From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
Date: Fri, 1 Apr 2011 17:45:09 +0000 (UTC)
Message-ID: <6ead14e833d7958b6f5b89c45d520be1accfa615.SwifT@gentoo>
commit: 6ead14e833d7958b6f5b89c45d520be1accfa615
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 1 17:44:41 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 1 17:44:41 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6ead14e8
drop unneeded files
---
xml/selinux/hb-selinux-conv-profile.xml | 107 -------
xml/selinux/hb-selinux-conv-reboot1.xml | 193 ------------
xml/selinux/hb-selinux-conv-reboot2.xml | 213 -------------
xml/selinux/hb-selinux-faq.xml | 154 ---------
xml/selinux/hb-selinux-howto.xml | 250 ---------------
xml/selinux/hb-selinux-initpol.xml | 48 ---
xml/selinux/hb-selinux-libsemanage.xml | 246 ---------------
xml/selinux/hb-selinux-localmod.xml | 134 --------
xml/selinux/hb-selinux-loglocal.xml | 166 ----------
xml/selinux/hb-selinux-logremote.xml | 177 -----------
xml/selinux/hb-selinux-overview.xml | 521 -------------------------------
xml/selinux/hb-selinux-references.xml | 111 -------
12 files changed, 0 insertions(+), 2320 deletions(-)
diff --git a/xml/selinux/hb-selinux-conv-profile.xml b/xml/selinux/hb-selinux-conv-profile.xml
deleted file mode 100644
index 01f5ead..0000000
--- a/xml/selinux/hb-selinux-conv-profile.xml
+++ /dev/null
@@ -1,107 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ -->
-
-<sections>
-<version>2.1</version>
-<date>2010-06-15</date>
-
-<section><title>Change Profile</title>
-<subsection><body>
-
-<warn>SELinux is only supported on ext2/3, XFS, JFS, and Btrfs. Other filesystems
-lack the complete extended attribute support.</warn>
-
-<warn>Users should convert from a 2006.1 or newer profile otherwise
-there may be unpredictable results.</warn>
-
-<impo>As always, keep a LiveCD at hand in case things go wrong.</impo>
-
-<p>First switch your profile to the SELinux profile for your architecture:</p>
-
-<pre caption="Switch profiles">
-# <i>rm -f /etc/make.profile</i>
-
-
-<comment>x86 (server):</comment>
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/server /etc/make.profile</i>
-<comment>x86 (hardened):</comment>
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/hardened /etc/make.profile</i>
-<comment>AMD64:</comment>
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/server /etc/make.profile</i>
-<comment>AMD64 (hardened):</comment>
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/hardened /etc/make.profile</i>
-</pre>
-
-<note>You can also switch profiles with eselect if you have the gentoolkit
- package installed. That method is not shown here because the specific options
- available and their numbering will vary according to your system
- configuration.</note>
-
-<impo>Do not use any profiles other than the ones listed above, even
-if they seem to be out of date. SELinux profiles are not necessarily
-created as often as default Gentoo profiles.</impo>
-
-<impo>The SELinux profile has significanly fewer USE flags asserted than
-the default profile. Use <c>emerge info</c> to see if any use flags
-need to be reenabled in make.conf.</impo>
-
-<note>It is not necessary to add selinux to your USE flags in make.conf.
-The SELinux profile already does this for you.
-</note>
-
-<note>
- You may encounter this message from portage: "!!! SELinux module not found.
- Please verify that it was installed." This is normal, and will be fixed
- later in the conversion process.
-</note>
-</body>
-</subsection>
-</section>
-
-<section><title>Update Kernel Headers</title>
-<subsection><body>
-<p>
- We will start by updating essential packages. First check which version
- of linux-headers is installed.
-</p>
-
-<pre caption="Check linux-headers version">
-# <i>emerge -s linux-headers</i>
-<comment>or if you have gentoolkit installed:</comment>
-# <i>equery list -i linux-headers</i>
-</pre>
-
-<p>
- If the linux-headers version is older than 2.4.20, newer headers must be merged.
-</p>
-
-<pre caption="Merge newer headers">
-# <i>emerge \>=sys-kernel/linux-headers-2.4.20</i>
-</pre>
-</body>
-</subsection>
-</section>
-
-<section><title>Update Glibc</title>
-<subsection><body>
-<p>
- If you have merged new headers, or you are unsure if your glibc was
- compiled with newer headers, you must recompile glibc.
-</p>
-
-<pre caption="Recompile glibc">
-# <i>emerge glibc</i>
-</pre>
-
-<impo>
- This is a critical operation. Glibc must be compiled with newer linux-headers,
- otherwise some operations will malfunction.
-</impo>
-</body></subsection>
-</section>
-</sections>
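Review bot: the commit message "drop unneeded files" does not say what supersedes this chapter, so with a whole-file deletion a reviewer cannot tell whether the profile-switch instructions (`ln -sf /usr/portage/profiles/selinux/v2refpolicy/.../hardened /etc/make.profile`), the linux-headers >= 2.4.20 check and the glibc rebuild have moved to another document or are simply retired. Please state the replacement (or that this 2006.1-era procedure is obsolete) in the message, and check that no remaining handbook index still includes hb-selinux-conv-profile.xml, since a dangling include could break the book build.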
diff --git a/xml/selinux/hb-selinux-conv-reboot1.xml b/xml/selinux/hb-selinux-conv-reboot1.xml
deleted file mode 100644
index bfc8692..0000000
--- a/xml/selinux/hb-selinux-conv-reboot1.xml
+++ /dev/null
@@ -1,193 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v 1.11 2010/10/06 15:11:15 pebenito Exp $ -->
-
-<sections>
-<version>2.2</version>
-<date>2010-11-27</date>
-
-<section><title>Merge a SELinux Kernel</title>
-<subsection><body>
-<p>Merge an appropriate kernel. A 2.6 kernel is required. The
- suggested kernel is hardened-sources.
-</p>
-
-<note>2.6.28-r9 is the current hardened release version at the time of this writing,
- and all instructions in this document assume at least this version.</note>
-
-<warn>Kernels 2.6.14 and 2.6.15 should not be used by XFS users as they
- have bugs in the SELinux XFS support.</warn>
-
-<pre caption="Merge an appropriate kernel">
-<comment>Any 2.6 kernel</comment>
-# <i>emerge hardened-sources</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Compile the Kernel with SELinux Options</title>
-<subsection><body>
-<p>The kernel must be compiled with security module support, SELinux support,
-devpts, and extended attribute security labels. Refer to the main installation
-guide for futher kernel options.</p>
-
-<note>
-The available options may vary slightly depending on the kernel version
-being used. In particular, Btrfs first became available with the 2.6.29
-kernel, and the /dev/pts and tmpfs Extended Attributs and Security Labels
-options were obsoleted in kernel 2.6.13 (they are now enabled by default).
-"Default Linux Capabilies" under "Security options" was obsoleted in the
-2.6.26 kernel (it is now enabled by default).
-
-XFS always enables security labeling, so there is no additional option
-to set for this file system
-
-Ext4 should work, but is NOT well tested at the time of this writing!
-
-Any extended attribute options not specifically enabled below should be turned
-off.
-</note>
-
-<pre caption="Location and required options under menuconfig">
-<comment>Under "General setup"</comment>
-[*] Prompt for development and/or incomplete code/drivers
-[*] Auditing support
-[*] Enable system-call auditing support
-
-<comment>Under "File systems"</comment>
-<*> Second extended fs support <comment>(If using ext2)</comment>
-[*] Ext2 extended attributes
-[ ] Ext2 POSIX Access Control Lists
-[*] Ext2 Security Labels
-[ ] Ext2 Execute in place support
-<*> Ext3 journalling file system support <comment>(If using ext3)</comment>
-[*] Ext3 extended attributes
-[ ] Ext3 POSIX Access Control Lists
-[*] Ext3 Security labels
-<*> The Extended 4 (ext4) filesystem <comment>(If using ext4)</comment>
-[ ] Enable ext4dev compatibility
-[*] Ext4 extended attrributes
-[ ] Ext4 POSIX Access Control Lists
-[*] Ext4 Security Labels
-<*> JFS filesystem support <comment>(If using JFS)</comment>
-[ ] JFS POSIX Access Control Lists
-[*] JFS Security Labels
-[ ] JFS debugging
-[ ] JFS statistics
-<*> XFS filesystem support <comment>(If using XFS)</comment>
-[ ] XFS Quota support
-[ ] XFS POSIX ACL support
-[ ] XFS Realtime subvolume support (EXPERIMENTAL)
-[ ] XFS Debugging Support
-<*> Btrfs filesystem (EXPERIMENTAL) Unstable disk format <comment>(if
-using Btrfs)</comment>
-[ ] Btrfs POSIX Access Control Lists (NEW)
-<comment>Under "Pseudo filesystems (via "File systems")</comment>
-[ ] /dev file system support (EXPERIMENTAL)
-[*] /dev/pts Extended Attributes
-[*] /dev/pts Security Labels
-[*] Virtual memory file system support (former shm fs)
-[*] tmpfs Extended Attributes
-[*] tmpfs Security Labels
-
-<comment>Under "Security options"</comment>
-[*] Enable different security models
-[*] Socket and Networking Security Hooks
-<*> Default Linux Capabilities
-[*] NSA SELinux Support
-[ ] NSA SELinux boot parameter
-[ ] NSA SELinux runtime disable
-[*] NSA SELinux Development Support
-[ ] NSA SELinux AVC Statistics
-(1) NSA SELinux checkreqprot default value
-[ ] NSA SELinux enable new secmark network controls by default
-[ ] NSA SELinux maximum supported policy format version
- Default security module (SELinux) --->
-</pre>
-
-<p>
- The extended attribute security labels must be turned on for devpts and
- your filesystem(s). Devfs is not usable in SELinux, and should be
- turned off. Not all options exist on older 2.6 kernels,
- such as Auditing support, and runtime disable. In newer kernels,
- the extended attributes support for proc and the virtual memory fs (tmpfs)
- are enabled by default; thus, no options will appear in menuconfig.
-</p>
-
-<note>It is recommended to configure PaX if you are using harded-sources (also
-recommended). More information about Pax can be found in the <uri link="/proj/en/hardened/pax-quickstart.xml">Hardened Gentoo
-PaX Quickstart Guide</uri>.
-</note>
-
-<warn>
- Do not enable the SELinux MLS policy option if its available, as it is
- not supported, and will cause your machine to not start.
-</warn>
-
-<p>
- Now compile and install the kernel and modules, but do not reboot.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Update fstab</title>
-<subsection><body>
-<p>
- SElinuxfs must also be enabled to mount at boot.
- Add this to /etc/fstab:
-</p>
-<pre caption="Fstab settings for selinuxfs">
-none /selinux selinuxfs defaults 0 0
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Configure Baselayout</title>
-<subsection><body>
-<p>
-SELinux does not support devfs. You must configure baselayout to
-use either static device nodes or udev. If using udev, the
-device tarball must be disabled. Edit the /etc/conf.d/rc file.
-Set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no.
-If you have several custom device nodes, static is suggested,
-otherwise udev is suggested (udev is the default at the time of this writing).
-For more information on udev, consult the <uri link="/doc/en/udev-guide.xml">Gentoo UDEV Guide</uri>.
-</p>
-<pre caption="Init script configuration">
-# Use this variable to control the /dev management behavior.
-# auto - let the scripts figure out what's best at boot
-# devfs - use devfs (requires sys-fs/devfsd)
-# udev - use udev (requires sys-fs/udev)
-# static - let the user manage /dev
-
-RC_DEVICES="<comment>udev</comment>"
-
-# UDEV OPTION:
-# Set to "yes" if you want to save /dev to a tarball on shutdown
-# and restore it on startup. This is useful if you have a lot of
-# custom device nodes that udev does not handle/know about.
-
-RC_DEVICE_TARBALL="<comment>no</comment>"
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Reboot</title>
-<subsection><body>
-<p>
- We need to make some directories before we reboot.
-</p>
-<pre caption="Making Required Directories">
-# <i>mkdir /selinux</i>
-# <i>mkdir /sys</i>
-</pre>
-<p>
- Now reboot.
-</p>
-</body></subsection>
-</section>
-</sections>
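Review bot: removing this chapter drops the kernel configuration checklist (per-filesystem `Security Labels`, `Auditing support`, `Default security module (SELinux)`, and the warning not to enable the MLS policy option) together with the `none /selinux selinuxfs defaults 0 0` fstab entry, which other chapters deleted in this same commit rely on (the howto's `/selinux/enforce` switching assumes selinuxfs is mounted and `NSA SELinux Development Support` is set). If a replacement chapter carries an updated checklist, name it in the commit; if not, the deletion leaves no guidance on which options are required and which are harmful, and holding this file until the replacement lands would be safer. The clearly stale parts (2.6.28-r9 as the "current" release, the devfs/baselayout `RC_DEVICES` section, the `/dev/pts` xattr options obsoleted in 2.6.13) justify a rewrite rather than keeping the text as is.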
diff --git a/xml/selinux/hb-selinux-conv-reboot2.xml b/xml/selinux/hb-selinux-conv-reboot2.xml
deleted file mode 100644
index 95383da..0000000
--- a/xml/selinux/hb-selinux-conv-reboot2.xml
+++ /dev/null
@@ -1,213 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v 1.11 2010/06/25 16:07:19 pebenito Exp $ -->
-
-<sections>
-<version>2.3</version>
-<date>2010-11-27</date>
-
-<section><title>Merge SELinux Packages</title>
-<subsection>
-<body>
-<p>Merge the libraries, utilities and base-policy. The policy version may need
- be adjusted, refer to the SELinux Overview
- for more information on policy versions. Then load the policy.</p>
-
-<pre caption="Merge base SELinux packages and policy">
-# <i>emerge -1 checkpolicy policycoreutils</i>
-# <i>FEATURES=-selinux emerge -1 selinux-base-policy</i>
-</pre>
-<note>
-The "FEATURES=-selinux" part of the emerge command should only be used on the above command.
-It is required to merge selinux-base-policy (only for the first time) as the portage SELinux features require both policycoreutils and selinux-base-policy otherwise portage will fail.
-</note>
-</body></subsection>
-</section>
-
-<section><title>Choose the policy type</title>
-<body>
-<p>
-New in 2006.1, users now have the choice between the strict policy and the
-targeted policy.
-</p>
-<p>
-In the strict policy, all processes are confined.
-If you are familiar with pre 2006.1 Gentoo SELinux policy, that policy was a strict policy.
-Strict policy is suggested for servers.
-Gentoo does not support the strict policy on desktops.
-</p>
-<p>
-The targeted policy differs with strict, as only network-facing services are
-confined and local users are unconfined. Gentoo only supports desktops with
-the targeted policy. This policy can also be used on servers.
-</p>
-<p>
-Edit the /etc/selinux/config file to set the policy type.
-</p>
-<pre caption="/etc/selinux/config contents">
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=permissive <comment>(This should be set permissive for the remainder of the install)</comment>
-
-# SELINUXTYPE can take one of these two values:
-# targeted - Only targeted network daemons are protected.
-# strict - Full SELinux protection.
-SELINUXTYPE=strict <comment>(Set this as strict or targeted)</comment>
-</pre>
-</body>
-</section>
-
-<section><title>Merge SELinux-patched packages</title>
-<subsection><body>
-<p>
- There are several system packages that have SELinux patches. These patches
- provide a variety of additional SELinux functionality, such as displaying
- file contexts.
-</p>
-<pre caption="Remerge Packages">
-# <i>emerge -1 sysvinit pam coreutils findutils openssh procps psmisc shadow util-linux python-selinux</i>
-</pre>
-<note>
- If you find that you can't use portage due to a errors like these:
- !!! 'module' object has no attribute 'secure_rename' or
- AttributeError: 'module' object has no attribute 'getcontext', this is
- a portage bug, where it can't handle a missing python-selinux. Merge it
- with "FEATURES=-selinux emerge python-selinux" to fix the problem. See
- bug <uri link="http://bugs.gentoo.org/show_bug.cgi?id=122517">#122517</uri>
- for more information.
-</note>
-<p>There are other packages that have SELinux patches, but are optional. These
-should be remerged if they are already installed, so the SELinux patches are
-applied:</p>
-<ul>
-<li>app-admin/logrotate</li>
-<li>sys-apps/fcron</li>
-<li>sys-apps/vixie-cron</li>
-<li>sys-fs/device-mapper</li>
-<li>sys-fs/udev</li>
-<li>sys-libs/pwdb</li>
-</ul>
-<note>
- Fcron and Vixie-cron are the only crons with SELinux support.
-</note>
-<note>The above packages are NOT an exhaustive list; they are only the most
-common ones. In general, any package installed on the system which has the
-selinux USE flag should be remerged. To see which packages may need to be
-merged, you can:
-emerge -upDN world
-
-Since changing to the selinux profile has changed your USE flags, the above
-will get everything that is listening to the selinux USE flag. It will
-probably also get some other stuff as well. To actually remerge everything,
-simply remove the 'p', or manually specify the packages you want to remerge.
-</note>
-</body></subsection>
-</section>
-
-<section><title>Merge Application Policies</title>
-<subsection><body>
-<p>
- In future, when merging a package, the policy will be set as a dependency so
- that it is merged first; however, since the system is being converted, policy
- for currently installed packages must be merged. The selinux-base-policy
- already covers most packages in the system profile.
-</p>
-<p>
- Look in the <c>/usr/portage/sec-policy</c>, it has several entries, each which
- represent a policy. The naming scheme is selinux-PKGNAME, where PKGNAME is
- the name of the package that the policy is associated. For example, the
- selinux-apache package is the SELinux policy package for net-www/apache.
- Merge each of the needed policy packages and then load the policy.
- If you are converting a desktop, make sure to include the selinux-desktop policy package.
-</p>
-<pre caption="Example Merge of Apache and BIND policies">
-# <i>ls /usr/portage/sec-policy</i>
-<comment>(many directories listed)</comment>
-
-# <i>emerge -1 selinux-apache selinux-bind</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Label Filesystems</title>
-<subsection><body>
-<p>
- Before you can relabel the rest of the filesystems, you need to first relabel
- /dev. Strictly speaking, this is only necessary if you aren't using a static
- /dev. However, as the vast majority of current and new systems are going to
- be built with udev, this probably means you are using udev as well. There
- are a lot of different ways to get at this problem, but the steps below are
- easy to do and work.
-</p>
- <pre caption="Relabel /dev">
-<i># mkdir /mnt/gentoo
-# mount -o bind / /mnt/gentoo
-# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev
-# umount /mnt/gentoo
-</i>
- </pre>
- <note>Remember to select one of {strict,targeted} above based on your
- enforcement mode.</note>
-<p>
- Now label the filesystems. This gives each of the files in the filesystems
- a security label. Keeping these labels consistent is important.
-</p>
-<pre caption="Label filesystems">
-# <i>rlpkg -a -r</i>
-</pre>
-<warn>
- There is a known issue with older versions of GRUB
- not being able to read symlinks that have been labeled.
- Please make sure you have at least GRUB 0.94 installed.
- Also rerun GRUB and reinstall it into the MBR to ensure
- the updated code is in use.
- You do have a LiveCD handy, right?
-</warn>
-<pre caption="Reinstall GRUB on the MBR (GRUB users only)">
-# <i>grub</i>
-
-grub> root (hd0,0) <comment>(Your boot partition)</comment>
-grub> setup (hd0) <comment>(Where the boot record is installed; here, it is the MBR)</comment>
-</pre>
-<p>
- If you've installed Gentoo using the hardened sources, then you'll need to
- tell SELinux that you are using the hardened tool-chain with ssp. You do
- this by setting an SELinux global boolean
-</p>
-<pre caption="SELinux global_ssp">
-<i>setsebool -P global_ssp on</i>
-</pre>
-<note>Make sure you use the -P flag, or the setting won't survive the reboot,
-and you'll likely see a lot of errors relating to /dev/null and /dev/random
-</note>
-</body></subsection>
-</section>
-
-<section><title>Final reboot</title>
-<subsection><body>
-<p>Reboot. Log in, then relabel again to ensure all files
-are labeled correctly (some files may have been created during shutdown and
-reboot)</p>
-<pre caption="Relabel">
-# <i>rlpkg -a -r</i>
-</pre>
-<note>
- It is strongly suggested to <uri link="/main/en/lists.xml">subscribe</uri>
- to the gentoo-hardened mail list. It is generally a low traffic list, and
- SELinux announcements are made there.
-</note>
-<p>
- SELinux is now installed!
-</p>
-</body></subsection>
-</section>
-
-</sections>
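Review bot: this chapter carries the steps that keep a conversion bootable and usable: keeping `SELINUX=permissive` until relabeling is complete, the bind-mount plus `setfiles -r /mnt/gentoo ... /mnt/gentoo/dev` relabel of /dev, `rlpkg -a -r` before and again after the final reboot, and `setsebool -P global_ssp on` for the hardened toolchain (with the note that omitting `-P` loses the setting across reboot). Please confirm in the commit message that the replacement document covers them, as a reader of the remaining docs would otherwise have no instruction to stay permissive before the first enforcing boot. By contrast, the `FEATURES=-selinux emerge -1 selinux-base-policy` bootstrap note and the bug #122517 reference are tied to the old package set and look safe to drop.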
diff --git a/xml/selinux/hb-selinux-faq.xml b/xml/selinux/hb-selinux-faq.xml
deleted file mode 100644
index dc35969..0000000
--- a/xml/selinux/hb-selinux-faq.xml
+++ /dev/null
@@ -1,154 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-faq.xml,v 1.4 2006/09/07 10:37:46 neysx Exp $ -->
-
-<sections>
-<version>1.3</version>
-<date>2006-05-01</date>
-
-<section><title>SELinux features</title>
-<subsection><title>Does SELinux enforce resource limits?</title>
-<body>
-<p>
- No, resource limits are outside the scope of an access control system. If you
- are looking for this type of support, GRSecurity and RSBAC are better choices.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux and other hardened projects</title>
-<subsection><title>Can I use SELinux and GRSecurity (and PaX)?</title>
-<body>
-<p>
- Yes, SELinux can be used with GRSecurity and/or PaX with no problems; however,
- it is suggested that GRACL should not be used, since it would be redundant
- to SELinux's access control.
-</p>
-</body></subsection>
-<subsection><title>Can I use SELinux and the hardened compiler (PIE-SSP)?</title>
-<body>
-<p>
- Yes. It is also suggested that PaX be used to take full advantage
- of the PIE features of the compiler.
-</p>
-</body></subsection>
-<subsection><title>Can I use SELinux and RSBAC?</title>
-<body>
-<p>
- Unknown. Please report your results if you try this combination.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux and filesystems</title>
-<subsection><title>Can I use SELinux with my primary filesystems?</title>
-<body>
-<p>
- SELinux can be used with ext2, ext3, JFS, and XFS. Reiserfs (Reiser3) has
- extended attributes, but the support was never complete, and has been broken
- since 2.6.14. Reiser4 is not supported.
-</p>
-</body></subsection>
-<subsection><title>Can I use SELinux with my ancillary filesystems?</title>
-<body>
-<p>
- Yes, SELinux can mount ancillary filesystems, such as vfat and iso9660
- filesystems, with an important caveat. All files in each filesystem will
- have the same SELinux type, since the filesystems do not support extended
- attributes. Tmpfs is the only ancillary filesystem with complete extended
- attribute support, which allows it to behave like a primary filesystem.
-</p>
-</body></subsection>
-<subsection><title>Can I use SELinux with my network filesystems?</title>
-<body>
-<p>
- Yes, SELinux can mount network filesystems, such as NFS and CIFS
- filesystems, with an important caveat. All files in each filesystem will
- have the same SELinux type, since the filesystems do not support extended
- attributes. In the future, hopefully network filesystems will begin to
- support extended attributes, then they will work like a primary filesystem.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Portage error messages</title>
-<subsection><title>I get a missing SELinux module error when using emerge:</title>
-<body>
-<pre caption="Portage message">
-!!! SELinux module not found. Please verify that it was installed.
-</pre>
-<p>
- This indicates that the portage SELinux module is missing or damaged.
- Also python may have been upgraded to a new version which requires
- python-selinux to be recompiled. Remerge dev-python/python-selinux.
- If packages have been merged under this condition, they must be relabed
- after fixing this condition. If the packages needing to be remerged cannot
- be determined, a full relabel may be required.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux kernel error messages</title>
-<subsection><title>I get a register_security error message when booting:</title>
-<body>
-<pre caption="Kernel message">
-There is already a security framework initialized, register_security failed.
-Failure registering capabilities with the kernel
-selinux_register_security: Registering secondary module capability
-Capability LSM initialized
-</pre>
-<p>
- This means that the Capability LSM module couldn't register as the primary
- module, since SELinux is the primary module. The third message means that it
- registers with SELinux as a secondary module. This is normal.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Setfiles error messages</title>
-<subsection><title>When I try to relabel, it fails with invalid contexts:</title><body>
-<pre caption="Invalid contexts example">
-# make relabel
-/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
-/usr/sbin/setfiles: read 559 specifications
-/usr/sbin/setfiles: invalid context system_u:object_r:default_t on line number 39
-/usr/sbin/setfiles: invalid context system_u:object_r:urandom_device_t on line number 120
-/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 377
-/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 378
-/usr/sbin/setfiles: invalid context system_u:object_r:krb5_conf_t on line number 445
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 478
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 479
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 492
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 493
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 494
-Exiting after 10 errors.
-make: *** [relabel] Error 1
-</pre>
-<p>
- First ensure that /selinux is mounted. If selinuxfs is not mounted, setfiles
- cannot validate any contexts, causing it to believe all contexts are
- invalid. If /selinux is mounted, then most likely there is new policy that
- has not yet been loaded; therefore, the contexts have not yet become valid.
-</p>
-</body></subsection>
-</section>
-
-
-<!-- always keep this one as the bottom FAQ :) -->
-<!-- comment out since the demo machine is down for an indefinite period of time
-<section><title>Gentoo SELinux Demonstration Machine</title>
-<subsection><body>
-<p>
- This machine is not running user-mode linux, or in a chroot, it has SELinux
- mandatory access control. No, you cannot install psybnc or an irc bot on the
- machine, unless you break the SELinux security and gain higher priviledge.
-</p>
-</body></subsection>
-</section>
--->
-<!-- dont put anything below here, this demo machine faq should be the last one -->
-</sections>
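Review bot: unlike the conversion chapters, most of this FAQ is independent of the outdated profile and kernel versions: the `!!! SELinux module not found` portage error and its cause (python-selinux needing a remerge after a Python upgrade, with a relabel of anything merged in the meantime), the `register_security failed` boot messages being benign, and the diagnosis that setfiles reports every context as invalid when selinuxfs is not mounted or new policy is not yet loaded. Consider migrating those entries (and the filesystem support answers) instead of deleting the whole file. The commented-out demo-machine section and the "dont put anything below here" marker were already dead and are fine to drop.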
diff --git a/xml/selinux/hb-selinux-howto.xml b/xml/selinux/hb-selinux-howto.xml
deleted file mode 100644
index b8f7db0..0000000
--- a/xml/selinux/hb-selinux-howto.xml
+++ /dev/null
@@ -1,250 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-howto.xml,v 1.6 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>2.0</version>
-<date>2006-10-14</date>
-
-<section><title>Load policy into a running SELinux kernel</title>
-<subsection><body>
-<p>
- This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="Semodule command">
-# <i>semodule -B</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Change roles</title>
-<subsection><body>
-<p>
- This requires your user have access to the target role. This example
- is for changing to the <c>sysadm_r</c> role.
-</p>
-<pre caption="Newrole">
-# <i>newrole -r sysadm_r</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Specify available roles for a user</title>
-<subsection><body>
-<p>
- There is a mapping of linux users to SELinux identities. The policy has
- generic SELinux users for relevant configurations of roles. For example, to
- map the user <c>pebenito</c> to the SELinux identity <c>staff_u</c>, run:
-</p>
-<pre caption="Map pebenito to staff_u">
-# <i>semanage login -a -s staff_u pebenito</i>
-</pre>
-<p>
- The policy does not need to be reloaded. If the user is logged in, it
- must log out and log in again to take effect.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Relabel filesystems</title>
-<subsection><body>
-<p>
- This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="Relabel">
-# <i>rlpkg -a</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Relabel an individual package</title>
-<subsection><body>
-<p>
- In addition to relabeling entire filesystems, individual portage packages
- can be relabeled. This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="rlpkg example">
-# <i>rlpkg shadow sash</i>
-</pre>
-<p>
- The script rlpkg is used, and any number of packages can be specified
- on the command line.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Scan for libraries with text relocations</title>
-<subsection><body>
-<p>
- SELinux has improved memory protections. One feature supported is
- the permission for ELF text relocations. The libraries with text relocations
- have a special label, and the <c>rlpkg</c> tool has an option to scan for
- these libraries.
-</p>
-<pre caption="TEXTREL Scan">
-# <i>rlpkg -t</i>
-</pre>
-<p>
- This will also be done by automatically after a full relabel.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Start daemons in the correct domain</title>
-<subsection><body>
-<p>
- Controlling daemons that have init scripts in /etc/init.d is slightly
- different in SELinux. The <c>run_init</c> command must be used to run
- the scripts, to ensure they are ran in the correct domain. The command
- can be ran normally, except the command is prefixed with <c>run_init</c>.
- This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="run_init examples">
-# <i>run_init /etc/init.d/ntpd start</i>
-# <i>run_init /etc/init.d/apache2 restart</i>
-# <i>run_init /etc/init.d/named stop</i>
-</pre>
-</body></subsection>
-<subsection><title>Gentoo run_init integration</title><body>
-<p>
- <c>run_init</c> has been integrated into Gentoo's init script system. With
- SELinux installed, services can be started and stopped as usual, but will
- now authenticate the user.
-</p>
-<pre caption="Integrated run_init example">
-# <i>/etc/init.d/sshd restart</i>
-Authenticating root.
-Password:
- * Stopping sshd... [ ok ]
- * Starting sshd... [ ok ]
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Switch between enforcing and permissive modes</title>
-<subsection><body>
-<p>
- Switching between modes in SELinux is very simple. Write a 1 for
- enforcing, or 0 for permissive to /selinux/enforce to set the mode.
- The current mode can be queried by reading /selinux/enforce; 0 means
- permissive mode, and 1 means enforcing mode. If the kernel option
- "NSA SELinux Development Support" is turned off, the system will always
- be in enforcing mode, and cannot be switched to permissive mode.
-</p>
-<pre caption="">
-<comment>Query current mode</comment>
-# <i>cat /selinux/enforce</i>
-<comment>Switch to enforcing mode</comment>
-# <i>echo 1 > /selinux/enforce</i>
-<comment>Switch to permissive mode</comment>
-# <i>echo 0 > /selinux/enforce</i>
-</pre>
-<p>
- A machine with development support turned on can be started in enforcing
- mode by adding <c>enforcing=1</c> to the kernel command line, in the
- bootloader (GRUB, lilo, etc).
-</p>
-</body></subsection>
-
-<subsection><title>Managed policy</title><body>
-<p>
- In addition to the above kernel options, the mode at boot can be
- set by the <c>/etc/selinux/config</c> file.
-</p>
-<pre caption="/etc/selinux/config">
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=<comment>permissive</comment>
-</pre>
-<p>
- The setting in this file will be overridden by the kernel command line
- options described above.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Understand sestatus output</title>
-<subsection><body>
-<p>
- The <c>sestatus</c> tool can be used to determine detailed SELinux-specific
- status information about the system. The <c>-v</c> option provides extra
- detail about the context of processes and files. The output will be
- divided into four sections. Sestatus only provides complete information
- for a user logged in as root (or su/sudo), in the <c>sysadm_r</c> role.
-</p>
-<pre caption="Status example">
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: enforcing
-Policy version: 18
-</pre>
-<p>
- The main status information is provided in the first section. The first
- line shows if SELinux kernel functions exists and are enabled. If the
- status is disabled, either the kernel does not have SELinux support, or
- the policy is not loaded. The second line shows the mount point for
- the SELinux filesystem. During the normal use, the filesystem should be
- mounted at the default location of <c>/selinux</c>. The third line
- shows the current SELinux mode, either enforcing or permissive. The fourth
- line shows the policy database version supported by the currently running
- kernel.
-</p>
-<pre caption="Booleans example">
-Policy booleans:
-secure_mode inactive
-ssh_sysadm_login inactive
-user_ping inactive
-</pre>
-<p>
- The second section displays the status of the conditional policy booleans. The
- left column is the name of boolean. The right column is the status of the
- boolean, either active, or inactive. This section will not be shown on
- policy version 15 kernels, as they do not support conditional policy.
-</p>
-<pre caption="Process context example">
-Process contexts:
-Current context: pebenito:sysadm_r:sysadm_t
-Init context: system_u:system_r:init_t
-/sbin/agetty system_u:system_r:getty_t
-/usr/sbin/sshd system_u:system_r:sshd_t
-</pre>
-<p>
- The third section displays the context of the current process, and of several
- key processes. If a process is running in the incorrect context, it will not
- function correctly.
-</p>
-<pre caption="File context example">
-File contexts:
-Controlling term: pebenito:object_r:sysadm_devpts_t
-/sbin/init system_u:object_r:init_exec_t
-/sbin/agetty system_u:object_r:getty_exec_t
-/bin/login system_u:object_r:login_exec_t
-/sbin/rc system_u:object_r:initrc_exec_t
-/sbin/runscript.sh system_u:object_r:initrc_exec_t
-/usr/sbin/sshd system_u:object_r:sshd_exec_t
-/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
-/etc/passwd system_u:object_r:etc_t
-/etc/shadow system_u:object_r:shadow_t
-/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
-/bin/bash system_u:object_r:shell_exec_t
-/bin/sash system_u:object_r:shell_exec_t
-/usr/bin/newrole system_u:object_r:newrole_exec_t
-/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
-/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:shlib_t
-</pre>
-<p>
- The fourth section displays the context of the current process's controlling
- terminal, and of several key files. For symbolic links, the context of
- the link and then the context of the link target is displayed. If a file has
- an incorrect context, the file may be inaccessable or have incorrect
- permissions for a particular process.
-</p>
-</body></subsection>
-</section>
-</sections>
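Review bot: the commit message "drop unneeded files" does not say which page now carries the mode-switching and sestatus material removed here (the /selinux/enforce toggles, the note that the kernel command line enforcing=1 overrides SELINUX= in /etc/selinux/config, and the four-section sestatus -v walkthrough); suggest naming the replacement chapter in the message so the history stays navigable, and checking that selinux-handbook.xml no longer includes this chapter, since a leftover include of a deleted file breaks the book build rather than a single link.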
diff --git a/xml/selinux/hb-selinux-initpol.xml b/xml/selinux/hb-selinux-initpol.xml
deleted file mode 100644
index b13a0de..0000000
--- a/xml/selinux/hb-selinux-initpol.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-initpol.xml,v 1.6 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>1.3</version>
-<date>2004-11-16</date>
-
-<section><title>Verify Available Policy</title>
-<subsection><body>
-<p>
- You must be in <c>sysadm_r</c> to perform this action.
-</p>
-<p>
- A binary policy must be available in
- /etc/selinux/{strict,targeted}/policy. If it is missing, then install
- the policy.
-</p>
-<pre caption="Install policy">
-# <i>semodule -n -B</i>
-</pre>
-</body>
-</subsection>
-</section>
-
-<section><title>Verify Init Can Load the Policy</title>
-<subsection><body>
-<p>
- The final check is to ensure init can load the policy. Run <c>ldd</c> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<pre caption="">
-# <i>ldd /sbin/init</i>
- linux-gate.so.1 => (0xffffe000)
- <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</body></subsection>
-</section>
-</sections>
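Review bot: removing this file is a de-duplication only as long as a replacement keeps the "Verify Init Can Load the Policy" check: the same two subsections are deleted again in this commit from hb-selinux-loglocal.xml and hb-selinux-logremote.xml, so after this change nothing in the set tells the reader to run `ldd /sbin/init`, look for libselinux.so.1 and remerge sysvinit when it is missing. That check matters, because an init that is not linked against libselinux boots without loading the policy at all, which the old text flagged as the reason for the reboot step.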
diff --git a/xml/selinux/hb-selinux-libsemanage.xml b/xml/selinux/hb-selinux-libsemanage.xml
deleted file mode 100644
index a441f29..0000000
--- a/xml/selinux/hb-selinux-libsemanage.xml
+++ /dev/null
@@ -1,246 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-libsemanage.xml,v 1.1 2006/10/15 20:32:39 pebenito Exp $ -->
-
-<sections>
-<version>1.0</version>
-<date>2006-10-15</date>
-
-<section><title>SELinux Management Infrastructure</title>
-<subsection><body>
-<p>
- The SElinux management infrastructure manages several aspects of SELinux
- policy. These management tools are based on the core library libsemanage.
- There are several management programs to to various tasks, including
- <c>semanage</c> and <c>semodule</c>. They allow you to configure aspects
- of the policy without requiring the policy sources.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux Policy Module Management</title>
-<subsection><title>What is a policy module?</title><body>
-<p>
- SELinux supports a modular policy. This means several pieces of policy
- are brought together to form one complete policy to be loaded in the
- kernel. This is a similar structure as the kernel itself and kernel modules.
- There is a main kernel image that is loaded, and various kernel modules can
- be added (assuming their dependencies are met) and removed on a running
- system without restarting. Similarly each policy has a base module and
- zero or more policy modules, all used to create a policy.
- Modules are built by compiling a piece of policy, and creating a policy
- package (*.pp) with that compiled policy, and optionally file contexts.
-</p>
-<p>
- The base module policy package (base.pp) contains the basic requirements of
- the policy. All modular policies must have a base module at minimum.
- In Gentoo we have these plus policies for all parts of the system profile.
- This is contained in the selinux-base-policy ebuild. The other policy ebuilds
- in portage have one or more policy modules.
-</p>
-<p>
- For more information on writing a policy module, in particular for managing
- your local customizations to the policy, please see the
- <uri link="selinux-handbook.xml?part=3&chap=5">policy module guide</uri>.
-</p>
-</body></subsection>
-
-<subsection><title>The SELinux module store</title><body>
-<p>
- When a policy module is inserted or removed, modules are copied into or
- removed from the module store. This repository has a copy of the
- modules that were used to create the current policy, in addition to several
- auxilliary files. This repository is stored in the
- /etc/selinux/{strict,targeted}/modules. You should never need to directly
- access the contents of the module store. A libsemanage-based tool should be
- used instead.
-</p>
-<p>
- Libsemanage handles the module store transactionally. This means that if
- a set of operations (a transaction) is performed on the store and one part
- fails, the entire transaction is aborted. This keeps the store in a
- consistent state.
-</p>
-<p>
- Managing the module store is accomplished with the <c>semodule</c> command.
- Listing the contents of the module store is done with the <c>-l</c> option.
-</p>
-<pre caption="">
-# semodule -l
-distcc 1.1.1
-</pre>
-<p>
- Since the base module is required in all cases, and is not versioned, it will
- not be shown in the list. All other modules will be listed, along with their
- versions.
-</p>
-</body></subsection>
-
-<subsection><title>Inserting a policy module</title><body>
-<p>
- The module should be referenced by its file name.
-</p>
-<pre caption="">
-# <i>semodule -i module.pp</i>
-</pre>
-<p>
- This will insert the module into module store for the currently configured
- policy as specified in /etc/selinux/config. If the insert succeeds, the
- policy will be loaded, unless the <c>-n</c> option is used. To insert the
- module into an alternate module store, the <c>-s</c> option.
-</p>
-<pre caption="">
-# <i>semodule -s targeted -i module.pp</i>
-</pre>
-<p>
- Since this refers to an alternate module store, the policy will not be loaded.
-</p>
-</body></subsection>
-
-<subsection><title>Removing a policy module</title><body>
-<p>
- The module is referenced by its name in the module store.
-</p>
-<pre caption="">
-# <i>semodule -r module</i>
-</pre>
-<p>
- This will remove the module into module store for the currently configured
- policy as specified in /etc/selinux/config. If the remove succeeds, the
- policy will be loaded, unless the <c>-n</c> option is used. The remove
- command also respects the <c>-s</c> option.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Configuring User Login Mappings</title>
-<subsection><body>
-<p>
- The current method of assigning sets of roles to a user is by setting
- up a mapping between linux users and SELinux identities. When a user
- logs in, the login program will set the SELinux identity based on the
- this map. If there is no explicit map, the <c>__default__</c> map is
- used.
-</p>
-<p>
- Managing the SELinux user login map is accomplished with the <c>semanage</c>
- tool.
-</p>
-<pre caption="SELinux login user map">
-# <i>semanage login -l</i>
-Login Name SELinux User
-
-__default__ user_u
-root root
-</pre>
-</body></subsection>
-
-<subsection><title>Add a user login mapping</title><body>
-<p>
- To map the linux user <c>pebenito</c> to the SELinux identity <c>staff_u</c>:
-</p>
-<pre caption="">
-# <i>semanage login -a -s staff_u pebenito</i>
-</pre>
-<p>
- For descriptions on the available SELinux identities, see the
- <uri link="selinux-handbook.xml?part=3&chap=1#doc_chap3">SELinux Overview</uri>.
-</p>
-</body></subsection>
-
-<subsection><title>Remove a user login mapping</title><body>
-<p>
- To remove a login map for the linux user <c>pebenito</c>:
-</p>
-<pre caption="">
-# <i>semanage login -d pebenito</i>
-</pre>
-<note>
- User login maps specified by the policy (not by the management infrastructure)
- cannot be removed.
-</note>
-</body></subsection>
-</section>
-
-<section><title>Configuring Initial Boolean States</title>
-<subsection><body>
-<p>
- The <c>setsebool</c> program is now a libsemanage tool. This tool's basic
- function is to set the state of a Boolean. However, if the machine is
- restarted, the Booelans will be set using the initial state as specified in
- the policy. To set the Boolean state, and make that the new initial state
- in the policy, the <c>-P</c> option of <c>setsebool</c> is used.
-</p>
-<pre caption="Set Boolean default state">
-# <i>setsebool -P fcron_crond 1</i>
-</pre>
-<p>
- This will set the fcron_crond Boolean to true and also make the initial state
- for the Boolean true.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Configuring SELinux Identities</title>
-<subsection><body>
-<p>
- Generally SELinux identities need not be added to the policy, as user
- login mappings are sufficient. However, one reason to add them is for
- improved auditing, since the SELinux identity is part of the scontext of a
- denial message.
-</p>
-<p>
- Managing the SELinux identities is accomplished with the <c>semanage</c> tool.
-</p>
-<pre caption="SELinux identity list">
-# <i>semanage user -l</i>
-SELinux User SELinux Roles
-
-root sysadm_r staff_r
-staff_u sysadm_r staff_r
-sysadm_u sysadm_r
-system_u system_r
-user_u user_r
-</pre>
-</body></subsection>
-
-<subsection><title>Add a SELinux identity</title><body>
-<p>
- In addition to specifying the roles for an identity, a prefix must
- also be specified. This prefix should match a role, for example
- <c>staff</c> or <c>sysadm</c>, and it is used for home directory
- entries. So if <c>staff</c> is used for the prefix, linux users that
- are mapped to this identity will have their home directory labeled
- <c>staff_home_dir_t</c>.
-</p>
-<p>
- To add the <c>test_u</c> identity with the roles <c>staff_r</c> and
- <c>sysadm_r</c> with the prefix <c>staff</c>:
-</p>
-<pre caption="">
-# <i>semanage user -a -R 'staff_r sysadm_r' -P staff test_u</i>
-</pre>
-<note>
- To use the SELinux identity, a user login map still must be added.
-</note>
-</body></subsection>
-
-<subsection><title>Remove a SELinux user identity</title><body>
-<p>
- To remove the test_u SELinux identity:
-</p>
-<pre caption="">
-# <i>semanage user -d test_u</i>
-</pre>
-<note>
- SELinux identities specified by the policy (not by the management
- infrastructure) cannot be removed.
-</note>
-</body></subsection>
-</section>
-
-</sections>
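Review bot: the two cross-references in this file, `selinux-handbook.xml?part=3&chap=5` (policy module guide) and `selinux-handbook.xml?part=3&chap=1#doc_chap3` (SELinux Overview), point at chapters that are also deleted in this commit (hb-selinux-localmod.xml, hb-selinux-overview.xml), so no dangling link is left behind here; but the part=3&chap=N numbering is positional, so any surviving page that links into part 3 by chapter number needs re-checking once these chapters drop out of the book. Also note this was the only page documenting the libsemanage workflow (`semodule -l/-i/-r` with `-s` and `-n`, `semanage login`/`semanage user`, `setsebool -P`); if it is "unneeded" because a newer page covers it, the commit message should say so.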
diff --git a/xml/selinux/hb-selinux-localmod.xml b/xml/selinux/hb-selinux-localmod.xml
deleted file mode 100644
index 8674b9f..0000000
--- a/xml/selinux/hb-selinux-localmod.xml
+++ /dev/null
@@ -1,134 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-localmod.xml,v 1.1 2006/10/15 20:32:39 pebenito Exp $ -->
-
-<sections>
-<version>1.0</version>
-<date>2006-10-15</date>
-
-<section><title>Introduction</title>
-<subsection><body>
-<p>
- This guide discusses how to set up a policy module for local additions
- of rules to the policy.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Preparation</title>
-<subsection><body>
-<p>
- Copy the example Makefile from the selinux-base-policy doc directory to the
- directory that will be used for building the policy. It is suggested that
- /root be used. The places that the <c>semodule</c> tool can read policy
- modules includes sysadm home directories.
-</p>
-<pre caption="">
-# <i>zcat /usr/share/doc/selinux-base-policy-20061008/Makefile.example.gz > /root/Makefile</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Write a TE file</title>
-<subsection><body>
-<p>
- In a policy module, most policy statements are usable in modules.
- There are a few extra statements that must be added for proper operation.
-</p>
-<pre caption="Example local.te">
-policy_module(local,1.0)
-
-require {
- type sysadm_su_t, newrole_t;
-}
-allow sysadm_su_t newrole_t:process sigchld;
-</pre>
-<p>
- In addition to the basic allow rule, it has a couple statements required
- by policy modules. The first is a policy_module() macro that has the
- name of the module, and the module's version. It also has a require
- block. This block specifies all types that are required for this module
- to function. All types used in the module must either be declared in the
- module or required by this module.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Write a FC File (optional)</title>
-<subsection><body>
-<p>
- The file contexts file is optional and has the same syntax as as always.
-</p>
-<pre caption="Example local.fc">
-/opt/myprogs/mybin -- system_u:object_r:bin_t
-</pre>
-<p>
- Types used in the file context file should be required or declared in
- the TE file.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Compile Policy Modules</title>
-<subsection><body>
-<p>
- Simply run <c>make</c> to build all modules in the directory. The module
- will be compiled for the current policy as specified by /etc/selinux/config.
-</p>
-<pre caption="">
-# <i>make</i>
-Compiling strict local module
-/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule: policy configuration loaded
-/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
-Creating strict local.pp policy package
-</pre>
-<p>
- To build the module for a policy other than the configured policy, use the
- <c>NAME=</c> option.
-</p>
-<pre caption="">
-# <i>make NAME=targeted</i>
-Compiling targeted local module
-/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule: policy configuration loaded
-/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
-Creating targeted local.pp policy package
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Load the Modules</title>
-<subsection><body>
-<p>
- The modules can be loaded into the currently configured policy simply
- by using the load target of the Makefile.
-</p>
-<pre caption="">
-# <i>make load</i>
-</pre>
-<p>
- The load target also respects the <c>NAME=</c> option. Alternatively,
- the <c>semodule</c> command can be used to load individual modules.
-</p>
-<pre caption="">
-# <i>semodule -i local.pp</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Building Reference Policy Modules</title>
-<subsection><body>
-<p>
-The new Gentoo policy is based on the <uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri>.
-For more information on building a complete Reference Policy module, see the
-<uri link="http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted">Reference Policy Wiki</uri>.
-</p>
-</body></subsection>
-</section>
-
-</sections>
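Review bot: the version-pinned Makefile path `/usr/share/doc/selinux-base-policy-20061008/Makefile.example.gz` and the oss.tresys.com wiki links are good grounds for retiring this page, but the short rule it states for local modules (every type used in the .te or .fc must be either declared in the module or listed in its `require { }` block, plus the `policy_module(name, version)` header) is the only explanation of that requirement among the files removed here; confirm the replacement policy-module page carries it, otherwise readers writing a local.te will hit checkmodule errors with no documented cause.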
diff --git a/xml/selinux/hb-selinux-loglocal.xml b/xml/selinux/hb-selinux-loglocal.xml
deleted file mode 100644
index 7cc5506..0000000
--- a/xml/selinux/hb-selinux-loglocal.xml
+++ /dev/null
@@ -1,166 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-loglocal.xml,v 1.7 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>1.4</version>
-<date>2004-11-16</date>
-
-<section><title>Begin Here</title>
-<subsection><body>
-<p>
- You must be in <c>sysadm_r</c> to perform these actions.
-</p>
-<p>
- Run <c>sestatus -v</c>. Click the first context that doesn't match:
-</p>
-<table>
-<tr><th>Process</th><th>Context</th></tr>
-<tr><ti>Init context</ti><ti><uri link="#doc_chap2">system_u:system_r:init_t</uri></ti></tr>
-<tr><ti>/sbin/agetty</ti><ti><uri link="#doc_chap3">system_u:system_r:getty_t</uri></ti></tr>
-<tr><th>File</th><th>Context</th></tr>
-<tr><ti>/bin/login</ti><ti><uri link="#doc_chap4">system_u:object_r:login_exec_t</uri></ti></tr>
-<tr><ti>/sbin/unix_chkpwd</ti><ti><uri link="#doc_chap5">system_u:object_r:chkpwd_exec_t</uri></ti></tr>
-<tr><ti>/etc/passwd</ti><ti><uri link="#doc_chap6">system_u:object_r:etc_t</uri></ti></tr>
-<tr><ti>/etc/shadow</ti><ti><uri link="#doc_chap6">system_u:object_r:shadow_t</uri></ti></tr>
-<tr><ti>/bin/bash</ti><ti><uri link="#doc_chap7">system_u:object_r:shell_exec_t</uri></ti></tr>
-</table>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Init Context</title>
-<subsection><title>Verify Init Label</title>
-<body>
-<p>
- There are several possible reasons why init may have the wrong context.
- First, verify that init is labeled correctly, refer to the sestatus's output
- for /sbin/init. If it is not <c>system_u:object_r:init_exec_t</c>, relabel sysvinit.
-</p>
-<pre caption="Fix init context">
-# <i>rlpkg sysvinit</i>
-</pre>
-</body></subsection>
-<subsection><title>Verify Available Policy</title><body>
-<p>
- You must be in <c>sysadm_r</c> to perform this action.
-</p>
-<p>
- A binary policy must be available in /etc/selinux/{strict,targeted}/policy.
- If it is missing, then install the policy.
-</p>
-<pre caption="Install binary policy">
-# <i>semodule -n -B</i>
-</pre>
-</body>
-</subsection>
-
-<subsection><title>Verify Init Can Load the Policy</title><body>
-<p>
- The final check is to ensure init can load the policy. Run <c>ldd</c> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<pre caption="Check init linking">
-# <i>ldd /sbin/init</i>
- linux-gate.so.1 => (0xffffe000)
- <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect agetty Context</title>
-<subsection><body>
-<p>
- Verify that agetty is labeled correctly. Refer to the sestatus's output
- for /sbin/agetty. If it is not <c>system_u:object_r:getty_exec_t</c>, relabel
- util-linux. Then restart all gettys.
-</p>
-<pre caption="Fix agetty context">
-# <i>rlpkg util-linux</i>
-# <i>killall agetty</i> <comment>(they will respawn)</comment>
-</pre>
-<p>
- All of the agettys should now be in the correct <c>system_u:object_r:getty_exec_t</c>
- context. Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect Login Context</title>
-<subsection><body>
-<p>
- The login program (/bin/login) is not labeled correctly. Relabel shadow.
-</p>
-<pre caption="Relabel shadow">
-# <i>rlpkg shadow</i>
-</pre>
-<p>
- /bin/login should now be <c>system_u:object_r:login_exec_t</c>.
- Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect PAM Context</title>
-<subsection><body>
-<p>
- Sshd must be able to use PAM for authenticating the user. The PAM password
- checking program (/sbin/unix_chkpwd) must be labeled correctly so
- sshd can transition to the password checking context. Relabel PAM.
-</p>
-<pre caption="Fix unix_chkpwd context">
-# <i>rlpkg pam</i>
-</pre>
-<p>
- The password checking program should now be <c>system_u:object_r:chkpwd_exec_t</c>.
- Try loggin in again.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Password File Contexts</title>
-<subsection><body>
-<p>
- The password file (/etc/passwd), and the shadow file (/etc/shadow) must
- be labeled correctly, otherwise PAM will not be able to
- authenticate your user. Relabel the files.
-</p>
-<pre caption="Fix shadow context">
-# <i>restorecon /etc/passwd /etc/shadow</i>
-</pre>
-<p>
- The password and shadow files should now be <c>system_u:object_r:etc_t</c>
- and <c>system_u:object_r:shadow_t</c>, respectively. Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect Bash File Context</title>
-<subsection><body>
-<p>
- Bash must be labeled correctly so the user can transition into the user
- domain when logging in. Relabel bash.
-</p>
-<pre caption="Fix bash context">
-# <i>rlpkg bash</i>
-</pre>
-<p>
- Bash (/bin/bash) should now be <c>system_u:object_r:shell_exec_t</c>.
- Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-</sections>
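Review bot: the "Begin Here" table links `#doc_chap2` through `#doc_chap7`, anchors derived from this file's own section order, so if any of these troubleshooting steps are moved into another page rather than dropped, the anchor numbers must be regenerated there. Also worth preserving: the password-file step is the one fix in this file that uses `restorecon /etc/passwd /etc/shadow` on individual files instead of `rlpkg <package>`, and the expected labels (etc_t and shadow_t) are stated only here and in hb-selinux-logremote.xml, which this commit also deletes.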
diff --git a/xml/selinux/hb-selinux-logremote.xml b/xml/selinux/hb-selinux-logremote.xml
deleted file mode 100644
index 1a95f7b..0000000
--- a/xml/selinux/hb-selinux-logremote.xml
+++ /dev/null
@@ -1,177 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-logremote.xml,v 1.7 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>1.4</version>
-<date>2004-11-16</date>
-
-<section><title>Begin Here</title>
-<subsection><body>
-<p>
- You must be in <c>sysadm_r</c> to perform these actions.
-</p>
-<p>
- Run <c>sestatus -v</c>. Click the first context that doesn't match:
-</p>
-<table>
-<tr><th>Process</th><th>Context</th></tr>
-<tr><ti>Init context</ti><ti><uri link="#doc_chap2">system_u:system_r:init_t</uri></ti></tr>
-<tr><ti>/usr/sbin/sshd</ti><ti><uri link="#doc_chap3">system_u:system_r:sshd_t</uri></ti></tr>
-<tr><th>File</th><th>Context</th></tr>
-<tr><ti>/sbin/unix_chkpwd</ti><ti><uri link="#doc_chap4">system_u:object_r:chkpwd_exec_t</uri></ti></tr>
-<tr><ti>/etc/passwd</ti><ti><uri link="#doc_chap5">system_u:object_r:etc_t</uri></ti></tr>
-<tr><ti>/etc/shadow</ti><ti><uri link="#doc_chap5">system_u:object_r:shadow_t</uri></ti></tr>
-<tr><ti>/bin/bash</ti><ti><uri link="#doc_chap6">system_u:object_r:shell_exec_t</uri></ti></tr>
-</table>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Init Context</title>
-<subsection><title>Verify Init Label</title>
-<body>
-<p>
- There are several possible reasons why init may have the wrong context.
- First, verify that init is labeled correctly, refer to the sestatus's output
- for /sbin/init. If it is not <c>system_u:object_r:init_exec_t</c>, relabel sysvinit.
-</p>
-<pre caption="">
-# <i>rlpkg sysvinit</i>
-</pre>
-</body></subsection>
-
-<subsection><title>Verify Available Policy</title><body>
-<p>
- You must be in <c>sysadm_r</c> to perform this action.
-</p>
-<p>
- A binary policy must be available in
- /etc/selinux/{strict,targeted}/policy. If it is missing, then install
- the policy.
-</p>
-<pre caption="Install policy">
-# <i>semodule -n -B</i>
-</pre>
-</body>
-</subsection>
-
-<subsection><title>Verify Init Can Load the Policy</title><body>
-<p>
- The final check is to ensure init can load the policy. Run <c>ldd</c> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<pre caption="">
-# <i>ldd /sbin/init</i>
- linux-gate.so.1 => (0xffffe000)
- <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect sshd Context</title>
-<subsection><body>
-<p>
- Another possibility is sshd is not labeled correctly, meaning it is not running
- in the right context. Relabel openssh, then restart sshd.
-</p>
-<pre caption="">
-# <i>rlpkg openssh</i>
-# <i>/etc/init.d/sshd restart</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Incorrect PAM Context</title>
-<subsection><body>
-<p>
- Sshd must be able to use PAM for authenticating the user. The PAM password
- checking program (/sbin/unix_chkpwd) must be labeled correctly so
- sshd can transition to the password checking context. Relabel PAM.
-</p>
-<pre caption="">
-# <i>rlpkg pam</i>
-</pre>
-<p>
- The password checking program should now be <c>system_u:object_r:chkpwd_exec_t</c>.
- Try loggin in again.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Password File Contexts</title>
-<subsection><body>
-<p>
- The password file (/etc/passwd), and the shadow file (/etc/shadow) must
- be labeled correctly, otherwise PAM will not be able to
- authenticate your user. Relabel the files.
-</p>
-<pre caption="">
-# <i>restorecon /etc/passwd /etc/shadow</i>
-</pre>
-<p>
- The password and shadow files should now be <c>system_u:object_r:etc_t</c>
- and <c>system_u:object_r:shadow_t</c>, respectively. Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect Bash File Context</title>
-<subsection><body>
-<p>
- Bash must be labeled correctly so the user can transition into the user
- domain when logging in. Relabel bash.
-</p>
-<pre caption="">
-# <i>rlpkg bash</i>
-</pre>
-<p>
- Bash (/bin/bash) should now be <c>system_u:object_r:shell_exec_t</c>.
- Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Other sshd Issues</title>
-<subsection><title>Valid Shell</title><body>
-<p>
- First, make sure the user has a valid shell.
-</p>
-<pre caption="">
-# <i>grep</i> <comment>username</comment> <i>/etc/passwd | cut -d: -f7</i>
-/bin/bash <comment>(or your shell of choice)</comment>
-</pre>
-<p>
- If the above command does not return anything, or the shell is wrong,
- set the user's shell.
-</p>
-<pre caption="">
-# <i>usermod -s /bin/bash</i> <comment>username</comment>
-</pre>
-</body></subsection>
-<subsection><title>PAM enabled</title><body>
-<p>
- PAM also must be enabled in sshd. Make sure this line
- in <c>/etc/ssh/sshd_config</c> is uncommented:
-</p>
-<pre caption="">
-UsePAM yes
-</pre>
-<p>
- SELinux currently only allows PAM and a select few programs direct access
- to <c>/etc/shadow</c>; therefore, openssh must now
- use PAM for password authentication (public key still works).
-</p>
-</body></subsection>
-</section>
-</sections>
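Review bot: the "Other sshd Issues" section is not a labeling fix and has no counterpart in hb-selinux-loglocal.xml, so it is lost outright with this deletion: the `UsePAM yes` requirement in `/etc/ssh/sshd_config`, and the reason given for it (the policy grants direct /etc/shadow access only to PAM and a few programs, so openssh must authenticate passwords through PAM while public-key login is unaffected). If sshd troubleshooting is being consolidated elsewhere, carry this over; a remote login that fails only for password auth is exactly the symptom this section explained.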
diff --git a/xml/selinux/hb-selinux-overview.xml b/xml/selinux/hb-selinux-overview.xml
deleted file mode 100644
index d02943d..0000000
--- a/xml/selinux/hb-selinux-overview.xml
+++ /dev/null
@@ -1,521 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ -->
-
-<sections>
-<version>1.5</version>
-<date>2009-07-13</date>
-
-<!--
-<section><title>Mandatory Access Control</title>
-<subsection><body>
-<p>
- Security Enhanced Linux is an implementation of mandatory access control
- (MAC) using type enforcement. In Linux, the regular security permissions
- are a discretionary access control system (DAC). In DAC, the permissions
- for a particular object, such as a file, are set at the discrection of the
- owner and can be changed at any time by the owner. In MAC, the access a
- process or user has to an object is defined by the operating system
- security policy, and cannot be bypassed.
-!!! still need to update other links in the handbook
-</p>
-</body></subsection>
-</section>
--->
-<section><title>SELinux Types</title>
-<subsection><body>
-<p>
- A type is a security attribute given to objects such as files, and network
- ports, etc. The type of a process is commonly referred to as its domain.
- The SELinux policy is primarily composed of type enforcement rules, which
- describe how domains are allowed to interact with objects, and how domains
- are allowed to interact with other domains. A type is generally suffixed
- with a '_t', such as <c>sysadm_t</c>. This is the most important
- attribute for a process or object, as most policy decisions are based on
- the source and target types.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux Roles</title>
-<subsection><body>
-<p>
- SELinux is type enforcement, so the SELinux role is not the same as those
- in a role-based access control system. Permissions are not given to roles.
- A role describes the set of types a user can use. For example, a system
- administrator that is using the system for regular user tasks should be
- in the <c>staff_r</c> role. If they need to administrate the system, then
- a role change to <c>sysadm_r</c> is required. In SELinux terms, the
- domains that a user can be in is determined by their role. If a role is not
- allowed to have a certain domain, a transition to that domain will be denied,
- even if the type enforcement rules allow the domain transition. A role is
- generally suffixed with a '_r', such as <c>system_r</c>.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux Identities</title>
-<subsection><title>What is a SELinux Identity?</title><body>
-<p>
- The SELinux identity is similar to a Linux username. The change of identity
- should be limited to very specific cases, since the role-based access control
- relies on the SELinux identity. Therfore, in general, a user’s SELinux
- identity will not change during a session. The user ID in Linux can be
- changed by set(e)uid, making it inappropriate for a SELinux identity.
- If a user is given a SELinux identity, it must match the Linux username. Each
- SELinux identity is allowed a set of roles.
-</p>
-</body></subsection>
-
-<subsection><title>Configure SELinux Identity Mapping</title><body>
-<p>
- The SELinux policy has several generic SELinux identities that should
- be sufficient for all users. This mapping only needs to be configured
- on the strict policy. The identity mapping for the targeted policy
- need not be configured, as the default identity (user_u) is sufficient
- in all cases.
-</p>
-<p>
- When a user logs in, the SELinux identity used is determined by this mapping.
-</p>
-<table>
-<tr><th>SELinux Identity</th>
- <th>Roles</th>
- <th>Description</th></tr>
-<tr><ti>system_u</ti>
- <ti>system_r</ti>
- <ti>System (non-interactive) processes. Should not be used on users.</ti></tr>
-<tr><ti>user_u</ti>
- <ti>user_r</ti>
- <ti>Generic unprivileged users. The default identity mapping.</ti></tr>
-<tr><ti>staff_u</ti>
- <ti>staff_r, sysadm_r</ti>
- <ti>System administrators that also log in to do regular user activties.</ti></tr>
-<tr><ti>sysadm_u</ti>
- <ti>sysadm_r</ti>
- <ti>System administrators that only log in to do administrative tasks. It is not suggested that this identity is used.</ti></tr>
-<tr><ti>root</ti>
- <ti>staff_r, sysadm_r</ti>
- <ti>Special identity for root. Other users should use staff_u instead.</ti></tr>
-</table>
-<p>
- See the <uri link="selinux-handbook.xml?part=3&chap=2#doc_chap3">SELinux HOWTO</uri>
- for semanage syntax for configuring SELinux identity mappings.
-</p>
-</body></subsection>
-
-</section>
-
-<section><title>SELinux Contexts</title>
-<subsection><body>
-<p>
- Using the above three security models together is called a SELinux
- context. A context takes the form <c>identity</c>:<c>role</c>:<c>type</c>.
- The SELinux context is the most important value for determining access.
-</p>
-</body></subsection>
-
-<subsection><title>Object Contexts</title><body>
-<p>
- A typical <c>ls -Z</c> may have an output similar to this:
-</p>
-<pre caption="Example ls -Z output">
-drwxr-xr-x root root system_u:object_r:bin_t bin
-drwxr-xr-x root root system_u:object_r:boot_t boot
-drwxr-xr-x root root system_u:object_r:device_t dev
-drwxr-xr-x root root system_u:object_r:etc_t etc
-</pre>
-<p>
- The first three columns are the typical linux permissions, user and group.
- The fourth column is the file or directory's security context. Objects
- are given the generic <c>object_r</c> role. From the other two fields of
- the context, it can be seen that the files are in the system identity,
- and have four different types, <c>bin_t</c>, <c>boot_t</c>, <c>device_t</c>,
- and <c>etc_t</c>.
-</p>
-</body></subsection>
-
-<subsection><title>Process Contexts</title><body>
-<p>
- A typical <c>ps ax -Z</c> may have an output similar to this:
-</p>
-<pre caption="Example ps ax -Z output">
- PID CONTEXT COMMAND
- 1 system_u:system_r:init_t [init]
- 2 system_u:system_r:kernel_t [keventd]
- 3 system_u:system_r:kernel_t [ksoftirqd_CPU0]
- 4 system_u:system_r:kernel_t [kswapd]
- 5 system_u:system_r:kernel_t [bdflush]
- 6 system_u:system_r:kernel_t [kupdated]
- 706 system_u:system_r:syslogd_t [syslog-ng]
- 712 system_u:system_r:httpd_t [apache]
- 791 system_u:system_r:sshd_t [sshd]
- 814 system_u:system_r:crond_t [cron]
- 826 system_u:system_r:getty_t [agetty]
- 827 system_u:system_r:getty_t [agetty]
- 828 system_u:system_r:getty_t [agetty]
- 829 system_u:system_r:getty_t [agetty]
- 830 system_u:system_r:getty_t [agetty]
- 831 system_u:system_r:httpd_t [apache]
- 832 system_u:system_r:httpd_t [apache]
- 833 system_u:system_r:httpd_t [apache]
-23093 system_u:system_r:sshd_t [sshd]
-23095 user_u:user_r:user_t [bash]
-23124 system_u:system_r:sshd_t [sshd]
-23126 user_u:user_r:user_t [bash]
-23198 system_u:system_r:sshd_t [sshd]
-23204 user_u:user_r:user_t [bash]
-23274 system_u:system_r:sshd_t [sshd]
-23275 pebenito:staff_r:staff_t [bash]
-23290 pebenito:staff_r:staff_t ps ax -Z
-</pre>
-<p>
- In this example, the typical process information is displayed, in addition
- to the process's context. By inspection, all of the system's kernel
- processes and daemons run under the <c>system_u</c> identity, and
- <c>system_r</c> role. The individual domains depend on the program.
- There are a few users logged in over ssh, using the generic <c>user_u</c>
- identity. Finally there is a user with the identity <c>pebenito</c> logged in
- with the <c>staff_r</c> role, running in the <c>staff_t</c> domain.
-</p>
-</body></subsection>
-
-</section>
-
-<section>
-<title>SELinux Policy Files</title>
-<subsection><body>
-<p>
- The SELinux policy source files are no longer installed onto the system.
- In the <c>/usr/share/selinux/{strict,targeted}</c> directory there are a
- collection of policy packages and headers for building local modules.
- The policy files are processed by m4, and then the policy compiler <c>checkmodule</c>
- verifies that there are no syntactic errors, and a policy module is created.
- Then a policy package is created with with the <c>semodule_package</c>
- program, using the policy module and the module file contexts.
- The policy packaged then can be loaded into a running SELinux kernel
- by inserting it into the module store.
-</p>
-</body></subsection>
-
-<subsection><title>*.pp</title><body>
-<p>
- Policy packages for this policy. These must be inserted into the module
- store so they can be loaded into the policy. Inside the package
- there is a loadable policy module, and optionally a file context file.
-</p>
-</body></subsection>
-
-<subsection><title>include/</title><body>
-<p>
- Policy headers for this policy.
-</p>
-</body></subsection>
-
-</section>
-
-<section>
-<title>Binary Policy Versions</title>
-<subsection><body>
-<p>
- When compiling the policy, the resultant binary policy is versioned.
- The first version that was merged into 2.6 was version 15.
- The version number is only incremented generally when new features are added that require changes to the structure of the compiled policy.
- For example, in 2.6.5, conditional policy extensions were added.
- This required the policy version to be incremented to version 16.
-</p>
-</body></subsection>
-<subsection><title>What Policy Version Does My Kernel Use?</title>
-<body>
-<p>
- The policy version of a running kernel can be determined by executing
- <c>sestatus</c> or <c>policyvers</c>. Current kernels can load
- the previous version policy for compatibility. For example a version 17
- kernel can also load a version 16 policy. However, this compatibility
- code may be removed in the future.
-</p>
-<note>
- The policy management infrastructure (libsemanage) will automatically
- create and use the correct version policies. No extra steps need be taken.
-</note>
-</body></subsection>
-<subsection><title>Policy Versions</title>
-<body>
-<p>
- The following table contains the policy versions in 2.6 kernels.
-</p>
-<table>
-<tr><th>Version</th>
- <th>Description</th>
- <th>Kernel Versions</th></tr>
-<tr><ti>12</ti>
- <ti>"Old API" SELinux (deprecated).</ti></tr>
-<tr><ti>15</ti>
- <ti>"New API" SELinux merged into 2.6.</ti>
- <ti>2.6.0 - 2.6.4</ti></tr>
-<tr><ti>16</ti>
- <ti>Conditional policy extensions added.</ti>
- <ti>2.6.5</ti></tr>
-<tr><ti>17</ti>
- <ti>IPV6 support added.</ti>
- <ti>2.6.6 - 2.6.7</ti></tr>
-<tr><ti>18</ti>
- <ti>Fine-grained netlink socket support added.</ti>
- <ti>2.6.8 - 2.6.11</ti></tr>
-<tr><ti>19</ti>
- <ti>Enhanced multi-level security.</ti>
- <ti>2.6.12 - 2.6.13</ti></tr>
-<tr><ti>20</ti>
- <ti>Access vector table size optimizations.</ti>
- <ti>2.6.14 - 2.6.18</ti></tr>
-<tr><ti>21</ti>
- <ti>Object classes in range transitions.</ti>
- <ti>2.6.19 - 2.6.24</ti></tr>
-<tr><ti>22</ti>
- <ti>Policy capabilities (features).</ti>
- <ti>2.6.25</ti></tr>
-<tr><ti>23</ti>
- <ti>Per-domain permissive mode.</ti>
- <ti>2.6.26 - 2.6.27</ti></tr>
-<tr><ti>24</ti>
- <ti>Explicit hierarchy (type bounds).</ti>
- <ti>2.6.28 - current</ti></tr>
-</table>
-</body></subsection>
-</section>
-
-<section>
-<title>Conditional Policy Extensions</title>
-<subsection><body>
-<p>
- The conditional policy extensions allow the enabling and disabling of policy
- rules at runtime, without loading a modified policy. Using policy booleans
- and expressions, policy rules can be conditionally applied.
-</p>
-</body></subsection>
-
-<subsection><title>Determine Boolean Values</title>
-<body>
-<p>
- The status of policy booleans in the current running policy can be determined
- two ways. The first is by using <c>sestatus</c>.
-</p>
-<pre caption="Example sestatus output">
-# sestatus
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: enforcing
-Policy version: 17
-
-Policy booleans:
-user_ping inactive
-</pre>
-<p>
- The second is <c>getsebool</c> which is a simple tool that displays
- the status of policy booleans, and if a value change is pending.
-</p>
-<pre caption="Example getsebool command">
-# getsebool -a
-user_ping --> active: 0 pending: 0
-</pre>
-</body></subsection>
-
-<subsection><title>Changing Boolean Values</title>
-<body>
-<p>
- The value of a boolean can be toggled by using the <c>togglesebool</c>
- command. Multiple booleans can be specified on the command line. The
- new value of the boolean will be displayed.
-</p>
-<pre caption="Example togglesebool command">
-# togglesebool user_ping
-user_ping: active
-</pre>
-<p>
- The value of a boolean can be set specifically by using the <c>setsebool</c>
- command.
-</p>
-<pre caption="Example setsebool command">
-# setsebool user_ping 0
-</pre>
-<p>
- To set the value of a boolean, and make it the devault value, use the <c>-P</c> option.
-</p>
-<pre caption="Change default value">
-# setsebool -P user_ping 1
-</pre>
-</body></subsection>
-</section>
-
-<section>
-<title>Policy Kernel Messages</title>
-<subsection><body>
-<p>
- While a system is running, a program or user may attempt to do something
- that violates the security policy. If the system is enforcing the policy,
- the access will be denied, and there will be a message in the kernel log.
- If the system is not enforcing (permissive mode), the access will be allowed,
- but there will still be a kernel message.
-</p>
-</body></subsection>
-
-<subsection><title>AVC Messages</title><body>
-<p>
- Most kernel messages from SELinux come from the access vector cache (AVC).
- Understanding denials is important to understand if an attack is happening,
- or if the program is requiring unexpected accesses. An example denial
- may look like this:
-</p>
-
-<pre caption="Example AVC Message">
-avc: denied { read write } for pid=3392 exe=/bin/mount dev=03:03 ino=65554
-scontext=pebenito:sysadm_r:mount_t tcontext=system_u:object_r:tmp_t tclass=file
-</pre>
-
-<p>
- While most AVC messages are denials, occasionally there might be an audit
- message for an access that was granted:
-</p>
-<pre caption="Example AVC Message 2">
-avc: granted { load_policy } for pid=3385 exe=/usr/sbin/load_policy
-scontext=pebenito:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
-</pre>
-<p>
- In this case, the ability to load the policy was granted. This is a critical
- security event, and thus is always audited. Another event that is always
- audited is switching between enforcing and permissive modes.
-</p>
-
-<p>
- SELinux will supress logging of denials if many are received in a short
- amount of time. However, This does not always imply there is an attack
- in progress. A program may be doing something that could cause
- many denials in a short time, such as doing a stat() on device nodes in
- /dev. To protect from filling up the system logs, SELinux has rate limiting
- for its messages:
-</p>
-
-<pre caption="Example AVC Message 3">
-AVC: 12 messages suppressed.
-</pre>
-
-<p>
- The policy would have to be modified to not audit these accesses if they
- are normal program behavior, but still need to be denied.
-</p>
-
-</body></subsection>
-
-<subsection><title>Other kernel messages</title>
-<body>
-<pre caption="inode_doinit_with_dentry">
-inode_doinit_with_dentry: context_to_sid(system_u:object_r:bar_t) returned 22 for dev=hda3 ino=517610
-</pre>
-<p>
- This means that the file on /dev/hda3 with inode number 517610 has the context
- system_u:object_r:bar_t, which is invalid. Objects with an invalid context
- are treated as if they had the system_u:object_r:unlabeled_t context.
-</p>
-</body></subsection>
-
-</section>
-
-<section><title>Dissecting a Denial</title>
-<subsection><body>
-<p>
- Denials contain varying amounts of information, depending on the access type.
-</p>
-
-<pre caption="Example Denials">
-avc: denied { lock } for pid=28341 exe=/sbin/agetty path=/var/log/wtmp dev=03:03 ino=475406
-scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file
-
-avc: denied { create } for pid=20909 exe=/bin/ls scontext=pebenito:sysadm_r:mkinitrd_t
-tcontext=pebenito:sysadm_r:mkinitrd_t tclass=unix_stream_socket
-
-avc: denied { setuid } for pid=3170 exe=/usr/bin/ntpd capability=7
-scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability
-
-</pre>
-
-<p>
- The most common denial relates to access of files. For better understanding,
- the first denial message will be broken down:
-</p>
-<table>
-<tr><th>Component</th><th>Description</th></tr>
-<tr><ti>avc: denied</ti>
- <ti>SELinux has denied this access.</ti></tr>
-<tr><ti>{ lock }</ti>
- <ti>The attempted access is a lock.</ti></tr>
-<tr><ti>pid=28341</ti>
- <ti>The process ID performing this access is 28341.</ti></tr>
-<tr><ti>exec=/sbin/agetty</ti>
- <ti>The full path and name of the process's executable is /sbin/agetty.</ti></tr>
-<tr><ti>path=/var/log/wtmp</ti>
- <ti>The path and name of the target object is /var/log/wtmp. Note: a complete
- path is not always available.</ti></tr>
-<tr><ti>dev=03:03</ti>
- <ti>The target object resides on device 03:03 (major:minor number).
- On 2.6 kernels this may resolve to a name, hda3 in this example.</ti></tr>
-<tr><ti>ino=475406</ti>
- <ti>The inode number of the target object is 475406.</ti></tr>
-<tr><ti>scontext=system_u:system_r:getty_t</ti>
- <ti>The context of the program is system_u:system_r:getty_t.</ti></tr>
-<tr><ti>tcontext=system_u:object_r:var_log_t</ti>
- <ti>The context of the target object is system_u:object_r:var_log_t.</ti></tr>
-<tr><ti>tclass=file</ti>
- <ti>The target object is a normal file.</ti></tr>
-</table>
-
-<p>
- Not all AVC messages will have all of these fields, as shown in the other
- two denials. The fields vary depending on the target object's class.
- However, the most important fields: access type, source and target contexts,
- and the target object's class will always be in an AVC message.
-</p>
-</body></subsection>
-
-<subsection><title>Understanding the Denial</title><body>
-<p>
- Denials can be very confusing since they can be triggered for several reasons.
- The key to understanding what is happening is to know the behavior of the
- program, and to correctly interpret the denial message. The target is not
- limited to files; it could also be related to network sockets,
- interprocess communications, or others.
-</p>
-<p>
- In the above example, the agetty is denied locking of a file. The file's type
- is var_log_t, therefore it is implied that the target file is in /var/log.
- With the extra information from the path= field in the denial message, it is
- confirmed to be the file /var/log/wtmp. If path information was unavailable,
- this could be further confirmed by searching for the inode. Wtmp is a file that has
- information about users currently logged in, and agetty handles logins on
- ttys. It can be concluded that this is an expected access of agetty, for
- updating wtmp. However, why is this access being denied? Is there a flaw
- in the policy by not allowing agetty to update wtmp? It turns out that wtmp
- has the incorrect context. It should be system_u:object_r:wtmp_t, rather
- than system_u:object_r:var_log_t.
-</p>
-<p>
- If this access was not understood, an administrator might mistakenly allow getty_t
- read/write access to var_log_t files, which would be incorrect, since agetty
- only needs to modify /var/log/wtmp. This underscores how critical keeping
- file contexts consistent is.
-</p>
-</body></subsection>
-</section>
-
-<section><title>References</title>
-<subsection><body>
-<p>
- <uri link="http://www.nsa.gov/selinux">U.S. National Security Agency</uri>,
- SELinux Policy README
-</p>
-</body></subsection>
-</section>
-</sections>
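Review bot: removing hb-selinux-overview.xml wholesale drops the handbook's explanation of the `identity:role:type` context format, the identity-to-role mapping table, the binary policy version table and the AVC denial walkthrough (the `avc: denied { lock }` agetty/wtmp example and its field-by-field table), with no replacement named. The hunk itself shows that chapters link into each other by anchor (`selinux-handbook.xml?part=3&chap=2#doc_chap3` in the identity mapping subsection), so incoming links to this chapter's anchors need the same check; the commented-out section at the top still carries an unresolved `!!! still need to update other links in the handbook` marker, which points the same way. If the content has been migrated, the destination document should be stated; if it has not, the denial-dissection material in particular is worth keeping somewhere, since it is the only part of this file set that teaches how to read an AVC message before deciding whether to change policy or fix a file context.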
diff --git a/xml/selinux/hb-selinux-references.xml b/xml/selinux/hb-selinux-references.xml
deleted file mode 100644
index 5bceac4..0000000
--- a/xml/selinux/hb-selinux-references.xml
+++ /dev/null
@@ -1,111 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
-
-<sections>
-<version>1.2</version>
-<date>2006-05-07</date>
-
-
-<section><title>Background</title>
-<subsection><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure:
- The Flawed Assumption of Security in Modern Computing Environments</uri>
- explains the need for mandatory access controls.</li>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture:
- System Support for Diverse Security Policies</uri>
- explains the security architecture of Flask, the architecture used by SELinux.</li>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</uri>
- has specifics about SELinux access checks in the kernel.</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Policy</title>
-<subsection><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</uri></li>
-<li>
- <uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri></li>
-<li>
- SELinux <uri link="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</uri>
- Overview</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Books</title>
-<subsection><body>
-<ul>
-<li>
- <c>SELinux by Example: Using Security Enhanced Linux</c>, Frank Mayer,
- Karl MacMillan, and David Caplan, Prentice Hall, 2006; ISBN 0131963694</li>
-<li>
- <c>SELinux: NSA's Open Source Security Enhanced Linux</c>, Bill McCarty,
- O'Reilly Media, 2004; ISBN 0596007167</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Meeting Notes</title>
-<subsection><body>
-<ul>
-<li>
- <uri link="http://www.selinux-symposium.org/2006/summit.php">March 3rd, 2006 SELinux Developer Summit</uri></li>
-<li>
- <uri link="http://www.selinux-symposium.org/meeting.php">May 6th, 2004 Informal Meeting</uri></li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Presentations</title>
-<subsection><title>2006 SELinux Symposium</title><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/selinux/papers/selsymp2006-abs.cfm">SELinux Year in Review</uri>,
- Stephen Smalley, National Security Agency</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2006/slides/03-refpolicy-slides.pdf">Reference Policy for Security Enhanced Linux</uri>,
- Karl MacMillan, Tresys Technology (<uri link="http://www.selinux-symposium.org/2006/papers/05-refpol.pdf">Paper</uri>)</li>
-</ul>
-</body>
-</subsection>
-<subsection><title>2005 SELinux Symposium</title><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/research/selinux/index.shtml">SELinux Overview</uri>,
- NSA</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session3/3-2-macmillan.pdf">Core Policy Management Infrastructure for SELinux</uri>,
- Karl MacMillan, Tresys Technology</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session4/4-1-walsh.pdf">Targeted vs. Strict Policy History and Strategy</uri>,
- Dan Walsh, Red Hat</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session4/4-4-mayer.pdf">Tresys SETools: Tools and Libraries for Policy Analysis and Management</uri>,
- Frank Mayer, Tresys Technology</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session5/5-3-macmillan.pdf">Information Flow Analysis for Type Enforcement Policies</uri>,
- Karl MacMillan, Tresys Technology</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session6/6-2-mayer.pdf">SELinux Policy Analysis Concepts and Techniques</uri>,
- David Caplan, Frank Mayer, Tresys Technology</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-</sections>
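Review bot: the reference list removed here is the only place in this file set that links the background papers (Inevitability of Failure, Flask, the SELinux LSM paper), the refpolicy project and the Object Classes and Permissions overview; if a references chapter exists in the new layout these entries should be migrated rather than dropped. The file's `<date>` is 2006-05-07, so a migration is also the moment to revalidate the URLs (several point at selinux-symposium.org and nsa.gov paths) rather than carry them over unchecked.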