segments writable. This is perfectly possible, but since text relocations
+actually write in the text segment, it is not always feasible. 
+</p>
+
+<p>
+If you want to eliminate text relocations, you will need to make sure
+that the application and shared object is built with <e>Position Independent
+Code</e> (PIC), making references obsolete. This not only increases security,
+but also increases the performance in case of shared objects (allowing writes in
+the text segment requires a swap space reservation and a private copy of the
+shared object for each application that uses it).
+</p>
+
+<p>
+The following example will search your library paths recursively, without
+leaving the mounted file system and ignoring symbolic links, for any ELF binary
+containing a text relocation:
+</p>
+
+<pre caption="Scanning the system for text relocation binaries">
+# <i>scanelf -lqtmyR</i>
+</pre>
+
+<p>
+If you want to scan your entire system for <e>any</e> file containing text
+relocations:
+</p>
+
+<pre caption="Scanning the entire system for text relocation files">
+# <i>scanelf -qtmyR /</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Using scanelf for Specific Header</title>
+<body>
+
+<p>
+The scanelf util can be used to quickly identify files that contain a 
+given section header using the -k .section option.
+</p>
+
+<p>
+In this example we are looking for all files in /usr/lib/debug 
+recursively using a format modifier with quiet mode enabled that have been 
+stripped. A stripped elf will lack a .symtab entry, so we use the '!' 
+to invert the matching logic.
+</p>
+
+<pre caption="Scanning for stripped or non stripped executables">
+# <i>scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Using scanelf for Specific Segment Markings</title>
+<body>
+
+<p>
+Each segment has specific flags assigned to it in the Program Header of the
+binary. One of those flags is the type of the segment. Interesting values are
+PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
+segment contains dynamic linking information), PT_INTERP (the segment 
+contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
+for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
+(a PaX extension for the ELF format, used by the security-minded 
+<uri link="http://pax.grsecurity.net/">PaX Project</uri>.
+</p>
+
+<p>
+If we want to scan all executables in the current working directory, PATH
+environment and library paths and report those who have a writable and
+executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
+</p>
+
+<pre caption="Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK">
+# <i>scanelf -lpqe .</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Using scanelf's Format Modifier Handler</title>
+<body>
+
+<p>
+A useful feature of the <c>scanelf</c> utility is the format modifier handler.  
+With this option you can control the output of <c>scanelf</c>, thereby 
+simplifying parsing the output with scripts.
+</p>
+
+<p>
+As an example, we will use <c>scanelf</c> to print the file names that contain
+text relocations:
+</p>
+
+<pre caption="Example of the scanelf format modifier handler">
+# <i>scanelf -l -p -R -q -F "%F #t"</i>
+</pre>
+
+</body>
+</section>
+</chapter>
+
+<chapter id="pspax">
+<title>Listing PaX Flags and Capabilities</title>
+<section>
+<title>About PaX</title>
+<body>
+
+<p>
+<uri link="http://pax.grsecurity.net">PaX</uri> is a project hosted by the <uri
+link="http://www.grsecurity.net">grsecurity</uri> project. Quoting the <uri
+link="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</uri>, its main 
+goal is "to research various defense mechanisms against the exploitation of 
+software bugs that give an attacker arbitrary read/write access to the 
+attacked task's address space. This class of bugs contains among others 
+various forms of buffer overflow bugs (be they stack or heap based), user
+supplied format string bugs, etc."
+</p>
+
+<p>
+To be able to benefit from these defense mechanisms, you need to run a Linux
+kernel patched with the latest PaX code. The <uri
+link="http://hardened.gentoo.org">Hardened Gentoo</uri> project supports PaX and
+its parent project, grsecurity. The supported kernel package is
+<c>sys-kernel/hardened-sources</c>.
+</p>
+
+<p>
+The Gentoo/Hardened project has a <uri
+link="/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</uri>
+for your reading pleasure.
+</p>
+
+</body>
+</section>
+<section>
+<title>Flags and Capabilities</title>
+<body>
+
+<p>
+If your toolchain supports it, your binaries can have additional PaX flags in
+their Program Header. The following flags are supported:
+</p>
+
+<table>
+<tr>
+  <th>Flag</th>
+  <th>Name</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>P</ti>
+  <ti>PAGEEXEC</ti>
+  <ti>
+    Refuse code execution on writable pages based on the NX bit
+    (or emulated NX bit)
+  </ti>
+</tr>
+<tr>
+  <ti>S</ti>
+  <ti>SEGMEXEC</ti>
+  <ti>
+    Refuse code execution on writable pages based on the
+    segmentation logic of IA-32
+  </ti>
+</tr>
+<tr>
+  <ti>E</ti>
+  <ti>EMUTRAMP</ti>
+  <ti>
+    Allow known code execution sequences on writable pages that
+    should not cause any harm
+  </ti>
+</tr>
+<tr>
+  <ti>M</ti>
+  <ti>MPROTECT</ti>
+  <ti>
+    Prevent the creation of new executable code to the process
+    address space
+  </ti>
+</tr>
+<tr>
+  <ti>R</ti>
+  <ti>RANDMMAP</ti>
+  <ti>
+    Randomize the stack base to prevent certain stack overflow
+    attacks from being successful
+  </ti>
+</tr>
+<tr>
+  <ti>X</ti>
+  <ti>RANDEXEC</ti>
+  <ti>
+    Randomize the address where the application maps to prevent
+    certain attacks from being exploitable
+  </ti>
+</tr>
+</table>
+
+<p>
+The default Linux kernel also supports certain capabilities, grouped in the
+so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those
+capabilities in our <uri
+link="/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> document.
+</p>
+
+</body>
+</section>
+<section>
+<title>Using pspax</title>
+<body>
+
+<p>
+The <c>pspax</c> application, part of the <c>pax-utils</c> package, displays the
+run-time capabilities of all programs you have permission for. On Linux kernels
+with additional support for extended attributes (such as SELinux) those
+attributes are shown as well.
+</p>
+
+<p>
+When ran, <c>pspax</c> shows the following information:
+</p>
+
+<table>
+<tr>
+  <th>Column</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>USER</ti>
+  <ti>Owner of the process</ti>
+</tr>
+<tr>
+  <ti>PID</ti>
+  <ti>Process id</ti>
+</tr>
+<tr>
+  <ti>PAX</ti>
+  <ti>Run-time PaX flags (if applicable)</ti>
+</tr>
+<tr>
+  <ti>MAPS</ti>
+  <ti>Write/eXecute markings for the process map</ti>
+</tr>
+<tr>
+  <ti>ELF_TYPE</ti>
+  <ti>Process executable type: ET_DYN or ET_EXEC</ti>
+</tr>
+<tr>
+  <ti>NAME</ti>
+  <ti>Name of the process</ti>
+</tr>
+<tr>
+  <ti>CAPS</ti>
+  <ti>POSIX.1e capabilities (see note)</ti>
+</tr>
+<tr>
+  <ti>ATTR</ti>
+  <ti>Extended attributes (if applicable)</ti>
+</tr>
+</table>
+
+<note>
+<c>pspax</c> only displays these capabilities when it is linked with
+the external capabilities library. This requires you to build <c>pax-utils</c>
+with -DWANT_SYSCAP.
+</note>
+
+<p>
+By default, <c>pspax</c> does not show any kernel processes. If you want those
+to be taken as well, use the <c>-a</c> switch.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter id="dumpelf">
+<title>Programming with ELF files</title>
+<section>
+<title>The dumpelf Utility</title>
+<body>
+
+<p>
+With the <c>dumpelf</c> utility you can convert a ELF file into human readable C
+code that defines a structure with the same image as the original ELF file.
+</p>
+
+<pre caption="dumpelf example">
+$ <i>dumpelf /bin/hostname</i>
+#include &lt;elf.h&gt;
+
+<comment>/*
+ * ELF dump of '/bin/hostname'
+ *     10276 (0x2824) bytes
+ */</comment>
+
+struct {
+        Elf32_Ehdr ehdr;
+        Elf32_Phdr phdrs[8];
+        Elf32_Shdr shdrs[26];
+} dumpedelf_0 = {
+
+.ehdr = {
+<comment>(... Output stripped ...)</comment>
+</pre>
+
+</body>
+</section>
+</chapter>
+</guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     aa8b3763c5c94be4e0bce63547b89fc73065f667
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr  5 18:48:26 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr  5 18:48:26 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=aa8b3763

