* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-06 19:53 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-06 19:53 UTC
To: gentoo-commits
commit: e166a946c4e0e78deda5eb4ef5ff7efdfad31b45
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 6 19:50:50 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Feb 6 19:50:50 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e166a946
Most of hardened-dev is moved to official Portage, so update docs to reflect this
---
xml/selinux/hb-using-install.xml | 43 ++++++++++++++++++++++++++++---------
1 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index d341941..9d72e36 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -8,7 +8,7 @@
<sections>
<version>0</version>
-<date>2011-01-16</date>
+<date>2011-02-06</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -60,18 +60,14 @@ system is 512 byte. Since the default is 256, you will need to run the
<title>Installing the Hardened Development Overlay</title>
<body>
-<warn>
-The current SELinux ebuilds and packages in the official Portage tree are not
-sufficient to get SELinux working. The Gentoo Hardened team is working hard to
-get the SELinux related packages in good shape and is using the
-<c>hardened-development</c> overlay as the current development repository. As
-documentation is equally important as packages, this book is already written
-taking this overlay in mind. Once the packages are migrated to the stable
-Portage tree, the documentation will be updated accordingly.
-</warn>
+<p>
+Although optional, we recommend to enable the <c>hardened-development</c>
+overlay. The state of SELinux within Gentoo Hardened is still undergoing
+major development.
+</p>
<p>
-Now install <c>app-portage/layman</c> and add the <c>hardened-development</c>
+Install <c>app-portage/layman</c> and add the <c>hardened-development</c>
overlay. This overlay uses a git repository, so either install <c>git</c> as
well, or set <c>USE="git"</c> in <path>/etc/make.conf</path>.
Make sure to include layman's <path>make.conf</path> in your
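Review bot: the replacement `<p>` now calls the overlay optional, but the subsection title in the context line (`Installing the Hardened Development Overlay`) and the imperative `Install <c>app-portage/layman</c>` that follows still read as mandatory; retitle it with the `Optional:` prefix the handbook uses for other subsections and say in one sentence what a reader gives up by skipping the overlay, so the two statements agree. Also `we recommend to enable` should read `we recommend enabling`.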
@@ -345,6 +341,31 @@ utilities, label our file system and configure the policy.
</body>
</subsection>
<subsection>
+<title>Enabling ~Arch Packages</title>
+<body>
+
+<p>
+The current stable SELinux related packages are not fit for use anymore (or are
+even broken) so we seriously recommend to enable ~arch packages for SELinux. Add
+the following settings to the right file (for instance
+<path>/etc/portage/package.accept_keywords/selinux</path>):
+</p>
+
+<pre caption="SELinux ~arch packages">
+sys-libs/libselinux
+sys-apps/policycoreutils
+sys-libs/libsemanage
+sys-libs/libsepol
+app-admin/setools
+dev-python/sepolgen
+sys-apps/checkpolicy
+sec-policy/*
+=sys-process/vixie-cron-4.1-r11
+</pre>
+
+</body>
+</subsection>
+<subsection>
<title>Install Policies and Utilities</title>
<body>
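Review bot: in the new `<pre caption="SELinux ~arch packages">`, `=sys-process/vixie-cron-4.1-r11` is the only atom with an exact version and nothing says why it is pinned; add a `<comment>` line explaining what that revision provides, otherwise readers cannot tell whether the pin may be dropped once a newer revision is stabilized. Two wording points in the paragraph: `not fit for use anymore (or are even broken)` should state the actual failure the reader would hit, and `we seriously recommend to enable` should read `we strongly recommend enabling`. Note also that this subsection is placed after the profile switch and the first package installations, so the ~arch versions will be merged a second time; consider moving it before `Change the Gentoo Profile`.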
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-12 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-12 17:33 UTC
To: gentoo-commits
commit: 7ace453a9ad57f2c7e33c1278a5caed6d7380dcf
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 12 17:33:46 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 12 17:33:46 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=7ace453a
Sync layman, mention -loadpolicy, set POLICY_TYPES, use setsebool after reboot
---
xml/selinux/hb-using-install.xml | 31 +++++++++++++++++++++++++------
1 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 9d72e36..e4e7dda 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -8,7 +8,7 @@
<sections>
<version>0</version>
-<date>2011-02-06</date>
+<date>2011-02-12</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -77,6 +77,8 @@ Make sure to include layman's <path>make.conf</path> in your
<pre caption="Installing hardened-development overlay">
~# <i>emerge layman</i>
+~# <i>layman -S</i>
+
~# <i>layman -a hardened-development</i>
~# <i>nano /etc/make.conf</i>
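Review bot: `layman -S` is inserted before `layman -a hardened-development`, but `-S` (`--sync-all`) syncs overlays that are already added, so on a freshly installed layman it has nothing to do at that point. If the intent of the commit (`Sync layman`) is to refresh the list of available overlays before adding one, the command is `layman -f`; if the intent is to update the overlay once it is added, move the `layman -S` line below the `layman -a` line.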
@@ -120,6 +122,12 @@ Available profile symlink targets:
</pre>
<p>
+Edit your <path>/etc/make.conf</path> file and set
+<c>FEATURES="-loadpolicy"</c>. The current SELinux profile enables the
+loadpolicy feature, but this isn't supported anymore so can be safely ignored.
+</p>
+
+<p>
Next, rebuild those packages affected by the profile change through a standard
world update, taking into account USE-flag changes (as the new profile will
change many default USE flags, including enabling the <c>selinux</c> USE flag).
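Review bot: `set <c>FEATURES="-loadpolicy"</c>` as written would replace whatever FEATURES line the reader already has in `/etc/make.conf`; the paragraph should tell them to append `-loadpolicy` to the existing FEATURES value rather than overwrite it. The clause `this isn't supported anymore so can be safely ignored` also lacks a subject and `ignored` is misleading since the reader is being told to actively disable the feature: `so it can safely be disabled`.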
@@ -490,12 +498,14 @@ every application "out there".
</p>
<p>
-Finally, if you have indeed installed Gentoo using the hardened sources (as we
-recommended), enable the SSP SELinux boolean:
+When you have made your choice between <c>strict</c> and <c>targeted</c>, save
+this in your <path>/etc/make.conf</path> file as well. That way, Portage will
+only install the policy modules for that SELinux type rather than both.
</p>
-<pre caption="Enabling the global_ssp boolean">
-~# <i>setsebool -P global_ssp on</i>
+<pre caption="Setting the policy type in make.conf">
+~# <i>nano /etc/make.conf</i>
+POLICY_TYPES="<i>strict</i>"
</pre>
</body>
@@ -556,7 +566,16 @@ correctly. For instance, if you have installed
<body>
<p>
-Reboot your system and enjoy - your first steps into the SELinux world are now
+Reboot your system. Log on and, if you have indeed installed Gentoo using the
+hardened sources (as we recommended), enable the SSP SELinux boolean:
+</p>
+
+<pre caption="Enabling the global_ssp boolean">
+~# <i>setsebool -P global_ssp on</i>
+</pre>
+
+<p>
+With that done, enjoy - your first steps into the SELinux world are now
made.
</p>
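Review bot: the `setsebool -P global_ssp on` block is moved to after the reboot, but the new paragraph never says why the reader has to wait; add a sentence that a boolean can only be set, and persisted with `-P`, once the kernel has loaded the SELinux policy, which first happens at this reboot. Without that reason, a reader who remembers the earlier location of this step may try it before rebooting and get an error they cannot interpret.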
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-12 20:47 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-12 20:47 UTC
To: gentoo-commits
commit: cecf5818146f14e80414ca9585a1e579906a62a3
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 12 20:41:30 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 12 20:41:30 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=cecf5818
Lock location for LVM is defined both in start and in stop scripts
---
xml/selinux/hb-using-install.xml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index a359b90..4536618 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -185,9 +185,9 @@ tools or configurations that apply.
<li>
If you use LVM for one or more file systems, you need to edit
<path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>)
- and set the config location from <path>/dev/.lvm</path> to
- <path>/etc/lvm/lock</path>. Next, create the <path>/etc/lvm/lock</path>
- directory and run <c>restorecon /etc/lvm/lock</c>.
+ and <path>lvm-stop.sh</path> and set the config location from
+ <path>/dev/.lvm</path> to <path>/etc/lvm/lock</path>. Next, create the
+ <path>/etc/lvm/lock</path> directory and run <c>restorecon /etc/lvm/lock</c>.
</li>
<li>
If you use the <c>dhcpcd</c> client, edit
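Review bot: the commit subject speaks of the LVM lock location, but the list item still says `set the config location from <path>/dev/.lvm</path> to <path>/etc/lvm/lock</path>`; use one term (lock directory), name the variable that is edited in `lvm-start.sh` and `lvm-stop.sh`, and show the line before and after the change so the reader can find it in both scripts, since the same edit now has to be made twice.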
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-12 20:47 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-12 20:47 UTC
To: gentoo-commits
commit: 3b62083625d11e9d3b9010c1e90706c8a7a82bde
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 12 20:36:49 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 12 20:36:49 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3b620836
Put ~arch before profile switch, otherwise we perform double installations
---
xml/selinux/hb-using-install.xml | 50 +++++++++++++++++++-------------------
1 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index e4e7dda..a359b90 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -89,6 +89,31 @@ Make sure to include layman's <path>make.conf</path> in your
</body>
</subsection>
<subsection>
+<title>Enabling ~Arch Packages</title>
+<body>
+
+<p>
+The current stable SELinux related packages are not fit for use anymore (or are
+even broken) so we seriously recommend to enable ~arch packages for SELinux. Add
+the following settings to the right file (for instance
+<path>/etc/portage/package.accept_keywords/selinux</path>):
+</p>
+
+<pre caption="SELinux ~arch packages">
+sys-libs/libselinux
+sys-apps/policycoreutils
+sys-libs/libsemanage
+sys-libs/libsepol
+app-admin/setools
+dev-python/sepolgen
+sys-apps/checkpolicy
+sec-policy/*
+=sys-process/vixie-cron-4.1-r11
+</pre>
+
+</body>
+</subsection>
+<subsection>
<title>Change the Gentoo Profile</title>
<body>
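Review bot: moving `Enabling ~Arch Packages` ahead of `Change the Gentoo Profile` fixes the double installation, but the moved paragraph still does not tell the reader that the keywords must be in place before the world update that follows the profile switch; one sentence to that effect stops the subsection from being skipped as optional. The pinned `=sys-process/vixie-cron-4.1-r11` also still carries no explanation of why that exact revision is required.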
@@ -349,31 +374,6 @@ utilities, label our file system and configure the policy.
</body>
</subsection>
<subsection>
-<title>Enabling ~Arch Packages</title>
-<body>
-
-<p>
-The current stable SELinux related packages are not fit for use anymore (or are
-even broken) so we seriously recommend to enable ~arch packages for SELinux. Add
-the following settings to the right file (for instance
-<path>/etc/portage/package.accept_keywords/selinux</path>):
-</p>
-
-<pre caption="SELinux ~arch packages">
-sys-libs/libselinux
-sys-apps/policycoreutils
-sys-libs/libsemanage
-sys-libs/libsepol
-app-admin/setools
-dev-python/sepolgen
-sys-apps/checkpolicy
-sec-policy/*
-=sys-process/vixie-cron-4.1-r11
-</pre>
-
-</body>
-</subsection>
-<subsection>
<title>Install Policies and Utilities</title>
<body>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-12 20:47 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-12 20:47 UTC
To: gentoo-commits
commit: c74c31fdef1f9c353b83b9baac16346bc5c31afb
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 12 20:46:55 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 12 20:46:55 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c74c31fd
Move upgrade after specific package order installations
---
xml/selinux/hb-using-install.xml | 20 +++++++++++++-------
1 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 4536618..1ef48e9 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -153,15 +153,10 @@ loadpolicy feature, but this isn't supported anymore so can be safely ignored.
</p>
<p>
-Next, rebuild those packages affected by the profile change through a standard
-world update, taking into account USE-flag changes (as the new profile will
-change many default USE flags, including enabling the <c>selinux</c> USE flag).
+Don't update your system yet - we will need to install a couple of packages in a
+particular order which Portage isn't aware of in the next couple of sections.
</p>
-<pre caption="Update your Gentoo Linux system">
-~# <i>emerge -uDN world</i>
-</pre>
-
</body>
</subsection>
<subsection>
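Review bot: `Don't update your system yet` drops the `emerge -uDN world` block from this subsection, but the new sentence does not say where the update is performed instead; name the subsection where it now happens so a reader working through the guide knows the world update is still coming rather than gone. `in the next couple of sections` is also vague about which installations must precede it; list them or refer to the subsections by title.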
@@ -403,6 +398,17 @@ it yet).
</pre>
<p>
+Next, rebuild those packages affected by the profile change we did previously
+through a standard world update, taking into account USE-flag changes (as the
+new profile will change many default USE flags, including enabling the
+<c>selinux</c> USE flag).
+</p>
+
+<pre caption="Update your Gentoo Linux system">
+~# <i>emerge -uDN world</i>
+</pre>
+
+<p>
Next, install the additional SELinux tools that you might need in the future to
debug or help with your SELinux installation. These packages are optional, but
recommended.
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-12 20:49 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-12 20:49 UTC
To: gentoo-commits
commit: 0fb19cab9e5d88c7cd17cc5771f1189b9f54afcd
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 12 20:49:17 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 12 20:49:17 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=0fb19cab
Add note about "Unable to set SELinux security labels"
---
xml/selinux/hb-using-install.xml | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 1ef48e9..ff9eb80 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -146,6 +146,14 @@ Available profile symlink targets:
~# <i>eselect profile set 15</i>
</pre>
+<note>
+Starting from the profile change, Portage will warn you after every installation
+that it was "Unable to set SELinux security labels". This is to be expected,
+because the tools and capabilities that Portage requires to set the security
+labels aren't available yet. This warning will vanish the moment the SELinux
+installation is completed.
+</note>
+
<p>
Edit your <path>/etc/make.conf</path> file and set
<c>FEATURES="-loadpolicy"</c>. The current SELinux profile enables the
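Review bot: the new `<note>` explains the warning but not its consequence: packages merged while `Unable to set SELinux security labels` appears are installed without correct labels, and the reader should be told that the full relabel later in the guide (the `rlpkg -a -r` run) fixes them; as written, `This warning will vanish` suggests there is nothing left to do for those packages. Quoting the warning verbatim is good; keep it exactly as Portage prints it so users can search for it.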
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-12 20:50 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-12 20:50 UTC
To: gentoo-commits
commit: bc5b669e6c9e3881a22f55847bda67d2088404ef
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 12 20:50:19 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 12 20:50:19 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=bc5b669e
restorecon is not available at this moment, and is also not required to be performed as the rlpkg -a -r activity will place the label anyhow
---
xml/selinux/hb-using-install.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index ff9eb80..a42538d 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -190,7 +190,7 @@ tools or configurations that apply.
<path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>)
and <path>lvm-stop.sh</path> and set the config location from
<path>/dev/.lvm</path> to <path>/etc/lvm/lock</path>. Next, create the
- <path>/etc/lvm/lock</path> directory and run <c>restorecon /etc/lvm/lock</c>.
+ <path>/etc/lvm/lock</path> directory.
</li>
<li>
If you use the <c>dhcpcd</c> client, edit
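Review bot: dropping `restorecon /etc/lvm/lock` is right at this point, since the tool is not installed yet, but the rationale lives only in the commit message; add a short clause to the list item saying the directory is labelled later by the full relabel (`rlpkg -a -r`), so a reader who knows SELinux does not reinsert a `restorecon` call that would fail here.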
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-12 23:44 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-12 23:44 UTC
To: gentoo-commits
commit: 1e1eefef7276c65afb8ac2d349bdba1b950ddcb9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 12 23:43:54 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 12 23:43:54 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=1e1eefef
tmp should be tmp_t, not tmpfs_t
---
xml/selinux/hb-using-install.xml | 30 ++++++++++++++++++++++++++++++
1 files changed, 30 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index de9ca9d..bb3a984 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -89,6 +89,36 @@ Make sure to include layman's <path>make.conf</path> in your
</body>
</subsection>
<subsection>
+<title>Optional: Setting the /tmp context</title>
+<body>
+
+<p>
+If your <path>/tmp</path> location is a tmpfs-mounted file system, then you need
+to tell the kernel that the root context of this location is <c>tmp_t</c>
+instead of <c>tmpfs_t</c>. Many SELinux policy objects (including various
+server-level policies) assume that <path>/tmp</path> is <c>tmp_t</c>.
+</p>
+
+<p>
+To configure the <path>/tmp</path> mount, edit your <path>/etc/fstab</path>:
+</p>
+
+<pre caption="Update /etc/fstab for /tmp">
+tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t</i> 0 0
+</pre>
+
+<p>
+Unmount and remount the <path>/tmp</path> file system.
+</p>
+
+<pre caption="Remount the /tmp file system">
+~# <i>umount /tmp</i>
+~# <i>mount /tmp</i>
+</pre>
+
+</body>
+</subsection>
+<subsection>
<title>Enabling ~Arch Packages</title>
<body>
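Review bot: the `umount /tmp` / `mount /tmp` step will fail with a busy error whenever any process still holds a file open under `/tmp`, which is likely on a system in the middle of an installation, and it is not needed because the guide reboots later anyway; drop it, or tell the reader the new `rootcontext` simply takes effect at the next mount. One caveat for the fstab line: `rootcontext=system_u:object_r:tmp_t` is a three-field context, which is correct for a policy built without MLS/MCS; a policy with MLS/MCS support expects a sensitivity level as a fourth field (for example `:s0`), so state which policy build this line applies to.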
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-12 23:44 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-12 23:44 UTC
To: gentoo-commits
commit: bd40fcec338db1a3d1e9484687a1397e8f8b047f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 12 21:34:20 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 12 21:34:20 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=bd40fcec
You never know how literally people take an installation guide...
---
xml/selinux/hb-using-install.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index a42538d..de9ca9d 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -243,6 +243,7 @@ of the <path>sys-kernel/hardened-sources</path> package.
</p>
<pre caption="Installing hardened-sources">
+<comment>(Only if you have not installed it previously of course)</comment>
~# <i>emerge hardened-sources</i>
</pre>
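Review bot: the new `<comment>` reads as an aside rather than an instruction; phrase it as the condition it is, for instance `(Skip this step if hardened-sources is already installed)`, and drop `of course`, which does not help the reader who, as the commit message says, follows the guide literally.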
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-13 18:20 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-13 18:20 UTC
To: gentoo-commits
commit: 02f3404eaabd63ffe014e7b3c4dd8770ca743b6e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 13 18:20:15 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Feb 13 18:20:15 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=02f3404e
Remount is not needed, we perform a reboot later anyhow
---
xml/selinux/hb-using-install.xml | 11 +----------
1 files changed, 1 insertions(+), 10 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index bb3a984..0255f41 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -8,7 +8,7 @@
<sections>
<version>0</version>
-<date>2011-02-12</date>
+<date>2011-02-13</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -107,15 +107,6 @@ To configure the <path>/tmp</path> mount, edit your <path>/etc/fstab</path>:
tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t</i> 0 0
</pre>
-<p>
-Unmount and remount the <path>/tmp</path> file system.
-</p>
-
-<pre caption="Remount the /tmp file system">
-~# <i>umount /tmp</i>
-~# <i>mount /tmp</i>
-</pre>
-
</body>
</subsection>
<subsection>
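Review bot: with the remount removed, nothing in this subsection tells the reader when the new `rootcontext` becomes effective; add one sentence after the fstab `<pre>` saying the context is applied the next time `/tmp` is mounted, i.e. at the reboot later in the guide, so a user who checks `ls -Zd /tmp` right after editing fstab does not conclude the change failed.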
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-19 3:12 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-02-19 3:12 UTC
To: gentoo-commits
commit: 83073fb72bbd479447682852fd072ce85ef82bc1
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 03:12:18 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 03:12:18 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=83073fb7
Adding devs as requested
---
xml/selinux/index.xml | 23 +++++++++++++++++++++++
1 files changed, 23 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index b6dd1f0..6cf6041 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -49,6 +49,7 @@
</extrachapter>
<dev role="lead" description="Policy, x86, AMD64">pebenito</dev>
+<dev role="Proxy" description="non developer contributors">blueness</dev>
<extraproject name="Base Policy" lead="pebenito">
SELinux policy for the core system, including users, administrators, and
@@ -77,6 +78,28 @@
-->
<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</resource>
+<extrachapter position="devs">
+<title>Contributors</title>
+<section>
+<body>
+
+<p>
+The following people although not developer is actively contributing with the
+project:
+</p>
+<table>
+<tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr>
+<tr><ti>Chris Richards</ti><ti>gizmo</ti>
+<ti>Policy development, support</ti></tr>
+<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti>
+<ti>Documentation writting, support</ti></tr>
+</table>
+
+</body>
+</section>
+</extrachapter>
+
+
<extrachapter position="resources">
<title>How Do I Use This?</title>
<section>
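Review bot: the new paragraph has a number-agreement error: `The following people although not developer is actively contributing with the project` should read `The following people, although not developers, are actively contributing to the project`; in the table, `writting` is `writing`. The two blank lines added before `<extrachapter position="resources">` are one more than needed.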
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-19 3:21 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-02-19 3:21 UTC
To: gentoo-commits
commit: 54d5456ecb83e35b7f92b0106fa3921d6dfe8e24
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 03:21:56 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 03:21:56 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=54d5456e
Updating blueness and minor typos
---
xml/selinux/index.xml | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index 6cf6041..9da1c1a 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -49,7 +49,8 @@
</extrachapter>
<dev role="lead" description="Policy, x86, AMD64">pebenito</dev>
-<dev role="Proxy" description="non developer contributors">blueness</dev>
+<dev role="Policy development, Proxy (non developer contributors)">blueness
+</dev>
<extraproject name="Base Policy" lead="pebenito">
SELinux policy for the core system, including users, administrators, and
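Review bot: the `role` attribute now carries free text (`Policy development, Proxy (non developer contributors)`) and the `description` attribute was dropped; the other `<dev>` entry in the context (`<dev role="lead" description="Policy, x86, AMD64">pebenito</dev>`) keeps a short role and puts the detail in `description`, so this entry should follow the same shape. Putting `</dev>` on its own line also makes the element content `blueness` followed by a newline; keep the closing tag on the same line as the name.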
@@ -84,7 +85,7 @@
<body>
<p>
-The following people although not developer is actively contributing with the
+The following people although non-developer is actively contributing with the
project:
</p>
<table>
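Review bot: `although non-developer is actively contributing with the` still has the agreement problem: the subject is `people`, so the sentence should be `The following people, although not developers, are actively contributing to the project:`; this hunk only changed `not developer` to `non-developer` and left `is` and `with` in place.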
@@ -92,7 +93,7 @@ project:
<tr><ti>Chris Richards</ti><ti>gizmo</ti>
<ti>Policy development, support</ti></tr>
<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti>
-<ti>Documentation writting, support</ti></tr>
+<ti>Documentation writing, support</ti></tr>
</table>
</body>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-19 17:00 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-02-19 17:00 UTC
To: gentoo-commits
commit: 8618d4cedd90e8dd8d480d20f09e249ae733797e
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Sat Feb 19 17:00:09 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Sat Feb 19 17:00:09 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=8618d4ce
Fix bad link pointed by ago bug #355571
---
xml/selinux/index.xml | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index 695dd55..c9cd173 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -31,12 +31,12 @@
<title>What is SELinux?</title>
<section><body>
<p>
- <uri link="http://www.nsa.gov/selinux">Security-Enhanced Linux</uri> (SELinux)
- is a system of mandatory access control using type enforcement and role-based
- access control. It is implemented as a
- <uri link="http://lsm.immunix.org/">Linux Security Module</uri> (LSM).
- In addition to the kernel portion, SELinux consists of a library (libselinux)
- and userland utilities for compiling policy (checkpolicy), and loading policy
+ <uri link="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced
+ Linux</uri> (SELinux) is a system of mandatory access control using type
+ enforcement and role-based access control. It is implemented as a <uri
+ link="http://lsm.immunix.org/">Linux Security Module</uri> (LSM). In addition
+ to the kernel portion, SELinux consists of a library (libselinux) and userland
+ utilities for compiling policy (checkpolicy), and loading policy
(policycoreutils), in addition to other user programs.
</p>
<p>
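Review bot: only the NSA `link=` value needed to change, but the whole paragraph was reflowed, so the diff replaces six lines for a one-attribute fix and `git blame` on this paragraph will now point at a link fix; keep the original wrapping and change just the URL. If reflowing is wanted anyway, keep `<uri` and its `link="..."` attribute on the same line: splitting them across lines is valid XML but unlike the rest of this file.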
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-20 13:26 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-20 13:26 UTC
To: gentoo-commits
commit: a2434d77d94b9fd2249c59121c222a5ceaf47a35
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 20 13:25:56 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Feb 20 13:25:56 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a2434d77
Add note on when the glibc rebuild section can be removed
---
xml/selinux/hb-using-install.xml | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 0255f41..e58d898 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -233,6 +233,17 @@ tools or configurations that apply.
<title>Optional: Upgrading Linux Kernel Headers</title>
<body>
+<!--
+TODO linux-headers-2.6.36.1 has been stabilized recently, so it should not be
+long before the stage3 tarballs include a glibc built with the more recent
+linux-headers. However, existing systems can still require glibc to be rebuild,
+so we need to wait until glibc is also stabilized (at the time of writing, stable
+glibc for x86/amd64 is 2.11.2-r3).
+
+So, in other words, when 2.11.3 or higher is stabilized for glibc, then this
+section can be dropped from the installation instructions.
+-->
+
<p>
If you have a system with ext4 file systems, you will need to upgrade the
<path>sys-kernel/linux-headers</path> package to at least version 2.6.34. This
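Review bot: in the new `<!-- TODO -->` block, `can still require glibc to be rebuild` should be `rebuilt`. The only actionable line is the last one (drop this section once glibc 2.11.3 or higher is stable for x86/amd64); put that condition first in the comment so the next editor sees the check before the background, and record the date of `at the time of writing` so the `2.11.2-r3` figure can be judged later.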
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-02-24 21:19 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-24 21:19 UTC
To: gentoo-commits
commit: 28a35d0765de52918a7a6e81ffd92e4f6ec6c8a5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Feb 24 21:19:00 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Feb 24 21:19:00 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=28a35d07
Adding sestatus output if SELinux is not loaded
---
xml/selinux/hb-appendix-troubleshoot.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-appendix-troubleshoot.xml b/xml/selinux/hb-appendix-troubleshoot.xml
index c5297b8..0af5aca 100644
--- a/xml/selinux/hb-appendix-troubleshoot.xml
+++ b/xml/selinux/hb-appendix-troubleshoot.xml
@@ -8,7 +8,7 @@
<sections>
<version>0</version>
-<date>2011-01-08</date>
+<date>2011-02-24</date>
<section>
<title>Unable To Load SELinux Policy</title>
@@ -23,7 +23,7 @@ If you get the following output, no SELinux policy is loaded:
</p>
<pre caption="sestatus output">
-$$$TODO
+SELinux status: disabled
</pre>
<p>
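Review bot: `SELinux status: disabled` is the right replacement for the `$$$TODO` placeholder, but `sestatus` prints the same line when the kernel has no SELinux support at all or when selinuxfs is not mounted, not only when no policy is loaded; the text under `Unable To Load SELinux Policy` should tell the reader to rule out those two causes (kernel configuration and the selinuxfs mount) before looking at the policy itself.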
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-03-02 15:53 Sven Vermeulen
From: Sven Vermeulen @ 2011-03-02 15:53 UTC
To: gentoo-commits
commit: 33a526d4538f10fe629ad73e8166b54b2cab6cb0
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 2 15:35:32 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 2 15:35:32 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=33a526d4
Add more information on why .old files need to become copies
---
xml/selinux/hb-using-install.xml | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index e58d898..780d085 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>0</version>
-<date>2011-02-13</date>
+<version>1</version>
+<date>2011-03-02</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -221,9 +221,10 @@ tools or configurations that apply.
</li>
<li>
Check if you have <path>*.old</path> files in <path>/bin</path>. If you do,
- either remove those or make them a copy of their counterpart. The
- <path>.old</path> files are hard links which mess up the file labelling. For
- instance, <c>cp /bin/hostname /bin/hostname.old</c>.
+ either remove those or make them a copy of their counterpart so that they
+ get their own security context. The <path>.old</path> files are hard links
+ which mess up the file labelling. For instance, <c>cp /bin/hostname
+ /bin/hostname.old</c>.
</li>
</ul>
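Review bot: the example `cp /bin/hostname /bin/hostname.old` does not achieve what the list item now says: when `hostname.old` is a hard link to `hostname`, both names refer to the same inode, and GNU `cp` refuses the copy with a `are the same file` error. The item should remove the link first (`rm /bin/hostname.old && cp /bin/hostname /bin/hostname.old`, or `cp --remove-destination /bin/hostname /bin/hostname.old`) so the new file gets its own inode and therefore its own security context, which is exactly the reason the paragraph now gives.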
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-03-02 20:13 Sven Vermeulen
From: Sven Vermeulen @ 2011-03-02 20:13 UTC
To: gentoo-commits
commit: 4e8af34fb6fab6f7d14e1ccd7f3f19377f858c70
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 2 20:12:02 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 2 20:12:02 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4e8af34f
fix typos
---
xml/selinux/hb-intro-concepts.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index 306a525..d9e89c9 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -188,7 +188,7 @@ touch: cannot touch '/var/tmp/portage/foo': Permission denied
<p>
As SELinux could not find a rule that allows the staff_t domain to write to any
-directory labelled with the portage_tmp_t type, the permission was denied.
+directory labeled with the portage_tmp_t type, the permission was denied.
</p>
</body>
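Review bot: this switches to the American spelling "labeled", but the hb-using-install.xml hunk committed the same day still says "file labelling"; pick one spelling and apply it across the handbook in one pass rather than per occurrence.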
@@ -209,7 +209,7 @@ security contexts, let's start from the last definition in the context (the
<ul>
<li>
A <e>SELinux type</e> is a particular label assigned to a resource. The
- <c>passwd</c> command for instance is labelled with the passwd_exec_t type.
+ <c>passwd</c> command for instance is labeled with the passwd_exec_t type.
</li>
<li>
A <e>SELinux domain</e> is the security state of a process and identifies the rights
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-03-02 20:13 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-03-02 20:13 UTC (permalink / raw
To: gentoo-commits
commit: 13cb118c7797b2ae913d31e9c1fde065968c97c2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 2 20:11:32 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 2 20:11:32 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=13cb118c
fix typo
---
xml/selinux/hb-intro-concepts.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index 91c2de0..306a525 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -123,7 +123,7 @@ but SELinux also manages classes such as <e>filesystem</e>, <e>tcp_socket</e>,
<p>
On each object class, a set of <e>permissions</e> is declared which are possible
against a resource within this object class. For instance, the <e>process</e>
-obejct class supports at least the following permissions:
+object class supports at least the following permissions:
</p>
<pre caption="Supported permissions against a 'process' resource">
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-03-02 20:13 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-03-02 20:13 UTC (permalink / raw
To: gentoo-commits
commit: c25f55178a6197abbdbe7b0e491f896532119735
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 2 20:12:58 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 2 20:12:58 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c25f5517
fix typo
---
xml/selinux/hb-intro-concepts.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index d9e89c9..b8933ed 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -436,7 +436,7 @@ running <c>sudo</c>, he is still inside the <e>user_r</e> role.
<p>
A SELinux user is not the same as the Linux user. Whereas standard Linux user
accounts can be switched using commands such as <c>su</c> or <c>sudo</c>, a
-SELinux user can not be changed. Even when you succesfully execute <c>sudo</c>,
+SELinux user can not be changed. Even when you successfully execute <c>sudo</c>,
your SELinux user will remain the same.
</p>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-03-02 20:38 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-03-02 20:38 UTC (permalink / raw
To: gentoo-commits
commit: d2b90545002cf5e566271453c17a8a92eedcee9f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 2 20:28:35 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 2 20:28:35 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=d2b90545
update on policy and refer to bugzilla
---
xml/selinux/hb-using-permissive.xml | 19 +++++++++++++++++--
1 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
index 54e7392..83f3d73 100644
--- a/xml/selinux/hb-using-permissive.xml
+++ b/xml/selinux/hb-using-permissive.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>1</version>
-<date>2010-12-31</date>
+<version>2</version>
+<date>2011-03-02</date>
<section>
<title>Keeping Track of Denials</title>
@@ -403,6 +403,21 @@ The module definition (in our example called <path>fixsudo.te</path>) can be
modified as you please - it's content is standard ASCII, human readable.
</p>
+<p>
+Not all denials that you might get are bugs in the default security policy.
+It is very probable that you use your system in a slightly different way than
+intended within the Gentoo Hardened SELinux default policy. However, if you
+believe that you had to change your runtime policy due to a bug in the
+current policy, please report it on <uri
+link="https://bugs.gentoo.org">Bugzilla</uri> so that the Gentoo Hardened
+SELinux developers can take a look at it. Also, don't hesitate to contact
+the Gentoo Hardened SELinux developers if you are uncertain about things.
+</p>
+
+<p>
+They don't bite. They get fed regularly so they don't have to.
+</p>
+
</body>
</subsection>
</section>
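Review bot: the paragraph asks users to report policy bugs but does not say what to include; a report is only actionable with the raw AVC denial lines from the audit log and the installed policy package version, so suggest listing those two items. The unchanged context line above the hunk also reads "it's content" for "its content"; worth fixing while here.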
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-03-02 20:38 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-03-02 20:38 UTC (permalink / raw
To: gentoo-commits
commit: 8db9b0399314b72b932262256199102062fcf401
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 2 20:37:37 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 2 20:37:37 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=8db9b039
Add information on gentoo_try_dontaudit boolean
---
xml/selinux/hb-using-enforcing.xml | 14 +++++++++++---
xml/selinux/hb-using-permissive.xml | 19 +++++++++++++++++++
2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/xml/selinux/hb-using-enforcing.xml b/xml/selinux/hb-using-enforcing.xml
index 01ef065..66e24a9 100644
--- a/xml/selinux/hb-using-enforcing.xml
+++ b/xml/selinux/hb-using-enforcing.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>0</version>
-<date>2011-01-04</date>
+<version>1</version>
+<date>2011-03-02</date>
<section>
<title>Switching to Enforcing Mode</title>
@@ -44,7 +44,8 @@ mode, run <c>setenforce 1</c>.
<p>
It is wise to ensure that you have booted the system but not logged in anywhere
except as the root user. Also verify that the session you're currently in (as
-root) uses the <c>root:sysadm_r:sysadm_t</c> context (otherwise trying to
+root) uses the <c>root:sysadm_r:sysadm_t</c> or
+<c>unconfined_u:unconfined_r:unconfined_t</c> context (otherwise trying to
disable enforcing mode might not work).
</p>
@@ -210,6 +211,13 @@ If you are confident to continue with the dontaudit statements again, run the
same command without the <c>-D</c>.
</p>
+<p>
+Gentoo Hardened uses a specific boolean called <c>gentoo_try_dontaudit</c> to
+show or hide the denials that the developers believe are cosmetic. Thanks to
+this approach, you can first disable the Gentoo-selected dontaudit statements
+before showing all of them - which can be quite a lot more.
+</p>
+
</body>
</subsection>
</section>
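Review bot: this paragraph says you can "first disable the Gentoo-selected dontaudit statements" but gives no command, while the permissive chapter in this same commit shows the `getsebool`/`setsebool` calls; either repeat `setsebool gentoo_try_dontaudit off` here or point at that section. The trailing "which can be quite a lot more" is awkward; "which can be considerably more" reads better.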
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
index 83f3d73..3d9e1fb 100644
--- a/xml/selinux/hb-using-permissive.xml
+++ b/xml/selinux/hb-using-permissive.xml
@@ -225,6 +225,25 @@ shouldn't be. But a few ground-rules do apply.
</li>
</ul>
+<p>
+During development of the policies, Gentoo Hardened developers will try to
+hide denials they believe are cosmetic. This hiding can be toggled using the
+SELinux <c>gentoo_try_dontaudit</c> boolean:
+</p>
+
+<pre caption="Getting and setting Gentoo's gentoo_try_dontaudit boolean">
+~# <i>getsebool gentoo_try_dontaudit</i>
+gentoo_try_dontaudit --> off
+~# <i>setsebool -P gentoo_try_dontaudit on</i>
+</pre>
+
+<p>
+When set, the denials that are believed to be cosmetic are hidden from your
+audit logs. But if your system is not functioning properly and you do not see
+any denials, it is wise to toggle this boolean again to verify if the denial
+is now shown or not.
+</p>
+
</body>
</subsection>
<subsection>
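Review bot: the `getsebool` output shows the boolean off, yet the sentence above says developers "try to hide denials"; state plainly that the hiding is only active once the boolean is on, so the default shows the denials Gentoo considers cosmetic. The closing advice to "toggle this boolean again" should name the exact command (`setsebool gentoo_try_dontaudit off`, without `-P` for a temporary change) and tell the reader to rerun the failing operation afterwards, since a denial that only appears with the boolean off is exactly what should be reported.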
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-03-02 20:48 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-03-02 20:48 UTC (permalink / raw
To: gentoo-commits
commit: 381ff168558a6cdf10b1f0112e068e7e266dfdba
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 2 20:42:37 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 2 20:42:37 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=381ff168
Improve information on reference policy writing a bit
---
xml/selinux/hb-using-policymodules.xml | 15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/xml/selinux/hb-using-policymodules.xml b/xml/selinux/hb-using-policymodules.xml
index f716e5d..c27df36 100644
--- a/xml/selinux/hb-using-policymodules.xml
+++ b/xml/selinux/hb-using-policymodules.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>0</version>
-<date>2010-12-01</date>
+<version>1</version>
+<date>2011-03-02</date>
<section>
<title>Writing Simple Policies</title>
@@ -218,8 +218,15 @@ This interface allows other modules to use the
<c>mozilla_read_user_home_files</c> function if they want their domain to be
able to (in this case) read the files in the mozilla_home_t domain. Of course,
they can add all statements inside their own definition, but then they would
-have to require that the mozilla module is loaded or known. Instead, developers
-can <e>optionally</e> call an interface.
+have to require that the mozilla module is loaded, which might be a wrong
+assumption, and duplicate the same allow statements for each application.
+The use of interfaces makes policy development easier.
+</p>
+
+<p>
+Also, the reference policy allows the use of <e>optional</e> statements:
+a module can call an interface of another module, but this may not fail if
+the other module is not available on a users' system.
</p>
<p>
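Review bot: grammar in the added lines: "this may not fail" should be "this does not fail" (it describes behaviour, not permission) and "a users' system" should be "a user's system". The unchanged context line calls mozilla_home_t a "domain"; it is a file type, domains are process types, and the concepts chapter edited in this same batch draws exactly that distinction, so fix it here as well. Naming the construct (`optional_policy(...)`) would make the second paragraph concrete.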
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-03-09 16:54 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-03-09 16:54 UTC (permalink / raw
To: gentoo-commits
commit: 9078540a63388eb4e9eaecea83cceea3a65cfe24
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 9 16:51:42 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 9 16:51:42 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9078540a
glibc stabilized, dhcpcd fix not needed anymore with recent stable dhcpcd packages
---
xml/selinux/hb-using-install.xml | 46 +------------------------------------
1 files changed, 2 insertions(+), 44 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 780d085..4633d0e 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>1</version>
-<date>2011-03-02</date>
+<version>2</version>
+<date>2011-03-09</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -214,12 +214,6 @@ tools or configurations that apply.
<path>/etc/lvm/lock</path> directory.
</li>
<li>
- If you use the <c>dhcpcd</c> client, edit
- <path>/lib/dhcpcd/dhcpcd-hooks/50-dhcpcd-compat</path> and change the
- location of all <path>*.info</path> files from <path>/var/lib</path> to
- <path>/var/lib/dhcpcd</path>
- </li>
- <li>
Check if you have <path>*.old</path> files in <path>/bin</path>. If you do,
either remove those or make them a copy of their counterpart so that they
get their own security context. The <path>.old</path> files are hard links
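Review bot: the workaround is dropped on the grounds that recent stable dhcpcd no longer needs it, but neither the hunk nor the commit message records the dhcpcd version from which that holds; users converting an older install will hit the `/var/lib` labelling problem with no pointer left in the doc. Suggest a one-line note with the minimum version instead of a silent removal.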
@@ -231,42 +225,6 @@ tools or configurations that apply.
</body>
</subsection>
<subsection>
-<title>Optional: Upgrading Linux Kernel Headers</title>
-<body>
-
-<!--
-TODO linux-headers-2.6.36.1 has been stabilized recently, so it should not be
-long before the stage3 tarballs include a glibc built with the more recent
-linux-headers. However, existing systems can still require glibc to be rebuild,
-so we need to wait until glibc is also stabilized (at the time of writing, stable
-glibc for x86/amd64 is 2.11.2-r3).
-
-So, in other words, when 2.11.3 or higher is stabilized for glibc, then this
-section can be dropped from the installation instructions.
--->
-
-<p>
-If you have a system with ext4 file systems, you will need to upgrade the
-<path>sys-kernel/linux-headers</path> package to at least version 2.6.34. This
-might require you to unmask this particular version. This is needed to support
-extended attributes on ext4 file systems.
-</p>
-
-<pre caption="Installing the Linux kernel headers">
-~# <i>emerge -u \>=sys-kernel/linux-headers-2.6.34</i>
-</pre>
-
-<p>
-With the headers upgraded, you will need to recompile the glibc package:
-</p>
-
-<pre caption="Reinstalling the glibc package">
-~# <i>emerge -1 glibc</i>
-</pre>
-
-</body>
-</subsection>
-<subsection>
<title>Installing a SELinux Kernel</title>
<body>
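Review bot: the removed TODO comment itself says the section could go only once stage3 ships a glibc built against the newer linux-headers; systems installed before that still carry the old glibc, so keep a short note telling users of existing installs to re-emerge glibc (the removed `emerge -1 glibc` step) if they hit extended-attribute problems on ext4, rather than dropping the guidance entirely.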
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-01 17:45 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-01 17:45 UTC (permalink / raw
To: gentoo-commits
commit: 6ead14e833d7958b6f5b89c45d520be1accfa615
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 1 17:44:41 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 1 17:44:41 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6ead14e8
drop unneeded files
---
xml/selinux/hb-selinux-conv-profile.xml | 107 -------
xml/selinux/hb-selinux-conv-reboot1.xml | 193 ------------
xml/selinux/hb-selinux-conv-reboot2.xml | 213 -------------
xml/selinux/hb-selinux-faq.xml | 154 ---------
xml/selinux/hb-selinux-howto.xml | 250 ---------------
xml/selinux/hb-selinux-initpol.xml | 48 ---
xml/selinux/hb-selinux-libsemanage.xml | 246 ---------------
xml/selinux/hb-selinux-localmod.xml | 134 --------
xml/selinux/hb-selinux-loglocal.xml | 166 ----------
xml/selinux/hb-selinux-logremote.xml | 177 -----------
xml/selinux/hb-selinux-overview.xml | 521 -------------------------------
xml/selinux/hb-selinux-references.xml | 111 -------
12 files changed, 0 insertions(+), 2320 deletions(-)
diff --git a/xml/selinux/hb-selinux-conv-profile.xml b/xml/selinux/hb-selinux-conv-profile.xml
deleted file mode 100644
index 01f5ead..0000000
--- a/xml/selinux/hb-selinux-conv-profile.xml
+++ /dev/null
@@ -1,107 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ -->
-
-<sections>
-<version>2.1</version>
-<date>2010-06-15</date>
-
-<section><title>Change Profile</title>
-<subsection><body>
-
-<warn>SELinux is only supported on ext2/3, XFS, JFS, and Btrfs. Other filesystems
-lack the complete extended attribute support.</warn>
-
-<warn>Users should convert from a 2006.1 or newer profile otherwise
-there may be unpredictable results.</warn>
-
-<impo>As always, keep a LiveCD at hand in case things go wrong.</impo>
-
-<p>First switch your profile to the SELinux profile for your architecture:</p>
-
-<pre caption="Switch profiles">
-# <i>rm -f /etc/make.profile</i>
-
-
-<comment>x86 (server):</comment>
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/server /etc/make.profile</i>
-<comment>x86 (hardened):</comment>
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/hardened /etc/make.profile</i>
-<comment>AMD64:</comment>
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/server /etc/make.profile</i>
-<comment>AMD64 (hardened):</comment>
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/hardened /etc/make.profile</i>
-</pre>
-
-<note>You can also switch profiles with eselect if you have the gentoolkit
- package installed. That method is not shown here because the specific options
- available and their numbering will vary according to your system
- configuration.</note>
-
-<impo>Do not use any profiles other than the ones listed above, even
-if they seem to be out of date. SELinux profiles are not necessarily
-created as often as default Gentoo profiles.</impo>
-
-<impo>The SELinux profile has significanly fewer USE flags asserted than
-the default profile. Use <c>emerge info</c> to see if any use flags
-need to be reenabled in make.conf.</impo>
-
-<note>It is not necessary to add selinux to your USE flags in make.conf.
-The SELinux profile already does this for you.
-</note>
-
-<note>
- You may encounter this message from portage: "!!! SELinux module not found.
- Please verify that it was installed." This is normal, and will be fixed
- later in the conversion process.
-</note>
-</body>
-</subsection>
-</section>
-
-<section><title>Update Kernel Headers</title>
-<subsection><body>
-<p>
- We will start by updating essential packages. First check which version
- of linux-headers is installed.
-</p>
-
-<pre caption="Check linux-headers version">
-# <i>emerge -s linux-headers</i>
-<comment>or if you have gentoolkit installed:</comment>
-# <i>equery list -i linux-headers</i>
-</pre>
-
-<p>
- If the linux-headers version is older than 2.4.20, newer headers must be merged.
-</p>
-
-<pre caption="Merge newer headers">
-# <i>emerge \>=sys-kernel/linux-headers-2.4.20</i>
-</pre>
-</body>
-</subsection>
-</section>
-
-<section><title>Update Glibc</title>
-<subsection><body>
-<p>
- If you have merged new headers, or you are unsure if your glibc was
- compiled with newer headers, you must recompile glibc.
-</p>
-
-<pre caption="Recompile glibc">
-# <i>emerge glibc</i>
-</pre>
-
-<impo>
- This is a critical operation. Glibc must be compiled with newer linux-headers,
- otherwise some operations will malfunction.
-</impo>
-</body></subsection>
-</section>
-</sections>
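Review bot: the diffstat lists only the twelve deleted files under xml/selinux/; make sure whatever top-level handbook file includes these sections, and any remaining links to hb-selinux-conv-profile.xml and its siblings, were updated too, otherwise the docs build breaks. This file also carries the "SELinux is only supported on ext2/3, XFS, JFS, and Btrfs" warning; confirm the current install chapter still states the supported filesystems.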
diff --git a/xml/selinux/hb-selinux-conv-reboot1.xml b/xml/selinux/hb-selinux-conv-reboot1.xml
deleted file mode 100644
index bfc8692..0000000
--- a/xml/selinux/hb-selinux-conv-reboot1.xml
+++ /dev/null
@@ -1,193 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v 1.11 2010/10/06 15:11:15 pebenito Exp $ -->
-
-<sections>
-<version>2.2</version>
-<date>2010-11-27</date>
-
-<section><title>Merge a SELinux Kernel</title>
-<subsection><body>
-<p>Merge an appropriate kernel. A 2.6 kernel is required. The
- suggested kernel is hardened-sources.
-</p>
-
-<note>2.6.28-r9 is the current hardened release version at the time of this writing,
- and all instructions in this document assume at least this version.</note>
-
-<warn>Kernels 2.6.14 and 2.6.15 should not be used by XFS users as they
- have bugs in the SELinux XFS support.</warn>
-
-<pre caption="Merge an appropriate kernel">
-<comment>Any 2.6 kernel</comment>
-# <i>emerge hardened-sources</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Compile the Kernel with SELinux Options</title>
-<subsection><body>
-<p>The kernel must be compiled with security module support, SELinux support,
-devpts, and extended attribute security labels. Refer to the main installation
-guide for futher kernel options.</p>
-
-<note>
-The available options may vary slightly depending on the kernel version
-being used. In particular, Btrfs first became available with the 2.6.29
-kernel, and the /dev/pts and tmpfs Extended Attributs and Security Labels
-options were obsoleted in kernel 2.6.13 (they are now enabled by default).
-"Default Linux Capabilies" under "Security options" was obsoleted in the
-2.6.26 kernel (it is now enabled by default).
-
-XFS always enables security labeling, so there is no additional option
-to set for this file system
-
-Ext4 should work, but is NOT well tested at the time of this writing!
-
-Any extended attribute options not specifically enabled below should be turned
-off.
-</note>
-
-<pre caption="Location and required options under menuconfig">
-<comment>Under "General setup"</comment>
-[*] Prompt for development and/or incomplete code/drivers
-[*] Auditing support
-[*] Enable system-call auditing support
-
-<comment>Under "File systems"</comment>
-<*> Second extended fs support <comment>(If using ext2)</comment>
-[*] Ext2 extended attributes
-[ ] Ext2 POSIX Access Control Lists
-[*] Ext2 Security Labels
-[ ] Ext2 Execute in place support
-<*> Ext3 journalling file system support <comment>(If using ext3)</comment>
-[*] Ext3 extended attributes
-[ ] Ext3 POSIX Access Control Lists
-[*] Ext3 Security labels
-<*> The Extended 4 (ext4) filesystem <comment>(If using ext4)</comment>
-[ ] Enable ext4dev compatibility
-[*] Ext4 extended attrributes
-[ ] Ext4 POSIX Access Control Lists
-[*] Ext4 Security Labels
-<*> JFS filesystem support <comment>(If using JFS)</comment>
-[ ] JFS POSIX Access Control Lists
-[*] JFS Security Labels
-[ ] JFS debugging
-[ ] JFS statistics
-<*> XFS filesystem support <comment>(If using XFS)</comment>
-[ ] XFS Quota support
-[ ] XFS POSIX ACL support
-[ ] XFS Realtime subvolume support (EXPERIMENTAL)
-[ ] XFS Debugging Support
-<*> Btrfs filesystem (EXPERIMENTAL) Unstable disk format <comment>(if
-using Btrfs)</comment>
-[ ] Btrfs POSIX Access Control Lists (NEW)
-<comment>Under "Pseudo filesystems (via "File systems")</comment>
-[ ] /dev file system support (EXPERIMENTAL)
-[*] /dev/pts Extended Attributes
-[*] /dev/pts Security Labels
-[*] Virtual memory file system support (former shm fs)
-[*] tmpfs Extended Attributes
-[*] tmpfs Security Labels
-
-<comment>Under "Security options"</comment>
-[*] Enable different security models
-[*] Socket and Networking Security Hooks
-<*> Default Linux Capabilities
-[*] NSA SELinux Support
-[ ] NSA SELinux boot parameter
-[ ] NSA SELinux runtime disable
-[*] NSA SELinux Development Support
-[ ] NSA SELinux AVC Statistics
-(1) NSA SELinux checkreqprot default value
-[ ] NSA SELinux enable new secmark network controls by default
-[ ] NSA SELinux maximum supported policy format version
- Default security module (SELinux) --->
-</pre>
-
-<p>
- The extended attribute security labels must be turned on for devpts and
- your filesystem(s). Devfs is not usable in SELinux, and should be
- turned off. Not all options exist on older 2.6 kernels,
- such as Auditing support, and runtime disable. In newer kernels,
- the extended attributes support for proc and the virtual memory fs (tmpfs)
- are enabled by default; thus, no options will appear in menuconfig.
-</p>
-
-<note>It is recommended to configure PaX if you are using harded-sources (also
-recommended). More information about Pax can be found in the <uri link="/proj/en/hardened/pax-quickstart.xml">Hardened Gentoo
-PaX Quickstart Guide</uri>.
-</note>
-
-<warn>
- Do not enable the SELinux MLS policy option if its available, as it is
- not supported, and will cause your machine to not start.
-</warn>
-
-<p>
- Now compile and install the kernel and modules, but do not reboot.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Update fstab</title>
-<subsection><body>
-<p>
- SElinuxfs must also be enabled to mount at boot.
- Add this to /etc/fstab:
-</p>
-<pre caption="Fstab settings for selinuxfs">
-none /selinux selinuxfs defaults 0 0
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Configure Baselayout</title>
-<subsection><body>
-<p>
-SELinux does not support devfs. You must configure baselayout to
-use either static device nodes or udev. If using udev, the
-device tarball must be disabled. Edit the /etc/conf.d/rc file.
-Set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no.
-If you have several custom device nodes, static is suggested,
-otherwise udev is suggested (udev is the default at the time of this writing).
-For more information on udev, consult the <uri link="/doc/en/udev-guide.xml">Gentoo UDEV Guide</uri>.
-</p>
-<pre caption="Init script configuration">
-# Use this variable to control the /dev management behavior.
-# auto - let the scripts figure out what's best at boot
-# devfs - use devfs (requires sys-fs/devfsd)
-# udev - use udev (requires sys-fs/udev)
-# static - let the user manage /dev
-
-RC_DEVICES="<comment>udev</comment>"
-
-# UDEV OPTION:
-# Set to "yes" if you want to save /dev to a tarball on shutdown
-# and restore it on startup. This is useful if you have a lot of
-# custom device nodes that udev does not handle/know about.
-
-RC_DEVICE_TARBALL="<comment>no</comment>"
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Reboot</title>
-<subsection><body>
-<p>
- We need to make some directories before we reboot.
-</p>
-<pre caption="Making Required Directories">
-# <i>mkdir /selinux</i>
-# <i>mkdir /sys</i>
-</pre>
-<p>
- Now reboot.
-</p>
-</body></subsection>
-</section>
-</sections>
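Review bot: before dropping this file, verify the surviving "Installing a SELinux Kernel" subsection in hb-using-install.xml still carries the non-obvious caveats in here: the warning not to enable the MLS policy option, the note that devfs is unusable and must be off, the `none /selinux selinuxfs defaults 0 0` fstab line and the `mkdir /selinux` step.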
diff --git a/xml/selinux/hb-selinux-conv-reboot2.xml b/xml/selinux/hb-selinux-conv-reboot2.xml
deleted file mode 100644
index 95383da..0000000
--- a/xml/selinux/hb-selinux-conv-reboot2.xml
+++ /dev/null
@@ -1,213 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v 1.11 2010/06/25 16:07:19 pebenito Exp $ -->
-
-<sections>
-<version>2.3</version>
-<date>2010-11-27</date>
-
-<section><title>Merge SELinux Packages</title>
-<subsection>
-<body>
-<p>Merge the libraries, utilities and base-policy. The policy version may need
- be adjusted, refer to the SELinux Overview
- for more information on policy versions. Then load the policy.</p>
-
-<pre caption="Merge base SELinux packages and policy">
-# <i>emerge -1 checkpolicy policycoreutils</i>
-# <i>FEATURES=-selinux emerge -1 selinux-base-policy</i>
-</pre>
-<note>
-The "FEATURES=-selinux" part of the emerge command should only be used on the above command.
-It is required to merge selinux-base-policy (only for the first time) as the portage SELinux features require both policycoreutils and selinux-base-policy otherwise portage will fail.
-</note>
-</body></subsection>
-</section>
-
-<section><title>Choose the policy type</title>
-<body>
-<p>
-New in 2006.1, users now have the choice between the strict policy and the
-targeted policy.
-</p>
-<p>
-In the strict policy, all processes are confined.
-If you are familiar with pre 2006.1 Gentoo SELinux policy, that policy was a strict policy.
-Strict policy is suggested for servers.
-Gentoo does not support the strict policy on desktops.
-</p>
-<p>
-The targeted policy differs with strict, as only network-facing services are
-confined and local users are unconfined. Gentoo only supports desktops with
-the targeted policy. This policy can also be used on servers.
-</p>
-<p>
-Edit the /etc/selinux/config file to set the policy type.
-</p>
-<pre caption="/etc/selinux/config contents">
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=permissive <comment>(This should be set permissive for the remainder of the install)</comment>
-
-# SELINUXTYPE can take one of these two values:
-# targeted - Only targeted network daemons are protected.
-# strict - Full SELinux protection.
-SELINUXTYPE=strict <comment>(Set this as strict or targeted)</comment>
-</pre>
-</body>
-</section>
-
-<section><title>Merge SELinux-patched packages</title>
-<subsection><body>
-<p>
- There are several system packages that have SELinux patches. These patches
- provide a variety of additional SELinux functionality, such as displaying
- file contexts.
-</p>
-<pre caption="Remerge Packages">
-# <i>emerge -1 sysvinit pam coreutils findutils openssh procps psmisc shadow util-linux python-selinux</i>
-</pre>
-<note>
- If you find that you can't use portage due to a errors like these:
- !!! 'module' object has no attribute 'secure_rename' or
- AttributeError: 'module' object has no attribute 'getcontext', this is
- a portage bug, where it can't handle a missing python-selinux. Merge it
- with "FEATURES=-selinux emerge python-selinux" to fix the problem. See
- bug <uri link="http://bugs.gentoo.org/show_bug.cgi?id=122517">#122517</uri>
- for more information.
-</note>
-<p>There are other packages that have SELinux patches, but are optional. These
-should be remerged if they are already installed, so the SELinux patches are
-applied:</p>
-<ul>
-<li>app-admin/logrotate</li>
-<li>sys-apps/fcron</li>
-<li>sys-apps/vixie-cron</li>
-<li>sys-fs/device-mapper</li>
-<li>sys-fs/udev</li>
-<li>sys-libs/pwdb</li>
-</ul>
-<note>
- Fcron and Vixie-cron are the only crons with SELinux support.
-</note>
-<note>The above packages are NOT an exhaustive list; they are only the most
-common ones. In general, any package installed on the system which has the
-selinux USE flag should be remerged. To see which packages may need to be
-merged, you can:
-emerge -upDN world
-
-Since changing to the selinux profile has changed your USE flags, the above
-will get everything that is listening to the selinux USE flag. It will
-probably also get some other stuff as well. To actually remerge everything,
-simply remove the 'p', or manually specify the packages you want to remerge.
-</note>
-</body></subsection>
-</section>
-
-<section><title>Merge Application Policies</title>
-<subsection><body>
-<p>
- In future, when merging a package, the policy will be set as a dependency so
- that it is merged first; however, since the system is being converted, policy
- for currently installed packages must be merged. The selinux-base-policy
- already covers most packages in the system profile.
-</p>
-<p>
- Look in the <c>/usr/portage/sec-policy</c>, it has several entries, each which
- represent a policy. The naming scheme is selinux-PKGNAME, where PKGNAME is
- the name of the package that the policy is associated. For example, the
- selinux-apache package is the SELinux policy package for net-www/apache.
- Merge each of the needed policy packages and then load the policy.
- If you are converting a desktop, make sure to include the selinux-desktop policy package.
-</p>
-<pre caption="Example Merge of Apache and BIND policies">
-# <i>ls /usr/portage/sec-policy</i>
-<comment>(many directories listed)</comment>
-
-# <i>emerge -1 selinux-apache selinux-bind</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Label Filesystems</title>
-<subsection><body>
-<p>
- Before you can relabel the rest of the filesystems, you need to first relabel
- /dev. Strictly speaking, this is only necessary if you aren't using a static
- /dev. However, as the vast majority of current and new systems are going to
- be built with udev, this probably means you are using udev as well. There
- are a lot of different ways to get at this problem, but the steps below are
- easy to do and work.
-</p>
- <pre caption="Relabel /dev">
-<i># mkdir /mnt/gentoo
-# mount -o bind / /mnt/gentoo
-# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev
-# umount /mnt/gentoo
-</i>
- </pre>
- <note>Remember to select one of {strict,targeted} above based on your
- enforcement mode.</note>
-<p>
- Now label the filesystems. This gives each of the files in the filesystems
- a security label. Keeping these labels consistent is important.
-</p>
-<pre caption="Label filesystems">
-# <i>rlpkg -a -r</i>
-</pre>
-<warn>
- There is a known issue with older versions of GRUB
- not being able to read symlinks that have been labeled.
- Please make sure you have at least GRUB 0.94 installed.
- Also rerun GRUB and reinstall it into the MBR to ensure
- the updated code is in use.
- You do have a LiveCD handy, right?
-</warn>
-<pre caption="Reinstall GRUB on the MBR (GRUB users only)">
-# <i>grub</i>
-
-grub> root (hd0,0) <comment>(Your boot partition)</comment>
-grub> setup (hd0) <comment>(Where the boot record is installed; here, it is the MBR)</comment>
-</pre>
-<p>
- If you've installed Gentoo using the hardened sources, then you'll need to
- tell SELinux that you are using the hardened tool-chain with ssp. You do
- this by setting an SELinux global boolean
-</p>
-<pre caption="SELinux global_ssp">
-<i>setsebool -P global_ssp on</i>
-</pre>
-<note>Make sure you use the -P flag, or the setting won't survive the reboot,
-and you'll likely see a lot of errors relating to /dev/null and /dev/random
-</note>
-</body></subsection>
-</section>
-
-<section><title>Final reboot</title>
-<subsection><body>
-<p>Reboot. Log in, then relabel again to ensure all files
-are labeled correctly (some files may have been created during shutdown and
-reboot)</p>
-<pre caption="Relabel">
-# <i>rlpkg -a -r</i>
-</pre>
-<note>
- It is strongly suggested to <uri link="/main/en/lists.xml">subscribe</uri>
- to the gentoo-hardened mail list. It is generally a low traffic list, and
- SELinux announcements are made there.
-</note>
-<p>
- SELinux is now installed!
-</p>
-</body></subsection>
-</section>
-
-</sections>
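Review bot: the removed procedure contains steps that are not tied to the hardened-development overlay, so the commit message's rationale (hardened-dev moved into Portage) does not cover dropping them: the bind-mount relabel of /dev with `setfiles -r /mnt/gentoo ... /mnt/gentoo/dev`, `rlpkg -a -r` before and after the final reboot, the GRUB 0.94 symlink-label warning, and `setsebool -P global_ssp on` for hardened-toolchain systems together with the note that without `-P` the boolean does not survive a reboot. Please either confirm the replacement install chapter still walks through these, or state in the commit message that they are dropped intentionally and why. Minor, only relevant if any of this text is carried over: `/etc/selinux/{strict,targeted}/contexts/files/file_contexts` is written as a brace list inside a command line, which a shell would expand into two arguments; the note says to pick one, but spelling out a single path per mode would be less error prone.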
diff --git a/xml/selinux/hb-selinux-faq.xml b/xml/selinux/hb-selinux-faq.xml
deleted file mode 100644
index dc35969..0000000
--- a/xml/selinux/hb-selinux-faq.xml
+++ /dev/null
@@ -1,154 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-faq.xml,v 1.4 2006/09/07 10:37:46 neysx Exp $ -->
-
-<sections>
-<version>1.3</version>
-<date>2006-05-01</date>
-
-<section><title>SELinux features</title>
-<subsection><title>Does SELinux enforce resource limits?</title>
-<body>
-<p>
- No, resource limits are outside the scope of an access control system. If you
- are looking for this type of support, GRSecurity and RSBAC are better choices.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux and other hardened projects</title>
-<subsection><title>Can I use SELinux and GRSecurity (and PaX)?</title>
-<body>
-<p>
- Yes, SELinux can be used with GRSecurity and/or PaX with no problems; however,
- it is suggested that GRACL should not be used, since it would be redundant
- to SELinux's access control.
-</p>
-</body></subsection>
-<subsection><title>Can I use SELinux and the hardened compiler (PIE-SSP)?</title>
-<body>
-<p>
- Yes. It is also suggested that PaX be used to take full advantage
- of the PIE features of the compiler.
-</p>
-</body></subsection>
-<subsection><title>Can I use SELinux and RSBAC?</title>
-<body>
-<p>
- Unknown. Please report your results if you try this combination.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux and filesystems</title>
-<subsection><title>Can I use SELinux with my primary filesystems?</title>
-<body>
-<p>
- SELinux can be used with ext2, ext3, JFS, and XFS. Reiserfs (Reiser3) has
- extended attributes, but the support was never complete, and has been broken
- since 2.6.14. Reiser4 is not supported.
-</p>
-</body></subsection>
-<subsection><title>Can I use SELinux with my ancillary filesystems?</title>
-<body>
-<p>
- Yes, SELinux can mount ancillary filesystems, such as vfat and iso9660
- filesystems, with an important caveat. All files in each filesystem will
- have the same SELinux type, since the filesystems do not support extended
- attributes. Tmpfs is the only ancillary filesystem with complete extended
- attribute support, which allows it to behave like a primary filesystem.
-</p>
-</body></subsection>
-<subsection><title>Can I use SELinux with my network filesystems?</title>
-<body>
-<p>
- Yes, SELinux can mount network filesystems, such as NFS and CIFS
- filesystems, with an important caveat. All files in each filesystem will
- have the same SELinux type, since the filesystems do not support extended
- attributes. In the future, hopefully network filesystems will begin to
- support extended attributes, then they will work like a primary filesystem.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Portage error messages</title>
-<subsection><title>I get a missing SELinux module error when using emerge:</title>
-<body>
-<pre caption="Portage message">
-!!! SELinux module not found. Please verify that it was installed.
-</pre>
-<p>
- This indicates that the portage SELinux module is missing or damaged.
- Also python may have been upgraded to a new version which requires
- python-selinux to be recompiled. Remerge dev-python/python-selinux.
- If packages have been merged under this condition, they must be relabed
- after fixing this condition. If the packages needing to be remerged cannot
- be determined, a full relabel may be required.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux kernel error messages</title>
-<subsection><title>I get a register_security error message when booting:</title>
-<body>
-<pre caption="Kernel message">
-There is already a security framework initialized, register_security failed.
-Failure registering capabilities with the kernel
-selinux_register_security: Registering secondary module capability
-Capability LSM initialized
-</pre>
-<p>
- This means that the Capability LSM module couldn't register as the primary
- module, since SELinux is the primary module. The third message means that it
- registers with SELinux as a secondary module. This is normal.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Setfiles error messages</title>
-<subsection><title>When I try to relabel, it fails with invalid contexts:</title><body>
-<pre caption="Invalid contexts example">
-# make relabel
-/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
-/usr/sbin/setfiles: read 559 specifications
-/usr/sbin/setfiles: invalid context system_u:object_r:default_t on line number 39
-/usr/sbin/setfiles: invalid context system_u:object_r:urandom_device_t on line number 120
-/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 377
-/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 378
-/usr/sbin/setfiles: invalid context system_u:object_r:krb5_conf_t on line number 445
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 478
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 479
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 492
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 493
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 494
-Exiting after 10 errors.
-make: *** [relabel] Error 1
-</pre>
-<p>
- First ensure that /selinux is mounted. If selinuxfs is not mounted, setfiles
- cannot validate any contexts, causing it to believe all contexts are
- invalid. If /selinux is mounted, then most likely there is new policy that
- has not yet been loaded; therefore, the contexts have not yet become valid.
-</p>
-</body></subsection>
-</section>
-
-
-<!-- always keep this one as the bottom FAQ :) -->
-<!-- comment out since the demo machine is down for an indefinite period of time
-<section><title>Gentoo SELinux Demonstration Machine</title>
-<subsection><body>
-<p>
- This machine is not running user-mode linux, or in a chroot, it has SELinux
- mandatory access control. No, you cannot install psybnc or an irc bot on the
- machine, unless you break the SELinux security and gain higher priviledge.
-</p>
-</body></subsection>
-</section>
--->
-<!-- dont put anything below here, this demo machine faq should be the last one -->
-</sections>
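Review bot: this hunk deletes hb-selinux-faq.xml outright, but the commit message only says the docs are updated to reflect the move of hardened-dev into Portage; a whole-file removal should be stated there, with a pointer to where the content went if it was rewritten elsewhere. Two FAQ entries are generic troubleshooting rather than overlay-specific and are worth carrying over: the setfiles "invalid context" explanation (selinuxfs not mounted, or new policy not yet loaded, so contexts cannot be validated) and the note that the `register_security failed` kernel messages are normal when the Capability LSM registers as a secondary module behind SELinux. The filesystem notes (Reiser3 "broken since 2.6.14", Reiser4 unsupported) and the 2006-05-01 date are clearly stale, so trimming rather than deleting seems the better fit.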
diff --git a/xml/selinux/hb-selinux-howto.xml b/xml/selinux/hb-selinux-howto.xml
deleted file mode 100644
index b8f7db0..0000000
--- a/xml/selinux/hb-selinux-howto.xml
+++ /dev/null
@@ -1,250 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-howto.xml,v 1.6 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>2.0</version>
-<date>2006-10-14</date>
-
-<section><title>Load policy into a running SELinux kernel</title>
-<subsection><body>
-<p>
- This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="Semodule command">
-# <i>semodule -B</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Change roles</title>
-<subsection><body>
-<p>
- This requires your user have access to the target role. This example
- is for changing to the <c>sysadm_r</c> role.
-</p>
-<pre caption="Newrole">
-# <i>newrole -r sysadm_r</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Specify available roles for a user</title>
-<subsection><body>
-<p>
- There is a mapping of linux users to SELinux identities. The policy has
- generic SELinux users for relevant configurations of roles. For example, to
- map the user <c>pebenito</c> to the SELinux identity <c>staff_u</c>, run:
-</p>
-<pre caption="Map pebenito to staff_u">
-# <i>semanage login -a -s staff_u pebenito</i>
-</pre>
-<p>
- The policy does not need to be reloaded. If the user is logged in, it
- must log out and log in again to take effect.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Relabel filesystems</title>
-<subsection><body>
-<p>
- This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="Relabel">
-# <i>rlpkg -a</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Relabel an individual package</title>
-<subsection><body>
-<p>
- In addition to relabeling entire filesystems, individual portage packages
- can be relabeled. This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="rlpkg example">
-# <i>rlpkg shadow sash</i>
-</pre>
-<p>
- The script rlpkg is used, and any number of packages can be specified
- on the command line.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Scan for libraries with text relocations</title>
-<subsection><body>
-<p>
- SELinux has improved memory protections. One feature supported is
- the permission for ELF text relocations. The libraries with text relocations
- have a special label, and the <c>rlpkg</c> tool has an option to scan for
- these libraries.
-</p>
-<pre caption="TEXTREL Scan">
-# <i>rlpkg -t</i>
-</pre>
-<p>
- This will also be done by automatically after a full relabel.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Start daemons in the correct domain</title>
-<subsection><body>
-<p>
- Controlling daemons that have init scripts in /etc/init.d is slightly
- different in SELinux. The <c>run_init</c> command must be used to run
- the scripts, to ensure they are ran in the correct domain. The command
- can be ran normally, except the command is prefixed with <c>run_init</c>.
- This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="run_init examples">
-# <i>run_init /etc/init.d/ntpd start</i>
-# <i>run_init /etc/init.d/apache2 restart</i>
-# <i>run_init /etc/init.d/named stop</i>
-</pre>
-</body></subsection>
-<subsection><title>Gentoo run_init integration</title><body>
-<p>
- <c>run_init</c> has been integrated into Gentoo's init script system. With
- SELinux installed, services can be started and stopped as usual, but will
- now authenticate the user.
-</p>
-<pre caption="Integrated run_init example">
-# <i>/etc/init.d/sshd restart</i>
-Authenticating root.
-Password:
- * Stopping sshd... [ ok ]
- * Starting sshd... [ ok ]
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Switch between enforcing and permissive modes</title>
-<subsection><body>
-<p>
- Switching between modes in SELinux is very simple. Write a 1 for
- enforcing, or 0 for permissive to /selinux/enforce to set the mode.
- The current mode can be queried by reading /selinux/enforce; 0 means
- permissive mode, and 1 means enforcing mode. If the kernel option
- "NSA SELinux Development Support" is turned off, the system will always
- be in enforcing mode, and cannot be switched to permissive mode.
-</p>
-<pre caption="">
-<comment>Query current mode</comment>
-# <i>cat /selinux/enforce</i>
-<comment>Switch to enforcing mode</comment>
-# <i>echo 1 > /selinux/enforce</i>
-<comment>Switch to permissive mode</comment>
-# <i>echo 0 > /selinux/enforce</i>
-</pre>
-<p>
- A machine with development support turned on can be started in enforcing
- mode by adding <c>enforcing=1</c> to the kernel command line, in the
- bootloader (GRUB, lilo, etc).
-</p>
-</body></subsection>
-
-<subsection><title>Managed policy</title><body>
-<p>
- In addition to the above kernel options, the mode at boot can be
- set by the <c>/etc/selinux/config</c> file.
-</p>
-<pre caption="/etc/selinux/config">
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=<comment>permissive</comment>
-</pre>
-<p>
- The setting in this file will be overridden by the kernel command line
- options described above.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Understand sestatus output</title>
-<subsection><body>
-<p>
- The <c>sestatus</c> tool can be used to determine detailed SELinux-specific
- status information about the system. The <c>-v</c> option provides extra
- detail about the context of processes and files. The output will be
- divided into four sections. Sestatus only provides complete information
- for a user logged in as root (or su/sudo), in the <c>sysadm_r</c> role.
-</p>
-<pre caption="Status example">
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: enforcing
-Policy version: 18
-</pre>
-<p>
- The main status information is provided in the first section. The first
- line shows if SELinux kernel functions exists and are enabled. If the
- status is disabled, either the kernel does not have SELinux support, or
- the policy is not loaded. The second line shows the mount point for
- the SELinux filesystem. During the normal use, the filesystem should be
- mounted at the default location of <c>/selinux</c>. The third line
- shows the current SELinux mode, either enforcing or permissive. The fourth
- line shows the policy database version supported by the currently running
- kernel.
-</p>
-<pre caption="Booleans example">
-Policy booleans:
-secure_mode inactive
-ssh_sysadm_login inactive
-user_ping inactive
-</pre>
-<p>
- The second section displays the status of the conditional policy booleans. The
- left column is the name of boolean. The right column is the status of the
- boolean, either active, or inactive. This section will not be shown on
- policy version 15 kernels, as they do not support conditional policy.
-</p>
-<pre caption="Process context example">
-Process contexts:
-Current context: pebenito:sysadm_r:sysadm_t
-Init context: system_u:system_r:init_t
-/sbin/agetty system_u:system_r:getty_t
-/usr/sbin/sshd system_u:system_r:sshd_t
-</pre>
-<p>
- The third section displays the context of the current process, and of several
- key processes. If a process is running in the incorrect context, it will not
- function correctly.
-</p>
-<pre caption="File context example">
-File contexts:
-Controlling term: pebenito:object_r:sysadm_devpts_t
-/sbin/init system_u:object_r:init_exec_t
-/sbin/agetty system_u:object_r:getty_exec_t
-/bin/login system_u:object_r:login_exec_t
-/sbin/rc system_u:object_r:initrc_exec_t
-/sbin/runscript.sh system_u:object_r:initrc_exec_t
-/usr/sbin/sshd system_u:object_r:sshd_exec_t
-/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
-/etc/passwd system_u:object_r:etc_t
-/etc/shadow system_u:object_r:shadow_t
-/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
-/bin/bash system_u:object_r:shell_exec_t
-/bin/sash system_u:object_r:shell_exec_t
-/usr/bin/newrole system_u:object_r:newrole_exec_t
-/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
-/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:shlib_t
-</pre>
-<p>
- The fourth section displays the context of the current process's controlling
- terminal, and of several key files. For symbolic links, the context of
- the link and then the context of the link target is displayed. If a file has
- an incorrect context, the file may be inaccessable or have incorrect
- permissions for a particular process.
-</p>
-</body></subsection>
-</section>
-</sections>
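Review bot: no replacement for the howto's operational content is visible in this patch, and the deleted chapter is the only place that documents day-to-day tasks: `newrole -r sysadm_r`, `semanage login -a -s staff_u pebenito`, starting services in the correct domain with `run_init /etc/init.d/ntpd start` (and the integrated, authenticating init scripts), switching modes through `/selinux/enforce`, `enforcing=1` on the kernel command line, the `SELINUX=` setting in `/etc/selinux/config`, and a section-by-section reading of `sestatus -v`. If these were moved into another chapter, name the destination file in the commit message so coverage can be checked; git reports this as a plain deletion, not a rename.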
diff --git a/xml/selinux/hb-selinux-initpol.xml b/xml/selinux/hb-selinux-initpol.xml
deleted file mode 100644
index b13a0de..0000000
--- a/xml/selinux/hb-selinux-initpol.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-initpol.xml,v 1.6 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>1.3</version>
-<date>2004-11-16</date>
-
-<section><title>Verify Available Policy</title>
-<subsection><body>
-<p>
- You must be in <c>sysadm_r</c> to perform this action.
-</p>
-<p>
- A binary policy must be available in
- /etc/selinux/{strict,targeted}/policy. If it is missing, then install
- the policy.
-</p>
-<pre caption="Install policy">
-# <i>semodule -n -B</i>
-</pre>
-</body>
-</subsection>
-</section>
-
-<section><title>Verify Init Can Load the Policy</title>
-<subsection><body>
-<p>
- The final check is to ensure init can load the policy. Run <c>ldd</c> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<pre caption="">
-# <i>ldd /sbin/init</i>
- linux-gate.so.1 => (0xffffe000)
- <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</body></subsection>
-</section>
-</sections>
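Review bot: the `ldd /sbin/init` check for `libselinux.so.1`, with the instruction to remerge sysvinit if it is missing, is a cheap way to verify that init can load the policy before the first boot, and it does not depend on the overlay. Consider keeping that check in the install chapter even if the rest of this 2004-dated chapter is retired; the `semodule -n -B` step that builds the binary policy without loading it is likewise still relevant.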
diff --git a/xml/selinux/hb-selinux-libsemanage.xml b/xml/selinux/hb-selinux-libsemanage.xml
deleted file mode 100644
index a441f29..0000000
--- a/xml/selinux/hb-selinux-libsemanage.xml
+++ /dev/null
@@ -1,246 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-libsemanage.xml,v 1.1 2006/10/15 20:32:39 pebenito Exp $ -->
-
-<sections>
-<version>1.0</version>
-<date>2006-10-15</date>
-
-<section><title>SELinux Management Infrastructure</title>
-<subsection><body>
-<p>
- The SElinux management infrastructure manages several aspects of SELinux
- policy. These management tools are based on the core library libsemanage.
- There are several management programs to to various tasks, including
- <c>semanage</c> and <c>semodule</c>. They allow you to configure aspects
- of the policy without requiring the policy sources.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux Policy Module Management</title>
-<subsection><title>What is a policy module?</title><body>
-<p>
- SELinux supports a modular policy. This means several pieces of policy
- are brought together to form one complete policy to be loaded in the
- kernel. This is a similar structure as the kernel itself and kernel modules.
- There is a main kernel image that is loaded, and various kernel modules can
- be added (assuming their dependencies are met) and removed on a running
- system without restarting. Similarly each policy has a base module and
- zero or more policy modules, all used to create a policy.
- Modules are built by compiling a piece of policy, and creating a policy
- package (*.pp) with that compiled policy, and optionally file contexts.
-</p>
-<p>
- The base module policy package (base.pp) contains the basic requirements of
- the policy. All modular policies must have a base module at minimum.
- In Gentoo we have these plus policies for all parts of the system profile.
- This is contained in the selinux-base-policy ebuild. The other policy ebuilds
- in portage have one or more policy modules.
-</p>
-<p>
- For more information on writing a policy module, in particular for managing
- your local customizations to the policy, please see the
- <uri link="selinux-handbook.xml?part=3&chap=5">policy module guide</uri>.
-</p>
-</body></subsection>
-
-<subsection><title>The SELinux module store</title><body>
-<p>
- When a policy module is inserted or removed, modules are copied into or
- removed from the module store. This repository has a copy of the
- modules that were used to create the current policy, in addition to several
- auxilliary files. This repository is stored in the
- /etc/selinux/{strict,targeted}/modules. You should never need to directly
- access the contents of the module store. A libsemanage-based tool should be
- used instead.
-</p>
-<p>
- Libsemanage handles the module store transactionally. This means that if
- a set of operations (a transaction) is performed on the store and one part
- fails, the entire transaction is aborted. This keeps the store in a
- consistent state.
-</p>
-<p>
- Managing the module store is accomplished with the <c>semodule</c> command.
- Listing the contents of the module store is done with the <c>-l</c> option.
-</p>
-<pre caption="">
-# semodule -l
-distcc 1.1.1
-</pre>
-<p>
- Since the base module is required in all cases, and is not versioned, it will
- not be shown in the list. All other modules will be listed, along with their
- versions.
-</p>
-</body></subsection>
-
-<subsection><title>Inserting a policy module</title><body>
-<p>
- The module should be referenced by its file name.
-</p>
-<pre caption="">
-# <i>semodule -i module.pp</i>
-</pre>
-<p>
- This will insert the module into module store for the currently configured
- policy as specified in /etc/selinux/config. If the insert succeeds, the
- policy will be loaded, unless the <c>-n</c> option is used. To insert the
- module into an alternate module store, the <c>-s</c> option.
-</p>
-<pre caption="">
-# <i>semodule -s targeted -i module.pp</i>
-</pre>
-<p>
- Since this refers to an alternate module store, the policy will not be loaded.
-</p>
-</body></subsection>
-
-<subsection><title>Removing a policy module</title><body>
-<p>
- The module is referenced by its name in the module store.
-</p>
-<pre caption="">
-# <i>semodule -r module</i>
-</pre>
-<p>
- This will remove the module into module store for the currently configured
- policy as specified in /etc/selinux/config. If the remove succeeds, the
- policy will be loaded, unless the <c>-n</c> option is used. The remove
- command also respects the <c>-s</c> option.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Configuring User Login Mappings</title>
-<subsection><body>
-<p>
- The current method of assigning sets of roles to a user is by setting
- up a mapping between linux users and SELinux identities. When a user
- logs in, the login program will set the SELinux identity based on the
- this map. If there is no explicit map, the <c>__default__</c> map is
- used.
-</p>
-<p>
- Managing the SELinux user login map is accomplished with the <c>semanage</c>
- tool.
-</p>
-<pre caption="SELinux login user map">
-# <i>semanage login -l</i>
-Login Name SELinux User
-
-__default__ user_u
-root root
-</pre>
-</body></subsection>
-
-<subsection><title>Add a user login mapping</title><body>
-<p>
- To map the linux user <c>pebenito</c> to the SELinux identity <c>staff_u</c>:
-</p>
-<pre caption="">
-# <i>semanage login -a -s staff_u pebenito</i>
-</pre>
-<p>
- For descriptions on the available SELinux identities, see the
- <uri link="selinux-handbook.xml?part=3&chap=1#doc_chap3">SELinux Overview</uri>.
-</p>
-</body></subsection>
-
-<subsection><title>Remove a user login mapping</title><body>
-<p>
- To remove a login map for the linux user <c>pebenito</c>:
-</p>
-<pre caption="">
-# <i>semanage login -d pebenito</i>
-</pre>
-<note>
- User login maps specified by the policy (not by the management infrastructure)
- cannot be removed.
-</note>
-</body></subsection>
-</section>
-
-<section><title>Configuring Initial Boolean States</title>
-<subsection><body>
-<p>
- The <c>setsebool</c> program is now a libsemanage tool. This tool's basic
- function is to set the state of a Boolean. However, if the machine is
- restarted, the Booelans will be set using the initial state as specified in
- the policy. To set the Boolean state, and make that the new initial state
- in the policy, the <c>-P</c> option of <c>setsebool</c> is used.
-</p>
-<pre caption="Set Boolean default state">
-# <i>setsebool -P fcron_crond 1</i>
-</pre>
-<p>
- This will set the fcron_crond Boolean to true and also make the initial state
- for the Boolean true.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Configuring SELinux Identities</title>
-<subsection><body>
-<p>
- Generally SELinux identities need not be added to the policy, as user
- login mappings are sufficient. However, one reason to add them is for
- improved auditing, since the SELinux identity is part of the scontext of a
- denial message.
-</p>
-<p>
- Managing the SELinux identities is accomplished with the <c>semanage</c> tool.
-</p>
-<pre caption="SELinux identity list">
-# <i>semanage user -l</i>
-SELinux User SELinux Roles
-
-root sysadm_r staff_r
-staff_u sysadm_r staff_r
-sysadm_u sysadm_r
-system_u system_r
-user_u user_r
-</pre>
-</body></subsection>
-
-<subsection><title>Add a SELinux identity</title><body>
-<p>
- In addition to specifying the roles for an identity, a prefix must
- also be specified. This prefix should match a role, for example
- <c>staff</c> or <c>sysadm</c>, and it is used for home directory
- entries. So if <c>staff</c> is used for the prefix, linux users that
- are mapped to this identity will have their home directory labeled
- <c>staff_home_dir_t</c>.
-</p>
-<p>
- To add the <c>test_u</c> identity with the roles <c>staff_r</c> and
- <c>sysadm_r</c> with the prefix <c>staff</c>:
-</p>
-<pre caption="">
-# <i>semanage user -a -R 'staff_r sysadm_r' -P staff test_u</i>
-</pre>
-<note>
- To use the SELinux identity, a user login map still must be added.
-</note>
-</body></subsection>
-
-<subsection><title>Remove a SELinux user identity</title><body>
-<p>
- To remove the test_u SELinux identity:
-</p>
-<pre caption="">
-# <i>semanage user -d test_u</i>
-</pre>
-<note>
- SELinux identities specified by the policy (not by the management
- infrastructure) cannot be removed.
-</note>
-</body></subsection>
-</section>
-
-</sections>
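Review bot: the deleted chapter documents the libsemanage workflow (`semodule -l`, `-i`, `-r`, the `-s` and `-n` options, `semanage login`, `semanage user -a -R ... -P`, `setsebool -P`) and explains why `-P` is needed for a boolean's initial state to persist across reboots; if it is being replaced, the commit message should say by what. Two defects in the old text should not be carried over if any of it is reused: "This will remove the module into module store" should read "from the module store", and the raw `&` in `selinux-handbook.xml?part=3&chap=5` (and in `...&chap=1#doc_chap3`) is not well-formed inside an XML attribute and should be `&amp;`.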
diff --git a/xml/selinux/hb-selinux-localmod.xml b/xml/selinux/hb-selinux-localmod.xml
deleted file mode 100644
index 8674b9f..0000000
--- a/xml/selinux/hb-selinux-localmod.xml
+++ /dev/null
@@ -1,134 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-localmod.xml,v 1.1 2006/10/15 20:32:39 pebenito Exp $ -->
-
-<sections>
-<version>1.0</version>
-<date>2006-10-15</date>
-
-<section><title>Introduction</title>
-<subsection><body>
-<p>
- This guide discusses how to set up a policy module for local additions
- of rules to the policy.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Preparation</title>
-<subsection><body>
-<p>
- Copy the example Makefile from the selinux-base-policy doc directory to the
- directory that will be used for building the policy. It is suggested that
- /root be used. The places that the <c>semodule</c> tool can read policy
- modules includes sysadm home directories.
-</p>
-<pre caption="">
-# <i>zcat /usr/share/doc/selinux-base-policy-20061008/Makefile.example.gz > /root/Makefile</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Write a TE file</title>
-<subsection><body>
-<p>
- In a policy module, most policy statements are usable in modules.
- There are a few extra statements that must be added for proper operation.
-</p>
-<pre caption="Example local.te">
-policy_module(local,1.0)
-
-require {
- type sysadm_su_t, newrole_t;
-}
-allow sysadm_su_t newrole_t:process sigchld;
-</pre>
-<p>
- In addition to the basic allow rule, it has a couple statements required
- by policy modules. The first is a policy_module() macro that has the
- name of the module, and the module's version. It also has a require
- block. This block specifies all types that are required for this module
- to function. All types used in the module must either be declared in the
- module or required by this module.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Write a FC File (optional)</title>
-<subsection><body>
-<p>
- The file contexts file is optional and has the same syntax as as always.
-</p>
-<pre caption="Example local.fc">
-/opt/myprogs/mybin -- system_u:object_r:bin_t
-</pre>
-<p>
- Types used in the file context file should be required or declared in
- the TE file.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Compile Policy Modules</title>
-<subsection><body>
-<p>
- Simply run <c>make</c> to build all modules in the directory. The module
- will be compiled for the current policy as specified by /etc/selinux/config.
-</p>
-<pre caption="">
-# <i>make</i>
-Compiling strict local module
-/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule: policy configuration loaded
-/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
-Creating strict local.pp policy package
-</pre>
-<p>
- To build the module for a policy other than the configured policy, use the
- <c>NAME=</c> option.
-</p>
-<pre caption="">
-# <i>make NAME=targeted</i>
-Compiling targeted local module
-/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule: policy configuration loaded
-/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
-Creating targeted local.pp policy package
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Load the Modules</title>
-<subsection><body>
-<p>
- The modules can be loaded into the currently configured policy simply
- by using the load target of the Makefile.
-</p>
-<pre caption="">
-# <i>make load</i>
-</pre>
-<p>
- The load target also respects the <c>NAME=</c> option. Alternatively,
- the <c>semodule</c> command can be used to load individual modules.
-</p>
-<pre caption="">
-# <i>semodule -i local.pp</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Building Reference Policy Modules</title>
-<subsection><body>
-<p>
-The new Gentoo policy is based on the <uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri>.
-For more information on building a complete Reference Policy module, see the
-<uri link="http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted">Reference Policy Wiki</uri>.
-</p>
-</body></subsection>
-</section>
-
-</sections>
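Review bot: this deletion removes the only documented workflow for building and loading a local policy module (the policy_module() macro, the require block, the optional .fc file, make NAME=, make load and semodule -i) without a pointer to where that material now lives. The file is clearly stale (it copies a Makefile from /usr/share/doc/selinux-base-policy-20061008 and points at the Tresys refpolicy wiki), so dropping it is reasonable, but please say in the commit which page replaces it, and grep the book for any remaining link to this chapter so the handbook build does not reference a file that no longer exists.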
diff --git a/xml/selinux/hb-selinux-loglocal.xml b/xml/selinux/hb-selinux-loglocal.xml
deleted file mode 100644
index 7cc5506..0000000
--- a/xml/selinux/hb-selinux-loglocal.xml
+++ /dev/null
@@ -1,166 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-loglocal.xml,v 1.7 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>1.4</version>
-<date>2004-11-16</date>
-
-<section><title>Begin Here</title>
-<subsection><body>
-<p>
- You must be in <c>sysadm_r</c> to perform these actions.
-</p>
-<p>
- Run <c>sestatus -v</c>. Click the first context that doesn't match:
-</p>
-<table>
-<tr><th>Process</th><th>Context</th></tr>
-<tr><ti>Init context</ti><ti><uri link="#doc_chap2">system_u:system_r:init_t</uri></ti></tr>
-<tr><ti>/sbin/agetty</ti><ti><uri link="#doc_chap3">system_u:system_r:getty_t</uri></ti></tr>
-<tr><th>File</th><th>Context</th></tr>
-<tr><ti>/bin/login</ti><ti><uri link="#doc_chap4">system_u:object_r:login_exec_t</uri></ti></tr>
-<tr><ti>/sbin/unix_chkpwd</ti><ti><uri link="#doc_chap5">system_u:object_r:chkpwd_exec_t</uri></ti></tr>
-<tr><ti>/etc/passwd</ti><ti><uri link="#doc_chap6">system_u:object_r:etc_t</uri></ti></tr>
-<tr><ti>/etc/shadow</ti><ti><uri link="#doc_chap6">system_u:object_r:shadow_t</uri></ti></tr>
-<tr><ti>/bin/bash</ti><ti><uri link="#doc_chap7">system_u:object_r:shell_exec_t</uri></ti></tr>
-</table>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Init Context</title>
-<subsection><title>Verify Init Label</title>
-<body>
-<p>
- There are several possible reasons why init may have the wrong context.
- First, verify that init is labeled correctly, refer to the sestatus's output
- for /sbin/init. If it is not <c>system_u:object_r:init_exec_t</c>, relabel sysvinit.
-</p>
-<pre caption="Fix init context">
-# <i>rlpkg sysvinit</i>
-</pre>
-</body></subsection>
-<subsection><title>Verify Available Policy</title><body>
-<p>
- You must be in <c>sysadm_r</c> to perform this action.
-</p>
-<p>
- A binary policy must be available in /etc/selinux/{strict,targeted}/policy.
- If it is missing, then install the policy.
-</p>
-<pre caption="Install binary policy">
-# <i>semodule -n -B</i>
-</pre>
-</body>
-</subsection>
-
-<subsection><title>Verify Init Can Load the Policy</title><body>
-<p>
- The final check is to ensure init can load the policy. Run <c>ldd</c> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<pre caption="Check init linking">
-# <i>ldd /sbin/init</i>
- linux-gate.so.1 => (0xffffe000)
- <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect agetty Context</title>
-<subsection><body>
-<p>
- Verify that agetty is labeled correctly. Refer to the sestatus's output
- for /sbin/agetty. If it is not <c>system_u:object_r:getty_exec_t</c>, relabel
- util-linux. Then restart all gettys.
-</p>
-<pre caption="Fix agetty context">
-# <i>rlpkg util-linux</i>
-# <i>killall agetty</i> <comment>(they will respawn)</comment>
-</pre>
-<p>
- All of the agettys should now be in the correct <c>system_u:object_r:getty_exec_t</c>
- context. Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect Login Context</title>
-<subsection><body>
-<p>
- The login program (/bin/login) is not labeled correctly. Relabel shadow.
-</p>
-<pre caption="Relabel shadow">
-# <i>rlpkg shadow</i>
-</pre>
-<p>
- /bin/login should now be <c>system_u:object_r:login_exec_t</c>.
- Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect PAM Context</title>
-<subsection><body>
-<p>
- Sshd must be able to use PAM for authenticating the user. The PAM password
- checking program (/sbin/unix_chkpwd) must be labeled correctly so
- sshd can transition to the password checking context. Relabel PAM.
-</p>
-<pre caption="Fix unix_chkpwd context">
-# <i>rlpkg pam</i>
-</pre>
-<p>
- The password checking program should now be <c>system_u:object_r:chkpwd_exec_t</c>.
- Try loggin in again.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Password File Contexts</title>
-<subsection><body>
-<p>
- The password file (/etc/passwd), and the shadow file (/etc/shadow) must
- be labeled correctly, otherwise PAM will not be able to
- authenticate your user. Relabel the files.
-</p>
-<pre caption="Fix shadow context">
-# <i>restorecon /etc/passwd /etc/shadow</i>
-</pre>
-<p>
- The password and shadow files should now be <c>system_u:object_r:etc_t</c>
- and <c>system_u:object_r:shadow_t</c>, respectively. Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect Bash File Context</title>
-<subsection><body>
-<p>
- Bash must be labeled correctly so the user can transition into the user
- domain when logging in. Relabel bash.
-</p>
-<pre caption="Fix bash context">
-# <i>rlpkg bash</i>
-</pre>
-<p>
- Bash (/bin/bash) should now be <c>system_u:object_r:shell_exec_t</c>.
- Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-</sections>
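Review bot: the file being removed is a self-contained local-login recovery guide (relabel sysvinit/util-linux/shadow/pam/bash with rlpkg, restorecon /etc/passwd /etc/shadow, semodule -n -B, ldd /sbin/init to confirm libselinux is linked) and nothing in this diff adds a replacement. The $Header and date (2004-11-16, version 1.4) show it is old, but the rlpkg/restorecon steps are not obviously obsolete, so either relocate the checklist or note in the commit that it is intentionally dropped. Its table links are all in-page anchors (#doc_chap2 through #doc_chap7), so the only external breakage to check is the handbook table of contents that included this chapter.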
diff --git a/xml/selinux/hb-selinux-logremote.xml b/xml/selinux/hb-selinux-logremote.xml
deleted file mode 100644
index 1a95f7b..0000000
--- a/xml/selinux/hb-selinux-logremote.xml
+++ /dev/null
@@ -1,177 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-logremote.xml,v 1.7 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>1.4</version>
-<date>2004-11-16</date>
-
-<section><title>Begin Here</title>
-<subsection><body>
-<p>
- You must be in <c>sysadm_r</c> to perform these actions.
-</p>
-<p>
- Run <c>sestatus -v</c>. Click the first context that doesn't match:
-</p>
-<table>
-<tr><th>Process</th><th>Context</th></tr>
-<tr><ti>Init context</ti><ti><uri link="#doc_chap2">system_u:system_r:init_t</uri></ti></tr>
-<tr><ti>/usr/sbin/sshd</ti><ti><uri link="#doc_chap3">system_u:system_r:sshd_t</uri></ti></tr>
-<tr><th>File</th><th>Context</th></tr>
-<tr><ti>/sbin/unix_chkpwd</ti><ti><uri link="#doc_chap4">system_u:object_r:chkpwd_exec_t</uri></ti></tr>
-<tr><ti>/etc/passwd</ti><ti><uri link="#doc_chap5">system_u:object_r:etc_t</uri></ti></tr>
-<tr><ti>/etc/shadow</ti><ti><uri link="#doc_chap5">system_u:object_r:shadow_t</uri></ti></tr>
-<tr><ti>/bin/bash</ti><ti><uri link="#doc_chap6">system_u:object_r:shell_exec_t</uri></ti></tr>
-</table>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Init Context</title>
-<subsection><title>Verify Init Label</title>
-<body>
-<p>
- There are several possible reasons why init may have the wrong context.
- First, verify that init is labeled correctly, refer to the sestatus's output
- for /sbin/init. If it is not <c>system_u:object_r:init_exec_t</c>, relabel sysvinit.
-</p>
-<pre caption="">
-# <i>rlpkg sysvinit</i>
-</pre>
-</body></subsection>
-
-<subsection><title>Verify Available Policy</title><body>
-<p>
- You must be in <c>sysadm_r</c> to perform this action.
-</p>
-<p>
- A binary policy must be available in
- /etc/selinux/{strict,targeted}/policy. If it is missing, then install
- the policy.
-</p>
-<pre caption="Install policy">
-# <i>semodule -n -B</i>
-</pre>
-</body>
-</subsection>
-
-<subsection><title>Verify Init Can Load the Policy</title><body>
-<p>
- The final check is to ensure init can load the policy. Run <c>ldd</c> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<pre caption="">
-# <i>ldd /sbin/init</i>
- linux-gate.so.1 => (0xffffe000)
- <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect sshd Context</title>
-<subsection><body>
-<p>
- Another possibility is sshd is not labeled correctly, meaning it is not running
- in the right context. Relabel openssh, then restart sshd.
-</p>
-<pre caption="">
-# <i>rlpkg openssh</i>
-# <i>/etc/init.d/sshd restart</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Incorrect PAM Context</title>
-<subsection><body>
-<p>
- Sshd must be able to use PAM for authenticating the user. The PAM password
- checking program (/sbin/unix_chkpwd) must be labeled correctly so
- sshd can transition to the password checking context. Relabel PAM.
-</p>
-<pre caption="">
-# <i>rlpkg pam</i>
-</pre>
-<p>
- The password checking program should now be <c>system_u:object_r:chkpwd_exec_t</c>.
- Try loggin in again.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Password File Contexts</title>
-<subsection><body>
-<p>
- The password file (/etc/passwd), and the shadow file (/etc/shadow) must
- be labeled correctly, otherwise PAM will not be able to
- authenticate your user. Relabel the files.
-</p>
-<pre caption="">
-# <i>restorecon /etc/passwd /etc/shadow</i>
-</pre>
-<p>
- The password and shadow files should now be <c>system_u:object_r:etc_t</c>
- and <c>system_u:object_r:shadow_t</c>, respectively. Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect Bash File Context</title>
-<subsection><body>
-<p>
- Bash must be labeled correctly so the user can transition into the user
- domain when logging in. Relabel bash.
-</p>
-<pre caption="">
-# <i>rlpkg bash</i>
-</pre>
-<p>
- Bash (/bin/bash) should now be <c>system_u:object_r:shell_exec_t</c>.
- Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Other sshd Issues</title>
-<subsection><title>Valid Shell</title><body>
-<p>
- First, make sure the user has a valid shell.
-</p>
-<pre caption="">
-# <i>grep</i> <comment>username</comment> <i>/etc/passwd | cut -d: -f7</i>
-/bin/bash <comment>(or your shell of choice)</comment>
-</pre>
-<p>
- If the above command does not return anything, or the shell is wrong,
- set the user's shell.
-</p>
-<pre caption="">
-# <i>usermod -s /bin/bash</i> <comment>username</comment>
-</pre>
-</body></subsection>
-<subsection><title>PAM enabled</title><body>
-<p>
- PAM also must be enabled in sshd. Make sure this line
- in <c>/etc/ssh/sshd_config</c> is uncommented:
-</p>
-<pre caption="">
-UsePAM yes
-</pre>
-<p>
- SELinux currently only allows PAM and a select few programs direct access
- to <c>/etc/shadow</c>; therefore, openssh must now
- use PAM for password authentication (public key still works).
-</p>
-</body></subsection>
-</section>
-</sections>
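Review bot: most of this file is a verbatim copy of the local-login guide removed in the previous hunk (Init Context, PAM Context, Password File Contexts, Bash File Context sections are identical), so removing both together is consistent. The part with no counterpart elsewhere is "Other sshd Issues": the requirement that sshd_config has UsePAM yes because SELinux only lets PAM and a few programs read /etc/shadow, which is why password authentication over ssh silently fails without it. That is still a security-relevant operational detail and deserves a home in whichever page now covers remote logins; please make sure it is carried over rather than lost with the rest.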
diff --git a/xml/selinux/hb-selinux-overview.xml b/xml/selinux/hb-selinux-overview.xml
deleted file mode 100644
index d02943d..0000000
--- a/xml/selinux/hb-selinux-overview.xml
+++ /dev/null
@@ -1,521 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ -->
-
-<sections>
-<version>1.5</version>
-<date>2009-07-13</date>
-
-<!--
-<section><title>Mandatory Access Control</title>
-<subsection><body>
-<p>
- Security Enhanced Linux is an implementation of mandatory access control
- (MAC) using type enforcement. In Linux, the regular security permissions
- are a discretionary access control system (DAC). In DAC, the permissions
- for a particular object, such as a file, are set at the discrection of the
- owner and can be changed at any time by the owner. In MAC, the access a
- process or user has to an object is defined by the operating system
- security policy, and cannot be bypassed.
-!!! still need to update other links in the handbook
-</p>
-</body></subsection>
-</section>
--->
-<section><title>SELinux Types</title>
-<subsection><body>
-<p>
- A type is a security attribute given to objects such as files, and network
- ports, etc. The type of a process is commonly referred to as its domain.
- The SELinux policy is primarily composed of type enforcement rules, which
- describe how domains are allowed to interact with objects, and how domains
- are allowed to interact with other domains. A type is generally suffixed
- with a '_t', such as <c>sysadm_t</c>. This is the most important
- attribute for a process or object, as most policy decisions are based on
- the source and target types.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux Roles</title>
-<subsection><body>
-<p>
- SELinux is type enforcement, so the SELinux role is not the same as those
- in a role-based access control system. Permissions are not given to roles.
- A role describes the set of types a user can use. For example, a system
- administrator that is using the system for regular user tasks should be
- in the <c>staff_r</c> role. If they need to administrate the system, then
- a role change to <c>sysadm_r</c> is required. In SELinux terms, the
- domains that a user can be in is determined by their role. If a role is not
- allowed to have a certain domain, a transition to that domain will be denied,
- even if the type enforcement rules allow the domain transition. A role is
- generally suffixed with a '_r', such as <c>system_r</c>.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux Identities</title>
-<subsection><title>What is a SELinux Identity?</title><body>
-<p>
- The SELinux identity is similar to a Linux username. The change of identity
- should be limited to very specific cases, since the role-based access control
- relies on the SELinux identity. Therfore, in general, a user’s SELinux
- identity will not change during a session. The user ID in Linux can be
- changed by set(e)uid, making it inappropriate for a SELinux identity.
- If a user is given a SELinux identity, it must match the Linux username. Each
- SELinux identity is allowed a set of roles.
-</p>
-</body></subsection>
-
-<subsection><title>Configure SELinux Identity Mapping</title><body>
-<p>
- The SELinux policy has several generic SELinux identities that should
- be sufficient for all users. This mapping only needs to be configured
- on the strict policy. The identity mapping for the targeted policy
- need not be configured, as the default identity (user_u) is sufficient
- in all cases.
-</p>
-<p>
- When a user logs in, the SELinux identity used is determined by this mapping.
-</p>
-<table>
-<tr><th>SELinux Identity</th>
- <th>Roles</th>
- <th>Description</th></tr>
-<tr><ti>system_u</ti>
- <ti>system_r</ti>
- <ti>System (non-interactive) processes. Should not be used on users.</ti></tr>
-<tr><ti>user_u</ti>
- <ti>user_r</ti>
- <ti>Generic unprivileged users. The default identity mapping.</ti></tr>
-<tr><ti>staff_u</ti>
- <ti>staff_r, sysadm_r</ti>
- <ti>System administrators that also log in to do regular user activties.</ti></tr>
-<tr><ti>sysadm_u</ti>
- <ti>sysadm_r</ti>
- <ti>System administrators that only log in to do administrative tasks. It is not suggested that this identity is used.</ti></tr>
-<tr><ti>root</ti>
- <ti>staff_r, sysadm_r</ti>
- <ti>Special identity for root. Other users should use staff_u instead.</ti></tr>
-</table>
-<p>
- See the <uri link="selinux-handbook.xml?part=3&chap=2#doc_chap3">SELinux HOWTO</uri>
- for semanage syntax for configuring SELinux identity mappings.
-</p>
-</body></subsection>
-
-</section>
-
-<section><title>SELinux Contexts</title>
-<subsection><body>
-<p>
- Using the above three security models together is called a SELinux
- context. A context takes the form <c>identity</c>:<c>role</c>:<c>type</c>.
- The SELinux context is the most important value for determining access.
-</p>
-</body></subsection>
-
-<subsection><title>Object Contexts</title><body>
-<p>
- A typical <c>ls -Z</c> may have an output similar to this:
-</p>
-<pre caption="Example ls -Z output">
-drwxr-xr-x root root system_u:object_r:bin_t bin
-drwxr-xr-x root root system_u:object_r:boot_t boot
-drwxr-xr-x root root system_u:object_r:device_t dev
-drwxr-xr-x root root system_u:object_r:etc_t etc
-</pre>
-<p>
- The first three columns are the typical linux permissions, user and group.
- The fourth column is the file or directory's security context. Objects
- are given the generic <c>object_r</c> role. From the other two fields of
- the context, it can be seen that the files are in the system identity,
- and have four different types, <c>bin_t</c>, <c>boot_t</c>, <c>device_t</c>,
- and <c>etc_t</c>.
-</p>
-</body></subsection>
-
-<subsection><title>Process Contexts</title><body>
-<p>
- A typical <c>ps ax -Z</c> may have an output similar to this:
-</p>
-<pre caption="Example ps ax -Z output">
- PID CONTEXT COMMAND
- 1 system_u:system_r:init_t [init]
- 2 system_u:system_r:kernel_t [keventd]
- 3 system_u:system_r:kernel_t [ksoftirqd_CPU0]
- 4 system_u:system_r:kernel_t [kswapd]
- 5 system_u:system_r:kernel_t [bdflush]
- 6 system_u:system_r:kernel_t [kupdated]
- 706 system_u:system_r:syslogd_t [syslog-ng]
- 712 system_u:system_r:httpd_t [apache]
- 791 system_u:system_r:sshd_t [sshd]
- 814 system_u:system_r:crond_t [cron]
- 826 system_u:system_r:getty_t [agetty]
- 827 system_u:system_r:getty_t [agetty]
- 828 system_u:system_r:getty_t [agetty]
- 829 system_u:system_r:getty_t [agetty]
- 830 system_u:system_r:getty_t [agetty]
- 831 system_u:system_r:httpd_t [apache]
- 832 system_u:system_r:httpd_t [apache]
- 833 system_u:system_r:httpd_t [apache]
-23093 system_u:system_r:sshd_t [sshd]
-23095 user_u:user_r:user_t [bash]
-23124 system_u:system_r:sshd_t [sshd]
-23126 user_u:user_r:user_t [bash]
-23198 system_u:system_r:sshd_t [sshd]
-23204 user_u:user_r:user_t [bash]
-23274 system_u:system_r:sshd_t [sshd]
-23275 pebenito:staff_r:staff_t [bash]
-23290 pebenito:staff_r:staff_t ps ax -Z
-</pre>
-<p>
- In this example, the typical process information is displayed, in addition
- to the process's context. By inspection, all of the system's kernel
- processes and daemons run under the <c>system_u</c> identity, and
- <c>system_r</c> role. The individual domains depend on the program.
- There are a few users logged in over ssh, using the generic <c>user_u</c>
- identity. Finally there is a user with the identity <c>pebenito</c> logged in
- with the <c>staff_r</c> role, running in the <c>staff_t</c> domain.
-</p>
-</body></subsection>
-
-</section>
-
-<section>
-<title>SELinux Policy Files</title>
-<subsection><body>
-<p>
- The SELinux policy source files are no longer installed onto the system.
- In the <c>/usr/share/selinux/{strict,targeted}</c> directory there are a
- collection of policy packages and headers for building local modules.
- The policy files are processed by m4, and then the policy compiler <c>checkmodule</c>
- verifies that there are no syntactic errors, and a policy module is created.
- Then a policy package is created with with the <c>semodule_package</c>
- program, using the policy module and the module file contexts.
- The policy packaged then can be loaded into a running SELinux kernel
- by inserting it into the module store.
-</p>
-</body></subsection>
-
-<subsection><title>*.pp</title><body>
-<p>
- Policy packages for this policy. These must be inserted into the module
- store so they can be loaded into the policy. Inside the package
- there is a loadable policy module, and optionally a file context file.
-</p>
-</body></subsection>
-
-<subsection><title>include/</title><body>
-<p>
- Policy headers for this policy.
-</p>
-</body></subsection>
-
-</section>
-
-<section>
-<title>Binary Policy Versions</title>
-<subsection><body>
-<p>
- When compiling the policy, the resultant binary policy is versioned.
- The first version that was merged into 2.6 was version 15.
- The version number is only incremented generally when new features are added that require changes to the structure of the compiled policy.
- For example, in 2.6.5, conditional policy extensions were added.
- This required the policy version to be incremented to version 16.
-</p>
-</body></subsection>
-<subsection><title>What Policy Version Does My Kernel Use?</title>
-<body>
-<p>
- The policy version of a running kernel can be determined by executing
- <c>sestatus</c> or <c>policyvers</c>. Current kernels can load
- the previous version policy for compatibility. For example a version 17
- kernel can also load a version 16 policy. However, this compatibility
- code may be removed in the future.
-</p>
-<note>
- The policy management infrastructure (libsemanage) will automatically
- create and use the correct version policies. No extra steps need be taken.
-</note>
-</body></subsection>
-<subsection><title>Policy Versions</title>
-<body>
-<p>
- The following table contains the policy versions in 2.6 kernels.
-</p>
-<table>
-<tr><th>Version</th>
- <th>Description</th>
- <th>Kernel Versions</th></tr>
-<tr><ti>12</ti>
- <ti>"Old API" SELinux (deprecated).</ti></tr>
-<tr><ti>15</ti>
- <ti>"New API" SELinux merged into 2.6.</ti>
- <ti>2.6.0 - 2.6.4</ti></tr>
-<tr><ti>16</ti>
- <ti>Conditional policy extensions added.</ti>
- <ti>2.6.5</ti></tr>
-<tr><ti>17</ti>
- <ti>IPV6 support added.</ti>
- <ti>2.6.6 - 2.6.7</ti></tr>
-<tr><ti>18</ti>
- <ti>Fine-grained netlink socket support added.</ti>
- <ti>2.6.8 - 2.6.11</ti></tr>
-<tr><ti>19</ti>
- <ti>Enhanced multi-level security.</ti>
- <ti>2.6.12 - 2.6.13</ti></tr>
-<tr><ti>20</ti>
- <ti>Access vector table size optimizations.</ti>
- <ti>2.6.14 - 2.6.18</ti></tr>
-<tr><ti>21</ti>
- <ti>Object classes in range transitions.</ti>
- <ti>2.6.19 - 2.6.24</ti></tr>
-<tr><ti>22</ti>
- <ti>Policy capabilities (features).</ti>
- <ti>2.6.25</ti></tr>
-<tr><ti>23</ti>
- <ti>Per-domain permissive mode.</ti>
- <ti>2.6.26 - 2.6.27</ti></tr>
-<tr><ti>24</ti>
- <ti>Explicit hierarchy (type bounds).</ti>
- <ti>2.6.28 - current</ti></tr>
-</table>
-</body></subsection>
-</section>
-
-<section>
-<title>Conditional Policy Extensions</title>
-<subsection><body>
-<p>
- The conditional policy extensions allow the enabling and disabling of policy
- rules at runtime, without loading a modified policy. Using policy booleans
- and expressions, policy rules can be conditionally applied.
-</p>
-</body></subsection>
-
-<subsection><title>Determine Boolean Values</title>
-<body>
-<p>
- The status of policy booleans in the current running policy can be determined
- two ways. The first is by using <c>sestatus</c>.
-</p>
-<pre caption="Example sestatus output">
-# sestatus
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: enforcing
-Policy version: 17
-
-Policy booleans:
-user_ping inactive
-</pre>
-<p>
- The second is <c>getsebool</c> which is a simple tool that displays
- the status of policy booleans, and if a value change is pending.
-</p>
-<pre caption="Example getsebool command">
-# getsebool -a
-user_ping --> active: 0 pending: 0
-</pre>
-</body></subsection>
-
-<subsection><title>Changing Boolean Values</title>
-<body>
-<p>
- The value of a boolean can be toggled by using the <c>togglesebool</c>
- command. Multiple booleans can be specified on the command line. The
- new value of the boolean will be displayed.
-</p>
-<pre caption="Example togglesebool command">
-# togglesebool user_ping
-user_ping: active
-</pre>
-<p>
- The value of a boolean can be set specifically by using the <c>setsebool</c>
- command.
-</p>
-<pre caption="Example setsebool command">
-# setsebool user_ping 0
-</pre>
-<p>
- To set the value of a boolean, and make it the devault value, use the <c>-P</c> option.
-</p>
-<pre caption="Change default value">
-# setsebool -P user_ping 1
-</pre>
-</body></subsection>
-</section>
-
-<section>
-<title>Policy Kernel Messages</title>
-<subsection><body>
-<p>
- While a system is running, a program or user may attempt to do something
- that violates the security policy. If the system is enforcing the policy,
- the access will be denied, and there will be a message in the kernel log.
- If the system is not enforcing (permissive mode), the access will be allowed,
- but there will still be a kernel message.
-</p>
-</body></subsection>
-
-<subsection><title>AVC Messages</title><body>
-<p>
- Most kernel messages from SELinux come from the access vector cache (AVC).
- Understanding denials is important to understand if an attack is happening,
- or if the program is requiring unexpected accesses. An example denial
- may look like this:
-</p>
-
-<pre caption="Example AVC Message">
-avc: denied { read write } for pid=3392 exe=/bin/mount dev=03:03 ino=65554
-scontext=pebenito:sysadm_r:mount_t tcontext=system_u:object_r:tmp_t tclass=file
-</pre>
-
-<p>
- While most AVC messages are denials, occasionally there might be an audit
- message for an access that was granted:
-</p>
-<pre caption="Example AVC Message 2">
-avc: granted { load_policy } for pid=3385 exe=/usr/sbin/load_policy
-scontext=pebenito:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
-</pre>
-<p>
- In this case, the ability to load the policy was granted. This is a critical
- security event, and thus is always audited. Another event that is always
- audited is switching between enforcing and permissive modes.
-</p>
-
-<p>
- SELinux will supress logging of denials if many are received in a short
- amount of time. However, This does not always imply there is an attack
- in progress. A program may be doing something that could cause
- many denials in a short time, such as doing a stat() on device nodes in
- /dev. To protect from filling up the system logs, SELinux has rate limiting
- for its messages:
-</p>
-
-<pre caption="Example AVC Message 3">
-AVC: 12 messages suppressed.
-</pre>
-
-<p>
- The policy would have to be modified to not audit these accesses if they
- are normal program behavior, but still need to be denied.
-</p>
-
-</body></subsection>
-
-<subsection><title>Other kernel messages</title>
-<body>
-<pre caption="inode_doinit_with_dentry">
-inode_doinit_with_dentry: context_to_sid(system_u:object_r:bar_t) returned 22 for dev=hda3 ino=517610
-</pre>
-<p>
- This means that the file on /dev/hda3 with inode number 517610 has the context
- system_u:object_r:bar_t, which is invalid. Objects with an invalid context
- are treated as if they had the system_u:object_r:unlabeled_t context.
-</p>
-</body></subsection>
-
-</section>
-
-<section><title>Dissecting a Denial</title>
-<subsection><body>
-<p>
- Denials contain varying amounts of information, depending on the access type.
-</p>
-
-<pre caption="Example Denials">
-avc: denied { lock } for pid=28341 exe=/sbin/agetty path=/var/log/wtmp dev=03:03 ino=475406
-scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file
-
-avc: denied { create } for pid=20909 exe=/bin/ls scontext=pebenito:sysadm_r:mkinitrd_t
-tcontext=pebenito:sysadm_r:mkinitrd_t tclass=unix_stream_socket
-
-avc: denied { setuid } for pid=3170 exe=/usr/bin/ntpd capability=7
-scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability
-
-</pre>
-
-<p>
- The most common denial relates to access of files. For better understanding,
- the first denial message will be broken down:
-</p>
-<table>
-<tr><th>Component</th><th>Description</th></tr>
-<tr><ti>avc: denied</ti>
- <ti>SELinux has denied this access.</ti></tr>
-<tr><ti>{ lock }</ti>
- <ti>The attempted access is a lock.</ti></tr>
-<tr><ti>pid=28341</ti>
- <ti>The process ID performing this access is 28341.</ti></tr>
-<tr><ti>exec=/sbin/agetty</ti>
- <ti>The full path and name of the process's executable is /sbin/agetty.</ti></tr>
-<tr><ti>path=/var/log/wtmp</ti>
- <ti>The path and name of the target object is /var/log/wtmp. Note: a complete
- path is not always available.</ti></tr>
-<tr><ti>dev=03:03</ti>
- <ti>The target object resides on device 03:03 (major:minor number).
- On 2.6 kernels this may resolve to a name, hda3 in this example.</ti></tr>
-<tr><ti>ino=475406</ti>
- <ti>The inode number of the target object is 475406.</ti></tr>
-<tr><ti>scontext=system_u:system_r:getty_t</ti>
- <ti>The context of the program is system_u:system_r:getty_t.</ti></tr>
-<tr><ti>tcontext=system_u:object_r:var_log_t</ti>
- <ti>The context of the target object is system_u:object_r:var_log_t.</ti></tr>
-<tr><ti>tclass=file</ti>
- <ti>The target object is a normal file.</ti></tr>
-</table>
-
-<p>
- Not all AVC messages will have all of these fields, as shown in the other
- two denials. The fields vary depending on the target object's class.
- However, the most important fields: access type, source and target contexts,
- and the target object's class will always be in an AVC message.
-</p>
-</body></subsection>
-
-<subsection><title>Understanding the Denial</title><body>
-<p>
- Denials can be very confusing since they can be triggered for several reasons.
- The key to understanding what is happening is to know the behavior of the
- program, and to correctly interpret the denial message. The target is not
- limited to files; it could also be related to network sockets,
- interprocess communications, or others.
-</p>
-<p>
- In the above example, the agetty is denied locking of a file. The file's type
- is var_log_t, therefore it is implied that the target file is in /var/log.
- With the extra information from the path= field in the denial message, it is
- confirmed to be the file /var/log/wtmp. If path information was unavailable,
- this could be further confirmed by searching for the inode. Wtmp is a file that has
- information about users currently logged in, and agetty handles logins on
- ttys. It can be concluded that this is an expected access of agetty, for
- updating wtmp. However, why is this access being denied? Is there a flaw
- in the policy by not allowing agetty to update wtmp? It turns out that wtmp
- has the incorrect context. It should be system_u:object_r:wtmp_t, rather
- than system_u:object_r:var_log_t.
-</p>
-<p>
- If this access was not understood, an administrator might mistakenly allow getty_t
- read/write access to var_log_t files, which would be incorrect, since agetty
- only needs to modify /var/log/wtmp. This underscores how critical keeping
- file contexts consistent is.
-</p>
-</body></subsection>
-</section>
-
-<section><title>References</title>
-<subsection><body>
-<p>
- <uri link="http://www.nsa.gov/selinux">U.S. National Security Agency</uri>,
- SELinux Policy README
-</p>
-</body></subsection>
-</section>
-</sections>
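Review bot: the removed "Understanding the Denial" subsection is the only part of this hunk that explains why the agetty denial is a labelling problem (wtmp should be wtmp_t, not var_log_t) and why granting getty_t write access to var_log_t files would be the wrong fix; if that reasoning is not carried over into the chapter that replaces this file, readers lose the relabel-before-allow lesson, so consider moving those two paragraphs rather than dropping them.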
diff --git a/xml/selinux/hb-selinux-references.xml b/xml/selinux/hb-selinux-references.xml
deleted file mode 100644
index 5bceac4..0000000
--- a/xml/selinux/hb-selinux-references.xml
+++ /dev/null
@@ -1,111 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
-
-<sections>
-<version>1.2</version>
-<date>2006-05-07</date>
-
-
-<section><title>Background</title>
-<subsection><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure:
- The Flawed Assumption of Security in Modern Computing Environments</uri>
- explains the need for mandatory access controls.</li>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture:
- System Support for Diverse Security Policies</uri>
- explains the security architecture of Flask, the architecture used by SELinux.</li>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</uri>
- has specifics about SELinux access checks in the kernel.</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Policy</title>
-<subsection><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</uri></li>
-<li>
- <uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri></li>
-<li>
- SELinux <uri link="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</uri>
- Overview</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Books</title>
-<subsection><body>
-<ul>
-<li>
- <c>SELinux by Example: Using Security Enhanced Linux</c>, Frank Mayer,
- Karl MacMillan, and David Caplan, Prentice Hall, 2006; ISBN 0131963694</li>
-<li>
- <c>SELinux: NSA's Open Source Security Enhanced Linux</c>, Bill McCarty,
- O'Reilly Media, 2004; ISBN 0596007167</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Meeting Notes</title>
-<subsection><body>
-<ul>
-<li>
- <uri link="http://www.selinux-symposium.org/2006/summit.php">March 3rd, 2006 SELinux Developer Summit</uri></li>
-<li>
- <uri link="http://www.selinux-symposium.org/meeting.php">May 6th, 2004 Informal Meeting</uri></li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Presentations</title>
-<subsection><title>2006 SELinux Symposium</title><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/selinux/papers/selsymp2006-abs.cfm">SELinux Year in Review</uri>,
- Stephen Smalley, National Security Agency</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2006/slides/03-refpolicy-slides.pdf">Reference Policy for Security Enhanced Linux</uri>,
- Karl MacMillan, Tresys Technology (<uri link="http://www.selinux-symposium.org/2006/papers/05-refpol.pdf">Paper</uri>)</li>
-</ul>
-</body>
-</subsection>
-<subsection><title>2005 SELinux Symposium</title><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/research/selinux/index.shtml">SELinux Overview</uri>,
- NSA</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session3/3-2-macmillan.pdf">Core Policy Management Infrastructure for SELinux</uri>,
- Karl MacMillan, Tresys Technology</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session4/4-1-walsh.pdf">Targeted vs. Strict Policy History and Strategy</uri>,
- Dan Walsh, Red Hat</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session4/4-4-mayer.pdf">Tresys SETools: Tools and Libraries for Policy Analysis and Management</uri>,
- Frank Mayer, Tresys Technology</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session5/5-3-macmillan.pdf">Information Flow Analysis for Type Enforcement Policies</uri>,
- Karl MacMillan, Tresys Technology</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session6/6-2-mayer.pdf">SELinux Policy Analysis Concepts and Techniques</uri>,
- David Caplan, Frank Mayer, Tresys Technology</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-</sections>
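Review bot: deleting hb-selinux-references.xml outright leaves nothing in this diff that removes the chapter from selinux-handbook.xml, so the book will either fail to build or show a dead chapter if the include is still there; either update the handbook's chapter list in the same commit or say where the references that were here (the refpolicy project, the Object Classes and Permissions page, the Flask and LSM papers) now live.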
^ permalink raw reply related [flat|nested] 95+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-10 7:49 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-10 7:49 UTC (permalink / raw
To: gentoo-commits
commit: 8e04f3f061a5b9f31ccf2fcd386dbf0bf1f011c5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 10 07:44:48 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 10 07:44:48 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=8e04f3f0
Use Python2 for the time being
---
xml/selinux/hb-using-install.xml | 25 +++++++++++++++++++++++--
1 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 4633d0e..5a70ec7 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>2</version>
-<date>2011-03-09</date>
+<version>3</version>
+<date>2011-04-10</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -89,6 +89,27 @@ Make sure to include layman's <path>make.conf</path> in your
</body>
</subsection>
<subsection>
+<title>Switching to Python 2</title>
+<body>
+
+<p>
+For now, the SELinux management utilities are not compatible with Python 3 so
+we recommend to switch to Python 2 until the packages are updated and fixed.
+</p>
+
+<pre caption="Switching to python 2">
+~# <i>eselect python list</i>
+Available Python interpreters:
+ [1] python2.7
+ [2] python3.1 *
+
+~# <i>eselect python set 1</i>
+~# <i>source /etc/profile</i>
+</pre>
+
+</body>
+</subsection>
+<subsection>
<title>Optional: Setting the /tmp context</title>
<body>
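Review bot: `eselect python set 1` in the new <pre> hard-codes the list index from the sample output, which only happens to be python2.7 on that machine; `eselect python set python2.7` selects by name and keeps working when the interpreter list is ordered differently. Also, "we recommend to switch" should read "we recommend switching", and the caption should capitalise Python.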
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-15 17:52 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-15 17:52 UTC (permalink / raw
To: gentoo-commits
commit: e74a05ae9975bad83e373b4246e9ea45a7ffbbed
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 15 17:49:01 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 15 17:49:01 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e74a05ae
Use /selinux filesystem to display supported permissions
---
xml/selinux/hb-intro-concepts.xml | 15 +++++++++------
1 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index b8933ed..f1cbc71 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>2</version>
-<date>2011-01-10</date>
+<version>3</version>
+<date>2011-04-15</date>
<section>
<title>Introduction</title>
@@ -127,10 +127,13 @@ object class supports at least the following permissions:
</p>
<pre caption="Supported permissions against a 'process' resource">
-fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched
-getsession setpgid getpgid getcap setcap share getattr setexec setfscreate
-setrlimit noatsecure siginh rlimitinh dyntransition setcurrent execmem execstack
-execheap setkeycreate setsockcreate
+~# <i>ls /selinux/class/process/perms</i>
+dyntransition getcap rlimitinh setpgid siginh
+execheap getpgid setcap setrlimit sigkill
+execmem getsched setcurrent setsched signal
+execstack getsession setexec setsockcreate signull
+fork noatsecure setfscreate share sigstop
+getattr ptrace setkeycreate sigchld transition
</pre>
<p>
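Review bot: the new listing is plain `ls` column output of 30 entries, and the terminal width decides how those are laid out, so the six rows shown in the <pre> will not reproduce verbatim on another system; `ls -1 /selinux/class/process/perms` (optionally piped through sort) gives a stable listing. The caption still says "Supported permissions", while this directory reflects what the running kernel knows about the class, so a sentence distinguishing kernel-known permissions from what the loaded policy actually uses would help.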
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-15 17:52 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-15 17:52 UTC (permalink / raw
To: gentoo-commits
commit: ac14df51a7a18c5c98abebb19c4701b468f4b424
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 15 17:48:44 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 15 17:48:44 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ac14df51
Remove draft disclaimer
---
xml/selinux/selinux-handbook.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/selinux-handbook.xml b/xml/selinux/selinux-handbook.xml
index e8dcc3c..30d8fae 100644
--- a/xml/selinux/selinux-handbook.xml
+++ b/xml/selinux/selinux-handbook.xml
@@ -3,7 +3,7 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v 1.9 2010/06/25 16:07:19 pebenito Exp $ -->
-<book link="selinux-handbook.xml" disclaimer="draft">
+<book link="selinux-handbook.xml">
<title>Gentoo SELinux Handbook</title>
<author title="Author">
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-15 19:10 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-15 19:10 UTC (permalink / raw
To: gentoo-commits
commit: e111f56612c05000c91de709930b60f417437e57
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 15 19:10:14 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 15 19:10:14 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e111f566
Apparently, setting this to SELinux does make a difference (.37 kernels, perhaps even higher)
---
xml/selinux/hb-using-install.xml | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 5a70ec7..f46ee2a 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>3</version>
-<date>2011-04-10</date>
+<version>4</version>
+<date>2011-04-15</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -324,8 +324,7 @@ Below you can find a quick overview of the recommended settings.
[ ] NSA SELinux AVC Statistics
(1) NSA SELinux checkreqprot default value
[ ] NSA SELinux maximum supported policy format version
- Default security module (Unix Discretionary Access Controls) --->
-<comment>(The latter can also be set to SELinux - but this serves little purpose)</comment>
+ Default security module (SELinux) --->
</pre>
<p>
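Review bot: the removed comment told readers this setting serves little purpose, and the commit message says it does matter on .37 and later kernels, but the hunk gives no replacement explanation; add a short comment or sentence stating that this option (CONFIG_DEFAULT_SECURITY) selects which LSM is activated at boot when no security= kernel parameter is passed, so readers understand why SELinux has to be chosen here rather than left at the DAC default.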
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-16 9:06 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-16 9:06 UTC (permalink / raw
To: gentoo-commits
commit: 40a8b2d712ca8cad6732fe37c5d6ac7d9a53eba5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Apr 16 09:05:50 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Apr 16 09:05:50 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=40a8b2d7
Inform labelling swapfiles
---
xml/selinux/hb-using-install.xml | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index f46ee2a..30dc495 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>4</version>
-<date>2011-04-15</date>
+<version>5</version>
+<date>2011-04-16</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -562,6 +562,15 @@ First relabel your devices. This will apply the correct security contexts
</pre>
<p>
+Next, if you have a swapfile rather than a swap partition, label it accordingly:
+</p>
+
+<pre caption="Labelling the swap file">
+~# <i>semanage fcontext -a -t swapfile_t "/swapfile"</i>
+~# <i>restorecon /swapfile</i>
+</pre>
+
+<p>
Now relabel your entire file system. The next command will apply the correct
security context onto the files on your file system, based on the security
context information provided by the SELinux policy modules installed.
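Review bot: the new <pre> hard-codes /swapfile; say that the path is an example to be replaced with the reader's own, and that `semanage fcontext -a` treats its argument as a regular expression, so a real path containing regex metacharacters (a dot, for instance) has to be escaped. A sentence on why this comes before the full relabel that follows (the relabel only applies contexts the policy or a local fcontext definition knows about) would also make the ordering clear.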
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-22 10:32 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-22 10:32 UTC (permalink / raw
To: gentoo-commits
commit: c520e1f8e98121d800931e3424219cded56f9327
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 10:32:27 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 10:32:27 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c520e1f8
Refer to module writing later
---
xml/selinux/hb-using-permissive.xml | 45 ++++++++--------------------------
1 files changed, 11 insertions(+), 34 deletions(-)
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
index 3d9e1fb..0d1afbf 100644
--- a/xml/selinux/hb-using-permissive.xml
+++ b/xml/selinux/hb-using-permissive.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>2</version>
-<date>2011-03-02</date>
+<version>3</version>
+<date>2011-04-22</date>
<section>
<title>Keeping Track of Denials</title>
@@ -185,15 +185,16 @@ statement so that this can be tracked in the logs.
<section>
<title>Analyzing Denials</title>
<subsection>
-<title>A Standard Setup Will Not Work</title>
+<title>A Standard Setup Might Not Work</title>
<body>
<p>
If you have taken a look at your denials, you'll probably think "If I'm going to
-go to enforcing mode, my system will not function properly" and you're right. At
-this point, Gentoo Hardened is constantly updating the SELinux policies to get
-you a working system - but we're not there yet. For this reason, being able to
-analyze the denials (and take corrective actions) is very important.
+go to enforcing mode, my system will not function properly" and you might be
+right. At this point, Gentoo Hardened is constantly updating the SELinux
+policies to get you a working system - but we're not fully there yet. For this
+reason, being able to analyze the denials (and take corrective actions) is
+very important.
</p>
<p>
@@ -336,35 +337,11 @@ module. It is a local setting - but which is persistent across reboots.
<p>
If you want to make such a definition part of a module you're writing, you will
need to create a file context file which contains the definition(s) for the
-files whose context you want to set. Its syntax can be obtained through the
-<path>/etc/selinux/strict/contexts/files/file_contexts</path> (or
-<path>.../targeted/...</path>).
+files whose context you want to set. Writing policy modules is described later
+in this book in <uri link="?part=2&chap=5">Adding SELinux Policy
+Modules</uri>.
</p>
-<pre caption="Getting the example file context syntax">
-<comment>[ Capture the syntax for a file ]</comment>
-~# <i>tail /etc/selinux/strict/contexts/files/file_contexts</i>
-/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- system_u:object_r:bin_t
-[...]
-</pre>
-
-<p>
-By just blindly copying the syntax for our example, this would yield:
-</p>
-
-<pre caption="Sample file context syntax for /etc/lvm.conf">
-/etc/lvm\.conf -- system_u:object_r:lvm_etc_t
-</pre>
-
-<p>
-Assuming this is stored in <path>fixlvm.fc</path> you can create the module
-as follows.
-</p>
-
-<pre caption="Creating the fixlvm module">
-~# <i>semodule_package -o fixlvm.pp -m fixlvm.mod -f fixlvm.fc</i>
-</pre>
-
</body>
</subsection>
<subsection>
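Review bot: the new <uri link="?part=2&chap=5"> shows a bare ampersand inside an attribute; in XML that must be written &amp; or the file will not parse, so check whether the source actually has &amp; and the mail rendering unescaped it. Dropping the file_contexts excerpt also removes the only place that showed the `path -- user:role:type` line format and the `semodule_package -f` invocation; make sure the chapter now referred to covers both.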
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-22 10:32 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-22 10:32 UTC (permalink / raw
To: gentoo-commits
commit: 651c4a00c4568fce6cc7bcfbb11c647a29be8ebb
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 09:24:51 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 09:24:51 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=651c4a00
Refer to SELinux users
---
xml/selinux/hb-using-commands.xml | 14 ++++++++------
1 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-commands.xml
index e3a66fe..ebe0afe 100644
--- a/xml/selinux/hb-using-commands.xml
+++ b/xml/selinux/hb-using-commands.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>1</version>
-<date>2010-12-31</date>
+<version>2</version>
+<date>2011-04-22</date>
<section>
<title>SELinux Information Commands</title>
@@ -274,7 +274,7 @@ You can set a boolean with both <c>setsebool</c> and <c>semanage</c>:
</body>
</subsection>
-<subsection>
+<subsection id="users">
<title>SELinux Users and Logins</title>
<body>
@@ -367,12 +367,14 @@ denied the actions assigned to that domain.
If your standard users are all SELinux user_u users (with the only supported
role being user_r) then those users will never need to switch roles (nor are
they allowed to). But users that are staff_u (or other users that have multiple
-roles) those users should be made clear how they switch between roles.
+roles) those users should be made clear how they switch between roles. We have
+already covered how to map such users to the correct SELinux user (see <uri
+link="#users">SELinux Users and Logins</uri>).
</p>
<p>
-The command that accomplishes this is called <c>newrole</c>. It's use is pretty
-straight forward.
+The command that accomplishes switching roles is called <c>newrole</c>. It's
+use is pretty straight forward.
</p>
<pre caption="Using newrole">
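Review bot: "It's use is pretty straight forward" in the second changed paragraph should be "Its use is pretty straightforward" (possessive, not the contraction). The preceding sentence also still reads awkwardly ("But users that are staff_u ... those users should be made clear how they switch"); something like "Users that are staff_u, or other users with multiple roles, need to know how to switch between them" would fix it while keeping the new cross-reference.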
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-22 19:05 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-22 19:05 UTC (permalink / raw
To: gentoo-commits
commit: 54cb47b7a5f87111c352cad83d7df7c51c1baad0
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 17:36:28 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 17:36:28 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=54cb47b7
Add semodule -i in overview too
---
xml/selinux/hb-using-permissive.xml | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
index 0d1afbf..f1007d5 100644
--- a/xml/selinux/hb-using-permissive.xml
+++ b/xml/selinux/hb-using-permissive.xml
@@ -7,7 +7,7 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>3</version>
+<version>4</version>
<date>2011-04-22</date>
<section>
@@ -432,6 +432,10 @@ order to load a module, you can use <c>semodule -i modulename.pp</c>. The
<ul>
<li>
+ With <c>semodule -i modulename.pp</c> you (re)install a module (or install
+ a higher version of said module)
+ </li>
+ <li>
With <c>semodule -u modulename.pp</c> you upgrade an existing installed
module with a new version of this module
</li>
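Review bot: the new -i bullet and the existing -u bullet now both describe installing a newer version of a module, so the reader cannot tell the two apart. The new bullet already says "(re)install", so the distinguishing point to state is that -i works whether or not a module of that name is already loaded, while -u presumes an installed module that it replaces with a newer version; reserve the -u bullet for that case.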
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-22 19:05 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-22 19:05 UTC (permalink / raw
To: gentoo-commits
commit: a27c75bed3da2c64fccc5552c999c2224b6ae7c5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 19:05:20 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 19:05:20 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a27c75be
Updates on handbook
---
xml/selinux/hb-using-enforcing.xml | 4 ++--
xml/selinux/hb-using-permissive.xml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/xml/selinux/hb-using-enforcing.xml b/xml/selinux/hb-using-enforcing.xml
index 66e24a9..9f218cb 100644
--- a/xml/selinux/hb-using-enforcing.xml
+++ b/xml/selinux/hb-using-enforcing.xml
@@ -173,8 +173,8 @@ system as the intention was to ignore the output anyhow.
<p>
So how can we ensure that this rule doesn't fill up our AVC logs? Well, we need
-to create a module (like we have seen before and which we discuss in a later
-chapter again :-):
+to create a module (like we have seen before in <uri
+link="?part=2&chap=3#create_module">Creating Specific Allow Rules</uri>):
</p>
<pre caption="Creating a module to ignore these AVC denials">
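Review bot: link="?part=2&chap=3#create_module" has the same attribute problem as the other cross-reference added to this book: the ampersand must be &amp; in XML unless the mail rendering unescaped it. The #create_module anchor only resolves because the second file in this patch adds id="create_module" to the subsection in hb-using-permissive.xml, so the two hunks have to land together.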
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
index f1007d5..a44251b 100644
--- a/xml/selinux/hb-using-permissive.xml
+++ b/xml/selinux/hb-using-permissive.xml
@@ -344,7 +344,7 @@ Modules</uri>.
</body>
</subsection>
-<subsection>
+<subsection id="create_module">
<title>Creating Specific Allow Rules</title>
<body>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-22 19:28 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-22 19:28 UTC (permalink / raw
To: gentoo-commits
commit: 6495b4ebd52439b3ecddaa969ae74c7dcd903ef3
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 19:28:50 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 19:28:50 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6495b4eb
Update on SELinux subproject page
---
xml/selinux/index.xml | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index c9cd173..39f4047 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -56,7 +56,7 @@
SELinux policy for the core system, including users, administrators, and
daemons in the system profile.
</extraproject>
-<extraproject name="Daemon Policy">
+<extraproject name="Daemon Policy" lead="pebenito">
SELinux policies for common daemons.
</extraproject>
<extraproject name="x86" lead="pebenito">
@@ -66,6 +66,7 @@
Support for the AMD64 (x86-64) architecture.
</extraproject>
+<!-- There's a difference between "nice-to-have" and "planned"
<plannedproject name="non-x86 Support">
Profiles, installation guides, and support for non-x86 architectures.
</plannedproject>
@@ -73,11 +74,13 @@
SELinux support on destktops. This involves enhancements to XFree's
security, and accompanying policy.
</plannedproject>
+-->
<!--
<resource link="http://selinux.dev.gentoo.org">SELinux Demonstration Machine</resource>
-->
<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</resource>
+<resource link="/proj/en/hardened/selinux/selinux-faq.xml">Gentoo SELinux FAQ</resource>
<extrachapter position="devs">
<title>Contributors</title>
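Review bot: the --> added here closes the comment opened in the previous hunk ("There's a difference between "nice-to-have" and "planned""), so the planned-project entries between lines 69 and 73 (not shown) must not contain a "--" sequence, or the XML parser will reject the comment; please confirm. While in this hunk, the context line "SELinux support on destktops" has a typo (desktops) that could be fixed in passing.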
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-22 19:30 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-22 19:30 UTC (permalink / raw
To: gentoo-commits
commit: 74fb759f9d5db20adc89f0e177b80ac15e8f9bff
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 19:29:57 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 19:29:57 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=74fb759f
Correct location to FAQ
---
xml/selinux/index.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index 39f4047..524d918 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -80,7 +80,7 @@
<resource link="http://selinux.dev.gentoo.org">SELinux Demonstration Machine</resource>
-->
<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</resource>
-<resource link="/proj/en/hardened/selinux/selinux-faq.xml">Gentoo SELinux FAQ</resource>
+<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
<extrachapter position="devs">
<title>Contributors</title>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-04-22 21:43 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-04-22 21:43 UTC (permalink / raw
To: gentoo-commits
commit: 3c24859f9c6ca59352aa3d19e4525d7c72f2c41e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 21:43:07 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 21:43:07 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3c24859f
Add id=avclog to the appropriate section
---
xml/selinux/hb-using-permissive.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
index a44251b..d537f85 100644
--- a/xml/selinux/hb-using-permissive.xml
+++ b/xml/selinux/hb-using-permissive.xml
@@ -116,7 +116,7 @@ cache from which the allow/deny is triggered. Hence the "avc" messages and the
</body>
</subsection>
-<subsection>
+<subsection id="avclog">
<title>Looking at the AVC Log</title>
<body>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-03 20:12 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-03 20:12 UTC (permalink / raw
To: gentoo-commits
commit: 37823f895ec2add96e802cedcf0d13d909bfa08e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 3 20:09:22 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 3 20:09:22 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=37823f89
Add information on ubac USE flag as well as other SELinux-related USE flags
---
xml/selinux/hb-intro-concepts.xml | 9 ++++-
xml/selinux/hb-using-install.xml | 56 +++++++++++++++++++++++++++++++++++-
2 files changed, 61 insertions(+), 4 deletions(-)
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index f1cbc71..4a3ea90 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
<sections>
-<version>3</version>
-<date>2011-04-15</date>
+<version>4</version>
+<date>2011-05-03</date>
<section>
<title>Introduction</title>
@@ -510,6 +510,11 @@ which has write access to the domain of the file, but can still not write to the
file because the SELinux users' differ.
</p>
+<p>
+At this moment, Gentoo Hardened SELinux' supports both policies with and
+without UBAC. This is controlled through the <c>ubac</c> USE flag.
+</p>
+
</body>
</subsection>
</section>
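Review bot: "Gentoo Hardened SELinux' supports both policies" has a stray apostrophe after SELinux; "Gentoo Hardened supports SELinux policies both with and without UBAC" reads correctly. Saying which is the default, or pointing to the USE flag table this same commit adds to hb-using-install.xml, would make the paragraph actionable rather than leaving the reader to find the ubac flag on their own.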
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 30dc495..a6a61a3 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -197,14 +197,66 @@ installation is completed.
</note>
<p>
+Don't update your system yet - we will need to install a couple of packages in a
+particular order which Portage isn't aware of in the next couple of sections.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Update make.conf</title>
+<body>
+
+<p>
Edit your <path>/etc/make.conf</path> file and set
<c>FEATURES="-loadpolicy"</c>. The current SELinux profile enables the
loadpolicy feature, but this isn't supported anymore so can be safely ignored.
</p>
<p>
-Don't update your system yet - we will need to install a couple of packages in a
-particular order which Portage isn't aware of in the next couple of sections.
+Next, take a look at the following USE flags and decide if you want to enable
+or disable them.
+</p>
+
+<table>
+<tr>
+ <th>USE flag</th>
+ <th>Default Value</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>peer_perms</ti>
+ <ti>Enabled</ti>
+ <ti>
+ The peer_perms capability controls the SELinux policy network peer controls.
+ If set, the access control mechanisms that SELinux uses for network based
+ labelling are consolidated. This setting is recommended as the policy is
+ also updated to reflect this. If not set, the old mechanisms (NetLabel and
+ Labeled IPsec) are used side by side.
+ </ti>
+</tr>
+<tr>
+ <ti>open_perms</ti>
+ <ti>Disabled</ti>
+ <ti>
+ The open_perms capability enables the SELinux permission "open" for files
+ and file-related classes.
+ </ti>
+</tr>
+<tr>
+ <ti>ubac</ti>
+ <ti>Disabled</ti>
+ <ti>
+ When enabled, the SELinux policy is built with user-based access control
+ enabled. This is optional as it introduces constraints that might be
+ difficult to notice at first when you hit them.
+ </ti>
+</tr>
+</table>
+
+<p>
+Make your choice and update the <c>USE</c> variable in
+<path>/etc/make.conf</path>.
</p>
</body>
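Review bot: the closing paragraph tells the reader to "make your choice and update the USE variable" but never shows what the resulting make.conf line looks like; one example such as USE="peer_perms open_perms -ubac" would remove the guesswork. The ubac row also says its constraints "might be difficult to notice at first when you hit them" without saying what they are; a pointer to the UBAC explanation in hb-intro-concepts.xml (touched in this same commit) would do.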
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-03 20:47 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-03 20:47 UTC (permalink / raw
To: gentoo-commits
commit: 914fe9701f65cafdbf06e63f6691ebc7f4586943
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 3 20:47:38 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 3 20:47:38 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=914fe970
Enable open_perms by default
---
xml/selinux/hb-using-install.xml | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index a6a61a3..541b1fa 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -237,10 +237,12 @@ or disable them.
</tr>
<tr>
<ti>open_perms</ti>
- <ti>Disabled</ti>
+ <ti>Enabled</ti>
<ti>
The open_perms capability enables the SELinux permission "open" for files
- and file-related classes.
+ and file-related classes. Support for the "open" call was added a bit later
+ than others so support was first made optional. However, the policies have
+ matured sufficiently to have the open permission set.
</ti>
</tr>
<tr>
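Review bot: the new open_perms text says support "was added a bit later than others" but not what a reader on an older kernel should expect; since the default is flipped to Enabled in this hunk, state the minimum kernel version required, or how to verify support, so users who must keep the flag disabled know why. Also "to have the open permission set" is ambiguous between "set by default" and "the set of open permissions"; "to require the open permission" is clearer.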
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-13 19:43 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-13 19:43 UTC (permalink / raw
To: gentoo-commits
commit: 338e04b26909cdbff6b6a41cdbcb10ed3c0d7269
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 13 19:41:27 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 13 19:41:27 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=338e04b2
Add rc-svcdir mount and update UBAC information
---
xml/selinux/hb-intro-concepts.xml | 3 ++-
xml/selinux/hb-using-install.xml | 20 +++++++++++++++-----
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index b0c91fe..1252d95 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -512,7 +512,8 @@ file because the SELinux users' differ.
<p>
At this moment, Gentoo Hardened SELinux' supports both policies with and
-without UBAC. This is controlled through the <c>ubac</c> USE flag.
+without UBAC, although we strongly recommend to use UBAC. This is controlled
+through the <c>ubac</c> USE flag.
</p>
</body>
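Review bot: "we strongly recommend to use UBAC" should read "we strongly recommend using UBAC", and the unchanged context lines carry stray apostrophes ("SELinux users' differ", "Gentoo Hardened SELinux' supports") that could be fixed while this paragraph is being touched. Since the recommendation is new, one clause on why (the constraint UBAC adds between SELinux users) would let the reader weigh it against the ubac USE flag default that the same commit changes.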
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 0c9adc7..f51a62d 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -110,7 +110,7 @@ Available Python interpreters:
</body>
</subsection>
<subsection>
-<title>Optional: Setting the /tmp context</title>
+<title>Setting the filesystem contexts</title>
<body>
<p>
@@ -128,6 +128,18 @@ To configure the <path>/tmp</path> mount, edit your <path>/etc/fstab</path>:
tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t</i> 0 0
</pre>
+<p>
+Next to the <path>/tmp</path> location, you will need to explicitly define the
+mount for <path>rc-svcdir</path>, used by sys-apps/openrc. If not, this tmpfs
+file system is mounted with the wrong security label which will result in boot
+failures.
+</p>
+
+<pre caption="Update /etc/fstab for rc-svcdir">
+<comment># Change /lib64 with /lib for 32-bit systems / support</comment>
+rc-svcdir /lib64/rc/init.d tmpfs rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0
+</pre>
+
</body>
</subsection>
<subsection>
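Review bot: the rc-svcdir fstab line reads like a copy of the mounted state rather than what a user should write: `seclabel` is a flag the kernel reports in /proc/mounts to show label support, not an option the reader normally sets, and rw, relatime, size=1024k and mode=755 look copied from the running mount. Keep only the options meant to be deliberate (rootcontext=system_u:object_r:initrc_state_t plus nosuid,nodev,noexec, and the size and mode if intended) and verify that mount accepts the line as written, since a rejected option here produces exactly the boot failure the paragraph warns about. Also wrap sys-apps/openrc in <c> like other package names, and phrase the comment as "replace /lib64 with /lib on 32-bit systems".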
@@ -247,11 +259,9 @@ or disable them.
</tr>
<tr>
<ti>ubac</ti>
- <ti>Disabled</ti>
+ <ti>Enabled</ti>
<ti>
- When enabled, the SELinux policy is built with user-based access control
- enabled. This is optional as it introduces constraints that might be
- difficult to notice at first when you hit them.
+ When disabled, the SELinux policy is built without user-based access control.
</ti>
</tr>
</table>
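Review bot: the ubac description has been reduced to "When disabled, the SELinux policy is built without user-based access control", which only restates the flag name and drops the old warning that UBAC "introduces constraints that might be difficult to notice at first when you hit them"; with the default now Enabled that warning matters more, not less, so keep a sentence on what the constraints are and point to the UBAC text in hb-intro-concepts.xml changed in the same commit. Describing the Enabled state first, as the peer_perms and open_perms rows do, would also keep the table consistent.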
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-14 12:51 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-14 12:51 UTC (permalink / raw
To: gentoo-commits
commit: fce926f5c34fa890e16a1dec7f26ccd12ad50c51
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 14 12:50:41 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat May 14 12:50:41 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=fce926f5
Update on file context changes for openrc
---
xml/selinux/hb-using-install.xml | 23 ++++++-----------------
1 files changed, 6 insertions(+), 17 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index f51a62d..5cf0b13 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>5</version>
-<date>2011-04-16</date>
+<version>6</version>
+<date>2011-05-14</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -110,7 +110,7 @@ Available Python interpreters:
</body>
</subsection>
<subsection>
-<title>Setting the filesystem contexts</title>
+<title>Optional: Setting the filesystem contexts</title>
<body>
<p>
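Review bot: this reverts the title change made on 2011-05-13 ("Optional:" removed there, restored here). That is consistent with dropping the mandatory rc-svcdir mount below, but the body should now say explicitly that the /tmp rootcontext is optional and that the openrc labels are instead applied by the relabel step later in the chapter; otherwise a reader of the earlier version will look for the fstab line that this commit removes.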
@@ -128,18 +128,6 @@ To configure the <path>/tmp</path> mount, edit your <path>/etc/fstab</path>:
tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t</i> 0 0
</pre>
-<p>
-Next to the <path>/tmp</path> location, you will need to explicitly define the
-mount for <path>rc-svcdir</path>, used by sys-apps/openrc. If not, this tmpfs
-file system is mounted with the wrong security label which will result in boot
-failures.
-</p>
-
-<pre caption="Update /etc/fstab for rc-svcdir">
-<comment># Change /lib64 with /lib for 32-bit systems / support</comment>
-rc-svcdir /lib64/rc/init.d tmpfs rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0
-</pre>
-
</body>
</subsection>
<subsection>
@@ -612,8 +600,8 @@ manipulate during your day-to-day activities on your system.
</impo>
<p>
-First relabel your devices. This will apply the correct security contexts
-(labels) onto the device files.
+First relabel your devices and openrc related files. This will apply the
+correct security contexts (labels) onto the necessary files.
</p>
<pre caption="Relabel /dev structure">
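Review bot: "openrc related files" wants a hyphen ("openrc-related"), and "onto the necessary files" is vaguer than the old "onto the device files"; name the files concerned (the device nodes and openrc's state directory under /lib64/rc) so the reader knows what the two setfiles commands that follow cover.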
@@ -622,6 +610,7 @@ First relabel your devices. This will apply the correct security contexts
<comment>(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</comment>
~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</i>
+~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</i>
~# <i>umount /mnt/gentoo</i>
</pre>
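Review bot: the added `setfiles ... /mnt/gentoo/lib64` line hardcodes lib64 with no 32-bit counterpart; the rc-svcdir fstab entry it replaces carried the note "Change /lib64 with /lib for 32-bit systems", so add the same remark (or a second command for /lib) here, otherwise openrc's state directory stays mislabelled on 32-bit installs and the boot failure the removed paragraph described comes back. The caption "Relabel /dev structure" also no longer matches what the block does; "Relabel /dev and openrc files" would.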
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-20 19:32 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-20 19:32 UTC (permalink / raw
To: gentoo-commits
commit: 5e3c2053b7b3c2728f0a4d12653ea5f550edf495
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 20 19:32:03 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 20 19:32:03 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5e3c2053
Add roadmap, improve wording
---
xml/selinux/index.xml | 264 ++++++++++++++++++++++++++++++-------------------
1 files changed, 160 insertions(+), 104 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index 41535f8..049baa5 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -9,108 +9,163 @@
<longname>SELinux</longname>
<description>
- SELinux is a system of mandatory access controls. SELinux can enforce
- the security policy over all processes and objects in the system.
+SELinux is a system of mandatory access controls. SELinux can enforce
+the security policy over all processes and objects in the system.
</description>
-<longdescription><p>
- This project manages SELinux support in Gentoo. This includes providing
- kernels with SELinux support, providing patches to userland utilities, writing
- strong Gentoo-specific default profiles, and deploying policies from Portage.
-</p></longdescription>
-
-<goals><p>
- The intention of the project is to make SELinux available to more users, and
- improving its integration.
- Policy should be available for common daemons, and files merged in from Portage
- should have the correct file context. Currently we only work on servers, but
- desktops will be supported in the future.
-</p></goals>
-
-<extrachapter position="goals">
-<title>What is SELinux?</title>
-<section><body>
+<longdescription>
<p>
- <uri link="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced
- Linux</uri> (SELinux) is a system of mandatory access control using type
- enforcement and role-based access control. It is implemented as a <uri
- link="http://lsm.immunix.org/">Linux Security Module</uri> (LSM). In addition
- to the kernel portion, SELinux consists of a library (libselinux) and userland
- utilities for compiling policy (checkpolicy), and loading policy
- (policycoreutils), in addition to other user programs.
+This project manages SELinux support in Gentoo. This includes providing
+kernels with SELinux support, providing patches to userland utilities, writing
+strong Gentoo-specific default profiles, and maintaining a good default set of
+policies.
</p>
<p>
- One common misconception is that SELinux is a complete security solution,
- however, it is not. SELinux only provides one piece of a security
- solution. It can work well with other Hardened projects, such as PaX,
- for a more complete solution.
+<uri link="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced
+Linux</uri> (SELinux) is a Mandatory Access Control system using type
+enforcement and role-based access control. It is integrated within Linux as a
+<uri link="http://lsm.immunix.org/">Linux Security Module</uri> (LSM)
+implementation. In addition to the kernel portion, SELinux consists of a library
+(libselinux) and userland utilities for compiling policy (checkpolicy), and loading
+policy (policycoreutils), in addition to other user programs.
</p>
-</body></section>
-</extrachapter>
+<p>
+One common misconception is that SELinux is a complete security solution. It is
+not. SELinux only provides access control on system objects. It can work well
+with other Hardened projects, such as PaX, for a more complete solution.
+</p>
+</longdescription>
+
+<goals>
+<p>
+Our goal is to make SELinux (with Gentoo Hardened) available to more users.
+As a result, we
+</p>
+
+<ul>
+ <li>
+ develop, improve and maintain the proper documentation and learning
+ material for end users to master SELinux
+ </li>
+ <li>
+ maintain a stable yet progressive set of userland tools that are needed
+ to interoperate with SELinux on a Linux system (such as the core utilities,
+ libselinux and more)
+ </li>
+ <li>
+ focus on the integration of SELinux and SELinux-awareness within the Gentoo
+ distribution, offering the necessary feedback on Portage and other utilities
+ </li>
+ <li>
+ develop, improve and maintain a good and secure default policy, based on the
+ reference policy, so that end users have no difficulties working with and
+ enhancing SELinux within their environment
+ </li>
+</ul>
+</goals>
<dev role="lead" description="Policy, x86, AMD64">pebenito</dev>
-<dev role="Policy development, Proxy (non developer contributors)">blueness
-</dev>
+<dev role="Policy development, Proxy (non developer contributors)">blueness</dev>
-<extraproject name="Base Policy" lead="pebenito">
- SELinux policy for the core system, including users, administrators, and
- daemons in the system profile.
+<extraproject name="Policy" lead="pebenito">
+Develop and maintain a secure, default set of policies for the system, including
+user and role definitions, service policies and application policies.
</extraproject>
-<extraproject name="Daemon Policy" lead="pebenito">
- SELinux policies for common daemons.
+<extraproject name="Userland" lead="pebenito">
+Develop and maintain the packages for SELinux userland utilities and libraries,
+including SELinux-aware patches for more general applications and libraries.
</extraproject>
-<extraproject name="x86" lead="pebenito">
- Support for the x86 architecture.
+<extraproject name="Kernel" lead="pebenito">
+Integrate, improve and maintain SELinux patches in the Linux kernel for Gentoo
+Hardened.
</extraproject>
-<extraproject name="AMD64" lead="pebenito">
- Support for the AMD64 (x86-64) architecture.
+<extraproject name="Documentation" lead="pebenito">
+Develop and maintain SELinux documentation specific to the Gentoo distribution
</extraproject>
-<!-- There's a difference between "nice-to-have" and "planned"
-<plannedproject name="non-x86 Support">
- Profiles, installation guides, and support for non-x86 architectures.
-</plannedproject>
-<plannedproject name="Desktop">
- SELinux support on destktops. This involves enhancements to XFree's
- security, and accompanying policy.
-</plannedproject>
--->
+<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook (including installation)</resource>
+<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
<!--
-<resource link="http://selinux.dev.gentoo.org">SELinux Demonstration Machine</resource>
+ Roadmap
-->
-<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook</resource>
-<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
-
-<extrachapter position="devs">
-<title>Contributors</title>
+<extrachapter>
+<title>Roadmap</title>
<section>
<body>
<p>
-The following people although non-developer is actively contributing with the
-project:
+The following table depics the roadmap we have in mind for the Gentoo Hardened
+SELinux project:
</p>
+
<table>
-<tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr>
-<tr><ti>Chris Richards</ti><ti>gizmo</ti>
-<ti>Policy development, support</ti></tr>
-<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti>
-<ti>Documentation writing, policy development, support</ti></tr>
+<tr>
+ <th>Milestone</th>
+ <th>Progress</th>
+ <!--
+ Use <keyword>on track</keyword>
+ Use <comment>delayed</comment>
+ -->
+ <th>Description</th>
+ <th>ETA</th>
+</tr>
+<tr>
+ <ti>Userland stabilization</ti>
+ <ti><keyword>on track</keyword></ti>
+ <ti>
+ Stabilize the SELinux userland utilities currently available in ~arch.
+ These utilities (and libraries) are needed to cover recent SELinux policies
+ and improve user experience within Gentoo Hardened SELinux
+ </ti>
+ <ti>
+ 2011-05-24
+ </ti>
+</tr>
+<tr>
+ <ti>Policy stabilization</ti>
+ <ti><keyword>on track</keyword></ti>
+ <ti>
+ Stabilize the SELinux policies based on upstream 2.20101213. The current
+ stable policies are not compatible with the current Gentoo stable state
+ (such as openrc support, networking/wireless and more.)
+ </ti>
+ <ti>
+ 2011-06-07
+ </ti>
+</tr>
+<tr>
+ <ti>Profile stabilization</ti>
+ <ti><keyword>on track</keyword></ti>
+ <ti>
+ Stabilize the restructured Gentoo SELinux profiles. The existing profiles
+ have proved to be a bit more daunting to manage whereas the new profiles are
+ made to be flexible yet simple to maintain.
+ </ti>
+ <ti>
+ 2011-06-28
+ </ti>
+</tr>
</table>
</body>
</section>
</extrachapter>
-
-<extrachapter position="resources">
-<title>How Do I Use This?</title>
+<extrachapter position="devs">
+<title>Contributors</title>
<section>
<body>
+
<p>
- SELinux can be installed on a new system by following the above install guide.
+The following people, although non-developer, are actively contributing to the project:
</p>
+<table>
+<tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr>
+<tr><ti>Chris Richards</ti><ti>gizmo</ti><ti>Policy development, support</ti></tr>
+<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti><ti>Documentation writing, policy development, support</ti></tr>
+</table>
+
</body>
</section>
</extrachapter>
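Review bot: "depics" in "The following table depics the roadmap" should be "depicts", and "The following people, although non-developer, are actively contributing" should read "although not developers". The new Roadmap <extrachapter> has no position attribute while the Contributors chapter keeps position="devs"; check that the project page renders a chapter without one where intended. The roadmap's fixed ETA dates (2011-05-24, 2011-06-07, 2011-06-28) will go stale quickly on a project index page; a link to a separate roadmap page would be easier to keep current.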
@@ -120,51 +175,52 @@ project:
<section>
<body>
<p>
- To participate in the SELinux project first join the mailing list at
- <c>gentoo-hardened@gentoo.org</c>. Then ask if there are plans to support
- something that you are interested in, propose a new subproject that you are
- interested in or choose one of the planned subprojects to work on. You may talk
- to the developers and users in the IRC channel <c>#gentoo-hardened</c> on
- <c>irc.freenode.net</c> for more information or just to chat about the project
- or any subprojects. If you don't have the ability to actively help by
- contributing work we will always need testers to use and audit the SELinux
- policies. All development, testing, feedback, and productive comments will
- be greatly appreciated.
+To participate in the SELinux project first join the mailing list at
+<c>gentoo-hardened@gentoo.org</c>. Then ask if there are plans to support
+something that you are interested in, propose a new subproject that you are
+interested in or choose one of the planned subprojects to work on. You may talk
+to the developers and users in the IRC channel <c>#gentoo-hardened</c> on
+<c>irc.freenode.net</c> for more information or just to chat about the project
+or any subprojects. If you don't have the ability to actively help by
+contributing work we will always need testers to use and audit the SELinux
+policies. All development, testing, feedback, and productive comments will
+be greatly appreciated.
</p>
</body>
</section>
<section><title>Policy Submissions</title>
<body>
<p>
- The critical component of a SELinux system is having a strong policy. The
- team does its best to support as many daemons as possible. However, we cannot
- create policies for daemons with which we are unfamiliar. But we are happy
- to receive policy submissions for consideration. There are a few requirements:
+The critical component of a SELinux system is having a strong policy. The
+team does its best to support as many daemons as possible. However, we cannot
+create policies for daemons with which we are unfamiliar. But we are happy
+to receive policy submissions for consideration. There are a few requirements:
</p>
<ul>
-<li>
- Make comments (in the policy and/or bug), so we can understand changes
- from the NSA example policy.
-</li>
-<li>
- The policy should cover common installations. Please do not submit policies
- for odd or nonstandard daemon configurations.
-</li>
-<li>
- We need to know if the policy is dependent on another policy (for example
- rpcd is dependent on portmap) other than base-policy.
-</li>
-<li>
- An ebuild for the policy can also be submitted to help the developers
- integrate the policy into Portage more quickly, if it is accepted.
- See current daemon policies in Portage for example uses of the
- selinux-policy eclass.
-</li>
+ <li>
+ Make comments (in the policy and/or bug), so we can understand changes
+ from the Reference Policy example policy.
+ </li>
+ <li>
+ The policy should cover common installations. Please do not submit policies
+ for odd or nonstandard daemon configurations.
+ </li>
+ <li>
+ We need to know if the policy is dependent on another policy (for example
+ rpcd is dependent on portmap) other than base-policy.
+ </li>
+ <li>
+ An ebuild for the policy can also be submitted to help the developers
+ integrate the policy into Portage more quickly, if it is accepted.
+ See current daemon policies in Portage for example uses of the
+ selinux-policy eclass.
+ </li>
</ul>
<p>
- The policy should be submitted on <uri link="http://bugs.gentoo.org/">bugzilla</uri>.
- Please attach the .te and .fc files separately to the bug, not as a tarball.
- The bug should be assigned to <c>selinux@gentoo.org</c>.
+The policy should be submitted on <uri link="http://bugs.gentoo.org/">bugzilla</uri>.
+Please attach the .te and .fc files separately to the bug, not as a tarball.
+The bug should be Cc'ed to <c>selinux@gentoo.org</c> and will be properly
+reassigned by the team.
</p>
</body>
</section>
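Review bot: this hunk is almost entirely a re-indentation (the two-space leading indent removed from otherwise unchanged paragraphs and list items) with two real wording changes buried in it, "from the Reference Policy example policy" and the "Cc'ed to selinux@gentoo.org" sentence; whitespace-only changes are better committed separately so the content changes can be reviewed on their own. On the wording, "the Reference Policy example policy" is redundant; "from the upstream Reference Policy" reads better.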
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-24 19:56 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-24 19:56 UTC (permalink / raw
To: gentoo-commits
commit: a5d27529ffdc4aee884e9bb6e749512f9ee51ad9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 24 19:55:34 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 24 19:55:34 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a5d27529
Remove HAL mention
---
xml/selinux/hb-intro-enhancingsecurity.xml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/xml/selinux/hb-intro-enhancingsecurity.xml b/xml/selinux/hb-intro-enhancingsecurity.xml
index 105bc59..2eda75f 100644
--- a/xml/selinux/hb-intro-enhancingsecurity.xml
+++ b/xml/selinux/hb-intro-enhancingsecurity.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-enhancingsecurity.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>1</version>
-<date>2011-01-10</date>
+<version>2</version>
+<date>2011-05-25</date>
<section>
<title>Introduction</title>
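Review bot: the new <date>2011-05-25</date> is a day ahead of the commit's own date (Tue May 24 2011); use 2011-05-24 unless the handbook deliberately dates pages ahead.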
@@ -343,7 +343,7 @@ Next to the kernel support and labels assigned to the resources and support
within the authorization system, SELinux also requires particular tools to
support the SELinux features. Examples are administrative tools to view and
manipulate labels, privilege management tools (like <c>sudo</c>), system
-services (like HAL or SysVInit) etc. This is reflected in a set of patches
+services (like SysVInit) etc. This is reflected in a set of patches
against these (and more) tools which are not always part of the applications'
main source code.
</p>
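Review bot: with HAL removed, the parenthetical "(like SysVInit) etc." has a single example followed by "etc.", which reads oddly; either name a second service that carries SELinux patches or drop the "etc.".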
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-24 20:39 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-24 20:39 UTC (permalink / raw
To: gentoo-commits
commit: 84eaf2e4e2924e8076cc5ee7f99a78c7edc585ea
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 24 20:38:02 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 24 20:38:02 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=84eaf2e4
Move roadmap to dedicated document. Add links to roadmap and support matrices
---
xml/selinux/index.xml | 68 +-----------------------------------------------
1 files changed, 2 insertions(+), 66 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index 22f0192..1246627 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -87,72 +87,8 @@ Develop and maintain SELinux documentation specific to the Gentoo distribution
<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
<resource link="/proj/en/hardened/selinux-development.xml">Gentoo Hardened SELinux Development</resource>
<resource link="/proj/en/hardened/selinux-policy.xml">Gentoo Hardened SELinux Development Policy</resource>
-
-<!--
- Roadmap
--->
-<extrachapter>
-<title>Roadmap</title>
-<section>
-<body>
-
-<p>
-The following table depics the roadmap we have in mind for the Gentoo Hardened
-SELinux project:
-</p>
-
-<table>
-<tr>
- <th>Milestone</th>
- <th>Progress</th>
- <!--
- Use <keyword>on track</keyword>
- Use <comment>delayed</comment>
- -->
- <th>Description</th>
- <th>ETA</th>
-</tr>
-<tr>
- <ti>Userland stabilization</ti>
- <ti><keyword>on track</keyword></ti>
- <ti>
- Stabilize the SELinux userland utilities currently available in ~arch.
- These utilities (and libraries) are needed to cover recent SELinux policies
- and improve user experience within Gentoo Hardened SELinux
- </ti>
- <ti>
- 2011-05-24
- </ti>
-</tr>
-<tr>
- <ti>Policy stabilization</ti>
- <ti><keyword>on track</keyword></ti>
- <ti>
- Stabilize the SELinux policies based on upstream 2.20101213. The current
- stable policies are not compatible with the current Gentoo stable state
- (such as openrc support, networking/wireless and more.)
- </ti>
- <ti>
- 2011-06-07
- </ti>
-</tr>
-<tr>
- <ti>Profile stabilization</ti>
- <ti><keyword>on track</keyword></ti>
- <ti>
- Stabilize the restructured Gentoo SELinux profiles. The existing profiles
- have proved to be a bit more daunting to manage whereas the new profiles are
- made to be flexible yet simple to maintain.
- </ti>
- <ti>
- 2011-06-28
- </ti>
-</tr>
-</table>
-
-</body>
-</section>
-</extrachapter>
+<resource link="/proj/en/hardened/roadmap.xml">Gentoo Hardened Roadmap (incl. SELinux development)</resource>
+<resource link="/proj/en/hardened/support-state.xml">Gentoo Hardened Support Matrices (incl. SELinux)</resource>
<extrachapter position="devs">
<title>Contributors</title>
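Review bot: the two new resources point at /proj/en/hardened/roadmap.xml and /proj/en/hardened/support-state.xml, but this commit touches only xml/selinux/index.xml (1 files changed), so confirm both targets exist before publishing or the links will dangle. Removing the roadmap chapter also drops the three dated milestones; if the separate roadmap page does not carry them over, that information is lost.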
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-31 20:16 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-31 20:16 UTC (permalink / raw
To: gentoo-commits
commit: db12bdbebb0ecf60105ae6bf42871543dd6baaaa
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 31 20:10:46 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 31 20:10:46 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=db12bdbe
Tools and userland libraries have been stabilized
---
xml/selinux/hb-using-install.xml | 11 ++---------
1 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 5cf0b13..6b96109 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>6</version>
-<date>2011-05-14</date>
+<version>7</version>
+<date>2011-05-31</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -142,13 +142,6 @@ the following settings to the right file (for instance
</p>
<pre caption="SELinux ~arch packages">
-sys-libs/libselinux
-sys-apps/policycoreutils
-sys-libs/libsemanage
-sys-libs/libsepol
-app-admin/setools
-dev-python/sepolgen
-sys-apps/checkpolicy
sec-policy/*
=sys-process/vixie-cron-4.1-r11
</pre>
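Review bot: the seven userland entries are removed from the `<pre caption="SELinux ~arch packages">` block, but the caption and the introductory sentence ("the following settings to the right file") are unchanged; a reader who followed the earlier version still has those lines in package.keywords, so add a sentence saying the userland tools are now stable and the entries can be dropped. The remaining `sec-policy/*` wildcard keywords every current and future policy package; say so if that is intended.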
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-31 20:16 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-31 20:16 UTC (permalink / raw
To: gentoo-commits
commit: 52787589c4ca2f84f57c933566cf27936f0961e2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 31 20:16:07 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 31 20:16:07 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=52787589
Put more focus on the staff_u user, inform users that this is necessary to work with portage
---
xml/selinux/hb-using-commands.xml | 24 +++++++++++++++++++-----
1 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-commands.xml
index b9342f0..a0e8ea4 100644
--- a/xml/selinux/hb-using-commands.xml
+++ b/xml/selinux/hb-using-commands.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>2</version>
-<date>2011-04-22</date>
+<version>3</version>
+<date>2011-05-31</date>
<section>
<title>SELinux Information Commands</title>
@@ -295,16 +295,30 @@ system_u system_u
<p>
The default behavior is that users are logged on as the <e>user_u</e> SELinux
-user. If you want to allow another user (say <c>anna</c>) to log on as
-<c>staff_u</c>:
+user. This SELinux user is a non-administrator user: it has no specific
+privileges and should be used for every account that never requires elevated
+privileges (so no <c>su</c> or <c>sudo</c> rights for anything).
+</p>
+
+<p>
+The account you use to administer your system should be mapped to the
+<c>staff_u</c> SELinux user (or its own user with the appropriate roles). This
+can be accomplished as follows (example with the Unix account <e>anna</e>):
</p>
<pre caption="Letting 'anna' log on as 'staff_u'">
~# <i>semanage login -a -s staff_u anna</i>
</pre>
+<impo>
+Make sure that whatever account you use to administer your system is mapped to
+the <c>staff_u</c> user, or has the ability to switch to the <c>sysadm_r</c>
+role. Portage only works from within the <c>sysadm_r</c> role.
+</impo>
+
<p>
-SELinux users then can be configured to belong to one or more roles.
+As mentioned, SELinux users are configured to be able to join in on one or more
+roles. To list the available roles, you can use <c>semanage user -l</c>:
</p>
<pre caption="Listing login / role mappings">
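Review bot: the new sentence "To list the available roles, you can use semanage user -l" sits directly above `<pre caption="Listing login / role mappings">`; `semanage user -l` lists SELinux users and the roles they may take, while login mappings come from `semanage login -l`, so either the caption or the command is wrong here. Also "join in on one or more roles" should be "take on one or more roles", and the new <impo> largely repeats the paragraph above it; fold the Portage/sysadm_r sentence into that paragraph or trim the <impo> to just that sentence.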
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-05-31 20:22 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-05-31 20:22 UTC (permalink / raw
To: gentoo-commits
commit: 3a4ebaf5500fa027538edfa79390e2cce710435b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 31 20:22:00 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 31 20:22:00 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=3a4ebaf5
Add other SELinux Gentoo resources
---
xml/selinux/hb-appendix-reference.xml | 32 ++++++++++++++++++++++++++++++--
1 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-appendix-reference.xml b/xml/selinux/hb-appendix-reference.xml
index e0c0423..e3a965f 100644
--- a/xml/selinux/hb-appendix-reference.xml
+++ b/xml/selinux/hb-appendix-reference.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-appendix-reference.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>1.3</version>
-<date>2011-01-07</date>
+<version>2</version>
+<date>2011-05-31</date>
<section>
<title>Background</title>
@@ -78,4 +78,32 @@
</subsection>
</section>
+<section>
+<title>Gentoo Specific Resources</title>
+<subsection>
+<title>Gentoo Hardened</title>
+<body>
+
+<p>
+The following resources are specific towards Gentoo Hardened's SELinux
+implementation.
+</p>
+
+<ul>
+ <li>
+ <uri link="/proj/en/hardened/selinux-faq.xml">SELinux Frequently Asked
+ Questions</uri>
+ </li>
+ <li>
+ <uri link="/proj/en/hardened/selinux-development.xml">SELinux Development
+ Guidelines</uri>
+ </li>
+ <li>
+ <uri link="/proj/en/hardened/selinux-policy.xml">SELinux Policy</uri>
+ </li>
+</ul>
+
+</body>
+</subsection>
+</section>
</sections>
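Review bot: "specific towards Gentoo Hardened's SELinux implementation" should read "specific to", and the section title wants a hyphen ("Gentoo-Specific Resources"). The list names the FAQ, development guidelines and policy pages but not the handbook's own index resources; keep this appendix and the index.xml resource list in step so the two do not drift apart.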
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-02 11:03 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-06-02 11:03 UTC (permalink / raw
To: gentoo-commits
commit: cfebd3d5b895bfe05cfabefc4de4580b7e67ec25
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 2 11:02:23 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun 2 11:02:23 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=cfebd3d5
Bump date/version
---
xml/selinux/hb-intro-referencepolicy.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-intro-referencepolicy.xml b/xml/selinux/hb-intro-referencepolicy.xml
index 8502d99..2ace5fe 100644
--- a/xml/selinux/hb-intro-referencepolicy.xml
+++ b/xml/selinux/hb-intro-referencepolicy.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-referencepolicy.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>0</version>
-<date>2010-12-01</date>
+<version>1</version>
+<date>2011-06-02</date>
<section>
<title>About SELinux Policies</title>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-02 11:03 Sven Vermeulen
From: Sven Vermeulen @ 2011-06-02 11:03 UTC
To: gentoo-commits
commit: 5ea6418269ff868d5730dd69cdc2bad89646c2f6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 2 11:02:04 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun 2 11:02:04 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5ea64182
Update binary version information
---
xml/selinux/hb-intro-referencepolicy.xml | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-intro-referencepolicy.xml b/xml/selinux/hb-intro-referencepolicy.xml
index 59d29de..8502d99 100644
--- a/xml/selinux/hb-intro-referencepolicy.xml
+++ b/xml/selinux/hb-intro-referencepolicy.xml
@@ -242,7 +242,11 @@ following is an overview of the policy versions' history.
<dt>Version 23</dt>
<dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd>
<dt>Version 24</dt>
- <dd>Explicit hierarchy (type bounds) (2.6.28 - current)</dd>
+ <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd>
+ <dt>Version 25</dt>
+ <dd>Filename based transition support (2.6.39)</dd>
+ <dt>Version 26</dt>
+ <dd>Role transition support for non-process classes (3.0)</dd>
</dl>
</body>
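Review bot: the old version 24 entry was marked "(2.6.28 - current)", but the new last entry, version 26, is just "(3.0)", so the reader loses the cue that it is the latest policy version. Use "(3.0 - current)" to keep the convention, and double-check that the kernel ranges stay contiguous (24 ends at 2.6.38, 25 is 2.6.39, 26 starts at 3.0).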
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-02 11:55 Sven Vermeulen
From: Sven Vermeulen @ 2011-06-02 11:55 UTC
To: gentoo-commits
commit: aab31d17deaf254902e62a93d66bac29de72a1ce
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 2 11:54:09 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun 2 11:54:09 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=aab31d17
Add admin account during setup, people tend to forget this
---
xml/selinux/hb-using-install.xml | 48 ++++++++++++++++++++++++++++++++++----
1 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 6b96109..428ed10 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>7</version>
-<date>2011-05-31</date>
+<version>8</version>
+<date>2011-06-02</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -643,7 +643,7 @@ correctly. For instance, if you have installed
</body>
</subsection>
<subsection>
-<title>Reboot</title>
+<title>Reboot and Set SELinux Booleans</title>
<body>
<p>
@@ -655,9 +655,47 @@ hardened sources (as we recommended), enable the SSP SELinux boolean:
~# <i>setsebool -P global_ssp on</i>
</pre>
+</body>
+</subsection>
+<subsection>
+<title>Define the Administrator Accounts</title>
+<body>
+
+<p>
+Finally, we need to map the account(s) you use to manage your system (those
+that need access to Portage) to the <c>staff_u</c> SELinux user. By default,
+users are mapped to the <c>user_u</c> SELinux user who doesn't have the
+appropriate rights (nor access to the appropriate roles) to manage a system.
+Accounts that are mapped to <c>staff_u</c> can, but might need to switch roles
+from <c>staff_r</c> to <c>sysadm_r</c> before they are granted the appropriate
+privileges.
+</p>
+
+<p>
+Assuming that your account name is <e>john</e>:
+</p>
+
+<pre caption="Mapping the Linux account john to the SELinux user staff_u">
+~# <i>semanage login -a -s staff_u john</i>
+~# <i>restorecon -R -F /home/john</i>
+</pre>
+
+<p>
+If you later log on as <e>john</e> and want to manage your system, you will
+probably need to switch your role. You can use <c>newrole</c> for this:
+</p>
+
+<pre caption="Switching roles">
+~$ <i>id -Z</i>
+staff_u:staff_r:staff_t
+~$ <i>newrole -r sysadm_r</i>
+Password: <comment>(Enter your password)</comment>
+~$ <i>id -Z</i>
+staff_u:sysadm_r:sysadm_t
+</pre>
+
<p>
-With that done, enjoy - your first steps into the SELinux world are now
-made.
+With that done, enjoy - your first steps into the SELinux world are now made.
</p>
</body>
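Review bot: the `restorecon -R -F /home/john` line is given without explanation; add a sentence saying that files john created before the mapping still carry the old SELinux user in their context and that `-F` forces the full context, SELinux user included, to be reset from the file context database. The `semanage login` mapping only takes effect for new logins, so the `id -Z` output showing `staff_u:staff_r:staff_t` assumes john logged in again after the mapping; saying so avoids confusion when an already-open session still reports `user_u`.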
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-02 11:57 Sven Vermeulen
From: Sven Vermeulen @ 2011-06-02 11:57 UTC
To: gentoo-commits
commit: b64031b733444dd16161195b3112a551b15ab06e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 2 11:56:28 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun 2 11:56:28 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=b64031b7
Using semanage is not only to stay persistent across reboots, but also relabelling activities
---
xml/selinux/hb-using-permissive.xml | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
index ee50590..307364e 100644
--- a/xml/selinux/hb-using-permissive.xml
+++ b/xml/selinux/hb-using-permissive.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-permissive.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>4</version>
-<date>2011-04-22</date>
+<version>5</version>
+<date>2011-06-02</date>
<section>
<title>Keeping Track of Denials</title>
@@ -326,7 +326,8 @@ accordingly. For instance, say you have your <path>lvm.conf</path> file inside
<path>/etc</path> rather than <path>/etc/lvm</path> as the policy would expect,
then you can still label the file correctly using <c>semanage</c>. With
<c>semanage</c>, you assign a correct security context unrelated to any
-module. It is a local setting - but which is persistent across reboots.
+module. It is a local setting - but which is persistent across reboots and
+relabelling activities.
</p>
<pre caption="Setting a new file context using semanage">
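Review bot: "It is a local setting - but which is persistent across reboots and relabelling activities." is ungrammatical; "It is a local setting, but one that persists across reboots and relabelling operations." reads better and keeps the point that the `semanage` entry survives a relabel.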
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-02 19:50 Sven Vermeulen
From: Sven Vermeulen @ 2011-06-02 19:50 UTC
To: gentoo-commits
commit: 674025986f7861c37b860dd144df4e68a165e904
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 2 19:49:27 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun 2 19:49:27 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=67402598
Policies are stable as well now
---
xml/selinux/hb-using-install.xml | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 428ed10..41112d5 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,7 +7,7 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>8</version>
+<version>9</version>
<date>2011-06-02</date>
<section>
@@ -142,7 +142,6 @@ the following settings to the right file (for instance
</p>
<pre caption="SELinux ~arch packages">
-sec-policy/*
=sys-process/vixie-cron-4.1-r11
</pre>
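Review bot: with `sec-policy/*` gone, the `<pre caption="SELinux ~arch packages">` block lists a single package, so re-read the introducing sentence (the hunk context shows "the following settings") and the caption to be sure they still describe one keyword entry rather than several; if vixie-cron is the only remaining ~arch package, a few words on why it still needs the keyword would help.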
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-07 19:26 Sven Vermeulen
From: Sven Vermeulen @ 2011-06-07 19:26 UTC
To: gentoo-commits
commit: df03794300a127c1810ebe51971cd032bd2f7aa7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 7 19:25:49 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jun 7 19:25:49 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=df037943
Remove reference to overlay as it is not needed with recent stabilization anymore
---
xml/selinux/hb-using-install.xml | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 41112d5..b4fc8b0 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>9</version>
-<date>2011-06-02</date>
+<version>10</version>
+<date>2011-06-07</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -56,6 +56,7 @@ system is 512 byte. Since the default is 256, you will need to run the
</body>
</subsection>
+<!--
<subsection>
<title>Installing the Hardened Development Overlay</title>
<body>
@@ -88,6 +89,7 @@ Make sure to include layman's <path>make.conf</path> in your
</body>
</subsection>
+-->
<subsection>
<title>Switching to Python 2</title>
<body>
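Review bot: hiding the whole "Installing the Hardened Development Overlay" subsection inside `<!-- ... -->` is fragile: XML does not allow the sequence `--` inside a comment, so any existing comment or double hyphen in the hidden block will make the document fail to parse, and future edits inside the block are silently invisible. Since the commit message says the overlay is no longer needed, deleting the subsection (it stays in git history) is cleaner; if it must stay, add a short comment at the top of the block explaining why it is disabled.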
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-07 19:38 Sven Vermeulen
From: Sven Vermeulen @ 2011-06-07 19:38 UTC
To: gentoo-commits
commit: 6427aa231d6f4b29d036c6c445dafd7ba93575ed
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 7 19:37:40 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jun 7 19:37:40 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6427aa23
Update on profiles
---
xml/selinux/hb-using-install.xml | 39 ++++++++++++++++++++++---------------
1 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index b4fc8b0..05f3006 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -42,7 +42,8 @@ this chapter.
<p>
Install Gentoo Linux according to the <uri link="/doc/en/handbook">Gentoo
Handbook</uri> installation instructions. We recommend the use of the hardened
-stage 3 tarballs instead of the standard ones. Perform a full installation to
+stage 3 tarballs instead of the standard ones, but standard stage
+installations are also supported for SELinux. Perform a full installation to
the point that you have booted your system into a (primitive) Gentoo base
installation.
</p>
@@ -156,7 +157,9 @@ the following settings to the right file (for instance
<p>
Now that you have a running Gentoo Linux installation, switch the Gentoo profile
to the right SELinux hardened profile (for instance,
-<path>selinux/v2refpolicy/amd64/hardened</path>).
+<path>hardened/linux/amd64/no-multilib/selinux</path>). Note that the older
+profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>) are still
+supported though.
</p>
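Review bot: "Note that the older profiles (...) are still supported though." doubles up "Note that" and "though"; drop "though".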
<pre caption="Switching the Gentoo profile">
@@ -168,18 +171,20 @@ Available profile symlink targets:
[4] default/linux/amd64/10.0/desktop/kde
[5] default/linux/amd64/10.0/developer
[6] default/linux/amd64/10.0/no-multilib
- [7] default/linux/amd64/10.0/server *
+ [7] default/linux/amd64/10.0/server
[8] hardened/linux/amd64
- [9] hardened/linux/amd64/no-multilib
- [10] selinux/2007.0/amd64
- [11] selinux/2007.0/amd64/hardened
- [12] selinux/v2refpolicy/amd64
- [13] selinux/v2refpolicy/amd64/desktop
- [14] selinux/v2refpolicy/amd64/developer
- [15] selinux/v2refpolicy/amd64/hardened
- [16] selinux/v2refpolicy/amd64/server
-
-~# <i>eselect profile set 15</i>
+ [9] hardened/linux/amd64/selinux
+ [10] hardened/linux/amd64/no-multilib *
+ [11] hardened/linux/amd64/no-multilib/selinux
+ [12] selinux/2007.0/amd64
+ [13] selinux/2007.0/amd64/hardened
+ [14] selinux/v2refpolicy/amd64
+ [15] selinux/v2refpolicy/amd64/desktop
+ [16] selinux/v2refpolicy/amd64/developer
+ [17] selinux/v2refpolicy/amd64/hardened
+ [18] selinux/v2refpolicy/amd64/server
+
+~# <i>eselect profile set 11</i>
</pre>
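Review bot: `eselect profile set 11` hard-codes an index that is only valid for this exact listing; the numbers shift whenever a profile is added (this very hunk renumbers everything after [8]), and the list is amd64-specific. Tell readers to pick the number next to the `hardened/.../selinux` entry shown on their own system rather than copying 11.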
<note>
@@ -202,9 +207,11 @@ particular order which Portage isn't aware of in the next couple of sections.
<body>
<p>
-Edit your <path>/etc/make.conf</path> file and set
-<c>FEATURES="-loadpolicy"</c>. The current SELinux profile enables the
-loadpolicy feature, but this isn't supported anymore so can be safely ignored.
+Edit your <path>/etc/make.conf</path> file. If you ues the older SELinux
+profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>), set
+<c>FEATURES="-loadpolicy"</c>. These SELinux profiles enable the
+loadpolicy feature, but this isn't supported anymore so can be safely ignored.
+More recent profiles do not set this anymore.
</p>
<p>
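Review bot: typo "ues" for "use" in the new first sentence. The paragraph also tells readers to set `FEATURES="-loadpolicy"` and then says the feature "can be safely ignored"; state plainly whether disabling it is required for the older profiles or merely optional, so the two sentences do not read as contradictory.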
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-09 17:24 Sven Vermeulen
From: Sven Vermeulen @ 2011-06-09 17:24 UTC
To: gentoo-commits
commit: c36a8d3f94e6d93ad1e2fb71d067cb709e6ff63f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 9 17:23:05 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun 9 17:23:05 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c36a8d3f
Documents are not pushed to cvs yet
---
xml/selinux/hb-appendix-reference.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-appendix-reference.xml b/xml/selinux/hb-appendix-reference.xml
index e3a965f..dd07d0d 100644
--- a/xml/selinux/hb-appendix-reference.xml
+++ b/xml/selinux/hb-appendix-reference.xml
@@ -94,6 +94,7 @@ implementation.
<uri link="/proj/en/hardened/selinux-faq.xml">SELinux Frequently Asked
Questions</uri>
</li>
+ <!--
<li>
<uri link="/proj/en/hardened/selinux-development.xml">SELinux Development
Guidelines</uri>
@@ -101,6 +102,7 @@ implementation.
<li>
<uri link="/proj/en/hardened/selinux-policy.xml">SELinux Policy</uri>
</li>
+ -->
</ul>
</body>
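Review bot: the `<!--`/`-->` pair now hides two of the three list items, leaving a one-entry `<ul>` under "The following resources are ..."; since the commit message says the documents are simply not pushed to CVS yet, put a one-line note inside the comment block (for instance "not yet published") so the reason is visible to the next editor, and keep any `--` out of the hidden items, as XML forbids it inside comments.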
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-09 17:40 Francisco Blas Izquierdo Riera
From: Francisco Blas Izquierdo Riera @ 2011-06-09 17:40 UTC
To: gentoo-commits
commit: 4ae0f631670fad24b58ed1c748384ed617b8eee4
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Thu Jun 9 17:40:36 2011 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Thu Jun 9 17:40:36 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4ae0f631
Updating doc headers to ease diffing
---
xml/selinux/hb-appendix-reference.xml | 2 +-
xml/selinux/hb-intro-concepts.xml | 2 +-
xml/selinux/hb-intro-enhancingsecurity.xml | 2 +-
xml/selinux/hb-intro-referencepolicy.xml | 2 +-
xml/selinux/hb-using-commands.xml | 2 +-
xml/selinux/hb-using-install.xml | 2 +-
xml/selinux/hb-using-permissive.xml | 2 +-
xml/selinux/hb-using-policymodules.xml | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/xml/selinux/hb-appendix-reference.xml b/xml/selinux/hb-appendix-reference.xml
index dd07d0d..488d72b 100644
--- a/xml/selinux/hb-appendix-reference.xml
+++ b/xml/selinux/hb-appendix-reference.xml
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-appendix-reference.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-appendix-reference.xml,v 1.4 2011/06/09 17:37:45 klondike Exp $ -->
<sections>
<version>2</version>
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index 1252d95..b3b4f53 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
<version>4</version>
diff --git a/xml/selinux/hb-intro-enhancingsecurity.xml b/xml/selinux/hb-intro-enhancingsecurity.xml
index 2eda75f..8a126c1 100644
--- a/xml/selinux/hb-intro-enhancingsecurity.xml
+++ b/xml/selinux/hb-intro-enhancingsecurity.xml
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-enhancingsecurity.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-enhancingsecurity.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
<version>2</version>
diff --git a/xml/selinux/hb-intro-referencepolicy.xml b/xml/selinux/hb-intro-referencepolicy.xml
index 2ace5fe..566dc00 100644
--- a/xml/selinux/hb-intro-referencepolicy.xml
+++ b/xml/selinux/hb-intro-referencepolicy.xml
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-referencepolicy.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-referencepolicy.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
<version>1</version>
diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-commands.xml
index a0e8ea4..d22bb3c 100644
--- a/xml/selinux/hb-using-commands.xml
+++ b/xml/selinux/hb-using-commands.xml
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
<version>3</version>
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 05f3006..b452fd3 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
<version>10</version>
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
index 307364e..a589502 100644
--- a/xml/selinux/hb-using-permissive.xml
+++ b/xml/selinux/hb-using-permissive.xml
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-permissive.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-permissive.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
<version>5</version>
diff --git a/xml/selinux/hb-using-policymodules.xml b/xml/selinux/hb-using-policymodules.xml
index cd773c9..3032bcb 100644
--- a/xml/selinux/hb-using-policymodules.xml
+++ b/xml/selinux/hb-using-policymodules.xml
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policymodules.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policymodules.xml,v 1.5 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
<version>1</version>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-09 17:49 Sven Vermeulen
From: Sven Vermeulen @ 2011-06-09 17:49 UTC
To: gentoo-commits
commit: f139eb9ea8e4d03fd0a9ebb2a67f2b82fe072310
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 9 17:47:37 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun 9 17:47:37 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=f139eb9e
remove unpushed links
---
xml/selinux/index.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index 1246627..a153530 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -85,8 +85,10 @@ Develop and maintain SELinux documentation specific to the Gentoo distribution
<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook (including installation)</resource>
<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
+<!--
<resource link="/proj/en/hardened/selinux-development.xml">Gentoo Hardened SELinux Development</resource>
<resource link="/proj/en/hardened/selinux-policy.xml">Gentoo Hardened SELinux Development Policy</resource>
+-->
<resource link="/proj/en/hardened/roadmap.xml">Gentoo Hardened Roadmap (incl. SELinux development)</resource>
<resource link="/proj/en/hardened/support-state.xml">Gentoo Hardened Support Matrices (incl. SELinux)</resource>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-06-09 18:54 José María Alonso
From: José María Alonso @ 2011-06-09 18:54 UTC
To: gentoo-commits
commit: c287b8ec6e4086303cf2a7123b6a4e47385a874c
Author: José María Alonso <nimiux <AT> gentoo <DOT> org>
AuthorDate: Thu Jun 9 18:54:37 2011 +0000
Commit: José María Alonso <nimiux <AT> gentoo <DOT> org>
CommitDate: Thu Jun 9 18:54:37 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c287b8ec
Fixed small typo, no version bump
---
xml/selinux/hb-using-install.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index b452fd3..56f11e5 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -207,7 +207,7 @@ particular order which Portage isn't aware of in the next couple of sections.
<body>
<p>
-Edit your <path>/etc/make.conf</path> file. If you ues the older SELinux
+Edit your <path>/etc/make.conf</path> file. If you use the older SELinux
profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>), set
<c>FEATURES="-loadpolicy"</c>. These SELinux profiles enable the
loadpolicy feature, but this isn't supported anymore so can be safely ignored.
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-07-09 18:56 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-09 18:56 UTC
To: gentoo-commits
commit: 9a8ada766ea873a6030534f21ccd22b2c70fffc3
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 9 18:54:04 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jul 9 18:54:04 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9a8ada76
Introduce how to query for booleans (and their result)
---
xml/selinux/hb-using-commands.xml | 29 +++++++++++++++++++++++++++--
1 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-commands.xml
index d22bb3c..a76e97f 100644
--- a/xml/selinux/hb-using-commands.xml
+++ b/xml/selinux/hb-using-commands.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>3</version>
-<date>2011-05-31</date>
+<version>4</version>
+<date>2011-07-09</date>
<section>
<title>SELinux Information Commands</title>
@@ -177,6 +177,31 @@ rules: for each domain that has file_type set, the search tries to find rules
that allow file-write access to that particular domain.
</p>
+<p>
+Another interesting functionality of the <c>sesearch</c> command is to show you
+the rules that are applicable depending on the state of a boolean. If you want
+to query on a particular boolean, use <c>-b</c>. If you want to see the logic
+that the policy uses, use <c>-C</c> (and yes, both can be combined).
+</p>
+
+<p>
+As an example, we'll check what we allow (or deny) when the <c>global_ssp</c>
+boolean is set:
+</p>
+
+<pre caption="Checking the policy regarding the global_ssp boolean">
+~# <i>sesearch -b global_ssp -A -C -d</i>
+Found 2 semantic av rules:
+ET allow domain device_t : dir { getattr search open } ; [ global_ssp ]
+ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]
+</pre>
+
+<p>
+Of this prefix you see (which can be ET, DT, EF or DF) the second letter is
+important as it tells you when the rule will be enabled. If the boolean needs to
+be on (true) then it is <c>T</c>. Otherwise, you'll see <c>F</c>.
+</p>
+
</body>
</subsection>
<subsection>
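Review bot: the last paragraph says only the second letter of the ET/DT/EF/DF prefix matters; the first letter (E/D) is equally useful, as it tells the reader whether the rule is currently enabled or disabled given the boolean's present value in the loaded policy, which is exactly what someone checking a live system wants to know. Also, `-A` and `-d` appear in the example command but are not introduced in the text, while `-b` and `-C` are; a short parenthetical for each keeps the example self-explanatory.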
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-07-13 21:39 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-13 21:39 UTC
To: gentoo-commits
commit: ec1ec4a7af2ee401159659297da8398b4babf788
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 13 16:53:10 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 13 16:53:10 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ec1ec4a7
Update information on sesearch DF/DT/EF/ET flags
---
xml/selinux/hb-using-commands.xml | 17 ++++++++++++-----
1 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-commands.xml
index a76e97f..d0a1cb3 100644
--- a/xml/selinux/hb-using-commands.xml
+++ b/xml/selinux/hb-using-commands.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>4</version>
-<date>2011-07-09</date>
+<version>5</version>
+<date>2011-07-13</date>
<section>
<title>SELinux Information Commands</title>
@@ -197,11 +197,18 @@ ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [
</pre>
<p>
-Of this prefix you see (which can be ET, DT, EF or DF) the second letter is
-important as it tells you when the rule will be enabled. If the boolean needs to
-be on (true) then it is <c>T</c>. Otherwise, you'll see <c>F</c>.
+The prefix you see shows two letters, relating to two important definitions:
</p>
+<ul>
+ <li>
+ Is the rule currently <b>E</b>nabled or <b>D</b>isabled?
+ </li>
+ <li>
+ Does the boolean need to be set to <b>T</b>rue or <b>F</b>alse to enable the rule?
+ </li>
+</ul>
+
</body>
</subsection>
<subsection>
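Review bot: "relating to two important definitions" is vague; saying that the first letter reports whether the rule is currently enabled (given the boolean's current value) and the second which boolean value enables it makes the list self-contained. Minor: the two `<li>` entries are phrased as questions while the surrounding handbook uses statements.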
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-07-21 19:11 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-21 19:11 UTC
To: gentoo-commits
commit: 30416e1315834deb27af204391f2edb179097fe4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 21 19:11:06 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 21 19:11:06 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=30416e13
Update documentation with first blurbs on MCS and MLS
---
xml/selinux/hb-intro-concepts.xml | 138 +++++++++++++++++++++++++++++++++++--
xml/selinux/hb-using-install.xml | 43 ++++++++----
2 files changed, 159 insertions(+), 22 deletions(-)
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index b3b4f53..19ea064 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>4</version>
-<date>2011-05-03</date>
+<version>5</version>
+<date>2011-07-21</date>
<section>
<title>Introduction</title>
@@ -36,11 +36,58 @@ important) and will be discussed further in this document.
</body>
</subsection>
+<subsection>
+<title>SELinux Policies</title>
+<body>
+
+<p>
+Within Gentoo (and other distributions as well), SELinux is supported through
+several policy levels. These are, in climbing order of complexity (meaning they
+can offer more security, but are harder to manage):
+</p>
+
+<ol>
+ <li>
+ <b>targeted</b> is a policy where network-facing services (daemons) are
+ confined (the processes can only execute those actions that are defined
+ in the policy), but other applications are running what is called
+ <e>unconfined</e>, meaning that there are little to no restrictions for
+ those processes.
+ </li>
+ <li>
+ <b>strict</b> is a policy where all processes are confined. There are no
+ unconfined domains. In other distributions, this is still considered the
+ <e>targeted</e> policy but without the unconfined domain definition.
+ </li>
+ <li>
+ <b>multi-category security</b> is a policy where the (confined) domains can
+ be categorized (split up), allowing for multiple processes running in
+ different instances of a confined domain
+ </li>
+ <li>
+ <b>multi-level security</b> is a policy where rules exist regarding the
+ sensitivity of domains and resources. This allows for a "proper"
+ information flow policy (make sure that sensitive data isn't leaked
+ to less privileged domains). Conceptually, one can understand this best
+ if one considers sensitivity levels of Public, Internal, Confidential,
+ Strictly Confidential, etc.
+ </li>
+</ol>
+
+<p>
+When using Gentoo Hardened, all these policies are available. However,
+development focuses mainly on <e>strict</e> and <e>mcs</e>. The
+<e>targeted</e> policy is assumed to work if strict works whereas we know
+that the <e>mls</e> policy is currently not fit yet for production use.
+</p>
+
+</body>
+</subsection>
</section>
<section>
<title>Security Contexts</title>
<subsection>
-<title>Users, Roles and Domains</title>
+<title>Users, Roles, Domains, Sensitivities and Categories</title>
<body>
<p>
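Review bot: the third list item (multi-category security, ending in "different instances of a confined domain") lacks the terminating period the other three items have, and the closing paragraph refers to the policies as <e>strict</e>, <e>mcs</e>, <e>targeted</e> and <e>mls</e> while the list only introduces "multi-category security" and "multi-level security", leaving the reader to infer that mcs and mls are those two. Suggest adding the period and the short names in the list, e.g. "<b>multi-category security</b> (<e>mcs</e>) is a policy where ..." and likewise for mls.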
@@ -54,7 +101,8 @@ in the spirit of lowest privilege - has little permissions to perform any action
</p>
<p>
-Within SELinux, such a security context is displayed using three definitions:
+Within SELinux, such a security context is displayed using three to five
+definitions, depending on the type of policy you are running:
</p>
<dl>
@@ -72,6 +120,19 @@ Within SELinux, such a security context is displayed using three definitions:
This is the type assigned to the resource and is the key to SELinux'
enforcement rules
</dd>
+ <dt>sensitivity</dt>
+ <dd>
+ This is a level given to a resource informing the system about the
+ sensitivity of this resource. A sensitivity is something akin to
+ Public, Internal, Restricted, Confidential, Strictly Confidential, ...
+ Sensitivity levels are only supported in MLS policies.
+ </dd>
+ <dt>category</dt>
+ <dd>
+ This is a specific instantiation of a resource. It allows segregation of
+ resources even if they are of the same type. More about categories later -
+ categories are supported in MLS and MCS policies.
+ </dd>
</dl>
<p>
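Review bot: the sensitivity entry states "Sensitivity levels are only supported in MLS policies", which contradicts the MCS example added later in this same patch, where the context carries s0 and the text calls it the only available sensitivity in MCS. Suggest "MCS policies know a single sensitivity (s0); multiple sensitivity levels are only supported in MLS policies." The category entry's "This is a specific instantiation of a resource" is also hard to parse; something like "This is a category (or set of categories) assigned to a resource, allowing segregation of resources even if they are of the same type" says what the field holds.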
@@ -93,7 +154,22 @@ staff_u:staff_r:staff_t
In this case, the user is identified as the SELinux user <e>staff_u</e>,
currently in the <e>staff_r</e> role and assigned to the <e>staff_t</e>
type. The actions the user is allowed to do are based upon this security
-context.
+context. Also, you notice that only three identifiers are shown. This is
+because the example is taken on a <e>strict</e> (or <e>targeted</e>) policy
+system. The next example gives the same result, but on an <e>MCS</e> policy
+system.
+</p>
+
+<pre caption="Getting the security context of a logged on user on an MCS policy system">
+~$ <i>id -Z</i>
+staff_u:staff_r:staff_t:s0-s0:c0.c1023
+</pre>
+
+<p>
+Here, the user is running with sensitivity level of s0 (which, in an MCS policy
+system, is the only available sensitivity) and with a category set of c0 up to
+and including c1023. However, note that in an MCS policy system categories are
+optional, so you might just see an output of <e>staff_u:staff_r:staff_t:s0</e>.
</p>
</body>
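Review bot: "The next example gives the same result, but on an <e>MCS</e> policy system" is misleading since the point of the example is that the output differs; suggest "The next example runs the same command on an <e>MCS</e> policy system." In the explanatory paragraph, "running with sensitivity level of s0" needs an article ("with a sensitivity level of s0"), and it would help to say explicitly that the dot in c0.c1023 denotes a range, since the reader has not seen that notation before.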
@@ -542,9 +618,57 @@ have previously explained, it would lead to an unmanageable collection of types
and permissions. The MLS implementation simplifies this.
</p>
+</body>
+</subsection>
+<subsection>
+<title>Multi-Level Security</title>
+<body>
+
+<p>
+The most flexible - but also most challenging to manage - method offered by
+SELinux is MLS, or <e>Multi-Level Security</e>. When using this policy type,
+security administrators can assign sensitivity labels to resources and define
+which domains (and which sensitivity levels) are able to read/write to which
+level. A level is always given as a range, showing the lowest and highest level
+that a particular domain is running in.
+</p>
+
+<p>
+Next to the sensitivity level, MLS supports categories on a per-level basis.
+These categories allow the security administrator to make different, possibly
+independent "containers" for sensitive resources. To give an example, the
+administrator can support the levels Public up to Strictly Confidential, and
+categories of "Finance", "Risk Analysis", "Acquisitions", "IT Systems", ...
+</p>
+
+<p>
+With such categories, one can then allow one role to have access to all
+sensitivity levels for a particular category (say "IT Systems") but still only
+have access to the Public and Internal documents of all other categories.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Multi-Category Security</title>
+<body>
+
+<p>
+The MCS or <e>Multi-Category Security</e> policy is a subset of the MLS policy.
+It supports the various categories, but without using the multiple security
+levels for the resources.
+</p>
+
<p>
-At this moment, the Gentoo Hardened SELinux handbook does not cover MLS/MCS, but
-this might (and probably will) change in the future.
+The use of MCS has become popular because it is far less difficult to manage
+while still retaining some of the flexibilities offered by the MLS policy.
+Where MLS is more chosen for business purposes (and as such has some influence
+on the organization of the business), MCS is often used for <e>multitenancy</e>
+architectures. In a multi-tenant architecture, systems are running processes for
+various clients simultaneously. Categorisation allows for separation of
+privileges across these processes without introducing multiple domains (which
+would require the development of new policies for each new client that a system
+wants to serve).
</p>
</body>
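Review bot: spelling is inconsistent within this patch between "categorized" (policy list) and "Categorisation" (new MCS paragraph); pick one form. "Where MLS is more chosen for business purposes" reads awkwardly, suggest "Where MLS is more often chosen for business purposes". The MCS paragraph also says categories allow separation "without introducing multiple domains (which would require the development of new policies for each new client ...)"; that is the key advantage and deserves to come first in the paragraph rather than as a parenthesis at the end.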
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 56f11e5..6d493e1 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>10</version>
-<date>2011-06-07</date>
+<version>11</version>
+<date>2011-07-21</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -128,7 +128,11 @@ To configure the <path>/tmp</path> mount, edit your <path>/etc/fstab</path>:
</p>
<pre caption="Update /etc/fstab for /tmp">
+<comment># For a "targeted" or "strict" policy type:</comment>
tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t</i> 0 0
+
+<comment># For an "mls" or "mcs" policy type:</comment>
+tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t:s0</i> 0 0
</pre>
</body>
@@ -207,14 +211,6 @@ particular order which Portage isn't aware of in the next couple of sections.
<body>
<p>
-Edit your <path>/etc/make.conf</path> file. If you use the older SELinux
-profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>), set
-<c>FEATURES="-loadpolicy"</c>. These SELinux profiles enable the
-loadpolicy feature, but this isn't supported anymore so can be safely ignored.
-More recent profiles do not set this anymore.
-</p>
-
-<p>
Next, take a look at the following USE flags and decide if you want to enable
or disable them.
</p>
@@ -525,9 +521,12 @@ configured at boot time.
# disabled - No SELinux policy is loaded.
SELINUX=<i>permissive</i>
-# SELINUXTYPE can take one of these two values:
+# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
-# strict - Full SELinux protection.
+# strict - Full SELinux protection.
+# mls - Full SELinux protection with Multi-Level Security
+# mcs - Full SELinux protection with Multi-Category Security
+# (mls, but only one sensitivity level)
SELINUXTYPE=<i>strict</i>
</pre>
@@ -557,9 +556,10 @@ Within this configuration file, two variables can be set:
</ul>
</li>
<li>
- <c>SELINUXTYPE</c> selects if an "unconfined" domain will be loaded or not.
+ <c>SELINUXTYPE</c> selects the SELinux policy type to load.
Gentoo Hardened recommends the use of <c>strict</c> for servers, and
- <c>targeted</c> for desktops.
+ <c>targeted</c> for desktops. The <c>mcs</c> type is supported, <c>mls</c>
+ is currently still considered experimental.
</li>
</ul>
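Review bot: "The <c>mcs</c> type is supported, <c>mls</c> is currently still considered experimental." is a comma splice; suggest "The <c>mcs</c> type is supported, while <c>mls</c> is currently still considered experimental." This list item now recommends strict for servers and targeted for desktops but gives no guidance on when mcs applies, although the paragraph added further down in this patch does (multi-tenant systems); a short phrase here, e.g. "and <c>mcs</c> for multi-tenant systems", would keep the list self-contained.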
@@ -577,7 +577,20 @@ every application "out there".
</p>
<p>
-When you have made your choice between <c>strict</c> and <c>targeted</c>, save
+Next to <c>targeted</c> and <c>strict</c>, you can opt for <c>mcs</c> to allow
+categorization of the process domains. This is useful on multi-tenant systems
+such as web servers, virtualization hosts, ... where multiple processes will be
+running, most of them in the same security domain, but in different categories.
+</p>
+
+<p>
+Finally, you can also select <c>mls</c> to differentiate security domains on
+a sensitivity level. However, MLS is currently still considered experimental
+in Gentoo Hardened and as such not recommended.
+</p>
+
+<p>
+When you have made your choice between the SELinux policy types, save
this in your <path>/etc/make.conf</path> file as well. That way, Portage will
only install the policy modules for that SELinux type rather than both.
</p>
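Review bot: the unchanged context line "only install the policy modules for that SELinux type rather than both." no longer makes sense now that the preceding paragraphs present four policy types (targeted, strict, mcs, mls); drop "rather than both". In the new mcs paragraph, "such as web servers, virtualization hosts, ... where multiple processes" would read better as "such as web servers or virtualization hosts, where multiple processes".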
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-07-22 16:03 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-22 16:03 UTC
To: gentoo-commits
commit: 210e1a5d6a2449cf779802f976fd2c5acde3c8ed
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Jul 22 16:03:32 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Jul 22 16:03:32 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=210e1a5d
Add reference to bug 373381 for the time being
---
xml/selinux/hb-using-install.xml | 15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 6d493e1..d620b05 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>11</version>
-<date>2011-07-21</date>
+<version>12</version>
+<date>2011-07-22</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -393,13 +393,20 @@ Build and install the new Linux kernel and its modules.
<body>
<p>
-Next, edit <path>/etc/fstab</path> and add the following line:
+Next, edit <path>/etc/fstab</path> and add the following two lines:
</p>
-<pre caption="Enabling selinux file system">
+<pre caption="Enabling selinux-specific file system options">
+<comment># The udev mount is due to bug #373381</comment>
+udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
none /selinux selinuxfs defaults 0 0
</pre>
+<note>
+In case of an MLS/MCS policy, you need to have the context with sensitivity
+level, so <c>...:device_t:s0</c>.
+</note>
+
<p>
Make the <path>/selinux</path> mountpoint as well:
</p>
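Review bot: the new udev line looks like it was pasted from /proc/mounts: "seclabel" and "relatime" are options the kernel reports for a mounted filesystem, not settings a reader needs to put in <path>/etc/fstab</path>, and carrying them in a handbook example invites questions. Suggest trimming the line to the options that matter (rootcontext=system_u:object_r:device_t, nosuid, size=10m, mode=755) and giving the bug a <uri> link on bugs.gentoo.org rather than only "bug #373381" in a <comment>, so readers can check whether the workaround is still required. The <note> about appending :s0 for MLS/MCS is consistent with the /tmp example in the earlier commit.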
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-08-12 21:00 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-12 21:00 UTC
To: gentoo-commits
commit: cdf3815010bbf98617d32136fc8fbc638db335ac
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 12 20:57:03 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 12 20:57:03 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=cdf38150
Update roles
---
xml/selinux/index.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index a153530..247963c 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -66,6 +66,7 @@ As a result, we
<dev role="lead" description="Policy, x86, AMD64">pebenito</dev>
<dev role="Policy development, Proxy (non developer contributors)">blueness</dev>
+<dev role="Documentation, Userspace tools, Policy development">SwifT</dev>
<extraproject name="Policy" lead="pebenito">
Develop and maintain a secure, default set of policies for the system, including
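Review bot: the new <dev> entry for SwifT copies the existing blueness line in putting the description text into the role attribute, whereas the lead entry above uses role="lead" with a separate description attribute. Suggest role="developer" description="Documentation, Userspace tools, Policy development" (and the same fix for blueness) so all three entries use the attributes the same way.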
@@ -103,7 +104,6 @@ The following people, although non-developer, are actively contributing to the p
<table>
<tr><th>Contributor</th><th>Nickname</th><th>Role</th></tr>
<tr><ti>Chris Richards</ti><ti>gizmo</ti><ti>Policy development, support</ti></tr>
-<tr><ti>Sven Vermeulen</ti><ti>SwifT</ti><ti>Documentation writing, policy development, support</ti></tr>
</table>
</body>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-08-16 16:58 José María Alonso
From: José María Alonso @ 2011-08-16 16:58 UTC
To: gentoo-commits
commit: 8825401605bf9be00e71647ae3e4646c6843cc36
Author: José María Alonso <nimiux <AT> gentoo <DOT> org>
AuthorDate: Tue Aug 16 16:57:42 2011 +0000
Commit: José María Alonso <nimiux <AT> gentoo <DOT> org>
CommitDate: Tue Aug 16 16:57:42 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=88254016
Fixed small typo. No version bump.
---
xml/selinux/hb-using-install.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index d620b05..2c205eb 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -599,7 +599,7 @@ in Gentoo Hardened and as such not recommended.
<p>
When you have made your choice between the SELinux policy types, save
this in your <path>/etc/make.conf</path> file as well. That way, Portage will
-only install the policy modules for that SELinux type rather than both.
+only install the policy modules for that SELinux type.
</p>
<pre caption="Setting the policy type in make.conf">
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-09-04 19:22 Sven Vermeulen
From: Sven Vermeulen @ 2011-09-04 19:22 UTC
To: gentoo-commits
commit: 43499be59db77350c9b1386c6683fdd864b6a5b1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Sep 4 19:20:10 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Sep 4 19:20:10 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=43499be5
Update on SELinux project page
---
xml/selinux/index.xml | 49 +++++++++++++++++--------------------------------
1 files changed, 17 insertions(+), 32 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index 247963c..8cddd10 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -20,6 +20,7 @@ kernels with SELinux support, providing patches to userland utilities, writing
strong Gentoo-specific default profiles, and maintaining a good default set of
policies.
</p>
+
<p>
<uri link="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced
Linux</uri> (SELinux) is a Mandatory Access Control system using type
@@ -29,11 +30,13 @@ implementation. In addition to the kernel portion, SELinux consists of a library
(libselinux) and userland utilities for compiling policy (checkpolicy), and loading
policy (policycoreutils), in addition to other user programs.
</p>
+
<p>
One common misconception is that SELinux is a complete security solution. It is
not. SELinux only provides access control on system objects. It can work well
with other Hardened projects, such as PaX, for a more complete solution.
</p>
+
</longdescription>
<goals>
@@ -65,33 +68,15 @@ As a result, we
</goals>
<dev role="lead" description="Policy, x86, AMD64">pebenito</dev>
-<dev role="Policy development, Proxy (non developer contributors)">blueness</dev>
-<dev role="Documentation, Userspace tools, Policy development">SwifT</dev>
-
-<extraproject name="Policy" lead="pebenito">
-Develop and maintain a secure, default set of policies for the system, including
-user and role definitions, service policies and application policies.
-</extraproject>
-<extraproject name="Userland" lead="pebenito">
-Develop and maintain the packages for SELinux userland utilities and libraries,
-including SELinux-aware patches for more general applications and libraries.
-</extraproject>
-<extraproject name="Kernel" lead="pebenito">
-Integrate, improve and maintain SELinux patches in the Linux kernel for Gentoo
-Hardened.
-</extraproject>
-<extraproject name="Documentation" lead="pebenito">
-Develop and maintain SELinux documentation specific to the Gentoo distribution
-</extraproject>
-
-<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook (including installation)</resource>
+<dev role="developer" description="Policy development, Proxy (non developer contributors)">blueness</dev>
+<dev role="developer" description="Documentation, Userspace tools, Policy development">SwifT</dev>
+
+<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook (concepts, installation, maintenance)</resource>
<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
-<!--
-<resource link="/proj/en/hardened/selinux-development.xml">Gentoo Hardened SELinux Development</resource>
+<resource link="/proj/en/hardened/selinux-development.xml">Gentoo Hardened SELinux Development Guide</resource>
<resource link="/proj/en/hardened/selinux-policy.xml">Gentoo Hardened SELinux Development Policy</resource>
--->
-<resource link="/proj/en/hardened/roadmap.xml">Gentoo Hardened Roadmap (incl. SELinux development)</resource>
-<resource link="/proj/en/hardened/support-state.xml">Gentoo Hardened Support Matrices (incl. SELinux)</resource>
+<resource link="/proj/en/hardened/roadmap.xml">Gentoo Hardened Roadmap (includes SELinux development)</resource>
+<resource link="/proj/en/hardened/support-state.xml">Gentoo Hardened Support Matrices (includes SELinux)</resource>
<extrachapter position="devs">
<title>Contributors</title>
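Review bot: this hunk re-enables the previously commented-out <resource> links to selinux-development.xml and selinux-policy.xml and renames the first to "Development Guide"; before publishing, confirm both documents exist at those paths, since the reason they were commented out is not recorded here. Dropping the four <extraproject> blocks also removes the only description of the Policy, Userland, Kernel and Documentation work areas from the project page; if that is intentional, the commit message ("Update on SELinux project page") could say so.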
@@ -128,14 +113,18 @@ be greatly appreciated.
</p>
</body>
</section>
-<section><title>Policy Submissions</title>
+
+<section>
+<title>Policy Submissions</title>
<body>
+
<p>
The critical component of a SELinux system is having a strong policy. The
team does its best to support as many daemons as possible. However, we cannot
create policies for daemons with which we are unfamiliar. But we are happy
to receive policy submissions for consideration. There are a few requirements:
</p>
+
<ul>
<li>
Make comments (in the policy and/or bug), so we can understand changes
@@ -149,19 +138,15 @@ to receive policy submissions for consideration. There are a few requirements:
We need to know if the policy is dependent on another policy (for example
rpcd is dependent on portmap) other than base-policy.
</li>
- <li>
- An ebuild for the policy can also be submitted to help the developers
- integrate the policy into Portage more quickly, if it is accepted.
- See current daemon policies in Portage for example uses of the
- selinux-policy eclass.
- </li>
</ul>
+
<p>
The policy should be submitted on <uri link="http://bugs.gentoo.org/">bugzilla</uri>.
Please attach the .te and .fc files separately to the bug, not as a tarball.
The bug should be Cc'ed to <c>selinux@gentoo.org</c> and will be properly
reassigned by the team.
</p>
+
</body>
</section>
</extrachapter>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-09-11 9:51 Sven Vermeulen
From: Sven Vermeulen @ 2011-09-11 9:51 UTC
To: gentoo-commits
commit: feeb52c6d7549479f82f953edea95719ea9058c8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Sep 11 09:49:30 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Sep 11 09:49:30 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=feeb52c6
Do not refer to eix
The eix application is optional and the functionality used in the guides
can be met using "emerge --search" easily.
Reported by Mikkel Clausen (Aleister)
---
xml/selinux/hb-using-install.xml | 6 +++---
xml/selinux/hb-using-permissive.xml | 21 ++++++++++++++-------
2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 2c205eb..82acc81 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>12</version>
-<date>2011-07-22</date>
+<version>13</version>
+<date>2011-09-11</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -502,7 +502,7 @@ flag), but until that time, you will need to install them yourself.
</p>
<pre caption="Installing SELinux modules">
-~# <i>eix selinux-</i>
+~# <i>emerge --search selinux-</i>
[...]
<comment>(Select the modules you want to install)</comment>
~# <i>emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</i>
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
index a589502..2b331c7 100644
--- a/xml/selinux/hb-using-permissive.xml
+++ b/xml/selinux/hb-using-permissive.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-permissive.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>5</version>
-<date>2011-06-02</date>
+<version>6</version>
+<date>2011-09-11</date>
<section>
<title>Keeping Track of Denials</title>
@@ -271,11 +271,18 @@ screen: /usr/bin/screen
~# <i>qfile /usr/bin/screen</i>
app-misc/screen (/usr/bin/screen)
-~# <i>eix selinux-screen</i>
-* sec-policy/selinux-screen
- Available versions: ~2.20090730 ~2.20091215 ~2.20101213
- Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
- Description: SELinux policy for general applications
+~# <i>emerge --search selinux-screen</i>
+Searching...
+[ Results for search key : selinux-screen ]
+[ Applications found : 1 ]
+
+* sec-policy/selinux-screen
+ Latest version available: 2.20110726
+ Latest version installed: 2.20110726
+ Size of files: 574 kB
+ Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
+ Description: SELinux policy for screen
+ License: GPL-2
~# <i>emerge selinux-screen</i>
[...]
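Review bot: the sample emerge --search output shows "Latest version installed: 2.20110726", but the very next step in the walkthrough is "~# emerge selinux-screen", i.e. the point of the example is that the module is missing. Suggest showing "[ Not Installed ]" in that field (what Portage prints for packages that are not installed) so the output and the following command agree.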
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-09-18 13:49 Sven Vermeulen
From: Sven Vermeulen @ 2011-09-18 13:49 UTC
To: gentoo-commits
commit: e192a4decc6aaf25d42789816fa2d716f1d328c0
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Sep 18 13:48:08 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Sep 18 13:48:08 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e192a4de
Start larger update effort on SELinux documentation
---
xml/selinux/selinux-handbook.xml | 104 ++++++++++++++++++++++----------------
1 files changed, 60 insertions(+), 44 deletions(-)
diff --git a/xml/selinux/selinux-handbook.xml b/xml/selinux/selinux-handbook.xml
index 53e4cf1..893e120 100644
--- a/xml/selinux/selinux-handbook.xml
+++ b/xml/selinux/selinux-handbook.xml
@@ -24,8 +24,8 @@ This is the Gentoo SELinux Handbook.
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
<license/>
-<version>3.00</version>
-<date>2010-12-01</date>
+<version>4</version>
+<date>2011-09-18</date>
<part>
<title>Introduction to Gentoo/Hardened SELinux</title>
@@ -57,6 +57,17 @@ how SELinux policies work and how to troubleshoot if things go wrong.
</chapter>
<chapter>
+<title>SELinux Resources</title>
+<abstract>
+To get more acquainted with SELinux, many resources exist on the Internet.
+In this chapter we give a quick overview of the various resources as well
+as places where you can get more help when you are fighting with SELinux.
+</abstract>
+ <include href="hb-intro-resources.xml"/>
+</chapter>
+
+<!--
+<chapter>
<title>The SELinux (Reference) Policy</title>
<abstract>
To streamline SELinux policy development, a reference policy is being developed
@@ -68,10 +79,6 @@ cover the basics on SELinux policies in general.
<include href="hb-intro-referencepolicy.xml"/>
</chapter>
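Review bot: the <!-- opened before "The SELinux (Reference) Policy" chapter carries no explanation, whereas the comment it supersedes (removed in the following hunk) said "Removed for the time being, not critical. Moved to next major version of handbook."; keep a one-line reason next to the new comment opener so the next editor knows whether the chapter is parked or dropped. Also note that the diffstat lists only selinux-handbook.xml, so the new <include href="hb-intro-resources.xml"/> points at a file that must already exist or be added separately.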
-<!--
- Removed for the time being, not critical.
- Moved to next major version of handbook.
-
<chapter>
<title>SELinux Virtual Machine Support</title>
<abstract>
@@ -105,79 +112,88 @@ you through this process.
</chapter>
<chapter>
+<title>Configuring SELinux For Your Needs</title>
+<abstract>
+With SELinux now "installed" and enabled (although in permissive mode), we now
+configure it to suit your particular needs. After all, SELinux is a Mandatory
+Access Control system where you, as security administrator, define what is
+allowed and what not.
+</abstract>
+ <include href="hb-using-configuring.xml"/>
+</chapter>
+
+<chapter>
<title>SELinux Commands</title>
<abstract>
-Before we start with SELinux, we first take a step back and get to know a few
-commands. As we are currently running a SELinux enabled system (but in
-permissive mode) we can now get acquainted with the various SELinux-specific
-commands.
+Let's take a step back and get to know a few more commands. We covered most of
+them in the previous section, but we will now dive a bit deeper in its
+syntax, features and potential pitfalls.
</abstract>
<include href="hb-using-commands.xml"/>
</chapter>
<chapter>
-<title>Running in Permissive Mode</title>
+<title>Permissive, Unconfined, Disabled or What Not...</title>
<abstract>
-Once SELinux is active, we first start by running the system in permissive mode.
-In this chapter, we tell you how to get acquainted with SELinux more in-depth
-with live command information, but without interfering with the standard access
-controls (i.e. in permissive mode).
+Your system can be in many SELinux states. In this chapter, we help you switch
+between the various states / policies.
</abstract>
- <include href="hb-using-permissive.xml"/>
+ <include href="hb-using-states.xml"/>
</chapter>
<chapter>
-<title>Switching to Enforcing Mode</title>
+<title>Modifying the Gentoo Hardened SELinux Policy</title>
<abstract>
-Once you believe that the system can be ran in enforcing mode, we switch the
-system to verify if this is true. Once verified, the next step is to (re)boot in
-enforcing mode. Finally, if we are confident that the enforcing is working
-properly and that the system is still doing its job correctly, we fix the
-enforcing mode so that it cannot be disabled anymore.
+Gentoo Hardened offers a default policy, but this might not allow what you want
+(or allows too much). In this chapter we tell you how you can tweak Gentoo's
+policy, or even run your own.
</abstract>
- <include href="hb-using-enforcing.xml"/>
+ <include href="hb-using-policies.xml"/>
</chapter>
<chapter>
-<title>Adding SELinux Policy Modules</title>
+<title>Troubleshooting SELinux</title>
<abstract>
-Far from all packages where SELinux policy modules are available for have a
-corresponding package in Gentoo/Hardened. In this chapter, we help you to add
-more modules yourself or create your own modules for those packages that have no
-SELinux policies yet.
+Everything made by a human can and will fail. In this chapter we will try to
+keep track of all potential issues you might come across and how to resolve
+them.
</abstract>
- <include href="hb-using-policymodules.xml"/>
+ <include href="hb-using-troubleshoot.xml"/>
</chapter>
</part>
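Review bot: in the "SELinux Commands" abstract, "dive a bit deeper in its syntax, features and potential pitfalls" should be "their syntax" (it refers to the commands), and "in" should be "into". The hunk also switches the includes to hb-using-configuring.xml, hb-using-states.xml, hb-using-policies.xml and hb-using-troubleshoot.xml while the diffstat shows only selinux-handbook.xml changed, so the handbook will fail to build until those four files are committed.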
+<!--
<part>
-<title>Appendices</title>
+<title>Advanced SELinux</title>
<abstract>
-Additional resources and referenced materials within this book are mentioned in
-this appendix.
+SELinux can be much more integrated in the system. In this part, we describe how
+to enhance SELinux configurations, tuning and securing your system even more.
</abstract>
<chapter>
-<title>Troubleshooting SELinux</title>
+<title>Working with MLS</title>
<abstract>
-Everything made by a human can and will fail. In this chapter we will try to
-keep track of all potential issues you might come across and how to resolve
-them.
+...
</abstract>
- <include href="hb-appendix-troubleshoot.xml"/>
+ <include href="hb-advanced-mls.xml"/>
</chapter>
<chapter>
-<title>SELinux Reference Material</title>
+<title>Using s(ecure) Virt(ualization)</title>
<abstract>
-This Gentoo Hardened SELinux handbook gives a first introduction to SELinux and
-how it is integrated in Gentoo Hardened. But more seasoned administrators will
-most definitely want to read up on the more advanced uses (and managerial
-challenges) of SELinux - which we definitely recommend. A non-exhaustive list is
-compiled in this chapter.
+...
</abstract>
- <include href="hb-appendix-reference.xml" />
+ <include href="hb-advanced-svirt.xml"/>
+</chapter>
+
+<chapter>
+<title>Using Netlabel</title>
+<abstract>
+...
+</abstract>
+ <include href="hb-advanced-netlabel.xml"/>
</chapter>
</part>
+-->
</book>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-09-30 17:36 Sven Vermeulen
From: Sven Vermeulen @ 2011-09-30 17:36 UTC
To: gentoo-commits
commit: 6ae1cd1ee8b563b826ee0c669bb7cdb4077cc1fc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Sep 30 17:35:58 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Sep 30 17:35:58 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6ae1cd1e
Update new selinux handbook, information on selinux users and login mappings
---
xml/selinux/hb-using-configuring.xml | 243 +++++++++++++++++++++++++++++++++-
1 files changed, 237 insertions(+), 6 deletions(-)
diff --git a/xml/selinux/hb-using-configuring.xml b/xml/selinux/hb-using-configuring.xml
index 139295d..78ace4f 100644
--- a/xml/selinux/hb-using-configuring.xml
+++ b/xml/selinux/hb-using-configuring.xml
@@ -8,7 +8,7 @@
<sections>
<version>1</version>
-<date>2011-09-18</date>
+<date>2011-09-30</date>
<section>
<title>Administering Users</title>
@@ -45,12 +45,12 @@ and SELinux users.
<pre caption="Running semanage login -l">
# <i>semanage login -l</i>
-Login Name SELinux User
+Login Name SELinux User
-__default__ user_u
-root root
-john staff_u
-system_u system_u
+__default__ user_u
+root root
+john staff_u
+system_u system_u
</pre>
<p>
@@ -60,6 +60,237 @@ not defined otherwise. This makes sure that a newly defined account does not get
elevated privileges by default.
</p>
+<p>
+The next table gives an overview of the standard SELinux users available after
+an installation.
+</p>
+
+<table>
+<tr>
+ <th>SELinux User</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>user_u</ti>
+ <ti>
+ Default regular SELinux user, which should be used by end-user accounts that
+ are not going to administer any service(s) on the system
+ </ti>
+</tr>
+<tr>
+ <ti>staff_u</ti>
+ <ti>
+ SELinux user for administrators. This user has the right to switch roles and
+ as such gain elevated privileges
+ </ti>
+</tr>
+<tr>
+ <ti>root</ti>
+ <ti>
+ SELinux user for the root account. It differs little from the staff_u
+ account beyond being a different ID. This ensures that files protected by
+ the user based access control for root cannot be handled by the staff_u
+ (and other) users
+ </ti>
+</tr>
+<tr>
+ <ti>sysadm_u</ti>
+ <ti>
+ SELinux user for system administration. By default, this account is not
+ immediately used as this user immediately gets the administrative role
+ (whereas staff_u and root still need to switch roles).
+ </ti>
+</tr>
+<tr>
+ <ti>system_u</ti>
+ <ti>
+ SELinux user for system services. It should never be used for end users or
+ administrators as it provides direct access to the system role (and
+ privileges)
+ </ti>
+</tr>
+<tr>
+ <ti>unconfined_u</ti>
+ <ti>
+ Used when the policy is <e>targeted</e>, this SELinux user has many
+ privileges (it is essentially not limited in its actions, although it is
+ still handled through SELinux - just through a "wide open" policy).
+ </ti>
+</tr>
+</table>
+
+<p>
+To map a user to a specific SELinux user, use <c>semanage login -a</c>:
+</p>
+
+<pre caption="Mapping a user 'sophie' to the staff_u user">
+# <i>semanage login -a -s staff_u sophie</i>
+</pre>
+
+<p>
+However, when you update such mapping, the files in that users' home directory
+will be owned by a wrong SELinux user. It is therefor important to relabel the
+files of that user:
+</p>
+
+<pre caption="Relabeling sophie's files">
+# <i>restorecon -R -F /home/sophie</i>
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Additional SELinux Accounts</title>
+<body>
+
+<p>
+It is perfectly possible to create additional SELinux accounts, and then map the
+Linux logins to these new accounts. This can be necessary when you want a more
+thorough auditing (on end user level) or when you will be enhancing the policy
+with additional roles. Also, if you want to use the User Based Access Control
+feature, using different SELinux users is important to enforce the control on
+different users (if they all use the same SELinux user, then UBAC has little to
+no effect).
+</p>
+
+<p>
+Managing the SELinux accounts is done through <c>semanage user</c>:
+</p>
+
+<pre caption="Creating a SELinux user">
+# <i>semanage user -a -R "staff_r sysadm_r" sophie</i>
+</pre>
+
+<p>
+Let's verify how the SELinux users are currently configured:
+</p>
+
+<pre caption="Checking the SELinux user identities">
+# <i>semanage user -l</i>
+SELinux User SELinux Roles
+
+root staff_r sysadm_r
+sophie staff_r sysadm_r
+staff_u staff_r sysadm_r
+sysadm_u sysadm_r
+system_u system_r
+unconfined_u unconfined_r
+user_u user_r
+
+# <i>semanage login -l</i>
+Login Name SELinux User
+
+__default__ user_u
+root root
+sophie staff_u
+swift staff_u
+system_u system_u
+</pre>
+
+<p>
+Now that a new SELinux user called "sophie" exists, we can now update the Linux
+user mapping for "sophie" towards the new SELinux user "sophie":
+</p>
+
+<pre caption="Updating the Linux user mapping">
+# <i>semanage login -m -s sophie sophie</i>
+# <i>semanage login -l</i>
+Login Name SELinux User
+
+__default__ user_u
+root root
+sophie sophie
+swift staff_u
+system_u system_u
+</pre>
+
+<p>
+Again, do not forget to relabel this users' files.
+</p>
+
+<p>
+As you can see, managing SELinux users means defining the roles to which the
+user has access to. We already gave a high-level introduction to the default
+roles in <uri link="?part=1&chap=2">SELinux Concepts</uri>, but as roles are
+important when using a Mandatory Access Control system, let's refresh our memory
+again:
+</p>
+
+<table>
+<tr>
+ <th>SELinux Role</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>user_r</ti>
+ <ti>
+ Default end-user role. This role provides access to regular applications and
+ activities, but does not allow any system or service administration beyond
+ what is expected for a regular user.
+ </ti>
+</tr>
+<tr>
+ <ti>staff_r</ti>
+ <ti>
+ Default administration role for day-to-day activities. This role has some
+ additional privileges beyond what is offered through user_r, but is not a
+ full system administrative role. It is meant for the non-administrative
+ activities done by operators and administrators
+ </ti>
+</tr>
+<tr>
+ <ti>sysadm_r</ti>
+ <ti>
+ System administration role. This role is highly privileged (since it also
+ contains the privileges to update the policy) and should only be given to
+ fully trusted administrators. It is almost never immediately granted to
+ users (they first need to switch roles) except for direct root access (for
+ instance through the console)
+ </ti>
+</tr>
+<tr>
+ <ti>system_r</ti>
+ <ti>
+ System service role, which is used for the runtime services (processes). It
+ is never granted to users directly.
+ </ti>
+</tr>
+<tr>
+ <ti>unconfined_r</ti>
+ <ti>
+ The unconfined role is used when the <e>targeted</e> policy is supported.
+ This role is given to unconfined users (such as the SELinux unconfined_u
+ user) which have very wide privileges (they almost run without constraints).
+ </ti>
+</tr>
+</table>
+
+<p>
+It should be noted that these roles are the default ones, but the security
+administrator - yes, that means you - can create additional roles and add
+particular privileges to it. We will discuss this later in this book as it means
+you'll need to update the Gentoo Hardened SELinux policy.
+</p>
+
+</body>
+</subsection>
+</section>
+
+<section>
+<title>Using (File) Labels</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+Within SELinux, access privileges are based on the label given on the
+originating part (called the <e>domain</e>) and its target resource. For
+instance, a process running in the passwd_t domain wants to read (= privilege)
+the file <path>/etc/shadow</path> which is labeled shadow_t (= the target
+resouce). It comes to no surprise then that the majority of SELinux
+administration is (re)labeling the resources.
+</p>
+
</body>
</subsection>
</section>
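Review bot: the cross-reference `<uri link="?part=1&chap=2">` in the "As you can see, managing SELinux users" paragraph has a bare `&` inside an XML attribute value, which makes the document ill-formed; escape it as `link="?part=1&amp;chap=2"`. Smaller wording fixes in the same hunk: "It is therefor important" should read "therefore", "that users' home directory" should be "that user's home directory", "we can now update the Linux user mapping" repeats the "now" that opens the sentence, "the roles to which the user has access to" doubles the preposition, and "the target resouce" in the new "Using (File) Labels" introduction should be "resource". The sysadm_u row of the user table ("this account is not immediately used as this user immediately gets the administrative role") is hard to parse; suggest "this user is normally not assigned to login accounts, because it receives the sysadm_r role directly (staff_u and root must switch roles first)".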
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-15 13:04 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-10-15 13:04 UTC (permalink / raw
To: gentoo-commits
commit: 772e60f6cd55d1189c4a1023fbf56cc036e510a7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Oct 13 19:17:05 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Oct 13 19:17:05 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=772e60f6
Lots of updates on file label management, also introduce booleans
---
xml/selinux/hb-using-configuring.xml | 374 +++++++++++++++++++++++++++++++++-
1 files changed, 372 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-configuring.xml b/xml/selinux/hb-using-configuring.xml
index 78ace4f..1a3f536 100644
--- a/xml/selinux/hb-using-configuring.xml
+++ b/xml/selinux/hb-using-configuring.xml
@@ -287,8 +287,378 @@ Within SELinux, access privileges are based on the label given on the
originating part (called the <e>domain</e>) and its target resource. For
instance, a process running in the passwd_t domain wants to read (= privilege)
the file <path>/etc/shadow</path> which is labeled shadow_t (= the target
-resouce). It comes to no surprise then that the majority of SELinux
-administration is (re)labeling the resources.
+resource). It comes to no surprise then that the majority of SELinux
+administration is (re)labeling the resources correctly (and ensuring their label
+stays correct).
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Getting File Label(s)</title>
+<body>
+
+<p>
+There are many ways to relabel commands, and none of them are equal to another.
+But before we explain this in more detail, let's first take a look at a few file
+labels (and how you can query them).
+</p>
+
+<p>
+In SELinux, labels are given on a file level through the file systems' ability
+to keep <e>extended attributes</e>. For SELinux, the attribute is called
+<c>security.selinux</c> and can be obtained through <c>getfattr</c>:
+</p>
+
+<pre caption="Getting a file's extended attribute for SELinux">
+$ <i>getfattr -n security.selinux /etc/hosts</i>
+# file: etc/hosts
+security.selinux="system_u:object_r:net_conf_t"
+</pre>
+
+<p>
+Of course, getting the file attribute this way is time consuming and not that
+flexible. For this purpose, most important applications (including
+<c>coreutils</c>) are made SELinux-aware. These applications mostly use the
+<c>-Z</c> option to display the SELinux context information. In case of files,
+this means the extended attribute content:
+</p>
+
+<pre caption="Getting the context of a file">
+$ <i>ls -Z /etc/hosts</i>
+system_u:object_r:net_conf_t /etc/hosts
+</pre>
+
+<p>
+Other commands exist that display the context as it should be, like
+<c>matchpathcon</c>. However, their purpose is to query the SELinux policy on
+your system to find out what the policy ought to be, not what it is:
+</p>
+
+<pre caption="Difference between context and matchpathcon result">
+$ <i>ls -Z /etc/make.conf</i>
+staff_u:object_r:etc_t /etc/make.conf
+$ <i>matchpathcon /etc/make.conf</i>
+/etc/make.conf system_u:object_r:portage_conf_t
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Setting File Label(s)</title>
+<body>
+
+<p>
+Now how can you manipulate file labels? Well, first of all: you will not be
+allowed to change the file labels of any possible file (not even if you are the
+owner of that file) unless the SELinux policy allows you to. These allow rules
+are made on two privilege types: which labels are you allowed to change
+(<c>relabelfrom</c>) and to which labels are you allowed to change
+(<c>relabelto</c>). You can query these rules through <c>sesearch</c>:
+</p>
+
+<pre caption="Querying the relabelto/relabelfrom types">
+<comment># From which label on files (-c) is user_t (-s) allowed (-A) to relabel from (-p)?</comment>
+$ <i>sesearch -s user_t -c file -p relabelfrom -A</i>
+<comment>[...]</comment>
+allow user_t mozilla_home_t : file { <comment>...</comment> relabelfrom relabelto } ;
+</pre>
+
+<p>
+If you have the permission, then you can use <c>chcon</c> to <e>ch</e>ange the
+<e>con</e>text of a file:
+</p>
+
+<pre caption="Changing a file context">
+$ <i>ls -Z strace.log</i>
+staff_u:object_r:user_home_t strace.log
+$ <i>chcon -t mutt_home_t strace.log</i>
+$ <i>ls -Z strace.log</i>
+staff_u:object_r:mutt_home_t strace.log
+</pre>
+
+<p>
+If you do not hold the right privileges, you will get a descriptive error
+message:
+</p>
+
+<pre caption="Trying to change file context">
+$ <i>chcon -t shadow_t strace.log</i>
+chcon: failed to change context of `strace.log' to `staff_u:object_r:shadow_t': Permission denied
+</pre>
+
+<p>
+Now, if you now think that <c>chcon</c> is all you need, you're wrong. The
+<c>chcon</c> command does nothing more than what it sais - change context. But
+when the system relabels files, these changes are gone. Relabeling files is
+often done to ensure that the file labels are correct (as in: the labels match
+what the SELinux policy sais they ought to be). The SELinux policy contains, for
+each policy module, the list of files, directories, sockets, ... and their
+appropriate file context (label).
+</p>
+
+<p>
+We will look at SELinux policy modules later, but below you'll find an excerpt
+from such a definition, for the <c>mozilla</c> module:
+</p>
+
+<pre caption="Excerpt of the mozilla module file contexts">
+/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+</pre>
+
+<p>
+To put the right label on a file, you can use the <c>setfiles</c> or
+<c>restorecon</c> commands. Since they are both the same command (but with a
+slightly different way of using) we'll only talk about <c>restorecon</c> for now
+- more information on the <c>setfiles</c> command can be found in its man page.
+</p>
+
+<p>
+When you use <c>restorecon</c>, the application will query the SELinux policy to
+find out what the right label of the file should be. If it differs, it will
+change the label to the right setting. That means that you do not need to
+provide the label for a file in order for the command to work. Also,
+<c>restorecon</c> supports recursivity, so you do not need to relabel files one
+by one.
+</p>
+
+<pre caption="Using restorecon">
+$ <i>ls -Z /etc/make.conf</i>
+staff_u:object_r:etc_t /etc/make.conf
+$ <i>restorecon /etc/make.conf</i>
+$ <i>ls -Z /etc/make.conf</i>
+system_u:object_r:portage_conf_t /etc/make.conf
+</pre>
+
+<p>
+Finally, Gentoo also provides a useful application: <c>rlpkg</c>. This script
+relabels the files of a Gentoo package (<c>rlpkg <packagename></c>) or,
+given the right arguments, all files on the file system:
+</p>
+
+<pre caption="Using rlpkg">
+<comment># Relabel the files of the firefox-bin package:</comment>
+# <i>rlpkg firefox</i>
+
+<comment># Relabel all files on the file system:</comment>
+# <i>rlpkg -a -r</i>
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Overriding the SELinux Policy File Labels</title>
+<body>
+
+<p>
+You might not always agree with the label that the SELinux policy enforces on
+the files: you might have your files located elsewhere (a different location for
+your Portage tree is a nice example) or you need to label them differently in
+order for other applications to work. To not have to <c>chcon</c> these files
+over and over again, you can enhance the SELinux policy on your system with
+additional file context rules. These rules are used when you call
+<c>restorecon</c> as well and override the rules provided by the SELinux policy.
+</p>
+
+<p>
+To add additional file context rules, you need to use the <c>semanage</c>
+command. This command is used to manage, manipulate and update the local SELinux
+policy on your system. In this particular case, we will use the <c>semanage
+fcontext</c> command:
+</p>
+
+<pre caption="Using semanage to add a file context rule">
+<comment># Mark /mnt/gentoo/etc/make.conf as a portage_conf_t type</comment>
+# <i>semanage fcontext -a -t portage_conf_t /mnt/gentoo/etc/make.conf</i>
+
+<comment># Mark /mnt/gentoo/usr/portage as portage_ebuild_t</comment>
+# <i>semanage fcontext -a -t portage_ebuild_t "/mnt/gentoo/usr/portage(/.*)?"</i>
+</pre>
+
+<p>
+As you can see from the example, you can use wildcards. But beware about using
+wildcards: when a rule holds a wildcard, it has a lower priority than a rule
+without a wildcard. And the priority on rules with a wildcard is based on how
+"down" the string the first occurance of a wildcard is. For more information,
+please check out our <uri link="../selinux-faq.xml#matchcontext">FAQ on "How do
+I know which file context rule is used for a particular file?."</uri>
+</p>
+
+<p>
+If you want to delete a file context definition, you use <c>semanage fcontext
+-d</c>:
+</p>
+
+<pre caption="Deleting a file context definition">
+# <i>semanage fcontext -d -t portage_ebuild_t /mnt/gentoo/etc/make.conf</i>
+</pre>
+
+<p>
+Finally, to view all file context definitions (both user-set and SELinux policy
+provided), you can use <c>semanage fcontext -l</c>. To only see the locally set,
+add <c>-C</c>:
+</p>
+
+<pre caption="Viewing user-set file context enhancements">
+# <i>semanage fcontext -C -l</i>
+SELinux fcontext type Context
+/opt/xxe/bin/.*\.jar all files system_u:object_r:lib_t
+/srv/virt/gentoo(/.*)? all files system_u:object_r:qemu_image_t
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Customizable types</title>
+<body>
+
+<p>
+Labels on files are not that hard to understand, but you might come into some
+surprises if you do not know that there are also customizable types.
+</p>
+
+<p>
+A <e>customizable type</e> is a specific type which is not touched by the
+SELinux administration tools by default. If you want to relabel a file that
+currently holds a customizable type, you will need to force this through the
+commands (such as <c>restorecon -F</c>).
+</p>
+
+<p>
+There are not that many customizable types by default. The list of types that
+SELinux considers as customizable are mentioned in the
+<path>customizable_types</path> file within the
+<path>/etc/selinux/*/contexts</path> location:
+</p>
+
+<pre caption="Listing the customizable types">
+# <i>cat /etc/selinux/strict/contexts/customizable_types</i>
+mount_loopback_t
+public_content_rw_t
+public_content_t
+swapfile_t
+textrel_shlib_t
+</pre>
+
+<p>
+Such types exist because these types are used for files whose location is known
+not to be fixed (and as such, the SELinux policy cannot without a doubt know if
+the label on the files is correct or not). The <c>public_content_t</c> one,
+which is used for files that are readable by several services (like FTP, web
+server, ...), might give you a nice example for such a case.
+</p>
+
+<p>
+If you look at the <c>restorecon</c> man page, it mentions both customizable
+types as well as the user section. The latter is for rules that are identified
+in the SELinux policy as being files for an end user, like the following
+definitions in the <c>mozilla</c> policy module:
+</p>
+
+<pre caption="User section definition within mozilla module">
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+</pre>
+
+<p>
+Although in the above example, forcing <c>restorecon</c> on the files is
+probably correct, there are examples where you do not want this. For instance,
+the firefox policy by default only allows the application to write to
+directories labeled <c>mozilla_home_t</c>. If you want to download something,
+this isn't possible (unless you download it into <path>~/.mozilla</path>). The
+solution there is to label a directory (say <path>~/Downloads</path>) as
+<c>mozilla_home_t</c>.
+</p>
+
+</body>
+</subsection>
+</section>
+
+<section>
+<title>SELinux Policy and Booleans</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+We have dealt with users and labels now, but there is still a third aspect that
+we haven't touched: the SELinux policy itself.
+</p>
+
+<p>
+The SELinux policy as offered by Gentoo Hardened is a carefully tuned SELinux
+policy, based on the reference policy (a distribution-agnostic SELinux policy)
+with minor changes. Hopefully, you will not need to rewrite the policy to suit
+it for your needs, but changes are very likely to occur here and there.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Changing the SELinux Policy Behavior: Booleans</title>
+<body>
+
+<p>
+A common and user friendly way of tweaking the SELinux policy is through
+booleans. A <e>SELinux boolean</e>, also known as a conditional, changes how the
+SELinux policy behaves based on the setting that the user provides. To make this
+a bit more clear, let's look at a few booleans available:
+</p>
+
+<pre caption="Getting SELinux booleans">
+# <i>getsebool -a | grep ^user</i>
+user_direct_mouse --> off
+user_dmesg --> off
+user_ping --> on
+user_rw_noexattrfile --> off
+user_tcp_server --> off
+user_ttyfile_stat --> off
+</pre>
+
+<p>
+Although they might not say much on first sight, these booleans alter how the
+SELinux policy enforces user activity (hence the booleans starting with
+<path>user_</path>). For instance, <c>user_ping</c> is set to <c>on</c>, so a
+user is allowed to use <c>ping</c>. If it was set to <c>off</c>, the SELinux
+policy would not allow a user to execute <c>ping</c>.
+</p>
+
+<p>
+Booleans can be toggled on or off using <c>setsebool</c> or <c>togglesebool</c>.
+With <c>setsebool</c> you need to give the value (on or off) whereas
+<c>togglesebool</c> switches the value.
+</p>
+
+<pre caption="Disallowing the use of ping by users">
+# <i>setsebool user_ping off</i>
+</pre>
+
+<p>
+By default, <c>setsebool</c> does not store the boolean values - after a reboot,
+the old values are used again. To persist such changes, you need to add the
+<c>-P</c> option:
+</p>
+
+<pre caption="Persistedly allow users to run dmesg">
+# <i>setsebool -P user_dmesg on</i>
+</pre>
+
+<p>
+Booleans allow administrators to tune the policy, and allow security
+administrators to write policies that are flexible enough for a more widespread
+use. In terms of Gentoo flexibility, these booleans might not be used enough (it
+would be nice to couple these booleans on USE flags, so that a server build with
+USE="ldap" gets the SELinux policy to use ldap, whereas USE="-ldap" disallows
+it). But still, the use of booleans is a popular method for making a more
+flexible SELinux policy.
</p>
</body>
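Review bot: the "Deleting a file context definition" example does not match the rule added a few paragraphs earlier: `/mnt/gentoo/etc/make.conf` was registered with `-t portage_conf_t`, while `portage_ebuild_t` was used for `"/mnt/gentoo/usr/portage(/.*)?"`; the delete command should name the same type and path as the rule it removes, e.g. `semanage fcontext -d -t portage_conf_t /mnt/gentoo/etc/make.conf`. The `rlpkg` example has a similar mismatch: the comment says "Relabel the files of the firefox-bin package" but the command run is `rlpkg firefox`. `<c>rlpkg <packagename></c>` is not well-formed XML, because `<packagename>` is read as a start tag; write `rlpkg &lt;packagename&gt;`. Typos: "sais" (twice, in the "Now, if you now think that chcon is all you need" paragraph) should be "says", "occurance" should be "occurrence", the caption "Persistedly allow users to run dmesg" should be "Persistently", "a server build with USE="ldap"" should be "built", and "Now, if you now think" repeats "now".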
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-15 13:04 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-10-15 13:04 UTC
To: gentoo-commits
commit: f549e5b78e8acb78d71d55f877fcca6daf9eaec6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 13:03:59 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 13:03:59 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=f549e5b7
Adding AVC information as well as policy modules. Section considered "finished" for now
---
xml/selinux/hb-using-configuring.xml | 314 ++++++++++++++++++++++++++++++++++
1 files changed, 314 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-configuring.xml b/xml/selinux/hb-using-configuring.xml
index 1a3f536..8a87b54 100644
--- a/xml/selinux/hb-using-configuring.xml
+++ b/xml/selinux/hb-using-configuring.xml
@@ -277,6 +277,246 @@ you'll need to update the Gentoo Hardened SELinux policy.
</section>
<section>
+<title>Reading Audit Logs</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+When working with a SELinux-enabled system, you will eventually notice that
+things behave differently, but without giving any meaningful error message.
+Usually, when SELinux "denies" a particular access, it logs it into the audit
+log of the system, but for the application itself, it is perfectly possible that
+it just silently dies. If not, you're most likely to get a <e>permission
+denied</e> error message.
+</p>
+
+<p>
+Initially, SELinux is running in <c>permissive</c> mode, which means that
+SELinux will log what it <e>would</e> deny, but still let it through.
+This mode is perfect for getting the system in shape without having too
+much problems keeping it running. Once you think your security settings are
+in order, then this mode can be switched from <c>permissive</c> to
+<c>enforcing</c>. We'll talk about these modes later.
+</p>
+
+<p>
+First, let's take a look at the audit log and see what it is saying...
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Audit Log Location(s)</title>
+<body>
+
+<p>
+The SELinux kernel code writes its denials (and sometimes even allowed but
+audited activities) into the audit log. If you are running on a Gentoo Hardened
+installation with the <c>syslog-ng</c> system logger, then the logger is already
+configured to place these audit lines in <path>/var/log/avc.log</path>. However,
+different system loggers or system logger configurations might put the entries
+in a different log location (such as <path>/var/log/audit.log</path>).
+</p>
+
+<p>
+Below, you'll find the appropriate lines for the syslog-ng system logger
+configuration for writing the events in <path>/var/log/avc.log</path>.
+</p>
+
+<pre caption="syslog-ng.conf excerpt for SELinux AVC entries">
+<comment># The following lines are only /part/ of the configuration file!</comment>
+source kernsrc { file("/proc/kmsg"); };
+destination avc { file("/var/log/avc.log"); };
+filter f_avc { message(".*avc: .*"); };
+
+log {
+ source(kernsrc);
+ filter(f_avc);
+ destination(avc);
+};
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>What is AVC?</title>
+<body>
+
+<p>
+As we mentioned, SELinux writes its entries in the audit log. These entries are
+called <e>avc messages</e> or <e>avc log entries</e>. The abbreviation AVC
+stands for <e>Access Vector Cache</e> and, like the name sais, is a caching
+system.
+</p>
+
+<p>
+Using an access vector cache improves performance on dealing with (and
+enforcing) activities and privileges. Since SELinux offers a very detailed
+approach on privileges and permissions, it would become quite painful
+(performance-wise) if each call means that the SELinux code needs to look up the
+domain, the target resource label, the privilege and if it is allowed or not
+over and over again. Instead, SELinux uses the Access Vector Cache to store past
+requests/responses. It is the AVC subsystem that is responsible for checking
+accesses and (if necessary) logging it.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Reading an AVC Denial Message</title>
+<body>
+
+<p>
+Below you'll find a typical AVC denial message.
+</p>
+
+<pre caption="Example AVC denial message">
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
+ avc: denied { module_request } for pid=14561 comm="firefox" kmod="net-pf-10"
+ scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
+</pre>
+
+<p>
+Let's analyze each part of this message one by one.
+</p>
+
+<pre caption="AVC denial: Timestamp and location information">
+<i>Oct 15 13:04:54 hpl kernel: [963185.177043]</i> type=1400 audit(1318676694.660:2472):
+ avc: denied { module_request } for pid=14561 comm="firefox" kmod="net-pf-10"
+ scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
+</pre>
+
+<p>
+This first part of the message informs you when the message was written (Oct 15
+13:04:54), on which host (hpl) and how many seconds since the system was booted
+(963185.177043).
+</p>
+
+<pre caption="AVC denial: source information">
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
+ avc: denied { module_request } for <i>pid=14561 comm="firefox"</i> kmod="net-pf-10"
+ <i>scontext=staff_u:staff_r:mozilla_t</i> tcontext=system_u:system_r:kernel_t tclass=system
+</pre>
+
+<p>
+Next is the source of the denial, i.e. what process is trying to do something.
+In this case, the process is firefox, with PID 14561, which is running in the
+source domain staff_u:staff_r:mozilla_t.
+</p>
+
+<pre caption="AVC denial: target resource">
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
+ avc: denied { module_request } for pid=14561 comm="firefox" <i>kmod="net-pf-10"</i>
+ scontext=staff_u:staff_r:mozilla_t <i>tcontext=system_u:system_r:kernel_t</i> tclass=system
+</pre>
+
+<p>
+The target of the activity is a kernel module (net-pf-10, which is the internal
+name given for IPv6), labeled system_u:system_r:kernel_t
+</p>
+
+<pre caption="AVC denial: denied action">
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
+ avc: denied { <i>module_request</i> } for pid=14561 comm="firefox" kmod="net-pf-10"
+ scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t <i>tclass=system</i>
+</pre>
+
+<p>
+Finally, the action that is denied (module_request) and its class (system).
+These classes help you to identify what is denied, because a read on a file is
+different from a read on a directory.
+</p>
+
+<p>
+For instance, in the following case, a process <c>gorg</c> with PID 13935 is
+trying to read a file called <path>localtime</path> with inode 130867 which
+resides on the device <path>/dev/md3</path>:
+</p>
+
+<pre caption="AVC denial example">
+Oct 15 14:40:30 hpl kernel: [968909.807802] type=1400 audit(1318682430.323:2614):
+ avc: denied { read } for pid=13935 comm="gorg" name="localtime" dev=md3 ino=130867
+ scontext=staff_u:sysadm_r:gorg_t tcontext=system_u:object_r:locale_t tclass=file
+</pre>
+
+<p>
+In this case, it might be obvious that the file is <path>/etc/localtime</path>,
+but when that isn't the case, then you can find the following two commands
+useful:
+</p>
+
+<pre caption="Finding out the target resource based on inode and device">
+<comment>(Find out which device /dev/md3 is)</comment>
+# <i>mount | grep /dev/md3</i>
+/dev/md3 on / type ext4 (rw,seclabel,noatime,barrier=1,nodelalloc,data=journal)
+
+<comment>(Find out what file has inode 130867)</comment>
+# <i>find / -xdev -inum 130867</i>
+/etc/localtime
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Handling AVC denials</title>
+<body>
+
+<p>
+The major part of configuring SELinux is reading the denials, finding out what
+needs to be fixed (or ignored), fix it, and repeat the steps. Hopefully, the
+rest of this handbook will help you figure out what is causing a denial.
+</p>
+
+<p>
+Denials can be cosmetic (an activity that is denied, but has no effect on the
+application's functional behaviour). If that is the case, the denial can be
+marked as <e>dontaudit</e>, meaning that the denial is not logged by default
+anymore. If you think that a denial is occurring but you do not see it in the
+logs, try disabling the <e>dontaudit</e> rules:
+</p>
+
+<pre caption="Disabling dontaudit">
+<comment>(The command can also be abbreviated to "semodule -DB")</comment>
+# <i>semodule --build --disable_dontaudit</i>
+</pre>
+
+<p>
+In most cases though, denials need to be acted upon. Actions that might need to
+happen are:
+</p>
+
+<ul>
+ <li>
+ relabeling the target resource (wrong labels might cause legitimate actions
+ to be denied)
+ </li>
+ <li>
+ relabeling the source (process' binary file) as a wrong label might cause
+ the application to run in the wrong domain
+ </li>
+ <li>
+ loading a necessary SELinux module, since the modules contain the rules to
+ allow (and label) resources. Without the appropriate module loaded, you will
+ notice denials since no other module gives the necessary grants (allow
+ statements)
+ </li>
+ <li>
+ granting the right role to the user executing the application. We have
+ covered users and their roles initially but we will go deeper into this
+ subject later in the handbook.
+ </li>
+ <li>
+ adding your own SELinux policy statements, most likely because no SELinux
+ policy module exists for the application you are trying to run
+ </li>
+</ul>
+
+</body>
+</subsection>
+</section>
+
+<section>
<title>Using (File) Labels</title>
<subsection>
<title>Introduction</title>
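Review bot: the "AVC denial: Timestamp and location information" explanation covers the syslog timestamp, host and seconds-since-boot but skips the `type=1400 audit(1318676694.660:2472):` part of the same highlighted line, which a reader will also want decoded; add a sentence on the record type and on the `audit(...)` field, which carries the audit subsystem's own timestamp and event serial number. Wording: "like the name sais" in the "What is AVC?" subsection should be "says", "without having too much problems" should be "too many problems", and "labeled system_u:system_r:kernel_t" in the target-resource paragraph is missing its final period. In the "Finding out the target resource" example, `find / -xdev -inum 130867` only works because the `mount` lookup above it showed /dev/md3 mounted on /; it is worth stating that `find` must be started from the mount point of the device reported in `dev=`, otherwise `-xdev` will search the wrong file system.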
@@ -663,5 +903,79 @@ flexible SELinux policy.
</body>
</subsection>
+<subsection>
+<title>Managing SELinux Policy Modules</title>
+<body>
+
+<p>
+In this last part, we'll cover SELinux policy modules. We mentioned before that
+the SELinux policy used by Gentoo Hardened is based on the reference policy,
+which offers a modular approach to SELinux policies. There is one base policy,
+which is mandatory on every system and is kept as small as possible. The rest
+are SELinux policy modules, usually providing the declarations, rules and file
+contexts for a single application (or type of applications).
+</p>
+
+<p>
+With <c>semodule -l</c> you can see the list of SELinux policy modules loaded:
+</p>
+
+<pre caption="Listing the loaded SELinux modules">
+# <i>semodule -l</i>
+alsa 1.11.0
+apache 2.3.0
+entropyd 1.6.0
+dbus 1.15.0
+dnsmasq 1.9.0
+<comment>(...)</comment>
+</pre>
+
+<p>
+Within Gentoo Hardened, each module is provided by the package
+<path>sec-policy/selinux-<modulename></path>. For instance, the first
+module encountered in the above example is provided by
+<path>selinux-alsa</path>:
+</p>
+
+<pre caption="The SELinux policy module package in Gentoo">
+$ <i>emerge --search selinux-alsa</i>
+Searching...
+[ Results for search key : selinux-alsa ]
+[ Applications found : 1]
+
+* sec-policy/selinux-alsa
+ Latest version available: 2.20110726
+ Latest version installed: 2.20110726
+ Size of files: 574 kB
+ Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
+ Description: SELinux policy for alsa
+ License: GPL-2
+</pre>
+
+<p>
+If you need a module that isn't installed on your system, this is considered a
+bug (packages that need it should depend on the SELinux policy package if the
+selinux USE flag is set). But once you install the package yourself, the module
+will be loaded automatically:
+</p>
+
+<pre caption="Installing a SELinux policy package">
+# <i>emerge selinux-screen</i>
+</pre>
+
+<p>
+If you want to remove a module from your system though, uninstalling the package
+will not suffice: the SELinux policy module itself is copied to the policy store
+earlier (as part of the installation process) and is not removed from this store
+by Portage. Instead, you will need to remove the module manually:
+</p>
+
+<pre caption="Uninstalling a SELinux policy module">
+# <i>emerge -C selinux-screen</i>
+# <i>semodule -r screen</i>
+</pre>
+
+</body>
+</subsection>
</section>
</sections>
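Review bot: `<path>sec-policy/selinux-<modulename></path>` will not parse as well-formed XML because `<modulename>` is read as an element; escape the placeholder as `&lt;modulename&gt;`. The removal example would also read better if it stated the naming convention explicitly: the package is `selinux-screen` but `semodule -r` takes the bare module name `screen`, which the reader currently has to infer from the `semodule -l` listing above.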
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-15 15:18 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-10-15 15:18 UTC (permalink / raw
To: gentoo-commits
commit: 52cac2568b9cd904e76e35f6dbe088bbba4b3a34
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 15:18:31 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 15:18:31 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=52cac256
Update on commands, start on selinux policy types and modes
---
xml/selinux/hb-using-commands.xml | 82 +++++++++--
xml/selinux/hb-using-states.xml | 290 +++++++++++++++++++++++++++++++++++++
2 files changed, 356 insertions(+), 16 deletions(-)
diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-commands.xml
index d0a1cb3..ae55d83 100644
--- a/xml/selinux/hb-using-commands.xml
+++ b/xml/selinux/hb-using-commands.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>5</version>
-<date>2011-07-13</date>
+<version>6</version>
+<date>2011-10-15</date>
<section>
<title>SELinux Information Commands</title>
@@ -40,7 +40,7 @@ The first command we will talk about is <c>sestatus</c>.
</p>
<pre caption="Running sestatus">
-~# <i>sestatus</i>
+# <i>sestatus</i>
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
@@ -55,6 +55,56 @@ the <e>permissive</e> mode. It also tells you that the system is configured to
run in <e>strict</e> mode - so no unconfined_t domain here.
</p>
+<p>
+The <c>sestatus</c> command also has an extended output if you run it with the
+<c>-v</c> option. When this is done, the command returns the contexts of
+important processes and files:
+</p>
+
+<pre caption="Running sestatus -v">
+# <i>sestatus -v</i>
+SELinux status: enabled
+SELinuxfs mount: /selinux
+Current mode: enforcing
+Mode from config file: enforcing
+Policy version: 24
+Policy from config file: strict
+
+Process contexts:
+Current context: staff_u:sysadm_r:sysadm_t
+Init context: system_u:system_r:init_t
+/sbin/agetty system_u:system_r:getty_t
+/usr/sbin/sshd system_u:system_r:sshd_t
+
+File contexts:
+Controlling term: staff_u:object_r:user_devpts_t
+/sbin/init system_u:object_r:init_exec_t
+/sbin/agetty system_u:object_r:getty_exec_t
+/bin/login system_u:object_r:login_exec_t
+/sbin/rc system_u:object_r:rc_exec_t
+/usr/sbin/sshd system_u:object_r:sshd_exec_t
+/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
+/etc/passwd system_u:object_r:etc_t
+/etc/shadow system_u:object_r:shadow_t
+/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
+/bin/bash system_u:object_r:shell_exec_t
+/usr/bin/newrole system_u:object_r:newrole_exec_t
+/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
+/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
+</pre>
+
+<p>
+Another general SELinux status command is <c>getenforce</c>, which allows you to
+quickly see if your SELinux is running in enforcing mode (SELinux policies are
+enforced), permissive (SELinux policies are checked and logged, but not
+enforced) or disabled (SELinux policy is not loaded and thus not checked).
+</p>
+
+<pre caption="Using the getenforce command">
+# <i>getenforce</i>
+Enforcing
+</pre>
+
</body>
</subsection>
<subsection>
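Review bot: the `getenforce` paragraph restates what enforcing, permissive and disabled mean, which the new hb-using-states.xml chapter added in this same commit covers at length; a short cross-reference to that chapter would keep the two definitions from drifting apart. Minor: the `sestatus -v` listing shows `Current mode: enforcing` while the plain `sestatus` listing just above it shows `permissive`; capturing both from the same system state would make the comparison easier to follow.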
@@ -95,9 +145,9 @@ attribute set.
</p>
<pre caption="Using seinfo">
-~# <i>seinfo -tcrontab_t</i>
+# <i>seinfo -tcrontab_t</i>
crontab_t
-~# <i>seinfo -ruser_r -x</i>
+# <i>seinfo -ruser_r -x</i>
user_r
Dominated Roles:
user_r
@@ -105,7 +155,7 @@ attribute set.
[...]
crontab_t
[...]
-~# <i>seinfo -acron_spool_type -x</i>
+# <i>seinfo -acron_spool_type -x</i>
cron_spool_type
user_cron_spool_t
system_cron_spool_t
@@ -136,7 +186,7 @@ shadow_t domain:
</p>
<pre caption="Querying allow rules with sesearch">
-~# <i>sesearch -t shadow_t -c file -p write -A</i>
+# <i>sesearch -t shadow_t -c file -p write -A</i>
Found 8 semantic av rules:
[...]
allow portage_t shadow_t : file { ioctl read write ... };
@@ -163,7 +213,7 @@ that this is only portage:
</p>
<pre caption="Querying domains with file-write privileges to file_type domains">
-~# <i>sesearch -t file_type -c file -p write -A -d</i>
+# <i>sesearch -t file_type -c file -p write -A -d</i>
Found 1 semantic av rules:
allow portage_t file_type : file { ioctl read write ... };
</pre>
@@ -190,7 +240,7 @@ boolean is set:
</p>
<pre caption="Checking the policy regarding the global_ssp boolean">
-~# <i>sesearch -b global_ssp -A -C -d</i>
+# <i>sesearch -b global_ssp -A -C -d</i>
Found 2 semantic av rules:
ET allow domain device_t : dir { getattr search open } ; [ global_ssp ]
ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]
@@ -237,7 +287,7 @@ To get the security context of a process, use <c>ps -Z</c>:
</p>
<pre caption="Getting a process security context">
-~# <i>ps -Z $(pidof init)</i>
+# <i>ps -Z $(pidof init)</i>
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:init_t 1 ? Ss 0:00 init [3]
</pre>
@@ -283,7 +333,7 @@ this area).
</p>
<pre caption="Listing the available SELinux booleans">
-~# <i>semanage boolean -l</i>
+# <i>semanage boolean -l</i>
SELinux boolean Description
allow_ptrace -> off allow_ptrace
@@ -301,7 +351,7 @@ You can set a boolean with both <c>setsebool</c> and <c>semanage</c>:
</p>
<pre caption="Setting SELinux boolean values">
-~# <i>semanage boolean -m --on -F user_dmesg</i>
+# <i>semanage boolean -m --on -F user_dmesg</i>
</pre>
</body>
@@ -316,7 +366,7 @@ you to map a Unix account to a SELinux user:
</p>
<pre caption="Listing the SELinux logins">
-~# <i>semanage login -l</i>
+# <i>semanage login -l</i>
Login Name SELinux User
__default__ user_u
@@ -339,7 +389,7 @@ can be accomplished as follows (example with the Unix account <e>anna</e>):
</p>
<pre caption="Letting 'anna' log on as 'staff_u'">
-~# <i>semanage login -a -s staff_u anna</i>
+# <i>semanage login -a -s staff_u anna</i>
</pre>
<impo>
@@ -354,7 +404,7 @@ roles. To list the available roles, you can use <c>semanage user -l</c>:
</p>
<pre caption="Listing login / role mappings">
-~# <i>semanage user -l</i>
+# <i>semanage user -l</i>
SELinux User SELinux Roles
root staff_r sysadm_r
@@ -375,7 +425,7 @@ overview of which domains are assigned to which ports (or port ranges) use
</p>
<pre caption="Listing SELinux managed ports">
-~# <i>semanage port -l | grep '22$'</i>
+# <i>semanage port -l | grep '22$'</i>
ssh_port_t tcp 22
</pre>
diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-states.xml
new file mode 100644
index 0000000..63d3f52
--- /dev/null
+++ b/xml/selinux/hb-using-states.xml
@@ -0,0 +1,290 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
+
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
+
+<sections>
+<version>1</version>
+<date>2011-10-15</date>
+
+<section>
+<title>SELinux States</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+When SELinux is available, it will generally be in one of three states on your
+system: disabled, permissive or enforcing.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Disabled</title>
+<body>
+
+<p>
+When <c>getenforce</c> returns "Disabled", then SELinux is not running on your
+system. Even though it might be built in your kernel, it is definitely disabled.
+Your system will still run with regular discretionary access controls (the usual
+permission rules for standard Linux environments) but the mandatory access
+controls are not active.
+</p>
+
+<p>
+When SELinux is disabled, it also means that files, directories, etc that are
+modified or created will not get the proper SELinux context assigned to them.
+When you later start your system with SELinux enabled (permissive or enforcing),
+issues will arise since the SELinux subsystem will not know which label the
+files have (it will default the label to one that is not accessible by most
+domains).
+</p>
+
+<p>
+The best way to go forward in such case is to boot in permissive mode and then
+relabel the entire file system:
+</p>
+
+<pre caption="Relabeling the entire file system">
+# <i>rlpkg -a -r</i>
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Permissive</title>
+<body>
+
+<p>
+When SELinux is enabled in permissive mode (<c>getenforce</c> returns
+"Permissive"), then SELinux is enabled and it has a policy loaded. Every access
+a process makes is checked against the policy rules and, if an access is not
+allowed, it will be logged (unless the denial is marked as dontaudit) but it
+will <e>not</e> be prohibited.
+</p>
+
+<p>
+The permissive mode is perfect to get acquainted with SELinux and have the
+system made ready for future "enforcing" mode. While running in permissive mode,
+applications <e>that are not SELinux aware</e> will behave as if SELinux is not
+running. This is perfect to validate if a problem is caused by SELinux or not:
+if in permissive mode the problem still persists, then it is not caused by
+SELinux.
+</p>
+
+<p>
+There is one caveat though: if the application is <e>SELinux-aware</e> (it knows
+that it can run in a SELinux environment and is able to make SELinux-specific
+calls) it might still react differently. Although this is often (but not always)
+a bad programming practice, some applications check if SELinux is enabled and
+base their functional flow on the results, regardless of the state being
+permissive or enforcing.
+</p>
+
+<p>
+To find out if an application is SELinux aware, simply check if it is linked
+against libselinux (with <c>ldd</c> or <c>scanelf</c> - part of
+<path>app-misc/pax-utils</path>):
+</p>
+
+<pre caption="Checking if /bin/ls is SELinux-aware">
+# <i>scanelf -n /bin/ls</i>
+ TYPE NEEDED FILE
+ET_DYN libselinux.so.1,librt.so.1,libc.so.6 /bin/ls
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Enforcing</title>
+<body>
+
+<p>
+If <c>getenforce</c> returns "Enforcing", then SELinux is loaded and will act
+based on the policy. When a process tries some activity that is not allowed by
+the policy, it will be logged (unless a dontaudit is set) and the activity will
+not go through. This is the only mode where you can truely say that SELinux is
+active, because it is only now that the policy is acted upon.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Switching States</title>
+<body>
+
+<p>
+Depending on your Linux kernel configuration, you can switch between states
+using one of the following methods. The kernel configuration however can be made
+so that some of these options are disabled (for instance, a fully hardened
+system will not allow disabling SELinux in any way).
+</p>
+
+<p>
+Using the command <c>setenforce</c>:
+</p>
+
+<pre caption="Switching between enforcing and permissive">
+<comment>(Switching to permissive mode)</comment>
+# <i>setenforce 0</i>
+
+<comment>(Switching to enforcing mode)</comment>
+# <i>setenforce 1</i>
+</pre>
+
+<p>
+Using the kernel boot option <c>enforcing</c>:
+</p>
+
+<pre caption="Switching between enforcing and permissive through boot options">
+<comment>(The following GRUB kernel line would boot in permissive mode)</comment>
+kernel /kernel-2.6.39-hardened-r8 root=/dev/md3 rootflags=data=journal <i>enforcing=0</i>
+</pre>
+
+<p>
+Using the <path>/etc/selinux/config</path> <c>SELINUX</c> variable:
+</p>
+
+<pre caption="/etc/selinux/config SELINUX setting">
+# <i>cat /etc/selinux/config</i>
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+<i>SELINUX=enforcing</i>
+
+# SELINUXTYPE can take one of these four values:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+# mls - Full SELinux protection with Multi-Level Security
+# mcs - Full SELinux protection with Multi-Category Security
+# (mls, but only one sensitivity level)
+SELINUXTYPE=strict
+</pre>
+
+</body>
+</subsection>
+</section>
+
+<section>
+<title>SELinux Policy Types</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+Next to the SELinux state, SELinux also offers different policy types. These
+types differentiate themselves in specific SELinux features that are enabled or
+disabled. Within Gentoo, three are supported (and a fourth is available):
+<c>targeted</c>, <c>strict</c>, <c>mcs</c> (and <c>mls</c>).
+</p>
+
+<p>
+The type used on a system is declared in <path>/etc/selinux/config</path>:
+</p>
+
+<pre caption="The SELINUXTYPE information in /etc/selinux/config">
+# <i>cat /etc/selinux/config</i>
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=enforcing
+
+# SELINUXTYPE can take one of these four values:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+# mls - Full SELinux protection with Multi-Level Security
+# mcs - Full SELinux protection with Multi-Category Security
+# (mls, but only one sensitivity level)
+<i>SELINUXTYPE=strict</i>
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>strict (without unconfined domains)</title>
+<body>
+
+<p>
+The <c>strict</c> policy type is the policy type that was described in the
+earlier chapters, and coincidentally the type that is the easiest to understand.
+With the strict policy type, each and every application runs in a domain that
+has limited privileges. Although there are highly privileged domains, they are
+never truely unlimited in their privileges.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>targeted (using unconfined domains)</title>
+<body>
+
+<p>
+The <c>targeted</c> policy type is similar to the strict one, with one major
+addition: support for unconfined domains. Applications (or users) that run in an
+unconfined domain are almost unlimited in their privileges. The unconfined
+domains are usually used for users and user applications, but also the init
+system and other domains are marked as "unconfined" domains.
+</p>
+
+<p>
+The idea behind the targeted policy is that network-facing services are running
+in (confined) regular domains whereas the rest uses the standard discretionary
+access controls offered by Linux. These other domains are running as
+"unconfined".
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>mcs (using multiple categories)</title>
+<body>
+
+<p>
+The introduction of <c>mls</c> and <c>mcs</c> offers the ability for
+<e>multi-tenancy</e>: multiple instances of the same application should be able
+to run, but each instance should be confined with respect to the others (instead
+of all these processes running in the same domain and, hence, the same
+privileges).
+</p>
+
+<p>
+A simple example is virtualization: a virtual guest which runs in the
+<c>qemu_t</c> domain needs write privileges on the image file that contains the
+guest operating system. However, if you run two guests, you do not want each
+guest to write to the other guests' file. With regular domains, you will need to
+provide this. With <c>mcs</c>, you can give each running instance a specific
+category (number) and only grant it write privileges to the guest file with the
+correct category (number).
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>mls (using multiple security levels)</title>
+<body>
+
+<p>
+The <c>mls</c> policy type is available but not yet supported by Gentoo
+Hardened. With this policy type, it is possible to give sensitivity levels on
+files and resources as well as domains. Sensitivity levels can best be expressed
+in terms of <e>public</e>, <e>private</e>, <e>confidential</e> or <e>strictly
+confidential</e>. With MLS, you can mark a file as one (or a set of)
+sensitivity level(s) and ensure that only domains with the right sensitivity
+level can access it.
+</p>
+
+</body>
+</subsection>
+</section>
+
+</sections>
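Review bot: the `$Header` comment is copied verbatim from hb-using-commands.xml and now names the wrong file; drop it or use the correct CVS keyword for hb-using-states.xml. Spelling: `truely` appears twice (the Enforcing subsection and the strict subsection) and should be `truly`. The full /etc/selinux/config listing is reproduced in both the Switching States and the SELinux Policy Types subsections with only the highlighted line differing; showing it once and referring back would shorten the chapter. In the mcs subsection, `With regular domains, you will need to provide this.` is unclear; if the intent is that without categories you would need a separate domain and file type per guest, say so explicitly.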
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-15 15:54 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-10-15 15:54 UTC (permalink / raw
To: gentoo-commits
commit: baca22a640bda143c6f0779866786742aaf73c86
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 15:54:23 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 15:54:23 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=baca22a6
Updates on states, add information on switching between policytypes
---
xml/selinux/hb-using-states.xml | 36 ++++++++++++++++++++++++++++++++++++
1 files changed, 36 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-states.xml
index 63d3f52..8702550 100644
--- a/xml/selinux/hb-using-states.xml
+++ b/xml/selinux/hb-using-states.xml
@@ -285,6 +285,42 @@ level can access it.
</body>
</subsection>
+<subsection>
+<title>Switching Types</title>
+<body>
+
+<p>
+It is not recommended to switch between types often. At best, you choose your
+policy type at install type and stick with it. But it is not impossible (nor
+that hard) to switch between types.
+</p>
+
+<p>
+First, you need to edit <path>/etc/selinux/config</path> so that it both
+switches the policy type as well as put the mode in <e>permissive</e>. This is
+necessary, since at your next reboot, many labels might (or will) be incorrect.
+</p>
+
+<p>
+Next, edit <path>/etc/fstab</path> and make sure that the domains you use there
+are updated accordingly. For instance, the line for <path>/tmp</path>:
+</p>
+
+<pre caption="Changing /etc/fstab">
+<comment># Example when switching from strict to mcs</comment>
+tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t<i>:c0</i> 0 0
+</pre>
+
+<p>
+When this is done, reboot your system. Log on as root, and relabel your entire
+file system using <c>rlpkg -a -r</c>. Finally, reboot again and then validate if
+your context (such as when logged on as a user) is correct again. Once you are
+confident that the domains and contexts are correct, switch the SELinux policy
+mode back to "enforcing".
+</p>
+
+</body>
+</subsection>
</section>
</sections>
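Review bot: the fstab example sets `rootcontext=system_u:object_r:tmp_t:c0`, but an MCS/MLS range begins with the sensitivity level, so this value should be verified on an mcs system; `tmp_t:s0` (or `tmp_t:s0:c0` if a category is intended) is the form used by the `gen_context(..., s0)` file context lines in the policy chapter later in this thread. Typos: `at install type` should read `at install time`, and `so that it both switches the policy type as well as put the mode in permissive` should read `both switches the policy type and puts the mode in permissive`.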
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-15 17:12 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-10-15 17:12 UTC (permalink / raw
To: gentoo-commits
commit: 8ef9da11964e1f4bf473695e1852882f7179f8d2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 17:12:40 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 17:12:40 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=8ef9da11
Update on policy documentation
---
xml/selinux/hb-using-policies.xml | 189 +++++++++++++++++++++++++++++++++++++
1 files changed, 189 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
new file mode 100644
index 0000000..44d7b1f
--- /dev/null
+++ b/xml/selinux/hb-using-policies.xml
@@ -0,0 +1,189 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
+
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
+
+<sections>
+<version>1</version>
+<date>2011-10-15</date>
+
+<section>
+<title>SELinux Policy Language</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+By default, Gentoo provides a generic, yet tightly controlled policy which is
+deemed a good start policy for the majority of users. However, the purpose
+behind a Mandatory Access Control system is to put the security administrator in
+control. As such, a handbook on SELinux without information on how to write
+policies wouldn't be complete.
+</p>
+
+<p>
+In this chapter, we'll talk a bit about the language behind SELinux policies and
+give some pointers on how to create your own policies, roles, etc.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Building a SELinux Module</title>
+<body>
+
+<p>
+First, before we go into the art of SELinux policy writing, let's first make a
+small SELinux module with a rule we can test, build the module and see if things
+work. Although these steps are fairly easy, they are important nonetheless.
+Modifying the SELinux policy as offered by Gentoo is best done through
+additional SELinux policy modules. Only when the core policy (the base policy)
+is not to your liking should you see on using a totally different policy.
+</p>
+
+<p>
+Let's start with a skeleton for a policy module we'll call <e>testmod</e>.
+</p>
+
+<pre caption="Policy module skeleton">
+policy_module(testmod, 1.0.0)
+</pre>
+
+<p>
+Yes, that's it. But as you can see, it is fairly empty. So let's add a rule that
+allows a regular user (in the user_t domain) to read ebuild files (of type
+portage_ebuild_t).
+</p>
+
+<pre caption="Policy module testmod">
+policy_module(testmod, 1.0.0)
+
+require {
+ type user_t;
+ type portage_ebuild_t;
+ class file { read open getattr };
+ class dir { read search open getattr };
+}
+
+allow user_t portage_ebuild_t:file { read open getattr };
+allow user_t portage_ebuild_t:dir { read search open getattr };
+</pre>
+
+<p>
+As you can see, something as simple as allowing a user to read a file requires
+quite a few privileges. The directory privileges are needed to allow a user to
+navigate through the Portage tree structure whereas the file privileges are
+needed for a user to be able to access and open the ebuilds. Save this file as
+<path>testmod.te</path>.
+</p>
+
+<p>
+To build the policy and convert it into the binary module that we can load into
+the SELinux policy store, we can use the <path>Makefile</path> available in
+<path>/usr/share/selinux/strict/include</path> (substitute strict with the
+SELinux policy type you are using).
+</p>
+
+<pre caption="Building a binary policy module">
+$ <i>make -f /usr/share/selinux/struct/include/Makefile testmod.pp</i>
+</pre>
+
+<p>
+The filename (<path>testmod.pp</path>) is the destination binary SELinux module
+name. The <path>Makefile</path> will automatically look for the
+<path>testmod.te</path> file you have in the working directory.
+</p>
+
+<p>
+As a result, you should now have a file called <path>testmod.pp</path>. This
+module file can now be loaded in the SELinux policy store as follows:
+</p>
+
+<pre caption="Loading a binary module">
+# <i>semodule -i /path/to/testmod.pp</i>
+</pre>
+
+<p>
+Congratulations! You have now build your first SELinux policy module. If you
+want to disable it, remove it through <c>semodule -r testmod</c>.
+</p>
+
+<p>
+This method of building a policy (using the <path>Makefile</path> and
+<c>semodule</c>) is something that you will need to do every time you want to
+update the SELinux policy on your system. The contents of the policy however
+does change as we will see in the rest of this document.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Getting the SELinux Policy Interfaces</title>
+<body>
+
+<p>
+To streamline policy development, the SELinux policy based on the reference
+policy uses interfaces to access privileges within a module. If you have built
+<path>selinux-base-policy</path> with <c>USE="doc"</c> then this information is
+available at
+<path>/usr/share/doc/selinux-base-policy-<version>/html</path>. It is
+recommended to have this information at hand, since most policy
+development/updates will be done through the interfaces offered by the policy.
+</p>
+
+<p>
+If you are just interested, you can also find these interface definitions <uri
+link="http://oss.tresys.com/docs/refpolicy/api/">online</uri>. Mind you though,
+the online resource is only the reference policy and might differ a bit from the
+policy available within Gentoo.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Using Policy Interfaces</title>
+<body>
+
+<p>
+Using the policy interfaces allows you to update the policy with more readable
+functions. For instance, to allow the user_t domain to call and use Portage
+applications, the module could look like so:
+</p>
+
+<pre caption="Example policy to allow user_t to use portage">
+policy_module(testmod, 1.0.0)
+
+require {
+ type user_t;
+ role user_r;
+}
+
+portage_run(user_t, user_r)
+</pre>
+
+<p>
+Of course, this makes the user_t domain much more privileged than the previously
+defined rules to read ebuild files: it allows the user to call portage, update
+the system, etc. Of course, the user still requires the proper regular Linux
+permissions (so he needs to be part of the portage group or become root).
+Needless to say, we do not recommend to grant this to a regular user ;-)
+</p>
+
+</body>
+</subsection>
+</section>
+
+<section>
+<title>Building a SELinux Policy Module</title>
+<subsection>
+<title>Creating an Isolated Module</title>
+<body>
+
+
+</body>
+</subsection>
+</section>
+</sections>
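Review bot: the build command reads `make -f /usr/share/selinux/struct/include/Makefile testmod.pp`, but the paragraph above gives the path as `/usr/share/selinux/strict/include`; `struct` is a typo that will make the example fail as written. Further: the `$Header` comment is again copied from hb-using-commands.xml; `<path>/usr/share/doc/selinux-base-policy-<version>/html</path>` needs `&lt;version&gt;` to stay well-formed XML; `should you see on using` should be `should you look into using`, and `You have now build` should be `You have now built`. The closing section `Building a SELinux Policy Module` / `Creating an Isolated Module` has an empty body; if it is a placeholder for a follow-up commit, an XML comment saying so would make the intent clear.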
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-15 17:43 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-10-15 17:43 UTC (permalink / raw
To: gentoo-commits
commit: 77a5cb36d533f0b6d1d34563bc59b5d523ad1c41
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 17:42:58 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 17:42:58 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=77a5cb36
Finishing on policy chapter
---
xml/selinux/hb-using-policies.xml | 159 ++++++++++++++++++++++++++++++++++++-
1 files changed, 157 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
index 44d7b1f..5d5f008 100644
--- a/xml/selinux/hb-using-policies.xml
+++ b/xml/selinux/hb-using-policies.xml
@@ -177,11 +177,166 @@ Needless to say, we do not recommend to grant this to a regular user ;-)
</section>
<section>
-<title>Building a SELinux Policy Module</title>
+<title>Full SELinux Policy Modules</title>
<subsection>
-<title>Creating an Isolated Module</title>
+<title>Checking Out an Isolated Module</title>
<body>
+<p>
+With the above in mind, we can now go one step further and investigate a full
+policy module, with both the type enforcement rules (<path>.te</path> file),
+file contexts (<path>.fc</path>) and interfaces (<path>.if</path>).
+</p>
+
+<p>
+You should know that writing a module requires you to get intimate with the
+application. It isn't a matter of just hoping for the best: as a security
+administrator, you will be responsible for defining what accesses are allowed
+and which not. If you forget one, the application might break under the users'
+hands. But if you add too much, you might grant privileges that can be abused
+later on. And it will be a lot more difficult to track and remove privileges
+later as you will be hesitating if the privilege is needed or not.
+</p>
+
+<p>
+In this section, we will not divulge in how to write one. We have an excellent
+<uri link="/proj/en/hardened/selinux-development.xml">Gentoo Hardened SELinux
+Development</uri> resource that guides you in that. However, we will look into
+such a full module to explain the other aspects of policy development.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Type Enforcement File</title>
+<body>
+
+<p>
+The <path>.te</path> file we wrote earlier is a <e>type enforcement file</e>.
+Its purpose is to define the access rules related to the module that you are
+building, but also - and more importantly - define new types (or even roles).
+</p>
+
+<p>
+The example below is a snippet from a module for the skype application.
+</p>
+
+<pre caption="Snippet from skype.te">
+policy_module(skype, 1.0.0)
+
+type skype_t;
+type skype_exec_t;
+application_domain(skype_t, skype_exec_t)
+
+type skype_home_t;
+userdom_user_home_content(skype_home_t)
+
+manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
+manage_files_pattern(skype_t, skype_home_t, skype_home_t)
+</pre>
+
+<p>
+In the above example, three new types are declared: <c>skype_t</c> (which will
+be used for the application), <c>skype_exec_t</c> (which is the label given to
+the application binary) and <c>skype_home_t</c> (which will be used for the
+users' <path>~/.Skype</path> location). Also, the <c>skype_t</c> domain is given
+some privileges with respect to the <c>skype_home_t</c> label (manage
+directories and files).
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>File Context File</title>
+<body>
+
+<p>
+In the <path>.fc</path> file (which stands for <e>file context file</e>) the
+module's resources (files, directories, sockets, ...) are defined. Once the
+module is loaded, these rules are added so that file system relabeling will put
+the correct context on the files.
+</p>
+
+<p>
+The example below is a snippet from the skype modules' file context file.
+</p>
+
+<pre caption="Snippet from skype.fc">
+HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
+/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
+/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
+</pre>
+
+<p>
+The format of the file context file has the following syntax:
+</p>
+
+<ol>
+ <li>
+ The regular expression that matches the file(s) and directorie(s) affected
+ by that line
+ </li>
+ <li>
+ An optional identifier to differentiate the type of files (file, directory,
+ socket, symbolic link, ...)
+ </li>
+ <li>
+ A <c>gen_context</c> line that contains the context to assign to the file(s)
+ and directorie(s)
+ </li>
+</ol>
+
+</body>
+</subsection>
+<subsection>
+<title>Interface File</title>
+<body>
+
+<p>
+In the <path>.if</path> file (for <e>interface file</e>) interfaces are declared
+which can be used by other modules. It is through interfaces that a nicely
+defined policy can be built on top of other, existing policy modules.
+</p>
+
+<p>
+One interface could be to allow users to call and execute an application. For
+instance, the following interface can be found in the skype module.
+</p>
+
+<pre caption="Snippet from skype.if">
+interface(`skype_role',`
+ gen_require(`
+ type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
+ ')
+
+ role $1 types skype_t;
+
+ domtrans_pattern($2, skype_exec_t, skype_t)
+
+ allow $2 skype_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, skype_home_t, skype_home_t)
+ manage_files_pattern($2, skype_home_t, skype_home_t)
+ manage_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+ relabel_dirs_pattern($2, skype_home_t, skype_home_t)
+ relabel_files_pattern($2, skype_home_t, skype_home_t)
+ relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+ ps_process_pattern($2, skype_t)
+')
+</pre>
+
+<p>
+Through this <c>skype_role</c>, we can then allow users to call skype, as can be
+found in the <path>unprivuser.te</path> file (which defines the user_t domain):
+</p>
+
+<pre caption="Snippet from unprivuser.te to call skype">
+optional_policy(`
+ skype_role(user_r, user_t)
+')
+</pre>
</body>
</subsection>
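Review bot: the list describing the file context syntax never explains the `--` token that appears on every line of the skype.fc snippet; the item "An optional identifier to differentiate the type of files" should state that `--` stands for a regular file (and that omitting the field matches any file type), otherwise the reader cannot map the example onto the list. Two wording fixes in the same hunk: "directorie(s)" in the first and third `<li>` should be "directories", and "the skype modules' file context file" should be "the skype module's file context file". Also, the skype.if interface requires `skype_tmpfs_t`, which the skype.te snippet earlier in this hunk never declares; a short remark that the .te excerpt is abbreviated would stop readers from thinking the module is incomplete.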
^ permalink raw reply related [flat|nested] 95+ messages in thread
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-15 18:24 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-10-15 18:24 UTC (permalink / raw
To: gentoo-commits
commit: db384261df8fbd156ea90477c06f81e39a1f3577
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 18:24:36 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 18:24:36 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=db384261
Updating the "switching from permissive to enforcing"
---
xml/selinux/hb-using-policies.xml | 52 +++++++++++++++++++++++++++++++++++++
xml/selinux/hb-using-states.xml | 21 +++++++++++++++
2 files changed, 73 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
index 5d5f008..03751e1 100644
--- a/xml/selinux/hb-using-policies.xml
+++ b/xml/selinux/hb-using-policies.xml
@@ -341,4 +341,56 @@ optional_policy(`
</body>
</subsection>
</section>
+
+<section>
+<title>Using audit2allow</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+When reading online resources on SELinux, you will notice that there are many
+references to a tool called <c>audit2allow</c>. This tools' purpose is to read
+AVC denial messages from the audit log file and transform them into a policy
+module that you can load. The advantage is that it makes it a lot easier to
+write policies. The downside is that the output (unless you use the <c>-R</c>
+option) is not usable for the <path>Makefile</path> we used earlier to build
+modules.
+</p>
+
+<p>
+Another disadvantage is that the tool does not intelligently cope with changes.
+It blindly accepts denials and treats them as if they need to be allowed, rather
+than investigate if no other context should be given to the file, etc.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Using audit2allow</title>
+<body>
+
+<p>
+Using <c>audit2allow</c> is pretty straightforward. You send it the denials you
+want to fix and store the result in a <path>.te</path> file. You then convert it
+into an intermediary format which can then be translated into a <path>.pp</path>
+file for final loading by <c>semodule</c>.
+</p>
+
+<p>
+For instance, to catch all denials and transform them into allowed statements
+from firefox-related denials:
+</p>
+
+<pre caption="Generate a new policy using audit2allow">
+# <i>grep firefox /var/log/avc.log | audit2allow -m firefoxmod > firefoxmod.te</i>
+# <i>checkmodule -m -o firefoxmod.mod firefoxmod.te</i>
+# <i>semodule_package -o firefoxmod.pp -m firefoxmod.mod</i>
+# <i>semodule -i firefoxmod.pp</i>
+</pre>
+
+</body>
+</subsection>
+</section>
+
</sections>
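Review bot: the second paragraph correctly warns that `audit2allow` blindly turns every denial into an allow rule, yet the procedure that follows runs `semodule -i firefoxmod.pp` straight after generation; add a step (or a sentence) telling the reader to inspect `firefoxmod.te` before `checkmodule` and to drop rules that should instead be fixed by relabeling or by a more specific domain, since a denial caused by mislabeled files or by unexpected application behaviour would otherwise be silently permitted. Minor: "This tools' purpose" should be "This tool's purpose"; "rather than investigate if no other context should be given" reads better as "rather than investigating whether a different context should be given"; and "to catch all denials and transform them into allowed statements from firefox-related denials" is garbled, "to turn all firefox-related denials into allow statements" says the same thing.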
diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-states.xml
index 8702550..e379547 100644
--- a/xml/selinux/hb-using-states.xml
+++ b/xml/selinux/hb-using-states.xml
@@ -168,6 +168,27 @@ Using the <path>/etc/selinux/config</path> <c>SELINUX</c> variable:
SELINUXTYPE=strict
</pre>
+<p>
+When you want to switch from permissive to enforcing, it is recommended to do so
+in the order given above:
+</p>
+
+<ol>
+ <li>
+ First boot up in permissive mode, log on, verify that your context is
+ correct (<c>id -Z</c>) and then switch to enforcing (<c>setenforce 1</c>).
+ You can now test if your system is still working properly.
+ </li>
+ <li>
+ Next, boot with <c>enforcing=1</c> as kernel parameter. This way, your
+ system will boot in enforcing mode, but if things go haywire, you can just
+ reboot, leave out the option and be back in permissive mode
+ </li>
+ <li>
+ Finally, edit <path>/etc/selinux/config</path> to persist this change.
+ </li>
+</ol>
+
</body>
</subsection>
</section>
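Review bot: "in the order given above" points the wrong way; the ordered list follows this paragraph, so it should read "in the following order". The third step says to edit `/etc/selinux/config` but not what to change; since the surrounding context only shows `SELINUXTYPE=strict`, spell out that `SELINUX=permissive` becomes `SELINUX=enforcing`. The second `<li>` is also missing its final period.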
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-19 12:55 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-10-19 12:55 UTC (permalink / raw
To: gentoo-commits
commit: 7aeebc5179af9780e56c5127f5ee945119aceedc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Oct 19 12:54:47 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 19 12:54:47 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=7aeebc51
Drop ~arch recommendation, not needed anymore
---
xml/selinux/hb-using-install.xml | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index df810a8..4d9c1eb 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>13</version>
-<date>2011-09-11</date>
+<version>14</version>
+<date>2011-10-18</date>
<section>
<title>Installing Gentoo Hardened</title>
@@ -137,6 +137,7 @@ tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_
</body>
</subsection>
+<!--
<subsection>
<title>Enabling ~Arch Packages</title>
<body>
@@ -154,6 +155,7 @@ the following settings to the right file (for instance
</body>
</subsection>
+-->
<subsection>
<title>Change the Gentoo Profile</title>
<body>
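Review bot: wrapping the "Enabling ~Arch Packages" subsection in `<!--` (previous hunk) and `-->` (this hunk) instead of deleting it leaves dead text in the source and is fragile: XML forbids `--` inside a comment, so if the commented-out subsection contains any `--` sequence (an existing comment or a double-dash option in a command example) the document will no longer parse. The commit message says the recommendation is dropped and git keeps the history, so removing the subsection outright is safer. If any other part of the handbook links to that subsection, the link needs updating as well.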
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-23 13:01 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-10-23 13:01 UTC (permalink / raw
To: gentoo-commits
commit: 2ddbc661e6b6470d9c35363bbfc1fea574ebc7af
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 23 13:00:43 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Oct 23 13:00:43 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2ddbc661
Remove obsolete documents
---
xml/selinux/hb-using-enforcing.xml | 224 -----------
xml/selinux/hb-using-permissive.xml | 666 --------------------------------
xml/selinux/hb-using-policymodules.xml | 576 ---------------------------
3 files changed, 0 insertions(+), 1466 deletions(-)
diff --git a/xml/selinux/hb-using-enforcing.xml b/xml/selinux/hb-using-enforcing.xml
deleted file mode 100644
index ca626c3..0000000
--- a/xml/selinux/hb-using-enforcing.xml
+++ /dev/null
@@ -1,224 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-enforcing.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
-
-<sections>
-<version>1</version>
-<date>2011-03-02</date>
-
-<section>
-<title>Switching to Enforcing Mode</title>
-<subsection>
-<title>Introduction</title>
-<body>
-
-<p>
-Switching to enforcing mode doesn't require all policies to be fully
-operational, nor does it require that the system boots in enforcing mode. You
-can first start small by enabling enforcing mode the moment your system is
-booted, then enable enforcing during boot (but with the possibility to disable
-it again when some things fail) and finally reconfigure your kernel so that
-disabling SELinux isn't possible anymore.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Booting, Switch</title>
-<body>
-
-<p>
-To boot your system before enabling enforcing mode, just boot as you do
-currently. Then, when you believe that you can run your system in enforcing
-mode, run <c>setenforce 1</c>.
-</p>
-
-<pre caption="Enabling enforcing mode">
-~# <i>setenforce 1</i>
-</pre>
-
-<p>
-It is wise to ensure that you have booted the system but not logged in anywhere
-except as the root user. Also verify that the session you're currently in (as
-root) uses the <c>root:sysadm_r:sysadm_t</c> or
-<c>unconfined_u:unconfined_r:unconfined_t</c> context (otherwise trying to
-disable enforcing mode might not work).
-</p>
-
-<p>
-When you realize that things are going very, very wrong, disable SELinux using
-<c>setenforce 0</c> and try to resolve the failures.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Booting in Enforcing Mode (Once)</title>
-<body>
-
-<p>
-When you want to boot in enforcing mode, but you don't want to configure SELinux
-(yet) to run always in enforcing mode (say you want to try it once), add
-<c>enforcing=1</c> as a boot option inside the boot loader configuration.
-</p>
-
-<pre caption="Sample GRUB configuration to boot in enforcing mode">
-kernel /vmlinuz root=/dev/md3 rootflags=data=journal <i>enforcing=1</i>
-</pre>
-
-</body>
-</subsection>
-<subsection>
-<title>Booting in Enforcing Mode</title>
-<body>
-
-<p>
-Once you believe that you can always (re)boot in enforcing mode, edit
-<path>/etc/selinux/config</path> and change <c>SELINUX=permissive</c> to
-<c>SELINUX=enforcing</c>.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Reconfiguring the Kernel</title>
-<body>
-
-<p>
-Once you are fully confident that you can always and ever remain in enforcing
-mode, reconfigure your kernel so that SELinux cannot be disabled anymore.
-</p>
-
-<pre caption="Reconfiguring the Linux kernel">
-[*] NSA SELinux Support
-[ ] NSA SELinux boot parameter
-[ ] NSA SELinux runtime disable
-<comment># Make sure the following is deselected</comment>
-<i>[ ] NSA SELinux Development Support</i>
-[ ] NSA SELinux AVC Statistics
-(1) NSA SELinux checkreqprot default value
-[ ] NSA SELinux maximum supported policy format version
-</pre>
-
-</body>
-</subsection>
-</section>
-<section>
-<title>Analyzing AVC</title>
-<subsection>
-<title>Intrusion or Not</title>
-<body>
-
-<p>
-Once you are running in enforcing mode, the role of the
-<path>/var/log/avc.log</path> logfile starts changing. Whereas it was previously
-used to inform you about denials which might cause functional failures on your
-system, it is now more and more becoming a source of information for the
-behavior of applications - and sometimes, the unexpected behavior of it.
-</p>
-
-<p>
-Being able to read the AVC logs is important, because in the (near) future you
-should use the AVC logs to identify potential intrusion attempts. Say that you
-are running an Internet-facing web server which is contained within its own
-SELinux domain. Suddenly you start getting weird AVC denials of that SELinux
-domain trying to read files it really shouldn't read, or write stuff in some
-temporary location it shouldn't write anything into. This can be a totally
-expected behavior, but can also be a malicious user that is attempting to run
-some exploit code against your web server.
-</p>
-
-<p>
-Interpreting the AVC logs can be considered a time-consuming job if you are
-still getting lots of cosmetic (and safe) AVC denials. So let's first see if we
-can ignore those...
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Ignoring Cosmetic AVC Events</title>
-<body>
-
-<p>
-When you get AVC denials which you believe are harmless for your system, you can
-create a policy module yourself which contains the exact AVC rule, but using the
-<e>dontaudit</e> statement rather than <e>allow</e>.
-</p>
-
-<p>
-Consider the following AVC denial:
-</p>
-
-<pre caption="Sample harmless AVC denial">
-Jan 6 19:49:25 hpl kernel: [10482.016339] type=1400 audit(1294339765.865:1527):
-avc: denied { use } for pid=19421 comm="ifconfig" path="/dev/null" dev=tmpfs
-ino=1552 scontext=system_u:system_r:ifconfig_t
-tcontext=system_u:system_r:wpa_cli_t tclass=fd
-</pre>
-
-<p>
-The denial states that the <c>ifconfig</c> process is trying to use a file
-descriptor within the wpa_cli_t domain. The target file descriptor points to
-<path>/dev/null</path>. This usually means that the <c>ifconfig</c> process is
-started from within the wpa_cli_t domain with <c>> /dev/null</c> to redirect
-its output to the <path>/dev/null</path> device. Although it is denied (so no output
-will be redirected to <path>/dev/null</path>) it has no functional impact on the
-system as the intention was to ignore the output anyhow.
-</p>
-
-<p>
-So how can we ensure that this rule doesn't fill up our AVC logs? Well, we need
-to create a module (like we have seen before in <uri
-link="?part=2&chap=3#create_module">Creating Specific Allow Rules</uri>):
-</p>
-
-<pre caption="Creating a module to ignore these AVC denials">
-~$ <i>cat ignoreavc.te</i>
-module ignoreavc 1.0.0;
-
-require {
- type ifconfig_t;
- type wpa_cli_t;
-
- class fd use;
-}
-
-dontaudit ifconfig_t wpa_cli_t:fd { use };
-
-~$ <i>checkmodule -m -o ignoreavc.mod ignoreavc.te</i>
-~$ <i>semodule_package -o ignoreavc.pp -m ignoreavc.mod</i>
-~$ <i>semodule -i ignoreavc.pp</i>
-</pre>
-
-<p>
-Once this module is loaded, you should no longer see these denials in your log.
-However, if you ever feel that you might have <e>dontaudit</e>'ed too many
-things, you can always reload the SELinux policies without the dontaudit
-statements:
-</p>
-
-<pre caption="Reloading the SELinux policies without dontaudit">
-~# <i>semodule -R -D</i>
-</pre>
-
-<p>
-If you are confident to continue with the dontaudit statements again, run the
-same command without the <c>-D</c>.
-</p>
-
-<p>
-Gentoo Hardened uses a specific boolean called <c>gentoo_try_dontaudit</c> to
-show or hide the denials that the developers believe are cosmetic. Thanks to
-this approach, you can first disable the Gentoo-selected dontaudit statements
-before showing all of them - which can be quite a lot more.
-</p>
-
-</body>
-</subsection>
-</section>
-</sections>
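Review bot: before deleting hb-using-enforcing.xml, check that its content has actually landed elsewhere. The "switching to enforcing" steps were moved to hb-using-states.xml in the previous commit, but nothing visible in the commits on this page carries over the "Reconfiguring the Kernel" subsection (turning off the SELinux boot parameter, runtime disable and development support options once enforcing is permanent), the `dontaudit` module example with `semodule -R -D` for temporarily revealing hidden denials, or the `gentoo_try_dontaudit` boolean. Also grep the remaining documents for links into the deleted files: this file itself links to `?part=2&chap=3#create_module`, and any surviving `<uri link>` to `#avclog` or `#create_module` (ids defined in hb-using-permissive.xml, deleted in the same commit) will now dangle.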
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml
deleted file mode 100644
index 2b331c7..0000000
--- a/xml/selinux/hb-using-permissive.xml
+++ /dev/null
@@ -1,666 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-permissive.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
-
-<sections>
-<version>6</version>
-<date>2011-09-11</date>
-
-<section>
-<title>Keeping Track of Denials</title>
-<subsection>
-<title>Introduction</title>
-<body>
-
-<p>
-The moment you start using SELinux in permissive mode, SELinux will start
-logging all of its denials through your system logger. Based on this
-information, you can and will:
-</p>
-
-<ul>
- <li>
- see if certain domains are missing (for instance, commands are being ran
- inside a more standard domain whereas you would expect it to run within a
- more specific one) in which case you'll probably look for a SELinux policy
- module to introduce the specific domain,
- </li>
- <li>
- see if some files have wrong security contexts in which case you'll either
- restore their context or set it yourself,
- </li>
- <li>
- see if some denials are made which you don't expect in which case you'll
- find out why the denial is made and what the original policy writer intended
- (a prime example would be a website hosted in the wrong location in the file
- system)
- </li>
-</ul>
-
-<p>
-Of course, several other aspects can be performed the moment you analyze the
-denial messages, but the above ones are the most common.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Configuring System Logger</title>
-<body>
-
-<p>
-Before we start investigating denials, let's first configure the system logger
-to log the denials in its own log file. If you are running syslog-ng with a
-Gentoo Hardened profile, it will already be configured to log these denials in
-<path>/var/log/avc.log</path>:
-</p>
-
-<pre caption="syslog-ng configuration">
-destination avc { file("/var/log/avc.log"); };
-[...]
-filter f_avc { message(".*avc: .*"); };
-filter f_audit { message("^(\\[.*\..*] |)audit.*") and not message(".*avc: .*"); };
-[...]
-log { source(kernsrc); filter(f_avc); destination(avc); };
-</pre>
-
-<p>
-If you use a different logger, look for the configuration of the kernel audit
-events. Throughout the rest of this document, we assume that the log where the
-denials are logged in is <path>/var/log/avc.log</path>.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>What is AVC?</title>
-<body>
-
-<p>
-When we previously showed a few of SELinux' policy allow rules, what you were
-actually looking at was an <e>access vector</e> rule. For instance:
-</p>
-
-<pre caption="Example access vector rule">
-allow sysadm_t portage_t : process transition ;
-</pre>
-
-<p>
-Up until now we have seen only the <e>allow</e> permission, but SELinux supports
-others as well:
-</p>
-
-<ul>
- <li>
- <e>auditallow</e> will allow an activity to occur, but will still log it
- (but then with a "granted" message instead of "denied")
- </li>
- <li>
- <e>dontaudit</e> will not allow an activity to occur but will also not log
- this. This is particularly useful where the activity is not needed and would
- otherwise fill the <path>avc.log</path> file.
- </li>
-</ul>
-
-<p>
-To improve efficiency of the policy enforcement, SELinux uses a cache for its
-access vectors - the <e>access vector cache</e> or <e>AVC</e>. Whenever some
-access is requested which isn't in the cache yet, it is first loaded in the
-cache from which the allow/deny is triggered. Hence the "avc" messages and the
-<path>avc.log</path> log file.
-</p>
-
-</body>
-</subsection>
-<subsection id="avclog">
-<title>Looking at the AVC Log</title>
-<body>
-
-<p>
-During regular system operations, you can keep track of the denials through a
-simple <c>tail</c> session:
-</p>
-
-<pre caption="Looking at the avc logs">
-~# <i>tail -f /var/log/avc.log</i>
-Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400 audit(1293872219.247:156):
- avc: denied { setattr } for pid=7419 comm="gorg" name="selinux-handbook.xml" dev=dm-3 ino=159061
- scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file
-Jan 1 10:08:52 hpl kernel: [ 2944.664577] type=1400 audit(1293872932.907:157):
- avc: denied { use } for pid=9917 comm="ifconfig" path="/dev/null" dev=tmpfs ino=1546
- scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:wpa_cli_t tclass=fd
-Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158):
- avc: denied { create } for pid=10016 comm="logger"
- scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket
-</pre>
-
-<p>
-But how do you interprete such messages? Well, let's take a closer look at the
-first denial from the example.
-</p>
-
-<pre caption="Sample denial message">
-<comment>[ Standard data within log message, such as date, time, hostname, ... ]</comment>
-Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400
-<comment>[ The message is an AVC audit message, telling a deny for the setattr system call ]</comment>
- audit(1293872219.247:156): avc: denied { setattr }
-<comment>[ The offending process has PID 7419 and is named "gorg" ]</comment>
- for pid=7419 comm="gorg"
-<comment>[ The target for the system call is a file named "selinux-handbook.xml"
- on the dm-3 device; the file has inode 159061 ]</comment>
- name="selinux-handbook.xml" dev=dm-3 ino=159061
-<comment>[ The source and target security contexts and the class of the target (in this case, a file) ]</comment>
- scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file
-</pre>
-
-<p>
-A similar one can be found of the last line in the example.
-</p>
-
-<pre caption="Another sample denial message">
-Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158):
- avc: denied { create } for pid=10016 comm="logger"
- scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket
-</pre>
-
-<p>
-In this particular case, the offending process is <c>logger</c> (with PID 10016)
-which is trying to create a Unix stream socket (see the <e>tclass</e>
-information).
-</p>
-
-<p>
-Note though that not all AVC messages imply denials. Some accesses recorded by
-the access vector cache are grants but which have an explicit <e>auditallow</e>
-statement so that this can be tracked in the logs.
-</p>
-
-</body>
-</subsection>
-</section>
-<section>
-<title>Analyzing Denials</title>
-<subsection>
-<title>A Standard Setup Might Not Work</title>
-<body>
-
-<p>
-If you have taken a look at your denials, you'll probably think "If I'm going to
-go to enforcing mode, my system will not function properly" and you might be
-right. At this point, Gentoo Hardened is constantly updating the SELinux
-policies to get you a working system - but we're not fully there yet. For this
-reason, being able to analyze the denials (and take corrective actions) is
-very important.
-</p>
-
-<p>
-It is not easy to describe what the best option is when you see a denial which
-shouldn't be. But a few ground-rules do apply.
-</p>
-
-<ul>
- <li>
- Verify if the denial is cosmetic or not. Try focusing on denials of which
- you are <e>sure</e> that they are not cosmetic and will result in a
- malfunction of your system (or that particular command) if no corrective
- action is taken.
- </li>
- <li>
- If you see a denial where the source context is a generic one (such as
- <e>sysadm_t</e> or <e>staff_t</e> or <e>user_t</e>), try to find out if
- there are specific SELinux policy modules for the offending resource. In the
- previous example of the <c>gorg</c> process, we definitely need to check if
- there is no selinux-gorg SELinux policy. Note that, even if there is none,
- it doesn't mean there shouldn't be ;-)
- </li>
- <li>
- If the target for the denial is a file, verify if its security context is
- correct or if no different context should be given. It is also possible that
- the process is trying to work on the wrong path. Sometimes a simple
- configuration change of that process is sufficient to make it work properly
- under its SELinux policy.
- </li>
-</ul>
-
-<p>
-During development of the policies, Gentoo Hardened developers will try to
-hide denials they believe are cosmetic. This hiding can be toggled using the
-SELinux <c>gentoo_try_dontaudit</c> boolean:
-</p>
-
-<pre caption="Getting and setting Gentoo's gentoo_try_dontaudit boolean">
-~# <i>getsebool gentoo_try_dontaudit</i>
-gentoo_try_dontaudit --> off
-~# <i>setsebool -P gentoo_try_dontaudit on</i>
-</pre>
-
-<p>
-When set, the denials that are believed to be cosmetic are hidden from your
-audit logs. But if your system is not functioning properly and you do not see
-any denials, it is wise to toggle this boolean again to verify if the denial
-is now shown or not.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Installing Additional SELinux Policy Modules</title>
-<body>
-
-<p>
-When a denial is found for which you think a SELinux policy module should
-exist, find out which package provides the offending resource and verify if
-Gentoo offers a SELinux policy for that package. If it does, install it and
-relabel the files of the package.
-</p>
-
-<pre caption="Finding Gentoo SELinux packages">
-~# <i>tail -f /var/log/avc.log</i>
-Jan 1 09:42:37 hpl kernel: [ 1372.708172] type=1400 audit(1293871357.972:76):
- avc: denied { search } for pid=6937 comm="screen" name="selinux" dev=dm-0
- ino=1053303 scontext=staff_u:staff_r:staff_t
- tcontext=staff_u:object_r:user_home_t tclass=dir
-
-~# <i>whereis screen</i>
-screen: /usr/bin/screen
-
-~# <i>qfile /usr/bin/screen</i>
-app-misc/screen (/usr/bin/screen)
-
-~# <i>emerge --search selinux-screen</i>
-Searching...
-[ Results for search key : selinux-screen ]
-[ Applications found : 1 ]
-
-* sec-policy/selinux-screen
- Latest version available: 2.20110726
- Latest version installed: 2.20110726
- Size of files: 574 kB
- Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
- Description: SELinux policy for screen
- License: GPL-2
-
-~# <i>emerge selinux-screen</i>
-[...]
-
-~# <i>rlpkg screen</i>
-Relabeling: app-misc/screen-4.0.3
-</pre>
-
-<p>
-If you believe a SELinux policy module should exist but you cannot find one,
-then you can either download the reference policy tarball (which you might find
-in your <path>distfiles</path> directory - it is called
-<path>refpolicy-2.YYYYMMDD.tar.bz2</path>) and see if there are already modules
-available (look inside the <path>refpolicy/policy/modules</path> location) or
-ask around on #gentoo-hardened on irc.freenode.net.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Updating the Security Contexts of Files</title>
-<body>
-
-<p>
-The most common case of denials when the necessary policies are in place are
-wrongly labeled files or directories (in other words, the security context of
-the target file or directory is not what the policy would expect). This can be
-either because the file has not been (re)labeled after the policy has been
-loaded or because the label has for some reason changed (case 1) or because
-the path of the file is not in accordance to the file context specifications
-in the SELinux module (case 2).
-</p>
-
-<p>
-The first possibility (security context correct in policy, but not applied) can
-be easily fixed using the <c>restorecon</c> command. You can apply it against a
-single file, or run it recursively using the <c>-R</c> option.
-</p>
-
-<pre caption="Running restorecon to restore a security context">
-~# <i>restorecon /etc/make.conf</i>
-</pre>
-
-<p>
-If the file context definition in the policy however doesn't apply to the file
-(or directory), you can still tell your system to label the file or directory
-accordingly. For instance, say you have your <path>lvm.conf</path> file inside
-<path>/etc</path> rather than <path>/etc/lvm</path> as the policy would expect,
-then you can still label the file correctly using <c>semanage</c>. With
-<c>semanage</c>, you assign a correct security context unrelated to any
-module. It is a local setting - but which is persistent across reboots and
-relabelling activities.
-</p>
-
-<pre caption="Setting a new file context using semanage">
-~# <i>semanage fcontext -a -t lvm_etc_t /etc/lvm.conf</i>
-~# <i>restorecon /etc/lvm.conf</i>
-</pre>
-
-<p>
-If you want to make such a definition part of a module you're writing, you will
-need to create a file context file which contains the definition(s) for the
-files whose context you want to set. Writing policy modules is described later
-in this book in <uri link="?part=2&chap=5">Adding SELinux Policy
-Modules</uri>.
-</p>
-
-</body>
-</subsection>
-<subsection id="create_module">
-<title>Creating Specific Allow Rules</title>
-<body>
-
-<p>
-If a denial isn't resolved through an available SELinux policy module or a
-corrective action taken against the target file or directory, or there
-is no such module available, then you might opt to create your own policy. If
-your goal is to allow a specific set of rules (rather than to write a
-full-fledged SELinux policy module) then you can use the <c>audit2allow</c> tool
-to generate a policy based on the denial logs.
-</p>
-
-<p>
-With <c>audit2allow</c>, you can transform an AVC denial message into a SELinux
-policy module definition. This can then be compiled into a binary policy module
-and finally packaged into an easily (re)loadable SELinux policy module. It is
-recommended to keep the (raw) AVC logs that you use to build the SELinux policy
-module as this will allow you to continuously update the module when new denials
-occur.
-</p>
-
-<p>
-For instance, to allow some <c>sudo</c>-related denials, you can do the
-following steps...
-</p>
-
-<pre caption="Generating, building and inserting a SELinux policy">
-<comment>[ We append the AVC messages to the sudo.raw file so that, in the future, we can
- add additional denial messages inside the same raw file which will be used to
- build a new SELinux policy module ]</comment>
-~# <i>grep 'comm="sudo"' /var/log/avc.log >> sudo.raw</i>
-
-<comment>[ We generate a module definition called 'fixsudo' based on the captured AVC denials ]</comment>
-~# <i>cat sudo.raw | audit2allow -m fixsudo > fixsudo.te</i>
-
-<comment>[ Next we build the SELinux module ]</comment>
-~# <i>checkmodule -m -o fixsudo.mod fixsudo.te</i>
-~# <i>semodule_package -o fixsudo.pp -m fixsudo.mod</i>
-</pre>
-
-<p>
-The generated policy module (with the <path>.pp</path> suffix) can then be
-dynamically loaded into the SELinux policy store:
-</p>
-
-<pre caption="Loading the generated module">
-~# <i>semodule -i fixsudo.pp</i>
-</pre>
-
-<p>
-The module definition (in our example called <path>fixsudo.te</path>) can be
-modified as you please - it's content is standard ASCII, human readable.
-</p>
-
-<p>
-Not all denials that you might get are bugs in the default security policy.
-It is very probable that you use your system in a slightly different way than
-intended within the Gentoo Hardened SELinux default policy. However, if you
-believe that you had to change your runtime policy due to a bug in the
-current policy, please report it on <uri
-link="https://bugs.gentoo.org">Bugzilla</uri> so that the Gentoo Hardened
-SELinux developers can take a look at it. Also, don't hesitate to contact
-the Gentoo Hardened SELinux developers if you are uncertain about things.
-</p>
-
-<p>
-They don't bite. They get fed regularly so they don't have to.
-</p>
-
-</body>
-</subsection>
-</section>
-
-<section>
-<title>Working with SELinux</title>
-<subsection>
-<title>Loading and Unloading of Modules</title>
-<body>
-
-<p>
-We have already crossed SELinux modules quite a few times. You even saw that, in
-order to load a module, you can use <c>semodule -i modulename.pp</c>. The
-<c>semodule</c> command offers the following functions:
-</p>
-
-<ul>
- <li>
- With <c>semodule -i modulename.pp</c> you (re)install a module (or install
- a higher version of said module)
- </li>
- <li>
- With <c>semodule -u modulename.pp</c> you upgrade an existing installed
- module with a new version of this module
- </li>
- <li>
- With <c>semodule -r modulename.pp</c> you remove a module from the SELinux
- policy store. It will not be reloaded, not even after a reboot.
- </li>
- <li>
- With <c>semodule -R</c> you reload the policies. An interesting feature here
- is that you can add <c>-D</c> which will <e>disable</e> the <e>dontaudit</e>
- rules from the policy. This can be useful, especially later in enforcing
- mode, to find out why something is failing even though you get no denials.
- </li>
- <li>
- With <c>semodule -B</c> you force a rebuild of the policy (which includes by
- default a reload of the policy as well). Amongst some other things, such a
- rebuild will read up on the existing users' and their home directories and
- create the associated domains.
- </li>
-</ul>
-
-</body>
-</subsection>
-<subsection>
-<title>Listing Modules</title>
-<body>
-
-<p>
-With the <c>semodule -l</c> command you can get an overview of the installed
-modules, together with their current version. When you have issues with SELinux
-policies and are trying to get online help on the matter, knowing the version of
-the particular module is important to help you troubleshoot problems.
-</p>
-
-<pre caption="Listing the installed modules">
-~# <i>semodule -l</i>
-dbus 1.14.0
-dnsmasq 1.9.0
-hal 1.13.0
-[...]
-</pre>
-
-</body>
-</subsection>
-<subsection>
-<title>Switching Roles</title>
-<body>
-
-<p>
-When you are working with a SELinux system, your default users will be using the
-user_u SELinux login (and as such the user_r SELinux role) so they will not need
-to perform any role switching: there are no other roles they can switch to.
-</p>
-
-<p>
-Accounts that you use to perform more administrative tasks however are most
-likely mapped to the staff_u SELinux login or have their own login but with the
-same roles supported: staff_r and sysadm_r. These accounts should by default
-start within the staff_r role. Although still restricted, it has more
-possibilities (with respect to supported target domains to transition to)
-than the user_r role.
-</p>
-
-<p>
-The major difference however is that these users will also have to switch roles
-from time to time. For instance, if you want to use Portage - even just for
-querying the tree - you will need to be in the sysadm_r role. To switch roles,
-use the <c>newrole</c> command:
-</p>
-
-<pre caption="Switching roles">
-~$ <i>newrole -r sysadm_r</i>
-Password: <comment>(Enter your personal password)</comment>
-~$
-</pre>
-
-<p>
-With <c>id -Z</c> you can verify that you have indeed successfully switched
-roles.
-</p>
-
-<p>
-Now how do you know that you need to switch roles? Generally, you will get a
-<e>Permission denied</e> statement on one or more files:
-</p>
-
-<pre caption="Getting to know when to switch roles">
-~$ <i>emerge --info</i>
-Permission denied: '/etc/make.conf'
-</pre>
-
-<p>
-You might not be able, from within your current role, to find out if switching
-roles is sufficient to gain read access. Within your current role, you might not
-be able to get to view the current security context or query the SELinux AV
-rules. But if you switch to the sysadm_r role and run the necessary queries, you
-might get the information you need:
-</p>
-
-<pre caption="Verifying read access against the /etc/make.conf file">
-~$ <i>id -Z</i>
-staff_u:staff_r:staff_t
-~$ <i>newrole -r sysadm_r</i>
-Password: <comment>(Enter your personal password)</comment>
-~$ <i>id -Z</i>
-staff_u:sysadm_r:sysadm_t
-~$ <i>ls -Z /etc/make.conf</i>
-system_u:object_r:portage_conf_t /etc/make.conf
-~$ <i>sesearch -t portage_conf_t -c file -p read -A -d</i>
-Found 8 semantic av rules:
- allow portage_t portage_conf_t : file { ioctl read getattr lock execute execute_no_trans open } ;
- <comment># This is the one we are looking for</comment>
- allow sysadm_t portage_conf_t : file { ioctl read write ... } ;
- allow portage_fetch_t portage_conf_t : file { ioctl read getattr lock open } ;
- allow restorecond_t portage_conf_t : file { ioctl read getattr lock relabelfrom relabelto open } ;
- allow gcc_config_t portage_conf_t : file { ioctl read getattr lock open } ;
- allow portage_sandbox_t portage_conf_t : file { ioctl read getattr lock open } ;
- allow rsync_t portage_conf_t : file { ioctl read getattr lock open } ;
- allow mount_t portage_conf_t : file { ioctl read getattr lock open } ;
-</pre>
-
-<p>
-As you can see, the sysadm_t domain (which is affiliated with the sysadm_r role)
-has the necessary read access, whereas there is no sign of any read access for
-the staff_t domain.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Using File Labels</title>
-<body>
-
-<p>
-During regular system usage, you will get into situations where you need to set
-file labels (security contexts). We have already covered the use of
-<c>semanage</c> and <c>restorecon</c> to do so, but a few other methods exist as
-well, each of them for specific purposes...
-</p>
-
-<p>
-With <c>chcon</c> users (and not only administrators) can relabel files (if they
-have the necessary privileges to do so) to the type they want. As an example,
-consider the domains and rules for the Mozilla applications (such as firefox).
-By default, this domain has no ability to create new files in the user home
-directory. However, a specific domain has been created (mozilla_home_t) in which
-the application can create files. By creating a folder (say
-<path>Downloads</path>) and relabeling it correctly, the application is able to
-create new files inside this location.
-</p>
-
-<pre caption="Relabelling a directory">
-~$ <i>ls -Zd ~/Downloads</i>
-staff_u:object_r:user_home_t Downloads/
-~$ <i>chcon -t mozilla_home_t ~/Downloads</i>
-~$ <i>ls -Zd ~/Downloads</i>
-staff_u:object_r:mozilla_home_t
-</pre>
-
-<p>
-It is important to understand that relabeling is a specific privilege which is
-also governed by SELinux policies (the staff_t domain has this privilege on the
-user_home_t domain). Also, the target domain (mozilla_home_t) is still
-manageable by the staff_t domain (including relabeling) so that the relabeling
-activity doesn't lower the privileges that staff_t has on this folder. This
-isn't always the case, so be careful when you relabel.
-</p>
-
-<p>
-Relabelling files is governed by the relabelfrom and relabelto privileges.
-Consider the following two hypothetical rules:
-</p>
-
-<pre caption="Relabelling rules">
-allow staff_t foo_t : dir { relabelfrom relabelto };
-allow staff_t bar_t : dir { relabelto };
-</pre>
-
-<p>
-In the first rule, the staff_t domain has the ability to relabel directories
-that are currently in the foo_t domain (relabelfrom) and to relabel directories
-to the foo_t domain (if their source domain has a correct relabelfrom
-privilege). In the second rule, the staff_t domain is only able to relabel
-directories to the bar_t domain. However, once a directory has the bar_t domain,
-the staff_t domain has no ability to relabel it to something else (no
-relabelfrom privilege).
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Relabelling Gentoo Package Content</title>
-<body>
-
-<p>
-As a last section let's talk about Gentoo support for relabeling files. By
-default, Portage will relabel all files of a package once it is installed. This
-is governed by the FEATURES="selinux" setting which is enabled when you select
-the selinux profiles. An administrator can also relabel the contents of a
-package using the (Gentoo-specific) <c>rlpkg</c> command (installed through
-the policycoreutils package):
-</p>
-
-<pre caption="Relabelling the files and directories of a package">
-~# <i>rlpkg net-tools</i>
-Relabeling: sys-apps/net-tools-1.60_p20090728014017-r1
-</pre>
-
-<p>
-The same tool can be used to relabel the entire system:
-</p>
-
-<pre caption="Relabelling the entire (file) system">
-~# <i>rlpkg -a -r</i>
-</pre>
-
-</body>
-</subsection>
-</section>
-</sections>
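Review bot: this hunk removes the rest of the file, including the closing `</sections>`, so the whole "Working with SELinux" section (the `semodule -i/-u/-r/-R/-B` summary with the `-R -D` dontaudit tip, the `newrole -r sysadm_r` role switching walkthrough, the relabelfrom/relabelto explanation and the `rlpkg` relabelling commands) disappears from this tree; the commit message should name where that content now lives so that readers following the overlay history can find it. The deleted text also carried a typo ("it's content" for "its content" in the fixsudo paragraph) that should not be carried over verbatim to the new location.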
diff --git a/xml/selinux/hb-using-policymodules.xml b/xml/selinux/hb-using-policymodules.xml
deleted file mode 100644
index 3032bcb..0000000
--- a/xml/selinux/hb-using-policymodules.xml
+++ /dev/null
@@ -1,576 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policymodules.xml,v 1.5 2011/06/07 19:46:52 klondike Exp $ -->
-
-<sections>
-<version>1</version>
-<date>2011-03-02</date>
-
-<section>
-<title>Writing Simple Policies</title>
-<subsection>
-<title>Writing a TE File</title>
-<body>
-
-<p>
-Let us summarize our previous experiences with writing simple policies. We have
-already covered how to write a <path>.te</path> file and convert it to a
-loadable SELinux module. Let's go over this once again with a simple example:
-allowing execmem for the mozilla_t domain.
-</p>
-
-<p>
-When using the <path>selinux-mozilla</path> provided SELinux module, you might
-still get a failure if you are using the 32-bit binary firefox package
-(<path>www-client/firefox-bin</path>) and if you do not allow memexec (see the
-<c>allow_memexec</c> boolean). You will probably find an AVC denial telling you
-this exact same thing. If you want to allow just mozilla_t to run execmem, you
-can write the following <path>fixmozilla.te</path> module:
-</p>
-
-<pre caption="Content of fixmozilla.te">
-module fixmozilla 1.0.0;
-
-require {
- type mozilla_t;
- class process execmem;
-}
-
-allow mozilla_t self:process { execmem };
-</pre>
-
-<p>
-This simple policy sais that the module is called <e>fixmozilla</e> with module
-version <e>1.0.0</e> (it is wise to update this version every time you update
-the content of the module so that you can quickly verify with <c>semodule -l</c>
-if the new version is loaded or not). It requires the <e>mozilla_t</e> domain
-(if <path>sec-policy/selinux-mozilla</path> isn't installed, loading of this
-policy will fail as it will not find the mozilla_t domain) and the
-<e>process</e> class with the <e>execmem</e> operation. The policy itself
-(the AVC statement) is to allow the mozilla_t domain to use execmem on its
-own processes.
-</p>
-
-<p>
-To convert this source into a loadable policy, we first convert it into a
-<path>.mod</path> file:
-</p>
-
-<pre caption="Converting a .te file to a .mod file">
-~$ <i>checkmodule -m -o fixmozilla.mod fixmozilla.te</i>
-</pre>
-
-<p>
-In this particular command, we create a non-base (<c>-m</c>) module file
-(<path>fixmozilla.mod</path>) which contains the statements offered by the
-<path>fixmozilla.te</path> file. If you are running an MLS/MCS system you will
-need to add the <c>-M</c> option.
-</p>
-
-<p>
-Next we package this module into a loadable SELinux module:
-</p>
-
-<pre caption="Packaging the .mod file to a loadable SELinux module">
-~$ <i>semodule_package -o fixmozilla.pp -m fixmozilla.mod</i>
-</pre>
-
-<p>
-This final module file (<path>fixmozilla.pp</path>) can then be loaded into the
-SELinux policy store using <c>semodule -i fixmozilla.pp</c>.
-</p>
-
-<p>
-Using this relatively simple method, you can create all the policy rules you
-want. However, you most likely want to add information on file labeling as
-well...
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Writing an FC File</title>
-<body>
-
-<p>
-An FC file (<e>File Context</e>) contains the file labels (security contexts)
-that should be assigned to particular files. If you structure your modules
-correctly, you most likely have policies for particular programs, and you would
-like to label the program files and binaries accordingly. This is what the
-<path>.fc</path> files are for.
-</p>
-
-<p>
-Let's take a look at a sample .fc file which contains the various types of
-context definitions that are supported:
-</p>
-
-<pre caption="Sample .fc file">
-/var/.* gen_context(system_u:object_r:var_t)
-/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t)
-/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t)
-/vmlinuz.* -l gen_context(system_u:object_r:boot_t)
-/usr/bin/firefox -- gen_context(system_u:object_r:mozilla_exec_t)
-/tmp/\.ICE-unix/.* -s <<none>>
-/dev/initctl -p gen_context(system_u:object_r:initctl_t)
-/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t)
-</pre>
-
-<p>
-The first column (in every line) starts with a regular expression to match
-against a file's path. This is usually sufficient to match any possible file.
-SELinux does support some special variables like ROLE, HOME_DIR, HOME_ROOT and
-USER which are substituted with their corresponding values when the file context
-is (re)compiled (for instance when you add or delete SELinux users or rebuild
-the policy using <c>semodule</c>).
-</p>
-
-<p>
-The second column, if available, starts with a dash followed by the file type:
-<c>c</c>haracter device, <c>b</c>lock device, symbolic <c>l</c>ink,
-<c>s</c>ocket, <c>d</c>irectory, named <c>p</c>ipe or a regular file (<c>-</c>).
-</p>
-
-<p>
-The last column gives the security context (label) that should be assigned to
-the resource(s) that match the regular expression. You should always see the
-"standard three" (user, role, domain), but you might also see the security level
-and even category if MLS/MCS is used or supported by the module.
-</p>
-
-<pre caption="Sample file context with MLS/MCS support">
-/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15,c0.c255)
-</pre>
-
-<p>
-You can write your own FC file. For instance, Gentoo adds the following
-definition to the <path>sec-policy/selinux-mozilla</path> package to support the
-binary firefox package:
-</p>
-
-<pre caption="Example .fc content">
-/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/opt/firefox/run-mozilla.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-</pre>
-
-<p>
-If you want to add such a file to your policy, add it during the
-<c>semodule_package</c> phase:
-</p>
-
-<pre caption="Adding file context information to a policy">
-~$ <i>semodule_package -o fixmozilla.pp -m fixmozilla.mod -f fixmozilla.fc</i>
-</pre>
-
-<p>
-Once this policy is loaded, you can use tools like <c>matchpathcon</c>,
-<c>restorecon</c> and more as they now know how to deal with the files you have
-mentioned in your file context file.
-</p>
-
-</body>
-</subsection>
-</section>
-<section>
-<title>Building a Reference Policy Module</title>
-<subsection>
-<title>Introduction to the Reference Policy</title>
-<body>
-
-<p>
-Initially we have already covered the fact that Gentoo Hardened bases its
-policies on the reference policy maintained by Tresys. This reference policy
-offers an important additional functionality during module development:
-interfaces.
-</p>
-
-<p>
-By creating an interface, you actually create a function of some sort which can
-be used in other modules. Such interfaces allow module writers to generate rules
-to interact with the domain of their module without knowing what the other
-domains are. For instance, the mozilla module has an interface definition like
-so:
-</p>
-
-<pre caption="Example interface definition">
-interface(`mozilla_read_user_home_files',`
- gen_require(`
- type mozilla_home_t;
- ')
-
- allow $1 mozilla_home_t:dir list_dir_perms;
- allow $1 mozilla_home_t:file read_file_perms;
- allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
- userdom_search_user_home_dirs($1)
-')
-</pre>
-
-<p>
-This interface allows other modules to use the
-<c>mozilla_read_user_home_files</c> function if they want their domain to be
-able to (in this case) read the files in the mozilla_home_t domain. Of course,
-they can add all statements inside their own definition, but then they would
-have to require that the mozilla module is loaded, which might be a wrong
-assumption, and duplicate the same allow statements for each application.
-The use of interfaces makes policy development easier.
-</p>
-
-<p>
-Also, the reference policy allows the use of <e>optional</e> statements:
-a module can call an interface of another module, but this may not fail if
-the other module is not available on a users' system.
-</p>
-
-<p>
-For instance, in the evolution policy:
-</p>
-
-<pre caption="Extract from evolution.te">
-optional_policy(`
- mozilla_read_user_home_files(evolution_t)
- mozilla_domtrans(evolution_t)
-')
-</pre>
-
-<p>
-In this extract we see that the previously defined interface is called with
-argument evolution_t (the Evolution domain) within an <c>optional_policy</c>
-clause. As a result, building this policy will attempt to call this interface,
-but if the interface is missing (because the mozilla module isn't installed) it
-will not fail the build of the evolution module.
-</p>
-
-<p>
-Using the interfaces allows for a clean separation of the various modules.
-Within the reference policy, the following guidelines are used:
-</p>
-
-<ul>
- <li>
- Inside a <path>.te</path> file, the only domains that are allowed to be
- mentioned are those defined in the same <path>.te</path> file. Any
- interaction with other domains need to happen through interfaces offered by
- that domain.
- </li>
- <li>
- Inside an <path>.if</path> file, where the interfaces are defined, an XML
- like syntax is used to document each interface, allowing for developers to
- read easily what an interface is meant to do (because honestly, there are
- far more complex interfaces than the one we have previously shown)
- </li>
- <li>
- Distribution-specific aspects of modules should be enclosed within a
- <c>ifdef(`distro_gentoo',`...')</c> statement (example for Gentoo). This
- statement is supported in all three files (<path>.te</path>,
- <path>.if</path> and <path>.fc</path>).
- </li>
-</ul>
-
-</body>
-</subsection>
-<subsection>
-<title>Building the Reference Policy Module</title>
-<body>
-
-<p>
-If you want to build a module using the reference policy interfaces, you first
-need to create the <path>.te</path> file and, optionally (but most likely
-needed) <path>.if</path> and <path>.fc</path> file. It is wise to start from an
-example set of files for a similar application. If you want to or need to use
-interfaces of different modules, you can find the interfaces that are valid on
-your system inside <path>/usr/share/selinux/strict/include</path>.
-</p>
-
-<p>
-Once you want to build the module, copy the
-<path>/usr/share/selinux/strict/include/Makefile</path> file inside the
-directory where your policy definition(s) are stored. Then, call the <c>make</c>
-command to build the policy modules.
-</p>
-
-<p>
-The result should be one (or more) loadable SELinux modules.
-</p>
-
-</body>
-</subsection>
-</section>
-<section>
-<title>Example: Start Building the Skype Policy</title>
-<subsection>
-<title>Labelling</title>
-<body>
-
-<p>
-Let's start to create a sample reference policy based SELinux module for the <c>skype</c>
-application. This application is a well-known application used to perform voice-
-and video chats across the Internet. We will not finish the module in this
-chapter (as the exercise will become a repetitive try-and-correct cycle which
-isn't the purpose to document here) but rather show an approach on how to deal
-with such policy building exercises.
-</p>
-
-<p>
-First get acquainted with the application.
-</p>
-
-<p>
-The usual way of interacting with <c>skype</c> is from an end-user point (not
-administrator). From interacting with it in permissive mode (or from a
-non-SELinux system) we know it creates a <path>~/.Skype</path> folder for its
-configuration, chat history and more.
-</p>
-
-<p>
-Given this above information, let's take a look at the content of the
-<path>net-im/skype</path> package:
-</p>
-
-<pre caption="Content of the skype package">
-~$ <i>qlist skype</i>
-<comment>(Output shortened for clarity)</comment>
-/usr/bin/skype
-/usr/share/... <comment># Unrelated to the application but used by distribution</comment>
-/opt/skype/skype
-/opt/skype/sounds/...
-/opt/skype/lang/...
-/opt/skype/avatars/...
-</pre>
-
-<p>
-Given this information, we could create the following file context definition:
-</p>
-
-<pre caption="Sample file context for skype">
-/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
-/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
-HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
-</pre>
-
-<p>
-We will not give the various skype files a specific label - they are all
-read-only files so can keep the default label assigned to them.
-</p>
-
-<p>
-Within the <path>skype.te</path> file, we define the necessary domains and
-also use the first interfaces which are often associated with this kind of
-domains (for reasoning you can read the sources for the apache module or
-other services). A sample module to base our definition from could be
-telepathy...
-</p>
-
-<pre caption="Initial skype module definition">
-policy_module(skype, 1.0.0)
-
-type skype_t;
-type skype_exec_t;
-application_domain(skype_t, skype_exec_t)
-
-type skype_home_t;
-userdom_user_home_content(skype_home_t)
-
-# Allow skype_t to put files in the skype_home_t location(s)
-manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
-manage_files_pattern(skype_t, skype_home_t, skype_home_t)
-userdom_user_home_dir_filetrans(skype_t, skype_home_t, { dir file })
-userdom_search_user_home_dirs(skype_t)
-</pre>
-
-<p>
-Again, we're not going to cover the various interfaces and explain them. They
-are documented and available on the system, and there are plenty of examples to
-use.
-</p>
-
-<p>
-Finally, we are going to create an interface to allow users to transition to the
-skype_t domain. The idea here is that you add <c>skype_role(role, domain)</c> in
-the <path>.te</path> definition of the users' domain or within your own policy.
-</p>
-
-<pre caption="Defining the skype_role interface">
-interface(`skype_role',`
- gen_require(`
- type skype_t, skype_exec_t;
- ')
-
- role $1 types skype_t;
-
- domain_auto_trans($2, skype_exec_t, skype_t)
-')
-</pre>
-
-<p>
-Build the module and load it in the SELinux module store. Next, create a small
-policy to allow users (user_r, user_t) to access skype:
-</p>
-
-<pre caption="Adding access to skype for users">
-~$ <i>cat skypeusers.te</i>
-policy_module(skypeusers, 1.0.0)
-
-gen_require(`
- type user_t;
- role user_r;
- type staff_t;
- role staff_r;
-')
-
-optional_policy(`
- skype_role(user_r, user_t)
- skype_role(staff_r, staff_t)
-')
-</pre>
-
-<p>
-Build that module as well and load it. A regular SELinux user should now have
-the ability to execute skype_exec_t and transition to the skype_t domain.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Dry Run</title>
-<body>
-
-<p>
-With the policy loaded, do a dry run. Relabel the files of the
-<path>net-im/skype</path> package (and if you have previously ran skype yourself,
-relabel the <path>~/.Skype</path> folder as well), then start <c>skype</c> and both
-watch skype's output as well as the AVC denials.
-</p>
-
-<p>
-We notice that the binary (skype) hangs and cannot be killed. In the AVC denial
-logs, we notice the following denials:
-</p>
-
-<pre caption="Shown denials while running skype">
-Jan 6 22:01:56 hpl kernel: [18418.420427] type=1400 audit(1294347716.358:2221):
-avc: denied { read write } for pid=25540 comm="skype" name="1" dev=devpts
-ino=4 scontext=staff_u:staff_r:skype_t tcontext=staff_u:object_r:user_devpts_t
-tclass=chr_file
-Jan 6 22:01:56 hpl kernel: [18418.420455] type=1400 audit(1294347716.358:2222):
-avc: denied { use } for pid=25540 comm="skype" path="/dev/pts/1" dev=devpts
-ino=4 scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:staff_t
-tclass=fd
-Jan 6 22:01:56 hpl kernel: [18418.420563] type=1400 audit(1294347716.358:2225):
-avc: denied { sigchld } for pid=6532 comm="bash"
-scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:staff_t tclass=process
-</pre>
-
-<p>
-Note that the attempt is done in enforcing mode - running in permissive mode
-will yield more AVC denials and is also a plausible way to create the necessary
-rules.
-</p>
-
-<p>
-From the denials, we see that skype attempts to use the pts in which the command
-is ran (notice that this fails because we didn't explicitly allow it) and also
-fails to exit properly (a sigchld signal isn't allowed to be submitted).
-</p>
-
-<p>
-By looking into the example policies already around, we notice that they have
-interfaces in use such as <c>userdom_use_user_terminals</c> as well as generic
-allowances such as <c>ps_process_pattern</c> (to allow users to view a process
-and kill it). This is a nice example of how a type enforcement MAC system works:
-nothing is assumed by default.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Next Dry Run</title>
-<body>
-
-<p>
-So after adding some interfaces to allow the use of the user terminals, file
-descriptors and also allow process signals to be sent, we try to run the
-application again. Now, we get:
-</p>
-
-<pre caption="Output of running the skype command">
-~$ <i>skype</i>
-Killed
-
-~$ <i>cat /var/log/avc.log</i>
-Jan 6 22:27:41 hpl kernel: [19961.313321] type=1400
-audit(1294349261.991:9089017): avc: denied { execmem } for pid=27256
-comm="skype" scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:skype_t
-tclass=process
-</pre>
-
-<p>
-At least <c>skype</c> now exits. From the AVC log, we see that it wants to call
-execmem (which isn't something we like, but have seen in the past for mozilla as
-well). Okay, let's allow this, rebuild the modules and retry.
-</p>
-
-<pre caption="Output of running the skype command again">
-~$ <i>skype</i>
-./skype: error while loading shared libraries: libasound.so.2: cannot open
-shared object file: Permission denied
-
-~$ <i>cat /var/log/avc.log</i>
-Jan 6 22:33:41 hpl kernel: [20319.960127] type=1400
-audit(1294349621.275:9089042): avc: denied { read } for pid=27536
-comm="skype" name="libasound.so.2" dev=dm-1 ino=525098
-scontext=staff_u:staff_r:skype_t tcontext=system_u:object_r:usr_t
-tclass=lnk_file
-</pre>
-
-<p>
-Okay, we need to grant it read rights to links within the usr_t domain (and most
-likely then load libraries from the lib_t domain, so we need to add
-<c>files_read_usr_symlinks</c> and <c>libs_use_ld_so</c>, etc.
-</p>
-
-</body>
-</subsection>
-<subsection>
-<title>Finishing Up</title>
-<body>
-
-<p>
-After running into the standard "can't start" issues, you'll notice that the
-application then wants to bind and connect to ports - which are also protected
-by SELinux and can be manipulated by various interfaces. It wants to access your
-soundcard and webcam, etc.
-</p>
-
-<p>
-As you can see from the above information, writing policies correctly isn't
-easy. You need to constantly keep in mind what you are allowing - aren't you
-granting too much? Are you forgetting something? Also, the first time(s) you
-create policies it will take lots of time, but over time you will grow better in
-it. You'll start realizing what all those standard things are that you need to
-allow and what not.
-</p>
-
-<p>
-Writing SELinux policies isn't hard, but it's far more difficult than setting
-the standard Linux permissions on files and directories. It requires a decent
-knowledge of how the application behaves and what the SELinux reference policy
-interfaces grant when you select them.
-</p>
-
-<p>
-If you ever feel like writing these policies, don't hesitate to read up on the
-various resources at the end of this book.
-</p>
-
-</body>
-</subsection>
-</section>
-</sections>
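Review bot: the `$Header:` comment near the top of the deleted file points at /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policymodules.xml (revision 1.5, 2011/06/07), so this hunk deletes a document that is also tracked in Gentoo's main CVS tree; state in the commit message that the canonical copy is the CVS one rather than leaving a bare deletion. Two nits in the removed text are worth fixing in that copy instead: "This simple policy sais" should read "says", and the skype file context line `HOME_DIR/\.Skype(/.*)? gen_context(...)` deliberately omits the file-type field so it matches the directory and its contents, which the surrounding prose never explains.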
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-26 22:05 José María Alonso
From: José María Alonso @ 2011-10-26 22:05 UTC
To: gentoo-commits
commit: 9b362003f51f9e47f79c8809b936fe71003e089a
Author: José María Alonso <nimiux <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 26 22:04:51 2011 +0000
Commit: José María Alonso <nimiux <AT> gentoo <DOT> org>
CommitDate: Wed Oct 26 22:04:51 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9b362003
Fixed minor typo.
---
xml/selinux/hb-using-states.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-states.xml
index e379547..9e99d9c 100644
--- a/xml/selinux/hb-using-states.xml
+++ b/xml/selinux/hb-using-states.xml
@@ -312,7 +312,7 @@ level can access it.
<p>
It is not recommended to switch between types often. At best, you choose your
-policy type at install type and stick with it. But it is not impossible (nor
+policy type at install time and stick with it. But it is not impossible (nor
that hard) to switch between types.
</p>
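Review bot: the replacement "install time" matches the commit message and the rest of the sentence; nothing else in the hunk changes. Since the file carries a `<date>` element in its header (as the other handbook chapters in this thread do), a typo-only commit need not bump it, but the GuideXML convention of updating the date on content changes should be kept in mind for the next substantive edit to this chapter.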
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-10-27 19:18 José María Alonso
From: José María Alonso @ 2011-10-27 19:18 UTC
To: gentoo-commits
commit: 715d485888ed3c3a8934cc2b87b18fe47f54e58b
Author: José María Alonso <nimiux <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 27 19:16:54 2011 +0000
Commit: José María Alonso <nimiux <AT> gentoo <DOT> org>
CommitDate: Thu Oct 27 19:16:54 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=715d4858
Removed useless link tag
---
xml/selinux/selinux-handbook.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/selinux-handbook.xml b/xml/selinux/selinux-handbook.xml
index 893e120..9801448 100644
--- a/xml/selinux/selinux-handbook.xml
+++ b/xml/selinux/selinux-handbook.xml
@@ -3,7 +3,7 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v 1.11 2011/04/25 20:12:59 zorry Exp $ -->
-<book link="selinux-handbook.xml">
+<book>
<title>Gentoo SELinux Handbook</title>
<author title="Author">
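Review bot: dropping the `link` attribute from `<book>` is only safe if the book DTD referenced by these documents (`/dtd/book.dtd`, as seen in the chapter headers elsewhere in this thread) declares it optional; verify the document still validates after the change, since the `$Header:` line immediately above shows this file is mirrored in the main CVS tree where the same edit must be applied.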
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-11-11 19:59 Sven Vermeulen
From: Sven Vermeulen @ 2011-11-11 19:59 UTC
To: gentoo-commits
commit: 5892ad6a113948a2d6f346243c4a7c68216beef1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 11 19:56:42 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Nov 11 19:56:42 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5892ad6a
Add prometheanfire as dev, switch myself and pebenito as per selinux@ discussion
---
xml/selinux/index.xml | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index 8cddd10..c39ddf8 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -67,9 +67,10 @@ As a result, we
</ul>
</goals>
-<dev role="lead" description="Policy, x86, AMD64">pebenito</dev>
+<dev role="lead" description="Documentation, Userspace tools, Policy development">SwifT</dev>
+<dev role="developer" description="Policy development, Userspace tools">pebenito</dev>
<dev role="developer" description="Policy development, Proxy (non developer contributors)">blueness</dev>
-<dev role="developer" description="Documentation, Userspace tools, Policy development">SwifT</dev>
+<dev role="developer" description="Policy development, Support">prometheanfire</dev>
<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook (concepts, installation, maintenance)</resource>
<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-11-22 20:08 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-11-22 20:08 UTC (permalink / raw
To: gentoo-commits
commit: c1bf6d85276c21965676f3126583904f506161dc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 22 20:07:52 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 22 20:07:52 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=c1bf6d85
Add link to SELinux bug reporting guide
---
xml/selinux/index.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/index.xml b/xml/selinux/index.xml
index c39ddf8..08fc361 100644
--- a/xml/selinux/index.xml
+++ b/xml/selinux/index.xml
@@ -75,6 +75,7 @@ As a result, we
<resource link="/proj/en/hardened/selinux/selinux-handbook.xml">Gentoo SELinux Handbook (concepts, installation, maintenance)</resource>
<resource link="/proj/en/hardened/selinux-faq.xml">Gentoo SELinux FAQ</resource>
<resource link="/proj/en/hardened/selinux-development.xml">Gentoo Hardened SELinux Development Guide</resource>
+<resource link="/proj/en/hardened/selinux-bugreporting.xml">Reporting SELinux (policy) bugs</resource>
<resource link="/proj/en/hardened/selinux-policy.xml">Gentoo Hardened SELinux Development Policy</resource>
<resource link="/proj/en/hardened/roadmap.xml">Gentoo Hardened Roadmap (includes SELinux development)</resource>
<resource link="/proj/en/hardened/support-state.xml">Gentoo Hardened Support Matrices (includes SELinux)</resource>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-12-10 14:00 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-12-10 14:00 UTC (permalink / raw
To: gentoo-commits
commit: b5a820ed211f8fb84d84c6889f9b0bb9204544e4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 10 13:59:02 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 10 13:59:02 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=b5a820ed
Update documents to reflect supporting vanilla SELinux support
---
xml/selinux/hb-using-install.xml | 54 +++++++++++++++++---------------------
1 files changed, 24 insertions(+), 30 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 4d9c1eb..85341cc 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,17 +7,17 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>14</version>
-<date>2011-10-18</date>
+<version>15</version>
+<date>2011-12-10</date>
<section>
-<title>Installing Gentoo Hardened</title>
+<title>Installing Gentoo (Hardened)</title>
<subsection>
<title>Introduction</title>
<body>
<p>
-Getting a Gentoo Hardened SELinux installation doesn't require weird actions.
+Getting a SELinux-powered Gentoo installation doesn't require weird actions.
What you need to do is install Gentoo Linux with the correct profile, correct
kernel configuration and some file system relabelling. We seriously recommend to
use SELinux together with other hardening improvements (such as PaX /
@@ -25,10 +25,10 @@ grSecurity).
</p>
<p>
-This chapter will describe the steps to install Gentoo Hardened with SELinux. We
+This chapter will describe the steps to install Gentoo with SELinux. We
assume that you have an existing Gentoo Linux system which you want to convert
-to Gentoo Hardened with SELinux. If this is not the case, you should still read
-on: you can install Gentoo Hardened with SELinux immediately if you make the
+to Gentoo with SELinux. If this is not the case, you should still read
+on: you can install Gentoo with SELinux immediately if you make the
correct decisions during the installation process, based on the information in
this chapter.
</p>
@@ -162,35 +162,29 @@ the following settings to the right file (for instance
<p>
Now that you have a running Gentoo Linux installation, switch the Gentoo profile
-to the right SELinux hardened profile (for instance,
+to the right SELinux profile (for instance,
<path>hardened/linux/amd64/no-multilib/selinux</path>). Note that the older
-profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>) are still
-supported though.
+profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>) are not
+supported anymore.
</p>
<pre caption="Switching the Gentoo profile">
~# <i>eselect profile list</i>
Available profile symlink targets:
[1] default/linux/amd64/10.0
- [2] default/linux/amd64/10.0/desktop
- [3] default/linux/amd64/10.0/desktop/gnome
- [4] default/linux/amd64/10.0/desktop/kde
- [5] default/linux/amd64/10.0/developer
- [6] default/linux/amd64/10.0/no-multilib
- [7] default/linux/amd64/10.0/server
- [8] hardened/linux/amd64
- [9] hardened/linux/amd64/selinux
- [10] hardened/linux/amd64/no-multilib *
- [11] hardened/linux/amd64/no-multilib/selinux
- [12] selinux/2007.0/amd64
- [13] selinux/2007.0/amd64/hardened
- [14] selinux/v2refpolicy/amd64
- [15] selinux/v2refpolicy/amd64/desktop
- [16] selinux/v2refpolicy/amd64/developer
- [17] selinux/v2refpolicy/amd64/hardened
- [18] selinux/v2refpolicy/amd64/server
-
-~# <i>eselect profile set 11</i>
+ [2] default/linux/amd64/10.0/selinux
+ [3] default/linux/amd64/10.0/desktop
+ [4] default/linux/amd64/10.0/desktop/gnome
+ [5] default/linux/amd64/10.0/desktop/kde
+ [6] default/linux/amd64/10.0/developer
+ [7] default/linux/amd64/10.0/no-multilib
+ [8] default/linux/amd64/10.0/server
+ [9] hardened/linux/amd64
+ [10] hardened/linux/amd64/selinux
+ [11] hardened/linux/amd64/no-multilib *
+ [12] hardened/linux/amd64/no-multilib/selinux
+
+~# <i>eselect profile set 12</i>
</pre>
<note>
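Review bot: the instruction `eselect profile set 12` at the end of this hunk hard-codes a list index, and the hunk itself shows that index changing (the same profile moved from [11] to [12] once `default/linux/amd64/10.0/selinux` was added). Readers who copy the number without reading their own `eselect profile list` output can select the wrong profile. Suggest telling them to take the number from their own listing, or to pass the profile name (`hardened/linux/amd64/no-multilib/selinux`) where their eselect version accepts one.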
@@ -595,7 +589,7 @@ running, most of them in the same security domain, but in different categories.
<p>
Finally, you can also select <c>mls</c> to differentiate security domains on
a sensitivity level. However, MLS is currently still considered experimental
-in Gentoo Hardened and as such not recommended.
+in Gentoo and as such not recommended.
</p>
<p>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-12-11 14:36 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-12-11 14:36 UTC (permalink / raw
To: gentoo-commits
commit: 5a3923f95ddfe75d03cb2a363151a7f096b61bf1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Dec 11 14:35:39 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Dec 11 14:35:39 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5a3923f9
Adding portage installation failure information
---
xml/selinux/hb-using-troubleshoot.xml | 70 ++++++++++++++++++++++++++++++++-
1 files changed, 68 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-troubleshoot.xml b/xml/selinux/hb-using-troubleshoot.xml
index 96df785..16fff0a 100644
--- a/xml/selinux/hb-using-troubleshoot.xml
+++ b/xml/selinux/hb-using-troubleshoot.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-appendix-troubleshoot.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>0</version>
-<date>2011-02-24</date>
+<version>1</version>
+<date>2011-12-11</date>
<section>
<title>Unable To Load SELinux Policy</title>
@@ -225,4 +225,70 @@ contexts</e> that you see in the output with the next table.
</body>
</subsection>
</section>
+
+<section>
+<title>Unable to Emerge Anything (OSError: [Errno 22] Invalid argument)</title>
+<subsection>
+<title>Problem Description</title>
+<body>
+
+<p>
+When trying to install software with Portage, you get a huge python stacktrace
+and finally the error message <e>OSError: [Errno 22] Invalid argument</e>:
+</p>
+
+<pre caption="Stacktrace dump when portage fails to install software">
+Traceback (most recent call last):
+ File "/usr/bin/emerge", line 43, in <module>
+ retval = emerge_main()
+ File "/usr/lib64/portage/pym/_emerge/main.py", line 1906, in emerge_main
+ myopts, myaction, myfiles, spinner)
+ File "/usr/lib64/portage/pym/_emerge/actions.py", line 437, in action_build
+ retval = mergetask.merge()
+...
+ File "/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 104, in _doebuild_spawn
+ return spawn(cmd, settings, **kwargs)
+ File "/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 1255, in spawn
+ return spawn_func(mystring, env=mysettings.environ(), **keywords)
+ File "/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
+ setexec(con)
+ File "/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
+ if selinux.setexeccon(ctx) < 0:
+OSError: [Errno 22] Invalid argument
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Wrong Context</title>
+<body>
+
+<p>
+The above error comes when you launch portage (through <c>emerge</c>) while you
+are not in <c>sysadm_t</c> context. You can verify this with <c>id -Z</c>:
+</p>
+
+<pre caption="Checking current context">
+~# <i>id -Z</i>
+system_u:system_r:local_login_t
+</pre>
+
+<p>
+As long as the context isn't <c>sysadm_t</c>, then Portage will break. This is
+because Portage wants to switch its execution context from <c>portage_t</c> to
+<c>portage_sandbox_t</c> but fails (it isn't in <c>portage_t</c> to begin with
+because the user who launched Portage isn't in <c>sysadm_t</c>).
+</p>
+
+<p>
+Please check <uri link="#doc_chap2">Unable to Log On</uri> above first. Also
+make sure that you can <c>dispatch-conf</c> or <c>etc-update</c> after
+installing SELinux so that <path>/etc/pam.d/system-login</path> is updated with
+the right <path>pam_selinux.so</path> calls.
+</p>
+
+</body>
+</subsection>
+</section>
+
</sections>
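Review bot: the sentence "Also make sure that you can <c>dispatch-conf</c> or <c>etc-update</c> after installing SELinux" is missing a verb ("make sure that you run <c>dispatch-conf</c> or <c>etc-update</c>"). In the same "Wrong Context" subsection the `id -Z` example only shows the failing case (`system_u:system_r:local_login_t`); showing the expected context next to it (the `staff_u:sysadm_r:sysadm_t` output used elsewhere in the handbook) would let readers compare directly. The `<uri link="#doc_chap2">` cross-reference is also a fragile numeric anchor; it breaks silently if a section is inserted before "Unable to Log On".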
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-12-11 14:39 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-12-11 14:39 UTC (permalink / raw
To: gentoo-commits
commit: 657dfb4a7512482de478947efc9d953b590fcb29
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Dec 11 14:38:31 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Dec 11 14:38:31 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=657dfb4a
Add blurb on consequences of disabling SELinux support in portage
---
xml/selinux/hb-using-troubleshoot.xml | 25 +++++++++++++++++++++++++
1 files changed, 25 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-troubleshoot.xml b/xml/selinux/hb-using-troubleshoot.xml
index 16fff0a..6a7d2dd 100644
--- a/xml/selinux/hb-using-troubleshoot.xml
+++ b/xml/selinux/hb-using-troubleshoot.xml
@@ -289,6 +289,31 @@ the right <path>pam_selinux.so</path> calls.
</body>
</subsection>
+<subsection>
+<title>Forcing Installation</title>
+<body>
+
+<p>
+If you need to force Portage to continue regardless (for instance, you were in
+the middle of a SELinux installation so cannot properly resolve such issues
+now), run the <c>emerge</c> command but with <c>FEATURES="-selinux"</c>. This
+will effectively disable Portage' SELinux integration, but allows you to
+continue installing software.
+</p>
+
+<pre caption="Running emerge without selinux support">
+~# <i>FEATURES="-selinux" emerge -u world</i>
+</pre>
+
+<p>
+Make sure that you relabel the entire file system after using this approach!
+Portage will not label the files installed on the system correctly if you
+disable its SELinux support. To relabel the entire file system, use <c>rlpkg -a
+-r</c>.
+</p>
+
+</body>
+</subsection>
</section>
</sections>
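Review bot: "Portage' SELinux integration" should read "Portage's SELinux integration". More importantly, the paragraph should state that `FEATURES="-selinux"` must be treated as a one-off escape hatch and not left in `make.conf`, since the hunk itself explains that every file installed while it is active is mislabelled; the closing warning about `rlpkg -a -r` only helps if the reader knows the setting was temporary.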
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2011-12-17 10:52 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2011-12-17 10:52 UTC (permalink / raw
To: gentoo-commits
commit: 874755a75c6184087ed4dee49f0d8b4f84295f0a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 17 10:52:47 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 17 10:52:47 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=874755a7
Reboot before relabeling, add blurb about etc-update/dispatch-conf
---
xml/selinux/hb-using-install.xml | 20 ++++++++++++--------
1 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 85341cc..bd33761 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>15</version>
-<date>2011-12-10</date>
+<version>16</version>
+<date>2011-12-17</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -473,7 +473,9 @@ it yet).
Next, rebuild those packages affected by the profile change we did previously
through a standard world update, taking into account USE-flag changes (as the
new profile will change many default USE flags, including enabling the
-<c>selinux</c> USE flag).
+<c>selinux</c> USE flag). Don't forget to use <c>etc-update</c> or
+<c>dispatch-conf</c> afterwards as some changes to configuration files need to
+be made.
</p>
<pre caption="Update your Gentoo Linux system">
@@ -606,7 +608,7 @@ POLICY_TYPES="<i>strict</i>"
</body>
</subsection>
<subsection>
-<title>Label the File System</title>
+<title>Reboot, and Label the File System</title>
<body>
<impo>
@@ -617,7 +619,8 @@ manipulate during your day-to-day activities on your system.
</impo>
<p>
-First relabel your devices and openrc related files. This will apply the
+First reboot your system so that the installed policies are loaded. Now we
+need to relabel your devices and openrc related files. This will apply the
correct security contexts (labels) onto the necessary files.
</p>
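Review bot: "First reboot your system so that the installed policies are loaded" should say in which mode the system is expected to come up at this point. The file system is not yet labelled when this reboot happens, so the step only works if SELinux is still permissive (the handbook elsewhere says SELinux "is at this point not activated"); a reader who has already switched to enforcing would be unable to run the relabel commands that follow. One sentence confirming the permissive state before rebooting would close that gap.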
@@ -671,9 +674,10 @@ correctly. For instance, if you have installed
<body>
<p>
-Reboot your system. Log on and, if you have indeed installed Gentoo using the
-hardened sources (as we recommended), enable the SSP SELinux boolean, allowing
-every domain read access to the <path>/dev/urandom</path> device:
+Reboot your system so that the newly applied file contexts are used. Log on
+and, if you have indeed installed Gentoo using the hardened sources (as we
+recommended), enable the SSP SELinux boolean, allowing every domain read
+access to the <path>/dev/urandom</path> device:
</p>
<pre caption="Enabling the global_ssp boolean">
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-01-21 13:20 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-01-21 13:20 UTC (permalink / raw
To: gentoo-commits
commit: 54ec74b625fc1890ef6797c18b318f437d0e6063
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jan 21 13:20:34 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jan 21 13:20:34 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=54ec74b6
Correct naming for modules
---
xml/selinux/hb-using-policies.xml | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
index 03751e1..1fef1b3 100644
--- a/xml/selinux/hb-using-policies.xml
+++ b/xml/selinux/hb-using-policies.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>1</version>
-<date>2011-10-15</date>
+<version>2</version>
+<date>2012-01-21</date>
<section>
<title>SELinux Policy Language</title>
@@ -389,6 +389,12 @@ from firefox-related denials:
# <i>semodule -i firefoxmod.pp</i>
</pre>
+<p>
+Keep the module name (given through the <c>-m</c> option) simple: only use
+characters (<c>[a-z]</c>) and numbers (<c>[0-9]</c>), and start the module name
+with a character.
+</p>
+
</body>
</subsection>
</section>
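Review bot: "only use characters (<c>[a-z]</c>) and numbers (<c>[0-9]</c>)" is ambiguous, since digits are also characters; "lowercase letters" matches the `[a-z]` class given and rules out underscores and hyphens explicitly. It would also help to say which command the `-m` option belongs to (the `audit2allow` invocation shown above the `semodule -i firefoxmod.pp` line) so the reader knows where the module name is set.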
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-01-29 12:42 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-01-29 12:42 UTC (permalink / raw
To: gentoo-commits
commit: 2614a1c2739b623bba81b3cff6dfcf71e2e6e2b7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jan 29 12:42:21 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jan 29 12:42:21 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2614a1c2
Add edited lvm-* scripts to CONFIG_PROTECT location
---
xml/selinux/hb-using-install.xml | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index bd33761..a2bf934 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>16</version>
-<date>2011-12-17</date>
+<version>17</version>
+<date>2012-01-29</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -277,7 +277,9 @@ tools or configurations that apply.
<path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>)
and <path>lvm-stop.sh</path> and set the config location from
<path>/dev/.lvm</path> to <path>/etc/lvm/lock</path>. Next, create the
- <path>/etc/lvm/lock</path> directory.
+ <path>/etc/lvm/lock</path> directory. Finally, add
+ <path>/lib(64)/rcscripts/addons</path> to <c>CONFIG_PROTECT</c> in your
+ <path>make.conf</path> file.
</li>
<li>
Check if you have <path>*.old</path> files in <path>/bin</path>. If you do,
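Review bot: `<path>/lib(64)/rcscripts/addons</path>` is likely to be copied literally into `CONFIG_PROTECT`, where the parentheses are not a glob. Spell out the two paths (`/lib/rcscripts/addons` and `/lib64/rcscripts/addons`), or refer back to whichever one the reader edited two sentences earlier, and show the resulting `make.conf` line in a `<pre>` block as the rest of the chapter does.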
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-03-01 20:09 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-03-01 20:09 UTC (permalink / raw
To: gentoo-commits
commit: 2b911cde899f4c86d516e31ad44ff00569afb67e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Mar 1 20:07:41 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Mar 1 20:07:41 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2b911cde
Adding naming convention for SELinux module
---
xml/selinux/hb-using-policies.xml | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
index 1fef1b3..4f76052 100644
--- a/xml/selinux/hb-using-policies.xml
+++ b/xml/selinux/hb-using-policies.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>2</version>
-<date>2012-01-21</date>
+<version>3</version>
+<date>2012-03-01</date>
<section>
<title>SELinux Policy Language</title>
@@ -45,7 +45,10 @@ is not to your liking should you see on using a totally different policy.
</p>
<p>
-Let's start with a skeleton for a policy module we'll call <e>testmod</e>.
+Let's start with a skeleton for a policy module we'll call <e>testmod</e>. You
+should use simple names for the modules as the build infrastructure is quite
+sensitive to special constructs. Use only letters a-z and numbers, and never
+start a module name with a number.
</p>
<pre caption="Policy module skeleton">
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-04-05 16:24 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-04-05 16:24 UTC (permalink / raw
To: gentoo-commits
commit: fb855ada9f2ee20f3b8773a4e53a2729973594e5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 5 16:20:49 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 5 16:20:49 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=fb855ada
Adding info on sandbox issue
---
xml/selinux/hb-using-install.xml | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index a2bf934..ae3ce92 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>17</version>
-<date>2012-01-29</date>
+<version>18</version>
+<date>2012-04-05</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -272,6 +272,10 @@ tools or configurations that apply.
</p>
<ul>
+ <!--
+ TODO When 2.20120215-r5 or higher is stabilized, the LVM change is not needed
+ anymore
+ -->
<li>
If you use LVM for one or more file systems, you need to edit
<path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>)
@@ -288,6 +292,16 @@ tools or configurations that apply.
which mess up the file labelling. For instance, <c>cp /bin/hostname
/bin/hostname.old</c>.
</li>
+ <!--
+ TODO When the fix is accepted in the portage code and that portage version is
+ stabilized, the change is not needed anymore.
+ -->
+ <li>
+ Edit <path>/etc/sandbox.conf</path> and add in
+ <path>/sys/fs/selinux/context</path> to the <c>SANDBOX_WRITE</c> parameter.
+ This is currently needed to work around bug <uri
+ link="https://bugs.gentoo.org/410687">410687</uri>.
+ </li>
</ul>
</body>
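Review bot: the new `<li>` tells the reader to "add in <path>/sys/fs/selinux/context</path> to the <c>SANDBOX_WRITE</c> parameter" but does not show the resulting line; given that `sandbox.conf` entries are whitespace-separated and quoted, a `<pre>` with the exact setting would avoid broken configs. It should also say explicitly that only this one node is to be opened, not `/sys/fs/selinux` as a whole, so that readers do not widen the sandbox's write set beyond what bug 410687 requires. Since the `TODO` comment says this workaround is temporary, the reader should be told to remove the entry again once the fixed Portage is stable.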
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-04-10 18:22 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-04-10 18:22 UTC (permalink / raw
To: gentoo-commits
commit: 48aeb50f83250c1b5f01d4029ad4f77cb62db514
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Apr 10 18:15:12 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Apr 10 18:15:12 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=48aeb50f
Fix bug #411005 - Have the user manually install python-2
---
xml/selinux/hb-using-install.xml | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 539586f..a806009 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,7 +7,7 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>19</version>
+<version>20</version>
<date>2012-04-10</date>
<section>
@@ -101,6 +101,7 @@ we recommend to switch to Python 2 until the packages are updated and fixed.
</p>
<pre caption="Switching to python 2">
+~# <i>emerge '<=dev-lang/python-3.0'</i>
~# <i>eselect python list</i>
Available Python interpreters:
[1] python2.7
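Review bot: the atom `'<=dev-lang/python-3.0'` does not express "install Python 2": `<=` still matches version 3.0 itself, and Portage will pick the highest matching version it can. `'<dev-lang/python-3'` (or an explicit `dev-lang/python:2.7` slot atom) states the intent and cannot resolve to a 3.x interpreter.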
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-04-10 18:22 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-04-10 18:22 UTC (permalink / raw
To: gentoo-commits
commit: fc8853d8d0954a11c738c24ed686c4e0b71064cd
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Apr 10 18:12:13 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Apr 10 18:12:13 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=fc8853d8
Fix bug #411365 - Only refer to staff_u when policy is strict
---
xml/selinux/hb-using-install.xml | 13 ++++++++++---
1 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index ae3ce92..539586f 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>18</version>
-<date>2012-04-05</date>
+<version>19</version>
+<date>2012-04-10</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -707,7 +707,8 @@ access to the <path>/dev/urandom</path> device:
<body>
<p>
-Finally, we need to map the account(s) you use to manage your system (those
+If the <c>SELINUXTYPE</c> is set to <c>strict</c>, then we
+need to map the account(s) you use to manage your system (those
that need access to Portage) to the <c>staff_u</c> SELinux user. If not, none
of your accounts will be able to succesfully manage the system (except for
<c>root</c>, but then you will need to login as <c>root</c> directly and not
@@ -742,6 +743,12 @@ staff_u:sysadm_r:sysadm_t
</pre>
<p>
+If you however use a <c>targeted</c> policy, then the user you work with will be
+of type <e>unconfined_t</e> and will already have the necessary privileges to
+perform system administrative tasks.
+</p>
+
+<p>
With that done, enjoy - your first steps into the SELinux world are now made.
</p>
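Review bot: "succesfully" should be "successfully" in the context line "of your accounts will be able to succesfully manage the system". In the added paragraph, `<e>unconfined_t</e>` is marked up as emphasis while every other type and user in this hunk (`<c>staff_u</c>`, `<c>strict</c>`, `<c>targeted</c>`) uses `<c>`; use `<c>unconfined_t</c>` for consistency. It would also help to state where `SELINUXTYPE` is set (`/etc/selinux/config`) so the reader can check which branch of this paragraph applies before deciding whether to run the `semanage login` step.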
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-04-10 18:22 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-04-10 18:22 UTC (permalink / raw
To: gentoo-commits
commit: 2edf36cf8da16833111fdf7f7f46fa7169bc0e7f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Apr 10 18:22:27 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Apr 10 18:22:27 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2edf36cf
Fix bug #411377 - Additional details on working out corrupted policy store
---
xml/selinux/hb-using-troubleshoot.xml | 34 +++++++++++++++++++++++++++++++-
1 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/xml/selinux/hb-using-troubleshoot.xml b/xml/selinux/hb-using-troubleshoot.xml
index 6a7d2dd..fc0323d 100644
--- a/xml/selinux/hb-using-troubleshoot.xml
+++ b/xml/selinux/hb-using-troubleshoot.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-appendix-troubleshoot.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
<sections>
-<version>1</version>
-<date>2011-12-11</date>
+<version>2</version>
+<date>2012-04-10</date>
<section>
<title>Unable To Load SELinux Policy</title>
@@ -111,6 +111,36 @@ points to a <path>selinux/v2refpolicy/...</path> profile.
</body>
</subsection>
+<subsection>
+<title>Policy Store is Corrupt</title>
+<body>
+
+<p>
+If you encounter problems during boot-up or <c>semodule</c> operations which
+fail with loading problems, but cannot be resolved with the above solution, then
+you might need to reinstall the policies after eliminating the corrupt store.
+</p>
+
+<pre caption="Recovering from store corruption">
+~# <i>semodule -n -B</i>
+libsemanage.semanage_load_module: Error while reading from module file
+/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory)
+
+~# <i>setenforce 0</i>
+~# <i>mv /etc/selinux/targeted /etc/selinux/targeted.old</i>
+~# <i>FEATURES="-selinux" emerge -1av $(qlist -IC sec-policy)</i>
+~# <i>restorecon -R /etc/selinux</i>
+</pre>
+
+<p>
+This will effectively disable the current, corrupted SELinux policy store and
+then use Portage to reinstall all SELinux policy packages that are installed on
+the system. When done, the file contexts of <path>/etc/selinux</path> are
+restored, after which you should be able to continue.
+</p>
+
+</body>
+</subsection>
</section>
<section>
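Review bot: the recovery listing hard-codes `targeted` (`mv /etc/selinux/targeted /etc/selinux/targeted.old`), but the handbook's other hunks use `strict` and `mcs` as well; the path must match the `SELINUXTYPE` actually in use, otherwise the corrupt store is left in place and the reinstall rebuilds a different one. Say so in the prose, or write the path with the type as a placeholder. Two further points: `qlist` comes from `portage-utils`, which should be named as a prerequisite, and `setenforce 0` is the step that keeps the machine usable while the store is gone, so the closing paragraph should remind the reader to return to enforcing mode once `restorecon` has finished.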
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-04-29 14:22 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-04-29 14:22 UTC (permalink / raw
To: gentoo-commits
commit: 15b6b45542f2faee92ba7168ec7df8e8098b71b2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 29 14:20:17 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 29 14:20:17 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=15b6b455
Update with 20120217 related material
---
xml/selinux/hb-intro-concepts.xml | 11 +++-
xml/selinux/hb-using-install.xml | 35 +++--------
xml/selinux/hb-using-policies.xml | 119 ++++++++++++++++++++++++++++++++++++-
xml/selinux/hb-using-states.xml | 24 +++++++-
4 files changed, 157 insertions(+), 32 deletions(-)
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index 5d4470e..bc6f4c1 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>5</version>
-<date>2011-07-21</date>
+<version>6</version>
+<date>2012-04-29</date>
<section>
<title>Introduction</title>
@@ -81,6 +81,13 @@ development focuses mainly on <e>strict</e> and <e>mcs</e>. The
that the <e>mls</e> policy is currently not fit yet for production use.
</p>
+<note>
+To clear up some confusion, especially when trying to seek support outside
+Gentoo: our "strict" implementation is not what was "strict" up to the year
+2008. The old meaning of strict involved a different implementation of the
+policy.
+</note>
+
</body>
</subsection>
</section>
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index a806009..037877e 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>20</version>
-<date>2012-04-10</date>
+<version>21</version>
+<date>2012-04-29</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -91,6 +91,10 @@ Make sure to include layman's <path>make.conf</path> in your
</body>
</subsection>
-->
+<!--
+TODO Validate after 2.20120215-r8 is stable that this is no longer
+necessary? Not sure about it though : check userspace ebuilds as well.
+-->
<subsection>
<title>Switching to Python 2</title>
<body>
@@ -273,19 +277,6 @@ tools or configurations that apply.
</p>
<ul>
- <!--
- TODO When 2.20120215-r5 or higher is stabilized, the LVM change is not needed
- anymore
- -->
- <li>
- If you use LVM for one or more file systems, you need to edit
- <path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>)
- and <path>lvm-stop.sh</path> and set the config location from
- <path>/dev/.lvm</path> to <path>/etc/lvm/lock</path>. Next, create the
- <path>/etc/lvm/lock</path> directory. Finally, add
- <path>/lib(64)/rcscripts/addons</path> to <c>CONFIG_PROTECT</c> in your
- <path>make.conf</path> file.
- </li>
<li>
Check if you have <path>*.old</path> files in <path>/bin</path>. If you do,
either remove those or make them a copy of their counterpart so that they
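Review bot: the removed LVM item carried a TODO tying its removal to 2.20120215-r5 being stabilized, but neither the commit message nor the remaining text records that this condition is now met; state it in the commit message, and consider leaving a one-line remark that the lvm-start.sh/lvm-stop.sh edit and the CONFIG_PROTECT entry are no longer needed, so readers who followed the old instructions know they can revert them.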
@@ -411,8 +402,8 @@ Next, edit <path>/etc/fstab</path> and add the following two lines:
<pre caption="Enabling selinux-specific file system options">
<comment># The udev mount is due to bug #373381</comment>
-udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
-none /selinux selinuxfs defaults 0 0
+udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
+none /sys/fs/selinux selinuxfs defaults 0 0
</pre>
<note>
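Review bot: the `udev /dev tmpfs ...` line is removed and re-added with identical visible content, so that part is a whitespace-only change; confirm it is intentional or drop it so the hunk shows only the real change, the selinuxfs mountpoint moving from `/selinux` to `/sys/fs/selinux`. The new entry also relies on sysfs already being mounted on `/sys` when fstab is processed; a sentence stating that ordering assumption would help readers diagnose a failed mount.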
@@ -420,14 +411,6 @@ In case of an MLS/MCS policy, you need to have the context with sensitivity
level, so <c>...:device_t:s0</c>.
</note>
-<p>
-Make the <path>/selinux</path> mountpoint as well:
-</p>
-
-<pre caption="Creating the /selinux mountpoint">
-~# <i>mkdir /selinux</i>
-</pre>
-
</body>
</subsection>
<subsection>
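Review bot: dropping the `mkdir /selinux` step is only correct because the new mountpoint is a directory provided by the kernel under sysfs; say so in the text (no mkdir is needed for `/sys/fs/selinux`) so readers do not wonder where the mountpoint comes from, and mention the minimum kernel version that offers it if one applies.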
@@ -436,7 +419,7 @@ Make the <path>/selinux</path> mountpoint as well:
<p>
With the above changes made, reboot your system. Assert yourself that you are
-now running a Linux kernel with SELinux enabled (the <path>/selinux</path> file
+now running a Linux kernel with SELinux enabled (the <path>/sys/fs/selinux</path> file
system should be mounted). Don't worry - SELinux is at this point not activated.
</p>
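Review bot: the rewritten line `+now running a Linux kernel with SELinux enabled (the <path>/sys/fs/selinux</path> file` now runs past the wrap width used elsewhere in this file; rewrap the paragraph. While touching this sentence, "Assert yourself that you are" reads oddly; "Verify that you are" is clearer.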
diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
index 4f76052..a67f20b 100644
--- a/xml/selinux/hb-using-policies.xml
+++ b/xml/selinux/hb-using-policies.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>3</version>
-<date>2012-03-01</date>
+<version>4</version>
+<date>2012-04-29</date>
<section>
<title>SELinux Policy Language</title>
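Review bot: the `$Header` comment on the context line still names hb-using-commands.xml although this file is hb-using-policies.xml; since the header block is being touched for the version bump, fix the path at the same time.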
@@ -341,6 +341,121 @@ optional_policy(`
')
</pre>
+<p>
+The following table shows a few common interfaces that could be in use. We
+seriously recommend to look at the available interfaces when enhancing or
+creating your own modules - and be sure to pick the interface that adds just
+what you need, nothing more.
+</p>
+
+<table>
+<tr>
+ <th colspan="3">Templates</th>
+</tr>
+<tr>
+ <th>Suffix</th>
+ <th>Example</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>_template</ti>
+ <ti>virt_domain_template(prefix)</ti>
+ <ti>
+ Not really an interface, templates create additional domains based on the
+ information given to them. This is usually done for fine-grained policy
+ templates with a common (sub)set of privileges.
+ </ti>
+</tr>
+<tr>
+ <th colspan="3">Transformations</th>
+</tr>
+<tr>
+ <th>Suffix</th>
+ <th>Example</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti></ti>
+ <ti>miscfiles_cert_type(resource)</ti>
+ <ti>
+ Transformation interfaces generally add specific attributes to resources or
+ domains. Attributes "transform" the given resource into something more. In
+ the given example, the miscfiles_cert_type(resource) assigns the cert_type
+ attribute to the resource (and also marks it as a file). Interfaces, like
+ miscfiles_read_all_certs work on these attributes.
+ </ti>
+</tr>
+<tr>
+ <th colspan="3">Access interfaces</th>
+</tr>
+<tr>
+ <th>Suffix</th>
+ <th>Example</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>_<access>_<resource></ti>
+ <ti>mta_getattr_spool(domain)</ti>
+ <ti>
+ Grant the specified domain access towards the shown resource. The resource
+ usually defines the type too (like kudzu_getattr_exec_files: grant getattr
+ on the kudzu_exec_t files) unless it is obvious from the name, or when the
+ resource is a more specific term towards the domain. It can also include
+ dontaudit (like mta_dontaudit_getattr_spool).
+ </ti>
+</tr>
+<tr>
+ <ti>_exec</ti>
+ <ti>dmesg_exec(domain)</ti>
+ <ti>
+ Grant one domain the right to execute the given domains' executable file (in
+ the example, allow "domain" to execute dmesg_exec_t files), but without
+ implying that the domains transition. In other words, dmesg gets executed
+ but still confined by the privileges of the source domain.
+ </ti>
+</tr>
+<tr>
+ <ti>_domtrans</ti>
+ <ti>dmesg_domtrans(domain)</ti>
+ <ti>
+ Grant one domain execute and transition privileges towards the new domain.
+ This interface is most commonly used to allow application domains to
+ transition to another. In the given example, dmesg is ran with the
+ privileges of the dmesg_t domain.
+ </ti>
+</tr>
+<tr>
+ <ti>_run</ti>
+ <ti>netutils_run(domain, role)</ti>
+ <ti>
+ Grant a given role and domain the rights to execute and transition towards
+ the given domain. This is usually granted to (existing) user roles and
+ domains and gives them the set of privileges needed to interact safely with
+ the new (interactive) domain (such as terminal access).
+ </ti>
+</tr>
+<tr>
+ <ti>_role</ti>
+ <ti>xserver_role(role, domain)</ti>
+ <ti>
+ Allow the given role and domain the necessary permissions to transition and
+ interact with the given domain. This interface is enhanced with the
+ privileges to interact with the domain (and its underlying files) more
+ thoroughly, and is usually assigned to newly created users or roles within
+ the policy (rather than enhance existing user domains and roles).
+ </ti>
+</tr>
+<tr>
+ <ti>_admin</ti>
+ <ti>aide_admin(domain)</ti>
+ <ti>
+ Grant the given domain the rights to administer the target domains'
+ environment. This usually involves privileges to manage and relabel all
+ affiliated files, directories, sockets, etc.
+ </ti>
+</tr>
+</table>
+
</body>
</subsection>
</section>
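Review bot: `<ti>_<access>_<resource></ti>` contains unescaped angle brackets, so the XML parser will treat `<access>` and `<resource>` as elements and the document will fail to validate; write them as `&lt;access&gt;` and `&lt;resource&gt;`. Two smaller points in the same table: the Transformations row leaves the Suffix cell empty although the example `miscfiles_cert_type` has the suffix `_type`, and "dmesg is ran with" should read "dmesg is run with". In the lead-in paragraph, "We seriously recommend to look at" reads better as "We strongly recommend looking at".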
diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-states.xml
index 9e99d9c..ee7f8e1 100644
--- a/xml/selinux/hb-using-states.xml
+++ b/xml/selinux/hb-using-states.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>1</version>
-<date>2011-10-15</date>
+<version>2</version>
+<date>2012-04-29</date>
<section>
<title>SELinux States</title>
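Review bot: as in hb-using-policies.xml, the `$Header` comment here names hb-using-commands.xml rather than hb-using-states.xml; correct it while the header is being edited.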
@@ -191,6 +191,26 @@ in the order given above:
</body>
</subsection>
+<subsection>
+<title>Domain-permissive Mode</title>
+<body>
+
+<p>
+You can also opt to mark a single domain permissive while running the rest of
+the system in an enforcing state. For instance, to mark mplayer_t as a
+permissive domain (which means that SELinux does not enforce anything):
+</p>
+
+<pre caption="Marking mplayer_t as permissive">
+# <i>semanage permissive -a mplayer_t</i>
+</pre>
+
+<p>
+With the <c>-d</c> option, you can remove the permissive mark again.
+</p>
+
+</body>
+</subsection>
</section>
<section>
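Review bot: "which means that SELinux does not enforce anything" overstates the effect; a permissive domain only affects processes running in that domain (mplayer_t here), the rest of the system stays enforcing, and denials for that domain are still logged rather than blocked, which is what makes the mode useful for policy development. Reword along those lines and add that `semanage permissive -l` lists the domains currently marked permissive, so an administrator can review them and remove the mark with `-d` as described.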
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-05-05 18:56 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-05-05 18:56 UTC (permalink / raw
To: gentoo-commits
commit: e945d3751e180448c8b724329465c37812508d92
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 5 18:55:51 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat May 5 18:55:51 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e945d375
Adding blurb on using /selinux for now
---
xml/selinux/hb-using-install.xml | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 85b2551..6a58a58 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>22</version>
-<date>2012-05-05</date>
+<version>23</version>
+<date>2012-05-06</date>
<section>
<title>Installing Gentoo (Hardened)</title>
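Review bot: the `<date>` is bumped to 2012-05-06 while the commit is dated 2012-05-05; use the actual date of the change.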
@@ -300,9 +300,9 @@ tools or configurations that apply.
Previously (before <path>sys-libs/libselinux-2.1.9</path> was stabilized) the
location of the SELinux file system was <path>/selinux</path>. This location can
still be used (the recent libselinux implementations are currently backwards
-compatible with it) but we recommend to use the new location when you can - and
-if this is your first installation, better to go with the latest one
-immediately ;-)
+compatible with it) and, due to <uri link="https://bugs.gentoo.org/14779">bug
+14779</uri>, is still the location to use if you do not boot with an initramfs
+that premounts <path>/sys</path>.
</p>
</body>
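Review bot: the new text tells readers without an initramfs that premounts `/sys` to keep using `/selinux`, but the fstab example later in this file still mounts selinuxfs on `/sys/fs/selinux` and the reboot check looks for that path; either update those in the same commit or state here that the fstab line and the check must use `/selinux` in that case. Also double-check the bug id: 14779 is far lower than the other bugs cited in this file (373381, 410687) and may be a typo in the link.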
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-05-07 20:07 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-05-07 20:07 UTC (permalink / raw
To: gentoo-commits
commit: de8df879dbb5c649f8f49b36c9df9d6cb4f7edd5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 7 20:06:18 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 7 20:06:18 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=de8df879
Reverting change from /sys/fs/selinux to /selinux, need it until Portage is stabilized
---
xml/selinux/hb-using-install.xml | 26 +++++---------------------
1 files changed, 5 insertions(+), 21 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 6a58a58..2ecf08c 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
<sections>
-<version>23</version>
-<date>2012-05-06</date>
+<version>24</version>
+<date>2012-05-07</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -285,26 +285,10 @@ tools or configurations that apply.
/bin/hostname.old</c>.
</li>
<!--
- TODO When the fix is accepted in the portage code and that portage version is
- stabilized, the change is not needed anymore.
+ TODO When portage fix is stabilized, convert docs to /sys/fs/selinux
-->
- <li>
- Edit <path>/etc/sandbox.conf</path> and add in
- <path>/sys/fs/selinux/context</path> to the <c>SANDBOX_WRITE</c> parameter.
- This is currently needed to work around bug <uri
- link="https://bugs.gentoo.org/410687">410687</uri>.
- </li>
</ul>
-<p>
-Previously (before <path>sys-libs/libselinux-2.1.9</path> was stabilized) the
-location of the SELinux file system was <path>/selinux</path>. This location can
-still be used (the recent libselinux implementations are currently backwards
-compatible with it) and, due to <uri link="https://bugs.gentoo.org/14779">bug
-14779</uri>, is still the location to use if you do not boot with an initramfs
-that premounts <path>/sys</path>.
-</p>
-
</body>
</subsection>
<subsection>
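Review bot: the commit message only describes reverting `/sys/fs/selinux` to `/selinux`, yet the hunk also deletes the `/etc/sandbox.conf` SANDBOX_WRITE item for bug 410687, which is a separate workaround; keep that item, or justify its removal in the message, so readers are not left with sandbox failures during emerge. The shortened TODO also drops the pointer to which fix is awaited; keep the reference to bug 410687 in the comment.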
@@ -412,7 +396,7 @@ Next, edit <path>/etc/fstab</path> and add the following two lines:
<pre caption="Enabling selinux-specific file system options">
<comment># The udev mount is due to bug #373381</comment>
udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
-none /sys/fs/selinux selinuxfs defaults 0 0
+none /selinux selinuxfs defaults 0 0
</pre>
<note>
@@ -428,7 +412,7 @@ level, so <c>...:device_t:s0</c>.
<p>
With the above changes made, reboot your system. Assert yourself that you are
-now running a Linux kernel with SELinux enabled (the <path>/sys/fs/selinux</path> file
+now running a Linux kernel with SELinux enabled (the <path>/selinux</path> file
system should be mounted). Don't worry - SELinux is at this point not activated.
</p>
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
@ 2012-05-07 20:20 Sven Vermeulen
0 siblings, 0 replies; 95+ messages in thread
From: Sven Vermeulen @ 2012-05-07 20:20 UTC (permalink / raw
To: gentoo-commits
commit: 5bf12e1f1542705b8818514f62aa0474764b5739
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 7 20:19:37 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 7 20:19:37 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5bf12e1f
Adding back in sandbox fix, still needed, even with /selinux
---
xml/selinux/hb-using-install.xml | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 2ecf08c..672f11d 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -287,6 +287,12 @@ tools or configurations that apply.
<!--
TODO When portage fix is stabilized, convert docs to /sys/fs/selinux
-->
+ <li>
+ Edit <path>/etc/sandbox.conf</path> and add in
+ <c>SANDBOX_WRITE="/sys/fs/selinux/context"</c>. This is temporarily needed
+ until the necessary fix (included in Portage but not stable yet) is
+ available.
+ </li>
</ul>
</body>
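Review bot: the re-added item no longer carries the bug reference (410687) that the earlier version of this item had, so readers cannot tell which fix to watch for; restore the link. The wording `SANDBOX_WRITE="/sys/fs/selinux/context"` also reads as if the whole value should be replaced; say explicitly whether to append the path to an existing SANDBOX_WRITE entry or add a new line. Finally, explain briefly why a path under `/sys/fs/selinux` is needed while the rest of the document now mounts selinuxfs on `/selinux`, as the commit message says the workaround is still required.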