* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-states.xml
@ 2011-10-26 22:08 José María Alonso (nimiux)
From: José María Alonso (nimiux) @ 2011-10-26 22:08 UTC
To: gentoo-commits
nimiux 11/10/26 22:08:08
Modified: hb-using-states.xml
Log:
Update the selinux docs
Revision Changes Path
1.2 xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?r1=1.1&r2=1.2
Index: hb-using-states.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hb-using-states.xml 23 Oct 2011 13:00:13 -0000 1.1
+++ hb-using-states.xml 26 Oct 2011 22:08:08 -0000 1.2
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.1 2011/10/23 13:00:13 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.2 2011/10/26 22:08:08 nimiux Exp $ -->
<sections>
<version>1</version>
@@ -312,7 +312,7 @@
<p>
It is not recommended to switch between types often. At best, you choose your
-policy type at install type and stick with it. But it is not impossible (nor
+policy type at install time and stick with it. But it is not impossible (nor
that hard) to switch between types.
</p>
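Review bot: the typo fix ("install type" to "install time") is right, but the sentence it lands in still reads oddly: "At best, you choose your policy type at install time" suggests an upper limit rather than a recommendation. While touching this line, consider "Ideally, you choose your policy type at install time and stick with it."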
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-states.xml
@ 2012-06-14 18:09 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-06-14 18:09 UTC
To: gentoo-commits
swift 12/06/14 18:09:51
Modified: hb-using-states.xml
Log:
Mention of initramfs where needed
Revision Changes Path
1.6 xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.6&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.6&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?r1=1.5&r2=1.6
Index: hb-using-states.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- hb-using-states.xml 29 Apr 2012 14:26:40 -0000 1.5
+++ hb-using-states.xml 14 Jun 2012 18:09:51 -0000 1.6
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.5 2012/04/29 14:26:40 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.6 2012/06/14 18:09:51 swift Exp $ -->
<sections>
-<version>2</version>
-<date>2012-04-29</date>
+<version>3</version>
+<date>2012-06-14</date>
<section>
<title>SELinux States</title>
@@ -180,7 +180,8 @@
You can now test if your system is still working properly.
</li>
<li>
- Next, boot with <c>enforcing=1</c> as kernel parameter. This way, your
+ Next, boot with <c>enforcing=1</c> as kernel parameter (unless you boot with
+ an initramfs, see earlier in this handbook). This way, your
system will boot in enforcing mode, but if things go haywire, you can just
reboot, leave out the option and be back in permissive mode
</li>
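Review bot: the new parenthetical "(unless you boot with an initramfs, see earlier in this handbook)" only signals that the enforcing=1 kernel parameter is not the right mechanism when an initramfs is used; it does not say what to do instead, and "see earlier" gives the reader nothing to locate. Either point to the specific section (GuideXML supports a <uri link="..."> cross-reference) or state the initramfs alternative in one sentence, so a reader who lands on this step alone is not left rebooting with a parameter that has no effect. Also, the list item still ends without a full stop after "be back in permissive mode".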
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-states.xml
@ 2012-12-20 9:45 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-12-20 9:45 UTC
To: gentoo-commits
swift 12/12/20 09:45:06
Modified: hb-using-states.xml
Log:
Update instructions on switching SELinux policy types
Revision Changes Path
1.7 xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.7&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.7&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?r1=1.6&r2=1.7
Index: hb-using-states.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- hb-using-states.xml 14 Jun 2012 18:09:51 -0000 1.6
+++ hb-using-states.xml 20 Dec 2012 09:45:06 -0000 1.7
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.6 2012/06/14 18:09:51 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.7 2012/12/20 09:45:06 swift Exp $ -->
<sections>
-<version>3</version>
-<date>2012-06-14</date>
+<version>4</version>
+<date>2012-12-20</date>
<section>
<title>SELinux States</title>
@@ -338,27 +338,62 @@
</p>
<p>
-First, you need to edit <path>/etc/selinux/config</path> so that it both
-switches the policy type as well as put the mode in <e>permissive</e>. This is
-necessary, since at your next reboot, many labels might (or will) be incorrect.
+First switch your system to permissive mode using <c>setenforce 0</c> or, if
+your system does not allow switching the mode, edit
+<path>/etc/selinux/config</path> to have the system boot in permissive mode. If
+you cannot use <c>setenforce 0</c> then you need to reboot now so that the
+system is in permissive mode.
</p>
<p>
-Next, edit <path>/etc/fstab</path> and make sure that the domains you use there
-are updated accordingly. For instance, the line for <path>/tmp</path>:
+Next, edit <path>/etc/selinux/config</path> and change the <c>SELINUXTYPE</c>
+variable from the current policy type to the new one. This will tell SELinux to
+load the right policy at boot time.
+</p>
+
+<p>
+Now go to the built policy modules in <path>/usr/share/selinux</path> because we
+need to load in the new policy (as you are currently still running with the old
+type). The next example shows how to do this if you come from a <e>strict</e>
+policy type and want to go to <e>mcs</e>:
+</p>
+
+<pre caption="Loading in the mcs policy">
+# <i>cd /usr/share/selinux/mcs</i>
+# <i>semodule -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp)</i>
+</pre>
+
+<p>
+You are now running with the mcs policy loaded, but will have lots of denials if
+you do anything on the file system, because the files on your file system are
+not labeled correctly: the mcs policy type requires the labels to have a
+sensitivity label on them, which isn't the case if you use the strict policy. So
+let's relabel the entire file system, including those locations that might be
+hidden because other file systems are mounted on top of it.
+</p>
+
+<pre caption="Relabeling the entire file system">
+# <i>rlpkg -a -r</i>
+# <i>mount -o bind / /mnt/gentoo</i>
+# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</i>
+# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</i>
+# <i>umount /mnt/gentoo</i>
+</pre>
+
+<p>
+Finally, edit <path>/etc/fstab</path> and update the <c>rootcontext=</c>
+parameters to include a sensitivity label as well (in case you switched towards
+mcs or mls) or not anymore (in case you switched to targeted or strict).
</p>
<pre caption="Changing /etc/fstab">
<comment># Example when switching from strict to mcs</comment>
-tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t<i>:c0</i> 0 0
+tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t<i>:s0</i> 0 0
</pre>
<p>
-When this is done, reboot your system. Log on as root, and relabel your entire
-file system using <c>rlpkg -a -r</c>. Finally, reboot again and then validate if
-your context (such as when logged on as a user) is correct again. Once you are
-confident that the domains and contexts are correct, switch the SELinux policy
-mode back to "enforcing".
+With all these steps now completed, reboot to ensure that everything is still
+working correctly (even the boot-up).
</p>
</body>
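Review bot: the relabel example contradicts the text around it. The reader is switching from strict to mcs, and the preceding paragraph says the mcs policy needs a sensitivity label on every file, yet both setfiles lines use /etc/selinux/strict/contexts/files/file_contexts, i.e. the old type's file contexts, which would not produce the :s0 labels this step exists to add; they should read /etc/selinux/mcs/contexts/files/file_contexts (or, stated generally, the file_contexts under the directory of the new SELINUXTYPE). Two smaller points in the same hunk: mount -o bind / /mnt/gentoo assumes /mnt/gentoo already exists, so say so or create it first; and the deleted closing paragraph's instruction to switch the mode back to enforcing once contexts are verified has not survived into the new text, which starts by putting the system in permissive mode and never tells the reader to leave it. The final paragraph should end with restoring enforcing mode (setenforce 1, and the matching setting in /etc/selinux/config) after the verification reboot.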
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-states.xml
@ 2012-12-20 9:47 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-12-20 9:47 UTC
To: gentoo-commits
swift 12/12/20 09:47:34
Modified: hb-using-states.xml
Log:
Add information that POLICY_TYPES should already contain the target policy
Revision Changes Path
1.8 xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.8&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.8&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?r1=1.7&r2=1.8
Index: hb-using-states.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- hb-using-states.xml 20 Dec 2012 09:45:06 -0000 1.7
+++ hb-using-states.xml 20 Dec 2012 09:47:34 -0000 1.8
@@ -4,10 +4,10 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.7 2012/12/20 09:45:06 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.8 2012/12/20 09:47:34 swift Exp $ -->
<sections>
-<version>4</version>
+<version>5</version>
<date>2012-12-20</date>
<section>
@@ -338,7 +338,15 @@
</p>
<p>
-First switch your system to permissive mode using <c>setenforce 0</c> or, if
+Make sure that your <c>POLICY_TYPES</c> variable in <path>make.conf</path>
+contains the target policy type already and that the SELinux policy packages
+have been built since. If that isn't the case, edit the <c>POLICY_TYPES</c>
+variable to include the target policy type, and rebuild all SELinux policy
+packages using <c>emerge $(qlist -IC sec-policy)</c>.
+</p>
+
+<p>
+Now switch your system to permissive mode using <c>setenforce 0</c> or, if
your system does not allow switching the mode, edit
<path>/etc/selinux/config</path> to have the system boot in permissive mode. If
you cannot use <c>setenforce 0</c> then you need to reboot now so that the
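Review bot: "have been built since" is ambiguous about what the build must postdate; say it plainly: the sec-policy packages must have been (re)built after the target type was added to POLICY_TYPES, because the modules loaded in the later semodule step come from the per-type directory under /usr/share/selinux, which only exists for types listed at build time. Also give the variable's file as a full path (<path>/etc/portage/make.conf</path>, or /etc/make.conf on older installs) rather than bare make.conf, and note that emerge $(qlist -IC sec-policy) rebuilds every installed sec-policy package, which is the intended, if slow, effect.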