Add information on XDM and other support

---
 xml/selinux-faq.xml |   34 ++++++++++++++++++++++++++++++++--
 1 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 62c2c28..965adca 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>20</version>
-<date>2012-02-26</date>
+<version>21</version>
+<date>2012-04-05</date>
 
 <faqindex>
 <title>Questions</title>
@@ -862,5 +862,35 @@ When enabled, enforcing mode cannot be disabled anymore (until you reboot).
 
 </body>
 </section>
+<section id="xdm">
+<title>Logons through xdm (or similar) fail</title>
+<body>
+
+<p>
+If you log on through xdm, gdm, kdm, slim or any other graphical logon manager,
+you might notice in permissive mode that your context is off, and in enforcing
+mode that you just cannot log on.
+</p>
+
+<p>
+The reason of this is that PAM needs to be configured to include SELinux
+awareness in your session handling:
+</p>
+
+<pre caption="Updating pam setting for gdm">
+...
+session  required   pam_loginuid.so
+session  optional   pam_console.so
+<i>session  optional   pam_selinux.so</i>
+</pre>
+
+<p>
+Replicate the calls towards <path>pam_selinux.so</path> in the various
+<path>/etc/pam.d/gdm*</path> files (or similar depending on your graphical
+logon manager).
+</p>
+
+</body>
+</section>
 </chapter>
 </guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     b1354a6e8a73534da607d197759dbe68d6550b32
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr  5 20:42:21 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr  5 20:42:21 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=b1354a6e

update selinux roadmap

---
 xml/roadmap.xml |   24 +++++-------------------
 1 files changed, 5 insertions(+), 19 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 7fe37aa..1a57ab8 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -45,8 +45,8 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>4</version>
-<date>2011-12-10</date>
+<version>5</version>
+<date>2012-04-05</date>
 
 <chapter>
 <title>Vision</title>
@@ -412,29 +412,15 @@ of the packages and standard policies.
   <th>Related Bugs</th>
 </tr>
 <tr>
-  <ti>Deprecate old policies</ti>
-  <ti>2011-11-10</ti>
-  <ti>done</ti>
-  <ti>SwifT</ti>
-  <ti></ti>
-</tr>
-<tr>
-  <ti>Deprecate old profiles</ti>
-  <ti>2011-12-01</ti>
-  <ti>done</ti>
-  <ti>blueness</ti>
-  <ti />
-</tr>
-<tr>
-  <ti>Get mainstream packages the proper dependencies on the SELinux policies</ti>
-  <ti>2011-12-31</ti>
+  <ti>Stabilize 20120215 policies</ti>
+  <ti>2012-04-30</ti>
   <ti></ti>
   <ti>SwifT</ti>
   <ti></ti>
 </tr>
 <tr>
   <ti>Have SELinux-enabled stage3 available on the mirrors</ti>
-  <ti>2012-01-31</ti>
+  <ti>2012-06-31</ti>
   <ti></ti>
   <ti></ti>
   <ti></ti>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Francisco Blas Izquierdo Riera]

commit:     f756acec0e3a45939cc506f996bb2bfd71c0bfa4
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Apr 28 19:22:04 2012 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Apr 28 19:22:04 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=f756acec

Fix bug #413289

---
 xml/hardened-debugging.xml |   12 +-
 xml/revdep-pax.xml         |  616 +++-----------------------------------------
 2 files changed, 43 insertions(+), 585 deletions(-)

diff --git a/xml/hardened-debugging.xml b/xml/hardened-debugging.xml
index 21a0fc9..0a648a9 100644
--- a/xml/hardened-debugging.xml
+++ b/xml/hardened-debugging.xml
@@ -5,7 +5,7 @@
 <guide link="/proj/en/hardened/hardenedfaq.xml" lang="en">
 <title>Gentoo Hardened debugging</title>
 <author title="Author">
-  <mail link="klondike@xiscosoft.es">klondike</mail>
+  <mail link="klondike"/>
 </author>
 <author title="Contributor">
   <!-- Via bugs #341889 and 265693 -->
@@ -21,8 +21,8 @@ hardened kernel and toolcahin with PaX/Grsec, PIE and SSP.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>1.0</version>
-<date>2010-10-26</date>
+<version>2</version>
+<date>2012-04-28</date>
 
