From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
Date: Sun, 15 May 2011 09:11:41 +0000 (UTC) [thread overview]
Message-ID: <ae3ab374c135466423f4ecd405935141a00683f5.SwifT@gentoo> (raw)
commit: ae3ab374c135466423f4ecd405935141a00683f5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 15 09:10:07 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 15 09:10:07 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae3ab374
Update previews
---
html/selinux-faq.html | 49 +++++++++++++++++++++++++++++++++++-
html/selinux/hb-using-install.html | 22 +++------------
2 files changed, 53 insertions(+), 18 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 89d9f5b..3a94091 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -56,6 +56,9 @@ as well.
<li><a href="#enable_selinux">How do I enable SELinux?</a></li>
<li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li>
<li><a href="#disable_selinux">How do I disable SELinux completely?</a></li>
+<li><a href="#matchcontext">
+ How do I know which file context rule is used for a particular file?
+</a></li>
</ul>
<p class="secthead">SELinux Kernel Error Messages</p>
<ul><li><a href="#register_security">I get a register_security error message when booting</a></li></ul>
@@ -195,6 +198,50 @@ while SELinux was disabled might have created new files or removed the labels
from existing files, causing these files to be available without security
context.
</p></td></tr></table>
+<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">
+ How do I know which file context rule is used for a particular file?
+</a></p>
+<p>
+If you use the <span class="code" dir="ltr">matchpathcon</span> command, it will tell you what the security
+context for the given path (file or directory) should be, but it doesn't tell
+you which rule it used to deduce this. To do that, you can use <span class="code" dir="ltr">findcon</span>:
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Using findcon</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">findcon /etc/selinux/strict/contexts/files/file_contexts -p /lib64/rc/init.d</span>
+/.* system_u:object_r:default_t
+/lib64/rc/init\.d(/.*)? system_u:object_r:initrc_state_t
+/lib64/.* system_u:object_r:lib_t
+</pre></td></tr>
+</table>
+<p>
+When the SELinux utilities try to apply a context, they try to match the rule
+that is the most specific, so in the above case, it is the one that leads to the
+initrc_state_t context.
+</p>
+<p>
+The most specific means, in order of tests:
+</p>
+<ol>
+ <li>
+ If line A has a regular expression, and line B doesn't, then line B is more
+ specific.
+ </li>
+ <li>
+ If the number of characters before the first regular expression in line A is
+ less than the number of characters before the first regular expression in
+ line B, then line B is more specific
+ </li>
+ <li>
+ If the number of characters in line A is less than in line B, then line B is
+ more specific
+ </li>
+ <li>
+ If line A does not map to a specific SELinux type, and line B does, then
+ line B is more specific
+ </li>
+</ol>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
</span>SELinux Kernel Error Messages</p>
<p class="secthead"><a name="register_security"></a><a name="doc_chap4_sect1">I get a register_security error message when booting</a></p>
@@ -423,7 +470,7 @@ Another fix would be to disable UBAC completely. This is accomplished with
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 3, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 14, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index f4288bb..6b41e61 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -93,7 +93,7 @@ Available Python interpreters:
~# <span class="code-input">source /etc/profile</span>
</pre></td></tr>
</table>
-<p class="secthead"><a name="doc_chap1_sect1">Setting the filesystem contexts</a></p>
+<p class="secthead"><a name="doc_chap1_sect1">Optional: Setting the filesystem contexts</a></p>
<p>
If your <span class="path" dir="ltr">/tmp</span> location is a tmpfs-mounted file system, then you need
to tell the kernel that the root context of this location is <span class="code" dir="ltr">tmp_t</span>
@@ -109,19 +109,6 @@ To configure the <span class="path" dir="ltr">/tmp</span> mount, edit your <span
tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t</span> 0 0
</pre></td></tr>
</table>
-<p>
-Next to the <span class="path" dir="ltr">/tmp</span> location, you will need to explicitly define the
-mount for <span class="path" dir="ltr">rc-svcdir</span>, used by sys-apps/openrc. If not, this tmpfs
-file system is mounted with the wrong security label which will result in boot
-failures.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update /etc/fstab for rc-svcdir</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># Change /lib64 with /lib for 32-bit systems / support</span>
-rc-svcdir /lib64/rc/init.d tmpfs rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0
-</pre></td></tr>
-</table>
<p class="secthead"><a name="doc_chap1_sect1">Enabling ~Arch Packages</a></p>
<p>
The current stable SELinux related packages are not fit for use anymore (or are
@@ -531,8 +518,8 @@ kernel will not update the security attributes of the files you create or
manipulate during your day-to-day activities on your system.
</p></td></tr></table>
<p>
-First relabel your devices. This will apply the correct security contexts
-(labels) onto the device files.
+First relabel your devices and openrc related files. This will apply the
+correct security contexts (labels) onto the necessary files.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel /dev structure</p></td></tr>
@@ -542,6 +529,7 @@ First relabel your devices. This will apply the correct security contexts
<span class="code-comment">(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</span>
~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</span>
+~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</span>
~# <span class="code-input">umount /mnt/gentoo</span>
</pre></td></tr>
</table>
@@ -598,7 +586,7 @@ made.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 16, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 14, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
next reply other threads:[~2011-05-15 9:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-15 9:11 Sven Vermeulen [this message]
-- strict thread matches above, loose matches on Subject: below --
2012-04-28 19:23 [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/ Francisco Blas Izquierdo Riera
2011-10-15 13:05 Sven Vermeulen
2011-09-04 19:54 Sven Vermeulen
2011-08-24 21:10 Sven Vermeulen
2011-05-24 20:39 Sven Vermeulen
2011-04-22 22:35 Sven Vermeulen
2011-04-22 19:18 Sven Vermeulen
2011-02-19 3:45 Francisco Blas Izquierdo Riera
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ae3ab374c135466423f4ecd405935141a00683f5.SwifT@gentoo \
--to=sven.vermeulen@siphos.be \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox