[gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: roadmap.xml selinux-bugreporting.xml selinux-development.xml selinux-faq.xml
2011-12-10 15:18 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2011-12-10 15:18 UTC
To: gentoo-commits
swift 11/12/10 15:18:56
Modified: roadmap.xml selinux-development.xml selinux-faq.xml
Added: selinux-bugreporting.xml
Log:
Updates on documentation. Added guide on bugreporting.
Revision Changes Path
1.16 xml/htdocs/proj/en/hardened/roadmap.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/roadmap.xml?rev=1.16&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/roadmap.xml?rev=1.16&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/roadmap.xml?r1=1.15&r2=1.16
Index: roadmap.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/roadmap.xml,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- roadmap.xml 12 Nov 2011 21:27:43 -0000 1.15
+++ roadmap.xml 10 Dec 2011 15:18:56 -0000 1.16
@@ -45,8 +45,8 @@
Hardened Gentoo project.
</abstract>
-<version>2</version>
-<date>2011-08-24</date>
+<version>3</version>
+<date>2011-12-10</date>
<chapter>
<title>Vision</title>
@@ -432,6 +432,13 @@
<ti>SwifT</ti>
<ti></ti>
</tr>
+<tr>
+ <ti>Have SELinux-enabled stage3 available on the mirrors</ti>
+ <ti>2012-01-31</ti>
+ <ti></ti>
+ <ti></ti>
+ <ti></ti>
+</tr>
</table>
</body>
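Review bot: the new roadmap row at the end of this hunk leaves three of its five cells empty, while the preceding row at least names an owner (SwifT) in one of them; if those columns carry owner and status, fill in who takes the "SELinux-enabled stage3 on the mirrors" item so the 2012-01-31 target has someone accountable.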
1.3 xml/htdocs/proj/en/hardened/selinux-development.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-development.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-development.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-development.xml?r1=1.2&r2=1.3
Index: selinux-development.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-development.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- selinux-development.xml 4 Sep 2011 19:55:28 -0000 1.2
+++ selinux-development.xml 10 Dec 2011 15:18:56 -0000 1.3
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-development.xml,v 1.2 2011/09/04 19:55:28 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-development.xml,v 1.3 2011/12/10 15:18:56 swift Exp $ -->
<guide link="/proj/en/hardened/selinux-development.xml" lang="en">
<title>Gentoo Hardened SELinux Development</title>
@@ -18,8 +18,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>
-<version>2</version>
-<date>2011-09-04</date>
+<version>3</version>
+<date>2011-11-22</date>
<chapter>
<title>Introduction</title>
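Review bot: the date in this hunk is set to 2011-11-22 although the commit is from 2011-12-10 and roadmap.xml in the same commit gets `<date>2011-12-10</date>`; since the version goes from 2 to 3 here, the date should move with it, otherwise the guide appears older than the change it documents.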
@@ -208,9 +208,16 @@
<body>
<p>
-To update your policy workspace, use the same tactic as describes
-earlier, but now for the specific SELinux policy module package (like
-<path>selinux-postfix</path>).
+If you want to or need to work on the policy of a SELinux module (rather than
+the base policy), check its ebuild to see if it holds any additional patches
+(mentioned through the <c>POLICY_PATCH</c> variable). If not, then you can work
+off the snapshot taken earlier in this guide.
+</p>
+
+<p>
+However, if a patch (or set of patches) is applied as well, you either need to
+apply those manually on the snapshot, or use the following tactics to create a
+snapshot just for this module:
</p>
<pre caption="Updating the dev/hardened workspace">
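Review bot: the replacement paragraph ends with "use the following tactics to create a snapshot just for this module:", but the `<pre>` that follows keeps its caption "Updating the dev/hardened workspace", which described the text this hunk removes; rename the caption to match the new content (for example "Creating a snapshot for a single policy module"). Minor wording: "If you want to or need to work" reads better as "If you want or need to work".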
1.11 xml/htdocs/proj/en/hardened/selinux-faq.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml?rev=1.11&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml?rev=1.11&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml?r1=1.10&r2=1.11
Index: selinux-faq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- selinux-faq.xml 30 Oct 2011 12:13:27 -0000 1.10
+++ selinux-faq.xml 10 Dec 2011 15:18:56 -0000 1.11
@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml,v 1.10 2011/10/30 12:13:27 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml,v 1.11 2011/12/10 15:18:56 swift Exp $ -->
-<guide link="/proj/en/hardened/selinux-faq.xml" lang="en">
+<guide>
<title>Gentoo Hardened SELinux Frequently Asked Questions</title>
<author title="Author">
<mail link="pebenito@gentoo.org">Chris PeBenito</mail>
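Review bot: `<guide link="/proj/en/hardened/selinux-faq.xml" lang="en">` becomes a bare `<guide>` here, dropping both attributes, while selinux-development.xml in the same commit keeps `<guide link="..." lang="en">`; if the link attribute is now redundant, drop it consistently in both guides, and confirm that the DTD defaults lang to en before removing that attribute as well.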
@@ -252,9 +252,7 @@
</body>
</section>
<section id="matchcontext">
-<title>
- How do I know which file context rule is used for a particular file?
-</title>
+<title>How do I know which file context rule is used for a particular file?</title>
<body>
<p>
@@ -398,8 +396,8 @@
</p>
<p>
-When using interface names, make sure that the type (<c>ssh_t</c> and
-<c>user_t</c>) is mentioned in the <c>require { ... }</c> paragraph.
+When using interface names, make sure that the types (<c>ssh_t</c> and
+<c>user_t</c>) are mentioned in the <c>require { ... }</c> paragraph.
</p>
<p>
@@ -590,10 +588,8 @@
</body>
</section>
<section id="portage_libsandbox">
-<title>
- During package installation, ld.so complains 'object 'libsandbox.so' from
- LD_PRELOAD cannot be preloaded: ignored'
-</title>
+<title>During package installation, ld.so complains 'object 'libsandbox.so'
+from LD_PRELOAD cannot be preloaded: ignored'</title>
<body>
<p>
@@ -663,10 +659,8 @@
</body>
</section>
<section id="cronfails">
-<title>
- Cron fails to load in root's crontab with message '(root) ENTRYPOINT
- FAILED (crontabs/root)'
-</title>
+<title>Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+FAILED (crontabs/root)'</title>
<body>
<p>
@@ -783,7 +777,7 @@
</p>
<p>
-The solution is to rebuild policycoreutils while disabling Portage' selinux
+The solution is to rebuild policycoreutils while disabling Portage's selinux
support, then label the installed files manually using <c>chcon</c>, based on
the feedback received from <c>matchpathcon</c>.
</p>
1.1 xml/htdocs/proj/en/hardened/selinux-bugreporting.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-bugreporting.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-bugreporting.xml?rev=1.1&content-type=text/plain
Index: selinux-bugreporting.xml
===================================================================
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-bugreporting.xml,v 1.1 2011/12/10 15:18:56 swift Exp $ -->
<guide lang="en">
<title>Reporting SELinux (policy) bugs</title>
<author title="Author">
<mail link="swift"/>
</author>
<abstract>
This guide helps users to create a properly filled out bug report for SELinux
policy updates.
</abstract>
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
<version>1</version>
<date>2011-11-22</date>
<chapter>
<title>So you got a bug?</title>
<section>
<title>Introduction</title>
<body>
<p>
When working with a SELinux-enabled system, you will notice that some policies
are far from perfect. That is to be expected, since there are a lot more
policies and SELinux policy modules than we can thoroughly test. That is why bug
reports are very important for us as they give us much-needed feedback on the
state of the policies. Also, since we follow the reference policy closely,
patches are also sent upstream so that other distributions can benefit from the
updates.
</p>
<p>
However, debugging and fixing SELinux policies also means that we need to
identify a proper policy failure, find the root cause of this failure and have
an optimal solution. Since we are talking about <e>security</e> policies, much
attention goes into details, but also in the <e>many eyes</e> paradigm to
validate if a policy fix is correct or not.
</p>
<p>
That is one of the reasons why we created this bugreport as it helps you, as the
feedback-providing user, to both properly figure out why a failure occurs and
how to fix it, but also why we are quite strict in the acceptance of patches.
</p>
</body>
</section>
<section>
<title>Short version</title>
<body>
<p>
When reporting SELinux policy fixes based on AVC denials,
</p>
<ul>
<li>
structure the denials and try to create one bug report per logically
coherent set of denials. Don't push all your AVC denials onto us.
</li>
<li>
make sure you can reproduce the issue and that you have the ability to
reproduce while we work on the fix. We cannot test all policies ourselves.
</li>
<li>
report the application failure output as well, not only the AVC denial. We
need to know what the application is trying to do (and failing to do) to fix
the problem.
</li>
</ul>
</body>
</section>
</chapter>
<chapter>
<title>Bugs related to AVC denials (and non-functional applications)</title>
<section>
<title>About</title>
<body>
<p>
In this section, we'll go into the details of creating a helpful bug report for
SELinux policies in case you have an AVC denial (which means SELinux is
prohibiting a certain privilege request) that results in the failure of the
application.
</p>
</body>
</section>
<section>
<title>Structure the denials</title>
<body>
<p>
When you get one or more AVC denials, try to structure them into logically
coherent sets. We cannot easily deal with several dozen denials. Most of the
time, you either get multiple denials of the same cause, or the denials are not
truely related.
</p>
<p>
When we need to fix the SELinux policy, nine out of ten times we focus on one or
a few related denials and come up with a proper fix. When there is an abundance
of AVC denials, we need to skim through them (which we usually then do one at a
time) which puts a lot of stress on you (the reporter) as we will ask you
hundred-and-one questions and requests for testing.
</p>
</body>
</section>
<section>
<title>Prepare for testing</title>
<body>
<p>
When you report a SELinux policy related bug, make sure you are ready to test
the results that we want to put in. We cannot test out all applications
ourselves. Sometimes, a failure is even only reproducable on a specific setup.
</p>
</body>
</section>
<section>
<title>Report the application failure</title>
<body>
<p>
More than once, we get bug reports on SELinux policy denials where the user is
still running in permissive mode. He is reporting the denials because he is
afraid that he will not be able to run it in enforcing mode without the denials
being fixed.
</p>
<p>
However, denials can be <e>cosmetic</e>, in which case we should actually hide
the denials rather than allow their requests. Also, when you run in permissive
mode, it is very much possible that the denials would never be reached when
running in enforcing mode because of earlier denials (which, coincidentally,
might be wrongly hidden from your logs).
</p>
<p>
For this reason, we urge you to give us not only the AVC denial information, but
also the application failure log output when running in enforcing mode.
</p>
<p>
The <uri link="selinux/selinux-handbook.xml">Gentoo Hardened SELinux
Handbook</uri> will guide you through the process of migrating from a permissive
system into an enforcing mode. If you believe that booting in enforcing is not
possible yet, just boot in permissive, log on as root, run <c>setenforce 1</c>
and only then log on as user(s) to reproduce your situation. There is also a
<uri link="selinux/selinux-handbook.xml?part=2&chap=2">Troubleshooting
SELinux</uri> section that helps you identify common bottlenecks or issues while
trying to get SELinux running on your system.
</p>
</body>
</section>
</chapter>
</guide>
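Review bot: a few points in the new guide before it goes live: the attribute `<uri link="selinux/selinux-handbook.xml?part=2&chap=2">` contains a bare `&`, which must be written `&amp;` for the file to be well-formed XML (unless the mail rendering unescaped it); "truely" and "reproducable" are misspelt ("truly", "reproducible"); "we created this bugreport as it helps you" presumably means "this guide"; and, as with selinux-development.xml, `<date>2011-11-22</date>` predates the 2011-12-10 commit.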
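The "Structure the denials" and "Report the application failure" sections above ask reporters to group related AVC denials into coherent sets and to make sure the denials were not merely collected in permissive mode. As an added example, not part of this commit or of the Gentoo guide, the following Python script does that preparation over an audit log: it parses each AVC line, groups denials by source type, target type and object class, merges the requested permissions per group, and flags groups whose denials carry `permissive=1` (a field appended by kernels that log the enforcing state; older kernels omit it, and the script then reports the state as unknown). The audit lines are constructed sample data, and the report format is this example's own choice.

```python
import re
from collections import OrderedDict

# Constructed sample audit.log excerpt (not taken from the commit or from any real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1323532736.101:40): avc:  denied  { read } for  pid=2101 comm="postfix" name="main.cf" dev=sda1 ino=1001 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1323532736.102:41): avc:  denied  { open } for  pid=2101 comm="postfix" name="main.cf" dev=sda1 ino=1001 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1323532736.103:42): avc:  denied  { getattr } for  pid=2101 comm="postfix" path="/etc/postfix/main.cf" dev=sda1 ino=1001 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1323532736.103:42): arch=c000003e syscall=2 success=no exit=-13 comm="postfix"
type=AVC msg=audit(1323532800.500:43): avc:  denied  { name_bind } for  pid=2130 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1323532801.700:44): avc:  denied  { read write } for  pid=2210 comm="crond" name="root" dev=sda1 ino=2002 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=file permissive=1
"""

# "avc:  denied  { perm perm } for  key=value ..." as written by the kernel audit subsystem.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a context such as system_u:system_r:postfix_master_t:s0."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_denial(line):
    """Parse one audit line; return None for non-AVC records (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    permissive = fields.get("permissive")
    return {
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext", "?"),
        "tcontext": fields.get("tcontext", "?"),
        "tclass": fields.get("tclass", "?"),
        "comm": fields.get("comm", ""),
        # Kernels that log the enforcing state append permissive=0/1; older ones do not.
        "permissive": None if permissive is None else permissive == "1",
    }


def group_denials(audit_text):
    """Group denials by (source type, target type, object class), in first-seen order."""
    groups = OrderedDict()
    for line in audit_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        g = groups.setdefault(key, {"source": key[0], "target": key[1], "tclass": key[2],
                                    "perms": set(), "comms": set(), "count": 0,
                                    "permissive": None})
        g["perms"].update(d["perms"])
        if d["comm"]:
            g["comms"].add(d["comm"])
        g["count"] += 1
        if d["permissive"] is not None:
            # Any denial logged in permissive mode taints the whole set.
            g["permissive"] = bool(g["permissive"]) or d["permissive"]
    result = []
    for g in groups.values():
        g["perms"] = sorted(g["perms"])
        g["comms"] = sorted(g["comms"])
        result.append(g)
    return result


def format_report(groups):
    """Render one paragraph per denial set, ready to paste into a bug report."""
    lines = []
    for n, g in enumerate(groups, 1):
        lines.append("Denial set %d: %s -> %s (%s): %s  [%d denial(s), comm: %s]" % (
            n, g["source"], g["target"], g["tclass"], " ".join(g["perms"]),
            g["count"], ", ".join(g["comms"]) or "-"))
        if g["permissive"]:
            lines.append("  note: logged in permissive mode; reproduce with setenforce 1 "
                         "and attach the application's own error output")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(group_denials(SAMPLE_AUDIT_LOG)))
```

Run against a real `/var/log/audit/audit.log` (or the output of `dmesg` on systems without auditd), each "Denial set" is a candidate for one bug report; the three postfix lines in the sample collapse into a single set with permissions `getattr open read`, while the sshd and crond denials are unrelated and stay separate.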