From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
Date: Sun, 4 Sep 2011 19:54:43 +0000 (UTC)
Message-ID: <555cbf18bfca18194bfe699c67337b1f2f9030b6.SwifT@gentoo>
commit: 555cbf18bfca18194bfe699c67337b1f2f9030b6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Sep 4 19:53:39 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Sep 4 19:53:39 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=555cbf18
Update previews
---
html/index.html | 12 +++-
html/index2.html | 16 +++--
html/selinux-development.html | 147 +++++++++++++++++++++--------------------
html/selinux-policy.html | 25 +-------
html/selinux/index.html | 74 ++++----------------
5 files changed, 112 insertions(+), 162 deletions(-)
diff --git a/html/index.html b/html/index.html
index 22740ea..f85729e 100644
--- a/html/index.html
+++ b/html/index.html
@@ -269,16 +269,22 @@ GNU Stack Quickstart
</b>
<ul>
<li>
- <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (including installation)</a>
+ <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (concepts, installation, maintenance)</a>
</li>
<li>
<a href="selinux-faq.html">Gentoo SELinux FAQ</a>
</li>
<li>
- <a href="roadmap.html">Gentoo Hardened Roadmap (incl. SELinux development)</a>
+ <a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
</li>
<li>
- <a href="support-state.html">Gentoo Hardened Support Matrices (incl. SELinux)</a>
+ <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
+ </li>
+ <li>
+ <a href="roadmap.html">Gentoo Hardened Roadmap (includes SELinux development)</a>
+ </li>
+ <li>
+ <a href="support-state.html">Gentoo Hardened Support Matrices (includes SELinux)</a>
</li>
</ul>
</li>
diff --git a/html/index2.html b/html/index2.html
index 469ee86..6ed1a19 100644
--- a/html/index2.html
+++ b/html/index2.html
@@ -98,12 +98,12 @@ Gentoo once they've been tested for security and stability by the Hardened team.
<tr>
<td class="tableinfo">Sven Vermeulen</td>
<td class="tableinfo">swift</td>
- <td class="tableinfo">Documentation, Userspace tools, Policy development</td>
+ <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td>
</tr>
<tr>
<td class="tableinfo">Anthony G. Basile</td>
<td class="tableinfo">blueness</td>
- <td class="tableinfo">Policy development, Proxy (non developer contributors)</td>
+ <td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td>
</tr>
<tr>
<td class="tableinfo">Chris PeBenito</td>
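Review bot: style point on the two changed role cells: the padding spaces inside the parentheses ("Developer ( Documentation, Userspace tools, Policy development )") and the nested parentheses in "Developer ( Policy development, Proxy (non developer contributors) )" read awkwardly; consider "Developer (documentation, userspace tools, policy development)" and "Developer (policy development; proxy for non-developer contributors)". The same two rows are changed identically in html/selinux/index.html further down, so fix both previews together.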
@@ -242,16 +242,22 @@ GNU Stack Quickstart</a>
</b>
<ul>
<li>
- <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (including installation)</a>
+ <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (concepts, installation, maintenance)</a>
</li>
<li>
<a href="selinux-faq.html">Gentoo SELinux FAQ</a>
</li>
<li>
- <a href="roadmap.html">Gentoo Hardened Roadmap (incl. SELinux development)</a>
+ <a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
</li>
<li>
- <a href="support-state.html">Gentoo Hardened Support Matrices (incl. SELinux)</a>
+ <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
+ </li>
+ <li>
+ <a href="roadmap.html">Gentoo Hardened Roadmap (includes SELinux development)</a>
+ </li>
+ <li>
+ <a href="support-state.html">Gentoo Hardened Support Matrices (includes SELinux)</a>
</li>
</ul>
</li>
diff --git a/html/selinux-development.html b/html/selinux-development.html
index b028321..1249769 100644
--- a/html/selinux-development.html
+++ b/html/selinux-development.html
@@ -132,45 +132,46 @@ Let's create the first workspace:
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~$ <span class="code-input">mkdir dev/hardened</span>
~$ <span class="code-input">cd dev/hardened</span>
-~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r12.ebuild compile</span>
-~$ <span class="code-input">cp -r /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12/work/* .</span>
-~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12</span>
+~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-base-policy/selinux-base-policy-2.20110726-r3.ebuild prepare</span>
+~$ <span class="code-input">cp -r /var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r3/work/refpolicy .</span>
+~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r3</span>
</pre></td></tr>
</table>
<p>
-As result, you should have two or three directories in
-<span class="path" dir="ltr">dev/hardened</span> called <span class="path" dir="ltr">refpolicy</span> and <span class="path" dir="ltr">strict</span>
-and/or <span class="path" dir="ltr">targeted</span>. The only one of interest is the
-<span class="path" dir="ltr">strict</span> and/or <span class="path" dir="ltr">targeted</span> one, depending on the policy
-type you are working with. In the remainder of the document, I'm assuming you
-work with <span class="path" dir="ltr">strict</span>.
-</p>
-<p>
-Now the <span class="path" dir="ltr">dev/hardened</span> workspace is patched with the Gentoo Hardened
-SELinux patches applicable to the base policy. Gentoo Hardened has two "flavors"
-of patches:
+As result, you now have a subdirectory called <span class="path" dir="ltr">refpolicy</span> inside
+<span class="path" dir="ltr">dev/hardened</span>. This directory contains all the SELinux policy rules
+available. Now the <span class="path" dir="ltr">dev/hardened</span> workspace is patched with the
+Gentoo Hardened SELinux patches applicable to the policy. Gentoo Hardened has
+two "flavors" of patches:
</p>
<ol>
<li>
- <span class="emphasis">Base policy patches</span> contain the patches for the SELinux modules that
- take part of the base policy as well as all interface patches for the
- modules
+ patches in the <span class="emphasis">patchbundle</span> contain the majority of patches
</li>
<li>
- <span class="emphasis">Module-specific patches</span> that contain the permissions affecting the
+ <span class="emphasis">module patches</span> that contain the permissions affecting the
domains and types that are defined in a single module (for instance, all
interaction between <span class="path" dir="ltr">portage_t</span> and <span class="path" dir="ltr">portage_exec_t</span>
or even <span class="path" dir="ltr">portage_t</span> and <span class="path" dir="ltr">portage_fetch_t</span>)
</li>
</ol>
<p>
-The base policy patches are important to have available at all times. The
-module-specific ones can be added when you work with that particular module.
+When we develop changes on the SELinux policy, we currently try to put those
+changes in the patchbundle as soon as possible. Currently, the
+<span class="code" dir="ltr">selinux-base-policy</span> package is updated fast enough to hold off module
+patches and wait for a new release of <span class="code" dir="ltr">selinux-base-policy</span> (after which
+the SELinux modules themselves can just refer to the new base policy to get
+their patches).
</p>
<p>
+However, when the <span class="code" dir="ltr">selinux-base-policy</span> is more stable, then patches might
+be made part of the modules themselves. In that case, a <span class="emphasis">module patch</span> is
+made.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
Every time a new revision comes out, you'll need to clean the
<span class="path" dir="ltr">dev/hardened</span> workspace and rebuild it.
-</p>
+</p></td></tr></table>
<p class="secthead"><a name="doc_chap2_sect2">Add specific module files</a></p>
<p>
To update your policy workspace, use the same tactic as describes
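Review bot: the added prose at the top of this hunk needs a wording pass: "As result, you now have" should read "As a result, you now have"; the first list item ("patches in the patchbundle contain the majority of patches") is circular and, unlike the module-patch item, never says which patches belong in the bundle (the removed text said: modules that are part of the base policy plus all interface changes); "is updated fast enough to hold off module patches and wait for a new release" and "when the selinux-base-policy is more stable, then patches might be made part of the modules" are also hard to parse, since "stable" here seems to mean "released less often", which is worth saying explicitly. The switch from `ebuild ... compile` to `ebuild ... prepare` and the copy of `work/refpolicy` is the reason the old "make clean" step could go; one sentence saying so would help readers of the old guide. Minor, in the unchanged context line: "the same tactic as describes earlier" should be "as described earlier".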
@@ -180,49 +181,38 @@ earlier, but now for the specific SELinux policy module package (like
<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Updating the dev/hardened workspace</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">ls dev/hardened/strict/policy/modules/*/postfix.te</span>
-dev/hardened/strict/policy/modules/services/postfix.te
-<span class="code-comment"> ^^^^^^^^</span>
-~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild compile</span>
+~$ <span class="code-input">ls dev/hardened/refpolicy/policy/modules/*/postfix.te</span>
+dev/hardened/refpolicy/policy/modules/services/postfix.te
+<span class="code-comment"> ^^^^^^^^</span>
+~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-postfix/selinux-postfix-2.20110726-r1.ebuild prepare</span>
<span class="code-comment"># Next, we copy the postfix.te and postfix.fc files.
# Do NOT copy the postfix.if file (as the one available there is a stub)</span>
-~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.te \
- dev/hardened/strict/policy/modules/services/</span>
-<span class="code-comment"> ^^^^^^^^</span>
-~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.fc \
- dev/hardened/strict/policy/modules/services/</span>
-<span class="code-comment"> ^^^^^^^^</span>
-~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12</span>
-</pre></td></tr>
-</table>
-<p>
-Finally, clean up the workspace (as it contains built policies and other
-material we do not want to see in our patches)
-</p>
-<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Cleaning up the workspace</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict</span>
-~$ <span class="code-input">make clean</span>
+~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1/work/strict/postfix.te \
+ dev/hardened/refpolicy/policy/modules/services/</span>
+<span class="code-comment"> ^^^^^^^^</span>
+~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1/work/strict/postfix.fc \
+ dev/hardened/refpolicy/policy/modules/services/</span>
+<span class="code-comment"> ^^^^^^^^</span>
+~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap2_sect3">Setting up a local workspace</a></p>
<p>
-Setting up a local workspace is easy: just copy the <span class="path" dir="ltr">dev/hardened</span>
-one:
+Setting up a local workspace (where we will create changes and generate patches
+out of later) is easy: just copy the <span class="path" dir="ltr">dev/hardened</span> one:
</p>
-<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Setting up a local workspace</p></td></tr>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Setting up a local workspace</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~$ <span class="code-input">cd dev/hardened</span>
-~$ <span class="code-input">cp -r strict strict.local/</span>
+~$ <span class="code-input">cp -r refpolicy refpolicy.local/</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap2_sect4">Navigating the policy workspace</a></p>
<p>
The main location you will work with is
-<span class="path" dir="ltr">dev/hardened/strict.local/policy/modules</span>. This location is subdivided in
+<span class="path" dir="ltr">dev/hardened/refpolicy.local/policy/modules</span>. This location is subdivided in
categories:
</p>
<dl>
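Review bot: in the updated Code Listing 2.2 the two cp commands still read from `.../selinux-postfix-2.20110726-r1/work/strict/postfix.te` and `.fc`, while the base-policy listing in the previous hunk now copies `work/refpolicy` and the text says the strict/ and targeted/ directories are gone from the workspace. If the module ebuilds' prepare phase still unpacks into `work/strict/`, add a comment in the listing saying so; otherwise the path should follow the rename. Also check the caret marker lines (`^^^^^^^^`): they were kept to point at the "services" category in the printed path, but `refpolicy` is three characters longer than `strict`, so the markers need shifting to still line up.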
@@ -247,10 +237,10 @@ category!
<p>
Inside the categories, the modules are available using their three files
</p>
-<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Listing the available sudo files</p></td></tr>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Listing the available sudo files</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local/policy/modules/admin</span>
+~$ <span class="code-input">cd dev/hardened/refpolicy.local/policy/modules/admin</span>
~$ <span class="code-input">ls sudo.*</span>
sudo.fc sudo.if sudo.te
</pre></td></tr>
@@ -260,11 +250,16 @@ sudo.fc sudo.if sudo.te
To build a module, go to the location where the module code is. Then, run
<span class="code" dir="ltr">make</span> with the development Makefile as provided by the reference policy.
</p>
-<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.6: Building the portage module</p></td></tr>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+You can ignore warnings about duplicate interface definitions and such. That is
+because the Makefile will include both the existing interfaces as well as the
+current working directory - which of course contains the same interfaces.
+</p></td></tr></table>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Building the portage module</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local/policy/modules/admin</span>
-~$ <span class="code-input">make -f ../../../support/Makefile.devel portage.pp</span>
+~$ <span class="code-input">cd dev/hardened/refpolicy.local/policy/modules/admin</span>
+~$ <span class="code-input">make -f /usr/share/selinux/strict/include/Makefile portage.pp</span>
</pre></td></tr>
</table>
<p>
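Review bot: Code Listing 2.5 now runs `make -f /usr/share/selinux/strict/include/Makefile portage.pp`, which hard-codes the strict policy type even though the workspace was just renamed from strict.local to the type-neutral refpolicy.local. State in the text that `strict` here is the installed policy type and that users of another type substitute its name, or the rename loses its point. The new note about duplicate-interface warnings is useful; consider wording it so that only that class of warning is meant, so readers do not take it as licence to ignore other make warnings or errors.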
@@ -275,10 +270,10 @@ You now have a <span class="path" dir="ltr">portage.pp</span> file available whi
<p>
If you want to build the base policy, run <span class="code" dir="ltr">make base</span>.
</p>
-<a name="doc_chap2_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.7: Building the base policy</p></td></tr>
+<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.6: Building the base policy</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local</span>
+~$ <span class="code-input">cd dev/hardened/refpolicy.local</span>
~$ <span class="code-input">make base</span>
</pre></td></tr>
</table>
@@ -1053,9 +1048,9 @@ are best generated from the <span class="path" dir="ltr">policy/modules</span> l
<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: Example generating patch for modular changes</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local/policy/modules</span>
-~$ <span class="code-input">diff -ut ../../../strict/policy/modules/services/openct.te services/openct.te</span>
---- ../../../../strict/policy/modules/services/openct.te 2011-04-22 23:28:17.932918002 +0200
+~$ <span class="code-input">cd dev/hardened/refpolicy.local/policy/modules</span>
+~$ <span class="code-input">diff -ut ../../../refpolicy/policy/modules/services/openct.te services/openct.te</span>
+--- ../../../../refpolicy/policy/modules/services/openct.te 2011-04-22 23:28:17.932918002 +0200
+++ services/openct.te 2011-04-23 09:55:08.156918002 +0200
@@ -47,6 +47,10 @@
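Review bot: inconsistency inside the sample output of Code Listing 6.1: the diff command is run with `../../../refpolicy/policy/modules/services/openct.te` (three `../`), but the `---` header line shown below it reads `../../../../refpolicy/policy/modules/services/openct.te` (four). diff prints the path exactly as given on the command line, so one of the two is wrong; the old listing had the same mismatch with `strict`, and the rename is the moment to fix it.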
@@ -1088,8 +1083,8 @@ patch is best made from the upper location.
<a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.2: Generating a base policy patch</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local</span>
-~$ <span class="code-input">diff -ut ../strict/policy/modules/services/openct.if policy/modules/services/openct.if</span>
+~$ <span class="code-input">cd dev/hardened/refpolicy.local</span>
+~$ <span class="code-input">diff -ut ../refpolicy/policy/modules/services/openct.if policy/modules/services/openct.if</span>
--- ../strict/policy/modules/services/openct.if 2011-04-22 23:28:17.918918002 +0200
+++ policy/modules/services/openct.if 2011-04-23 10:01:38.753918001 +0200
@@ -15,7 +15,7 @@
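Review bot: incomplete rename in Code Listing 6.2: the command now diffs `../refpolicy/policy/modules/services/openct.if`, but the unchanged `---` header line directly below still shows `../strict/policy/modules/services/openct.if`. Update that line to `--- ../refpolicy/policy/modules/services/openct.if ...` so the sample output matches the command.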
@@ -1170,19 +1165,21 @@ ebuilds:
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
+EAPI="4"
+IUSE=""
<span class="code-comment"># Set the MODS variable to the refpolicy name used, so services/postfix.te gives "postfix"</span>
MODS="postfix"
-IUSE=""
+<span class="code-comment"># BASEPOL is optional, set it to the selinux-base-policy version which
+# includes the latest patch (or interface you use in the policy)</span>
+BASEPOL="2.20110726-r3"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for postfix"
-
KEYWORDS="~amd64 ~x86"
-<span class="code-comment"># POLICY_PATCH is optional (only when you have a patch), without it just uses the
-# refpolicy version.</span>
+<span class="code-comment"># POLICY_PATCH is optional (only when you have a module patch)</span>
POLICY_PATCH="${FILESDIR}/fix-services-postfix-r3.patch"
</pre></td></tr>
</table>
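Review bot: the new BASEPOL comment says the variable is optional but not what is used when it is left out, nor how it interacts with POLICY_PATCH; since the template sets both, a reader cannot tell whether the module patch is applied on top of the base policy patchbundle or instead of it. One sentence stating the default and the relationship would settle it. Wording: "(or interface you use in the policy)" should read "(or the interface you use in the policy)". Minor: the blank line between DESCRIPTION and KEYWORDS was dropped; keep the template's spacing consistent, since people copy it verbatim.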
@@ -1206,15 +1203,21 @@ create a patchbundle from your patch directory, put the bundle in the
<a name="doc_chap7_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.5: Building a base policy package</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Go to the location where all patches are currently extracted</span>
~$ <span class="code-input">cd dev/hardened/base-patches</span>
-~$ <span class="code-input">tar cjvf ../overlay/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r13.tar.bz2 *</span>
+
+<span class="code-comment"># Add the patches you want to include, cfr Submitting Patches</span>
+<span class="code-comment"># Then, create a new patch bundle</span>
+~$ <span class="code-input">tar cjvf ../overlay/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20110726-r3.tar.bz2 *</span>
+
+<span class="code-comment"># Finally, bump the revision of the ebuild in the overlay</span>
~$ <span class="code-input">cd ../overlay/sec-policy/selinux-base-policy</span>
-~$ <span class="code-input">cp selinux-base-policy-2.20101213-r12.ebuild selinux-base-policy-2.20101213-r13.ebuild</span>
+~$ <span class="code-input">cp selinux-base-policy-2.20110726-r3.ebuild selinux-base-policy-2.20110726-r4.ebuild</span>
</pre></td></tr>
</table>
<p>
Don't forget to run <span class="code" dir="ltr">repoman manifest</span> and <span class="code" dir="ltr">repoman scan</span>. You can
-then install <span class="path" dir="ltr">sec-policy/selinux-base-policy-2.20101213-r13</span> and test
+then install <span class="path" dir="ltr">sec-policy/selinux-base-policy-2.20110726-r4</span> and test
it out.
</p>
<br><p class="copyright">
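Review bot: revision mismatch in Code Listing 7.5: the tar command writes `patchbundle-selinux-base-policy-2.20110726-r3.tar.bz2`, but the ebuild is then copied to `selinux-base-policy-2.20110726-r4.ebuild` and the text below says to install `-r4`. In the old listing the new bundle and the new ebuild carried the same revision (r13); as written, the new bundle overwrites the one belonging to the already-present r3 ebuild and the r4 ebuild gets no bundle of its own. Name the bundle `...-r4.tar.bz2`. Also, "cfr Submitting Patches" in the comment is an abbreviation many readers will not know; write "see the Submitting Patches chapter".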
@@ -1236,7 +1239,7 @@ it out.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-development.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 22, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
When planning to help Gentoo Hardened in the development of SELinux policies,
or when trying to debug existing policies, this document should help you get
diff --git a/html/selinux-policy.html b/html/selinux-policy.html
index 63704fa..88d2d70 100644
--- a/html/selinux-policy.html
+++ b/html/selinux-policy.html
@@ -125,28 +125,7 @@ domain needs to transition back to the caller (<span class="emphasis">staff_t</s
<span class="emphasis">staff_screen_t</span> which launches a shell or command in the <span class="emphasis">staff_t</span>
domain).
</p>
-<p class="secthead"><a name="doc_chap2_sect2">Use 'gentoo_' prefix</a></p>
-<p>
-When Gentoo Hardened updates policy rules, the patches it applies will strive to
-use a <span class="emphasis">gentoo_</span> prefix where possible:
-</p>
-<ul>
- <li>
- added interfaces for existing modules will start with the <span class="emphasis">gentoo_</span>
- prefix
- </li>
- <li>
- new booleans will start with the <span class="emphasis">gentoo_</span> prefix
- </li>
-</ul>
-<p>
-This ensures that, if the changes (and their use) is included upstream, we can
-safely migrate towards the upstream implementation rather than face a collision
-of names. Also, this ensures that no unwanted accesses are granted (or
-functionalities suddenly prohibited) when upstream includes a change with the
-same name but totally different meaning or implementation.
-</p>
-<p class="secthead"><a name="doc_chap2_sect3">Do Not Allow Cosmetic Denials</a></p>
+<p class="secthead"><a name="doc_chap2_sect2">Do Not Allow Cosmetic Denials</a></p>
<p>
When developing SELinux rules, the Gentoo Hardened SELinux developers will
implement the access permissions needed for an application to function properly
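Review bot: this hunk deletes the "Use 'gentoo_' prefix" section and renumbers "Do Not Allow Cosmetic Denials" from doc_chap2_sect3 to doc_chap2_sect2, but the commit message ("Update previews") gives no reason for dropping a naming rule whose stated rationale (no collision, and no silently changed access, when upstream later adds something with the same name but a different meaning) is a safety property of the policy. If the rule moved to another document, say where; if it was retired, the commit message should say so. The renumbering also means any existing link to #doc_chap2_sect3 now lands on a different section.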
@@ -216,7 +195,7 @@ of the packages clean.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-policy.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated February 26, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Developing a set of security rules is or should always be done with a common set
of principles and rules in mind. This document explains the policy used by
diff --git a/html/selinux/index.html b/html/selinux/index.html
index a51aad4..c9ffd77 100644
--- a/html/selinux/index.html
+++ b/html/selinux/index.html
@@ -24,9 +24,8 @@
<option value="#doc_chap2">2. Project Goals</option>
<option value="#doc_chap3">3. Developers</option>
<option value="#doc_chap4">4. Contributors</option>
-<option value="#doc_chap5">5. Subprojects</option>
-<option value="#doc_chap6">6. Resources</option>
-<option value="#doc_chap7">7. I Want to Participate</option></select>
+<option value="#doc_chap5">5. Resources</option>
+<option value="#doc_chap6">6. I Want to Participate</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Project Description</p>
@@ -92,12 +91,12 @@ As a result, we
<tr>
<td class="tableinfo">Sven Vermeulen</td>
<td class="tableinfo">swift</td>
- <td class="tableinfo">Documentation, Userspace tools, Policy development</td>
+ <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td>
</tr>
<tr>
<td class="tableinfo">Anthony G. Basile</td>
<td class="tableinfo">blueness</td>
- <td class="tableinfo">Policy development, Proxy (non developer contributors)</td>
+ <td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td>
</tr>
</table>
<p>
@@ -121,68 +120,31 @@ The following people, although non-developer, are actively contributing to the p
</tr>
</table>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
- </span>Subprojects</p>
-<p>The SELinux
- project has the following subprojects:
- </p>
-<table class="ntable">
- <tr>
- <td class="infohead"><b>Project</b></td>
- <td class="infohead"><b>Lead</b></td>
- <td class="infohead"><b>Description</b></td>
- </tr>
- <tr>
- <td class="tableinfo">Policy</td>
- <td class="tableinfo">Chris PeBenito</td>
- <td class="tableinfo">
-Develop and maintain a secure, default set of policies for the system, including
-user and role definitions, service policies and application policies.
-</td>
- </tr>
- <tr>
- <td class="tableinfo">Userland</td>
- <td class="tableinfo">Chris PeBenito</td>
- <td class="tableinfo">
-Develop and maintain the packages for SELinux userland utilities and libraries,
-including SELinux-aware patches for more general applications and libraries.
-</td>
- </tr>
- <tr>
- <td class="tableinfo">Kernel</td>
- <td class="tableinfo">Chris PeBenito</td>
- <td class="tableinfo">
-Integrate, improve and maintain SELinux patches in the Linux kernel for Gentoo
-Hardened.
-</td>
- </tr>
- <tr>
- <td class="tableinfo">Documentation</td>
- <td class="tableinfo">Chris PeBenito</td>
- <td class="tableinfo">
-Develop and maintain SELinux documentation specific to the Gentoo distribution
-</td>
- </tr>
- </table>
-<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
</span>Resources</p>
<p>Resources offered by the
SELinux
project are:</p>
<ul>
<li>
- <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (including installation)</a>
+ <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (concepts, installation, maintenance)</a>
</li>
<li>
<a href="selinux-faq.html">Gentoo SELinux FAQ</a>
</li>
<li>
- <a href="roadmap.html">Gentoo Hardened Roadmap (incl. SELinux development)</a>
+ <a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
</li>
<li>
- <a href="support-state.html">Gentoo Hardened Support Matrices (incl. SELinux)</a>
+ <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
+ </li>
+ <li>
+ <a href="roadmap.html">Gentoo Hardened Roadmap (includes SELinux development)</a>
+ </li>
+ <li>
+ <a href="support-state.html">Gentoo Hardened Support Matrices (includes SELinux)</a>
</li>
</ul>
-<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
</span>I Want to Participate</p>
<p>
To participate in the SELinux project first join the mailing list at
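Review bot: check the relative hrefs added to html/selinux/index.html: `selinux-development.html` and `selinux-policy.html` are the same strings used in html/index.html, but from html/selinux/ they resolve to html/selinux/selinux-development.html and html/selinux/selinux-policy.html, while the diffstat of this commit places both files in html/. (The pre-existing `selinux-faq.html` and `selinux/selinux-handbook.html` entries have the same issue.) Unless the published site flattens these paths, the links need a `../` prefix here. The removal of the whole Subprojects chapter is likewise unexplained by the commit message, and the renumbering means links to #doc_chap6 and #doc_chap7 now land on different chapters.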
@@ -196,7 +158,7 @@ contributing work we will always need testers to use and audit the SELinux
policies. All development, testing, feedback, and productive comments will
be greatly appreciated.
</p>
-<p class="secthead"><a name="doc_chap7_sect2">Policy Submissions</a></p>
+<p class="secthead"><a name="doc_chap6_sect2">Policy Submissions</a></p>
<p>
The critical component of a SELinux system is having a strong policy. The
team does its best to support as many daemons as possible. However, we cannot
@@ -216,12 +178,6 @@ to receive policy submissions for consideration. There are a few requirements:
We need to know if the policy is dependent on another policy (for example
rpcd is dependent on portmap) other than base-policy.
</li>
- <li>
- An ebuild for the policy can also be submitted to help the developers
- integrate the policy into Portage more quickly, if it is accepted.
- See current daemon policies in Portage for example uses of the
- selinux-policy eclass.
- </li>
</ul>
<p>
The policy should be submitted on <a href="http://bugs.gentoo.org/">bugzilla</a>.
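Review bot: removing the ebuild bullet drops the only hint on this page that contributors can ship an ebuild using the selinux-policy eclass. Since this same commit adds a selinux-policy-2 ebuild template (MODS, BASEPOL, POLICY_PATCH) to selinux-development.html, consider replacing the bullet with a one-line pointer to that guide rather than deleting it, so submitters know where the packaging instructions went.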