 <chapter>
 <title>Solving the '??' issue.</title>
@@ -214,10 +214,12 @@ available breakpoints.
 <p>
 After debugging you may want to restore the system to its normal state, if you
 used <c>paxctl</c> you can reset the flags to default using the <c>-z</c> flag.
+Since the -z flags will zero all the flags also want to keep trampoline
+emulation disabled. This is done with the <c>-e</c> flag.
 </p>
 
-<pre caption="Reseting the flags back to its defaults.">
-# <i>paxctl -z binary</i>
+<pre caption="Reseting the flags back to its defaults. Keep  trampoline emulation disabled">
+# <i>paxctl -ze binary</i>
 </pre>
 
 </body>

diff --git a/xml/revdep-pax.xml b/xml/revdep-pax.xml
index ba9f822..cbf3181 100644
--- a/xml/revdep-pax.xml
+++ b/xml/revdep-pax.xml
@@ -23,7 +23,10 @@ requiring RWX memory in order to process JIT code.
 <date>2012-02-19</date>
 
 <chapter>
-<title>What's <c>revdep-pax</c> about?</title>
+<title>What's revdep-pax about?</title>
+
+<section>
+<body>
 
 <p by="Geroge Orwell">
 Since the early days of PaX it was known that all programs were equal although
@@ -33,6 +36,9 @@ allowing system administrators and users telling the system which binaries
 needed this lessened environment the PaX marks were created.
 </p>
 
+</body>
+</section>
+
 <section>
 <title>A quick introduction to PaX markings.</title>
 <body>
@@ -106,7 +112,7 @@ called. In order to solve this issue we have created <c>revdep-pax</c>.
 </body>
 </section>
 <section>
-<title>What's <c>revdep-pax</c>?</title>
+<title>What's revdep-pax?</title>
 <body>
 
 <p>
@@ -134,7 +140,10 @@ libraries linked by an object and backwards to the objects linked by a library.
 </chapter>
 
 <chapter>
-<title>Using <c>revdep-pax</c></title>
+<title>Using revdep-pax</title>
+
+<section>
+<body>
 
 <p by="The Emperor">
 In order to witness the firepower of this fully ARMED and OPERATIONAL tool
@@ -142,6 +151,9 @@ you'll first need to learn how to use it, once you are done, you'll be
 able to fire at will.
 </p>
 
+</body>
+</section>
+    
 <section>
 <title>Propagating PaX marks backwards from a library to objects that link at it
 </title>
@@ -149,592 +161,36 @@ able to fire at will.
 
