From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <52f1c7c20b38cc869c542c655c19c03b60ec0b91.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux-faq.xml X-VCS-Directories: xml/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 52f1c7c20b38cc869c542c655c19c03b60ec0b91 Date: Wed, 9 Mar 2011 18:14:45 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: b1e0ef36fb82fa281f84050d9186162f commit: 52f1c7c20b38cc869c542c655c19c03b60ec0b91 Author: Sven Vermeulen siphos be> AuthorDate: Wed Mar 9 18:13:09 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Wed Mar 9 18:13:09 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D52f1c7c2 Adding SELinux FAQ --- xml/selinux-faq.xml | 297 +++++++++++++++++++++++++++++++++++++++++++++= ++++++ 1 files changed, 297 insertions(+), 0 deletions(-) diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml new file mode 100644 index 0000000..a23bbd6 --- /dev/null +++ b/xml/selinux-faq.xml @@ -0,0 +1,297 @@ + + + + + +Gentoo Hardened SELinux Frequently Asked Questions + + Chris PeBenito + + + Sven Vermeulen + + + +Frequently Asked Questions on SELinux integration with Gentoo Hardened. +The FAQ is a collection of solutions found on IRC, mailinglist, forums o= r=20 +elsewhere + + +1 +2011-03-19 + + +Questions +
+Introduction + + +

+Using SELinux requires administrators a more thorough knowledge of their +system and a good idea on how processes should behave. Next to the Gentoo Hardened = SELinux +handbook, a proper FAQ allows us to inform and help users in their= =20 +day-to-day SELinux experience. +

+ +

+The FAQ is an aggregation of solutions found on IRC, mailinglists, forum= s +and elsewhere. It focuses on SELinux integration on Gentoo Hardened, but= =20 +general SELinux questions that are popping up regularly will be incorpor= ated +as well. +

+ + +
+
+ + +General SELinux Support Questions +
+Does SELinux enforce resource limits? + + +

+No, resource limits are outside the scope of an access control system. I= f you=20 +are looking for this type of support, take a look at technologies like +grsecurity, cgroups, pam and the like. +

+ + +
+
+Can I use SELinux with grsecurity (and PaX)? + + +

+Definitely, we even recommend it. However, it is suggested that grsecuri= ty's +ACL support is not used as it would be redundant to SELinux's access con= trol. +

+ + +
+
+Can I use SELinux and the hardened compiler (with PIE-SSP)?</titl= e> +<body> + +<p> +Definitely. We also suggest to use PaX to take full advantage of the PIE +features of the compiler. +</p> + +</body> +</section> +<section id=3D"rsbac"> +<title>Can I use SELinux and RSBAC? + + +

+We don't know. If you try this combination, we would be very interested +in its results. +

+ + +
+
+Can I use SELinux with any file system? + + +

+SELinux requires access to a file's security context to operate properly= . +To do so, SELinux uses extended file attributes which needs to be= =20 +properly supported by the underlying file system. If the file system sup= ports +extended file attributes and you have configured your kernel to enable t= his +support, then SELinux will work on those file systems. +

+ +

+General Linux file systems, such as ext2, ext3, ext4, jfs, xfs and btrfs +support extended attributes (but don't forget to enable it in the kernel +configuration) as well as tmpfs (for instance used by udev). If your fil= e +system collection is limited to this set, then you should have no issues= . +

+ +

+Ancillary file systems such as vfat and iso9660 are supported too, but w= ith +an important caveat: all files in each file system will have the same SE= Linux +security context information since these file systems do not support ext= ended +file attributes.=20 +

+ +

+Network file systems can be supported in the same manner as ancillary fi= le +systems (all files share the same security context). However, some devel= opment +has been made in supported extended file attributes on the more popular = file +systems such as NFS. Although this is far from production-ready, it does= look +like we will eventually support these file systems on SELinux fully as w= ell. +

+ + +
+
+Can I use SELinux with AMD64 no-multilib? + + +

+No. The SELinux profiles inherit from the base amd64 profiles, requiring +multilib support. Early tests trying to enable SELinux on a no-multilib +profile show that it will not be supported without additional developmen= t +effort being required. +

+ + +
+
+ + +Using SELinux +
+How do I enable SELinux? + + +

+This is explained in the SELinux Handbook= +in the chapter on Using Gentoo/Hardened SELinux. +

+ + +
+
+How do I switch between permissive and enforcing? + + +

+The easiest way is to use the setenforce command. With setenfo= rce=20 +0 you tell SELinux to run in permissive mode. Similarly, with=20 +setenforce 1 you tell SELinux to run in enforcing mode. +

+ +

+You can also add a kernel option enforcing=3D0 or enforcing=3D= 1 +in the bootloader configuration (or during the startup routine of the sy= stem).=20 +This allows you to run SELinux in permissive or enforcing mode from the = start=20 +of the system. +

+ +

+The default state of the system is kept in /etc/selinux/config. +

+ + +
+
+How do I disable SELinux completely? + + +

+It might be possible that running SELinux in permissive mode is not suff= icient +to properly fix any issue you have. To disable SELinux completely, you n= eed to +edit /etc/selinux/config and set SELINUX=3Ddisabled.= Next, +reboot your system. +

+ + +When you have been running your system with SELinux disabled, you must b= oot=20 +in permissive mode first and relabel your entire file system. Activities= ran +while SELinux was disabled might have created new files or removed the l= abels +from existing files, causing these files to be available with no securit= y +context. + + + +
+
+ + +SELinux Kernel Error Messages +
+I get a register_security error message when booting + + +

+During boot-up, the following message pops up: +

+ +
+There is already a security framework initialized, register_security fai=
led.
+Failure registering capabilities with the kernel
+selinux_register_security: Registering secondary module capability
+Capability LSM initialized
+
+ +

+This is nothing to worry about (and perfectly normal). +

+ +

+This means that the Capability LSM module couldn't register as the prima= ry=20 +module, since SELinux is the primary module. The third message means tha= t it +registers with SELinux as a secondary module. +

+ + +
+
+ +SELinux and Gentoo +
+I get a missing SELinux module error when using emerge + + +

+When trying to use emerge, the following error message is display= ed: +

+ +
+!!! SELinux module not found. Please verify that it was installed.
+
+ +

+This indicates that the portage SELinux module is missing or damaged. Re= cent=20 +Portage versions provide this module out-of-the-box, but the security co= ntexts +of the necessary files might be wrong on your system. Try relabelling th= e files +of the portage package: +

+ +
+~# rlpkg portage
+
+ + +
+
+I get 'FEATURES variable contains unknown value(s): loadpolicy'</= title> +<body> + +<p> +When running emerge, the following error is shown: +</p> + +<pre caption=3D"Emerge error on loadpolicy"> +FEATURES variable contains unknown value(s): loadpolicy +</pre> + +<p> +This is a remnant of the older SELinux policy module set where policy pa= ckages +might require this FEATURE to be available. Although the more recent pac= kages +do not support this FEATURE value anymore, these are still in the ~arch = phase=20 +so the current SELinux profile still offers this value. Portage however = already +knows that this FEATURE is not supported anymore and complains. +</p> + +<p> +We recommend you to use the ~arch versions of all packages in the sec-po= licy +category, and set <c>FEATURES=3D"-loadpolicy"</c> to disable this (cosme= tic) +error. +</p> + +<p> +Once the newer policy modules are stabilized, the SELinux profile will b= e updated +to remove this setting. +</p> + +</body> +</section> +</chapter> +</guide>
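Review bot: the "How do I disable SELinux completely?" section tells the reader to boot in permissive mode and relabel the entire file system after running with SELinux disabled, but gives neither the command nor a pointer for doing so, whereas the later emerge section does show `rlpkg portage` for a single package; a one-line pointer to the relabeling procedure in the SELinux Handbook (already linked from "How do I enable SELinux?") or the full-relabel command itself would make that warning actionable. In the same paragraph, "Activities ran while SELinux was disabled" should read "Activities run while SELinux was disabled". Two further wording nits: the introduction's "requires administrators a more thorough knowledge of their system" should be "requires administrators to have a more thorough knowledge of their system", and in the network file systems paragraph "development has been made in supported extended file attributes" should be "in supporting extended file attributes". Finally, the document date in the guide header is 2011-03-19 while the commit date is 2011-03-09; please confirm which date is intended.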