public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
Date: Sun, 15 May 2011 09:11:41 +0000 (UTC)
Message-ID: <ae3ab374c135466423f4ecd405935141a00683f5.SwifT@gentoo>

commit:     ae3ab374c135466423f4ecd405935141a00683f5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 15 09:10:07 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 15 09:10:07 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae3ab374

Update previews

---
 html/selinux-faq.html              |   49 +++++++++++++++++++++++++++++++++++-
 html/selinux/hb-using-install.html |   22 +++------------
 2 files changed, 53 insertions(+), 18 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 89d9f5b..3a94091 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -56,6 +56,9 @@ as well.
 <li><a href="#enable_selinux">How do I enable SELinux?</a></li>
 <li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li>
 <li><a href="#disable_selinux">How do I disable SELinux completely?</a></li>
+<li><a href="#matchcontext">
+  How do I know which file context rule is used for a particular file?
+</a></li>
 </ul>
 <p class="secthead">SELinux Kernel Error Messages</p>
 <ul><li><a href="#register_security">I get a register_security error message when booting</a></li></ul>
@@ -195,6 +198,50 @@ while SELinux was disabled might have created new files or removed the labels
 from existing files, causing these files to be available without security
 context.
 </p></td></tr></table>
+<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">
+  How do I know which file context rule is used for a particular file?
+</a></p>
+<p>
+If you use the <span class="code" dir="ltr">matchpathcon</span> command, it will tell you what the security
+context for the given path (file or directory) should be, but it doesn't tell
+you which rule it used to deduce this. To do that, you can use <span class="code" dir="ltr">findcon</span>:
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Using findcon</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">findcon /etc/selinux/strict/contexts/files/file_contexts -p /lib64/rc/init.d</span>
+/.*                          system_u:object_r:default_t
+/lib64/rc/init\.d(/.*)?   system_u:object_r:initrc_state_t
+/lib64/.*                    system_u:object_r:lib_t
+</pre></td></tr>
+</table>
+<p>
+When the SELinux utilities try to apply a context, they try to match the rule
+that is the most specific, so in the above case, it is the one that leads to the
+initrc_state_t context.
+</p>
+<p>
+The most specific means, in order of tests:
+</p>
+<ol>
+  <li>
+    If line A has a regular expression, and line B doesn't, then line B is more
+    specific.
+  </li>
+  <li>
+    If the number of characters before the first regular expression in line A is
+    less than the number of characters before the first regular expression in
+    line B, then line B is more specific
+  </li>
+  <li>
+    If the number of characters in line A is less than in line B, then line B is
+    more specific
+  </li>
+  <li>
+    If line A does not map to a specific SELinux type, and line B does, then
+    line B is more specific
+  </li>
+</ol>
 <p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
             </span>SELinux Kernel Error Messages</p>
 <p class="secthead"><a name="register_security"></a><a name="doc_chap4_sect1">I get a register_security error message when booting</a></p>
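Review bot: the findcon invocation in Code Listing 3.1 hard-codes the strict policy path (/etc/selinux/strict/contexts/files/file_contexts) without the "Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection" remark that the install handbook attaches to the equivalent setfiles command; add the same code-comment line above the findcon call so readers running the targeted policy do not copy a path for a policy they did not install. Two smaller points in the same hunk: items 2 to 4 of the specificity list lack the terminating period that item 1 has, and the type name initrc_state_t in the paragraph after the listing should be wrapped in <span class="code" dir="ltr"> like tmp_t and the other identifiers on these pages.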
@@ -423,7 +470,7 @@ Another fix would be to disable UBAC completely. This is accomplished with
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 3, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 14, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
 The FAQ is a collection of solutions found on IRC, mailinglist, forums or 

diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index f4288bb..6b41e61 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -93,7 +93,7 @@ Available Python interpreters:
 ~# <span class="code-input">source /etc/profile</span>
 </pre></td></tr>
 </table>
-<p class="secthead"><a name="doc_chap1_sect1">Setting the filesystem contexts</a></p>
+<p class="secthead"><a name="doc_chap1_sect1">Optional: Setting the filesystem contexts</a></p>
 <p>
 If your <span class="path" dir="ltr">/tmp</span> location is a tmpfs-mounted file system, then you need
 to tell the kernel that the root context of this location is <span class="code" dir="ltr">tmp_t</span>
@@ -109,19 +109,6 @@ To configure the <span class="path" dir="ltr">/tmp</span> mount, edit your <span
 tmpfs  /tmp  tmpfs  defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t</span>  0 0
 </pre></td></tr>
 </table>
-<p>
-Next to the <span class="path" dir="ltr">/tmp</span> location, you will need to explicitly define the
-mount for <span class="path" dir="ltr">rc-svcdir</span>, used by sys-apps/openrc. If not, this tmpfs
-file system is mounted with the wrong security label which will result in boot
-failures.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update /etc/fstab for rc-svcdir</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># Change /lib64 with /lib for 32-bit systems / support</span>
-rc-svcdir  /lib64/rc/init.d  tmpfs  rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755  0 0
-</pre></td></tr>
-</table>
 <p class="secthead"><a name="doc_chap1_sect1">Enabling ~Arch Packages</a></p>
 <p>
 The current stable SELinux related packages are not fit for use anymore (or are
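Review bot: the removed paragraph stated that leaving the rc-svcdir mount out of /etc/fstab mounts that tmpfs with the wrong security label and results in boot failures, but nothing in the hunk says what now supplies the system_u:object_r:initrc_state_t label for /lib64/rc/init.d once the rootcontext= line is gone. Either add a sentence explaining why the explicit mount is no longer needed (which openrc version or mechanism labels the directory), or keep the fstab entry documented as a fallback for readers whose boot still fails with the old symptom.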
@@ -531,8 +518,8 @@ kernel will not update the security attributes of the files you create or
 manipulate during your day-to-day activities on your system.
 </p></td></tr></table>
 <p>
-First relabel your devices. This will apply the correct security contexts
-(labels) onto the device files.
+First relabel your devices and openrc related files. This will apply the
+correct security contexts (labels) onto the necessary files.
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel /dev structure</p></td></tr>
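Review bot: the rewritten sentence now covers "devices and openrc related files", but the listing title immediately below it still reads "Relabel /dev structure"; rename it (for example "Relabel /dev and openrc files") so the title matches the commands the listing contains. Also hyphenate "openrc-related".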
@@ -542,6 +529,7 @@ First relabel your devices. This will apply the correct security contexts
 
 <span class="code-comment">(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</span>
 ~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</span>
+~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</span>
 ~# <span class="code-input">umount /mnt/gentoo</span>
 </pre></td></tr>
 </table>
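Review bot: the new setfiles line hard-codes /mnt/gentoo/lib64 and relabels that whole tree, while the fstab snippet removed earlier in the same file carried the comment "Change /lib64 with /lib for 32-bit systems / support" and only concerned /lib64/rc/init.d. Add the same 32-bit remark as a code-comment above this line, or narrow the path to /mnt/gentoo/lib64/rc if only the openrc state directory is meant; as written, 32-bit installs are told to run a command against a path that does not apply to them.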
@@ -598,7 +586,7 @@ made.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 16, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 14, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>


