From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
Date: Sat, 15 Oct 2011 13:05:35 +0000 (UTC) [thread overview]
Message-ID: <db4e145c0d418e14eb73223d31f8117b6ac37778.SwifT@gentoo> (raw)
commit: db4e145c0d418e14eb73223d31f8117b6ac37778
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 13:05:21 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 13:05:21 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=db4e145c
Update on previews
---
html/selinux-faq.html | 42 +-
html/selinux/hb-intro-concepts.html | 179 ++++-
...ndix-reference.html => hb-intro-resources.html} | 0
html/selinux/hb-using-configuring.html | 919 ++++++++++++++++++++
html/selinux/hb-using-install.html | 29 +-
html/selinux/hb-using-permissive.html | 19 +-
...roubleshoot.html => hb-using-troubleshoot.html} | 0
html/selinux/selinux-handbook.html | 66 +-
8 files changed, 1184 insertions(+), 70 deletions(-)
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 611eaf5..252906f 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -81,6 +81,8 @@ as well.
FAILED (crontabs/root)'
</a></li>
<li><a href="#missingdatum">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></li>
+<li><a href="#recoverportage">Portage fails to label files because "setfiles" does not work anymore</a></li>
+<li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li>
</ul>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
</span>General SELinux Support Questions</p>
@@ -656,11 +658,49 @@ If your system is upgrading its kernel, higher version(s) can be supported. In
this case, either unset the value again to automatically "jump" to a higher
version, or force set it to the higher version.
</p></td></tr></table>
+<p class="secthead"><a name="recoverportage"></a><a name="doc_chap5_sect8">Portage fails to label files because "setfiles" does not work anymore</a></p>
+<p>
+Portage uses the <span class="code" dir="ltr">setfiles</span> command to set the labels of the files it
+installs. However, that command is a dynamically linked executable, so any
+update in its depending libraries (<span class="path" dir="ltr">libselinux.so</span>,
+<span class="path" dir="ltr">libsepol.so</span>, <span class="path" dir="ltr">libaudit.so</span> and of course
+<span class="path" dir="ltr">libc.so</span>) might cause for the application to fail. Gentoo's standard
+solution (<span class="code" dir="ltr">revdep-rebuild</span>) will not work, since the tool will try to
+rebuild policycoreutils, which will fail to install because Portage cannot set
+the file labels.
+</p>
+<p>
+The solution is to rebuild policycoreutils while disabling Portage' selinux
+support, then label the installed files manually using <span class="code" dir="ltr">chcon</span>, based on
+the feedback received from <span class="code" dir="ltr">matchpathcon</span>.
+</p>
+<a name="doc_chap5_pre14"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.14: Recovering from Portage installation failures</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">FEATURES="-selinux" emerge --oneshot policycoreutils</span>
+# <span class="code-input">for FILE in $(qlist policycoreutils); do \
+CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done</span>
+</pre></td></tr>
+</table>
+<p>
+Now Portage will function properly again, labeling files as they should.
+</p>
+<p class="secthead"><a name="nosuid"></a><a name="doc_chap5_sect9">Applications do not transition on a nosuid-mounted partition</a></p>
+<p>
+If you have file systems mounted with the <span class="code" dir="ltr">nosuid</span> option, then
+applications started from these file systems will not transition into their
+appropriate domain. This is intentional.
+</p>
+<p>
+So, a <span class="code" dir="ltr">passwd</span> binary, although correctly labeled <span class="emphasis">passwd_exec_t</span>,
+will not transition into the <span class="emphasis">passwd_t</span> domain if the binary is stored on a
+file system mounted with <span class="code" dir="ltr">nosuid</span>.
