public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/
Date: Wed,  9 Mar 2011 18:14:45 +0000 (UTC)
Message-ID: <52f1c7c20b38cc869c542c655c19c03b60ec0b91.SwifT@gentoo>

commit:     52f1c7c20b38cc869c542c655c19c03b60ec0b91
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar  9 18:13:09 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar  9 18:13:09 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=52f1c7c2

Adding SELinux FAQ

---
 xml/selinux-faq.xml |  297 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 297 insertions(+), 0 deletions(-)

diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
new file mode 100644
index 0000000..a23bbd6
--- /dev/null
+++ b/xml/selinux-faq.xml
@@ -0,0 +1,297 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header$ -->
+
+<guide link="/proj/en/hardened/selinux-faq.xml" lang="en">
+<title>Gentoo Hardened SELinux Frequently Asked Questions</title>
+<author title="Author">
+  <mail link="pebenito@gentoo.org">Chris PeBenito</mail>
+</author>
+<author title="Author">
+  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
+</author>
+
+<abstract>
+Frequently Asked Questions on SELinux integration with Gentoo Hardened.
+The FAQ is a collection of solutions found on IRC, mailinglist, forums or 
+elsewhere
+</abstract>
+
+<version>1</version>
+<date>2011-03-19</date>
+
+<faqindex>
+<title>Questions</title>
+<section>
+<title>Introduction</title>
+<body>
+
+<p>
+Using SELinux requires administrators a more thorough knowledge of their
+system and a good idea on how processes should behave. Next to the <uri 
+link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo Hardened SELinux
+handbook</uri>, a proper FAQ allows us to inform and help users in their 
+day-to-day SELinux experience.
+</p>
+
+<p>
+The FAQ is an aggregation of solutions found on IRC, mailinglists, forums
+and elsewhere. It focuses on SELinux integration on Gentoo Hardened, but 
+general SELinux questions that are popping up regularly will be incorporated
+as well.
+</p>
+
+</body>
+</section>
+</faqindex>
+
+<chapter>
+<title>General SELinux Support Questions</title>
+<section id="features">
+<title>Does SELinux enforce resource limits?</title>
+<body>
+
+<p>
+No, resource limits are outside the scope of an access control system. If you 
+are looking for this type of support, take a look at technologies like
+grsecurity, cgroups, pam and the like.
+</p>
+
+</body>
+</section>
+<section id="grsecurity">
+<title>Can I use SELinux with grsecurity (and PaX)?</title>
+<body>
+
+<p>
+Definitely, we even recommend it. However, it is suggested that grsecurity's
+ACL support is not used as it would be redundant to SELinux's access control.
+</p>
+
+</body>
+</section>
+<section id="pie-ssp">
+<title>Can I use SELinux and the hardened compiler (with PIE-SSP)?</title>
+<body>
+
+<p>
+Definitely. We also suggest to use PaX to take full advantage of the PIE
+features of the compiler.
+</p>
+
+</body>
+</section>
+<section id="rsbac">
+<title>Can I use SELinux and RSBAC?</title>
+<body>
+
+<p>
+We don't know. If you try this combination, we would be very interested
+in its results.
+</p>
+
+</body>
+</section>
+<section id="filesystem">
+<title>Can I use SELinux with any file system?</title>
+<body>
+
+<p>
+SELinux requires access to a file's security context to operate properly.
+To do so, SELinux uses <e>extended file attributes</e> which needs to be 
+properly supported by the underlying file system. If the file system supports
+extended file attributes and you have configured your kernel to enable this
+support, then SELinux will work on those file systems.
+</p>
+
+<p>
+General Linux file systems, such as ext2, ext3, ext4, jfs, xfs and btrfs
+support extended attributes (but don't forget to enable it in the kernel
+configuration) as well as tmpfs (for instance used by udev). If your file
+system collection is limited to this set, then you should have no issues.
+</p>
+
+<p>
+Ancillary file systems such as vfat and iso9660 are supported too, but with
+an important caveat: all files in each file system will have the same SELinux
+security context information since these file systems do not support extended
+file attributes. 
+</p>
+
+<p>
+Network file systems can be supported in the same manner as ancillary file
+systems (all files share the same security context). However, some development
+has been made in supported extended file attributes on the more popular file
+systems such as NFS. Although this is far from production-ready, it does look
+like we will eventually support these file systems on SELinux fully as well.
+</p>
+
+</body>
+</section>
+<section id="nomultilib">
+<title>Can I use SELinux with AMD64 no-multilib?</title>
+<body>
+
+<p>
+No. The SELinux profiles inherit from the base amd64 profiles, requiring
+multilib support. Early tests trying to enable SELinux on a no-multilib
+profile show that it will not be supported without additional development
+effort being required.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Using SELinux</title>
+<section id="enable_selinux">
+<title>How do I enable SELinux?</title>
+<body>
+
+<p>
+This is explained in the <uri 
+link="/proj/en/hardened/selinux/selinux-handbook.xml">SELinux Handbook</uri>
+in the chapter on <e>Using Gentoo/Hardened SELinux</e>.
+</p>
+
+</body>
+</section>
+<section id="switch_status">
+<title>How do I switch between permissive and enforcing?</title>
+<body>
+
+<p>
+The easiest way is to use the <c>setenforce</c> command. With <c>setenforce 
+0</c> you tell SELinux to run in permissive mode. Similarly, with 
+<c>setenforce 1</c> you tell SELinux to run in enforcing mode.
+</p>
+
+<p>
+You can also add a kernel option <c>enforcing=0</c> or <c>enforcing=1</c>
+in the bootloader configuration (or during the startup routine of the system). 
+This allows you to run SELinux in permissive or enforcing mode from the start 
+of the system.
+</p>
+
+<p>
+The default state of the system is kept in <path>/etc/selinux/config</path>.
+</p>
+
+</body>
+</section>
+<section id="disable_selinux">
+<title>How do I disable SELinux completely?</title>
+<body>
+
+<p>
+It might be possible that running SELinux in permissive mode is not sufficient
+to properly fix any issue you have. To disable SELinux completely, you need to
+edit <path>/etc/selinux/config</path> and set <c>SELINUX=disabled</c>. Next,
+reboot your system.
+</p>
+
+<impo>
+When you have been running your system with SELinux disabled, you must boot 
+in permissive mode first and relabel your entire file system. Activities ran
+while SELinux was disabled might have created new files or removed the labels
+from existing files, causing these files to be available with no security
+context.
+</impo>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>SELinux Kernel Error Messages</title>
+<section id="register_security">
+<title>I get a register_security error message when booting</title>
+<body>
+
+<p>
+During boot-up, the following message pops up:
+</p>
+
+<pre caption="Kernel message on register_security">
+There is already a security framework initialized, register_security failed.
+Failure registering capabilities with the kernel
+selinux_register_security: Registering secondary module capability
+Capability LSM initialized
+</pre>
+
+<p>
+This is nothing to worry about (and perfectly normal).
+</p>
+
+<p>
+This means that the Capability LSM module couldn't register as the primary 
+module, since SELinux is the primary module. The third message means that it
+registers with SELinux as a secondary module.
+</p>
+
+</body>
+</section>
+</chapter>
+<chapter>
+<title>SELinux and Gentoo</title>
+<section id="no_module">
+<title>I get a missing SELinux module error when using emerge</title>
+<body>
+
+<p>
+When trying to use <c>emerge</c>, the following error message is displayed:
+</p>
+
+<pre caption="Error message from emerge on the SELinux module">
+!!! SELinux module not found. Please verify that it was installed.
+</pre>
+
+<p>
+This indicates that the portage SELinux module is missing or damaged. Recent 
+Portage versions provide this module out-of-the-box, but the security contexts
+of the necessary files might be wrong on your system. Try relabelling the files
+of the portage package:
+</p>
+
+<pre caption="Relabel all portage files">
+~# <i>rlpkg portage</i>
+</pre>
+
+</body>
+</section>
+<section id="loadpolicy">
+<title>I get 'FEATURES variable contains unknown value(s): loadpolicy'</title>
+<body>
+
+<p>
+When running emerge, the following error is shown:
+</p>
+
+<pre caption="Emerge error on loadpolicy">
+FEATURES variable contains unknown value(s): loadpolicy
+</pre>
+
+<p>
+This is a remnant of the older SELinux policy module set where policy packages
+might require this FEATURE to be available. Although the more recent packages
+do not support this FEATURE value anymore, these are still in the ~arch phase 
+so the current SELinux profile still offers this value. Portage however already
+knows that this FEATURE is not supported anymore and complains.
+</p>
+
+<p>
+We recommend you to use the ~arch versions of all packages in the sec-policy
+category, and set <c>FEATURES="-loadpolicy"</c> to disable this (cosmetic)
+error.
+</p>
+
+<p>
+Once the newer policy modules are stabilized, the SELinux profile will be updated
+to remove this setting.
+</p>
+
+</body>
+</section>
+</chapter>
+</guide>
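Review bot: the guide header's `<date>2011-03-19</date>` is ten days after this commit's AuthorDate (Wed Mar 9 2011); unless the document is deliberately forward-dated, it should read `2011-03-09`. Several added lines carry trailing whitespace (the abstract, both introduction paragraphs, the vfat/iso9660 paragraph, the setenforce and enforcing= paragraphs, the register_security explanation and the emerge-module paragraph), the abstract's final sentence has no closing period, and it spells "mailinglist" where the introduction uses "mailinglists". Grammar nits worth fixing before publication: "requires administrators a more thorough knowledge" should be "requires administrators to have a more thorough knowledge", "development has been made in supported extended file attributes" should be "in supporting extended file attributes", and "Activities ran while SELinux was disabled" should be "Activities run while SELinux was disabled".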