 <p>
 This is going to be probably the main way in which you are going to use this
-utility. What it does is check all the libraries linked statically 
-The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package.
-With this application you can print out information specific to the ELF
-structure of a binary. The following table sums up the various options.
-</p>
-
-<table>
-<tr>
-  <th>Option</th>
-  <th>Long Option</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>-p</ti>
-  <ti>--path</ti>
-  <ti>Scan all directories in PATH environment</ti>
-</tr>
-<tr>
-  <ti>-l</ti>
-  <ti>--ldpath</ti>
-  <ti>Scan all directories in /etc/ld.so.conf</ti>
-</tr>
-<tr>
-  <ti>-R</ti>
-  <ti>--recursive</ti>
-  <ti>Scan directories recursively</ti>
-</tr>
-<tr>
-  <ti>-m</ti>
-  <ti>--mount</ti>
-  <ti>Don't recursively cross mount points</ti>
-</tr>
-<tr>
-  <ti>-y</ti>
-  <ti>--symlink</ti>
-  <ti>Don't scan symlinks</ti>
-</tr>
-<tr>
-  <ti>-A</ti>
-  <ti>--archives</ti>
-  <ti>Scan archives (.a files)</ti>
-</tr>
-<tr>
-  <ti>-L</ti>
-  <ti>--ldcache</ti>
-  <ti>Utilize ld.so.cache information (use with -r/-n)</ti>
-</tr>
-<tr>
-  <ti>-X</ti>
-  <ti>--fix</ti>
-  <ti>Try and 'fix' bad things (use with -r/-e)</ti>
-</tr>
-<tr>
-  <ti>-z [arg]</ti>
-  <ti>--setpax [arg]</ti>
-  <ti>Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</ti>
-</tr>
-<tr>
-  <th>Option</th>
-  <th>Long Option</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>-x</ti>
-  <ti>--pax</ti>
-  <ti>Print PaX markings</ti>
-</tr>
-<tr>
-  <ti>-e</ti>
-  <ti>--header</ti>
-  <ti>Print GNU_STACK/PT_LOAD markings</ti>
-</tr>
-<tr>
-  <ti>-t</ti>
-  <ti>--textrel</ti>
-  <ti>Print TEXTREL information</ti>
-</tr>
-<tr>
-  <ti>-r</ti>
-  <ti>--rpath</ti>
-  <ti>Print RPATH information</ti>
-</tr>
-<tr>
-  <ti>-n</ti>
-  <ti>--needed</ti>
-  <ti>Print NEEDED information</ti>
-</tr>
-<tr>
-  <ti>-i</ti>
-  <ti>--interp</ti>
-  <ti>Print INTERP information</ti>
-</tr>
-<tr>
-  <ti>-b</ti>
-  <ti>--bind</ti>
-  <ti>Print BIND information</ti>
-</tr>
-<tr>
-  <ti>-S</ti>
-  <ti>--soname</ti>
-  <ti>Print SONAME information</ti>
-</tr>
-<tr>
-  <ti>-s [arg]</ti>
-  <ti>--symbol [arg]</ti>
-  <ti>Find a specified symbol</ti>
-</tr>
-<tr>
-  <ti>-k [arg]</ti>
-  <ti>--section [arg]</ti>
-  <ti>Find a specified section</ti>
-</tr>
-<tr>
-  <ti>-N [arg]</ti>
-  <ti>--lib [arg]</ti>
-  <ti>Find a specified library</ti>
-</tr>
-<tr>
-  <ti>-g</ti>
-  <ti>--gmatch</ti>
-  <ti>Use strncmp to match libraries. (use with -N)</ti>
-</tr>
-<tr>
-  <ti>-T</ti>
-  <ti>--textrels</ti>
-  <ti>Locate cause of TEXTREL</ti>
-</tr>
-<tr>
-  <ti>-E [arg]</ti>
-  <ti>--etype [arg]</ti>
-  <ti>Print only ELF files matching etype ET_DYN,ET_EXEC ...</ti>
-</tr>
-<tr>
-  <ti>-M [arg]</ti>
-  <ti>--bits [arg]</ti>
-  <ti>Print only ELF files matching numeric bits</ti>
-</tr>
-<tr>
-  <ti>-a</ti>
-  <ti>--all</ti>
-  <ti>Print all scanned info (-x -e -t -r -b)</ti>
-</tr>
-<tr>
-  <th>Option</th>
-  <th>Long Option</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>-q</ti>
-  <ti>--quiet</ti>
-  <ti>Only output 'bad' things</ti>
-</tr>
-<tr>
-  <ti>-v</ti>
-  <ti>--verbose</ti>
-  <ti>Be verbose (can be specified more than once)</ti>
-</tr>
-<tr>
-  <ti>-F [arg]</ti>
-  <ti>--format [arg]</ti>
-  <ti>Use specified format for output</ti>
-</tr>
-<tr>
-  <ti>-f [arg]</ti>
-  <ti>--from [arg]</ti>
-  <ti>Read input stream from a filename</ti>
-</tr>
-<tr>
-  <ti>-o [arg]</ti>
-  <ti>--file [arg]</ti>
-  <ti>Write output stream to a filename</ti>
-</tr>
-<tr>
-  <ti>-B</ti>
-  <ti>--nobanner</ti>
-  <ti>Don't display the header</ti>
-</tr>
-<tr>
-  <ti>-h</ti>
-  <ti>--help</ti>
-  <ti>Print this help and exit</ti>
-</tr>
-<tr>
-  <ti>-V</ti>
-  <ti>--version</ti>
-  <ti>Print version and exit</ti>
-</tr>
-</table>
-
-<p>
-The format specifiers for the <c>-F</c> option are given in the following table.
-Prefix each specifier with <c>%</c> (verbose) or <c>#</c> (silent) accordingly.
-</p>
-
-<table>
-<tr>
-  <th>Specifier</th>
-  <th>Full Name</th>
-  <th>Specifier</th>
-  <th>Full Name</th>
-</tr>
-<tr>
-  <ti>F</ti>
-  <ti>Filename</ti>
-  <ti>x</ti>
-  <ti>PaX Flags</ti>
-</tr>
-<tr>
-  <ti>e</ti>
-  <ti>STACK/RELRO</ti>
-  <ti>t</ti>
-  <ti>TEXTREL</ti>
-</tr>
-<tr>
-  <ti>r</ti>
-  <ti>RPATH</ti>
-  <ti>n</ti>
-  <ti>NEEDED</ti>
-</tr>
-<tr>
-  <ti>i</ti>
-  <ti>INTERP</ti>
-  <ti>b</ti>
-  <ti>BIND</ti>
-</tr>
-<tr>
-  <ti>s</ti>
-  <ti>Symbol</ti>
-  <ti>N</ti>
-  <ti>Library</ti>
-</tr>
-<tr>
-  <ti>o</ti>
-  <ti>Type</ti>
-  <ti>p</ti>
-  <ti>File name</ti>
-</tr>
-<tr>
-  <ti>f</ti>
-  <ti>Base file name</ti>
-  <ti>k</ti>
-  <ti>Section</ti>
-</tr>
-<tr>
-  <ti>a</ti>
-  <ti>ARCH/e_machine</ti>
-  <ti>&nbsp;</ti>
-  <ti>&nbsp;</ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>Using scanelf for Text Relocations</title>
-<body>
-
-<p>
-As an example, we will use <c>scanelf</c> to find binaries containing text
-relocations.
-</p>
-
-<p>
-A relocation is an operation that rewrites an address in a loaded segment. Such
-an address rewrite can happen when a segment has references to a shared object
-and that shared object is loaded in memory. In this case, the references are
-substituted with the real address values. Similar events can occur inside the 
-shared object itself.
-</p>
-
-<p>
-A text relocation is a relocation in the text segment. Since text segments
-contain executable code, system administrators might prefer not to have these
-segments writable. This is perfectly possible, but since text relocations
-actually write in the text segment, it is not always feasible. 
-</p>
-
-<p>
-If you want to eliminate text relocations, you will need to make sure
-that the application and shared object is built with <e>Position Independent
-Code</e> (PIC), making references obsolete. This not only increases security,
-but also increases the performance in case of shared objects (allowing writes in
-the text segment requires a swap space reservation and a private copy of the
-shared object for each application that uses it).
-</p>
-
-<p>
-The following example will search your library paths recursively, without
-leaving the mounted file system and ignoring symbolic links, for any ELF binary
-containing a text relocation:
-</p>
-
-<pre caption="Scanning the system for text relocation binaries">
-# <i>scanelf -lqtmyR</i>
-</pre>
-
-<p>
-If you want to scan your entire system for <e>any</e> file containing text
-relocations:
-</p>
-
-<pre caption="Scanning the entire system for text relocation files">
-# <i>scanelf -qtmyR /</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Using scanelf for Specific Header</title>
-<body>
-
-<p>
-The scanelf util can be used to quickly identify files that contain a 
-given section header using the -k .section option.
-</p>
-
-<p>
-In this example we are looking for all files in /usr/lib/debug 
-recursively using a format modifier with quiet mode enabled that have been 
-stripped. A stripped elf will lack a .symtab entry, so we use the '!' 
-to invert the matching logic.
-</p>
-
-<pre caption="Scanning for stripped or non stripped executables">
-# <i>scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Using scanelf for Specific Segment Markings</title>
-<body>
-
-<p>
-Each segment has specific flags assigned to it in the Program Header of the
-binary. One of those flags is the type of the segment. Interesting values are
-PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
-segment contains dynamic linking information), PT_INTERP (the segment 
-contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
-for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
-(a PaX extension for the ELF format, used by the security-minded 
-<uri link="http://pax.grsecurity.net/">PaX Project</uri>.
-</p>
-
-<p>
-If we want to scan all executables in the current working directory, PATH
-environment and library paths and report those who have a writable and
-executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
-</p>
-
-<pre caption="Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK">
-# <i>scanelf -lpqe .</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Using scanelf's Format Modifier Handler</title>
-<body>
-
-<p>
-A useful feature of the <c>scanelf</c> utility is the format modifier handler.  
-With this option you can control the output of <c>scanelf</c>, thereby 
-simplifying parsing the output with scripts.
-</p>
-
-<p>
-As an example, we will use <c>scanelf</c> to print the file names that contain
-text relocations:
-</p>
-
-<pre caption="Example of the scanelf format modifier handler">
-# <i>scanelf -l -p -R -q -F "%F #t"</i>
+utility. What it does is check all the libraries linked statically by the
+binaries using <c>ldd</c> and then smartly add the paxmarks of those libraries
+to generate the new set. As a result if <path>/usr/games/bin/armagetronad</path>
+links with <path>/usr/lib64/libGL.so.1</path> which has the <e>-m</e> PaX mark
+(allow RWX mappings) because you are using a llvm requiring graphics driver
+you'll get that binary marked with the <e>-m</e> PaX mark too since it needs it.
+Below you can see how to run it.
+</p>
+
+<pre caption="Propagating the PaX marks from the libraries">
+# <i>mv /etc/grsec/learning.roles /etc/grsec/policy</i>
+# <i>chmod 0600 /etc/grsec/policy</i>
 </pre>
 
