From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1QLXMd-0001cU-5a for garchives@archives.gentoo.org; Sun, 15 May 2011 09:11:51 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 75DED1C01D; Sun, 15 May 2011 09:11:43 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 1BCD01C01D for ; Sun, 15 May 2011 09:11:42 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 353631B4048 for ; Sun, 15 May 2011 09:11:42 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id 6093B80504 for ; Sun, 15 May 2011 09:11:41 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: html/selinux-faq.html html/selinux/hb-using-install.html X-VCS-Directories: html/ html/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: ae3ab374c135466423f4ecd405935141a00683f5 Date: Sun, 15 May 2011 09:11:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: bda6ce46c229d6f4a8d7a136d4bf974f commit: ae3ab374c135466423f4ecd405935141a00683f5 Author: Sven Vermeulen siphos be> AuthorDate: Sun May 15 09:10:07 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sun May 15 09:10:07 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3Dae3ab374 Update previews --- html/selinux-faq.html | 49 ++++++++++++++++++++++++++++++= +++++- html/selinux/hb-using-install.html | 22 +++------------ 2 files changed, 53 insertions(+), 18 deletions(-) diff --git a/html/selinux-faq.html b/html/selinux-faq.html index 89d9f5b..3a94091 100644 --- a/html/selinux-faq.html +++ b/html/selinux-faq.html @@ -56,6 +56,9 @@ as well.
  • How do I enable SELinux?
  • How do I switch between permissive and en= forcing?
  • How do I disable SELinux completely?
  • +
  • + How do I know which file context rule is used for a particular file? +
  • SELinux Kernel Error Messages

    @@ -195,6 +198,50 @@ while SELinux was disabled might have created new fi= les or removed the labels from existing files, causing these files to be available without securit= y context.

    +

    + How do I know which file context rule is used for a particular file? +

    +

    +If you use the matchpathcon comm= and, it will tell you what the security +context for the given path (file or directory) should be, but it doesn't= tell +you which rule it used to deduce this. To do that, you can use findcon: +

    + + + +

    Code Listing3.1: Usin= g findcon

    +~# findcon /etc/selinux/strict/contexts/files=
    /file_contexts -p /lib64/rc/init.d
    +/.*                          system_u:object_r:default_t
    +/lib64/rc/init\.d(/.*)?   system_u:object_r:initrc_state_t
    +/lib64/.*                    system_u:object_r:lib_t
    +
    +

    +When the SELinux utilities try to apply a context, they try to match the= rule +that is the most specific, so in the above case, it is the one that lead= s to the +initrc_state_t context. +

    +

    +The most specific means, in order of tests: +

    +
      +
    1. + If line A has a regular expression, and line B doesn't, then line B = is more + specific. +
    2. +
    3. + If the number of characters before the first regular expression in l= ine A is + less than the number of characters before the first regular expressi= on in + line B, then line B is more specific +
    4. +
    5. + If the number of characters in line A is less than in line B, then l= ine B is + more specific +
    6. +
    7. + If line A does not map to a specific SELinux type, and line B does, = then + line B is more specific +
    8. +

    = 4. SELinux Kernel Error Messages

    I get a register_security error message when booting
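Review bot: in the new findcon section, rule 1 ("If line A has a regular expression, and line B doesn't") should say regular expression metacharacters rather than "a regular expression", since every file_contexts line is one; the listing itself shows why it matters, because `/lib64/rc/init\.d(/.*)?` escapes the dot so it counts as a literal character, while `(/.*)?` does not. Two smaller points: the example hardcodes `/etc/selinux/strict/contexts/files/file_contexts`, so add the same "substitute targeted for strict according to your SELINUXTYPE" remark that hb-using-install.html places before its setfiles command; and "in order of tests" reads more clearly as "each test is only consulted when the previous one does not decide", so the reader sees that rules 2 to 4 are tie-breakers rather than independent criteria.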

    @@ -423,7 +470,7 @@ Another fix would be to disable UBAC completely. This= is accomplished with - +

    Print

    Updated M= ay 3, 2011

    Updated M= ay 14, 2011

    Summary:= Frequently Asked Questions on SELinux integration with Gentoo Hardened. The FAQ is a collection of solutions found on IRC, mailinglist, forums o= r=20 diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-i= nstall.html index f4288bb..6b41e61 100644 --- a/html/selinux/hb-using-install.html +++ b/html/selinux/hb-using-install.html @@ -93,7 +93,7 @@ Available Python interpreters: ~# source /etc/profile

    -

    Setting the filesystem= contexts

    +

    Optional: Setting the = filesystem contexts

    If your /tmp location is a tmpfs= -mounted file system, then you need to tell the kernel that the root context of this location is tmp_t @@ -109,19 +109,6 @@ To configure the /t= mp mount, edit your ,ro= otcontext=3Dsystem_u:object_r:tmp_t 0 0 -

    -Next to the /tmp location, you w= ill need to explicitly define the -mount for rc-svcdir, used by sys= -apps/openrc. If not, this tmpfs -file system is mounted with the wrong security label which will result i= n boot -failures. -

    - - - -

    Code Listing1.1: Upda= te /etc/fstab for rc-svcdir

    -# Change /lib64 with /lib for 32-bit system=
    s / support
    -rc-svcdir  /lib64/rc/init.d  tmpfs  rw,rootcontext=3Dsystem_u:object_r:i=
    nitrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=3D1024k,mode=3D7=
    55  0 0
    -

    Enabling ~Arch Package= s
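Review bot: the removed paragraph stated that without an explicit rc-svcdir mount the tmpfs "is mounted with the wrong security label which will result in boot failures", but nothing in this hunk replaces that explanation; since the later hunk in this file (@@ -542) now runs setfiles over /mnt/gentoo/lib64 instead, the handbook should say in one sentence what now ensures the correct label (presumably that relabel, which per the findcon example in selinux-faq.html maps /lib64/rc/init.d to initrc_state_t), otherwise a reader following an older revision will keep the fstab line and the two approaches get mixed. This deletion also drops the "# Change /lib64 with /lib for 32-bit systems" hint from the listing; make sure the replacement command carries it.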

    The current stable SELinux related packages are not fit for use anymore = (or are @@ -531,8 +518,8 @@ kernel will not update the security attributes of the= files you create or manipulate during your day-to-day activities on your system.

    -First relabel your devices. This will apply the correct security context= s -(labels) onto the device files. +First relabel your devices and openrc related files. This will apply the +correct security contexts (labels) onto the necessary files.

    @@ -542,6 +529,7 @@ First relabel your devices. This will apply the corre= ct security contexts =20 (Substitute the "strict" in the next comman= d with "targeted" if that is your SELINUXTYPE selection) ~# setfiles -r /mnt/gentoo /etc/selinux/stric= t/contexts/files/file_contexts /mnt/gentoo/dev +~# setfiles -r /mnt/gentoo /etc/selinux/stric= t/contexts/files/file_contexts /mnt/gentoo/lib64 ~# umount /mnt/gentoo

    Code Listing1.1: Rela= bel /dev structure
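Review bot: the added setfiles line hardcodes /mnt/gentoo/lib64, while the fstab listing removed earlier in this file carried the note "# Change /lib64 with /lib for 32-bit systems"; add the same substitution remark next to this command (or show both paths) so 32-bit installs are not left with /lib/rc/init.d unlabelled. The listing title "Code Listing 1.1: Relabel /dev structure" should also be updated to mention the openrc files, since the block now relabels more than /dev and the prose changed at @@ -531 already says "devices and openrc related files".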

    @@ -598,7 +586,7 @@ made.

    - +

    Updated A= pril 16, 2011

    Updated M= ay 14, 2011

    Donate to support our development efforts.