+</p>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 13, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
diff --git a/html/selinux/hb-intro-concepts.html b/html/selinux/hb-intro-concepts.html
index 362203a..c5cf801 100644
--- a/html/selinux/hb-intro-concepts.html
+++ b/html/selinux/hb-intro-concepts.html
@@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
@@ -191,6 +191,21 @@ getattr ptrace setkeycreate sigchld transition
</pre></td></tr>
</table>
<p>
+The most common SELinux access control rule (<span class="emphasis">allow</span>) is described as
+follows:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux allow statement</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+allow ACTOR TARGET:CLASS PRIVILEGE;
+ +-+-+ +-+--+ +-+-+ +---+---+
+ | | | `- Permission to be granted (like "write")
+ | | `- Class on which permission is given (like "file")
+ | `- Resource (label) on which permission is valid (like "portage_conf_t")
+ `- Actor (domain) which gets the privilege (like "sysadm_t")
+</pre></td></tr>
+</table>
+<p>
Let's take a look at a small example to explain the permission rules and how
SELinux uses them. The example user is in the <span class="emphasis">staff_u:staff_r:staff_t</span>
context and wants to write to its own home directory. As we can expect, this
@@ -269,8 +284,7 @@ security contexts, let's start from the last definition in the context (the
</li>
</ul>
<p>
-The rules that identify the allowed actions for a domain have the following
-syntax:
+The rules that identify the allowed actions for a domain have been described earlier. Again:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Standard SELinux policy rules</p></td></tr>
@@ -584,6 +598,158 @@ would require the development of new policies for each new client that a system
wants to serve).
</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Reference Policy</p>
+<p class="secthead"><a name="doc_chap1_sect1">About refpolicy</a></p>
+<p>
+As described previously, SELinux uses type enforcement to describe the state of
+your system. This is done by giving each resource on your system (be it a
+process, a network port, a file or directory) a specific type and describe the
+rules how types can work with each other.
+</p>
+<p>
+Managing such a policy is not easy. Unlike some other MAC systems, which rely
+on a learning mode and do not use domain definitions (they rather keep track of
+which commands a process is allowed to execute), a proper SELinux definition
+requires lots (thousands and thousands) of permission lines.
+</p>
+<p>
+To ensure that no duplicate effort is made, and to help distributions like
+Gentoo, Fedora, RedHat, Debian, ... with their SELinux integration efforts, a
+project is launched called <span class="emphasis">The Reference Policy</span>.
+</p>
+<p>
+This project, managed by <a href="http://oss.tresys.com/projects/refpolicy">Tresys</a>, is used by almost
+all SELinux supporting distributions, including Gentoo Hardened, Fedora, RedHat
+Enterprise Linux, Debian, Ubuntu and more. This implementation not only offers
+the modular policies that users are looking for, but also enhances the SELinux
+experience with additional development tools that make it easier to work with
+the SELinux policies on your system. Updates in the reference policy eventually
+make it in all supported distributions. The same goes for Gentoo Hardened, which
+aims to use a policy as close as possible to the reference policy, and submits
+its own patches to the reference policy as well, which benefits the entire
+community.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Reference Policy API</a></p>
+<p>
+One major advantage of the reference policy is its API. To help policy writers,
+the reference policy uses a macro language which generates the necessary allow
+(and other) rules. This macro language makes it a lot easier to add rights to
+particular domains. You can find the API documented <a href="http://oss.tresys.com/docs/refpolicy/api/">online</a>, but if you have
+USE="doc" set, it will be stored on your system as well the moment you install
+and configure SELinux.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Modular Approach</a></p>
+<p>
+Another feature of the reference policy is its use of <span class="emphasis">modules</span>. If you
+would build all rules in a single policy (a binary file readable by the Linux
+kernel, allowing it to interpret and enforce SELinux rules), the file would
+quickly become too huge and inefficient.
+</p>
+<p>
+Instead, the reference policy defines the rules in what it calls modules, which
+define one domain (like <span class="code" dir="ltr">portage_t</span>) or more (if they are all tightly
+related) and the rights and privileges that that domain would need in order to
+function properly. Any right that the domain needs with respect to another
+domain needs to be defined through that domains' interfaces (see earlier),
+forcing the modules to be specific and manageable.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example overview of installed SELinux modules</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -l</span>
+alsa 1.11.0
+apache 2.3.0
+audioentropy 1.6.0
+dbus 1.15.0
+dmidecode 1.4.0
+<span class="code-comment">(...)</span>
+</pre></td></tr>
+</table>
+<p>
+By using a modular approach, one only needs to load the base policy (kernel
+layer as well as other, core definitions) and the modules related to his system.
+You can then safely ignore the other modules. This improves performance (smaller
+policy, which also causes rebuilds to be a lot less painful) and manageability
+(properly defined boundaries for policy rules).