-</body>
-</section>
-</chapter>
-
-<chapter id="pspax">
-<title>Listing PaX Flags and Capabilities</title>
-<section>
-<title>About PaX</title>
-<body>
-
-<p>
-<uri link="http://pax.grsecurity.net">PaX</uri> is a project hosted by the <uri
-link="http://www.grsecurity.net">grsecurity</uri> project. Quoting the <uri
-link="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</uri>, its main 
-goal is "to research various defense mechanisms against the exploitation of 
-software bugs that give an attacker arbitrary read/write access to the 
-attacked task's address space. This class of bugs contains among others 
-various forms of buffer overflow bugs (be they stack or heap based), user
-supplied format string bugs, etc."
-</p>
-
-<p>
-To be able to benefit from these defense mechanisms, you need to run a Linux
-kernel patched with the latest PaX code. The <uri
-link="http://hardened.gentoo.org">Hardened Gentoo</uri> project supports PaX and
-its parent project, grsecurity. The supported kernel package is
-<c>sys-kernel/hardened-sources</c>.
-</p>
-
-<p>
-The Gentoo/Hardened project has a <uri
-link="/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</uri>
-for your reading pleasure.
-</p>
-
-</body>
-</section>
-<section>
-<title>Flags and Capabilities</title>
-<body>
-
-<p>
-If your toolchain supports it, your binaries can have additional PaX flags in
-their Program Header. The following flags are supported:
-</p>
-
-<table>
-<tr>
-  <th>Flag</th>
-  <th>Name</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>P</ti>
-  <ti>PAGEEXEC</ti>
-  <ti>
-    Refuse code execution on writable pages based on the NX bit
-    (or emulated NX bit)
-  </ti>
-</tr>
-<tr>
-  <ti>S</ti>
-  <ti>SEGMEXEC</ti>
-  <ti>
-    Refuse code execution on writable pages based on the
-    segmentation logic of IA-32
-  </ti>
-</tr>
-<tr>
-  <ti>E</ti>
-  <ti>EMUTRAMP</ti>
-  <ti>
-    Allow known code execution sequences on writable pages that
-    should not cause any harm
-  </ti>
-</tr>
-<tr>
-  <ti>M</ti>
-  <ti>MPROTECT</ti>
-  <ti>
-    Prevent the creation of new executable code to the process
-    address space
-  </ti>
-</tr>
-<tr>
-  <ti>R</ti>
-  <ti>RANDMMAP</ti>
-  <ti>
-    Randomize the stack base to prevent certain stack overflow
-    attacks from being successful
-  </ti>
-</tr>
-<tr>
-  <ti>X</ti>
-  <ti>RANDEXEC</ti>
-  <ti>
-    Randomize the address where the application maps to prevent
-    certain attacks from being exploitable
-  </ti>
-</tr>
-</table>
-
-<p>
-The default Linux kernel also supports certain capabilities, grouped in the
-so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those
-capabilities in our <uri
-link="/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> document.
-</p>
-
-</body>
-</section>
-<section>
-<title>Using pspax</title>
-<body>
-
-<p>
-The <c>pspax</c> application, part of the <c>pax-utils</c> package, displays the
-run-time capabilities of all programs you have permission for. On Linux kernels
-with additional support for extended attributes (such as SELinux) those
-attributes are shown as well.
-</p>
-
-<p>
-When ran, <c>pspax</c> shows the following information:
-</p>
-
-<table>
-<tr>
-  <th>Column</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>USER</ti>
-  <ti>Owner of the process</ti>
-</tr>
-<tr>
-  <ti>PID</ti>
-  <ti>Process id</ti>
-</tr>
-<tr>
-  <ti>PAX</ti>
-  <ti>Run-time PaX flags (if applicable)</ti>
-</tr>
-<tr>
-  <ti>MAPS</ti>
-  <ti>Write/eXecute markings for the process map</ti>
-</tr>
-<tr>
-  <ti>ELF_TYPE</ti>
-  <ti>Process executable type: ET_DYN or ET_EXEC</ti>
-</tr>
-<tr>
-  <ti>NAME</ti>
-  <ti>Name of the process</ti>
-</tr>
-<tr>
-  <ti>CAPS</ti>
-  <ti>POSIX.1e capabilities (see note)</ti>
-</tr>
-<tr>
-  <ti>ATTR</ti>
-  <ti>Extended attributes (if applicable)</ti>
-</tr>
-</table>
 
 <note>
-<c>pspax</c> only displays these capabilities when it is linked with
-the external capabilities library. This requires you to build <c>pax-utils</c>
-with -DWANT_SYSCAP.
+Due to the way in which <c>ldd</c> works you'll get all the libraries required
+at runtime, even those required by libraries you link to (and so on recursively)
+as a result <c>revdep-pax</c> will detect all dependencies in a single pass. If
+the behaviour of <c>ldd</c> changes so may change the behaviour of
+<c>revdep-pax</c>
 </note>
 
 <p>
-By default, <c>pspax</c> does not show any kernel processes. If you want those
-to be taken as well, use the <c>-a</c> switch.
-</p>
-
-</body>
-</section>
-</chapter>
-
-<chapter id="dumpelf">
-<title>Programming with ELF files</title>
-<section>
-<title>The dumpelf Utility</title>
-<body>
-
-<p>
-With the <c>dumpelf</c> utility you can convert a ELF file into human readable C
-code that defines a structure with the same image as the original ELF file.
+The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
 </p>
 
-<pre caption="dumpelf example">
-$ <i>dumpelf /bin/hostname</i>
-#include &lt;elf.h&gt;
-
-<comment>/*
- * ELF dump of '/bin/hostname'
- *     10276 (0x2824) bytes
- */</comment>
-
-struct {
-        Elf32_Ehdr ehdr;
-        Elf32_Phdr phdrs[8];
-        Elf32_Shdr shdrs[26];
-} dumpedelf_0 = {
-
-.ehdr = {
-<comment>(... Output stripped ...)</comment>
-</pre>
-
 </body>
 </section>
 </chapter>
-</guide>
+</guide>
\ No newline at end of file

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     525742edca2dca72f9d976d6907d075213e4c0e3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May  4 20:19:15 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May  4 20:19:15 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=525742ed

Adding blurb on keeping /selinux

---
 xml/selinux-faq.xml |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 5bb32b8..c893818 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -917,6 +917,14 @@ falls back to the original <path>/selinux</path> location if it cannot find it
 at the new place.
 </p>
 
+<p>
+However, the <path>/sys/fs/selinux</path> location currently has an issue for
+those systems not using an initramfs, as it means that <path>/sys</path> has not
+been mounted when <c>init</c> tries to mount <path>/sys/fs/selinux</path>. We
+are working out how to resolve this, but for now, keep <path>/selinux</path>
+active.
+</p>
+
 </body>
 </section>
 </chapter>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     43763764f49c68a232a9da3568927e3541fdb493
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 21 19:07:31 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 21 19:07:31 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=43763764

Update on localpolicy

---
 xml/selinux-faq.xml |   25 +++++++++++++++++++++++--
 1 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index c893818..5fe99fe 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
 elsewhere
 </abstract>
 
-<version>22</version>
-<date>2012-05-05</date>
+<version>23</version>
+<date>2012-05-21</date>
 
 <faqindex>
 <title>Questions</title>
@@ -411,6 +411,27 @@ irc.freenode.net, the mailinglist, forums, etc. to find the proper rules and
 statements for your case.
 </p>
 
+<p>
+With the policy file created, you can then build it using the
+<path>Makefile</path> provided by the system:
+</p>
+
+<pre caption="Building a fixlocal.pp file">
+<comment>(This uses "strict" as the example policy type, substitute with your
+own)</comment>
+# <i>make -f /usr/share/selinux/strict/include/Makefile fixlocal.pp</i>
+</pre>
+
+<p>
+Then, if the builds succeeds, you can load it in memory. Once loaded, it will be
+loaded after every boot as well, so you do not need to repeat this over and over
+again.
+</p>
+
+<pre caption="Loading the policy">
+# <i>semodule -i fixlocal.pp</i>
+</pre>
+
 </body>
 </section>
 </chapter>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     4de038c7580a475f58c4f9a423b52ed61e736478
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 26 18:06:59 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat May 26 18:06:59 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4de038c7

Hardened roadmap for SELinux updated

---
 xml/roadmap.xml |   11 ++---------
 1 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/xml/roadmap.xml b/xml/roadmap.xml
index 1a57ab8..8a70224 100644
--- a/xml/roadmap.xml
+++ b/xml/roadmap.xml
@@ -45,8 +45,8 @@ A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
 </abstract>
 
-<version>5</version>
-<date>2012-04-05</date>
+<version>6</version>
+<date>2012-05-26</date>
 
 <chapter>
 <title>Vision</title>
@@ -412,13 +412,6 @@ of the packages and standard policies.
   <th>Related Bugs</th>
 </tr>
 <tr>
-  <ti>Stabilize 20120215 policies</ti>
-  <ti>2012-04-30</ti>
-  <ti></ti>
-  <ti>SwifT</ti>
-  <ti></ti>
-</tr>
-<tr>
   <ti>Have SELinux-enabled stage3 available on the mirrors</ti>
   <ti>2012-06-31</ti>
   <ti></ti>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     cd95497c6985db348bae718ee614f15caea2f2f3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 26 19:25:20 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat May 26 19:25:20 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=cd95497c

Attempt to document changes since installation for SELinux users

---
 xml/selinux-changes.xml |  172 +++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 172 insertions(+), 0 deletions(-)

