From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: html/selinux-faq.html html/selinux/hb-using-install.html
X-VCS-Directories: html/ html/selinux/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: ae3ab374c135466423f4ecd405935141a00683f5
Date: Sun, 15 May 2011 09:11:41 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Hash: bda6ce46c229d6f4a8d7a136d4bf974f
commit: ae3ab374c135466423f4ecd405935141a00683f5
Author: Sven Vermeulen siphos be>
AuthorDate: Sun May 15 09:10:07 2011 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Sun May 15 09:10:07 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae3ab374
Update previews
---
html/selinux-faq.html              | 49 +++++++++++++++++++++++++++++++++++-
html/selinux/hb-using-install.html | 22 +++------------
2 files changed, 53 insertions(+), 18 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 89d9f5b..3a94091 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -56,6 +56,9 @@ as well.
How do I enable SELinux?
How do I switch between permissive and en=
forcing?
How do I disable SELinux completely?
+
+ How do I know which file context rule is used for a particular file?
+
SELinux Kernel Error Messages
@@ -195,6 +198,50 @@ while SELinux was disabled might have created new fi=
les or removed the labels
from existing files, causing these files to be available without securit=
y
context.
+
+ How do I know which file context rule is used for a particular file?
+
+
+If you use the matchpathcon comm=
and, it will tell you what the security
+context for the given path (file or directory) should be, but it doesn't=
tell
+you which rule it used to deduce this. To do that, you can use findcon:
+
+
+Code Listing3.1: Usin=
g findcon |
+
+~# findcon /etc/selinux/strict/contexts/files=
/file_contexts -p /lib64/rc/init.d
+/.* system_u:object_r:default_t
+/lib64/rc/init\.d(/.*)? system_u:object_r:initrc_state_t
+/lib64/.* system_u:object_r:lib_t
+ |
+
+
+When the SELinux utilities try to apply a context, they try to match the=
rule
+that is the most specific, so in the above case, it is the one that lead=
s to the
+initrc_state_t context.
+
+
+The most specific means, in order of tests:
+
+
+ -
+ If line A has a regular expression, and line B doesn't, then line B =
is more
+ specific.
+
+ -
+ If the number of characters before the first regular expression in l=
ine A is
+ less than the number of characters before the first regular expressi=
on in
+ line B, then line B is more specific
+
+ -
+ If the number of characters in line A is less than in line B, then l=
ine B is
+ more specific
+
+ -
+ If line A does not map to a specific SELinux type, and line B does, =
then
+ line B is more specific
+
+
=
4.
SELinux Kernel Error Messages
I get a register_security error message when booting
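Review bot: the findcon invocation in Code Listing 3.1 hardcodes /etc/selinux/strict/contexts/files/file_contexts, so a reader running a different policy type gets no matches; suggest saying that the path must point at the file_contexts of the policy in use. The listing also prints the three candidate rules in file order without marking the winner, and only the following paragraph names initrc_state_t as the one that applies; a short sentence before the listing saying that findcon lists every matching rule and that the four ordering tests below decide which one setfiles/matchpathcon actually use would make the example read correctly on its own.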
@@ -423,7 +470,7 @@ Another fix would be to disable UBAC completely. This=
is accomplished with
|
-Updated M=
ay 3, 2011 |
+Updated M=
ay 14, 2011 |
Summary:=
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums o=
r=20
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-i=
nstall.html
index f4288bb..6b41e61 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -93,7 +93,7 @@ Available Python interpreters:
~# source /etc/profile
|
-Setting the filesystem=
contexts
+Optional: Setting the =
filesystem contexts
If your /tmp location is a tmpfs=
-mounted file system, then you need
to tell the kernel that the root context of this location is tmp_t
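Review bot: the heading now says "Optional" but the paragraph under it keeps "then you need to tell the kernel", and the only condition given is that /tmp is tmpfs-mounted; suggest spelling out when the step can be skipped (a non-tmpfs /tmp) right after the heading so that "Optional" and the body agree.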
@@ -109,19 +109,6 @@ To configure the /t=
mp mount, edit your ,ro=
otcontext=3Dsystem_u:object_r:tmp_t 0 0
|
-
-Next to the /tmp location, you w=
ill need to explicitly define the
-mount for rc-svcdir, used by sys=
-apps/openrc. If not, this tmpfs
-file system is mounted with the wrong security label which will result i=
n boot
-failures.
-
-
-Code Listing1.1: Upda=
te /etc/fstab for rc-svcdir |
-
-
-rc-svcdir /lib64/rc/init.d tmpfs rw,rootcontext=3Dsystem_u:object_r:i=
nitrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=3D1024k,mode=3D7=
55 0 0
- |
-
Enabling ~Arch Package=
s
The current stable SELinux related packages are not fit for use anymore =
(or are
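Review bot: the removed paragraph warned that leaving rc-svcdir out of fstab makes the tmpfs come up with the wrong label and causes boot failures, and nothing in this hunk (or the commit message "Update previews") says why that warning no longer holds; add one sentence giving the reason, otherwise readers who followed the older text will not know whether to keep or drop their existing rc-svcdir line.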
@@ -531,8 +518,8 @@ kernel will not update the security attributes of the=
files you create or
manipulate during your day-to-day activities on your system.
-First relabel your devices. This will apply the correct security context=
s
-(labels) onto the device files.
+First relabel your devices and openrc related files. This will apply the
+correct security contexts (labels) onto the necessary files.
Code Listing1.1: Rela=
bel /dev structure |
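Review bot: the listing title still reads "Relabel /dev structure" while the sentence above it now says "devices and openrc related files"; rename the title to cover both (for example "Relabel /dev and openrc files") so it matches the commands it introduces.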
@@ -542,6 +529,7 @@ First relabel your devices. This will apply the corre=
ct security contexts
=20
~# setfiles -r /mnt/gentoo /etc/selinux/stric=
t/contexts/files/file_contexts /mnt/gentoo/dev
+~# setfiles -r /mnt/gentoo /etc/selinux/stric=
t/contexts/files/file_contexts /mnt/gentoo/lib64
~# umount /mnt/gentoo
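Review bot: the added setfiles line relabels all of /mnt/gentoo/lib64, while the rule this commit's FAQ hunk shows as the relevant one is /lib64/rc/init\.d(/.*)?; if only the openrc state directory must be labelled before the first boot, passing /mnt/gentoo/lib64/rc would keep the pre-boot relabel to what is needed. The path also assumes a /lib64 layout, which matches the rest of this document but is worth a word for readers whose install uses /lib.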
@@ -598,7 +586,7 @@ made.
-Updated A=
pril 16, 2011 |
+Updated M=
ay 14, 2011 |
Donate to support our development efforts.
| |