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Tunables and Conditionals</a></p>
+<p>
+But wait, there's more. The reference policy also supports <span class="emphasis">booleans</span>.
+Those are flags that a security administrator can enable or disable to change
+the active policy. Properly defined booleans allow security administrators to
+fine-tune the policy for their system.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Overview of available booleans</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">getsebool -a</span>
+allow_execheap --> off
+allow_execmem --> off
+allow_execmod --> off
+allow_execstack --> off
+allow_gssd_read_tmp --> on
+allow_httpd_anon_write --> off
+</pre></td></tr>
+</table>
+<p>
+Booleans are an important part to make a generic reference policy which is still
+usable for the majority of SELinux users. Although they have specific
+requirements (such as allowing ptrace, or disallowing execmem) they can still
+use the same reference policy and only need to toggle the booleans they need.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Policy Files and Versions</a></p>
+<p>
+The SELinux policy infrastructure that is used (i.e. the capabilities and
+functionalities that it offers) isn't in its first version. Currently, SELinux
+deployments use a binary version of 24 or 26 (depending on the kernel version
+used).
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the binary policy version</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">sestatus</span>
+SELinux status: enabled
+SELinuxfs mount: /selinux
+Current mode: enforcing
+Mode from config file: enforcing
+Policy version: 24
+Policy from config file: strict
+</pre></td></tr>
+</table>
+<p>
+Every time functionalities or capabilities are added which require
+changes to the internal structure of the compiled policy, this version is
+incremented. The following is an overview of the policy versions' history.
+</p>
+<dl>
+ <dt>Version 12</dt>
+ <dd>"Old API" for SELinux, which is now deprecated</dd>
+ <dt>Version 15</dt>
+ <dd>"New API" for SELinux, merged in Linux kernel 2.6.0 (until 2.6.5)</dd>
+ <dt>Version 16</dt>
+ <dd>Conditional policy extensions added (2.6.5)</dd>
+ <dt>Version 17</dt>
+ <dd>IPV6 support added (2.6.6 - 2.6.7)</dd>
+ <dt>Version 18</dt>
+ <dd>Fine-grained netlink socket support added (2.6.8 - 2.6.11)</dd>
+ <dt>Version 19</dt>
+ <dd>Enhanced multi-level security (2.6.12 - 2.6.13)</dd>
+ <dt>Version 20</dt>
+ <dd>Access vector table size optimizations (2.6.14 - 2.6.18)</dd>
+ <dt>Version 21</dt>
+ <dd>Object classes in range transitions (2.6.19 - 2.6.24)</dd>
+ <dt>Version 22</dt>
+ <dd>Policy capabilities (features) (2.6.25)</dd>
+ <dt>Version 23</dt>
+ <dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd>
+ <dt>Version 24</dt>
+ <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd>
+ <dt>Version 25</dt>
+ <dd>Filename based transition support (2.6.39)</dd>
+ <dt>Version 26</dt>
+ <dd>Role transition support for non-process classes (3.0)</dd>
+</dl>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Next Steps</p>
<p class="secthead"><a name="doc_chap1_sect1">What Next</a></p>
<p>
@@ -593,9 +759,10 @@ when SELinux is disabled, then you will need to dive into the security contexts,
rules, types and domain transitions to find out why.
</p>
<p>
-The next chapter in line will discuss how distributions such as Gentoo Hardened
-manage the various permission rules and how they use a macro language to
-generate the permissions instead of creating the allow-rules one by one.
+The next chapter in line will give you some background resource information
+(online resources, books, FAQs, etc.) After that, we'll dive into the
+installation and configuration of SELinux on your Gentoo Hardened system. Then,
+we'll configure and tune the SELinux policy to our needs.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
diff --git a/html/selinux/hb-appendix-reference.html b/html/selinux/hb-intro-resources.html
similarity index 100%
rename from html/selinux/hb-appendix-reference.html
rename to html/selinux/hb-intro-resources.html
diff --git a/html/selinux/hb-using-configuring.html b/html/selinux/hb-using-configuring.html
new file mode 100644
index 0000000..05bd80b
--- /dev/null
+++ b/html/selinux/hb-using-configuring.html
@@ -0,0 +1,919 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Handbook Page
+--
+ </title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Administering Users</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+During the installation, we already covered how to map a Linux user to a SELinux
+user. In the example, we used a hypothetical user "john" and mapped him to the
+SELinux user "staff_u". If you are running a multi-user system, managing the
+right mappings is important. A user that is mapped to the SELinux user "user_u"
+will not get any additional rights. Even if you would give that user additional
+rights through commands such as <span class="code" dir="ltr">sudo</span>, the SELinux policy will not allow
+this user to do anything that is administration related.