diff --git a/xml/selinux-changes.xml b/xml/selinux-changes.xml
new file mode 100644
index 0000000..3474a31
--- /dev/null
+++ b/xml/selinux-changes.xml
@@ -0,0 +1,172 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header$ -->
+
+<guide lang="en">
+<title>Gentoo Hardened SELinux Change Overview</title>
+
+<author title="Author">
+  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
+</author>
+
+<abstract>
+As Gentoo is a rolling-release distribution, sometimes changes are being
+introduced which are documented in the main installation instructions but should
+be known by regular users as well. Not all of these changes are sufficiently
+intrusive to be set in a Gentoo news item. This document will contain an
+overview of all changes made in chronological order.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
+<license/>
+
+<version>1</version>
+<date>2012-05-26</date>
+
+<chapter>
+<title>Introduction</title>
+<section>
+<title>About this document</title>
+<body>
+
+<p>
+This document will give an overview of all SELinux documented changes made
+on particular dates and that might be important for users to follow up through.
+</p>
+
+<p>
+Changes that only affect ~arch users will be documented below and moved up when
+they are stabilized. It is possible though that these changes will be "fixed"
+automatically and as such removed from this page.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Overview of Changes for Stable Users</title>
+<section>
+<title>2012/05/26 - Support of initramfs</title>
+<body>
+
+<p>
+Users who boot with an initramfs will need to boot in permissive mode first, and
+later on switch to enforcing mode. This can be done automatically using an
+init script, as documented at <uri
+link="/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap5">Initramfs
+users</uri>.
+</p>
+
+</body>
+</section>
+<section>
+<title>2012/05/26 - Support for graphical login managers</title>
+<body>
+
+<p>
+Users who boot into a graphical environment (such as through GDM) will need to
+edit their PAM configuration files accordingly to support SELinux security
+context settings. This is documented at <uri
+link="/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap3">Users
+of a graphical environment</uri>.
+</p>
+
+</body>
+</section>
+<section>
+<title>2012/05/18 - No more sandbox configuration needed</title>
+<body>
+
+<p>
+The previously documented editing of <path>/etc/sandbox.conf</path> to open
+write access to <path>/sys/fs/selinux/context</path> can be removed as the
+SELinux profile does this now automatically.
+</p>
+
+</body>
+</section>
+<section>
+<title>2012/04/29 - Edit of lvm-start/stop scripts no longer needed</title>
+<body>
+
+<p>
+When users install the newly stabilized 2.20120215 policies, the documented
+editing of <path>/lib/rcscripts/addons/lvm-st*.sh</path> is no longer needed.
+</p>
+
+</body>
+</section>
+<section>
+<title>2012/02/21 - /dev mount line in fstab no longer needed</title>
+<body>
+
+<p>
+The previously documented /dev mount line in <path>/etc/fstab</path> is no
+longer needed as <path>util-linux-2.20.1-r1</path> has been marked stable (which
+contains the correct bug fix).
+</p>
+
+</body>
+</section>
+<section>
+<title>2011/12/10 - Deprecation of selinux/v2refpolicy/* profiles</title>
+<body>
+
+<p>
+The old SELinux profiles (starting with <c>selinux/v2refpolicy</c>) are not
+supported anymore. Users are strongly encouraged to switch to the new profiles
+(those ending with <c>/selinux</c>).
+</p>
+
+</body>
+</section>
+<section>
+<title>2011/07/22 - Introduction of MLS/MCS support</title>
+<body>
+
+<p>
+We now support MLS and MCS, right next to targeted and strict SELinux policy
+types. When using MLS or MCS, you will need to update the <path>/tmp</path>
+entry in your <path>/etc/fstab</path> to use
+<c>rootcontext=system_u:object_r:tmp_t:s0</c> (note the trailing <c>:s0</c>).
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Overview of Changes for ~Arch Users</title>
+<section>
+<title>2012/05/26 - Definition of /run in fstab</title>
+<body>
+
+<p>
+Users that have a <path>/run</path> location will need to mark this location in their
+<path>/etc/fstab</path> to make sure it gets mounted with the right SELinux
+context.
+</p>
+
+<p>
+For users of the <c>strict</c> and <c>targeted</c> SELinux policy types:
+</p>
+
+<pre caption="/etc/fstab setting for strict or targeted">
+tmpfs  /run  tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0
+</pre>
+
+<p>
+For other policy types users:
+</p>
+
+<pre caption="/etc/fstab setting for other policy type users">
+tmpfs  /run  tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0
+</pre>
+
+</body>
+</section>
+</chapter>
+
+</guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Michael Palimaka]

commit:     820f2d3638c8c67a6a9407174acf886ad13832ec
Author:     Michael Palimaka <kensington <AT> gentoo <DOT> org>
AuthorDate: Tue Jul 10 19:30:34 2012 +0000
Commit:     Michael Palimaka <kensington <AT> gentoo <DOT> org>
CommitDate: Tue Jul 10 19:30:34 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=820f2d36

Add initial draft of AppArmor guide.

---
 xml/apparmor.xml |  204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 204 insertions(+), 0 deletions(-)

diff --git a/xml/apparmor.xml b/xml/apparmor.xml
new file mode 100644
index 0000000..032f1f3
--- /dev/null
+++ b/xml/apparmor.xml
@@ -0,0 +1,204 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header$ -->
+
+<guide disclaimer="draft" link="apparmor.xml" lang="en">
+<title>Gentoo AppArmor Guide</title>
+
+<author title="Author">
+    <mail link="kensington@gentoo.org">Michael Palimaka</mail>
+</author>
+
+<abstract>
+This guide provides a brief overview of AppArmor, and gives information
+on how to install and configure it on Gentoo.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
+<license version="3.0"/>
+
+<version>1</version>
+<date>2012-07-10</date>
+
+<chapter>
+<title>Introduction</title>
+
+<section>
+<body>
+<p>
+AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths.
+</p>
+<p>
+For each file path you specify, AppArmor will permit it only the permissions you grant.
+</p>
+<pre caption="Sample profile">
+# ------------------------------------------------------------------
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+# ------------------------------------------------------------------
+
+#include &lt;tunables/global&gt;
+
+/sbin/klogd {
+  #include &lt;abstractions/base&gt;
+
+  capability sys_admin, # for backward compatibility with kernel &lt;= 2.6.37
+  capability syslog,
+
+  network inet stream,
+
+  /boot/System.map*     r,
+  @{PROC}/kmsg          r,
+  @{PROC}/kallsyms      r,
+  /dev/tty              rw,
+
+  /sbin/klogd           rmix,
+  /var/log/boot.msg     rwl,
+  /{,var/}run/klogd.pid    krwl,
+  /{,var/}run/klogd/klogd.pid krwl,
+  /{,var/}run/klogd/kmsg   r,
+}
+</pre>
+</body>
+</section>
+
+</chapter>
+
+<chapter>
+<title>Initial setup</title>
+
+<section>
+<title>Kernel patching</title>
+<body>
+<p>
+From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however,
+it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate
+profiles - deactivation, listing, init script etc. will not work.
+</p>
+<p>
+The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <c>hardened-sources</c>,
+the patches will not cleanly apply. For convenience, a rebased version of the patches is
+<uri link="https://github.com/kensington/apparmor-grsec/tarball/master">available</uri>.
+</p>
+</body>
+</section>
+
+<section>
+<title>Install utilities</title>
+<body>
+<p>
+The AppArmor userspace utilities currently live in the
+<uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</uri>.
+You should install layman, and then add the <c>hardened-dev</c> overlay:
+
+<pre caption="Install userspace utilities">
+# <i>layman -a hardened-dev</i>
+# <i>emerge apparmor-utils</i>
+<comment>You will probably also wish to install some profiles to get started:</comment>
+# <i>emerge apparmor-profiles</i>
+</pre>
+
+</p>
+</body>
+</section>
+
+<section>
+<title>Further configuration</title>
+<body>
+<p>
+You may wish to edit the configuation files located in <c>/etc/apparmor</c>, however
+the default values will suit most users.
+</p>
+</body>
+</section>
+
+</chapter>
+
+<chapter>
+<title>Working with profiles</title>
+
+<section>
+<body>
+<p>
+Profiles are stored as simple text files in <c>/etc/apparmor.d</c>. They may take any name, and may be stored
+in subdirectories - you may organise them however it suits you.
+</p>
+
+<pre caption="Sample profile directory listing">
+/etc/apparmor.d $ <i>ls</i>
+abstractions  program-chunks  usr.lib.apache2.mpm-prefork.apache2  usr.lib.dovecot.managesieve-login  usr.sbin.dovecot  usr.sbin.nscd
+apache2.d     sbin.klogd      usr.lib.dovecot.deliver              usr.lib.dovecot.pop3               usr.sbin.identd   usr.sbin.ntpd
+bin.ping      sbin.syslog-ng  usr.lib.dovecot.dovecot-auth         usr.lib.dovecot.pop3-login         usr.sbin.lspci    usr.sbin.smbd
+disable       sbin.syslogd    usr.lib.dovecot.imap                 usr.sbin.avahi-daemon              usr.sbin.mdnsd    usr.sbin.smbldap-useradd
+local         tunables        usr.lib.dovecot.imap-login           usr.sbin.dnsmasq                   usr.sbin.nmbd     usr.sbin.traceroute
+</pre>
+
+<p>
+Profiles are referred to by name, including any parent subdirectories if present.
+</p>
+</body>
+</section>
+
+<section>
+<title>Manual control</title>
+<body>
+
+<p>
+To activate a profile, simply set it to enforce mode.
+<pre caption="Manual profile activation">
+# <i>aa-enforce usr.sbin.dnsmasq</i>
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
+</pre>
+</p>
+
+<p>
+Similarly, to deactive a profile, simply set it to complain mode.
+<pre caption="Manual profile deactivation">
+# <i>aa-complain usr.sbin.dnsmasq</i>
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
+</pre>
+</p>
+
+<p>
+The current status of your profiles may be viewed using <c>aa-status</c>.
+<pre caption="Profile status listing">
+# <i>aa-status</i>
+apparmor module is loaded.
+6 profiles are loaded.
+5 profiles are in enforce mode.
+   /bin/ping
+   /sbin/klogd
+   /sbin/syslog-ng
+   /usr/sbin/dnsmasq
+   /usr/sbin/identd
+1 profiles are in complain mode.
+   /usr/sbin/lspci
+1 processes have profiles defined.
+1 processes are in enforce mode.
+   /usr/sbin/dnsmasq (12905)
+0 processes are in complain mode.
+0 processes are unconfined but have a profile defined.
+</pre>
+</p>
+
+</body>
+</section>
+
+<section>
+<title>Automatic control</title>
+<body>
+<p>
+The provided init script will automatically load all profiles located in your profile directory.
+Unless specifically specified otherwise, each profile will be loaded in enforce mode.
+</p>
+</body>
+</section>
+
+</chapter>
+
+</guide>

