From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <338e04b26909cdbff6b6a41cdbcb10ed3c0d7269.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: xml/selinux/hb-intro-concepts.xml xml/selinux/hb-using-install.xml
X-VCS-Directories: xml/selinux/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 338e04b26909cdbff6b6a41cdbcb10ed3c0d7269
Date: Fri, 13 May 2011 19:43:35 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Hash: 842471bb79908257cf82dd1a8cbe6b48

commit: 338e04b26909cdbff6b6a41cdbcb10ed3c0d7269
Author: Sven Vermeulen siphos be>
AuthorDate: Fri May 13 19:41:27 2011 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Fri May 13 19:41:27 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=338e04b2

Add rc-svcdir mount and update UBAC information

--- xml/selinux/hb-intro-concepts.xml | 3 ++- xml/selinux/hb-using-install.xml | 20 +++++++++++++++----- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-con= cepts.xml index b0c91fe..1252d95 100644 --- a/xml/selinux/hb-intro-concepts.xml +++ b/xml/selinux/hb-intro-concepts.xml @@ -512,7 +512,8 @@ file because the SELinux users' differ. =20

At this moment, Gentoo Hardened SELinux' supports both policies with and -without UBAC. This is controlled through the ubac USE flag. +without UBAC, although we strongly recommend to use UBAC. This is contro= lled +through the ubac USE flag.

=20 diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-inst= all.xml index 0c9adc7..f51a62d 100644 --- a/xml/selinux/hb-using-install.xml +++ b/xml/selinux/hb-using-install.xml @@ -110,7 +110,7 @@ Available Python interpreters: -Optional: Setting the /tmp context +Setting the filesystem contexts =20

@@ -128,6 +128,18 @@ To configure the /tmp mount, edit your = /etc/fstab: tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=3Dsystem_u:obj= ect_r:tmp_t 0 0 =20 +

+Next to the /tmp location, you will need to explicitly defi= ne the +mount for rc-svcdir, used by sys-apps/openrc. If not, this = tmpfs +file system is mounted with the wrong security label which will result i= n boot +failures. +

+ +
+# Change /lib64 with /lib for 32-bit systems / support
+rc-svcdir  /lib64/rc/init.d  tmpfs  rw,rootcontext=3Dsystem_u:object_r:i=
nitrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=3D1024k,mode=3D7=
55  0 0
+
+
@@ -247,11 +259,9 @@ or disable them. ubac - Disabled + Enabled - When enabled, the SELinux policy is built with user-based access con= trol - enabled. This is optional as it introduces constraints that might be - difficult to notice at first when you hit them. + When disabled, the SELinux policy is built without user-based access= control.
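Review bot: the added sentence in the hb-intro-concepts.xml hunk ("we strongly recommend to use UBAC") should read "we strongly recommend using UBAC", and since the paragraph is being touched anyway, the stray apostrophe in the context line "Gentoo Hardened SELinux' supports" can go too. A short clause on why UBAC is recommended would also help here, because the ubac USE flag hunk in hb-using-install.xml removes the only other place in the patch that said what the constraint does.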
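Review bot: the fstab entry in the rc-svcdir hunk of hb-using-install.xml looks copied from /proc/mounts rather than written for /etc/fstab: `seclabel` and `relatime` are options the kernel reports on an already mounted filesystem, not ones the reader needs to request, so trim the line to the options that matter (`rootcontext=system_u:object_r:initrc_state_t,nosuid,nodev,noexec,size=1024k,mode=755`) so readers do not copy reporting-only flags into their own fstab. The comment "# Change /lib64 with /lib for 32-bit systems / support" should read "# Use /lib instead of /lib64 on 32-bit systems". The prose above the entry names the symptom ("mounted with the wrong security label which will result in boot failures") but not the expected label; stating that openrc expects the directory to carry initrc_state_t makes the fstab line self-explanatory. Finally, now that the section heading has lost its "Optional:" prefix, the paragraph that still opens "To configure the /tmp mount" deserves a one-line intro saying the section covers both /tmp and rc-svcdir and that the rc-svcdir mount is required.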
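Review bot: the new description for the ubac USE flag drops both the explanation of what the flag does and the warning that its constraints are easy to trip over; with the default flipping from Disabled to Enabled, a reader who hits a UBAC denial now finds no hint in this table. Keep one sentence alongside the new "When disabled, ..." line, for example "When enabled, the policy additionally constrains access between objects and processes of different SELinux users; denials caused by this are easy to mistake for ordinary policy denials."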