+</p>
+<p>
+For this reason, it is important to go over the SELinux user mappings and the
+Linux users on your system.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">User Mappings</a></p>
+<p>
+Run <span class="code" dir="ltr">semanage login -l</span> to show the current mappings between Linux logins
+and SELinux users.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running semanage login -l</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -l</span>
+
+Login Name SELinux User
+
+__default__ user_u
+root root
+john staff_u
+system_u system_u
+</pre></td></tr>
+</table>
+<p>
+The "user_u" SELinux user is for regular accounts. As such, the special
+<span class="emphasis">__default__</span> mapping is defined by SELinux to denote every login that is
+not defined otherwise. This makes sure that a newly defined account does not get
+elevated privileges by default.
+</p>
+<p>
+The next table gives an overview of the standard SELinux users available after
+an installation.
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>SELinux User</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">user_u</td>
+ <td class="tableinfo">
+ Default regular SELinux user, which should be used by end-user accounts that
+ are not going to administer any service(s) on the system
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">staff_u</td>
+ <td class="tableinfo">
+ SELinux user for administrators. This user has the right to switch roles and
+ as such gain elevated privileges
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">root</td>
+ <td class="tableinfo">
+ SELinux user for the root account. It differs little from the staff_u
+ account beyond being a different ID. This ensures that files protected by
+ the user based access control for root cannot be handled by the staff_u
+ (and other) users
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">sysadm_u</td>
+ <td class="tableinfo">
+ SELinux user for system administration. By default, this account is not
+ immediately used as this user immediately gets the administrative role
+ (whereas staff_u and root still need to switch roles).
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">system_u</td>
+ <td class="tableinfo">
+ SELinux user for system services. It should never be used for end users or
+ administrators as it provides direct access to the system role (and
+ privileges)
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">unconfined_u</td>
+ <td class="tableinfo">
+ Used when the policy is <span class="emphasis">targeted</span>, this SELinux user has many
+ privileges (it is essentially not limited in its actions, although it is
+ still handled through SELinux - just through a "wide open" policy).
+ </td>
+</tr>
+</table>
+<p>
+To map a user to a specific SELinux user, use <span class="code" dir="ltr">semanage login -a</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping a user 'sophie' to the staff_u user</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -a -s staff_u sophie</span>
+</pre></td></tr>
+</table>
+<p>
+However, when you update such mapping, the files in that users' home directory
+will be owned by a wrong SELinux user. It is therefor important to relabel the
+files of that user:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling sophie's files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">restorecon -R -F /home/sophie</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Additional SELinux Accounts</a></p>
+<p>
+It is perfectly possible to create additional SELinux accounts, and then map the
+Linux logins to these new accounts. This can be necessary when you want a more
+thorough auditing (on end user level) or when you will be enhancing the policy
+with additional roles. Also, if you want to use the User Based Access Control
+feature, using different SELinux users is important to enforce the control on
+different users (if they all use the same SELinux user, then UBAC has little to
+no effect).
+</p>
+<p>
+Managing the SELinux accounts is done through <span class="code" dir="ltr">semanage user</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating a SELinux user</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage user -a -R "staff_r sysadm_r" sophie</span>
+</pre></td></tr>
+</table>
+<p>
+Let's verify how the SELinux users are currently configured:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking the SELinux user identities</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage user -l</span>
+SELinux User SELinux Roles
+
+root staff_r sysadm_r
+sophie staff_r sysadm_r
+staff_u staff_r sysadm_r
+sysadm_u sysadm_r
+system_u system_r
+unconfined_u unconfined_r
+user_u user_r
+
+# <span class="code-input">semanage login -l</span>
+Login Name SELinux User
+
+__default__ user_u
+root root
+sophie staff_u
+swift staff_u
+system_u system_u
+</pre></td></tr>
+</table>
+<p>
+Now that a new SELinux user called "sophie" exists, we can now update the Linux
+user mapping for "sophie" towards the new SELinux user "sophie":
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Updating the Linux user mapping</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage login -m -s sophie sophie</span>
+# <span class="code-input">semanage login -l</span>
+Login Name SELinux User
+
+__default__ user_u
+root root
+sophie sophie
+swift staff_u
+system_u system_u
+</pre></td></tr>
+</table>
+<p>
+Again, do not forget to relabel this users' files.