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Sven Vermeulen]

commit:     7c8011c8bac2c8c4d249cd0b0988aa7dcd1ea291
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Aug 20 17:17:14 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Aug 20 17:17:14 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=7c8011c8

Update in index page for hardened project site

---
 xml/index.xml |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/xml/index.xml b/xml/index.xml
index 21aef7b..fb5ebe0 100644
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -41,7 +41,7 @@ Gentoo once they've been tested for security and stability by the Hardened team.
 <dev role="Member" description="Hardened sources">lejonet</dev>
 <dev role="Member" description="PPC arch team liaison">nixnut</dev>
 <dev role="Member" description="SELinux">pebenito</dev>
-<dev role="Member" description="SELinux">SwifT</dev>
+<dev role="Member" description="SELinux, Integrity">SwifT</dev>
 <dev role="Member" description="SELinux">prometheanfire</dev>
 <dev role="Member" description="Doc, PR">klondike</dev>
 
@@ -50,6 +50,7 @@ or most of the subprojects -->
 <subproject ref="/proj/en/hardened/selinux/index.xml" inheritresources="yes"/>
 <!-- RSBAC is now with us again :) -->
 <subproject ref="/proj/en/hardened/rsbac/index.xml" inheritresources="yes" />
+<subproject ref="/proj/en/hardened/integrity/index.xml" inheritresources="yes" />
 
 <extraproject name="PaX/Grsecurity" lead="blueness">
 Grsecurity is a complete security solution providing such features as a MAC or

[gentoo-commits] proj/hardened-docs:master commit in: xml/

[Magnus Granberg]

commit:     1782f8ce0113f44ac5f1710b527327e3a4def915
Author:     Magnus Granberg <zorry <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 12 14:18:38 2013 +0000
Commit:     Magnus Granberg <zorry <AT> gentoo <DOT> org>
CommitDate: Sat Jan 12 14:18:38 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=1782f8ce

Add orc use flag to the faq

---
 xml/hardenedfaq.xml |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/xml/hardenedfaq.xml b/xml/hardenedfaq.xml
index 9be1ffb..73760e3 100644
--- a/xml/hardenedfaq.xml
+++ b/xml/hardenedfaq.xml
@@ -339,7 +339,7 @@ there should fix your problem.
 </section>
 
 <section id="jitflag">
-<title>Why is the jit flag disabled in the hardened profile?</title>
+<title>Why is the jit and orc flag disabled in the hardened profile?</title>
 <body>
 
 <p>
@@ -349,7 +349,8 @@ binary code in memory and then executing the compiled code. This means that the
 program need a section of memory which has write and execution permissions to
 write and then execute the code which is denied by PaX, unless the mprotect flag
 is unset for the executable. As a result, we disabled the JIT use flag by
-default to avoid complaints and security problems.
+default to avoid complaints and security problems. ORC use Just In Time
+Compilation (jit).
 </p>
 
 <p>
@@ -362,7 +363,7 @@ execute any code it wants to.
 </section>
 
 <section id="enablejit">
-<title>How do I enable the jit flag?</title>
+<title>How do I enable the jit or orc flag?</title>
 <body>
 
 <p>
@@ -399,7 +400,7 @@ SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
 </pre>
 
 <impo>
-Remember that if you enable JIT code on PaX you may need to disable mprotect on
+Remember that if you enable JIT or ORC code on PaX you may need to disable mprotect on
 the binaries using such code, either by them selves or through libraries. Check
 the <uri link="#paxjavajit">PaX question on Java and JIT to see how to do this
 </uri>