[gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/

["Sven Vermeulen" <sven.vermeulen@siphos.be>]

commit:     db384261df8fbd156ea90477c06f81e39a1f3577
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 18:24:36 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 18:24:36 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=db384261

Updating the "switching from permissive to enforcing"

---
 xml/selinux/hb-using-policies.xml |   52 +++++++++++++++++++++++++++++++++++++
 xml/selinux/hb-using-states.xml   |   21 +++++++++++++++
 2 files changed, 73 insertions(+), 0 deletions(-)

diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
index 5d5f008..03751e1 100644
--- a/xml/selinux/hb-using-policies.xml
+++ b/xml/selinux/hb-using-policies.xml
@@ -341,4 +341,56 @@ optional_policy(`
 </body>
 </subsection>
 </section>
+
+<section>
+<title>Using audit2allow</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+When reading online resources on SELinux, you will notice that there are many
+references to a tool called <c>audit2allow</c>. This tools' purpose is to read
+AVC denial messages from the audit log file and transform them into a policy
+module that you can load. The advantage is that it makes it a lot easier to
+write policies. The downside is that the output (unless you use the <c>-R</c>
+option) is not usable for the <path>Makefile</path> we used earlier to build
+modules.
+</p>
+
+<p>
+Another disadvantage is that the tool does not intelligently cope with changes.
+It blindly accepts denials and treats them as if they need to be allowed, rather
+than investigate if no other context should be given to the file, etc.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Using audit2allow</title>
+<body>
+
+<p>
+Using <c>audit2allow</c> is pretty straightforward. You send it the denials you
+want to fix and store the result in a <path>.te</path> file. You then convert it
+into an intermediary format which can then be translated into a <path>.pp</path>
+file for final loading by <c>semodule</c>.
+</p>
+
+<p>
+For instance, to catch all denials and transform them into allowed statements
+from firefox-related denials:
+</p>
+
+<pre caption="Generate a new policy using audit2allow">
+# <i>grep firefox /var/log/avc.log | audit2allow -m firefoxmod &gt; firefoxmod.te</i>
+# <i>checkmodule -m -o firefoxmod.mod firefoxmod.te</i>
+# <i>semodule_package -o firefoxmod.pp -m firefoxmod.mod</i>
+# <i>semodule -i firefoxmod.pp</i>
+</pre>
+
+</body>
+</subsection>
+</section>
+
 </sections>

diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-states.xml
index 8702550..e379547 100644
--- a/xml/selinux/hb-using-states.xml
+++ b/xml/selinux/hb-using-states.xml
@@ -168,6 +168,27 @@ Using the <path>/etc/selinux/config</path> <c>SELINUX</c> variable:
 SELINUXTYPE=strict
 </pre>
 
+<p>
+When you want to switch from permissive to enforcing, it is recommended to do so
+in the order given above:
+</p>
+
+<ol>
+  <li>
+    First boot up in permissive mode, log on, verify that your context is
+    correct (<c>id -Z</c>) and then switch to enforcing (<c>setenforce 1</c>).
+    You can now test if your system is still working properly.
+  </li>
+  <li>
+    Next, boot with <c>enforcing=1</c> as kernel parameter. This way, your
+    system will boot in enforcing mode, but if things go haywire, you can just
+    reboot, leave out the option and be back in permissive mode
+  </li>
+  <li>
+    Finally, edit <path>/etc/selinux/config</path> to persist this change.
+  </li>
+</ol>
+
 </body>
 </subsection>
 </section>