+</p>
+<p>
+As you can see, managing SELinux users means defining the roles to which the
+user has access to. We already gave a high-level introduction to the default
+roles in <span title="Link to other book part not available"><font color="#404080">(SELinux Concepts)</font></span>, but as roles are
+important when using a Mandatory Access Control system, let's refresh our memory
+again:
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>SELinux Role</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">user_r</td>
+ <td class="tableinfo">
+ Default end-user role. This role provides access to regular applications and
+ activities, but does not allow any system or service administration beyond
+ what is expected for a regular user.
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">staff_r</td>
+ <td class="tableinfo">
+ Default administration role for day-to-day activities. This role has some
+ additional privileges beyond what is offered through user_r, but is not a
+ full system administrative role. It is meant for the non-administrative
+ activities done by operators and administrators
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">sysadm_r</td>
+ <td class="tableinfo">
+ System administration role. This role is highly privileged (since it also
+ contains the privileges to update the policy) and should only be given to
+ fully trusted administrators. It is almost never immediately granted to
+ users (they first need to switch roles) except for direct root access (for
+ instance through the console)
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">system_r</td>
+ <td class="tableinfo">
+ System service role, which is used for the runtime services (processes). It
+ is never granted to users directly.
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">unconfined_r</td>
+ <td class="tableinfo">
+ The unconfined role is used when the <span class="emphasis">targeted</span> policy is supported.
+ This role is given to unconfined users (such as the SELinux unconfined_u
+ user) which have very wide privileges (they almost run without constraints).
+ </td>
+</tr>
+</table>
+<p>
+It should be noted that these roles are the default ones, but the security
+administrator - yes, that means you - can create additional roles and add
+particular privileges to it. We will discuss this later in this book as it means
+you'll need to update the Gentoo Hardened SELinux policy.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Reading Audit Logs</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+When working with a SELinux-enabled system, you will eventually notice that
+things behave differently, but without giving any meaningful error message.
+Usually, when SELinux "denies" a particular access, it logs it into the audit
+log of the system, but for the application itself, it is perfectly possible that
+it just silently dies. If not, you're most likely to get a <span class="emphasis">permission
+denied</span> error message.
+</p>
+<p>
+Initially, SELinux is running in <span class="code" dir="ltr">permissive</span> mode, which means that
+SELinux will log what it <span class="emphasis">would</span> deny, but still let it through.
+This mode is perfect for getting the system in shape without having too
+much problems keeping it running. Once you think your security settings are
+in order, then this mode can be switched from <span class="code" dir="ltr">permissive</span> to
+<span class="code" dir="ltr">enforcing</span>. We'll talk about these modes later.
+</p>
+<p>
+First, let's take a look at the audit log and see what it is saying...
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Audit Log Location(s)</a></p>
+<p>
+The SELinux kernel code writes its denials (and sometimes even allowed but
+audited activities) into the audit log. If you are running on a Gentoo Hardened
+installation with the <span class="code" dir="ltr">syslog-ng</span> system logger, then the logger is already
+configured to place these audit lines in <span class="path" dir="ltr">/var/log/avc.log</span>. However,
+different system loggers or system logger configurations might put the entries
+in a different log location (such as <span class="path" dir="ltr">/var/log/audit.log</span>).
