From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <555cbf18bfca18194bfe699c67337b1f2f9030b6.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: html/index.html html/index2.html html/selinux-development.html html/selinux-policy.html html/selinux/index.html X-VCS-Directories: html/ html/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 555cbf18bfca18194bfe699c67337b1f2f9030b6 Date: Sun, 4 Sep 2011 19:54:43 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: f2b6bb94108d3f906e29af40bc28fac4 commit: 555cbf18bfca18194bfe699c67337b1f2f9030b6 Author: Sven Vermeulen siphos be> AuthorDate: Sun Sep 4 19:53:39 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sun Sep 4 19:53:39 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D555cbf18 Update previews --- html/index.html | 12 +++- html/index2.html | 16 +++-- html/selinux-development.html | 147 +++++++++++++++++++++--------------= ------ html/selinux-policy.html | 25 +------- html/selinux/index.html | 74 ++++---------------- 5 files changed, 112 insertions(+), 162 deletions(-) diff --git a/html/index.html b/html/index.html index 22740ea..f85729e 100644 --- a/html/index.html +++ b/html/index.html @@ -269,16 +269,22 @@ GNU Stack Quickstart diff --git a/html/index2.html b/html/index2.html index 469ee86..6ed1a19 100644 --- a/html/index2.html +++ b/html/index2.html 
@@ -98,12 +98,12 @@ Gentoo once they've been tested for security and stab= ility by the Hardened team. Sven Vermeulen swift - Documentation, Userspace tools, Poli= cy development + Developer ( Documentation, Userspace= tools, Policy development ) Anthony G. Basile blueness - Policy development, Proxy (non devel= oper contributors) + Developer ( Policy development, Prox= y (non developer contributors) ) Chris PeBenito @@ -242,16 +242,22 @@ GNU Stack Quickstart diff --git a/html/selinux-development.html b/html/selinux-development.htm= l index b028321..1249769 100644 --- a/html/selinux-development.html +++ b/html/selinux-development.html @@ -132,45 +132,46 @@ Let's create the first workspace:
 ~$ mkdir dev/hardened
 ~$ cd dev/hardened
-~$ ebuild /usr/portage/sec-policy/selinux-bas=
e-policy/selinux-base-policy-2.20101213-r12.ebuild compile
-~$ cp -r /var/tmp/portage/sec-policy/selinux-=
base-policy-2.20101213-r12/work/* .
-~$ rm -rf /var/tmp/portage/sec-policy/selinux=
-base-policy-2.20101213-r12
+~$ ebuild /usr/portage/sec-policy/selinux-bas=
e-policy/selinux-base-policy-2.20110726-r3.ebuild prepare
+~$ cp -r /var/tmp/portage/sec-policy/selinux-=
base-policy-2.20110726-r3/work/refpolicy .
+~$ rm -rf /var/tmp/portage/sec-policy/selinux=
-base-policy-2.20110726-r3
 

-As result, you should have two or three directories in=20 -dev/hardened called refpolicy and = strict -and/or targeted. The only one of= interest is the -strict and/or targeted one, depending on the policy -type you are working with. In the remainder of the document, I'm assumin= g you -work with strict. -

-

-Now the dev/hardened workspace i= s patched with the Gentoo Hardened -SELinux patches applicable to the base policy. Gentoo Hardened has two "= flavors" -of patches: +As result, you now have a subdirectory called refpolicy inside +dev/hardened. This directory con= tains all the SELinux policy rules +available. Now the dev/hardened = workspace is patched with the +Gentoo Hardened SELinux patches applicable to the policy. Gentoo Hardene= d has +two "flavors" of patches:

  1. - Base policy patches contain the patc= hes for the SELinux modules that - take part of the base policy as well as all interface patches for th= e - modules + patches in the patchbundle contain t= he majority of patches
  2. - Module-specific patches that contain= the permissions affecting the + module patches that contain the perm= issions affecting the domains and types that are defined in a single module (for instance,= all interaction between portage_t and portage_exec_t or even portage_t and portage_fetch_t)

-The base policy patches are important to have available at all times. Th= e -module-specific ones can be added when you work with that particular mod= ule. +When we develop changes on the SELinux policy, we currently try to put t= hose +changes in the patchbundle as soon as possible. Currently, the +selinux-base-policy package is u= pdated fast enough to hold off module +patches and wait for a new release of s= elinux-base-policy (after which +the SELinux modules themselves can just refer to the new base policy to = get +their patches).

+However, when the selinux-base-policy is more stable, then patches might +be made part of the modules themselves. In that case, a module patch is +made. +

+

Note: = Every time a new revision comes out, you'll need to clean the dev/hardened workspace and rebui= ld it. -

+

Add specific module fi= les
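Review bot: item 1 of the "two flavors of patches" list has become vaguer than the text it replaces. "+ patches in the patchbundle contain the majority of patches" no longer says which changes belong in the bundle, whereas the removed wording named the base-policy modules and all interface patches; keep that scope statement, because the following paragraph ("we currently try to put those changes in the patchbundle as soon as possible") only makes sense if the reader knows what qualifies. Two smaller points in the same hunk: "the selinux-base-policy package is updated fast enough to hold off module patches and wait for a new release" reads as a contradiction (hold off versus wait), so say plainly that module patches are deferred until the next selinux-base-policy release; and "+~$ rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r3" removes Portage's temporary build directory by hand, where `ebuild <ebuild> clean` does the same through Portage and is the safer habit to teach.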

To update your policy workspace, use the same tactic as describes @@ -180,49 +181,38 @@ earlier, but now for the specific SELinux policy mo= dule package (like -

Code Listing2.2: Upda= ting the dev/hardened workspace

-~$ ls dev/hardened/strict/policy/modules/*/po=
stfix.te
-dev/hardened/strict/policy/modules/services/postfix.te
-                                   ^^^^^^^^=

-~$ ebuild /usr/portage/sec-policy/selinux-pos=
tfix/selinux-postfix-2.20101213-r3.ebuild compile
+~$ ls dev/hardened/refpolicy/policy/modules/*=
/postfix.te
+dev/hardened/refpolicy/policy/modules/services/postfix.te
+                                      ^^^^^=
^^^
+~$ ebuild /usr/portage/sec-policy/selinux-pos=
tfix/selinux-postfix-2.20110726-r1.ebuild prepare
=20
 # Next, we copy the postfix.te and postfix.=
fc files.
 # Do NOT copy the postfix.if file (as the one available there is a stub)=

-~$ cp /var/tmp/portage/sec-policy/selinux-pos=
tfix-2.20101213-r12/work/strict/postfix.te \
-  dev/hardened/strict/policy/modules/services/
-                                     ^^^^^^=
^^
-~$ cp /var/tmp/portage/sec-policy/selinux-pos=
tfix-2.20101213-r12/work/strict/postfix.fc \
-  dev/hardened/strict/policy/modules/services/
-                                     ^^^^^^=
^^
-~$ rm -rf /var/tmp/portage/sec-policy/selinux=
-postfix-2.20101213-r12
-
-

-Finally, clean up the workspace (as it contains built policies and other -material we do not want to see in our patches) -

- - -

Code Listing2.3: Clea= ning up the workspace

-~$ cd dev/hardened/strict
-~$ make clean
+~$ cp /var/tmp/portage/sec-policy/selinux-pos=
tfix-2.20110726-r1/work/strict/postfix.te \
+  dev/hardened/refpolicy/policy/modules/services/
+                                        ^^^=
^^^^^
+~$ cp /var/tmp/portage/sec-policy/selinux-pos=
tfix-2.20110726-r1/work/strict/postfix.fc \
+  dev/hardened/refpolicy/policy/modules/services/
+                                        ^^^=
^^^^^
+~$ rm -rf /var/tmp/portage/sec-policy/selinux=
-postfix-2.20110726-r1
 

Setting up a local wor= kspace

-Setting up a local workspace is easy: just copy the dev/hardened -one: +Setting up a local workspace (where we will create changes and generate = patches +out of later) is easy: just copy the de= v/hardened one:

- - +

Code Listing2.4: Sett= ing up a local workspace

+

Code Listing2.3: Sett= ing up a local workspace

 ~$ cd dev/hardened
-~$ cp -r strict strict.local/
+~$ cp -r refpolicy refpolicy.local/
 

Navigating the policy = workspace

The main location you will work with is -dev/hardened/strict.local/policy/module= s. This location is subdivided in +dev/hardened/refpolicy.local/policy/mod= ules. This location is subdivided in categories:
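Review bot: the module copy still reads from a policy-type subdirectory while the base workspace no longer does. "+~$ cp /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1/work/strict/postfix.te" copies from work/strict into dev/hardened/refpolicy/policy/modules/services/, after the first listing switched the base to work/refpolicy. That only works when strict is among the policy types the module ebuild prepares; a reader on a targeted-only system will find work/targeted instead, so state that assumption next to the listing (the document says earlier that it assumes strict, and a one-line reminder here is enough). Dropping Code Listing 2.3 ("make clean") is consistent with the move from `compile` to `prepare`, since nothing is built any more; the removed sentence "Finally, clean up the workspace" should not return in the surrounding prose.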

@@ -247,10 +237,10 @@ category!

Inside the categories, the modules are available using their three files

- - +

Code Listing2.5: List= ing the available sudo files

+ @@ -260,11 +250,16 @@ sudo.fc sudo.if sudo.te To build a module, go to the location where the module code is. Then, ru= n make with the development Makefi= le as provided by the reference policy.

-

Code Listing2.4: List= ing the available sudo files

-~$ cd dev/hardened/strict.local/policy/module=
s/admin
+~$ cd dev/hardened/refpolicy.local/policy/mod=
ules/admin
 ~$ ls sudo.*
 sudo.fc    sudo.if     sudo.te
 
- +

Code Listing2.6: Buil= ding the portage module

Note: = +You can ignore warnings about duplicate interface definitions and such. = That is +because the Makefile will include both the existing interfaces as well a= s the +current working directory - which of course contains the same interfaces= . +

+ +

Code Listing2.5: Buil= ding the portage module

-~$ cd dev/hardened/strict.local/policy/module=
s/admin
-~$ make -f ../../../support/Makefile.devel po=
rtage.pp
+~$ cd dev/hardened/refpolicy.local/policy/mod=
ules/admin
+~$ make -f /usr/share/selinux/strict/include/=
Makefile portage.pp
 

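Review bot: the new build command hardcodes the policy type. "+~$ make -f /usr/share/selinux/strict/include/Makefile portage.pp" uses the installed strict headers, whereas the removed "../../../support/Makefile.devel" was type-neutral; say that "strict" has to be replaced with the type being worked on. Also, the added note "You can ignore warnings about duplicate interface definitions and such" is too broad: a genuinely duplicated interface name in a new module produces the same class of warning and would be dismissed along with the expected ones. Quote the exact warning text that results from the include-path overlap the note describes, and tell the reader that anything else still needs attention.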
@@ -275,10 +270,10 @@ You now have a por= tage.pp file available whi

If you want to build the base policy, run make base.

- - +

Code Listing2.7: Buil= ding the base policy

+

Code Listing2.6: Buil= ding the base policy

-~$ cd dev/hardened/strict.local
+~$ cd dev/hardened/refpolicy.local
 ~$ make base
 
@@ -1053,9 +1048,9 @@ are best generated from the policy/modules l

Code Listing6.1: Exam= ple generating patch for modular changes

-~$ cd dev/hardened/strict.local/policy/module=
s
-~$ diff -ut ../../../strict/policy/modules/se=
rvices/openct.te services/openct.te
---- ../../../../strict/policy/modules/services/openct.te   2011-04-22 23=
:28:17.932918002 +0200
+~$ cd dev/hardened/refpolicy.local/policy/mod=
ules
+~$ diff -ut ../../../refpolicy/policy/modules=
/services/openct.te services/openct.te
+--- ../../../../refpolicy/policy/modules/services/openct.te   2011-04-22=
 23:28:17.932918002 +0200
 +++ services/openct.te  2011-04-23 09:55:08.156918002 +0200
 @@ -47,6 +47,10 @@
 =20
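Review bot: the displayed diff header does not match the command above it. The command is run from dev/hardened/refpolicy.local/policy/modules and reads "+~$ diff -ut ../../../refpolicy/policy/modules/services/openct.te services/openct.te" (three levels up), but the output line "+--- ../../../../refpolicy/policy/modules/services/openct.te" shows four levels. One of the two is wrong, and the same mismatch existed in the removed strict version and was carried over rather than corrected. Since readers will compare their own output against this listing, rerun the command and paste the real header.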
@@ -1088,8 +1083,8 @@ patch is best made from the upper location.
 

Code Listing6.2: Gene= rating a base policy patch

-~$ cd dev/hardened/strict.local
-~$ diff -ut ../strict/policy/modules/services=
/openct.if policy/modules/services/openct.if
+~$ cd dev/hardened/refpolicy.local
+~$ diff -ut ../refpolicy/policy/modules/servi=
ces/openct.if policy/modules/services/openct.if
 --- ../strict/policy/modules/services/openct.if    2011-04-22 23:28:17.9=
18918002 +0200
 +++ policy/modules/services/openct.if       2011-04-23 10:01:38.75391800=
1 +0200
 @@ -15,7 +15,7 @@
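Review bot: the output header was not updated along with the command. The command now diffs "../refpolicy/policy/modules/services/openct.if", but the unchanged context line "--- ../strict/policy/modules/services/openct.if    2011-04-22 23:28:17.918918002 +0200" still names the strict directory. Update the header (and its timestamp) to the refpolicy path so the listing is self-consistent with Code Listing 6.1 above it.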
@@ -1170,19 +1165,21 @@ ebuilds:
 
 # Copyright 1999-2011 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
+EAPI=3D"4"
=20
+IUSE=3D""
 # Set the MODS variable to the refpolicy na=
me used, so services/postfix.te gives "postfix"
 MODS=3D"postfix"
-IUSE=3D""
+# BASEPOL is optional, set it to the selinu=
x-base-policy version which
+# includes the latest patch (or interface you use in the policy)
+BASEPOL=3D"2.20110726-r3"
=20
 inherit selinux-policy-2
=20
 DESCRIPTION=3D"SELinux policy for postfix"
-
 KEYWORDS=3D"~amd64 ~x86"
=20
-# POLICY_PATCH is optional (only when you h=
ave a patch), without it just uses the=20
-# refpolicy version.
+# POLICY_PATCH is optional (only when you h=
ave a module patch)
 POLICY_PATCH=3D"${FILESDIR}/fix-services-postfix-r3.patch"
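Review bot: the new BASEPOL variable needs a more precise comment. "+# BASEPOL is optional, set it to the selinux-base-policy version which" / "+# includes the latest patch (or interface you use in the policy)" tells the reader which value to pick but not what the eclass does with it; say whether it yields an exact-version or a minimum-version dependency on sec-policy/selinux-base-policy, because that decides whether every later base-policy bump forces a revbump of the module. Also, the example pins "+BASEPOL=3D\"2.20110726-r3\"" while Code Listing 7.5 later in this document bumps the base policy to -r4; the comment should say that a module relying on a patch that first appears in a new bundle must name that new revision.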
 
@@ -1206,15 +1203,21 @@ create a patchbundle from your patch directory, p= ut the bundle in the

Code Listing7.5: Buil= ding a base policy package

+# Go to the location where all patches are =
currently extracted
 ~$ cd dev/hardened/base-patches
-~$ tar cjvf ../overlay/sec-policy/selinux-bas=
e-policy/files/patchbundle-selinux-base-policy-2.20101213-r13.tar.bz2 *
+
+# Add the patches you want to include, cfr =
Submitting Patches
+# Then, create a new patch bundle
+~$ tar cjvf ../overlay/sec-policy/selinux-bas=
e-policy/files/patchbundle-selinux-base-policy-2.20110726-r3.tar.bz2 *
+
+# Finally, bump the revision of the ebuild =
in the overlay
 ~$ cd ../overlay/sec-policy/selinux-base-poli=
cy
-~$ cp selinux-base-policy-2.20101213-r12.ebui=
ld selinux-base-policy-2.20101213-r13.ebuild
+~$ cp selinux-base-policy-2.20110726-r3.ebuil=
d selinux-base-policy-2.20110726-r4.ebuild
 

Don't forget to run repoman manifest and repoman scan. You can -then install sec-policy/selinux-base-po= licy-2.20101213-r13 and test +then install sec-policy/selinux-base-po= licy-2.20110726-r4 and test it out.
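Review bot: the bundle file name and the ebuild revision no longer agree. "+~$ tar cjvf ../overlay/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20110726-r3.tar.bz2 *" creates an r3 bundle, but the next step copies the ebuild to "selinux-base-policy-2.20110726-r4.ebuild" and the prose tells the reader to install -r4; the removed version kept both at -r13. If the ebuild derives the bundle name from its own revision, the r4 ebuild will not find an r3 bundle, so name the bundle after the new revision. Separately, "tar cjvf ... *" run inside dev/hardened/base-patches packs everything in that directory, including any stale or rejected patches, so the new comment "# Add the patches you want to include" should also say to check the directory contents before creating the bundle.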


@@ -1236,7 +1239,7 @@ it out.

- +

Print

Updated A= pril 22, 2011

Updated S= eptember 4, 2011

Summary:= When planning to help Gentoo Hardened in the development of SELinux poli= cies, or when trying to debug existing policies, this document should help you= get diff --git a/html/selinux-policy.html b/html/selinux-policy.html index 63704fa..88d2d70 100644 --- a/html/selinux-policy.html +++ b/html/selinux-policy.html @@ -125,28 +125,7 @@ domain needs to transition back to the caller (staff_tstaff_screen_t which launches a shell or= command in the staff_t domain).

-

Use 'gentoo_' prefix

-

-When Gentoo Hardened updates policy rules, the patches it applies will s= trive to -use a gentoo_ prefix where possible: -

-
    -
  • - added interfaces for existing modules will start with the gentoo_ - prefix -
  • -
  • - new booleans will start with the gentoo_ prefix -
  • -
-

-This ensures that, if the changes (and their use) is included upstream, = we can -safely migrate towards the upstream implementation rather than face a co= llision -of names. Also, this ensures that no unwanted accesses are granted (or -functionalities suddenly prohibited) when upstream includes a change wit= h the -same name but totally different meaning or implementation. -

-

Do Not Allow Cosmetic = Denials

+

Do Not Allow Cosmetic = Denials

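Review bot: the removed "Use 'gentoo_' prefix" section took its rationale with it ("This ensures that, if the changes (and their use) is included upstream, we can safely migrate towards the upstream implementation rather than face a collision of names") and nothing in the hunk states the replacement convention. If the prefix rule is being dropped, add a sentence under the remaining guidelines saying how new interfaces and booleans are now named and how collisions with upstream names are avoided; otherwise a reader of the remaining text cannot tell whether gentoo_ names in existing patches are legacy or current practice.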
When developing SELinux rules, the Gentoo Hardened SELinux developers wi= ll implement the access permissions needed for an application to function p= roperly @@ -216,7 +195,7 @@ of the packages clean.

- + - + - +

Print

Updated F= ebruary 26, 2011

Updated S= eptember 4, 2011

Summary:= Developing a set of security rules is or should always be done with a co= mmon set of principles and rules in mind. This document explains the policy used = by diff --git a/html/selinux/index.html b/html/selinux/index.html index a51aad4..c9ffd77 100644 --- a/html/selinux/index.html +++ b/html/selinux/index.html @@ -24,9 +24,8 @@ - - - + +

= 1. Project Description

@@ -92,12 +91,12 @@ As a result, we
Sven Vermeulen swiftDocumentation, Userspace tools, Poli= cy developmentDeveloper ( Documentation, Userspace= tools, Policy development )
Anthony G. Basile bluenessPolicy development, Proxy (non devel= oper contributors)Developer ( Policy development, Prox= y (non developer contributors) )
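Review bot: the new role cells in the developer table carry stray spaces inside the parentheses and, in the second row, nested parentheses: "Developer ( Documentation, Userspace tools, Policy development )" and "Developer ( Policy development, Proxy (non developer contributors) )". Drop the inner spaces, or move the role into its own column so the parentheses are not needed; the same wording is introduced in html/index2.html in this commit and should be fixed in both places.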

@@ -121,68 +120,31 @@ The following people, although non-developer, are a= ctively contributing to the p

= 5. - Subprojects

-

The SELinux - project has the following subprojects: -

- - - - - - - - - - - - - - - - - - - - - - - - - - -
ProjectLeadDescription
PolicyChris PeBenito -Develop and maintain a secure, default set of policies for the system, i= ncluding -user and role definitions, service policies and application policies. -
UserlandChris PeBenito -Develop and maintain the packages for SELinux userland utilities and lib= raries, -including SELinux-aware patches for more general applications and librar= ies. -
KernelChris PeBenito -Integrate, improve and maintain SELinux patches in the Linux kernel for = Gentoo -Hardened. -
DocumentationChris PeBenito -Develop and maintain SELinux documentation specific to the Gentoo distri= bution -
-

= 6. Resources

Resources offered by the SELinux project are:

-

= 7. +

= 6. I Want to Participate

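Review bot: removing the Subprojects table leaves the section numbering in doubt. "5." survives with its title "- Subprojects" deleted, "6. Resources" is unchanged, and "I Want to Participate" moves from "7." to "6.", which would give two sections numbered 6. If the numbers are generated from the source, regenerate the preview; if they are hand-written, renumber Resources to 5. The deleted table also named the lead for Policy, Userland, Kernel and Documentation (Chris PeBenito in every row); if those responsibilities still exist, the developer table above should say who holds them.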
To participate in the SELinux project first join the mailing list at @@ -196,7 +158,7 @@ contributing work we will always need testers to use = and audit the SELinux policies. All development, testing, feedback, and productive comments wi= ll be greatly appreciated.

-

Policy Submissions=

+

Policy Submissions=

The critical component of a SELinux system is having a strong policy. T= he team does its best to support as many daemons as possible. However, we = cannot @@ -216,12 +178,6 @@ to receive policy submissions for consideration. Th= ere are a few requirements: We need to know if the policy is dependent on another policy (for ex= ample rpcd is dependent on portmap) other than base-policy. -

  • - An ebuild for the policy can also be submitted to help the developer= s - integrate the policy into Portage more quickly, if it is accepted. =20 - See current daemon policies in Portage for example uses of the - selinux-policy eclass. -
  • The policy should be submitted on bu= gzilla.
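Review bot: the deleted bullet ("An ebuild for the policy can also be submitted to help the developers integrate the policy into Portage more quickly ... See current daemon policies in Portage for example uses of the selinux-policy eclass") was stale rather than wrong: the eclass is now selinux-policy-2, as the ebuild example in html/selinux-development.html in this same commit shows. Rather than dropping the request for ebuilds, update the bullet to name selinux-policy-2 and point to that development guide, so contributors still know an ebuild is welcome alongside the policy.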