public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/
Date: Tue,  3 May 2011 20:23:23 +0000 (UTC)	[thread overview]
Message-ID: <ae48452f5bb0dbe181a5949c6018de93e9dc146e.SwifT@gentoo> (raw)

commit:     ae48452f5bb0dbe181a5949c6018de93e9dc146e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May  3 20:23:04 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May  3 20:23:04 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae48452f

Update previews

---
 html/selinux-faq.html |   32 +++++++++++++++++++++++++++++++-
 1 files changed, 31 insertions(+), 1 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 42ccef9..cb068d4 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -49,6 +49,7 @@ as well.
 <li><a href="#rsbac">Can I use SELinux and RSBAC?</a></li>
 <li><a href="#filesystem">Can I use SELinux with any file system?</a></li>
 <li><a href="#nomultilib">Can I use SELinux with AMD64 no-multilib?</a></li>
+<li><a href="#ubac">What is UBAC exactly?</a></li>
 </ul>
 <p class="secthead">Using SELinux</p>
 <ul>
@@ -129,6 +130,35 @@ Theoretically, definitely. However, the current selinux profiles in the Portage
 tree are not no-multilib capable. Work is on the way however to make the
 profiles more flexible and support no-multilib soon.
 </p>
+<p class="secthead"><a name="ubac"></a><a name="doc_chap2_sect7">What is UBAC exactly?</a></p>
+<p>
+UBAC, or <span class="emphasis">User Based Access Control</span>, introduces additional constraints
+when using SELinux policy. Participating domains / types that are <span class="emphasis">both</span>
+marked as a <span class="code" dir="ltr">ubac_constrained_type</span> (which is an attribute) will only
+have the allowed privileges in effect if they both run with the same SELinux
+user context.
+</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Domains and their SELinux user context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># The SELinux allow rule</span>
+allow foo_t bar_t:file { read };
+
+<span class="code-comment"># This will succeed:</span>
+staff_u:staff_r:foo_t reads file with type staff_u:object_r:bar_t
+
+<span class="code-comment"># This will be prohibited:</span>
+user_u:user_r:foo_t reads file with type staff_u:object_r:bar_t
+</pre></td></tr>
+</table>
+<p>
+Of course, this is not always the case. Besides the earlier mentioned
+requirement that both types are <span class="code" dir="ltr">ubac_constrained_type</span>, if the source
+domain is <span class="code" dir="ltr">sysadm_t</span>, then the constraint will not be in effect (the 
+<span class="code" dir="ltr">sysadm_t</span> domain is exempt from UBAC constraints). Also, if the source
+or destination SELinux user is <span class="code" dir="ltr">system_u</span> then the constraint will also
+not be in effect. 
+</p>
 <p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
             </span>Using SELinux</p>
 <p class="secthead"><a name="enable_selinux"></a><a name="doc_chap3_sect1">How do I enable SELinux?</a></p>
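Review bot: the code listing in this hunk never states that `foo_t` and `bar_t` both carry the `ubac_constrained_type` attribute, yet the paragraph right above makes that a precondition; as written, a reader could conclude that the `user_u:user_r:foo_t` case is prohibited for any pair of types, when without the attribute on both sides it is not prohibited at all. Suggest opening the listing with a comment such as `# foo_t and bar_t are both ubac_constrained_type` before `allow foo_t bar_t:file { read };`. It would also help to say explicitly that UBAC is a constraint layered over the allow rules: it can only remove permissions that an allow rule already grants, never add any, so the `allow` line is still required for the `staff_u` case to succeed. Two smaller points: the added lines ending in `(the ` and `not be in effect. ` carry trailing whitespace, and the entry explains what UBAC does but not whether the Gentoo policy is built with it or how to switch it on or off, which is what someone landing on this FAQ question from a denial is most likely to need.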
@@ -389,7 +419,7 @@ To fix this, change the user of the file to root:
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 3, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
 The FAQ is a collection of solutions found on IRC, mailinglist, forums or 


