public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
@ 2011-02-19  3:45 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-02-19  3:45 UTC
  To: gentoo-commits

commit:     5c92e153df652939446f429038050d6375a9876a
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 03:45:14 2011 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 03:45:14 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5c92e153

Previews

---
 html/index.html         |    2 +-
 html/selinux/index.html |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/index.html b/html/index.html
index a8993ba..0b8bda4 100644
--- a/html/index.html
+++ b/html/index.html
@@ -124,7 +124,7 @@ project:
 <tr>
 <td class="tableinfo">Sven Vermeulen</td>
 <td class="tableinfo">SwifT</td>
-<td class="tableinfo">Documentation writing, support (SELinux)</td>
+<td class="tableinfo">Documentation writing, policy development, support (SELinux)</td>
 </tr>
 </table>
 <p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.

diff --git a/html/selinux/index.html b/html/selinux/index.html
index 87691d0..2ee0997 100644
--- a/html/selinux/index.html
+++ b/html/selinux/index.html
@@ -107,7 +107,7 @@ project:
 <tr>
 <td class="tableinfo">Sven Vermeulen</td>
 <td class="tableinfo">SwifT</td>
-<td class="tableinfo">Documentation writing, support</td>
+<td class="tableinfo">Documentation writing, policy development, support</td>
 </tr>
 </table>
 <p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.




* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
@ 2011-04-22 19:18 Sven Vermeulen
From: Sven Vermeulen @ 2011-04-22 19:18 UTC
  To: gentoo-commits

commit:     e4503de380d1762bf2e26363e7283320b7948edd
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 19:17:35 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 19:17:35 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e4503de3

Update previews

---
 html/selinux-faq.html                 |   40 +++++++++++++++++++++++++++++++++
 html/selinux/hb-using-enforcing.html  |    5 +--
 html/selinux/hb-using-permissive.html |    6 ++++-
 3 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index b208016..b32a389 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -63,6 +63,10 @@ as well.
 <li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li>
 <li><a href="#loadpolicy">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></li>
 <li><a href="#conflicting_types">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></li>
+<li><a href="#portage_libsandbox">
+  During package installation, ld.so complains 'object 'libsandbox.so' from 
+  LD_PRELOAD cannot be preloaded: ignored'
+</a></li>
 </ul>
 <p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
             </span>General SELinux Support Questions</p>
@@ -272,6 +276,42 @@ It is also not a bad idea to report (after verifying if it hasn't been reported
 first) this on <a href="https://bugs.gentoo.org">Gentoo's bugzilla</a> so 
 that the default policies are updated accordingly.
 </p>
+<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">
+  During package installation, ld.so complains 'object 'libsandbox.so' from 
+  LD_PRELOAD cannot be preloaded: ignored'
+</a></p>
+<p>
+During installation of a package, you might see the following error message:
+</p>
+<a name="doc_chap5_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.5: Error message during package installation</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+&gt;&gt; Installing (1 of 1) net-dns/host-991529
+&gt;&gt;&gt; Setting SELinux security labels
+ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
+</pre></td></tr>
+</table>
+<p>
+This message should <span class="emphasis">only</span> occur after the <span class="emphasis">Setting SELinux security
+labels</span> message. It happens because SELinux tells glibc to disable 
+<span class="code" dir="ltr">LD_PRELOAD</span> (and other environment variables that are considered 
+potentially harmful) during domain transitions. Here, portage calls the
+<span class="code" dir="ltr">setfiles</span> command (part of a SELinux installation) and as such 
+transitions from portage_t to setfiles_t, which clears the environment
+variable.
+</p>
+<p>
+We believe that it is safer to trust the SELinux policy here (as setfiles runs
+in its own confined domain anyhow) rather than updating the policy to allow
+transitioning between portage_t to setfiles_t without clearing these 
+environment variables. Note that <span class="emphasis">libsandbox.so is not disabled during builds
+and merges</span>, only during the activity where Portage labels the files it 
+just merged.
+</p>
+<p>
+So the error is in our opinion cosmetic and can be ignored (but sadly not
+hidden).
+</p>
 <br><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
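Review bot: the sample output in Code Listing 5.5 is inconsistent: the first line reads `>> Installing (1 of 1) net-dns/host-991529` with two chevrons while the next line uses three (`>>> Setting SELinux security labels`); Portage prefixes both messages with `>>>`, so the first line looks like a character lost in copying. Two smaller points in the explanation that follows: "transitioning between portage_t to setfiles_t" should read "from portage_t to setfiles_t", and "SELinux tells glibc to disable LD_PRELOAD" would be easier for readers to verify if it named the mechanism: the policy does not grant noatsecure on the portage_t to setfiles_t transition, the kernel therefore starts the new process with AT_SECURE set, and glibc's loader then ignores LD_PRELOAD exactly as it does for setuid programs. Stated that way it also supports the conclusion that the message is cosmetic: libsandbox.so is dropped only for the confined setfiles run, not for the build or merge itself.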

diff --git a/html/selinux/hb-using-enforcing.html b/html/selinux/hb-using-enforcing.html
index 810722f..eb5d08a 100644
--- a/html/selinux/hb-using-enforcing.html
+++ b/html/selinux/hb-using-enforcing.html
@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 <link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
@@ -141,8 +141,7 @@ system as the intention was to ignore the output anyhow.
 </p>
 <p>
 So how can we ensure that this rule doesn't fill up our AVC logs? Well, we need
-to create a module (like we have seen before and which we discuss in a later
-chapter again :-):
+to create a module (like we have seen before in <span title="Link to other book part not available"><font color="#404080">(Creating Specific Allow Rules)</font></span>):
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating a module to ignore these AVC denials</p></td></tr>
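Review bot: the rewritten sentence now ends in doubled parentheses, "(like we have seen before in (Creating Specific Allow Rules)):", because the generated cross-reference is itself wrapped in parentheses; rewording to "as described in (Creating Specific Allow Rules):" avoids it. The title attribute "Link to other book part not available" also means the reference renders as a non-clickable placeholder in this standalone preview, so it is worth confirming that the full handbook build resolves it to the new create_module anchor added in hb-using-permissive.html in this same commit.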

diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html
index b1a43d8..edb5a19 100644
--- a/html/selinux/hb-using-permissive.html
+++ b/html/selinux/hb-using-permissive.html
@@ -308,7 +308,7 @@ files whose context you want to set. Writing policy modules is described later
 in this book in <span title="Link to other book part not available"><font color="#404080">(Adding SELinux Policy
 Modules)</font></span>.
 </p>
-<p class="secthead"><a name="doc_chap1_sect1">Creating Specific Allow Rules</a></p>
+<p class="secthead"><a name="create_module"></a><a name="doc_chap1_sect1">Creating Specific Allow Rules</a></p>
 <p>
 If a denial isn't resolved through an available SELinux policy module or a
 corrective action taken against the target file or directory, or there
@@ -381,6 +381,10 @@ order to load a module, you can use <span class="code" dir="ltr">semodule -i mod
 </p>
 <ul>
   <li>
+    With <span class="code" dir="ltr">semodule -i modulename.pp</span> you (re)install a module (or install
+    a higher version of said module)
+  </li>
+  <li>
     With <span class="code" dir="ltr">semodule -u modulename.pp</span> you upgrade an existing installed
     module with a new version of this module
   </li>
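Review bot: the new `semodule -i modulename.pp` bullet overlaps with the existing `semodule -u modulename.pp` bullet right below it: both say they bring in a higher version of the module, so the list no longer tells the reader when to pick which option. Suggest limiting the `-i` entry to "(re)install a module" and leaving version upgrades to the `-u` entry, or spelling out the actual difference between the two. The paragraph above the list (visible in the hunk header) already says "in order to load a module, you can use semodule -i", so the added bullet mostly restates it.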




* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
@ 2011-04-22 22:35 Sven Vermeulen
From: Sven Vermeulen @ 2011-04-22 22:35 UTC
  To: gentoo-commits

commit:     d8673bd593f010a5317e7335f2d5501ffd56cf11
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 22:35:36 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 22:35:36 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=d8673bd5

Updating previews

---
 html/selinux-development.html         |  681 +++++++++++++++++++++++++++++++++
 html/selinux/hb-using-permissive.html |    2 +-
 html/selinux/index.html               |   42 +--
 3 files changed, 692 insertions(+), 33 deletions(-)

diff --git a/html/selinux-development.html b/html/selinux-development.html
new file mode 100644
index 0000000..72f7a56
--- /dev/null
+++ b/html/selinux-development.html
@@ -0,0 +1,681 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+  Gentoo Hardened SELinux Development</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo Hardened SELinux Development</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Setting Up Your Environment</option>
+<option value="#doc_chap3">3. A Domain Does Not Function Properly</option>
+<option value="#doc_chap4">4. No Domain Exists (Yet)</option>
+<option value="#doc_chap5">5. Policy Guidelines</option>
+<option value="#doc_chap6">6. Submitting Patches</option>
+<option value="#doc_chap7">7. Running Your Own Policy</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+            </span>Introduction</p>
+<p class="secthead"><a name="doc_chap1_sect1">About this document...</a></p>
+<p>
+Dealing with Mandatory Access Control is never easy. SELinux might be available
+by default with Linux, enabling it can provide serious headaches - let alone
+developing policies for it. Within Gentoo Hardened, we strive to offer a default
+policy that is flexible enough to match the requirements of most of you (our 
+users) yet remain manageable by the limited number of developers that we have.
+To ensure that the policy we offer is up to date, we definitely need help from
+end users and other developers, because developing policies requires intimate 
+knowledge of the products they are written for. With over several thousand 
+packages, this is just not feasible for a handful of us. Hence, this Gentoo
+Hardened SELinux Development guide.
+</p>
+<p>
+Within this document, we will try to explain how to set up an environment ready
+to build policies yourself and provide patches to Gentoo Hardened. We also cover
+how to deal with malfunctioning domains and even how to create your own, new 
+domains from scratch (if we need to). Further down, we give an overview of the 
+guidelines that we try to follow during the policy developments and finally
+talk about how to properly create patches and submit them to our <a href="https://bugs.gentoo.org">bugzilla</a> service.
+</p>
+<p>
+For those who want to run Gentoo Hardened with their own policies, we've also
+added a chapter on just that. We know that our policy does not match everyone's
+requirements, so we definitely want to help you run your own too.
+</p>
+<p class="secthead"><a name="doc_chap1_sect2">Intended audience</a></p>
+<p>
+This document is a must-read for everyone willing to provide patches or develop
+the Gentoo Hardened SELinux policies.
+</p>
+<p>
+Other SELinux advanced users might find this document interesting as well.
+</p>
+<p class="secthead"><a name="doc_chap1_sect3">What you need to know</a></p>
+<p>
+This document does assume prior knowledge on SELinux policies and the way the
+reference policy works. For those that need a quick recap, here are the
+highlights...
+</p>
+<ul>
+  <li>
+    SELinux uses <span class="emphasis">domains</span> and <span class="emphasis">types</span> to differentiate its various
+    security objects. A domain is usually referred to as the security context
+    of a process (or group of processes) whereas a type is usually referred to
+    as the label given to a particular resource (file, directory, network
+    interface, socket, network port, ...).
+  </li>
+  <li>
+    <span class="emphasis">SELinux policies</span> describe what interaction is allowed between a
+    domain and the other domains and types it needs to work with. If no policy
+    allows for a particular activity, then the activity is denied.
+  </li>
+  <li>
+    The structure in which policies are written are called <span class="emphasis">SELinux policy
+    modules</span> which contain three parts: a <span class="emphasis">type enforcement file</span> (with
+    suffix <span class="path" dir="ltr">.te</span>) that contains the intra-module permissions, an
+    <span class="emphasis">interface file</span> (with suffix <span class="path" dir="ltr">.if</span>) that contains the
+    inter-module permissions and a <span class="emphasis">file contexts file</span> (with suffix
+    <span class="path" dir="ltr">.fc</span>) that contains the file context definitions for all file
+    resources that are labeled with the type or types defined in the module
+  </li>
+  <li>
+    Inter-domain privileges must be declared through functions in the
+    <span class="emphasis">interface file</span> which can then be called by other modules. This
+    includes the necessary permissions to allow domain transitions
+  </li>
+</ul>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+            </span>Setting Up Your Environment</p>
+<p class="secthead"><a name="doc_chap2_sect1">Patching the reference policy</a></p>
+<p>
+Gentoo Hardened builds its policy upon the <a href="http://oss.tresys.com/projects/refpolicy">reference policy</a> as
+provided by <a href="http://www.tresys.com">Tresys</a> and managed through
+an active <a href="http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute">community</a>.
+I suggest to use two workspaces when dealing with SELinux policies for Gentoo
+Hardened: the <span class="path" dir="ltr">hardened</span> one for the Gentoo patched policy, and a 
+<span class="path" dir="ltr">local</span> one in which you work and make your patches in.
+</p>
+<p>
+Of course, using a source control system like git can be helpful too. For now,
+Gentoo Hardened doesn't have a git repository where its policies are based from
+(yet). That might sound a bit dull, but it forces the developers to remain as
+close to upstream as possible (and contribute the changes upstream too so that
+newer releases include them automatically). You can definitely use a source
+control system yourself - the only reason we do not use it in this document is
+that it is easier to document without ;-)
+</p>
+<p>
+Let's create the first workspace:
+</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Creating the SELinux policy workspace</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">mkdir dev/hardened</span>
+~$ <span class="code-input">cd dev/hardened</span>
+~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r12.ebuild compile</span>
+~$ <span class="code-input">cp -r /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12/work/* .</span>
+~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12</span>
+</pre></td></tr>
+</table>
+<p>
+As result, you should have two or three directories in 
+<span class="path" dir="ltr">dev/hardened</span> called <span class="path" dir="ltr">refpolicy</span> and <span class="path" dir="ltr">strict</span>
+and/or <span class="path" dir="ltr">targeted</span>. The only one of interest is the
+<span class="path" dir="ltr">strict</span> and/or <span class="path" dir="ltr">targeted</span> one, depending on the policy
+type you are working with. In the remainder of the document, I'm assuming you
+work with <span class="path" dir="ltr">strict</span>.
+</p>
+<p>
+Now the <span class="path" dir="ltr">dev/hardened</span> workspace is patched with the Gentoo Hardened
+SELinux patches applicable to the base policy. Gentoo Hardened has two "flavors"
+of patches:
+</p>
+<ol>
+  <li>
+    <span class="emphasis">Base policy patches</span> contain the patches for the SELinux modules that
+    take part of the base policy as well as all interface patches for the
+    modules
+  </li>
+  <li>
+    <span class="emphasis">Module-specific patches</span> that contain the permissions affecting the
+    domains and types that are defined in a single module (for instance, all
+    interaction between <span class="path" dir="ltr">portage_t</span> and <span class="path" dir="ltr">portage_exec_t</span>
+    or even <span class="path" dir="ltr">portage_t</span> and <span class="path" dir="ltr">portage_fetch_t</span>)
+  </li>
+</ol>
+<p>
+The base policy patches are important to have available at all times. The
+module-specific ones can be added when you work with that particular module.
+</p>
+<p>
+Every time a new revision comes out, you'll need to clean the
+<span class="path" dir="ltr">dev/hardened</span> workspace and rebuild it.
+</p>
+<p class="secthead"><a name="doc_chap2_sect2">Add specific module files</a></p>
+<p>
+To update your policy workspace, use the same tactic as describes
+earlier, but now for the specific SELinux policy module package (like
+<span class="path" dir="ltr">selinux-postfix</span>).
+</p>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Updating the dev/hardened workspace</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">ls dev/hardened/strict/policy/modules/*/postfix.te</span>
+dev/hardened/strict/policy/modules/services/postfix.te
+<span class="code-comment">                                   ^^^^^^^^</span>
+~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild compile</span>
+
+<span class="code-comment"># Next, we copy the postfix.te and postfix.fc files.
+# Do NOT copy the postfix.if file (as the one available there is a stub)</span>
+~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.te \
+  dev/hardened/strict/policy/modules/services/</span>
+<span class="code-comment">                                     ^^^^^^^^</span>
+~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.fc \
+  dev/hardened/strict/policy/modules/services/</span>
+<span class="code-comment">                                     ^^^^^^^^</span>
+~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12</span>
+</pre></td></tr>
+</table>
+<p>
+Finally, clean up the workspace (as it contains built policies and other
+material we do not want to see in our patches)
+</p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Cleaning up the workspace</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">cd dev/hardened/strict</span>
+~$ <span class="code-input">make clean</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect3">Setting up a local workspace</a></p>
+<p>
+Setting up a local workspace is easy: just copy the <span class="path" dir="ltr">dev/hardened</span>
+one:
+</p>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Setting up a local workspace</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">mkdir dev/local</span>
+~$ <span class="code-input">cp -r dev/hardened/strict dev/local/</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect4">Navigating the policy workspace</a></p>
+<p>
+The main location you will work with is
+<span class="path" dir="ltr">dev/local/strict/policy/modules</span>. This location is subdivided in
+categories:
+</p>
+<dl>
+  <dt>admin</dt>
+  <dd>Administrative SELinux policy modules (portage, logrotate, sudo, ...)</dd>
+  <dt>apps</dt>
+  <dd>Application SELinux policy modules (evolution, mozilla, screen, ...)</dd>
+  <dt>kernel</dt>
+  <dd>Kernel specific SELinux policy domains (corenetwork, kernel, ...)</dd>
+  <dt>roles</dt>
+  <dd>Domains specific to SELinux roles (sysadm, user, staff, ...)</dd>
+  <dt>services</dt>
+  <dd>Daemon SELinux policy modules (postfix, apache, squid, ...)</dd>
+  <dt>system</dt>
+  <dd>Core SELinux policy modules (selinuxutil, mount, iptables, ...)</dd>
+</dl>
+<p>
+The categorization is arbitrary and serves no purpose other than keeping the
+modules a but separated. Each module must have a unique name, regardless of the
+category!
+</p>
+<p>
+Inside the categories, the modules are available using their three files
+</p>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Listing the available sudo files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">cd dev/local/strict/policy/modules/admin</span>
+~$ <span class="code-input">ls sudo.*</span>
+sudo.fc    sudo.if     sudo.te
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect5">Building a module</a></p>
+<p>
+To build a module, go to the location where the module code is. Then, run
+<span class="code" dir="ltr">make</span> with the development Makefile as provided by the reference policy.
+</p>
+<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.6: Building the portage module</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">cd dev/local/strict/policy/modules/admin</span>
+~$ <span class="code-input">make -f ../../../support/Makefile.devel portage.pp</span>
+</pre></td></tr>
+</table>
+<p>
+You now have a <span class="path" dir="ltr">portage.pp</span> file available which you can load (using
+<span class="code" dir="ltr">semodule -i portage.pp</span>).
+</p>
+<p class="secthead"><a name="doc_chap2_sect6">Building the base policy</a></p>
+<p>
+If you want to build the base policy, run <span class="code" dir="ltr">make base</span>.
+</p>
+<a name="doc_chap2_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.7: Building the base policy</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">cd dev/local/strict</span>
+~$ <span class="code-input">make base</span>
+</pre></td></tr>
+</table>
+<p>
+The result should be a <span class="path" dir="ltr">base.pp</span> file that you can load using
+<span class="code" dir="ltr">semodule -b base.pp</span>. However, if you intend to do a bit more than just
+test this base policy quickly, it is seriously recommended to create your own
+Gentoo overlay for your own <span class="path" dir="ltr">selinux-base-policy</span> and install that
+one as installing a base policy is not only about the policy module itself, but
+also about the include files that will then be stored in
+<span class="path" dir="ltr">/usr/share/selinux/strict/include</span>.
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+            </span>A Domain Does Not Function Properly</p>
+<p class="secthead"><a name="doc_chap3_sect1">Introduction</a></p>
+<p>
+The most likely problem that you are hitting is that a domain does exist in
+Gentoo Hardened SELinux, but that it isn't functioning as it should. To solve
+this problem, it is adviseable to use the following sequence of investigations:
+</p>
+<ol>
+  <li>
+    Is it really SELinux that is restraining your system?
+  </li>
+  <li>
+    Is the problem related to wrong resource labels / security contexts?
+  </li>
+  <li>
+    Is the problem related to intra-module permissions?
+  </li>
+  <li>
+    Is the problem related to inter-module permissions?
+  </li>
+</ol>
+<p class="secthead"><a name="doc_chap3_sect2">Check if SELinux is to blame</a></p>
+<p>
+Make sure that the problem you are seeing is a SELinux-triggered problem. An
+easy way to find out is to run SELinux in permissive mode and try again:
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Switching to permissive mode</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">setenforce 0</span>
+</pre></td></tr>
+</table>
+<p>
+This only works if the problem is <span class="emphasis">not</span> to do with a SELinux-aware
+application (unlike <span class="code" dir="ltr">init</span> or <span class="code" dir="ltr">sudo</span> which are linked to the
+libselinux library). SELinux-aware applications might alter their behavior if
+SELinux is set on the system regardless of it running in permissive mode or not.
+A prime example is <span class="code" dir="ltr">vixie-cron</span> (as can be seen in <a href="https://bugs.gentoo.org/show_bug.cgi?id=257111">bug #257111</a>). But
+for applications that are not SELinux aware, this is the easiest method to find
+out if SELinux is to blame or not.
+</p>
+<p>
+If running your system in permissive mode works around the problem, read on. If
+it doesn't, check the regular permissions (<span class="code" dir="ltr">strace</span>'ing the application
+might be a good idea too).
+</p>
+<p class="secthead"><a name="doc_chap3_sect3">Get the proper AVC denials</a></p>
+<p>
+Assuming that we now know that SELinux is to blame, we need to make sure that we
+get the proper AVC denials. Either locate the proper denials in
+<span class="path" dir="ltr">/var/log/avc.log</span> (or <span class="path" dir="ltr">audit.log</span>) around the time that
+you encountered the issue, or run <span class="code" dir="ltr">tail -f /var/log/avc.log</span> and reproduce
+the problem.
+</p>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: Example denials</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">tail -f /var/log/avc.log</span>
+Apr 22 15:03:33 www1 kernel: [16053.303739] type=1400 audit(1303477413.188:283):
+avc:  denied  { dac_read_search } for  pid=21758 comm="rm" capability=2
+scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t
+tclass=capability
+</pre></td></tr>
+</table>
+<p>
+Analyzing the meaning of the AVC denial is covered by <a href="selinux/selinux-handbook.xml?part=2&amp;chap=3#avclog">Looking
+at the AVC Log</a> in the Gentoo Hardened SELinux handbook. The denial should
+give you a pointer where to look for. However, it is possible that no denial is
+occurring, or at least no relevant ones.
+</p>
+<p>
+A first step to get potentially more denials is to switch the
+<span class="code" dir="ltr">gentoo_try_dontaudit</span> boolean off. This boolean is used by the Gentoo
+Hardened SELinux developers to hide denials which they assume are cosmetic. As
+these developers are known to have a human side (as well), they are known to
+make mistakes ;-)
+</p>
+<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: Disabling gentoo's dontaudit statements</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">setsebool gentoo_try_dontaudit off</span>
+</pre></td></tr>
+</table>
+<p>
+Retry getting the proper AVC denials.
+</p>
+<p>
+If it still doesn't work, you can disable all <span class="emphasis">dontaudit</span> statements:
+</p>
+<a name="doc_chap3_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.4: Disabling all dontaudit statements</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">semodule -R -D -B</span>
+</pre></td></tr>
+</table>
+<p>
+Retry getting the proper AVC denials.
+</p>
+<p>
+The moment you get the denials you are looking for, isolate them and then undo
+the changes you made earlier:
+</p>
+<a name="doc_chap3_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.5: Resetting the auditing defaults</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">setsebool gentoo_try_dontaudit on</span>
+~# <span class="code-input">semodule -R -B</span>
+</pre></td></tr>
+</table>
+<p>
+If you still do not see any denials, then check out the <span class="code" dir="ltr">dmesg</span> output for
+other problems. It is possible that SELinux is not even getting to the point of
+the policy, which you will not notice by looking at the AVC denials alone.
+However, the chance of this to happen is very slim - most of the time, you'll
+find the AVC denials you are looking for.
+</p>
+<p class="secthead"><a name="doc_chap3_sect4">Deducing the correct security contexts</a></p>
+<p>
+The next step is to see if we are dealing with the right security contexts. This
+does require a bit of insight in how both the application (that is failing) and
+the policy relate to each other.
+</p>
+<p>
+Say you are having issues with SELinux (re)labeling and you notice the following
+AVC denial:
+</p>
+<a name="doc_chap3_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.6: AVC denial for setfiles</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Apr 16 14:39:57 testsys kernel: [  115.778484] type=1400
+audit(1302957597.827:224): avc:  denied  { create } for  pid=3584
+comm="setfiles" scontext=root:sysadm_r:<span class="code-comment">sysadm_t</span> tcontext=root:sysadm_r:sysadm_t
+tclass=netlink_audit_socket
+</pre></td></tr>
+</table>
+<p>
+In this case, <span class="code" dir="ltr">setfiles</span> is running in the <span class="path" dir="ltr">sysadm_t</span> domain
+even though it should run in <span class="path" dir="ltr">setfiles_t</span>. So check the security
+context of the <span class="code" dir="ltr">setfiles</span> binary as well as the transition rules:
+</p>
+<a name="doc_chap3_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.7: Checking setfiles context and rules</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">ls -lZ /sbin/setfiles</span>
+-rwxr-xr-x. 1 root root <span class="code-comment">system_u:object_r:bin_t</span> 26464 Apr  9 22:22 /sbin/setfiles
+~# <span class="code-input">sesearch -s sysadm_t -t setfiles_t -c process -p transition -A -d</span>
+Found 1 semantic av rules:
+    allow sysadm_t setfiles_t : process transition ;
+~# <span class="code-input">sesearch -s sysadm_t -t setfiles_exec_t -c file -p execute -A -d</span>
+...
+~# <span class="code-input">sesearch -s setfiles_t -t setfiles_exec_t -c file -p entrypoint -A -d</span>
+...
+</pre></td></tr>
+</table>
+<p>
+In the above (forced) situation, the problem is with the security context of the
+binary - it should have been <span class="path" dir="ltr">setfiles_exec_t</span> instead of
+<span class="path" dir="ltr">bin_t</span>. Usually, entry points are named similarly (like
+<span class="path" dir="ltr">portage_exec_t</span> or <span class="path" dir="ltr">sudo_exec_t</span>). If you are not certain
+about which domain it should be, use <span class="code" dir="ltr">sesearch</span>
+</p>
+<a name="doc_chap3_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.8: Using sesearch to find the entrypoint type for a domain</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">sesearch -s setfiles_t -c file -p entrypoint -A -d</span>
+Found 1 semantic av rules:
+   allow setfiles_t setfiles_exec_t : file { ioctl ... execute entrypoint open } ;
+</pre></td></tr>
+</table>
+<p>
+The <span class="code" dir="ltr">sesearch</span> utility is extremely powerful to query the SELinux policy
+(which is currently in memory). I also advise you to use the <span class="code" dir="ltr">-C</span> switch to
+see which rules are trigged by certain SELinux booleans:
+</p>
+<a name="doc_chap3_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.9: Looking for boolean-triggered settings</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">sesearch -s named_t -t named_zone_t -c file -A -d -C</span>
+Found 2 semantic av rules:
+   allow named_t named_zone_t : file { ioctl read getattr lock open } ; 
+DT allow named_t named_zone_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ named_write_master_zones ]
+</pre></td></tr>
+</table>
+<p>
+In the above example, the <span class="path" dir="ltr">named_t</span> domain only has write privileges
+on files labeled <span class="path" dir="ltr">named_zone_t</span> if the
+<span class="path" dir="ltr">named_write_master_zones</span> boolean is set (which it currently isn't,
+otherwise the line would stat with ET instead of DT).
+</p>
+<p>
+To gain a bit of insight in the various, available domains, use <span class="code" dir="ltr">seinfo</span>:
+</p>
+<a name="doc_chap3_pre10"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.10: Getting a list of available domains</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">seinfo -t | grep named</span>
+   named_var_run_t
+   named_checkconf_exec_t
+   named_conf_t
+   named_initrc_exec_t
+   named_log_t
+   named_exec_t
+   named_zone_t
+   named_t
+   named_cache_t
+   named_tmp_t
+</pre></td></tr>
+</table>
+<p>
+To gain a bit of insight in the (current) file context rules, use
+<span class="code" dir="ltr">semanage</span>:
+</p>
+<a name="doc_chap3_pre11"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.11: Getting the list of current file context rules</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">semanage fcontext -l | grep named</span>
+/etc/bind(/.*)?                                    all files        system_u:object_r:named_zone_t 
+/etc/bind/named\.conf                              regular file     system_u:object_r:named_conf_t 
+/etc/rc\.d/init\.d/named                           regular file     system_u:object_r:named_initrc_exec_t 
+/etc/rc\.d/init\.d/unbound                         regular file     system_u:object_r:named_initrc_exec_t 
+/etc/rndc.*                                        regular file     system_u:object_r:named_conf_t 
+/etc/unbound(/.*)?                                 all files        system_u:object_r:named_conf_t 
+/usr/sbin/lwresd                                   regular file     system_u:object_r:named_exec_t 
+/usr/sbin/named                                    regular file     system_u:object_r:named_exec_t 
+/usr/sbin/named-checkconf                          regular file     system_u:object_r:named_checkconf_exec_t 
+/usr/sbin/unbound                                  regular file     system_u:object_r:named_exec_t 
+/var/bind(/.*)?                                    all files        system_u:object_r:named_cache_t 
+/var/bind/pri(/.*)?                                all files        system_u:object_r:named_zone_t 
+/var/log/named.*                                   regular file     system_u:object_r:named_log_t 
+/var/run/bind(/.*)?                                all files        system_u:object_r:named_var_run_t 
+/var/run/named(/.*)?                               all files        system_u:object_r:named_var_run_t 
+/var/run/ndc                                       socket           system_u:object_r:named_var_run_t 
+/var/run/unbound(/.*)?                             all files        system_u:object_r:named_var_run_t 
+</pre></td></tr>
+</table>
+<p>
+Most of the time, fixing domain issues is a matter of relabeling files (or
+updating the configuration to match the contexts already defined - both work).
+</p>
+<p class="secthead"><a name="doc_chap3_sect5">Intra-module permissions are missing</a></p>
+<p>
+It is possible that you get a denial between correct security contexts, but
+that the permission is just never granted. In this case, you can choose between
+two things:
+</p>
+<ol>
+  <li>
+    Enhance the module so that the particular permission is granted, or
+  </li>
+  <li>
+    Enhance the module with an additional type where the permission is granted,
+    and assign this type/label to the related resources
+  </li>
+</ol>
+<p>
+In both cases you will need to edit the module files (most likely the
+<span class="path" dir="ltr">.te</span> file), build the module, load it, perhaps even relabel the
+files or the package and retry. It is also a good idea to take a look at
+upstream (latest refpolicy repository or the repositories of Fedora and co) and
+see if they have already solved this problem or not.
+</p>
+<p>
+Granting additional permissions between existing domains is the easiest, but
+might introduce additional problems: if this permission is only needed in a
+particular case yet you grant it for all files and resources related to those
+domains, then you are opening up the policy beyond what is necessary. Often,
+creating an additional domain or type can be beneficial.
+</p>
+<p>
+A noticeable example is Portage' support for CVS/SVN/GIT ebuilds (the so-called
+live ebuilds). These ebuilds get their repository and store it in the
+<span class="path" dir="ltr">distfiles/svn+src</span> location, which was by default labelled
+<span class="path" dir="ltr">portage_ebuild_t</span> with only read-access for the
+<span class="path" dir="ltr">portage_sandbox_t</span> domain. However, with those live ebuilds, the
+<span class="path" dir="ltr">portage_sandbox_t</span> domain also needs write privileges to this
+location. Rather than allowing <span class="path" dir="ltr">portage_sandbox_t</span> write privileges
+to <span class="path" dir="ltr">portage_ebuild_t</span>, a new type was created called
+<span class="path" dir="ltr">portage_svnsrc_t</span> for just this location and the rights are
+transferred towards type.
+</p>
+<p class="secthead"><a name="doc_chap3_sect6">Inter-module permissions are needed</a></p>
+<p>
+If the solution for the problem requires permissions between modules, then you
+need to create the proper interface functions in the target domain and call
+these functions from the source domain.
+</p>
+<p>
+TODO extend this explanation, use a common example, like mysql_stream_connect in
+postfix.
+</p>
+<p>
+TODO explain that changes in the interface require rebuilds and reinstallations
+of the base (package, not only .pp file, due to includes). tell that this is the
+reason why selinux-base-policy has that many revisions.
+</p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+            </span>No Domain Exists (Yet)</p>
+<p class="secthead"><a name="doc_chap4_sect1">Reuse existing domains</a></p>
+<p>
+TODO talk about potentially reusing domains (like apache module providing the
+various httpd_* domains which can be reused by lighttpd). Talk about assigning
+the proper labels to the files to see if that is sufficient.
+</p>
+<p class="secthead"><a name="doc_chap4_sect2">Copy from existing domains</a></p>
+<p>
+TODO talk about finding a similar module (apps or service) and start from a
+(slimmed-down) domain. Not recommended as it might already open too much, but it
+is a good start, if not to just look at with every denial you get later. Keep it
+short, most information is in next section.
+</p>
+<p class="secthead"><a name="doc_chap4_sect3">Starting from scratch</a></p>
+<p>
+TODO talk about defining the proper domains, set proper types (like file_type or
+application_type), refer to refpolicy guidelines
+</p>
+<p class="secthead"><a name="doc_chap4_sect4">Testing new modules</a></p>
+<p>
+TODO talk about users trying to do maximum testing (all the way). Also, if they
+want to support unconfined domains too, how they can do this (and should test).
+</p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+            </span>Policy Guidelines</p>
+<p>
+TODO dealing with cosmetic denials
+</p>
+<p>
+TODO resources - gentoo selinux policy, refpolicy guidelines
+</p>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+            </span>Submitting Patches</p>
+<p>
+TODO differentiate between base patch and module patch.
+</p>
+<p>
+TODO perhaps talk about file context patches. Perhaps we will not make a new
+build release for it, but stage it to be included in the next release when a
+non-filecontext patch is added?
+</p>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+            </span>Running Your Own Policy</p>
+<p>
+TODO describe how to create your own overlay with modules and patchbundles. Also
+usable for developers to stage their ebuild / patch submissions before actually
+putting in git repo. Ensure that naming is consistent (so that ebuild
+dependencies of packages remain).
+</p>
+<p>
+TODO describe how to exclude sec-policy in regular rsync
+</p>
+<br><p class="copyright">
+    The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+    Attribution / Share Alike</a> license.
+  </p>
+<!--
+  <rdf:RDF xmlns="http://web.resource.org/cc/"
+      xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+  <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+     <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+     <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+     <requires rdf:resource="http://web.resource.org/cc/Notice" />
+     <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+     <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+     <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+  </License>
+  </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-development.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated April 22, 2011</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+When planning to help Gentoo Hardened in the development of SELinux policies,
+or when trying to debug existing policies, this document should help you get
+acquainted with the necessary resources, trips and tricks to get along.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+  <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+        </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
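Review bot: several typos in the new chapter 3 text will ship in the preview as-is: "trigged" (should be "triggered") in the paragraph introducing Code Listing 3.9, "the line would stat with ET" (should be "start") in the paragraph after it, "Portage' support" (should be "Portage's") in the live-ebuild example, and "the rights are transferred towards type" is missing "that" before "type". Beyond that, the end of chapter 3 and all of chapters 4 to 7 consist almost entirely of "TODO" placeholder paragraphs; since this is rendered as a published page, consider hiding those sections or adding a work-in-progress note at the top. One substantive point on Listing 3.4: "semodule -R -D -B" disables every dontaudit rule in the loaded policy, which tends to flood the log with unrelated denials; the text already says to isolate the relevant ones and reset with Listing 3.5, but it would help to state that the setsebool calls in 3.3 and 3.5 are deliberately non-persistent (no -P), so a reboot also restores the default auditing behaviour.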

diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html
index edb5a19..0285dde 100644
--- a/html/selinux/hb-using-permissive.html
+++ b/html/selinux/hb-using-permissive.html
@@ -103,7 +103,7 @@ access is requested which isn't in the cache yet, it is first loaded in the
 cache from which the allow/deny is triggered. Hence the "avc" messages and the
 <span class="path" dir="ltr">avc.log</span> log file.
 </p>
-<p class="secthead"><a name="doc_chap1_sect1">Looking at the AVC Log</a></p>
+<p class="secthead"><a name="avclog"></a><a name="doc_chap1_sect1">Looking at the AVC Log</a></p>
 <p>
 During regular system operations, you can keep track of the denials through a
 simple <span class="code" dir="ltr">tail</span> session:

diff --git a/html/selinux/index.html b/html/selinux/index.html
index 4798084..e1de71a 100644
--- a/html/selinux/index.html
+++ b/html/selinux/index.html
@@ -26,10 +26,9 @@
 <option value="#doc_chap4">4. Developers</option>
 <option value="#doc_chap5">5. Contributors</option>
 <option value="#doc_chap6">6. Subprojects</option>
-<option value="#doc_chap7">7. Planned subprojects</option>
-<option value="#doc_chap8">8. Resources</option>
-<option value="#doc_chap9">9. How Do I Use This?</option>
-<option value="#doc_chap10">10. I Want to Participate</option></select>
+<option value="#doc_chap7">7. Resources</option>
+<option value="#doc_chap8">8. How Do I Use This?</option>
+<option value="#doc_chap9">9. I Want to Participate</option></select>
 </form>
 <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
             </span>Project Description</p>
@@ -130,7 +129,7 @@ project:
           </tr>
           <tr>
             <td class="tableinfo">Daemon Policy</td>
-            <td class="tableinfo"></td>
+            <td class="tableinfo">pebenito</td>
             <td class="tableinfo">
   SELinux policies for common daemons.
 </td>
@@ -151,30 +150,6 @@ project:
           </tr>
         </table>
 <p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
-            </span>Planned subprojects</p>
-<p>The SELinux
-			project has the following subprojects planned:
-			</p>
-<table class="ntable">
-          <tr>
-            <td class="infohead"><b>Project</b></td>
-            <td class="infohead"><b>Description</b></td>
-          </tr>
-          <tr>
-            <td class="tableinfo">non-x86 Support</td>
-            <td class="tableinfo">
-  Profiles, installation guides, and support for non-x86 architectures.
-</td>
-          </tr>
-          <tr>
-            <td class="tableinfo">Desktop</td>
-            <td class="tableinfo">
-  SELinux support on destktops.  This involves enhancements to XFree's
-  security, and accompanying policy.
-</td>
-          </tr>
-        </table>
-<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
             </span>Resources</p>
 <p>Resources offered by the
 			SELinux
@@ -183,13 +158,16 @@ project:
           <li>
             <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook</a>
           </li>
+          <li>
+            <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
+          </li>
         </ul>
-<p class="chaphead"><a name="doc_chap9"></a><span class="chapnum">9.
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
             </span>How Do I Use This?</p>
 <p>
   SELinux can be installed on a new system by following the above install guide.
 </p>
-<p class="chaphead"><a name="doc_chap10"></a><span class="chapnum">10.
+<p class="chaphead"><a name="doc_chap9"></a><span class="chapnum">9.
             </span>I Want to Participate</p>
 <p>
   To participate in the SELinux project first join the mailing list at
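Review bot: the new FAQ entry links to "selinux-faq.html" while the handbook entry directly above it links to "selinux/selinux-handbook.html"; as this page is html/selinux/index.html, both relative paths cannot be right at once: if the FAQ lives beside this page, the handbook path is one "selinux/" too deep, and if the FAQ lives one level up it needs a "../" prefix. Verify both links resolve in the rendered tree. The chapter renumbering (8 and 9) is consistent with the option-list change earlier in this file.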
@@ -203,7 +181,7 @@ project:
   policies. All development, testing, feedback, and productive comments will
   be greatly appreciated.
 </p>
-<p class="secthead"><a name="doc_chap10_sect2">Policy Submissions</a></p>
+<p class="secthead"><a name="doc_chap9_sect2">Policy Submissions</a></p>
 <p>
   The critical component of a SELinux system is having a strong policy.  The
   team does its best to support as many daemons as possible.  However, we cannot




* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
@ 2011-05-15  9:11 Sven Vermeulen
From: Sven Vermeulen @ 2011-05-15  9:11 UTC (permalink / raw
  To: gentoo-commits

commit:     ae3ab374c135466423f4ecd405935141a00683f5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 15 09:10:07 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 15 09:10:07 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae3ab374

Update previews

---
 html/selinux-faq.html              |   49 +++++++++++++++++++++++++++++++++++-
 html/selinux/hb-using-install.html |   22 +++------------
 2 files changed, 53 insertions(+), 18 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 89d9f5b..3a94091 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -56,6 +56,9 @@ as well.
 <li><a href="#enable_selinux">How do I enable SELinux?</a></li>
 <li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li>
 <li><a href="#disable_selinux">How do I disable SELinux completely?</a></li>
+<li><a href="#matchcontext">
+  How do I know which file context rule is used for a particular file?
+</a></li>
 </ul>
 <p class="secthead">SELinux Kernel Error Messages</p>
 <ul><li><a href="#register_security">I get a register_security error message when booting</a></li></ul>
@@ -195,6 +198,50 @@ while SELinux was disabled might have created new files or removed the labels
 from existing files, causing these files to be available without security
 context.
 </p></td></tr></table>
+<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">
+  How do I know which file context rule is used for a particular file?
+</a></p>
+<p>
+If you use the <span class="code" dir="ltr">matchpathcon</span> command, it will tell you what the security
+context for the given path (file or directory) should be, but it doesn't tell
+you which rule it used to deduce this. To do that, you can use <span class="code" dir="ltr">findcon</span>:
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Using findcon</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">findcon /etc/selinux/strict/contexts/files/file_contexts -p /lib64/rc/init.d</span>
+/.*                          system_u:object_r:default_t
+/lib64/rc/init\.d(/.*)?   system_u:object_r:initrc_state_t
+/lib64/.*                    system_u:object_r:lib_t
+</pre></td></tr>
+</table>
+<p>
+When the SELinux utilities try to apply a context, they try to match the rule
+that is the most specific, so in the above case, it is the one that leads to the
+initrc_state_t context.
+</p>
+<p>
+The most specific means, in order of tests:
+</p>
+<ol>
+  <li>
+    If line A has a regular expression, and line B doesn't, then line B is more
+    specific.
+  </li>
+  <li>
+    If the number of characters before the first regular expression in line A is
+    less than the number of characters before the first regular expression in
+    line B, then line B is more specific
+  </li>
+  <li>
+    If the number of characters in line A is less than in line B, then line B is
+    more specific
+  </li>
+  <li>
+    If line A does not map to a specific SELinux type, and line B does, then
+    line B is more specific
+  </li>
+</ol>
 <p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
             </span>SELinux Kernel Error Messages</p>
 <p class="secthead"><a name="register_security"></a><a name="doc_chap4_sect1">I get a register_security error message when booting</a></p>
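Review bot: the four ordering tests describe how the file_contexts file is sorted, but the paragraph before them should also mention that rules added locally with "semanage fcontext -a" are stored in file_contexts.local next to the file_contexts file used in Listing 3.1 and are matched as well, so running findcon only against file_contexts can miss the rule that matchpathcon actually applies to a path. Minor: list items 2 and 3 lack a terminating period, and the three columns of the findcon output in Listing 3.1 are not aligned.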
@@ -423,7 +470,7 @@ Another fix would be to disable UBAC completely. This is accomplished with
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 3, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 14, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
 The FAQ is a collection of solutions found on IRC, mailinglist, forums or 

diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index f4288bb..6b41e61 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -93,7 +93,7 @@ Available Python interpreters:
 ~# <span class="code-input">source /etc/profile</span>
 </pre></td></tr>
 </table>
-<p class="secthead"><a name="doc_chap1_sect1">Setting the filesystem contexts</a></p>
+<p class="secthead"><a name="doc_chap1_sect1">Optional: Setting the filesystem contexts</a></p>
 <p>
 If your <span class="path" dir="ltr">/tmp</span> location is a tmpfs-mounted file system, then you need
 to tell the kernel that the root context of this location is <span class="code" dir="ltr">tmp_t</span>
@@ -109,19 +109,6 @@ To configure the <span class="path" dir="ltr">/tmp</span> mount, edit your <span
 tmpfs  /tmp  tmpfs  defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t</span>  0 0
 </pre></td></tr>
 </table>
-<p>
-Next to the <span class="path" dir="ltr">/tmp</span> location, you will need to explicitly define the
-mount for <span class="path" dir="ltr">rc-svcdir</span>, used by sys-apps/openrc. If not, this tmpfs
-file system is mounted with the wrong security label which will result in boot
-failures.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update /etc/fstab for rc-svcdir</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># Change /lib64 with /lib for 32-bit systems / support</span>
-rc-svcdir  /lib64/rc/init.d  tmpfs  rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755  0 0
-</pre></td></tr>
-</table>
 <p class="secthead"><a name="doc_chap1_sect1">Enabling ~Arch Packages</a></p>
 <p>
 The current stable SELinux related packages are not fit for use anymore (or are
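Review bot: this removes the only instruction that gave the rc-svcdir tmpfs its initrc_state_t context at mount time, together with the warning that a wrong label there causes boot failures. The setfiles line added later in this commit labels the on-disk /lib64/rc/init.d path, but once openrc mounts a tmpfs over it the mount root receives its own label rather than inheriting the directory's, so the text should say what now provides that context (for example, whether the openrc version the guide requires mounts it correctly itself); otherwise readers lose the reason the fstab entry existed and have no check to run if boot fails.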
@@ -531,8 +518,8 @@ kernel will not update the security attributes of the files you create or
 manipulate during your day-to-day activities on your system.
 </p></td></tr></table>
 <p>
-First relabel your devices. This will apply the correct security contexts
-(labels) onto the device files.
+First relabel your devices and openrc related files. This will apply the
+correct security contexts (labels) onto the necessary files.
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel /dev structure</p></td></tr>
@@ -542,6 +529,7 @@ First relabel your devices. This will apply the correct security contexts
 
 <span class="code-comment">(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</span>
 ~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</span>
+~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</span>
 ~# <span class="code-input">umount /mnt/gentoo</span>
 </pre></td></tr>
 </table>
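Review bot: the new setfiles line hard-codes /mnt/gentoo/lib64, but the fstab listing removed earlier in this commit carried the comment "Change /lib64 with /lib for 32-bit systems"; that caveat is lost here, so either restore it next to this line or also relabel /mnt/gentoo/lib. The existing comment about substituting "strict" with "targeted" applies to the new line as well, but it is phrased for "the next command" only.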
@@ -598,7 +586,7 @@ made.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 16, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 14, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>




* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
@ 2011-05-24 20:39 Sven Vermeulen
From: Sven Vermeulen @ 2011-05-24 20:39 UTC (permalink / raw
  To: gentoo-commits

commit:     3e160946c1c040608a82ccb115c198cbdbc297b2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 24 20:36:34 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 24 20:36:34 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3e160946

Update previews

---
 html/index.html                              |    5 +-
 html/index2.html                             |    5 +-
 html/roadmap.html                            |  590 +++++++++++---------------
 html/selinux-policy.html                     |    7 +-
 html/selinux/hb-intro-enhancingsecurity.html |    4 +-
 html/selinux/index.html                      |  242 +++++++----
 html/support-state.html                      |  264 ++++++++++++
 7 files changed, 676 insertions(+), 441 deletions(-)

diff --git a/html/index.html b/html/index.html
index 9f5561b..8cbf79a 100644
--- a/html/index.html
+++ b/html/index.html
@@ -271,6 +271,9 @@ GNU Stack Quickstart
               <li>
                 <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook</a>
               </li>
+              <li>
+                <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
+              </li>
             </ul>
           </li>
         </ul>
@@ -287,7 +290,7 @@ GNU Stack Quickstart
           </tr>
           <tr>
             <td class="tableinfo">hardened</td>
-            <td class="tableinfo">battousai, blueness, chainsaw, dragonheart, gengor, nixnut, pebenito, solar, zorry</td>
+            <td class="tableinfo">battousai, blueness, chainsaw, dragonheart, gengor, klondike, nixnut, pebenito, solar, zorry</td>
             <td class="tableinfo">Hardened Gentoo project packages and policy</td>
           </tr>
           <tr>

diff --git a/html/index2.html b/html/index2.html
index 883f517..1f8776e 100644
--- a/html/index2.html
+++ b/html/index2.html
@@ -240,6 +240,9 @@ GNU Stack Quickstart</a>
               <li>
                 <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook</a>
               </li>
+              <li>
+                <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
+              </li>
             </ul>
           </li>
         </ul>
@@ -256,7 +259,7 @@ GNU Stack Quickstart</a>
           </tr>
           <tr>
             <td class="tableinfo">hardened</td>
-            <td class="tableinfo">battousai, blueness, chainsaw, dragonheart, gengor, nixnut, pebenito, solar, zorry</td>
+            <td class="tableinfo">battousai, blueness, chainsaw, dragonheart, gengor, klondike, nixnut, pebenito, solar, zorry</td>
             <td class="tableinfo">Hardened Gentoo project packages and policy</td>
           </tr>
           <tr>

diff --git a/html/roadmap.html b/html/roadmap.html
index e2d38b8..1f74223 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -11,395 +11,295 @@
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
 <title>Gentoo Linux Documentation
 --
-  Hardened Gentoo Roadmap</title>
+  Gentoo Hardened Roadmap</title>
 </head>
 <body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
 <tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
 <tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
 <td width="99%" class="content" valign="top" align="left">
-<br><h1>Hardened Gentoo Roadmap</h1>
+<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
+    This document is a work in progress and should not be considered official yet.
+  </p></td></tr></table>
+<br><h1>Gentoo Hardened Roadmap</h1>
 <form name="contents" action="http://www.gentoo.org">
 <b>Content</b>:
-        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Where the Hardened Gentoo Project Is Today</option>
-<option value="#doc_chap2">2. Short-Term Goals</option>
-<option value="#doc_chap3">3. Long-Term Goals</option>
-<option value="#doc_chap4">4. Roadmap Tracking</option></select>
+        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Vision</option>
+<option value="#doc_chap2">2. Strategy</option>
+<option value="#doc_chap3">3. Documentation Goals and Milestones</option>
+<option value="#doc_chap4">4. Hardened Toolchain Goals and Milestones</option>
+<option value="#doc_chap5">5. grSecurity Goals and Milestones</option>
+<option value="#doc_chap6">6. SELinux Goals and Milestones</option></select>
 </form>
 <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
-            </span>Where the Hardened Gentoo Project Is Today</p>
+            </span>Vision</p>
 <p>
-The Hardened Gentoo herd lost many developer in the past years. The toolchain
-was stuck on GCC 3.4.X for a long time but we have started to catch up, and the
-hardened-sources also needed to be brought up to date. The documentation is
-being updated slowly and still needs a lot of work. We also need bug-wranglers
-that help us with fixing bugs.
+Within Gentoo Linux, the Gentoo Hardened project wants to be a shepherd for all
+security oriented projects. The project wants to make Gentoo viable for highly
+secure, high stability production environments. 
 </p>
 <p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
-            </span>Short-Term Goals</p>
-<p class="secthead"><a name="doc_chap2_sect1">Hardened Toolchain</a></p>
+            </span>Strategy</p>
+<p class="secthead"><a name="doc_chap2_sect1">Introduction</a></p>
 <p>
-Now is the time to take a step back and examine the work that has been done so
-far. A review of the current approach that the hardened toolchain takes is
-needed. There may be ways to strengthen the current implementation or areas of
-code that can be cleaned up to allow changes to be pushed upstream easier.
+In order to succesfully strive towards our vision, Gentoo Hardened aims to
+provide subprojects that test, develop, enhance, implement and integrate 
+specific security measures in Gentoo Linux. Although each of these projects has
+operational responsibilities (after all, the technologies that they support are
+used by users all around) they continue to research and develop, making Gentoo
+Linux even better than it is today.
 </p>
 <p>
-As a side effect of the previous hardened toolchain, many ebuilds currently
-filter hardened CFLAGS such as -fPIE and -fstack-protector. Work will also be
-dedicated to reviewing those packages and seeking alternate solutions for the
-filters.
+The direction that each of these projects is heading towards is described in
+their <span class="emphasis">roadmap</span>, a combination of strategic directions and shorter term
+milestones. These roadmaps are combined in this very document, allowing users to
+get a general overview of where Gentoo Hardened is evolving towards.
 </p>
-<p class="secthead"><a name="doc_chap2_sect2">Access Control Systems</a></p>
-<p><b>Grsecurity</b></p>
+<p class="secthead"><a name="doc_chap2_sect2">Documentation</a></p>
 <p>
-Documents regarding Grsecurity are currently a major need for Gentoo.
+Documentation is Gentoo Hardened's first asset that users come in contact with.
+It is important that Gentoo Hardened's documentation is well structured, easily
+accessible and correctly written. Although we currently focus on technically
+educated users and system administrators, this focus should not lower our
+responsibility of creating the necessary documents to guide new users in Gentoo
+Hardened's realms.
 </p>
-<ul>
-<li>
-The existing Grsecurity2 document needs to be converted to Handbook XML.
-</li>
-<li>
-We are working on a document describing the features on PAX and Grsecurity.
-</li>
-<li>
-Also, a document describing the RBAC system in more detail is needed.
-</li>
-<li>
-Finally we are working on keeping the hardened kernel sources up to date.
-</li>
-</ul>
-<p><b>SELinux</b></p>
+<p class="secthead"><a name="doc_chap2_sect3">Vulnerability Mitigation</a></p>
 <p>
-Currently the project supports x86 and AMD64 so support for other architectures
-has to be handled by upstream except when the issues can also be reproduced in
-any of those architectures. Aside work is being done in the following areas:
+Users use a <span class="emphasis">toolchain</span>, a set of libraries and tools like compilers,
+linkers and more, to build their systems with. To fight potential
+vulnerabilities and future exploits, Gentoo Hardened maintains a toolchain that
+supports additional security-enhancing features like SSP, PIE and PIC.
+Our focus is to enhance and maintain this toolchain and help the integration of
+these security-enhancing patchsets within the upstream communities so that the
+benefits are available for all Linux users.
 </p>
-<ul>
-<li>
-Strengthen and extend current policies.
-</li>
-<li>
-Extend support to more architectures.
-</li>
-<li>
-Policy module support.
-</li>
-<li>
-Additional Daemon Policies.
-</li>
-<li>
-Updated documentation.
-</li>
-</ul>
-<p><b>RSBAC</b></p>
 <p>
-We need a new maintainer here so if you think you qualify as it feel free to
-contact us.
+Yet toolchains are not the only method where risks can be reduced. Specific
+patch sets that enhance Linux' security-related capabilities exist, such as
+PAX, that help users mitigate the risk of succesful exploitation of
+vulnerabilities. Gentoo Hardened positions and integrates these patches in the
+distribution.
 </p>
-<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
-            </span>Long-Term Goals</p>
-<p class="secthead"><a name="doc_chap3_sect1">Documentation</a></p>
+<p class="secthead"><a name="doc_chap2_sect4">Access Control</a></p>
 <p>
-The Hardened Gentoo Project is currently very lacking in documentation. The
-hardened toolchain needs to be documented fully, and older documents that have a
-relationship to the  toolchain need to be updated, such as the SSP, PIE, and PIC
-documents. Also, comparative documents should be written to explain the choices
-that Hardened Gentoo has made in deciding which security tools to support and
-which not to support.
+Although definitely not the only security component of a system, proper access
+control is a prerequisite for a safer environment. Within Gentoo Hardened,
+support of proper access control systems is important, and reflected in our
+choices of enhanced development of SELinux, grSecurity RSBAC and more.
 </p>
-<p class="secthead"><a name="doc_chap3_sect2">Support More Architectures</a></p>
+<p class="secthead"><a name="doc_chap2_sect5">Architecture Support</a></p>
 <p>
-A long-term goal of the Hardened Gentoo Project is to support all of the
-architectures that are officially supported by Gentoo. The only strong support
-that exists at the moment is for  x86 and amd64.
+The current primary development activities take place within the popular and
+commodity architectures x86 and amd64 (x86_64). Yet many other architectures
+exist, especially within the server and embedded/mobile environments. These
+architectures need to be properly supported as well.
 </p>
+<p class="secthead"><a name="doc_chap2_sect6">Staffing</a></p>
 <p>
-The hardened toolchain supports x86, amd64, ppc, ppc64, arm, ia64 and would like
-to extend support to sparc and similar architectures. With access to different
-kinds of hardware,  hardened support can slowly be extended to those
-architectures as well.
+In order to sustain or even grow our research and development pace and keep
+supporting operational tasks and help out users, the Gentoo Hardened team is
+always looking for fresh blood. Users who take a proactive approach to finding
+places for improvement and filling in the holes should and will be noticed and
+probably recruited. Yet recruitment is not mandatory to help out our project. 
+The necessary resources are put in place to let contributors efficiently help 
+out the project.
 </p>
-<p class="secthead"><a name="doc_chap3_sect3">Expand the Hardened Team</a></p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+            </span>Documentation Goals and Milestones</p>
+<p class="secthead"><a name="doc_chap3_sect1">Current State</a></p>
 <p>
-There will always be unfinished tasks for the Hardened Team. Users who take a
-proactive approach to finding places for improvement and filling in the holes
-will be noticed and probably recruited. Current Hardened Team members will be
-responsible for training new developers to fill new roles. If you are interested
-in helping out, stop by the IRC channel and let someone know what you are
-interested in and what you will be doing about it.
+The Gentoo Hardened project is currently lagging behind a bit on documentation.
+Recent upstaffing and contributions have helped this out, but we still need to
+focus on the toolchain documentation (both toolchain-specific documentation
+as wel as documents that relate to the toolchain) such as SSP, PIE and PIC
+information.
 </p>
 <p>
-Input/peer review should always be welcome as it helps everyone out in the long
-run.
+Also, comparative documents should be written to explain the choices that Gentoo
+Hardened has made, such as tool selection.
 </p>
-<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
-            </span>Roadmap Tracking</p>
-<p class="secthead"><a name="doc_chap4_sect1">Hardened Toolchain</a></p>
-<table class="ntable">
-  <tr>
-    <td class="infohead"><b>Description</b></td>
-<td class="infohead"><b>Coordinator(s)</b></td>
-<td class="infohead"><b>Status</b></td>
-  </tr>
-  <tr>
-    <td class="tableinfo">x86 Support</td>
-<td class="tableinfo">zorry</td>
-<td class="tableinfo">Complete</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">amd64 Support</td>
-<td class="tableinfo">zorry</td>
-<td class="tableinfo">Complete</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">sparc32 Support</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">sparc64 Support</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">ppc Support</td>
-<td class="tableinfo">nixnut,zorry,blueness</td>
-<td class="tableinfo">Complete</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">ppc64 Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">Complete</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">s390 Support</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">hppa Support</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Not supported</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">arm Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">In progress</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">mips Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">In progress</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">ia64 Support</td>
-<td class="tableinfo">zorry,blueness</td>
-<td class="tableinfo">Complete</td>
-  </tr>
-</table>
-<p class="secthead"><a name="doc_chap4_sect2">Hardened GCC</a></p>
-<table class="ntable">
-  <tr>
-    <td class="infohead"><b>GCC version</b></td>
-<td class="infohead"><b>Support PIE</b></td>
-<td class="infohead"><b>Support SSP</b></td>
-<td class="infohead"><b>Arch</b></td>
-  </tr>
-  <tr>
-    <td class="tableinfo">3.6.X</td>
-<td class="tableinfo">Yes</td>
-<td class="tableinfo">Yes</td>
-<td class="tableinfo">x86 amd64</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">4.3.X</td>
-<td class="tableinfo">Yes</td>
-<td class="tableinfo">Yes</td>
-<td class="tableinfo">x86 amd64</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">4.4.X</td>
-<td class="tableinfo">Yes</td>
-<td class="tableinfo">Yes</td>
-<td class="tableinfo">x86 amd64 arm ppc ppc64 ia64</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">4.5.X</td>
-<td class="tableinfo">Yes</td>
-<td class="tableinfo">Yes</td>
-<td class="tableinfo">x86 amd64 arm ppc ppc64 ia64</td>
-  </tr>
-</table>
-<p class="secthead"><a name="doc_chap4_sect3">Hardened Toolchain</a></p>
-<table class="ntable">
-  <tr>
-    <td class="infohead"><b>Description</b></td>
-<td class="infohead"><b>Coordinator(s)</b></td>
-<td class="infohead"><b>Status</b></td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Document the feature set</td>
-<td class="tableinfo">none</td>
-<td class="tableinfo">In Progress</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Describe the RBAC system</td>
-<td class="tableinfo">none</td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Release hardened-sources-2.6.37</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">Complete</td>
-  </tr>
-</table>
-<p class="secthead"><a name="doc_chap4_sect4">Hardened Sources</a></p>
+<p class="secthead"><a name="doc_chap3_sect2">Goals and Milestones</a></p>
 <table class="ntable">
-  <tr>
-    <td class="infohead"><b>Description</b></td>
-<td class="infohead"><b>Coordinator(s)</b></td>
-<td class="infohead"><b>Status</b></td>
-  </tr>
-  <tr>
-    <td class="tableinfo">x86 Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">Complete</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">amd64 Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">Complete</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">sparc32 Support</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">sparc64 Support</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">ppc Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">In Progress</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">ppc64 Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">Complete</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">s390 Support</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">hppa Support</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Not supported</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">arm Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">In testing</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">mips Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">In testing</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">ia64 Support</td>
-<td class="tableinfo">blueness</td>
-<td class="tableinfo">Complete</td>
-  </tr>
+<tr>
+  <td class="infohead"><b>Description</b></td>
+  <td class="infohead"><b>ETA</b></td>
+  <td class="infohead"><b>Status</b></td>
+  <td class="infohead"><b>Coordinator(s)</b></td>
+  <td class="infohead"><b>Related Bugs</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">Document the Hardened Toolchain</td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-keyword">In Progress</span></td>
+  <td class="tableinfo">Zorry</td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">Comparative analysis of security approaches taken by distributions</td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">Rework grSecurity documentation</td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">Update/rewrite propolice documentation</td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"></td>
+</tr>
 </table>
-<p class="secthead"><a name="doc_chap4_sect5">SELinux</a></p>
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+            </span>Hardened Toolchain Goals and Milestones</p>
+<p class="secthead"><a name="doc_chap4_sect1">Current State</a></p>
+<p>
+Our toolchain so far has seen a tremendous evolution. Some of the integrated
+patches have been accepted upstream (like SSP), but work can still improve.
+To allow changes to be pushed upstream more easily, we might need improvements
+on the ways to strengthen the current implementation, and work on the areas of
+code that need clean-up.
+</p>
+<p>
+Our next steps are to take a step backwards and examine the work that has been
+done so far. We need to improve our existing documents, but also review the
+packages available in the Portage tree and help out the package maintainers in
+handling CFLAG filters for a hardened toolchain in a proper way.
+</p>
+<p class="secthead"><a name="doc_chap4_sect2">Goals and Milestones</a></p>
 <table class="ntable">
-  <tr>
-    <td class="infohead"><b>Description</b></td>
-<td class="infohead"><b>Coordinator(s)</b></td>
-<td class="infohead"><b>Status</b></td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Strengthen and extend the current policies</td>
-<td class="tableinfo">pebenito</td>
-    <td class="tableinfo">In Progress</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Extend support to more architectures</td>
-<td class="tableinfo">pebenito</td>
-    <td class="tableinfo">In Progress</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Policy module support</td>
-<td class="tableinfo">pebenito</td>
-    <td class="tableinfo">In Progress</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Additional Daemon Policies</td>
-<td class="tableinfo">pebenito</td>
-    <td class="tableinfo">In Progress</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Updated documentation</td>
-<td class="tableinfo">SwifT</td>
-    <td class="tableinfo">In Progress</td>
-  </tr>
+<tr>
+  <td class="infohead"><b>Description</b></td>
+  <td class="infohead"><b>ETA</b></td>
+  <td class="infohead"><b>Status</b></td>
+  <td class="infohead"><b>Coordinator(s)</b></td>
+  <td class="infohead"><b>Related Bugs</b></td>
+</tr>
+<tr>
+  <td class="infohead" colspan="5" style="text-align:center"><b>Enhance documentation</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">Document the toolchain feature set</td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-variable">In progress</span></td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">Describe the grSecurity RBAC system</td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="infohead" colspan="5" style="text-align:center"><b>Kernel development and maintenance</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">Release hardened-sources-2.6.37</td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-keyword">Done</span></td>
+  <td class="tableinfo">blueness</td>
+  <td class="tableinfo"></td>
+</tr>
 </table>
-<p class="secthead"><a name="doc_chap4_sect6">RSBAC</a></p>
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+            </span>grSecurity Goals and Milestones</p>
+<p class="secthead"><a name="doc_chap5_sect1">Current State</a></p>
+<p>
+grSecurity is well integrated within Gentoo Hardened (patch- and software wise
+as well as knowledge). However, the documentation is lagging behind a lot and
+is in need for attention.
+</p>
+<p class="secthead"><a name="doc_chap5_sect2">Goals and Milestones</a></p>
 <table class="ntable">
-  <tr>
-    <td class="infohead"><b>Description</b></td>
-<td class="infohead"><b>Coordinator(s)</b></td>
-<td class="infohead"><b>Status</b></td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Bring policy support tool to Gentoo packages.</td>
-<td class="tableinfo"></td>
-    <td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Enhance RSBAC Documentation</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
+<tr>
+  <td class="infohead"><b>Description</b></td>
+  <td class="infohead"><b>ETA</b></td>
+  <td class="infohead"><b>Status</b></td>
+  <td class="infohead"><b>Coordinator(s)</b></td>
+  <td class="infohead"><b>Related Bugs</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">
+    the existing grSecurity2 document needs to be converted to Handbook XML
+  </td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">
+    the features of PAX and grSecurity need to be described and documented
+  </td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">
+    the RBAC system needs to be covered documentation-wise in much more detail
+  </td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"><span class="code-comment">Unassigned</span></td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo"></td>
+</tr>
 </table>
-<p class="secthead"><a name="doc_chap4_sect7">Documentation</a></p>
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+            </span>SELinux Goals and Milestones</p>
+<p class="secthead"><a name="doc_chap6_sect1">Current State</a></p>
+<p>
+The Gentoo Hardened SELinux state is, within the ~arch branches, up to date and
+fully supported (except MCS/MLS which is not supported yet). The documentation
+is being updated as the state evolves, but can still improve. 
+</p>
+<p class="secthead"><a name="doc_chap6_sect2">Goals and Milestones</a></p>
 <table class="ntable">
-  <tr>
-    <td class="infohead"><b>Description</b></td>
-<td class="infohead"><b>Coordinator(s)</b></td>
-<td class="infohead"><b>Status</b></td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Comparative analysis of security approaches taken by distributions.</td>
-    <td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Rework Grsecurity Documentation</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Update/Rewrite Propolice Documentation</td>
-<td class="tableinfo"></td>
-<td class="tableinfo">Unassigned</td>
-  </tr>
-  <tr>
-    <td class="tableinfo">Document the Hardened Toolchain</td>
-<td class="tableinfo">zorry</td>
-<td class="tableinfo">In Progress</td>
-  </tr>
+<tr>
+  <td class="infohead"><b>Description</b></td>
+  <td class="infohead"><b>ETA</b></td>
+  <td class="infohead"><b>Status</b></td>
+  <td class="infohead"><b>Coordinator(s)</b></td>
+  <td class="infohead"><b>Related Bugs</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">Stabilize the userland tools and libraries</td>
+  <td class="tableinfo">2011-05-24</td>
+  <td class="tableinfo"><span class="code-variable">Slight delay</span></td>
+  <td class="tableinfo">blueness, SwifT</td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">
+    Stabilize the ~arch SELinux policies based on 2.20101213 upstream branch
+  </td>
+  <td class="tableinfo">2011-06-07</td>
+  <td class="tableinfo"><span class="code-keyword">On track</span></td>
+  <td class="tableinfo">blueness, SwifT</td>
+  <td class="tableinfo"><a href="https://bugs.gentoo.org/368199">#368199</a></td>
+</tr>
+<tr>
+  <td class="tableinfo">Stabilize the new SELinux profile structure</td>
+  <td class="tableinfo">2011-06-28</td>
+  <td class="tableinfo"><span class="code-keyword">On track</span></td>
+  <td class="tableinfo">blueness</td>
+  <td class="tableinfo"><a href="https://bugs.gentoo.org/365483">#365483</a></td>
+</tr>
 </table>
 <br><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated February 2, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 22, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
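Review bot: the rewritten tables carry content problems that should be fixed in roadmap.xml (this HTML is generated from it, see the Print link) rather than patched here. The RBAC documentation item is listed twice, as "Describe the grSecurity RBAC system" under Hardened Toolchain (chapter 4) and as "the RBAC system needs to be covered documentation-wise in much more detail" under grSecurity (chapter 5), and the "Release hardened-sources-2.6.37" kernel milestone sits in the toolchain chapter although it is kernel work that belongs with grSecurity. The Strategy text still names RSBAC ("SELinux, grSecurity RSBAC and more", comma missing after grSecurity) while every RSBAC goal from the old tracking section (policy support tool, documentation, the call for a maintainer) is dropped without replacement. The per-architecture toolchain and hardened-sources support tables and the GCC PIE/SSP matrix are removed as well; that is fine only if the new html/support-state.html from the diffstat now carries them, so please say so in the commit message. Status cells use three styles for the same meaning ("In Progress" as code-keyword, "In progress" as code-variable, "Done" and "On track" as code-keyword); pick one vocabulary and one class per state. Spelling in the added prose: "succesfully" should be "successfully", "succesful" should be "successful", "as wel as" should be "as well as", and "Linux' security-related" should be "Linux's security-related"; several added lines also end in trailing whitespace.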

diff --git a/html/selinux-policy.html b/html/selinux-policy.html
index f9af9d5..e7ce30a 100644
--- a/html/selinux-policy.html
+++ b/html/selinux-policy.html
@@ -11,16 +11,13 @@
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
 <title>Gentoo Linux Documentation
 --
-  Gentoo Hardened SELinux Policy</title>
+  Gentoo Hardened SELinux Development Policy</title>
 </head>
 <body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
 <tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
 <tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
 <td width="99%" class="content" valign="top" align="left">
-<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
-    This document is a work in progress and should not be considered official yet.
-  </p></td></tr></table>
-<br><h1>Gentoo Hardened SELinux Policy</h1>
+<br><h1>Gentoo Hardened SELinux Development Policy</h1>
 <form name="contents" action="http://www.gentoo.org">
 <b>Content</b>:
         <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Principles</option>
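Review bot: removing the work-in-progress disclaimer promotes this document to official status, but unlike roadmap.html and selinux/hb-intro-enhancingsecurity.html in this commit the hunk does not touch the sidebar "Updated ..." date; please bump it in the XML source so readers can see the policy was revised, and check that nothing still links to or cites the page under its old title "Gentoo Hardened SELinux Policy".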

diff --git a/html/selinux/hb-intro-enhancingsecurity.html b/html/selinux/hb-intro-enhancingsecurity.html
index 53ac9ef..1f39ee7 100644
--- a/html/selinux/hb-intro-enhancingsecurity.html
+++ b/html/selinux/hb-intro-enhancingsecurity.html
@@ -170,7 +170,7 @@ Next to the kernel support and labels assigned to the resources and support
 within the authorization system, SELinux also requires particular tools to
 support the SELinux features. Examples are administrative tools to view and
 manipulate labels, privilege management tools (like <span class="code" dir="ltr">sudo</span>), system
-services (like HAL or SysVInit) etc. This is reflected in a set of patches
+services (like SysVInit) etc. This is reflected in a set of patches
 against these (and more) tools which are not always part of the applications'
 main source code.
 </p>
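Review bot: with HAL removed the sentence reads "services (like SysVInit) etc.", a single example followed by "etc."; either name a second SELinux-aware service or drop "etc." so the enumeration reads cleanly.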
@@ -201,7 +201,7 @@ run and manage a SELinux hardened Gentoo system.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated January 10, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 25, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>

diff --git a/html/selinux/index.html b/html/selinux/index.html
index e1de71a..1cd3b3f 100644
--- a/html/selinux/index.html
+++ b/html/selinux/index.html
@@ -22,47 +22,62 @@
 <b>Content</b>:
         <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Project Description</option>
 <option value="#doc_chap2">2. Project Goals</option>
-<option value="#doc_chap3">3. What is SELinux?</option>
-<option value="#doc_chap4">4. Developers</option>
-<option value="#doc_chap5">5. Contributors</option>
-<option value="#doc_chap6">6. Subprojects</option>
-<option value="#doc_chap7">7. Resources</option>
-<option value="#doc_chap8">8. How Do I Use This?</option>
-<option value="#doc_chap9">9. I Want to Participate</option></select>
+<option value="#doc_chap3">3. Developers</option>
+<option value="#doc_chap4">4. Contributors</option>
+<option value="#doc_chap5">5. Subprojects</option>
+<option value="#doc_chap6">6. Resources</option>
+<option value="#doc_chap7">7. Roadmap</option>
+<option value="#doc_chap8">8. I Want to Participate</option></select>
 </form>
 <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
             </span>Project Description</p>
 <p>
-	This project manages SELinux support in Gentoo.  This includes providing
-	kernels with SELinux support, providing patches to userland utilities, writing
-	strong Gentoo-specific default profiles, and deploying policies from Portage.
+This project manages SELinux support in Gentoo.  This includes providing
+kernels with SELinux support, providing patches to userland utilities, writing
+strong Gentoo-specific default profiles, and maintaining a good default set of
+policies.
 </p>
-<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
-            </span>Project Goals</p>
 <p>
-  The intention of the project is to make SELinux available to more users, and
-  improving its integration.
-  Policy should be available for common daemons, and files merged in from Portage
-  should have the correct file context.  Currently we only work on servers, but
-  desktops will be supported in the future.
+<a href="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced
+Linux</a> (SELinux) is a Mandatory Access Control system using type
+enforcement and role-based access control. It is integrated within Linux as a 
+<a href="http://lsm.immunix.org/">Linux Security Module</a> (LSM) 
+implementation. In addition to the kernel portion, SELinux consists of a library
+(libselinux) and userland utilities for compiling policy (checkpolicy), and loading
+policy (policycoreutils), in addition to other user programs.
 </p>
-<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
-            </span>What is SELinux?</p>
 <p>
-  <a href="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced
-  Linux</a> (SELinux) is a system of mandatory access control using type
-  enforcement and role-based access control. It is implemented as a <a href="http://lsm.immunix.org/">Linux Security Module</a> (LSM). In addition
-  to the kernel portion, SELinux consists of a library (libselinux) and userland
-  utilities for compiling policy (checkpolicy), and loading policy
-  (policycoreutils), in addition to other user programs.
+One common misconception is that SELinux is a complete security solution. It is
+not.  SELinux only provides access control on system objects.  It can work well
+with other Hardened projects, such as PaX, for a more complete solution.
 </p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+            </span>Project Goals</p>
 <p>
-  One common misconception is that SELinux is a complete security solution,
-  however, it is not.  SELinux only provides one piece of a security
-  solution.  It can work well with other Hardened projects, such as PaX,
-  for a more complete solution.
+Our goal is to make SELinux (with Gentoo Hardened) available to more users.
+As a result, we
 </p>
-<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
+<ul>
+  <li>
+    develop, improve and maintain the proper documentation and learning
+    material for end users to master SELinux
+  </li>
+  <li>
+    maintain a stable yet progressive set of userland tools that are needed
+    to interoperate with SELinux on a Linux system (such as the core utilities,
+    libselinux and more)
+  </li>
+  <li>
+    focus on the integration of SELinux and SELinux-awareness within the Gentoo
+    distribution, offering the necessary feedback on Portage and other utilities
+  </li>
+  <li>
+    develop, improve and maintain a good and secure default policy, based on the
+    reference policy, so that end users have no difficulties working with and
+    enhancing SELinux within their environment
+  </li>
+</ul>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
             </span>Developers</p>
 <table class="ntable">
           <tr>
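Review bot: two of the added lines in the new SELinux description end with trailing whitespace ("integrated within Linux as a " and "Linux Security Module</a> (LSM) "); trim them so the generated HTML stays clean. In the same hunk the Project Goals paragraph stops at "As a result, we" and the sentence is completed by the four <ul> items; that renders fine, but the items carry no terminal punctuation, so a full stop on the last item (or a consistent comma/semicolon pattern) would make the list read as one sentence.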
@@ -77,19 +92,17 @@
           </tr>
           <tr>
             <td class="tableinfo"></td>
-            <td class="tableinfo">blueness
-</td>
+            <td class="tableinfo">blueness</td>
             <td class="tableinfo">Policy development, Proxy (non developer contributors)</td>
           </tr>
         </table>
 <p>
        All developers can be reached by e-mail using <span class="code" dir="ltr">nickname@gentoo.org</span>.
       </p>
-<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
+<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
             </span>Contributors</p>
 <p>
-The following people although non-developer is actively contributing with the
-project:
+The following people, although non-developer, are actively contributing to the project:
 </p>
 <table class="ntable">
 <tr>
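Review bot: grammar in the rewritten Contributors sentence: "although non-developer" does not agree with the plural "people"; suggest "The following people, although not Gentoo developers, are actively contributing to the project:".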
@@ -108,7 +121,7 @@ project:
 <td class="tableinfo">Documentation writing, policy development, support</td>
 </tr>
 </table>
-<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
+<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
             </span>Subprojects</p>
 <p>The SELinux
 			project has the following subprojects:
@@ -120,98 +133,153 @@ project:
             <td class="infohead"><b>Description</b></td>
           </tr>
           <tr>
-            <td class="tableinfo">Base Policy</td>
+            <td class="tableinfo">Policy</td>
             <td class="tableinfo">pebenito</td>
             <td class="tableinfo">
-  SELinux policy for the core system, including users, administrators, and
-  daemons in the system profile.
+Develop and maintain a secure, default set of policies for the system, including
+user and role definitions, service policies and application policies.
 </td>
           </tr>
           <tr>
-            <td class="tableinfo">Daemon Policy</td>
+            <td class="tableinfo">Userland</td>
             <td class="tableinfo">pebenito</td>
             <td class="tableinfo">
-  SELinux policies for common daemons.
+Develop and maintain the packages for SELinux userland utilities and libraries,
+including SELinux-aware patches for more general applications and libraries.
 </td>
           </tr>
           <tr>
-            <td class="tableinfo">x86</td>
+            <td class="tableinfo">Kernel</td>
             <td class="tableinfo">pebenito</td>
             <td class="tableinfo">
-  Support for the x86 architecture.
+Integrate, improve and maintain SELinux patches in the Linux kernel for Gentoo
+Hardened.
 </td>
           </tr>
           <tr>
-            <td class="tableinfo">AMD64</td>
+            <td class="tableinfo">Documentation</td>
             <td class="tableinfo">pebenito</td>
             <td class="tableinfo">
-  Support for the AMD64 (x86-64) architecture.
+Develop and maintain SELinux documentation specific to the Gentoo distribution
 </td>
           </tr>
         </table>
-<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
             </span>Resources</p>
 <p>Resources offered by the
 			SELinux
 			project are:</p>
 <ul>
           <li>
-            <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook</a>
+            <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (including installation)</a>
           </li>
           <li>
             <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
           </li>
+          <li>
+            <a href="selinux-development.html">Gentoo Hardened SELinux Development</a>
+          </li>
+          <li>
+            <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
+          </li>
         </ul>
-<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
-            </span>How Do I Use This?</p>
+<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+            </span>Roadmap</p>
 <p>
-  SELinux can be installed on a new system by following the above install guide.
+The following table depics the roadmap we have in mind for the Gentoo Hardened
+SELinux project:
 </p>
-<p class="chaphead"><a name="doc_chap9"></a><span class="chapnum">9.
+<table class="ntable">
+<tr>
+  <td class="infohead"><b>Milestone</b></td>
+  <td class="infohead"><b>Progress</b></td>
+  
+  <td class="infohead"><b>Description</b></td>
+  <td class="infohead"><b>ETA</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">Userland stabilization</td>
+  <td class="tableinfo"><span class="code-keyword">on track</span></td>
+  <td class="tableinfo">
+    Stabilize the SELinux userland utilities currently available in ~arch.
+    These utilities (and libraries) are needed to cover recent SELinux policies
+    and improve user experience within Gentoo Hardened SELinux
+  </td>
+  <td class="tableinfo">
+    2011-05-24
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">Policy stabilization</td>
+  <td class="tableinfo"><span class="code-keyword">on track</span></td>
+  <td class="tableinfo">
+    Stabilize the SELinux policies based on upstream 2.20101213. The current
+    stable policies are not compatible with the current Gentoo stable state
+    (such as openrc support, networking/wireless and more.)
+  </td>
+  <td class="tableinfo">
+    2011-06-07
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">Profile stabilization</td>
+  <td class="tableinfo"><span class="code-keyword">on track</span></td>
+  <td class="tableinfo">
+    Stabilize the restructured Gentoo SELinux profiles. The existing profiles
+    have proved to be a bit more daunting to manage whereas the new profiles are
+    made to be flexible yet simple to maintain.
+  </td>
+  <td class="tableinfo">
+    2011-06-28
+  </td>
+</tr>
+</table>
+<p class="chaphead"><a name="doc_chap8"></a><span class="chapnum">8.
             </span>I Want to Participate</p>
 <p>
-  To participate in the SELinux project first join the mailing list at
-  <span class="code" dir="ltr">gentoo-hardened@gentoo.org</span>. Then ask if there are plans to support
-  something that you are interested in, propose a new subproject that you are
-  interested in or choose one of the planned subprojects to work on. You may talk
-  to the developers and users in the IRC channel <span class="code" dir="ltr">#gentoo-hardened</span> on
-  <span class="code" dir="ltr">irc.freenode.net</span> for more information or just to chat about the project
-  or any subprojects. If you don't have the ability to actively help by
-  contributing work we will always need testers to use and audit the SELinux
-  policies. All development, testing, feedback, and productive comments will
-  be greatly appreciated.
+To participate in the SELinux project first join the mailing list at
+<span class="code" dir="ltr">gentoo-hardened@gentoo.org</span>. Then ask if there are plans to support
+something that you are interested in, propose a new subproject that you are
+interested in or choose one of the planned subprojects to work on. You may talk
+to the developers and users in the IRC channel <span class="code" dir="ltr">#gentoo-hardened</span> on
+<span class="code" dir="ltr">irc.freenode.net</span> for more information or just to chat about the project
+or any subprojects. If you don't have the ability to actively help by
+contributing work we will always need testers to use and audit the SELinux
+policies. All development, testing, feedback, and productive comments will
+be greatly appreciated.
 </p>
-<p class="secthead"><a name="doc_chap9_sect2">Policy Submissions</a></p>
+<p class="secthead"><a name="doc_chap8_sect2">Policy Submissions</a></p>
 <p>
-  The critical component of a SELinux system is having a strong policy.  The
-  team does its best to support as many daemons as possible.  However, we cannot
-  create policies for daemons with which we are unfamiliar.  But we are happy
-  to receive policy submissions for consideration.  There are a few requirements:
+The critical component of a SELinux system is having a strong policy.  The
+team does its best to support as many daemons as possible.  However, we cannot
+create policies for daemons with which we are unfamiliar.  But we are happy
+to receive policy submissions for consideration.  There are a few requirements:
 </p>
 <ul>
-<li>
-  Make comments (in the policy and/or bug), so we can understand changes
-  from the NSA example policy.
-</li>
-<li>
-  The policy should cover common installations.  Please do not submit policies
-  for odd or nonstandard daemon configurations.
-</li>
-<li>
-  We need to know if the policy is dependent on another policy (for example
-  rpcd is dependent on portmap) other than base-policy.
-</li>
-<li>
-  An ebuild for the policy can also be submitted to help the developers
-  integrate the policy into Portage more quickly, if it is accepted.  
-  See current daemon policies in Portage for example uses of the
-  selinux-policy eclass.
-</li>
+  <li>
+    Make comments (in the policy and/or bug), so we can understand changes
+    from the Reference Policy example policy.
+  </li>
+  <li>
+    The policy should cover common installations.  Please do not submit policies
+    for odd or nonstandard daemon configurations.
+  </li>
+  <li>
+    We need to know if the policy is dependent on another policy (for example
+    rpcd is dependent on portmap) other than base-policy.
+  </li>
+  <li>
+    An ebuild for the policy can also be submitted to help the developers
+    integrate the policy into Portage more quickly, if it is accepted.  
+    See current daemon policies in Portage for example uses of the
+    selinux-policy eclass.
+  </li>
 </ul>
 <p>
-  The policy should be submitted on <a href="http://bugs.gentoo.org/">bugzilla</a>.
-  Please attach the .te and .fc files separately to the bug, not as a tarball.
-  The bug should be assigned to <span class="code" dir="ltr">selinux@gentoo.org</span>.
+The policy should be submitted on <a href="http://bugs.gentoo.org/">bugzilla</a>.
+Please attach the .te and .fc files separately to the bug, not as a tarball.
+The bug should be Cc'ed to <span class="code" dir="ltr">selinux@gentoo.org</span> and will be properly
+reassigned by the team.
 </p>
 <br><br>
 </td>
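Review bot: typo in the Roadmap introduction: "depics" should be "depicts". Smaller points in the same hunk: the roadmap table header has a whitespace-only line (a stray "+  ") between the Progress and Description cells; the Documentation subproject description lacks the terminating full stop the other three descriptions have; the Policy stabilization row closes its parenthesis after the period ("and more.)" should be "and more)."); and the policy-submission list item ending "if it is accepted." keeps trailing whitespace.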

diff --git a/html/support-state.html b/html/support-state.html
new file mode 100644
index 0000000..45c51bd
--- /dev/null
+++ b/html/support-state.html
@@ -0,0 +1,264 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+  Gentoo Hardened Support State</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
+    This document is a work in progress and should not be considered official yet.
+  </p></td></tr></table>
+<br><h1>Gentoo Hardened Support State</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Support Matrices</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+            </span>Introduction</p>
+<p>
+The Gentoo Hardened project aims to support as many platforms as possible.
+However, this aim is restrained as we do not have access to as many platforms
+that we want (nor do we have the resources to work on all these platforms). As a
+result, support for the individual subprojects becomes limited to those
+platforms that we have access and resources to.
+</p>
+<p>
+This document gives an overview of the supported platforms and, if necessary,
+elaborates on the specific requirements in order to work with one of Gentoo
+Hardened's subprojects. Note that each subproject has its own support matrix,
+based on upstream support (which platforms are supported by the technology) and
+Gentoo Hardened (for which platforms can we run tests and validate users'
+reports and feedback).
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+            </span>Support Matrices</p>
+<p class="secthead"><a name="doc_chap2_sect1">Hardened Toolchain</a></p>
+<table class="ntable">
+<tr>
+  <td class="infohead"><b>Architecture</b></td>
+  <td class="infohead"><b>Support</b></td>
+  <td class="infohead"><b>Additional notes</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">x86</td>
+  <td class="tableinfo"><span class="code-keyword">In place</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">amd64 / x86_64</td>
+  <td class="tableinfo"><span class="code-keyword">In place</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">ppc</td>
+  <td class="tableinfo"><span class="code-keyword">In place</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">ppc64</td>
+  <td class="tableinfo"><span class="code-keyword">In place</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">ia64</td>
+  <td class="tableinfo"><span class="code-keyword">In place</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">arm</td>
+  <td class="tableinfo"><span class="code-variable">In progress</span></td>
+  <td class="tableinfo">Contact blueness for more information</td>
+</tr>
+<tr>
+  <td class="tableinfo">mips</td>
+  <td class="tableinfo"><span class="code-variable">In progress</span></td>
+  <td class="tableinfo">Contact blueness for more information</td>
+</tr>
+<tr>
+  <td class="tableinfo">sparc32</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">sparc64</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">s390</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">hppa</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect2">grSecurity (incl. PAX)</a></p>
+<table class="ntable">
+<tr>
+  <td class="infohead"><b>Architecture</b></td>
+  <td class="infohead"><b>Support</b></td>
+  <td class="infohead"><b>Additional notes</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">x86</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">amd64 / x86_64</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">ppc</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">ppc64</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">ia64</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">arm</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">mips</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">sparc32</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">sparc64</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">s390</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">hppa</td>
+  <td class="tableinfo"><span class="code-constant">Yet to be determined</span></td>
+  <td class="tableinfo"></td>
+</tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect3">SELinux</a></p>
+<table class="ntable">
+<tr>
+  <td class="infohead"><b>Architecture</b></td>
+  <td class="infohead"><b>Support</b></td>
+  <td class="infohead"><b>Additional notes</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">x86</td>
+  <td class="tableinfo"><span class="code-keyword">In place</span></td>
+  <td class="tableinfo">Still ~arch for the time being</td>
+</tr>
+<tr>
+  <td class="tableinfo">amd64 / x86_64</td>
+  <td class="tableinfo"><span class="code-keyword">In place</span></td>
+  <td class="tableinfo">Still ~arch for the time being</td>
+</tr>
+<tr>
+  <td class="tableinfo">ppc</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">ppc64</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">ia64</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">arm</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">mips</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">sparc32</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">sparc64</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">s390</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+<tr>
+  <td class="tableinfo">hppa</td>
+  <td class="tableinfo"><span class="code-comment">Unsupported</span></td>
+  <td class="tableinfo"></td>
+</tr>
+</table>
+<br><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 25, 2011</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+The support state of the Gentoo Hardened project describes the supported
+platforms, setups and additional requirements for each of the subprojects
+involved. 
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+  <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+        </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
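Review bot: the printer-friendly link in the sidebar of the new support-state.html points at roadmap.xml?style=printable (carried over from roadmap.html); for this document it should presumably be support-state.xml?style=printable. Also in this file: the introduction's "we do not have access to as many platforms that we want" should read "as many platforms as we want", and "platforms that we have access and resources to" reads better as "platforms to which we have access and resources"; the section heading "grSecurity (incl. PAX)" should use the projects' own spelling, grsecurity and PaX; and the iframe's inline style "border:0px padding:0x" is missing a semicolon and a unit, although that looks like it comes from the shared page template rather than this document.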




* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
@ 2011-08-24 21:10 Sven Vermeulen
  0 siblings, 0 replies; 9+ messages in thread
From: Sven Vermeulen @ 2011-08-24 21:10 UTC (permalink / raw
  To: gentoo-commits

commit:     6ddaa4de2de37eadb633a9423c226b3c7983ac8b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 24 21:09:35 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 24 21:09:35 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6ddaa4de

Updates on previews

---
 html/roadmap.html                  |   49 +++++++++++++++++++----------------
 html/selinux/hb-using-install.html |    2 +-
 2 files changed, 28 insertions(+), 23 deletions(-)

diff --git a/html/roadmap.html b/html/roadmap.html
index f12a2bd..c623185 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -270,48 +270,53 @@ of the packages and improved support for MCS.
   <td class="infohead"><b>Related Bugs</b></td>
 </tr>
 <tr>
-  <td class="tableinfo">Stabilize the userland tools and libraries</td>
-  <td class="tableinfo">2011-05-24</td>
+  <td class="tableinfo">Add support for MCS (driver is virtualization)</td>
+  <td class="tableinfo">2011-08-15</td>
   <td class="tableinfo">Done</td>
-  <td class="tableinfo">blueness, SwifT</td>
+  <td class="tableinfo">SwifT</td>
   <td class="tableinfo"></td>
 </tr>
 <tr>
-  <td class="tableinfo">
-    Stabilize the ~arch SELinux policies based on 2.20101213 upstream branch
-  </td>
-  <td class="tableinfo">2011-06-07</td>
+  <td class="tableinfo">Stabilize the new SELinux profile structure</td>
+  <td class="tableinfo">2011-08-20</td>
   <td class="tableinfo">Done</td>
   <td class="tableinfo">blueness, SwifT</td>
-  <td class="tableinfo"></td>
+  <td class="tableinfo"><a href="https://bugs.gentoo.org/365483">#365483</a></td>
 </tr>
 <tr>
-  <td class="tableinfo">Improve QA on SELinux packages (f.i. migrate patchbundles away from filesdir)</td>
-  <td class="tableinfo">2011-07-18</td>
-  <td class="tableinfo">Done</td>
-  <td class="tableinfo">blueness, SwifT</td>
+  <td class="tableinfo">Merge 20110726 policies in ~arch</td>
+  <td class="tableinfo">2011-08-28</td>
+  <td class="tableinfo">Busy</td>
+  <td class="tableinfo">SwifT</td>
   <td class="tableinfo"></td>
 </tr>
 <tr>
-  <td class="tableinfo">Stabilize the new SELinux profile structure</td>
-  <td class="tableinfo">2011-08-01</td>
-  <td class="tableinfo">In progress</td>
-  <td class="tableinfo">blueness, SwifT</td>
-  <td class="tableinfo"><a href="https://bugs.gentoo.org/365483">#365483</a></td>
+  <td class="tableinfo">Stabilize the 20110727 userland tools and libraries</td>
+  <td class="tableinfo">2011-09-30</td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo">SwifT</td>
+  <td class="tableinfo"></td>
 </tr>
 <tr>
-  <td class="tableinfo">Add support for MCS (driver is virtualization)</td>
-  <td class="tableinfo">2011-08-15</td>
-  <td class="tableinfo">Done</td>
+  <td class="tableinfo">Stabilize the 20110726 policies</td>
+  <td class="tableinfo">2011-09-30</td>
+  <td class="tableinfo"></td>
   <td class="tableinfo">SwifT</td>
   <td class="tableinfo"></td>
 </tr>
+<tr>
+  <td class="tableinfo">Deprecate old profiles</td>
+  <td class="tableinfo">2011-12-01</td>
+  <td class="tableinfo"></td>
+  <td class="tableinfo">blueness</td>
+  <td class="tableinfo"></td>
+</tr>
 </table>
 <br><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated July 21, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated August 24, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
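Review bot: the three newly added milestone rows (Stabilize the 20110727 userland tools and libraries, Stabilize the 20110726 policies, Deprecate old profiles) leave the status column empty, while every other row carries "Done" or "Busy"; an explicit value such as "Planned" would keep the column meaningful. Note also that the hunk removes the two completed milestones (userland stabilization, 2011-05-24, and the QA improvement, 2011-07-18) instead of leaving them marked "Done", so the table no longer records that they happened.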
@@ -339,7 +344,7 @@ Hardened Gentoo project.
 <br><i>Contributor</i><br><br>
   <a href="mailto:blueness@gentoo.org" class="altlink"><b>Anthony G. Basile</b></a>
 <br><i>Contributor</i><br><br>
-  <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
+  <a href="mailto:swift@gentoo.org" class="altlink"><b>Sven Vermeulen</b></a>
 <br><i>Contributor</i><br></p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.

diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index 7de949c..b711d55 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -491,7 +491,7 @@ in Gentoo Hardened and as such not recommended.
 <p>
 When you have made your choice between the SELinux policy types, save
 this in your <span class="path" dir="ltr">/etc/make.conf</span> file as well. That way, Portage will 
-only install the policy modules for that SELinux type rather than both.
+only install the policy modules for that SELinux type.
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting the policy type in make.conf</p></td></tr>




* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
@ 2011-09-04 19:54 Sven Vermeulen
  0 siblings, 0 replies; 9+ messages in thread
From: Sven Vermeulen @ 2011-09-04 19:54 UTC (permalink / raw
  To: gentoo-commits

commit:     555cbf18bfca18194bfe699c67337b1f2f9030b6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Sep  4 19:53:39 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Sep  4 19:53:39 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=555cbf18

Update previews

---
 html/index.html               |   12 +++-
 html/index2.html              |   16 +++--
 html/selinux-development.html |  147 +++++++++++++++++++++--------------------
 html/selinux-policy.html      |   25 +-------
 html/selinux/index.html       |   74 ++++----------------
 5 files changed, 112 insertions(+), 162 deletions(-)

diff --git a/html/index.html b/html/index.html
index 22740ea..f85729e 100644
--- a/html/index.html
+++ b/html/index.html
@@ -269,16 +269,22 @@ GNU Stack Quickstart
         </b>
             <ul>
               <li>
-                <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (including installation)</a>
+                <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (concepts, installation, maintenance)</a>
               </li>
               <li>
                 <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
               </li>
               <li>
-                <a href="roadmap.html">Gentoo Hardened Roadmap (incl. SELinux development)</a>
+                <a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
               </li>
               <li>
-                <a href="support-state.html">Gentoo Hardened Support Matrices (incl. SELinux)</a>
+                <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
+              </li>
+              <li>
+                <a href="roadmap.html">Gentoo Hardened Roadmap (includes SELinux development)</a>
+              </li>
+              <li>
+                <a href="support-state.html">Gentoo Hardened Support Matrices (includes SELinux)</a>
               </li>
             </ul>
           </li>
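Review bot: this six-entry resource list is edited by hand in three places in this commit (html/index.html here, html/index2.html and html/selinux/index.html below), and the three copies already differ in their surrounding "Updated" dates; keep one canonical list in the XML source and include it, or at least link the other two pages to this one, so the next reshuffle does not have to be repeated three times. The entry texts themselves are fine; "includes SELinux development" / "includes SELinux" could simply read "covers SELinux".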

diff --git a/html/index2.html b/html/index2.html
index 469ee86..6ed1a19 100644
--- a/html/index2.html
+++ b/html/index2.html
@@ -98,12 +98,12 @@ Gentoo once they've been tested for security and stability by the Hardened team.
           <tr>
             <td class="tableinfo">Sven Vermeulen</td>
             <td class="tableinfo">swift</td>
-            <td class="tableinfo">Documentation, Userspace tools, Policy development</td>
+            <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td>
           </tr>
           <tr>
             <td class="tableinfo">Anthony G. Basile</td>
             <td class="tableinfo">blueness</td>
-            <td class="tableinfo">Policy development, Proxy (non developer contributors)</td>
+            <td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td>
           </tr>
           <tr>
             <td class="tableinfo">Chris PeBenito</td>
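Review bot: the new role strings put spaces inside the parentheses ("Developer ( Documentation, Userspace tools, Policy development )") and, for blueness, nest "Proxy (non developer contributors)" inside a second pair of parentheses, which is hard to read. Every row of this table is a developer, so the "Developer ( ... )" wrapper carries no information; keep the previous plain comma-separated list, or add a separate role column if developer versus contributor status really needs to be shown. "non developer" should be hyphenated as "non-developer".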
@@ -242,16 +242,22 @@ GNU Stack Quickstart</a>
         </b>
             <ul>
               <li>
-                <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (including installation)</a>
+                <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (concepts, installation, maintenance)</a>
               </li>
               <li>
                 <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
               </li>
               <li>
-                <a href="roadmap.html">Gentoo Hardened Roadmap (incl. SELinux development)</a>
+                <a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
               </li>
               <li>
-                <a href="support-state.html">Gentoo Hardened Support Matrices (incl. SELinux)</a>
+                <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
+              </li>
+              <li>
+                <a href="roadmap.html">Gentoo Hardened Roadmap (includes SELinux development)</a>
+              </li>
+              <li>
+                <a href="support-state.html">Gentoo Hardened Support Matrices (includes SELinux)</a>
               </li>
             </ul>
           </li>

diff --git a/html/selinux-development.html b/html/selinux-development.html
index b028321..1249769 100644
--- a/html/selinux-development.html
+++ b/html/selinux-development.html
@@ -132,45 +132,46 @@ Let's create the first workspace:
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
 ~$ <span class="code-input">mkdir dev/hardened</span>
 ~$ <span class="code-input">cd dev/hardened</span>
-~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r12.ebuild compile</span>
-~$ <span class="code-input">cp -r /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12/work/* .</span>
-~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r12</span>
+~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-base-policy/selinux-base-policy-2.20110726-r3.ebuild prepare</span>
+~$ <span class="code-input">cp -r /var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r3/work/refpolicy .</span>
+~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r3</span>
 </pre></td></tr>
 </table>
 <p>
-As result, you should have two or three directories in 
-<span class="path" dir="ltr">dev/hardened</span> called <span class="path" dir="ltr">refpolicy</span> and <span class="path" dir="ltr">strict</span>
-and/or <span class="path" dir="ltr">targeted</span>. The only one of interest is the
-<span class="path" dir="ltr">strict</span> and/or <span class="path" dir="ltr">targeted</span> one, depending on the policy
-type you are working with. In the remainder of the document, I'm assuming you
-work with <span class="path" dir="ltr">strict</span>.
-</p>
-<p>
-Now the <span class="path" dir="ltr">dev/hardened</span> workspace is patched with the Gentoo Hardened
-SELinux patches applicable to the base policy. Gentoo Hardened has two "flavors"
-of patches:
+As result, you now have a subdirectory called <span class="path" dir="ltr">refpolicy</span> inside
+<span class="path" dir="ltr">dev/hardened</span>. This directory contains all the SELinux policy rules
+available. Now the <span class="path" dir="ltr">dev/hardened</span> workspace is patched with the
+Gentoo Hardened SELinux patches applicable to the policy. Gentoo Hardened has
+two "flavors" of patches:
 </p>
 <ol>
   <li>
-    <span class="emphasis">Base policy patches</span> contain the patches for the SELinux modules that
-    take part of the base policy as well as all interface patches for the
-    modules
+    patches in the <span class="emphasis">patchbundle</span> contain the majority of patches
   </li>
   <li>
-    <span class="emphasis">Module-specific patches</span> that contain the permissions affecting the
+    <span class="emphasis">module patches</span> that contain the permissions affecting the
     domains and types that are defined in a single module (for instance, all
     interaction between <span class="path" dir="ltr">portage_t</span> and <span class="path" dir="ltr">portage_exec_t</span>
     or even <span class="path" dir="ltr">portage_t</span> and <span class="path" dir="ltr">portage_fetch_t</span>)
   </li>
 </ol>
 <p>
-The base policy patches are important to have available at all times. The
-module-specific ones can be added when you work with that particular module.
+When we develop changes on the SELinux policy, we currently try to put those
+changes in the patchbundle as soon as possible. Currently, the
+<span class="code" dir="ltr">selinux-base-policy</span> package is updated fast enough to hold off module
+patches and wait for a new release of <span class="code" dir="ltr">selinux-base-policy</span> (after which
+the SELinux modules themselves can just refer to the new base policy to get
+their patches).
 </p>
 <p>
+However, when the <span class="code" dir="ltr">selinux-base-policy</span> is more stable, then patches might
+be made part of the modules themselves. In that case, a <span class="emphasis">module patch</span> is
+made.
+</p>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
 Every time a new revision comes out, you'll need to clean the
 <span class="path" dir="ltr">dev/hardened</span> workspace and rebuild it.
-</p>
+</p></td></tr></table>
 <p class="secthead"><a name="doc_chap2_sect2">Add specific module files</a></p>
 <p>
 To update your policy workspace, use the same tactic as describes
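Review bot: the listing now runs "ebuild ... prepare" from a "~$" prompt, but ebuild writes into /var/tmp/portage, which on a stock install belongs to the portage user, so the first command fails before the "cp -r .../work/refpolicy ." ever runs unless the reader is root or in the portage group; say which is expected. The trailing "rm -rf /var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r3" is better written as "ebuild ... clean", which removes exactly what "prepare" created and nothing else. Switching from "compile" to "prepare" and copying only the refpolicy tree is the right call, since the workspace only needs sources. In the prose, "As result" should be "As a result", and "the selinux-base-policy package is updated fast enough to hold off module patches and wait for a new release" is hard to parse; something like "selinux-base-policy is released often enough that we prefer to wait for its next release rather than ship module patches" says what is meant.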
@@ -180,49 +181,38 @@ earlier, but now for the specific SELinux policy module package (like
 <a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Updating the dev/hardened workspace</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">ls dev/hardened/strict/policy/modules/*/postfix.te</span>
-dev/hardened/strict/policy/modules/services/postfix.te
-<span class="code-comment">                                   ^^^^^^^^</span>
-~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild compile</span>
+~$ <span class="code-input">ls dev/hardened/refpolicy/policy/modules/*/postfix.te</span>
+dev/hardened/refpolicy/policy/modules/services/postfix.te
+<span class="code-comment">                                      ^^^^^^^^</span>
+~$ <span class="code-input">ebuild /usr/portage/sec-policy/selinux-postfix/selinux-postfix-2.20110726-r1.ebuild prepare</span>
 
 <span class="code-comment"># Next, we copy the postfix.te and postfix.fc files.
 # Do NOT copy the postfix.if file (as the one available there is a stub)</span>
-~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.te \
-  dev/hardened/strict/policy/modules/services/</span>
-<span class="code-comment">                                     ^^^^^^^^</span>
-~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12/work/strict/postfix.fc \
-  dev/hardened/strict/policy/modules/services/</span>
-<span class="code-comment">                                     ^^^^^^^^</span>
-~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-postfix-2.20101213-r12</span>
-</pre></td></tr>
-</table>
-<p>
-Finally, clean up the workspace (as it contains built policies and other
-material we do not want to see in our patches)
-</p>
-<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Cleaning up the workspace</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict</span>
-~$ <span class="code-input">make clean</span>
+~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1/work/strict/postfix.te \
+  dev/hardened/refpolicy/policy/modules/services/</span>
+<span class="code-comment">                                        ^^^^^^^^</span>
+~$ <span class="code-input">cp /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1/work/strict/postfix.fc \
+  dev/hardened/refpolicy/policy/modules/services/</span>
+<span class="code-comment">                                        ^^^^^^^^</span>
+~$ <span class="code-input">rm -rf /var/tmp/portage/sec-policy/selinux-postfix-2.20110726-r1</span>
 </pre></td></tr>
 </table>
 <p class="secthead"><a name="doc_chap2_sect3">Setting up a local workspace</a></p>
 <p>
-Setting up a local workspace is easy: just copy the <span class="path" dir="ltr">dev/hardened</span>
-one:
+Setting up a local workspace (where we will create changes and generate patches
+out of later) is easy: just copy the <span class="path" dir="ltr">dev/hardened</span> one:
 </p>
-<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Setting up a local workspace</p></td></tr>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Setting up a local workspace</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
 ~$ <span class="code-input">cd dev/hardened</span>
-~$ <span class="code-input">cp -r strict strict.local/</span>
+~$ <span class="code-input">cp -r refpolicy refpolicy.local/</span>
 </pre></td></tr>
 </table>
 <p class="secthead"><a name="doc_chap2_sect4">Navigating the policy workspace</a></p>
 <p>
 The main location you will work with is
-<span class="path" dir="ltr">dev/hardened/strict.local/policy/modules</span>. This location is subdivided in
+<span class="path" dir="ltr">dev/hardened/refpolicy.local/policy/modules</span>. This location is subdivided in
 categories:
 </p>
 <dl>
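Review bot: the copy source in Code Listing 2.2 is still ".../selinux-postfix-2.20110726-r1/work/strict/postfix.te" although the base-policy workspace was just renamed from strict to refpolicy; if the module ebuild's prepare phase really still produces per-type strict/ and targeted/ directories, say so and tell targeted users to take work/targeted/, otherwise the path is stale. The hard-coded "-r1" revision will also go out of date with the next bump; an "ls /usr/portage/sec-policy/selinux-postfix/" (or "equery which selinux-postfix") step before the ebuild command would let the listing survive revisions. Dropping the former Code Listing 2.3 ("make clean") is consistent with using "prepare" instead of "compile", since nothing is built in the workspace any more.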
@@ -247,10 +237,10 @@ category!
 <p>
 Inside the categories, the modules are available using their three files
 </p>
-<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Listing the available sudo files</p></td></tr>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Listing the available sudo files</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local/policy/modules/admin</span>
+~$ <span class="code-input">cd dev/hardened/refpolicy.local/policy/modules/admin</span>
 ~$ <span class="code-input">ls sudo.*</span>
 sudo.fc    sudo.if     sudo.te
 </pre></td></tr>
@@ -260,11 +250,16 @@ sudo.fc    sudo.if     sudo.te
 To build a module, go to the location where the module code is. Then, run
 <span class="code" dir="ltr">make</span> with the development Makefile as provided by the reference policy.
 </p>
-<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.6: Building the portage module</p></td></tr>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+You can ignore warnings about duplicate interface definitions and such. That is
+because the Makefile will include both the existing interfaces as well as the
+current working directory - which of course contains the same interfaces.
+</p></td></tr></table>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Building the portage module</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local/policy/modules/admin</span>
-~$ <span class="code-input">make -f ../../../support/Makefile.devel portage.pp</span>
+~$ <span class="code-input">cd dev/hardened/refpolicy.local/policy/modules/admin</span>
+~$ <span class="code-input">make -f /usr/share/selinux/strict/include/Makefile portage.pp</span>
 </pre></td></tr>
 </table>
 <p>
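Review bot: the build command hard-codes "/usr/share/selinux/strict/include/Makefile" even though this revision removed the strict/targeted split from the workspace (refpolicy.local); a reader on a targeted policy needs /usr/share/selinux/targeted/include/Makefile, so either state once that "strict" is assumed throughout or derive the path from the policy type set in make.conf (POLICY_TYPES). The new note tells readers to ignore duplicate-interface warnings wholesale; a genuinely conflicting definition in the .if file being edited produces the same class of warning, so say which warnings are expected (duplicates of interfaces already installed under /usr/share/selinux/strict/include because the Makefile picks up both) and that any other warning is a real problem.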
@@ -275,10 +270,10 @@ You now have a <span class="path" dir="ltr">portage.pp</span> file available whi
 <p>
 If you want to build the base policy, run <span class="code" dir="ltr">make base</span>.
 </p>
-<a name="doc_chap2_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.7: Building the base policy</p></td></tr>
+<a name="doc_chap2_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.6: Building the base policy</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local</span>
+~$ <span class="code-input">cd dev/hardened/refpolicy.local</span>
 ~$ <span class="code-input">make base</span>
 </pre></td></tr>
 </table>
@@ -1053,9 +1048,9 @@ are best generated from the <span class="path" dir="ltr">policy/modules</span> l
 <a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: Example generating patch for modular changes</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local/policy/modules</span>
-~$ <span class="code-input">diff -ut ../../../strict/policy/modules/services/openct.te services/openct.te</span>
---- ../../../../strict/policy/modules/services/openct.te   2011-04-22 23:28:17.932918002 +0200
+~$ <span class="code-input">cd dev/hardened/refpolicy.local/policy/modules</span>
+~$ <span class="code-input">diff -ut ../../../refpolicy/policy/modules/services/openct.te services/openct.te</span>
+--- ../../../../refpolicy/policy/modules/services/openct.te   2011-04-22 23:28:17.932918002 +0200
 +++ services/openct.te  2011-04-23 09:55:08.156918002 +0200
 @@ -47,6 +47,10 @@
  
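Review bot: the command and its sample output disagree: the command is "diff -ut ../../../refpolicy/policy/modules/services/openct.te services/openct.te" (three ".." levels, which is correct from refpolicy.local/policy/modules), but the "---" header directly under it shows "../../../../refpolicy/policy/modules/services/openct.te" with four levels, and the timestamps are still the April ones. Regenerate the listing from an actual run instead of editing the path by hand, or trim it to the command only.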
@@ -1088,8 +1083,8 @@ patch is best made from the upper location.
 <a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.2: Generating a base policy patch</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cd dev/hardened/strict.local</span>
-~$ <span class="code-input">diff -ut ../strict/policy/modules/services/openct.if policy/modules/services/openct.if</span>
+~$ <span class="code-input">cd dev/hardened/refpolicy.local</span>
+~$ <span class="code-input">diff -ut ../refpolicy/policy/modules/services/openct.if policy/modules/services/openct.if</span>
 --- ../strict/policy/modules/services/openct.if    2011-04-22 23:28:17.918918002 +0200
 +++ policy/modules/services/openct.if       2011-04-23 10:01:38.753918001 +0200
 @@ -15,7 +15,7 @@
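Review bot: same mismatch here: the command was changed to "../refpolicy/policy/modules/services/openct.if", but the unchanged "---" line below it still reads "../strict/policy/modules/services/openct.if". A reader trying to reproduce the listing will conclude the command is wrong; rerun the diff so the output matches.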
@@ -1170,19 +1165,21 @@ ebuilds:
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
 # Copyright 1999-2011 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
+EAPI="4"
 
+IUSE=""
 <span class="code-comment"># Set the MODS variable to the refpolicy name used, so services/postfix.te gives "postfix"</span>
 MODS="postfix"
-IUSE=""
+<span class="code-comment"># BASEPOL is optional, set it to the selinux-base-policy version which
+# includes the latest patch (or interface you use in the policy)</span>
+BASEPOL="2.20110726-r3"
 
 inherit selinux-policy-2
 
 DESCRIPTION="SELinux policy for postfix"
-
 KEYWORDS="~amd64 ~x86"
 
-<span class="code-comment"># POLICY_PATCH is optional (only when you have a patch), without it just uses the 
-# refpolicy version.</span>
+<span class="code-comment"># POLICY_PATCH is optional (only when you have a module patch)</span>
 POLICY_PATCH="${FILESDIR}/fix-services-postfix-r3.patch"
 </pre></td></tr>
 </table>
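Review bot: the BASEPOL comment says the variable is optional and should name "the selinux-base-policy version which includes the latest patch (or interface you use in the policy)", but not what the eclass does with it; the reader cannot tell whether it becomes a ">=sec-policy/selinux-base-policy-${BASEPOL}" dependency or merely selects a patchbundle, and in the former case every base-policy bump forces a revision bump of each module ebuild that pins it. Spell that out, and say what happens when it is left unset. Since EAPI="4" is now shown, it is also worth stating whether the selinux-policy-2 eclass requires it.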
@@ -1206,15 +1203,21 @@ create a patchbundle from your patch directory, put the bundle in the
 <a name="doc_chap7_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing7.5: Building a base policy package</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Go to the location where all patches are currently extracted</span>
 ~$ <span class="code-input">cd dev/hardened/base-patches</span>
-~$ <span class="code-input">tar cjvf ../overlay/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r13.tar.bz2 *</span>
+
+<span class="code-comment"># Add the patches you want to include, cfr Submitting Patches</span>
+<span class="code-comment"># Then, create a new patch bundle</span>
+~$ <span class="code-input">tar cjvf ../overlay/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20110726-r3.tar.bz2 *</span>
+
+<span class="code-comment"># Finally, bump the revision of the ebuild in the overlay</span>
 ~$ <span class="code-input">cd ../overlay/sec-policy/selinux-base-policy</span>
-~$ <span class="code-input">cp selinux-base-policy-2.20101213-r12.ebuild selinux-base-policy-2.20101213-r13.ebuild</span>
+~$ <span class="code-input">cp selinux-base-policy-2.20110726-r3.ebuild selinux-base-policy-2.20110726-r4.ebuild</span>
 </pre></td></tr>
 </table>
 <p>
 Don't forget to run <span class="code" dir="ltr">repoman manifest</span> and <span class="code" dir="ltr">repoman scan</span>. You can
-then install <span class="path" dir="ltr">sec-policy/selinux-base-policy-2.20101213-r13</span> and test
+then install <span class="path" dir="ltr">sec-policy/selinux-base-policy-2.20110726-r4</span> and test
 it out.
 </p>
 <br><p class="copyright">
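Review bot: the revisions in Code Listing 7.5 no longer line up: the bundle is written as "patchbundle-selinux-base-policy-2.20110726-r3.tar.bz2", yet the ebuild is copied to "selinux-base-policy-2.20110726-r4.ebuild" and the prose tells the reader to install "-r4"; in the previous version both were "-r13". Unless the ebuild derives the bundle name from something other than its own version and revision, the new ebuild will look for an "-r4" bundle that was never created. Separately, "tar cjvf ... *" from the patch directory packs whatever the glob matches (editor backups included) and silently skips dotfiles; use an explicit pattern such as "*.patch". "cfr Submitting Patches" should read "see Submitting Patches".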
@@ -1236,7 +1239,7 @@ it out.
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-development.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 22, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 When planning to help Gentoo Hardened in the development of SELinux policies,
 or when trying to debug existing policies, this document should help you get

diff --git a/html/selinux-policy.html b/html/selinux-policy.html
index 63704fa..88d2d70 100644
--- a/html/selinux-policy.html
+++ b/html/selinux-policy.html
@@ -125,28 +125,7 @@ domain needs to transition back to the caller (<span class="emphasis">staff_t</s
 <span class="emphasis">staff_screen_t</span> which launches a shell or command in the <span class="emphasis">staff_t</span>
 domain).
 </p>
-<p class="secthead"><a name="doc_chap2_sect2">Use 'gentoo_' prefix</a></p>
-<p>
-When Gentoo Hardened updates policy rules, the patches it applies will strive to
-use a <span class="emphasis">gentoo_</span> prefix where possible:
-</p>
-<ul>
-  <li>
-    added interfaces for existing modules will start with the <span class="emphasis">gentoo_</span>
-    prefix
-  </li>
-  <li>
-    new booleans will start with the <span class="emphasis">gentoo_</span> prefix
-  </li>
-</ul>
-<p>
-This ensures that, if the changes (and their use) is included upstream, we can
-safely migrate towards the upstream implementation rather than face a collision
-of names. Also, this ensures that no unwanted accesses are granted (or
-functionalities suddenly prohibited) when upstream includes a change with the
-same name but totally different meaning or implementation.
-</p>
-<p class="secthead"><a name="doc_chap2_sect3">Do Not Allow Cosmetic Denials</a></p>
+<p class="secthead"><a name="doc_chap2_sect2">Do Not Allow Cosmetic Denials</a></p>
 <p>
 When developing SELinux rules, the Gentoo Hardened SELinux developers will
 implement the access permissions needed for an application to function properly
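Review bot: deleting the "Use 'gentoo_' prefix" section also deletes its rationale (avoiding name collisions with upstream interfaces and booleans, and not silently inheriting different semantics when upstream later adds a same-named item), and the commit message ("Update previews") does not say whether the convention was abandoned or moved elsewhere; if it was abandoned, the policy document should state what replaces it. Note too that "Do Not Allow Cosmetic Denials" moves from anchor doc_chap2_sect3 to doc_chap2_sect2, so any existing external link to "#doc_chap2_sect3" now lands on the wrong section.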
@@ -216,7 +195,7 @@ of the packages clean.
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-policy.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated February 26, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Developing a set of security rules is or should always be done with a common set
 of principles and rules in mind. This document explains the policy used by

diff --git a/html/selinux/index.html b/html/selinux/index.html
index a51aad4..c9ffd77 100644
--- a/html/selinux/index.html
+++ b/html/selinux/index.html
@@ -24,9 +24,8 @@
 <option value="#doc_chap2">2. Project Goals</option>
 <option value="#doc_chap3">3. Developers</option>
 <option value="#doc_chap4">4. Contributors</option>
-<option value="#doc_chap5">5. Subprojects</option>
-<option value="#doc_chap6">6. Resources</option>
-<option value="#doc_chap7">7. I Want to Participate</option></select>
+<option value="#doc_chap5">5. Resources</option>
+<option value="#doc_chap6">6. I Want to Participate</option></select>
 </form>
 <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
             </span>Project Description</p>
@@ -92,12 +91,12 @@ As a result, we
           <tr>
             <td class="tableinfo">Sven Vermeulen</td>
             <td class="tableinfo">swift</td>
-            <td class="tableinfo">Documentation, Userspace tools, Policy development</td>
+            <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td>
           </tr>
           <tr>
             <td class="tableinfo">Anthony G. Basile</td>
             <td class="tableinfo">blueness</td>
-            <td class="tableinfo">Policy development, Proxy (non developer contributors)</td>
+            <td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td>
           </tr>
         </table>
 <p>
@@ -121,68 +120,31 @@ The following people, although non-developer, are actively contributing to the p
 </tr>
 </table>
 <p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
-            </span>Subprojects</p>
-<p>The SELinux
-			project has the following subprojects:
-			</p>
-<table class="ntable">
-          <tr>
-            <td class="infohead"><b>Project</b></td>
-            <td class="infohead"><b>Lead</b></td>
-            <td class="infohead"><b>Description</b></td>
-          </tr>
-          <tr>
-            <td class="tableinfo">Policy</td>
-            <td class="tableinfo">Chris PeBenito</td>
-            <td class="tableinfo">
-Develop and maintain a secure, default set of policies for the system, including
-user and role definitions, service policies and application policies.
-</td>
-          </tr>
-          <tr>
-            <td class="tableinfo">Userland</td>
-            <td class="tableinfo">Chris PeBenito</td>
-            <td class="tableinfo">
-Develop and maintain the packages for SELinux userland utilities and libraries,
-including SELinux-aware patches for more general applications and libraries.
-</td>
-          </tr>
-          <tr>
-            <td class="tableinfo">Kernel</td>
-            <td class="tableinfo">Chris PeBenito</td>
-            <td class="tableinfo">
-Integrate, improve and maintain SELinux patches in the Linux kernel for Gentoo
-Hardened.
-</td>
-          </tr>
-          <tr>
-            <td class="tableinfo">Documentation</td>
-            <td class="tableinfo">Chris PeBenito</td>
-            <td class="tableinfo">
-Develop and maintain SELinux documentation specific to the Gentoo distribution
-</td>
-          </tr>
-        </table>
-<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
             </span>Resources</p>
 <p>Resources offered by the
 			SELinux
 			project are:</p>
 <ul>
           <li>
-            <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (including installation)</a>
+            <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (concepts, installation, maintenance)</a>
           </li>
           <li>
             <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
           </li>
           <li>
-            <a href="roadmap.html">Gentoo Hardened Roadmap (incl. SELinux development)</a>
+            <a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
           </li>
           <li>
-            <a href="support-state.html">Gentoo Hardened Support Matrices (incl. SELinux)</a>
+            <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
+          </li>
+          <li>
+            <a href="roadmap.html">Gentoo Hardened Roadmap (includes SELinux development)</a>
+          </li>
+          <li>
+            <a href="support-state.html">Gentoo Hardened Support Matrices (includes SELinux)</a>
           </li>
         </ul>
-<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
+<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
             </span>I Want to Participate</p>
 <p>
 To participate in the SELinux project first join the mailing list at
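Review bot: the removed Subprojects table was the only place on this page that named a lead for the kernel, userland and documentation work (all four rows listed Chris PeBenito); if those subprojects are no longer active, say so in the document or the commit message rather than dropping the table silently. The chapter anchors also shift with the removal (doc_chap6 is now Resources and doc_chap7 disappears), which breaks inbound links such as "selinux/index.html#doc_chap7".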
@@ -196,7 +158,7 @@ contributing work we will always need testers to use and audit the SELinux
 policies. All development, testing, feedback, and productive comments will
 be greatly appreciated.
 </p>
-<p class="secthead"><a name="doc_chap7_sect2">Policy Submissions</a></p>
+<p class="secthead"><a name="doc_chap6_sect2">Policy Submissions</a></p>
 <p>
 The critical component of a SELinux system is having a strong policy.  The
 team does its best to support as many daemons as possible.  However, we cannot
@@ -216,12 +178,6 @@ to receive policy submissions for consideration.  There are a few requirements:
     We need to know if the policy is dependent on another policy (for example
     rpcd is dependent on portmap) other than base-policy.
   </li>
-  <li>
-    An ebuild for the policy can also be submitted to help the developers
-    integrate the policy into Portage more quickly, if it is accepted.  
-    See current daemon policies in Portage for example uses of the
-    selinux-policy eclass.
-  </li>
 </ul>
 <p>
 The policy should be submitted on <a href="http://bugs.gentoo.org/">bugzilla</a>.
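Review bot: the deleted bullet told contributors they may submit an ebuild with their policy and pointed them at the selinux-policy eclass; since html/selinux-development.html in this same commit now documents module ebuilds (the selinux-policy-2 eclass, MODS, BASEPOL and POLICY_PATCH), replace the bullet with a link to that guide instead of dropping the advice altogether.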




* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
@ 2011-10-15 13:05 Sven Vermeulen
  0 siblings, 0 replies; 9+ messages in thread
From: Sven Vermeulen @ 2011-10-15 13:05 UTC (permalink / raw
  To: gentoo-commits

commit:     db4e145c0d418e14eb73223d31f8117b6ac37778
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 13:05:21 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 13:05:21 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=db4e145c

Update on previews

---
 html/selinux-faq.html                              |   42 +-
 html/selinux/hb-intro-concepts.html                |  179 ++++-
 ...ndix-reference.html => hb-intro-resources.html} |    0
 html/selinux/hb-using-configuring.html             |  919 ++++++++++++++++++++
 html/selinux/hb-using-install.html                 |   29 +-
 html/selinux/hb-using-permissive.html              |   19 +-
 ...roubleshoot.html => hb-using-troubleshoot.html} |    0
 html/selinux/selinux-handbook.html                 |   66 +-
 8 files changed, 1184 insertions(+), 70 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 611eaf5..252906f 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -81,6 +81,8 @@ as well.
   FAILED (crontabs/root)'
 </a></li>
 <li><a href="#missingdatum">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></li>
+<li><a href="#recoverportage">Portage fails to label files because "setfiles" does not work anymore</a></li>
+<li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li>
 </ul>
 <p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
             </span>General SELinux Support Questions</p>
@@ -656,11 +658,49 @@ If your system is upgrading its kernel, higher version(s) can be supported. In
 this case, either unset the value again to automatically "jump" to a higher
 version, or force set it to the higher version.
 </p></td></tr></table>
+<p class="secthead"><a name="recoverportage"></a><a name="doc_chap5_sect8">Portage fails to label files because "setfiles" does not work anymore</a></p>
+<p>
+Portage uses the <span class="code" dir="ltr">setfiles</span> command to set the labels of the files it
+installs. However, that command is a dynamically linked executable, so any
+update in its depending libraries (<span class="path" dir="ltr">libselinux.so</span>,
+<span class="path" dir="ltr">libsepol.so</span>, <span class="path" dir="ltr">libaudit.so</span> and of course
+<span class="path" dir="ltr">libc.so</span>) might cause for the application to fail. Gentoo's standard
+solution (<span class="code" dir="ltr">revdep-rebuild</span>) will not work, since the tool will try to
+rebuild policycoreutils, which will fail to install because Portage cannot set
+the file labels.
+</p>
+<p>
+The solution is to rebuild policycoreutils while disabling Portage' selinux
+support, then label the installed files manually using <span class="code" dir="ltr">chcon</span>, based on
+the feedback received from <span class="code" dir="ltr">matchpathcon</span>.
+</p>
+<a name="doc_chap5_pre14"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.14: Recovering from Portage installation failures</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">FEATURES="-selinux" emerge --oneshot policycoreutils</span>
+# <span class="code-input">for FILE in $(qlist policycoreutils); do \
+CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done</span>
+</pre></td></tr>
+</table>
+<p>
+Now Portage will function properly again, labeling files as they should.
+</p>
+<p class="secthead"><a name="nosuid"></a><a name="doc_chap5_sect9">Applications do not transition on a nosuid-mounted partition</a></p>
+<p>
+If you have file systems mounted with the <span class="code" dir="ltr">nosuid</span> option, then
+applications started from these file systems will not transition into their
+appropriate domain. This is intentional.
+</p>
+<p>
+So, a <span class="code" dir="ltr">passwd</span> binary, although correctly labeled <span class="emphasis">passwd_exec_t</span>,
+will not transition into the <span class="emphasis">passwd_t</span> domain if the binary is stored on a
+file system mounted with <span class="code" dir="ltr">nosuid</span>.
+</p>
 <br><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 13, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
 The FAQ is a collection of solutions found on IRC, mailinglist, forums or 
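Review bot: the loop in Code Listing 5.14 does not do what the surrounding text says. In `CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}` the assignment is a per-command environment assignment, and the shell expands the command's arguments before that assignment takes effect, so `${CONTEXT}` is empty (or stale) and `chcon` is invoked without a context. A semicolon is needed: `CONTEXT=$(matchpathcon -n "${FILE}"); chcon "${CONTEXT}" "${FILE}"`; quoting the variables also keeps paths with spaces intact. Since policycoreutils has just been rebuilt against the new libraries at that point, `restorecon $(qlist policycoreutils)` would do the same job in one step and is less error-prone for readers who retype it. For the nosuid section, "This is intentional" deserves one sentence of reasoning so admins do not try to fix it in the policy: the kernel suppresses domain transitions on nosuid mounts because a transition can grant privileges the caller did not have, exactly like a setuid bit, so the remedy is to mount that file system without nosuid (check with `mount | grep nosuid`) or to keep transitioning binaries off it.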

diff --git a/html/selinux/hb-intro-concepts.html b/html/selinux/hb-intro-concepts.html
index 362203a..c5cf801 100644
--- a/html/selinux/hb-intro-concepts.html
+++ b/html/selinux/hb-intro-concepts.html
@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 <link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
@@ -191,6 +191,21 @@ getattr        ptrace      setkeycreate  sigchld        transition
 </pre></td></tr>
 </table>
 <p>
+The most common SELinux access control rule (<span class="emphasis">allow</span>) is described as
+follows:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux allow statement</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+allow ACTOR  TARGET:CLASS PRIVILEGE;
+      +-+-+  +-+--+ +-+-+ +---+---+
+        |      |      |       `- Permission to be granted (like "write")
+	|      |      `- Class on which permission is given (like "file")
+	|      `- Resource (label) on which permission is valid (like "portage_conf_t")
+	`- Actor (domain) which gets the privilege (like "sysadm_t")
+</pre></td></tr>
+</table>
+<p>
 Let's take a look at a small example to explain the permission rules and how 
 SELinux uses them. The example user is in the <span class="emphasis">staff_u:staff_r:staff_t</span>
 context and wants to write to its own home directory. As we can expect, this
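Review bot: the ASCII diagram in the new Code Listing 1.1 mixes leading spaces (the first `|` line) with leading tabs (the next three), so its alignment depends on the tab width of whatever renders the `<pre>` block; use spaces throughout. Also `PRIVILEGE` suggests a single permission, whereas allow rules in the policy sources usually list several in braces, e.g. `allow sysadm_t portage_conf_t:file { read write };`; one sentence saying that the permission field may be a braced set would save readers a puzzle when they first open a .te file.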
@@ -269,8 +284,7 @@ security contexts, let's start from the last definition in the context (the
   </li>
 </ul>
 <p>
-The rules that identify the allowed actions for a domain have the following
-syntax:
+The rules that identify the allowed actions for a domain have been described earlier. Again:
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Standard SELinux policy rules</p></td></tr>
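Review bot: "have been described earlier. Again:" reads as a dangling cross-reference, and the listing that follows now duplicates the one added higher in the chapter. Either drop this second copy and point back to the first section by name, or phrase the lead-in as "The syntax of these rules was shown in the first section; for reference:" so the repetition is clearly deliberate.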
@@ -584,6 +598,158 @@ would require the development of new policies for each new client that a system
 wants to serve).
 </p>
 <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+            </span>Reference Policy</p>
+<p class="secthead"><a name="doc_chap1_sect1">About refpolicy</a></p>
+<p>
+As described previously, SELinux uses type enforcement to describe the state of
+your system. This is done by giving each resource on your system (be it a
+process, a network port, a file or directory) a specific type and describe the
+rules how types can work with each other. 
+</p>
+<p>
+Managing such a policy is not easy. Unlike some other MAC systems, which rely
+on a learning mode and do not use domain definitions (they rather keep track of
+which commands a process is allowed to execute), a proper SELinux definition
+requires lots (thousands and thousands) of permission lines.
+</p>
+<p>
+To ensure that no duplicate effort is made, and to help distributions like
+Gentoo, Fedora, RedHat, Debian, ... with their SELinux integration efforts, a
+project is launched called <span class="emphasis">The Reference Policy</span>.
+</p>
+<p>
+This project, managed by <a href="http://oss.tresys.com/projects/refpolicy">Tresys</a>, is used by almost
+all SELinux supporting distributions, including Gentoo Hardened, Fedora, RedHat
+Enterprise Linux, Debian, Ubuntu and more. This implementation not only offers
+the modular policies that users are looking for, but also enhances the SELinux
+experience with additional development tools that make it easier to work with
+the SELinux policies on your system. Updates in the reference policy eventually
+make it in all supported distributions. The same goes for Gentoo Hardened, which
+aims to use a policy as close as possible to the reference policy, and submits
+its own patches to the reference policy as well, which benefits the entire
+community.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Reference Policy API</a></p>
+<p>
+One major advantage of the reference policy is its API. To help policy writers,
+the reference policy uses a macro language which generates the necessary allow
+(and other) rules. This macro language makes it a lot easier to add rights to
+particular domains. You can find the API documented <a href="http://oss.tresys.com/docs/refpolicy/api/">online</a>, but if you have
+USE="doc" set, it will be stored on your system as well the moment you install
+and configure SELinux.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Modular Approach</a></p>
+<p>
+Another feature of the reference policy is its use of <span class="emphasis">modules</span>. If you
+would build all rules in a single policy (a binary file readable by the Linux
+kernel, allowing it to interpret and enforce SELinux rules), the file would
+quickly become too huge and inefficient.
+</p>
+<p>
+Instead, the reference policy defines the rules in what it calls modules, which
+define one domain (like <span class="code" dir="ltr">portage_t</span>) or more (if they are all tightly
+related) and the rights and privileges that that domain would need in order to
+function properly. Any right that the domain needs with respect to another
+domain needs to be defined through that domains' interfaces (see earlier),
+forcing the modules to be specific and manageable.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example overview of installed SELinux modules</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -l</span>
+alsa    1.11.0
+apache  2.3.0
+audioentropy    1.6.0
+dbus    1.15.0
+dmidecode       1.4.0
+<span class="code-comment">(...)</span>
+</pre></td></tr>
+</table>
+<p>
+By using a modular approach, one only needs to load the base policy (kernel
+layer as well as other, core definitions) and the modules related to his system.
+You can then safely ignore the other modules. This improves performance (smaller
+policy, which also causes rebuilds to be a lot less painful) and manageability
+(properly defined boundaries for policy rules).
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Tunables and Conditionals</a></p>
+<p>
+But wait, there's more. The reference policy also supports <span class="emphasis">booleans</span>.
+Those are flags that a security administrator can enable or disable to change
+the active policy. Properly defined booleans allow security administrators to
+fine-tune the policy for their system.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Overview of available booleans</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">getsebool -a</span>
+allow_execheap --&gt; off
+allow_execmem --&gt; off
+allow_execmod --&gt; off
+allow_execstack --&gt; off
+allow_gssd_read_tmp --&gt; on
+allow_httpd_anon_write --&gt; off
+</pre></td></tr>
+</table>
+<p>
+Booleans are an important part to make a generic reference policy which is still
+usable for the majority of SELinux users. Although they have specific
+requirements (such as allowing ptrace, or disallowing execmem) they can still
+use the same reference policy and only need to toggle the booleans they need.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Policy Files and Versions</a></p>
+<p>
+The SELinux policy infrastructure that is used (i.e. the capabilities and
+functionalities that it offers) isn't in its first version. Currently, SELinux
+deployments use a binary version of 24 or 26 (depending on the kernel version
+used).
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the binary policy version</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">sestatus</span>
+SELinux status:                 enabled
+SELinuxfs mount:                /selinux
+Current mode:                   enforcing
+Mode from config file:          enforcing
+Policy version:                 24
+Policy from config file:        strict
+</pre></td></tr>
+</table>
+<p>
+Every time functionalities or capabilities are added which require
+changes to the internal structure of the compiled policy, this version is
+incremented. The following is an overview of the policy versions' history. 
+</p>
+<dl>
+  <dt>Version 12</dt>
+  <dd>"Old API" for SELinux, which is now deprecated</dd>
+  <dt>Version 15</dt>
+  <dd>"New API" for SELinux, merged in Linux kernel 2.6.0 (until 2.6.5)</dd>
+  <dt>Version 16</dt>
+  <dd>Conditional policy extensions added (2.6.5)</dd>
+  <dt>Version 17</dt>
+  <dd>IPV6 support added (2.6.6 - 2.6.7)</dd>
+  <dt>Version 18</dt>
+  <dd>Fine-grained netlink socket support added (2.6.8 - 2.6.11)</dd>
+  <dt>Version 19</dt>
+  <dd>Enhanced multi-level security (2.6.12 - 2.6.13)</dd>
+  <dt>Version 20</dt>
+  <dd>Access vector table size optimizations (2.6.14 - 2.6.18)</dd>
+  <dt>Version 21</dt>
+  <dd>Object classes in range transitions (2.6.19 - 2.6.24)</dd>
+  <dt>Version 22</dt>
+  <dd>Policy capabilities (features) (2.6.25)</dd>
+  <dt>Version 23</dt>
+  <dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd>
+  <dt>Version 24</dt>
+  <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd>
+  <dt>Version 25</dt>
+  <dd>Filename based transition support (2.6.39)</dd>
+  <dt>Version 26</dt>
+  <dd>Role transition support for non-process classes (3.0)</dd>
+</dl>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
             </span>Next Steps</p>
 <p class="secthead"><a name="doc_chap1_sect1">What Next</a></p>
 <p>
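Review bot: the "Tunables and Conditionals" section only describes booleans, so the heading promises a distinction the text never makes. Either rename it to "Booleans" or add a sentence on what a tunable is (in the reference policy, `tunable_policy` blocks are conditionals intended to be set once per site, while `bool` conditionals are meant to be toggled at runtime; both show up in `getsebool -a` in the default build). Smaller points in the same hunk: "a project is launched" should be "was launched"; "that domains' interfaces" should be "that domain's interfaces"; and in "Although they have specific requirements ... they can still use the same reference policy", "they" refers to systems or users rather than to the booleans of the previous sentence, so name the subject explicitly ("Although individual systems have specific requirements ...").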
@@ -593,9 +759,10 @@ when SELinux is disabled, then you will need to dive into the security contexts,
 rules, types and domain transitions to find out why.
 </p>
 <p>
-The next chapter in line will discuss how distributions such as Gentoo Hardened
-manage the various permission rules and how they use a macro language to
-generate the permissions instead of creating the allow-rules one by one.
+The next chapter in line will give you some background resource information
+(online resources, books, FAQs, etc.) After that, we'll dive into the
+installation and configuration of SELinux on your Gentoo Hardened system. Then,
+we'll configure and tune the SELinux policy to our needs.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
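Review bot: "(online resources, books, FAQs, etc.) After that" loses the sentence-ending period after the closing parenthesis; it should read "(online resources, books, FAQs, etc.). After that".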

diff --git a/html/selinux/hb-appendix-reference.html b/html/selinux/hb-intro-resources.html
similarity index 100%
rename from html/selinux/hb-appendix-reference.html
rename to html/selinux/hb-intro-resources.html

diff --git a/html/selinux/hb-using-configuring.html b/html/selinux/hb-using-configuring.html
new file mode 100644
index 0000000..05bd80b
--- /dev/null
+++ b/html/selinux/hb-using-configuring.html
@@ -0,0 +1,919 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+  </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+            </span>Administering Users</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+During the installation, we already covered how to map a Linux user to a SELinux
+user. In the example, we used a hypothetical user "john" and mapped him to the
+SELinux user "staff_u". If you are running a multi-user system, managing the
+right mappings is important. A user that is mapped to the SELinux user "user_u"
+will not get any additional rights. Even if you would give that user additional
+rights through commands such as <span class="code" dir="ltr">sudo</span>, the SELinux policy will not allow
+this user to do anything that is administration related.
+</p>
+<p>
+For this reason, it is important to go over the SELinux user mappings and the
+Linux users on your system.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">User Mappings</a></p>
+<p>
+Run <span class="code" dir="ltr">semanage login -l</span> to show the current mappings between Linux logins
+and SELinux users.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running semanage login -l</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -l</span>
+
+Login Name                SELinux User
+
+__default__               user_u
+root                      root
+john                      staff_u
+system_u                  system_u
+</pre></td></tr>
+</table>
+<p>
+The "user_u" SELinux user is for regular accounts. As such, the special
+<span class="emphasis">__default__</span> mapping is defined by SELinux to denote every login that is
+not defined otherwise. This makes sure that a newly defined account does not get
+elevated privileges by default.
+</p>
+<p>
+The next table gives an overview of the standard SELinux users available after
+an installation.
+</p>
+<table class="ntable">
+<tr>
+  <td class="infohead"><b>SELinux User</b></td>
+  <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">user_u</td>
+  <td class="tableinfo">
+    Default regular SELinux user, which should be used by end-user accounts that
+    are not going to administer any service(s) on the system
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">staff_u</td>
+  <td class="tableinfo">
+    SELinux user for administrators. This user has the right to switch roles and
+    as such gain elevated privileges
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">root</td>
+  <td class="tableinfo">
+    SELinux user for the root account. It differs little from the staff_u
+    account beyond being a different ID. This ensures that files protected by
+    the user based access control for root cannot be handled by the staff_u
+    (and other) users
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">sysadm_u</td>
+  <td class="tableinfo">
+    SELinux user for system administration. By default, this account is not
+    immediately used as this user immediately gets the administrative role
+    (whereas staff_u and root still need to switch roles).
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">system_u</td>
+  <td class="tableinfo">
+    SELinux user for system services. It should never be used for end users or
+    administrators as it provides direct access to the system role (and
+    privileges)
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">unconfined_u</td>
+  <td class="tableinfo">
+    Used when the policy is <span class="emphasis">targeted</span>, this SELinux user has many
+    privileges (it is essentially not limited in its actions, although it is
+    still handled through SELinux - just through a "wide open" policy).
+  </td>
+</tr>
+</table>
+<p>
+To map a user to a specific SELinux user, use <span class="code" dir="ltr">semanage login -a</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping a user 'sophie' to the staff_u user</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -a -s staff_u sophie</span>
+</pre></td></tr>
+</table>
+<p>
+However, when you update such mapping, the files in that users' home directory
+will be owned by a wrong SELinux user. It is therefor important to relabel the
+files of that user:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling sophie's files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">restorecon -R -F /home/sophie</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Additional SELinux Accounts</a></p>
+<p>
+It is perfectly possible to create additional SELinux accounts, and then map the
+Linux logins to these new accounts. This can be necessary when you want a more
+thorough auditing (on end user level) or when you will be enhancing the policy
+with additional roles. Also, if you want to use the User Based Access Control
+feature, using different SELinux users is important to enforce the control on
+different users (if they all use the same SELinux user, then UBAC has little to
+no effect).
+</p>
+<p>
+Managing the SELinux accounts is done through <span class="code" dir="ltr">semanage user</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating a SELinux user</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage user -a -R "staff_r sysadm_r" sophie</span>
+</pre></td></tr>
+</table>
+<p>
+Let's verify how the SELinux users are currently configured:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking the SELinux user identities</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage user -l</span>
+SELinux User    SELinux Roles
+
+root            staff_r sysadm_r
+sophie          staff_r sysadm_r
+staff_u         staff_r sysadm_r
+sysadm_u        sysadm_r
+system_u        system_r
+unconfined_u    unconfined_r
+user_u          user_r
+
+# <span class="code-input">semanage login -l</span>
+Login Name                SELinux User
+
+__default__               user_u
+root                      root
+sophie                    staff_u
+swift                     staff_u
+system_u                  system_u
+</pre></td></tr>
+</table>
+<p>
+Now that a new SELinux user called "sophie" exists, we can now update the Linux
+user mapping for "sophie" towards the new SELinux user "sophie":
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Updating the Linux user mapping</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -m -s sophie sophie</span>
+# <span class="code-input">semanage login -l</span>
+Login Name                SELinux User
+
+__default__               user_u
+root                      root
+sophie                    sophie
+swift                     staff_u
+system_u                  system_u
+</pre></td></tr>
+</table>
+<p>
+Again, do not forget to relabel this users' files.
+</p>
+<p>
+As you can see, managing SELinux users means defining the roles to which the
+user has access to. We already gave a high-level introduction to the default
+roles in <span title="Link to other book part not available"><font color="#404080">(SELinux Concepts)</font></span>, but as roles are
+important when using a Mandatory Access Control system, let's refresh our memory
+again:
+</p>
+<table class="ntable">
+<tr>
+  <td class="infohead"><b>SELinux Role</b></td>
+  <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+  <td class="tableinfo">user_r</td>
+  <td class="tableinfo">
+    Default end-user role. This role provides access to regular applications and
+    activities, but does not allow any system or service administration beyond
+    what is expected for a regular user.
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">staff_r</td>
+  <td class="tableinfo">
+    Default administration role for day-to-day activities. This role has some
+    additional privileges beyond what is offered through user_r, but is not a
+    full system administrative role. It is meant for the non-administrative
+    activities done by operators and administrators
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">sysadm_r</td>
+  <td class="tableinfo">
+    System administration role. This role is highly privileged (since it also
+    contains the privileges to update the policy) and should only be given to
+    fully trusted administrators. It is almost never immediately granted to
+    users (they first need to switch roles) except for direct root access (for
+    instance through the console) 
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">system_r</td>
+  <td class="tableinfo">
+    System service role, which is used for the runtime services (processes). It
+    is never granted to users directly.
+  </td>
+</tr>
+<tr>
+  <td class="tableinfo">unconfined_r</td>
+  <td class="tableinfo">
+    The unconfined role is used when the <span class="emphasis">targeted</span> policy is supported.
+    This role is given to unconfined users (such as the SELinux unconfined_u
+    user) which have very wide privileges (they almost run without constraints).
+  </td>
+</tr>
+</table>
+<p>
+It should be noted that these roles are the default ones, but the security
+administrator - yes, that means you - can create additional roles and add
+particular privileges to it. We will discuss this later in this book as it means
+you'll need to update the Gentoo Hardened SELinux policy.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+            </span>Reading Audit Logs</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+When working with a SELinux-enabled system, you will eventually notice that
+things behave differently, but without giving any meaningful error message.
+Usually, when SELinux "denies" a particular access, it logs it into the audit
+log of the system, but for the application itself, it is perfectly possible that
+it just silently dies. If not, you're most likely to get a <span class="emphasis">permission
+denied</span> error message.
+</p>
+<p>
+Initially, SELinux is running in <span class="code" dir="ltr">permissive</span> mode, which means that
+SELinux will log what it <span class="emphasis">would</span> deny, but still let it through.
+This mode is perfect for getting the system in shape without having too
+much problems keeping it running. Once you think your security settings are
+in order, then this mode can be switched from <span class="code" dir="ltr">permissive</span> to
+<span class="code" dir="ltr">enforcing</span>. We'll talk about these modes later.
+</p>
+<p>
+First, let's take a look at the audit log and see what it is saying...
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Audit Log Location(s)</a></p>
+<p>
+The SELinux kernel code writes its denials (and sometimes even allowed but
+audited activities) into the audit log. If you are running on a Gentoo Hardened
+installation with the <span class="code" dir="ltr">syslog-ng</span> system logger, then the logger is already
+configured to place these audit lines in <span class="path" dir="ltr">/var/log/avc.log</span>. However,
+different system loggers or system logger configurations might put the entries
+in a different log location (such as <span class="path" dir="ltr">/var/log/audit.log</span>).
+</p>
+<p>
+Below, you'll find the appropriate lines for the syslog-ng system logger
+configuration for writing the events in <span class="path" dir="ltr">/var/log/avc.log</span>.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: syslog-ng.conf excerpt for SELinux AVC entries</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># The following lines are only /part/ of the configuration file!</span>
+source kernsrc  { file("http://www.gentoo.org/proc/kmsg");       };
+destination avc { file("http://www.gentoo.org/var/log/avc.log"); };
+filter f_avc    { message(".*avc: .*");     };
+
+log {
+  source(kernsrc);
+  filter(f_avc);
+  destination(avc);
+};
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">What is AVC?</a></p>
+<p>
+As we mentioned, SELinux writes its entries in the audit log. These entries are
+called <span class="emphasis">avc messages</span> or <span class="emphasis">avc log entries</span>. The abbreviation AVC
+stands for <span class="emphasis">Access Vector Cache</span> and, like the name sais, is a caching
+system.
+</p>
+<p>
+Using an access vector cache improves performance on dealing with (and
+enforcing) activities and privileges. Since SELinux offers a very detailed
+approach on privileges and permissions, it would become quite painful
+(performance-wise) if each call means that the SELinux code needs to look up the
+domain, the target resource label, the privilege and if it is allowed or not
+over and over again. Instead, SELinux uses the Access Vector Cache to store past
+requests/responses. It is the AVC subsystem that is responsible for checking
+accesses and (if necessary) logging it.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Reading an AVC Denial Message</a></p>
+<p>
+Below you'll find a typical AVC denial message.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC denial message</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { module_request } for  pid=14561 comm="firefox" kmod="net-pf-10"
+  scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
+</pre></td></tr>
+</table>
+<p>
+Let's analyze each part of this message one by one.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: Timestamp and location information</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-input">Oct 15 13:04:54 hpl kernel: [963185.177043]</span> type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { module_request } for  pid=14561 comm="firefox" kmod="net-pf-10"
+  scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
+</pre></td></tr>
+</table>
+<p>
+This first part of the message informs you when the message was written (Oct 15
+13:04:54), on which host (hpl) and how many seconds since the system was booted
+(963185.177043).
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: source information</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { module_request } for  <span class="code-input">pid=14561 comm="firefox"</span> kmod="net-pf-10"
+  <span class="code-input">scontext=staff_u:staff_r:mozilla_t</span> tcontext=system_u:system_r:kernel_t tclass=system
+</pre></td></tr>
+</table>
+<p>
+Next is the source of the denial, i.e. what process is trying to do something.
+In this case, the process is firefox, with PID 14561, which is running in the
+source domain staff_u:staff_r:mozilla_t.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: target resource</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { module_request } for  pid=14561 comm="firefox" <span class="code-input">kmod="net-pf-10"</span>
+  scontext=staff_u:staff_r:mozilla_t <span class="code-input">tcontext=system_u:system_r:kernel_t</span> tclass=system
+</pre></td></tr>
+</table>
+<p>
+The target of the activity is a kernel module (net-pf-10, which is the internal
+name given for IPv6), labeled system_u:system_r:kernel_t
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: denied action</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { <span class="code-input">module_request</span> } for  pid=14561 comm="firefox" kmod="net-pf-10"
+  scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t <span class="code-input">tclass=system</span>
+</pre></td></tr>
+</table>
+<p>
+Finally, the action that is denied (module_request) and its class (system).
+These classes help you to identify what is denied, because a read on a file is
+different from a read on a directory.
+</p>
+<p>
+For instance, in the following case, a process <span class="code" dir="ltr">gorg</span> with PID 13935 is
+trying to read a file called <span class="path" dir="ltr">localtime</span> with inode 130867 which
+resides on the device <span class="path" dir="ltr">/dev/md3</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 14:40:30 hpl kernel: [968909.807802] type=1400 audit(1318682430.323:2614):
+  avc:  denied  { read } for  pid=13935 comm="gorg" name="localtime" dev=md3 ino=130867
+  scontext=staff_u:sysadm_r:gorg_t tcontext=system_u:object_r:locale_t tclass=file
+</pre></td></tr>
+</table>
+<p>
+In this case, it might be obvious that the file is <span class="path" dir="ltr">/etc/localtime</span>,
+but when that isn't the case, then you can find the following two commands
+useful:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Finding out the target resource based on inode and device</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">(Find out which device /dev/md3 is)</span>
+# <span class="code-input">mount | grep /dev/md3</span>
+/dev/md3 on / type ext4 (rw,seclabel,noatime,barrier=1,nodelalloc,data=journal)
+
+<span class="code-comment">(Find out what file has inode 130867)</span>
+# <span class="code-input">find / -xdev -inum 130867</span>
+/etc/localtime
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Handling AVC denials</a></p>
+<p>
+The major part of configuring SELinux is reading the denials, finding out what
+needs to be fixed (or ignored), fix it, and repeat the steps. Hopefully, the
+rest of this handbook will help you figure out what is causing a denial.
+</p>
+<p>
+Denials can be cosmetic (an activity that is denied, but has no effect on the
+application's functional behaviour). If that is the case, the denial can be
+marked as <span class="emphasis">dontaudit</span>, meaning that the denial is not logged by default
+anymore. If you think that a denial is occurring but you do not see it in the
+logs, try disabling the <span class="emphasis">dontaudit</span> rules:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Disabling dontaudit</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">(The command can also be abbreviated to "semodule -DB")</span>
+# <span class="code-input">semodule --build --disable_dontaudit</span>
+</pre></td></tr>
+</table>
+<p>
+In most cases though, denials need to be acted upon. Actions that might need to
+happen are:
+</p>
+<ul>
+  <li>
+    relabeling the target resource (wrong labels might cause legitimate actions
+    to be denied)
+  </li>
+  <li>
+    relabeling the source (process' binary file) as a wrong label might cause
+    the application to run in the wrong domain
+  </li>
+  <li>
+    loading a necessary SELinux module, since the modules contain the rules to
+    allow (and label) resources. Without the appropriate module loaded, you will
+    notice denials since no other module gives the necessary grants (allow
+    statements)
+  </li>
+  <li>
+    granting the right role to the user executing the application. We have
+    covered users and their roles initially but we will go deeper into this
+    subject later in the handbook.
+  </li>
+  <li>
+    adding your own SELinux policy statements, most likely because no SELinux
+    policy module exists for the application you are trying to run
+  </li>
+</ul>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+            </span>Using (File) Labels</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+Within SELinux, access privileges are based on the label given on the
+originating part (called the <span class="emphasis">domain</span>) and its target resource. For
+instance, a process running in the passwd_t domain wants to read (= privilege)
+the file <span class="path" dir="ltr">/etc/shadow</span> which is labeled shadow_t (= the target
+resource). It comes to no surprise then that the majority of SELinux
+administration is (re)labeling the resources correctly (and ensuring their label
+stays correct).
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Getting File Label(s)</a></p>
+<p>
+There are many ways to relabel commands, and none of them are equal to another.
+But before we explain this in more detail, let's first take a look at a few file
+labels (and how you can query them).
+</p>
+<p>
+In SELinux, labels are given on a file level through the file systems' ability
+to keep <span class="emphasis">extended attributes</span>. For SELinux, the attribute is called
+<span class="code" dir="ltr">security.selinux</span> and can be obtained through <span class="code" dir="ltr">getfattr</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a file's extended attribute for SELinux</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">getfattr -n security.selinux /etc/hosts</span>
+# file: etc/hosts
+security.selinux="system_u:object_r:net_conf_t"
+</pre></td></tr>
+</table>
+<p>
+Of course, getting the file attribute this way is time consuming and not that
+flexible. For this purpose, most important applications (including
+<span class="code" dir="ltr">coreutils</span>) are made SELinux-aware. These applications mostly use the
+<span class="code" dir="ltr">-Z</span> option to display the SELinux context information. In case of files,
+this means the extended attribute content:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the context of a file</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">ls -Z /etc/hosts</span>
+system_u:object_r:net_conf_t   /etc/hosts
+</pre></td></tr>
+</table>
+<p>
+Other commands exist that display the context as it should be, like
+<span class="code" dir="ltr">matchpathcon</span>. However, their purpose is to query the SELinux policy on
+your system to find out what the policy ought to be, not what it is:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Difference between context and matchpathcon result</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">ls -Z /etc/make.conf</span>
+staff_u:object_r:etc_t    /etc/make.conf
+$ <span class="code-input">matchpathcon /etc/make.conf</span>
+/etc/make.conf            system_u:object_r:portage_conf_t
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Setting File Label(s)</a></p>
+<p>
+Now how can you manipulate file labels? Well, first of all: you will not be
+allowed to change the file labels of any possible file (not even if you are the
+owner of that file) unless the SELinux policy allows you to. These allow rules
+are made on two privilege types: which labels are you allowed to change
+(<span class="code" dir="ltr">relabelfrom</span>) and to which labels are you allowed to change
+(<span class="code" dir="ltr">relabelto</span>). You can query these rules through <span class="code" dir="ltr">sesearch</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Querying the relabelto/relabelfrom types</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># From which label on files (-c) is user_t (-s) allowed (-A) to relabel from (-p)?</span>
+$ <span class="code-input">sesearch -s user_t -c file -p relabelfrom -A</span>
+<span class="code-comment">[...]</span>
+allow user_t mozilla_home_t : file { <span class="code-comment">...</span> relabelfrom relabelto } ;
+</pre></td></tr>
+</table>
+<p>
+If you have the permission, then you can use <span class="code" dir="ltr">chcon</span> to <span class="emphasis">ch</span>ange the
+<span class="emphasis">con</span>text of a file:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Changing a file context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">ls -Z strace.log</span>
+staff_u:object_r:user_home_t  strace.log
+$ <span class="code-input">chcon -t mutt_home_t strace.log</span>
+$ <span class="code-input">ls -Z strace.log</span>
+staff_u:object_r:mutt_home_t  strace.log
+</pre></td></tr>
+</table>
+<p>
+If you do not hold the right privileges, you will get a descriptive error
+message:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Trying to change file context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">chcon -t shadow_t strace.log</span>
+chcon: failed to change context of `strace.log' to `staff_u:object_r:shadow_t': Permission denied
+</pre></td></tr>
+</table>
+<p>
+Now, if you now think that <span class="code" dir="ltr">chcon</span> is all you need, you're wrong. The
+<span class="code" dir="ltr">chcon</span> command does nothing more than what it sais - change context. But
+when the system relabels files, these changes are gone. Relabeling files is
+often done to ensure that the file labels are correct (as in: the labels match
+what the SELinux policy sais they ought to be). The SELinux policy contains, for
+each policy module, the list of files, directories, sockets, ... and their
+appropriate file context (label).
+</p>
+<p>
+We will look at SELinux policy modules later, but below you'll find an excerpt
+from such a definition, for the <span class="code" dir="ltr">mozilla</span> module:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Excerpt of the mozilla module file contexts</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+/usr/bin/firefox-bin                            -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-[0-9].*                        -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-bin-[0-9].*                    -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/galeon/galeon                     -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/base-4/wrapper           -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/plugin-container     -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/plugin-container   -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+</pre></td></tr>
+</table>
+<p>
+To put the right label on a file, you can use the <span class="code" dir="ltr">setfiles</span> or
+<span class="code" dir="ltr">restorecon</span> commands. Since they are both the same command (but with a
+slightly different way of using) we'll only talk about <span class="code" dir="ltr">restorecon</span> for now
+- more information on the <span class="code" dir="ltr">setfiles</span> command can be found in its man page.
+</p>
+<p>
+When you use <span class="code" dir="ltr">restorecon</span>, the application will query the SELinux policy to
+find out what the right label of the file should be. If it differs, it will
+change the label to the right setting. That means that you do not need to
+provide the label for a file in order for the command to work. Also,
+<span class="code" dir="ltr">restorecon</span> supports recursivity, so you do not need to relabel files one
+by one.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using restorecon</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">ls -Z /etc/make.conf</span>
+staff_u:object_r:etc_t            /etc/make.conf
+$ <span class="code-input">restorecon /etc/make.conf</span>
+$ <span class="code-input">ls -Z /etc/make.conf</span>
+system_u:object_r:portage_conf_t  /etc/make.conf
+</pre></td></tr>
+</table>
+<p>
+Finally, Gentoo also provides a useful application: <span class="code" dir="ltr">rlpkg</span>. This script
+relabels the files of a Gentoo package (<span class="code" dir="ltr">rlpkg &lt;packagename&gt;</span>) or,
+given the right arguments, all files on the file system:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using rlpkg</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Relabel the files of the firefox-bin package:</span>
+# <span class="code-input">rlpkg firefox</span>
+
+<span class="code-comment"># Relabel all files on the file system:</span>
+# <span class="code-input">rlpkg -a -r</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Overriding the SELinux Policy File Labels</a></p>
+<p>
+You might not always agree with the label that the SELinux policy enforces on
+the files: you might have your files located elsewhere (a different location for
+your Portage tree is a nice example) or you need to label them differently in
+order for other applications to work. To not have to <span class="code" dir="ltr">chcon</span> these files
+over and over again, you can enhance the SELinux policy on your system with
+additional file context rules. These rules are used when you call
+<span class="code" dir="ltr">restorecon</span> as well and override the rules provided by the SELinux policy.
+</p>
+<p>
+To add additional file context rules, you need to use the <span class="code" dir="ltr">semanage</span>
+command. This command is used to manage, manipulate and update the local SELinux
+policy on your system. In this particular case, we will use the <span class="code" dir="ltr">semanage
+fcontext</span> command:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using semanage to add a file context rule</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Mark /mnt/gentoo/etc/make.conf as a portage_conf_t type</span>
+# <span class="code-input">semanage fcontext -a -t portage_conf_t /mnt/gentoo/etc/make.conf</span>
+
+<span class="code-comment"># Mark /mnt/gentoo/usr/portage as portage_ebuild_t</span>
+# <span class="code-input">semanage fcontext -a -t portage_ebuild_t "http://www.gentoo.org/mnt/gentoo/usr/portage(/.*)?"</span>
+</pre></td></tr>
+</table>
+<p>
+As you can see from the example, you can use wildcards. But beware about using
+wildcards: when a rule holds a wildcard, it has a lower priority than a rule
+without a wildcard. And the priority on rules with a wildcard is based on how
+"down" the string the first occurance of a wildcard is. For more information,
+please check out our <a href="../selinux-faq.xml#matchcontext">FAQ on "How do
+I know which file context rule is used for a particular file?."</a>
+</p>
+<p>
+If you want to delete a file context definition, you use <span class="code" dir="ltr">semanage fcontext
+-d</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Deleting a file context definition</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage fcontext -d -t portage_ebuild_t /mnt/gentoo/etc/make.conf</span>
+</pre></td></tr>
+</table>
+<p>
+Finally, to view all file context definitions (both user-set and SELinux policy
+provided), you can use <span class="code" dir="ltr">semanage fcontext -l</span>. To only see the locally set,
+add <span class="code" dir="ltr">-C</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Viewing user-set file context enhancements</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage fcontext -C -l</span>
+SELinux fcontext                          type             Context
+/opt/xxe/bin/.*\.jar                      all files        system_u:object_r:lib_t
+/srv/virt/gentoo(/.*)?                    all files        system_u:object_r:qemu_image_t
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Customizable types</a></p>
+<p>
+Labels on files are not that hard to understand, but you might come into some
+surprises if you do not know that there are also customizable types.
+</p>
+<p>
+A <span class="emphasis">customizable type</span> is a specific type which is not touched by the
+SELinux administration tools by default. If you want to relabel a file that
+currently holds a customizable type, you will need to force this through the
+commands (such as <span class="code" dir="ltr">restorecon -F</span>).
+</p>
+<p>
+There are not that many customizable types by default. The list of types that
+SELinux considers as customizable are mentioned in the
+<span class="path" dir="ltr">customizable_types</span> file within the
+<span class="path" dir="ltr">/etc/selinux/*/contexts</span> location:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the customizable types</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">cat /etc/selinux/strict/contexts/customizable_types</span>
+mount_loopback_t
+public_content_rw_t
+public_content_t
+swapfile_t
+textrel_shlib_t
+</pre></td></tr>
+</table>
+<p>
+Such types exist because these types are used for files whose location is known
+not to be fixed (and as such, the SELinux policy cannot without a doubt know if
+the label on the files is correct or not). The <span class="code" dir="ltr">public_content_t</span> one,
+which is used for files that are readable by several services (like FTP, web
+server, ...), might give you a nice example for such a case.
+</p>
+<p>
+If you look at the <span class="code" dir="ltr">restorecon</span> man page, it mentions both customizable
+types as well as the user section. The latter is for rules that are identified
+in the SELinux policy as being files for an end user, like the following
+definitions in the <span class="code" dir="ltr">mozilla</span> policy module:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: User section definition within mozilla module</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+HOME_DIR/\.mozilla(/.*)?      gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)?     gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)?      gen_context(system_u:object_r:mozilla_home_t,s0)
+</pre></td></tr>
+</table>
+<p>
+Although in the above example, forcing <span class="code" dir="ltr">restorecon</span> on the files is
+probably correct, there are examples where you do not want this. For instance,
+the firefox policy by default only allows the application to write to
+directories labeled <span class="code" dir="ltr">mozilla_home_t</span>. If you want to download something,
+this isn't possible (unless you download it into <span class="path" dir="ltr">~/.mozilla</span>). The
+solution there is to label a directory (say <span class="path" dir="ltr">~/Downloads</span>) as
+<span class="code" dir="ltr">mozilla_home_t</span>. 
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+            </span>SELinux Policy and Booleans</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+We have dealt with users and labels now, but there is still a third aspect that
+we haven't touched: the SELinux policy itself.
+</p>
+<p>
+The SELinux policy as offered by Gentoo Hardened is a carefully tuned SELinux
+policy, based on the reference policy (a distribution-agnostic SELinux policy)
+with minor changes. Hopefully, you will not need to rewrite the policy to suit
+it for your needs, but changes are very likely to occur here and there.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Changing the SELinux Policy Behavior: Booleans</a></p>
+<p>
+A common and user friendly way of tweaking the SELinux policy is through
+booleans. A <span class="emphasis">SELinux boolean</span>, also known as a conditional, changes how the
+SELinux policy behaves based on the setting that the user provides. To make this
+a bit more clear, let's look at a few booleans available:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting SELinux booleans</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">getsebool -a | grep ^user</span>
+user_direct_mouse --&gt; off
+user_dmesg --&gt; off
+user_ping --&gt; on
+user_rw_noexattrfile --&gt; off
+user_tcp_server --&gt; off
+user_ttyfile_stat --&gt; off
+</pre></td></tr>
+</table>
+<p>
+Although they might not say much on first sight, these booleans alter how the
+SELinux policy enforces user activity (hence the booleans starting with
+<span class="path" dir="ltr">user_</span>). For instance, <span class="code" dir="ltr">user_ping</span> is set to <span class="code" dir="ltr">on</span>, so a
+user is allowed to use <span class="code" dir="ltr">ping</span>. If it was set to <span class="code" dir="ltr">off</span>, the SELinux
+policy would not allow a user to execute <span class="code" dir="ltr">ping</span>.
+</p>
+<p>
+Booleans can be toggled on or off using <span class="code" dir="ltr">setsebool</span> or <span class="code" dir="ltr">togglesebool</span>.
+With <span class="code" dir="ltr">setsebool</span> you need to give the value (on or off) whereas
+<span class="code" dir="ltr">togglesebool</span> switches the value.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Disallowing the use of ping by users</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">setsebool user_ping off</span>
+</pre></td></tr>
+</table>
+<p>
+By default, <span class="code" dir="ltr">setsebool</span> does not store the boolean values - after a reboot,
+the old values are used again. To persist such changes, you need to add the
+<span class="code" dir="ltr">-P</span> option:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Persistedly allow users to run dmesg</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">setsebool -P user_dmesg on</span>
+</pre></td></tr>
+</table>
+<p>
+Booleans allow administrators to tune the policy, and allow security
+administrators to write policies that are flexible enough for a more widespread
+use. In terms of Gentoo flexibility, these booleans might not be used enough (it
+would be nice to couple these booleans on USE flags, so that a server build with
+USE="ldap" gets the SELinux policy to use ldap, whereas USE="-ldap" disallows
+it). But still, the use of booleans is a popular method for making a more
+flexible SELinux policy.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Managing SELinux Policy Modules</a></p>
+<p>
+In this last part, we'll cover SELinux policy modules. We mentioned before that
+the SELinux policy used by Gentoo Hardened is based on the reference policy,
+which offers a modular approach to SELinux policies. There is one base policy,
+which is mandatory on every system and is kept as small as possible. The rest
+are SELinux policy modules, usually providing the declarations, rules and file
+contexts for a single application (or type of applications).
+</p>
+<p>
+With <span class="code" dir="ltr">semodule -l</span> you can see the list of SELinux policy modules loaded:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the loaded SELinux modules</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -l</span>
+alsa       1.11.0
+apache     2.3.0
+entropyd   1.6.0
+dbus       1.15.0
+dnsmasq    1.9.0
+<span class="code-comment">(...)</span>
+</pre></td></tr>
+</table>
+<p>
+Within Gentoo Hardened, each module is provided by the package
+<span class="path" dir="ltr">sec-policy/selinux-&lt;modulename&gt;</span>. For instance, the first
+module encountered in the above example is provided by
+<span class="path" dir="ltr">selinux-alsa</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: The SELinux policy module package in Gentoo</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">emerge --search selinux-alsa</span>
+Searching...
+[ Results for search key : selinux-alsa ]
+[ Applications found : 1]
+
+* sec-policy/selinux-alsa
+    Latest version available: 2.20110726
+    Latest version installed: 2.20110726
+    Size of files: 574 kB
+    Homepage:      http://www.gentoo.org/proj/en/hardened/selinux/
+    Description:   SELinux policy for alsa
+    License:       GPL-2
+</pre></td></tr>
+</table>
+<p>
+If you need a module that isn't installed on your system, this is considered a
+bug (packages that need it should depend on the SELinux policy package if the
+selinux USE flag is set). But once you install the package yourself, the module
+will be loaded automatically:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing a SELinux policy package</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge selinux-screen</span>
+</pre></td></tr>
+</table>
+<p>
+If you want to remove a module from your system though, uninstalling the package
+will not suffice: the SELinux policy module itself is copied to the policy store
+earlier (as part of the installation process) and is not removed from this store
+by Portage. Instead, you will need to remove the module manually:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Uninstalling a SELinux policy module</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge -C selinux-screen</span>
+# <span class="code-input">semodule -r screen</span>
+</pre></td></tr>
+</table>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 30, 2011</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+        </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
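Review bot: the `semanage fcontext -a -t portage_ebuild_t` example under "Using semanage to add a file context rule" carries `"http://www.gentoo.org/mnt/gentoo/usr/portage(/.*)?"` as its path regex; the `http://www.gentoo.org` prefix looks like a link-rewriting artifact of the HTML build, and as published the rule would never match anything under `/mnt/gentoo/usr/portage`. It should read `semanage fcontext -a -t portage_ebuild_t "/mnt/gentoo/usr/portage(/.*)?"`. Three smaller consistency points in the same region: the deletion example runs `semanage fcontext -d -t portage_ebuild_t /mnt/gentoo/etc/make.conf` although that path was added as `portage_conf_t` a few listings earlier (use the same type, or drop `-t` on delete); the rlpkg listing's comment says "Relabel the files of the firefox-bin package" while the command shown is `rlpkg firefox`; and the generated HTML gives every chapter the anchor `doc_chap1` and every listing the anchor `doc_chap1_pre1` with the title "Code Listing1.1", so the in-page anchors are duplicated and the numbering carries no information, which suggests the file was rendered without chapter numbering. Typos to fix while here: "sais" (twice, in the chcon paragraph), "occurance", "Persistedly", "a server build with", and "many ways to relabel commands" should be "relabel files".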

diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index b711d55..061fe7b 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -39,10 +39,10 @@ this chapter.
 <p>
 Install Gentoo Linux according to the <a href="http://www.gentoo.org/doc/en/handbook">Gentoo
 Handbook</a> installation instructions. We recommend the use of the hardened
-stage 3 tarballs instead of the standard ones, but standard stage
-installations are also supported for SELinux. Perform a full installation to
-the point that you have booted your system into a (primitive) Gentoo base
-installation.
+stage 3 tarballs and <span class="code" dir="ltr">hardened-sources</span> kernel instead of the standard
+ones, but standard stage installations are also supported for SELinux.
+Perform a full installation to the point that you have booted your system
+into a (primitive) Gentoo base installation.
 </p>
 <table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
 If you are an XFS user, make sure that the inode sizes of the XFS file
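Review bot: the added recommendation for the hardened-sources kernel sits beside the unchanged statement that standard stage installations "are also supported", but the paragraph never tells a reader who stays on the standard path what the kernel has to provide. Whatever kernel package is used, SELinux must be enabled in the kernel configuration before the rest of this chapter can work; one sentence saying so, with a pointer to where that configuration is covered, would close the gap. Naming the package in full as sys-kernel/hardened-sources would also match how it is written elsewhere in the hardened documentation.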
@@ -403,7 +403,7 @@ flag), but until that time, you will need to install them yourself.
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing SELinux modules</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">eix selinux-</span>
+~# <span class="code-input">emerge --search selinux-</span>
 [...]
 <span class="code-comment">(Select the modules you want to install)</span>
 ~# <span class="code-input">emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</span>
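Review bot: "emerge --search selinux-" performs a case-insensitive substring match on package names, so the output the reader is told to choose from can include packages outside sec-policy/ whose name merely contains "selinux-"; the comment "(Select the modules you want to install)" gives no hint of that. Either tell the reader to pick only sec-policy/selinux-* entries, or use emerge's regular-expression search (a "%"-prefixed key) so the match can be anchored to the policy package names.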
@@ -562,7 +562,8 @@ correctly. For instance, if you have installed
 <p class="secthead"><a name="doc_chap1_sect1">Reboot and Set SELinux Booleans</a></p>
 <p>
 Reboot your system. Log on and, if you have indeed installed Gentoo using the
-hardened sources (as we recommended), enable the SSP SELinux boolean:
+hardened sources (as we recommended), enable the SSP SELinux boolean, allowing
+every domain read access to the <span class="path" dir="ltr">/dev/urandom</span> device:
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling the global_ssp boolean</p></td></tr>
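Review bot: the new clause says what global_ssp does (every domain may read /dev/urandom) but not why that is tied to having installed with the hardened sources, so a reader on a standard toolchain has no basis for deciding whether to enable it. The boolean exists for systems where all programs are built with SSP stack-smashing protection, whose start-up code reads /dev/urandom to seed the canary; with it off on such a system every confined domain logs denials for that read. State that here, and add that on a non-hardened build it can stay off, since enabling it widens the access of every domain in the policy.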
@@ -573,12 +574,14 @@ hardened sources (as we recommended), enable the SSP SELinux boolean:
 <p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p>
 <p>
 Finally, we need to map the account(s) you use to manage your system (those
-that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. By default,
-users are mapped to the <span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the
-appropriate rights (nor access to the appropriate roles) to manage a system.
-Accounts that are mapped to <span class="code" dir="ltr">staff_u</span> can, but might need to switch roles
-from <span class="code" dir="ltr">staff_r</span> to <span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate
-privileges.
+that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. If not, none
+of your accounts will be able to succesfully manage the system (except for
+<span class="code" dir="ltr">root</span>, but then you will need to login as <span class="code" dir="ltr">root</span> directly and not
+through <span class="code" dir="ltr">sudo</span> or <span class="code" dir="ltr">su</span>.) By default, users are mapped to the
+<span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the appropriate rights (nor access
+to the appropriate roles) to manage a system. Accounts that are mapped to
+<span class="code" dir="ltr">staff_u</span> can, but might need to switch roles from <span class="code" dir="ltr">staff_r</span> to
+<span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate privileges.
 </p>
 <p>
 Assuming that your account name is <span class="emphasis">john</span>:
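Review bot: typo in the added text: "succesfully" should be "successfully", and the full stop belongs outside the parenthesis ("... or <span class="code" dir="ltr">su</span>)."). The parenthetical also asserts that su or sudo from an ordinary account will not help, but not why; one clause would make it actionable: the SELinux user (user_u) is fixed at login and is not changed by su or sudo, and user_u has no access to sysadm_r, so only a login mapped to staff_u (or a direct root login) can reach the administrative role.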
@@ -610,7 +613,7 @@ With that done, enjoy - your first steps into the SELinux world are now made.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated July 22, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>

diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html
index d5e77aa..4212a95 100644
--- a/html/selinux/hb-using-permissive.html
+++ b/html/selinux/hb-using-permissive.html
@@ -243,11 +243,18 @@ screen: /usr/bin/screen
 ~# <span class="code-input">qfile /usr/bin/screen</span>
 app-misc/screen (/usr/bin/screen)
 
-~# <span class="code-input">eix selinux-screen</span>
-* sec-policy/selinux-screen
-     Available versions: ~2.20090730 ~2.20091215 ~2.20101213
-     Homepage:           http://www.gentoo.org/proj/en/hardened/selinux/
-     Description:        SELinux policy for general applications
+~# <span class="code-input">emerge --search selinux-screen</span>
+Searching...    
+[ Results for search key : selinux-screen ]
+[ Applications found : 1 ]
+
+*  sec-policy/selinux-screen
+      Latest version available: 2.20110726
+      Latest version installed: 2.20110726
+      Size of files: 574 kB
+      Homepage:      http://www.gentoo.org/proj/en/hardened/selinux/
+      Description:   SELinux policy for screen
+      License:       GPL-2
 
 ~# <span class="code-input">emerge selinux-screen</span>
 [...]
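Review bot: the replacement listing shows "Latest version installed: 2.20110726", i.e. the module is already present, yet the next command is "emerge selinux-screen" and the surrounding text walks the reader through adding a policy module that is missing. Capture the search output on a system where the module is not yet installed (emerge prints "Latest version installed: [ Not Installed ]") so the example matches the procedure it is meant to illustrate.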
@@ -584,7 +591,7 @@ The same tool can be used to relabel the entire system:
 </table>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>

diff --git a/html/selinux/hb-appendix-troubleshoot.html b/html/selinux/hb-using-troubleshoot.html
similarity index 100%
rename from html/selinux/hb-appendix-troubleshoot.html
rename to html/selinux/hb-using-troubleshoot.html

diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html
index 7006609..bd04178 100644
--- a/html/selinux/selinux-handbook.html
+++ b/html/selinux/selinux-handbook.html
@@ -53,12 +53,10 @@ a basic understanding of these aspects, it will be difficult to understand
 how SELinux policies work and how to troubleshoot if things go wrong.
 </li>
 <li>
-<b><a href="?part=1&amp;chap=3">The SELinux (Reference) Policy</a></b><br>
-To streamline SELinux policy development, a reference policy is being developed
-that is used by all SELinux-supporting distributions. In this chapter we give 
-some intel on what this reference policy is and why it is brought to life, but
-also how this policy functions and how its development is progressing. We also
-cover the basics on SELinux policies in general.
+<b><a href="?part=1&amp;chap=3">SELinux Resources</a></b><br>
+To get more acquainted with SELinux, many resources exist on the Internet.
+In this chapter we give a quick overview of the various resources as well
+as places where you can get more help when you are fighting with SELinux.
 </li>
 </ol>
 </li>
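Review bot: with this description replaced, Part 1 no longer mentions the reference policy at all, although Part 2 later speaks of "a default policy" that the reader may tweak; a short clause in the new Chapter 3 blurb saying where that background now lives would keep the overview coherent. Wording: "when you are fighting with SELinux" reads as a colloquialism in a handbook table of contents; "when you run into trouble with SELinux" says the same thing.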
@@ -75,55 +73,35 @@ update your system to become a SELinux-managed system. This chapter will guide
 you through this process.
 </li>
 <li>
-<b><a href="?part=2&amp;chap=2">SELinux Commands</a></b><br>
-Before we start with SELinux, we first take a step back and get to know a few
-commands. As we are currently running a SELinux enabled system (but in
-permissive mode) we can now get acquainted with the various SELinux-specific
-commands.
+<b><a href="?part=2&amp;chap=2">Configuring SELinux For Your Needs</a></b><br>
+With SELinux now "installed" and enabled (although in permissive mode), we now
+configure it to suit your particular needs. After all, SELinux is a Mandatory
+Access Control system where you, as security administrator, define what is
+allowed and what not.
 </li>
 <li>
-<b><a href="?part=2&amp;chap=3">Running in Permissive Mode</a></b><br>
-Once SELinux is active, we first start by running the system in permissive mode.
-In this chapter, we tell you how to get acquainted with SELinux more in-depth
-with live command information, but without interfering with the standard access
-controls (i.e. in permissive mode).
+<b><a href="?part=2&amp;chap=3">SELinux Commands</a></b><br>
+Let's take a step back and get to know a few more commands. We covered most of
+them in the previous section, but we will now dive a bit deeper in its
+syntax, features and potential pitfalls.
 </li>
 <li>
-<b><a href="?part=2&amp;chap=4">Switching to Enforcing Mode</a></b><br>
-Once you believe that the system can be ran in enforcing mode, we switch the
-system to verify if this is true. Once verified, the next step is to (re)boot in
-enforcing mode. Finally, if we are confident that the enforcing is working
-properly and that the system is still doing its job correctly, we fix the
-enforcing mode so that it cannot be disabled anymore.
+<b><a href="?part=2&amp;chap=4">Permissive, Unconfined, Disabled or What Not...</a></b><br>
+Your system can be in many SELinux states. In this chapter, we help you switch
+between the various states / policies.
 </li>
 <li>
-<b><a href="?part=2&amp;chap=5">Adding SELinux Policy Modules</a></b><br>
-Far from all packages where SELinux policy modules are available for have a
-corresponding package in Gentoo/Hardened. In this chapter, we help you to add
-more modules yourself or create your own modules for those packages that have no
-SELinux policies yet.
+<b><a href="?part=2&amp;chap=5">Modifying the Gentoo Hardened SELinux Policy</a></b><br>
+Gentoo Hardened offers a default policy, but this might not allow what you want
+(or allows too much). In this chapter we tell you how you can tweak Gentoo's
+policy, or even run your own.
 </li>
-</ol>
-</li>
-<li>
-<b><a href="?part=3">Appendices</a></b><br>
-Additional resources and referenced materials within this book are mentioned in
-this appendix.
-<ol>
 <li>
-<b><a href="?part=3&amp;chap=1">Troubleshooting SELinux</a></b><br>
+<b><a href="?part=2&amp;chap=6">Troubleshooting SELinux</a></b><br>
 Everything made by a human can and will fail. In this chapter we will try to
 keep track of all potential issues you might come across and how to resolve
 them. 
 </li>
-<li>
-<b><a href="?part=3&amp;chap=2">SELinux Reference Material</a></b><br>
-This Gentoo Hardened SELinux handbook gives a first introduction to SELinux and
-how it is integrated in Gentoo Hardened. But more seasoned administrators will
-most definitely want to read up on the more advanced uses (and managerial
-challenges) of SELinux - which we definitely recommend. A non-exhaustive list is
-compiled in this chapter.
-</li>
 </ol>
 </li>
 </ul>
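Review bot: grammar in the new Chapter 3 blurb: "dive a bit deeper in its syntax, features and potential pitfalls" refers to the plural "commands", so "into their syntax"; and "We covered most of them in the previous section" should read "previous chapter", since the items in this list are chapters. More substantively, the old Chapter 4 text spelled out the safe ordering (verify in permissive mode, then reboot into enforcing, then fix enforcing so it cannot be disabled), and the new Chapter 4 blurb only promises help "switching between the various states / policies"; make sure the lock-down step survives in the chapter itself, because that is the one a reader is most likely to skip.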
@@ -160,7 +138,7 @@ compiled in this chapter.
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-handbook.xml?style=printable">Print</a></p></td></tr>
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="selinux-handbook.xml?full=1">View all</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated December 1, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 18, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 This is the Gentoo SELinux Handbook.
 </p></td></tr>




* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
@ 2012-04-28 19:23 Francisco Blas Izquierdo Riera
  0 siblings, 0 replies; 9+ messages in thread
From: Francisco Blas Izquierdo Riera @ 2012-04-28 19:23 UTC (permalink / raw
  To: gentoo-commits

commit:     5dff830dc201fb5a1927aee293f3fc62ccf09a22
Author:     klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Apr 28 19:15:34 2012 +0000
Commit:     Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Apr 28 19:15:34 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5dff830d

Update previews

---
 html/revdep-pax.html                    |  551 ++-----------------------------
 html/roadmap.html                       |   22 +-
 html/selinux-faq.html                   |   27 ++-
 html/selinux/hb-using-install.html      |   18 +-
 html/selinux/hb-using-troubleshoot.html |   27 ++-
 5 files changed, 106 insertions(+), 539 deletions(-)

diff --git a/html/revdep-pax.html b/html/revdep-pax.html
index ee4e6d4..accbeee 100644
--- a/html/revdep-pax.html
+++ b/html/revdep-pax.html
@@ -21,13 +21,18 @@
 <form name="contents" action="http://www.gentoo.org">
 <b>Content</b>:
         <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What's revdep-pax about?</option>
-<option value="#doc_chap2">2. Using revdep-pax</option>
-<option value="#doc_chap3">3. Listing PaX Flags and Capabilities</option>
-<option value="#doc_chap4">4. Programming with ELF files</option></select>
+<option value="#doc_chap2">2. Using revdep-pax</option></select>
 </form>
 <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
             </span>What's revdep-pax about?</p>
-<p class="secthead"><a name="doc_chap1_sect1">A quick introduction to PaX markings.</a></p>
+<p class="epigraph">
+Since the early days of PaX it was known that all programs were equal although
+some were more equal than others and needed an environment with less
+restrictions in order to be able to run. Thus, in order to have a secure way of
+allowing system administrators and users telling the system which binaries
+needed this lessened environment the PaX marks were created.
+<br><br><span class="episig">—Geroge Orwell</span><br><br></p>
+<p class="secthead"><a name="doc_chap1_sect2">A quick introduction to PaX markings.</a></p>
 <p>
 There are some programs which won't be able to run in an environment with all
 the PaX features enabled, for example you may have a program which has so called
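Review bot: the epigraph's signature reads "Geroge Orwell". Beyond the typo ("George"), the passage is a paraphrase of Animal Farm's "all animals are equal, but some are more equal than others" applied to PaX, not something Orwell wrote, so signing it as a quotation misattributes it; mark it "after George Orwell" or drop the signature. Separately, inserting the epigraph shifts the first section anchor from doc_chap1_sect1 to doc_chap1_sect2 (and the next hunk shifts sect2 to sect3), which breaks any existing deep links to those anchors; the epigraph is a paragraph, not a section, so if the generator is counting it as one that is worth fixing at the source rather than accepting the renumbering.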
@@ -88,7 +93,7 @@ marks to the library to state it needs trampoline emulation but still we haven't
 fixed the issue since the kernel will only read the marks on the binary being
 called. In order to solve this issue we have created <span class="code" dir="ltr">revdep-pax</span>.
 </p>
-<p class="secthead"><a name="doc_chap1_sect2">What's revdep-pax?</a></p>
+<p class="secthead"><a name="doc_chap1_sect3">What's revdep-pax?</a></p>
 <p>
 <span class="code" dir="ltr">revdep-pax</span> is a tool that allows to check for differences in PaX markings
 between elf objects linking to libraries (for example <span class="path" dir="ltr">/bin/bash</span>)
@@ -108,530 +113,42 @@ libraries linked by an object and backwards to the objects linked by a library.
 </p>
 <p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
             </span>Using revdep-pax</p>
-<p class="secthead"><a name="doc_chap2_sect1">Propagating PaX marks backwards from a library to objects that link at it
+<p class="epigraph">
+In order to witness the firepower of this fully ARMED and OPERATIONAL tool
+you'll first need to learn how to use it, once you are done, you'll be
+able to fire at will.
+<br><br><span class="episig">—The Emperor</span><br><br></p>
+<p class="secthead"><a name="doc_chap2_sect2">Propagating PaX marks backwards from a library to objects that link at it
 </a></p>
 <p>
 This is going to be probably the main way in which you are going to use this
-utility. What it does is check all the libraries linked statically 
-The <span class="code" dir="ltr">scanelf</span> application is part of the <span class="code" dir="ltr">app-misc/pax-utils</span> package.
-With this application you can print out information specific to the ELF
-structure of a binary. The following table sums up the various options.
-</p>
-<table class="ntable">
-<tr>
-  <td class="infohead"><b>Option</b></td>
-  <td class="infohead"><b>Long Option</b></td>
-  <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
-  <td class="tableinfo">-p</td>
-  <td class="tableinfo">--path</td>
-  <td class="tableinfo">Scan all directories in PATH environment</td>
-</tr>
-<tr>
-  <td class="tableinfo">-l</td>
-  <td class="tableinfo">--ldpath</td>
-  <td class="tableinfo">Scan all directories in /etc/ld.so.conf</td>
-</tr>
-<tr>
-  <td class="tableinfo">-R</td>
-  <td class="tableinfo">--recursive</td>
-  <td class="tableinfo">Scan directories recursively</td>
-</tr>
-<tr>
-  <td class="tableinfo">-m</td>
-  <td class="tableinfo">--mount</td>
-  <td class="tableinfo">Don't recursively cross mount points</td>
-</tr>
-<tr>
-  <td class="tableinfo">-y</td>
-  <td class="tableinfo">--symlink</td>
-  <td class="tableinfo">Don't scan symlinks</td>
-</tr>
-<tr>
-  <td class="tableinfo">-A</td>
-  <td class="tableinfo">--archives</td>
-  <td class="tableinfo">Scan archives (.a files)</td>
-</tr>
-<tr>
-  <td class="tableinfo">-L</td>
-  <td class="tableinfo">--ldcache</td>
-  <td class="tableinfo">Utilize ld.so.cache information (use with -r/-n)</td>
-</tr>
-<tr>
-  <td class="tableinfo">-X</td>
-  <td class="tableinfo">--fix</td>
-  <td class="tableinfo">Try and 'fix' bad things (use with -r/-e)</td>
-</tr>
-<tr>
-  <td class="tableinfo">-z [arg]</td>
-  <td class="tableinfo">--setpax [arg]</td>
-  <td class="tableinfo">Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</td>
-</tr>
-<tr>
-  <td class="infohead"><b>Option</b></td>
-  <td class="infohead"><b>Long Option</b></td>
-  <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
-  <td class="tableinfo">-x</td>
-  <td class="tableinfo">--pax</td>
-  <td class="tableinfo">Print PaX markings</td>
-</tr>
-<tr>
-  <td class="tableinfo">-e</td>
-  <td class="tableinfo">--header</td>
-  <td class="tableinfo">Print GNU_STACK/PT_LOAD markings</td>
-</tr>
-<tr>
-  <td class="tableinfo">-t</td>
-  <td class="tableinfo">--textrel</td>
-  <td class="tableinfo">Print TEXTREL information</td>
-</tr>
-<tr>
-  <td class="tableinfo">-r</td>
-  <td class="tableinfo">--rpath</td>
-  <td class="tableinfo">Print RPATH information</td>
-</tr>
-<tr>
-  <td class="tableinfo">-n</td>
-  <td class="tableinfo">--needed</td>
-  <td class="tableinfo">Print NEEDED information</td>
-</tr>
-<tr>
-  <td class="tableinfo">-i</td>
-  <td class="tableinfo">--interp</td>
-  <td class="tableinfo">Print INTERP information</td>
-</tr>
-<tr>
-  <td class="tableinfo">-b</td>
-  <td class="tableinfo">--bind</td>
-  <td class="tableinfo">Print BIND information</td>
-</tr>
-<tr>
-  <td class="tableinfo">-S</td>
-  <td class="tableinfo">--soname</td>
-  <td class="tableinfo">Print SONAME information</td>
-</tr>
-<tr>
-  <td class="tableinfo">-s [arg]</td>
-  <td class="tableinfo">--symbol [arg]</td>
-  <td class="tableinfo">Find a specified symbol</td>
-</tr>
-<tr>
-  <td class="tableinfo">-k [arg]</td>
-  <td class="tableinfo">--section [arg]</td>
-  <td class="tableinfo">Find a specified section</td>
-</tr>
-<tr>
-  <td class="tableinfo">-N [arg]</td>
-  <td class="tableinfo">--lib [arg]</td>
-  <td class="tableinfo">Find a specified library</td>
-</tr>
-<tr>
-  <td class="tableinfo">-g</td>
-  <td class="tableinfo">--gmatch</td>
-  <td class="tableinfo">Use strncmp to match libraries. (use with -N)</td>
-</tr>
-<tr>
-  <td class="tableinfo">-T</td>
-  <td class="tableinfo">--textrels</td>
-  <td class="tableinfo">Locate cause of TEXTREL</td>
-</tr>
-<tr>
-  <td class="tableinfo">-E [arg]</td>
-  <td class="tableinfo">--etype [arg]</td>
-  <td class="tableinfo">Print only ELF files matching etype ET_DYN,ET_EXEC ...</td>
-</tr>
-<tr>
-  <td class="tableinfo">-M [arg]</td>
-  <td class="tableinfo">--bits [arg]</td>
-  <td class="tableinfo">Print only ELF files matching numeric bits</td>
-</tr>
-<tr>
-  <td class="tableinfo">-a</td>
-  <td class="tableinfo">--all</td>
-  <td class="tableinfo">Print all scanned info (-x -e -t -r -b)</td>
-</tr>
-<tr>
-  <td class="infohead"><b>Option</b></td>
-  <td class="infohead"><b>Long Option</b></td>
-  <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
-  <td class="tableinfo">-q</td>
-  <td class="tableinfo">--quiet</td>
-  <td class="tableinfo">Only output 'bad' things</td>
-</tr>
-<tr>
-  <td class="tableinfo">-v</td>
-  <td class="tableinfo">--verbose</td>
-  <td class="tableinfo">Be verbose (can be specified more than once)</td>
-</tr>
-<tr>
-  <td class="tableinfo">-F [arg]</td>
-  <td class="tableinfo">--format [arg]</td>
-  <td class="tableinfo">Use specified format for output</td>
-</tr>
-<tr>
-  <td class="tableinfo">-f [arg]</td>
-  <td class="tableinfo">--from [arg]</td>
-  <td class="tableinfo">Read input stream from a filename</td>
-</tr>
-<tr>
-  <td class="tableinfo">-o [arg]</td>
-  <td class="tableinfo">--file [arg]</td>
-  <td class="tableinfo">Write output stream to a filename</td>
-</tr>
-<tr>
-  <td class="tableinfo">-B</td>
-  <td class="tableinfo">--nobanner</td>
-  <td class="tableinfo">Don't display the header</td>
-</tr>
-<tr>
-  <td class="tableinfo">-h</td>
-  <td class="tableinfo">--help</td>
-  <td class="tableinfo">Print this help and exit</td>
-</tr>
-<tr>
-  <td class="tableinfo">-V</td>
-  <td class="tableinfo">--version</td>
-  <td class="tableinfo">Print version and exit</td>
-</tr>
-</table>
-<p>
-The format specifiers for the <span class="code" dir="ltr">-F</span> option are given in the following table.
-Prefix each specifier with <span class="code" dir="ltr">%</span> (verbose) or <span class="code" dir="ltr">#</span> (silent) accordingly.
-</p>
-<table class="ntable">
-<tr>
-  <td class="infohead"><b>Specifier</b></td>
-  <td class="infohead"><b>Full Name</b></td>
-  <td class="infohead"><b>Specifier</b></td>
-  <td class="infohead"><b>Full Name</b></td>
-</tr>
-<tr>
-  <td class="tableinfo">F</td>
-  <td class="tableinfo">Filename</td>
-  <td class="tableinfo">x</td>
-  <td class="tableinfo">PaX Flags</td>
-</tr>
-<tr>
-  <td class="tableinfo">e</td>
-  <td class="tableinfo">STACK/RELRO</td>
-  <td class="tableinfo">t</td>
-  <td class="tableinfo">TEXTREL</td>
-</tr>
-<tr>
-  <td class="tableinfo">r</td>
-  <td class="tableinfo">RPATH</td>
-  <td class="tableinfo">n</td>
-  <td class="tableinfo">NEEDED</td>
-</tr>
-<tr>
-  <td class="tableinfo">i</td>
-  <td class="tableinfo">INTERP</td>
-  <td class="tableinfo">b</td>
-  <td class="tableinfo">BIND</td>
-</tr>
-<tr>
-  <td class="tableinfo">s</td>
-  <td class="tableinfo">Symbol</td>
-  <td class="tableinfo">N</td>
-  <td class="tableinfo">Library</td>
-</tr>
-<tr>
-  <td class="tableinfo">o</td>
-  <td class="tableinfo">Type</td>
-  <td class="tableinfo">p</td>
-  <td class="tableinfo">File name</td>
-</tr>
-<tr>
-  <td class="tableinfo">f</td>
-  <td class="tableinfo">Base file name</td>
-  <td class="tableinfo">k</td>
-  <td class="tableinfo">Section</td>
-</tr>
-<tr>
-  <td class="tableinfo">a</td>
-  <td class="tableinfo">ARCH/e_machine</td>
-  <td class="tableinfo"></td>
-  <td class="tableinfo"></td>
-</tr>
-</table>
-<p class="secthead"><a name="doc_chap2_sect2">Using scanelf for Text Relocations</a></p>
-<p>
-As an example, we will use <span class="code" dir="ltr">scanelf</span> to find binaries containing text
-relocations.
-</p>
-<p>
-A relocation is an operation that rewrites an address in a loaded segment. Such
-an address rewrite can happen when a segment has references to a shared object
-and that shared object is loaded in memory. In this case, the references are
-substituted with the real address values. Similar events can occur inside the 
-shared object itself.
-</p>
-<p>
-A text relocation is a relocation in the text segment. Since text segments
-contain executable code, system administrators might prefer not to have these
-segments writable. This is perfectly possible, but since text relocations
-actually write in the text segment, it is not always feasible. 
-</p>
-<p>
-If you want to eliminate text relocations, you will need to make sure
-that the application and shared object is built with <span class="emphasis">Position Independent
-Code</span> (PIC), making references obsolete. This not only increases security,
-but also increases the performance in case of shared objects (allowing writes in
-the text segment requires a swap space reservation and a private copy of the
-shared object for each application that uses it).
-</p>
-<p>
-The following example will search your library paths recursively, without
-leaving the mounted file system and ignoring symbolic links, for any ELF binary
-containing a text relocation:
+utility. What it does is check all the libraries linked statically by the
+binaries using <span class="code" dir="ltr">ldd</span> and then smartly add the paxmarks of those libraries
+to generate the new set. As a result if <span class="path" dir="ltr">/usr/games/bin/armagetronad</span>
+links with <span class="path" dir="ltr">/usr/lib64/libGL.so.1</span> which has the <span class="emphasis">-m</span> PaX mark
+(allow RWX mappings) because you are using a llvm requiring graphics driver
+you'll get that binary marked with the <span class="emphasis">-m</span> PaX mark too since it needs it.
+Below you can see how to run it.
 </p>
 <a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Scanning the system for text relocation binaries</p></td></tr>
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Propagating the PaX marks from the libraries</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -lqtmyR</span>
+# <span class="code-input">mv /etc/grsec/learning.roles /etc/grsec/policy</span>
+# <span class="code-input">chmod 0600 /etc/grsec/policy</span>
 </pre></td></tr>
 </table>
-<p>
-If you want to scan your entire system for <span class="emphasis">any</span> file containing text
-relocations:
-</p>
-<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Scanning the entire system for text relocation files</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -qtmyR /</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap2_sect3">Using scanelf for Specific Header</a></p>
-<p>
-The scanelf util can be used to quickly identify files that contain a 
-given section header using the -k .section option.
-</p>
-<p>
-In this example we are looking for all files in /usr/lib/debug 
-recursively using a format modifier with quiet mode enabled that have been 
-stripped. A stripped elf will lack a .symtab entry, so we use the '!' 
-to invert the matching logic.
-</p>
-<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Scanning for stripped or non stripped executables</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap2_sect4">Using scanelf for Specific Segment Markings</a></p>
-<p>
-Each segment has specific flags assigned to it in the Program Header of the
-binary. One of those flags is the type of the segment. Interesting values are
-PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
-segment contains dynamic linking information), PT_INTERP (the segment 
-contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
-for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
-(a PaX extension for the ELF format, used by the security-minded 
-<a href="http://pax.grsecurity.net/">PaX Project</a>.
-</p>
-<p>
-If we want to scan all executables in the current working directory, PATH
-environment and library paths and report those who have a writable and
-executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
-</p>
-<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -lpqe .</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap2_sect5">Using scanelf's Format Modifier Handler</a></p>
-<p>
-A useful feature of the <span class="code" dir="ltr">scanelf</span> utility is the format modifier handler.  
-With this option you can control the output of <span class="code" dir="ltr">scanelf</span>, thereby 
-simplifying parsing the output with scripts.
-</p>
-<p>
-As an example, we will use <span class="code" dir="ltr">scanelf</span> to print the file names that contain
-text relocations:
-</p>
-<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Example of the scanelf format modifier handler</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -l -p -R -q -F "%F #t"</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="pspax"></a><a name="doc_chap3"></a><span class="chapnum">3.
-            </span>Listing PaX Flags and Capabilities</p>
-<p class="secthead"><a name="doc_chap3_sect1">About PaX</a></p>
-<p>
-<a href="http://pax.grsecurity.net">PaX</a> is a project hosted by the <a href="http://www.grsecurity.net">grsecurity</a> project. Quoting the <a href="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</a>, its main 
-goal is "to research various defense mechanisms against the exploitation of 
-software bugs that give an attacker arbitrary read/write access to the 
-attacked task's address space. This class of bugs contains among others 
-various forms of buffer overflow bugs (be they stack or heap based), user
-supplied format string bugs, etc."
-</p>
-<p>
-To be able to benefit from these defense mechanisms, you need to run a Linux
-kernel patched with the latest PaX code. The <a href="http://hardened.gentoo.org">Hardened Gentoo</a> project supports PaX and
-its parent project, grsecurity. The supported kernel package is
-<span class="code" dir="ltr">sys-kernel/hardened-sources</span>.
-</p>
-<p>
-The Gentoo/Hardened project has a <a href="pax-quickstart.html">Gentoo PaX Quickstart Guide</a>
-for your reading pleasure.
-</p>
-<p class="secthead"><a name="doc_chap3_sect2">Flags and Capabilities</a></p>
-<p>
-If your toolchain supports it, your binaries can have additional PaX flags in
-their Program Header. The following flags are supported:
-</p>
-<table class="ntable">
-<tr>
-  <td class="infohead"><b>Flag</b></td>
-  <td class="infohead"><b>Name</b></td>
-  <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
-  <td class="tableinfo">P</td>
-  <td class="tableinfo">PAGEEXEC</td>
-  <td class="tableinfo">
-    Refuse code execution on writable pages based on the NX bit
-    (or emulated NX bit)
-  </td>
-</tr>
-<tr>
-  <td class="tableinfo">S</td>
-  <td class="tableinfo">SEGMEXEC</td>
-  <td class="tableinfo">
-    Refuse code execution on writable pages based on the
-    segmentation logic of IA-32
-  </td>
-</tr>
-<tr>
-  <td class="tableinfo">E</td>
-  <td class="tableinfo">EMUTRAMP</td>
-  <td class="tableinfo">
-    Allow known code execution sequences on writable pages that
-    should not cause any harm
-  </td>
-</tr>
-<tr>
-  <td class="tableinfo">M</td>
-  <td class="tableinfo">MPROTECT</td>
-  <td class="tableinfo">
-    Prevent the creation of new executable code to the process
-    address space
-  </td>
-</tr>
-<tr>
-  <td class="tableinfo">R</td>
-  <td class="tableinfo">RANDMMAP</td>
-  <td class="tableinfo">
-    Randomize the stack base to prevent certain stack overflow
-    attacks from being successful
-  </td>
-</tr>
-<tr>
-  <td class="tableinfo">X</td>
-  <td class="tableinfo">RANDEXEC</td>
-  <td class="tableinfo">
-    Randomize the address where the application maps to prevent
-    certain attacks from being exploitable
-  </td>
-</tr>
-</table>
-<p>
-The default Linux kernel also supports certain capabilities, grouped in the
-so-called <span class="emphasis">POSIX.1e Capabilities</span>. You can find a listing of those
-capabilities in our <a href="capabilities.html">POSIX Capabilities</a> document.
-</p>
-<p class="secthead"><a name="doc_chap3_sect3">Using pspax</a></p>
-<p>
-The <span class="code" dir="ltr">pspax</span> application, part of the <span class="code" dir="ltr">pax-utils</span> package, displays the
-run-time capabilities of all programs you have permission for. On Linux kernels
-with additional support for extended attributes (such as SELinux) those
-attributes are shown as well.
-</p>
-<p>
-When ran, <span class="code" dir="ltr">pspax</span> shows the following information:
-</p>
-<table class="ntable">
-<tr>
-  <td class="infohead"><b>Column</b></td>
-  <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
-  <td class="tableinfo">USER</td>
-  <td class="tableinfo">Owner of the process</td>
-</tr>
-<tr>
-  <td class="tableinfo">PID</td>
-  <td class="tableinfo">Process id</td>
-</tr>
-<tr>
-  <td class="tableinfo">PAX</td>
-  <td class="tableinfo">Run-time PaX flags (if applicable)</td>
-</tr>
-<tr>
-  <td class="tableinfo">MAPS</td>
-  <td class="tableinfo">Write/eXecute markings for the process map</td>
-</tr>
-<tr>
-  <td class="tableinfo">ELF_TYPE</td>
-  <td class="tableinfo">Process executable type: ET_DYN or ET_EXEC</td>
-</tr>
-<tr>
-  <td class="tableinfo">NAME</td>
-  <td class="tableinfo">Name of the process</td>
-</tr>
-<tr>
-  <td class="tableinfo">CAPS</td>
-  <td class="tableinfo">POSIX.1e capabilities (see note)</td>
-</tr>
-<tr>
-  <td class="tableinfo">ATTR</td>
-  <td class="tableinfo">Extended attributes (if applicable)</td>
-</tr>
-</table>
 <table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-<span class="code" dir="ltr">pspax</span> only displays these capabilities when it is linked with
-the external capabilities library. This requires you to build <span class="code" dir="ltr">pax-utils</span>
-with -DWANT_SYSCAP.
+Due to the way in which <span class="code" dir="ltr">ldd</span> works you'll get all the libraries required
+at runtime, even those required by libraries you link to (and so on recursively)
+as a result <span class="code" dir="ltr">revdep-pax</span> will detect all dependencies in a single pass. If
+the behaviour of <span class="code" dir="ltr">ldd</span> changes so may change the behaviour of
+<span class="code" dir="ltr">revdep-pax</span>
 </p></td></tr></table>
 <p>
-By default, <span class="code" dir="ltr">pspax</span> does not show any kernel processes. If you want those
-to be taken as well, use the <span class="code" dir="ltr">-a</span> switch.
-</p>
-<p class="chaphead"><a name="dumpelf"></a><a name="doc_chap4"></a><span class="chapnum">4.
-            </span>Programming with ELF files</p>
-<p class="secthead"><a name="doc_chap4_sect1">The dumpelf Utility</a></p>
-<p>
-With the <span class="code" dir="ltr">dumpelf</span> utility you can convert a ELF file into human readable C
-code that defines a structure with the same image as the original ELF file.
+The <span class="code" dir="ltr">scanelf</span> application is part of the <span class="code" dir="ltr">app-misc/pax-utils</span> package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
 </p>
-<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: dumpelf example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">dumpelf /bin/hostname</span>
-#include &lt;elf.h&gt;
-
-<span class="code-comment">/*
- * ELF dump of '/bin/hostname'
- *     10276 (0x2824) bytes
- */</span>
-
-struct {
-        Elf32_Ehdr ehdr;
-        Elf32_Phdr phdrs[8];
-        Elf32_Shdr shdrs[26];
-} dumpedelf_0 = {
-
-.ehdr = {
-<span class="code-comment">(... Output stripped ...)</span>
-</pre></td></tr>
-</table>
 <br><p class="copyright">
 	The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
   </p>
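Review bot: the replacement note text (the added lines beginning "Due to the way in which ldd works") is one run-on sentence that ends without a full stop after the final `revdep-pax`; suggest splitting it: "Because ldd lists every library needed at runtime, including those pulled in by other libraries (recursively), revdep-pax detects all dependencies in a single pass. If the behaviour of ldd changes, so may the behaviour of revdep-pax." Also, because this hunk removes the whole pspax and dumpelf chapters, the revdep-pax note now sits immediately above the new paragraph introducing `scanelf`; verify in the rendered page that the note is attached to the revdep-pax section it describes rather than appearing under scanelf.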

diff --git a/html/roadmap.html b/html/roadmap.html
index 17be1a3..e35467e 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -270,29 +270,15 @@ of the packages and standard policies.
   <td class="infohead"><b>Related Bugs</b></td>
 </tr>
 <tr>
-  <td class="tableinfo">Deprecate old policies</td>
-  <td class="tableinfo">2011-11-10</td>
-  <td class="tableinfo">done</td>
-  <td class="tableinfo">SwifT</td>
-  <td class="tableinfo"></td>
-</tr>
-<tr>
-  <td class="tableinfo">Deprecate old profiles</td>
-  <td class="tableinfo">2011-12-01</td>
-  <td class="tableinfo">done</td>
-  <td class="tableinfo">blueness</td>
-  <td class="tableinfo"></td>
-</tr>
-<tr>
-  <td class="tableinfo">Get mainstream packages the proper dependencies on the SELinux policies</td>
-  <td class="tableinfo">2011-12-31</td>
+  <td class="tableinfo">Stabilize 20120215 policies</td>
+  <td class="tableinfo">2012-04-30</td>
   <td class="tableinfo"></td>
   <td class="tableinfo">SwifT</td>
   <td class="tableinfo"></td>
 </tr>
 <tr>
   <td class="tableinfo">Have SELinux-enabled stage3 available on the mirrors</td>
-  <td class="tableinfo">2012-01-31</td>
+  <td class="tableinfo">2012-06-31</td>
   <td class="tableinfo"></td>
   <td class="tableinfo"></td>
   <td class="tableinfo"></td>
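Review bot: `2012-06-31` on the "Have SELinux-enabled stage3 available on the mirrors" row is not a valid date (June has 30 days); use `2012-06-30` or whatever date was intended.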
@@ -302,7 +288,7 @@ of the packages and standard policies.
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Page updated December 10, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated April 5, 2012</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 A roadmap that plots current needs and goals of the
 Hardened Gentoo project.

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 41695b4..29c7826 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -79,6 +79,7 @@ FAILED (crontabs/root)'</a></li>
 <li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li>
 <li><a href="#auth-run_init">Why do I always need to re-authenticate when operating init scripts?</a></li>
 <li><a href="#initramfs">How do I use SELinux with initramfs?</a></li>
+<li><a href="#xdm">Logons through xdm (or similar) fail</a></li>
 </ul>
 <p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
             </span>General SELinux Support Questions</p>
@@ -728,11 +729,35 @@ When enabled, enforcing mode cannot be disabled anymore (until you reboot).
 # <span class="code-input">setsebool secure_mode_policyload on</span>
 </pre></td></tr>
 </table>
+<p class="secthead"><a name="xdm"></a><a name="doc_chap5_sect12">Logons through xdm (or similar) fail</a></p>
+<p>
+If you log on through xdm, gdm, kdm, slim or any other graphical logon manager,
+you might notice in permissive mode that your context is off, and in enforcing
+mode that you just cannot log on.
+</p>
+<p>
+The reason of this is that PAM needs to be configured to include SELinux
+awareness in your session handling:
+</p>
+<a name="doc_chap5_pre18"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.18: Updating pam setting for gdm</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+...
+session  required   pam_loginuid.so
+session  optional   pam_console.so
+<span class="code-input">session  optional   pam_selinux.so</span>
+</pre></td></tr>
+</table>
+<p>
+Replicate the calls towards <span class="path" dir="ltr">pam_selinux.so</span> in the various
+<span class="path" dir="ltr">/etc/pam.d/gdm*</span> files (or similar depending on your graphical
+logon manager).
+</p>
 <br><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Page updated February 26, 2012</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated April 5, 2012</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
 The FAQ is a collection of solutions found on IRC, mailinglist, forums or 
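Review bot: the new listing "Updating pam setting for gdm" shows three `session` lines but never says which file they belong to; the paragraph after it points at `/etc/pam.d/gdm*`, so name the file in the listing title (for example "Updating /etc/pam.d/gdm") or as a first comment line in the listing. Grammar: "The reason of this is" should read "The reason for this is". Separately, in the unchanged context the Print link targets `pebenito@gentoo.org?style=printable` instead of a page name like `selinux-faq.xml?style=printable` (compare `roadmap.xml?style=printable` in roadmap.html in this same commit); this looks like a metadata slip in the source XML worth fixing while the page is being touched.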

diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index fc61177..9e97553 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -58,6 +58,7 @@ we recommend to switch to Python 2 until the packages are updated and fixed.
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching to python 2</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">emerge '&lt;=dev-lang/python-3.0'</span>
 ~# <span class="code-input">eselect python list</span>
 Available Python interpreters:
   [1]   python2.7
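Review bot: the added `emerge '<=dev-lang/python-3.0'` in the "Switching to python 2" listing uses an atom that is also satisfied by python-3.0 itself, so it does not strictly express "Python 2"; `'<dev-lang/python-3'` states the intent directly. A short sentence before the listing saying why the emerge step precedes `eselect python list` (a Python 2 interpreter must be installed before it can be selected) would also help readers who already have one installed.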
@@ -184,6 +185,7 @@ The following changes <span class="emphasis">might</span> be necessary on your s
 tools or configurations that apply.
 </p>
 <ul>
+  
   <li>
     If you use LVM for one or more file systems, you need to edit
     <span class="path" dir="ltr">/lib/rcscripts/addons/lvm-start.sh</span> (or <span class="path" dir="ltr">/lib64/..</span>)
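Review bot: the only change in this hunk is a whitespace-only line (`+  `, two trailing spaces) inserted at the top of the `<ul>`; it adds nothing to the rendered list and introduces trailing whitespace into the generated HTML, so drop it.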
@@ -200,6 +202,12 @@ tools or configurations that apply.
     which mess up the file labelling. For instance, <span class="code" dir="ltr">cp /bin/hostname 
     /bin/hostname.old</span>.
   </li>
+  
+  <li>
+    Edit <span class="path" dir="ltr">/etc/sandbox.conf</span> and add in
+    <span class="path" dir="ltr">/sys/fs/selinux/context</span> to the <span class="code" dir="ltr">SANDBOX_WRITE</span> parameter.
+    This is currently needed to work around bug <a href="https://bugs.gentoo.org/410687">410687</a>.
+  </li>
 </ul>
 <p class="secthead"><a name="doc_chap1_sect1">Installing a SELinux Kernel</a></p>
 <p>
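Review bot: the new `<li>` about `/etc/sandbox.conf` is preceded by another whitespace-only line (`+  `) that should be dropped. The item says adding `/sys/fs/selinux/context` to `SANDBOX_WRITE` "is currently needed to work around bug 410687"; consider adding that the entry can be removed once that bug is resolved, so readers do not keep the workaround indefinitely.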
@@ -560,7 +568,8 @@ access to the <span class="path" dir="ltr">/dev/urandom</span> device:
 </table>
 <p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p>
 <p>
-Finally, we need to map the account(s) you use to manage your system (those
+If the <span class="code" dir="ltr">SELINUXTYPE</span> is set to <span class="code" dir="ltr">strict</span>, then we 
+need to map the account(s) you use to manage your system (those
 that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. If not, none
 of your accounts will be able to succesfully manage the system (except for
 <span class="code" dir="ltr">root</span>, but then you will need to login as <span class="code" dir="ltr">root</span> directly and not
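Review bot: the rewritten opening now makes the `staff_u` mapping conditional on `SELINUXTYPE` being `strict`, but the unchanged continuation still reads "If not, none of your accounts will be able to succesfully manage the system"; with the new conditional, "If not" can be read as "if SELINUXTYPE is not strict", the opposite of what is meant. Suggest "If you skip this step, none of your accounts ...". Also "succesfully" -> "successfully" in that context line.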
@@ -596,11 +605,16 @@ staff_u:sysadm_r:sysadm_t
 </pre></td></tr>
 </table>
 <p>
+If you however use a <span class="code" dir="ltr">targeted</span> policy, then the user you work with will be
+of type <span class="emphasis">unconfined_t</span> and will already have the necessary privileges to
+perform system administrative tasks.
+</p>
+<p>
 With that done, enjoy - your first steps into the SELinux world are now made.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated January 29, 2012</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated April 10, 2012</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>
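Review bot: in the new targeted-policy paragraph `unconfined_t` is marked up with `<span class="emphasis">`, whereas the surrounding text marks SELinux identifiers such as `staff_u` and `targeted` with `<span class="code">`; use the code style for consistency. Wording: "If you however use" reads better as "If, however, you use".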

diff --git a/html/selinux/hb-using-troubleshoot.html b/html/selinux/hb-using-troubleshoot.html
index 983cc5a..c18afc1 100644
--- a/html/selinux/hb-using-troubleshoot.html
+++ b/html/selinux/hb-using-troubleshoot.html
@@ -95,6 +95,31 @@ selinux USE flag is in place, and reinstall <span class="path" dir="ltr">sys-app
 the selinux USE flag is not in place, check your Gentoo profile and make sure it
 points to a <span class="path" dir="ltr">selinux/v2refpolicy/...</span> profile.
 </p>
+<p class="secthead"><a name="doc_chap1_sect1">Policy Store is Corrupt</a></p>
+<p>
+If you encounter problems during boot-up or <span class="code" dir="ltr">semodule</span> operations which
+fail with loading problems, but cannot be resolved with the above solution, then
+you might need to reinstall the policies after eliminating the corrupt store.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Recovering from store corruption</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">semodule -n -B</span>
+libsemanage.semanage_load_module: Error while reading from module file
+/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory)
+
+~# <span class="code-input">setenforce 0</span>
+~# <span class="code-input">mv /etc/selinux/targeted /etc/selinux/targeted.old</span>
+~# <span class="code-input">FEATURES="-selinux" emerge -1av $(qlist -IC sec-policy)</span>
+~# <span class="code-input">restorecon -R /etc/selinux</span>
+</pre></td></tr>
+</table>
+<p>
+This will effectively disable the current, corrupted SELinux policy store and
+then use Portage to reinstall all SELinux policy packages that are installed on
+the system. When done, the file contexts of <span class="path" dir="ltr">/etc/selinux</span> are
+restored, after which you should be able to continue.
+</p>
 <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
             </span>Unable to Log On</p>
 <p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p>
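Review bot: the recovery listing hard-codes the `targeted` store (`mv /etc/selinux/targeted /etc/selinux/targeted.old`), while hb-using-install.html in this same commit distinguishes `strict` and `targeted` via `SELINUXTYPE`; tell the reader to substitute the configured `SELINUXTYPE` so strict users do not move the wrong directory. The introductory sentence "which fail with loading problems, but cannot be resolved with the above solution" is awkward; suggest "that fail with module loading errors and cannot be resolved with the solution above". The explanation after the listing covers the mv, emerge and restorecon steps but not why `setenforce 0` comes first; one sentence on that would complete the walkthrough.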
@@ -267,7 +292,7 @@ disable its SELinux support. To relabel the entire file system, use <span class=
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated December 11, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated April 10, 2012</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>



Thread overview: 9+ messages
2011-08-24 21:10 [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/ Sven Vermeulen
  -- strict thread matches above, loose matches on Subject: below --
2012-04-28 19:23 Francisco Blas Izquierdo Riera
2011-10-15 13:05 Sven Vermeulen
2011-09-04 19:54 Sven Vermeulen
2011-05-24 20:39 Sven Vermeulen
2011-05-15  9:11 Sven Vermeulen
2011-04-22 22:35 Sven Vermeulen
2011-04-22 19:18 Sven Vermeulen
2011-02-19  3:45 Francisco Blas Izquierdo Riera