+</p>
+<p>
+Below, you'll find the appropriate lines for the syslog-ng system logger
+configuration for writing the events in <span class="path" dir="ltr">/var/log/avc.log</span>.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: syslog-ng.conf excerpt for SELinux AVC entries</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># The following lines are only /part/ of the configuration file!</span>
+source kernsrc { file("http://www.gentoo.org/proc/kmsg"); };
+destination avc { file("http://www.gentoo.org/var/log/avc.log"); };
+filter f_avc { message(".*avc: .*"); };
+
+log {
+ source(kernsrc);
+ filter(f_avc);
+ destination(avc);
+};
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">What is AVC?</a></p>
+<p>
+As we mentioned, SELinux writes its entries in the audit log. These entries are
+called <span class="emphasis">avc messages</span> or <span class="emphasis">avc log entries</span>. The abbreviation AVC
+stands for <span class="emphasis">Access Vector Cache</span> and, like the name sais, is a caching
+system.
+</p>
+<p>
+Using an access vector cache improves performance on dealing with (and
+enforcing) activities and privileges. Since SELinux offers a very detailed
+approach on privileges and permissions, it would become quite painful
+(performance-wise) if each call means that the SELinux code needs to look up the
+domain, the target resource label, the privilege and if it is allowed or not
+over and over again. Instead, SELinux uses the Access Vector Cache to store past
+requests/responses. It is the AVC subsystem that is responsible for checking
+accesses and (if necessary) logging it.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Reading an AVC Denial Message</a></p>
+<p>
+Below you'll find a typical AVC denial message.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC denial message</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
+ avc: denied { module_request } for pid=14561 comm="firefox" kmod="net-pf-10"
+ scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
+</pre></td></tr>
+</table>
+<p>
+Let's analyze each part of this message one by one.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: Timestamp and location information</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-input">Oct 15 13:04:54 hpl kernel: [963185.177043]</span> type=1400 audit(1318676694.660:2472):
+ avc: denied { module_request } for pid=14561 comm="firefox" kmod="net-pf-10"
+ scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
+</pre></td></tr>
+</table>
+<p>
+This first part of the message informs you when the message was written (Oct 15
+13:04:54), on which host (hpl) and how many seconds since the system was booted
+(963185.177043).
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: source information</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
+ avc: denied { module_request } for <span class="code-input">pid=14561 comm="firefox"</span> kmod="net-pf-10"
+ <span class="code-input">scontext=staff_u:staff_r:mozilla_t</span> tcontext=system_u:system_r:kernel_t tclass=system
+</pre></td></tr>
+</table>
+<p>
+Next is the source of the denial, i.e. what process is trying to do something.
+In this case, the process is firefox, with PID 14561, which is running in the
+source domain staff_u:staff_r:mozilla_t.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: target resource</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
+ avc: denied { module_request } for pid=14561 comm="firefox" <span class="code-input">kmod="net-pf-10"</span>
+ scontext=staff_u:staff_r:mozilla_t <span class="code-input">tcontext=system_u:system_r:kernel_t</span> tclass=system
+</pre></td></tr>
+</table>
+<p>
+The target of the activity is a kernel module (net-pf-10, which is the internal
+name given for IPv6), labeled system_u:system_r:kernel_t
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: denied action</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
+ avc: denied { <span class="code-input">module_request</span> } for pid=14561 comm="firefox" kmod="net-pf-10"
+ scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t <span class="code-input">tclass=system</span>
+</pre></td></tr>
+</table>
+<p>
+Finally, the action that is denied (module_request) and its class (system).
+These classes help you to identify what is denied, because a read on a file is
+different from a read on a directory.
+</p>
+<p>
+For instance, in the following case, a process <span class="code" dir="ltr">gorg</span> with PID 13935 is
+trying to read a file called <span class="path" dir="ltr">localtime</span> with inode 130867 which
+resides on the device <span class="path" dir="ltr">/dev/md3</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Oct 15 14:40:30 hpl kernel: [968909.807802] type=1400 audit(1318682430.323:2614):
+ avc: denied { read } for pid=13935 comm="gorg" name="localtime" dev=md3 ino=130867
+ scontext=staff_u:sysadm_r:gorg_t tcontext=system_u:object_r:locale_t tclass=file
+</pre></td></tr>
+</table>
+<p>
+In this case, it might be obvious that the file is <span class="path" dir="ltr">/etc/localtime</span>,
+but when that isn't the case, then you can find the following two commands
+useful:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Finding out the target resource based on inode and device</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">(Find out which device /dev/md3 is)</span>
+# <span class="code-input">mount | grep /dev/md3</span>
+/dev/md3 on / type ext4 (rw,seclabel,noatime,barrier=1,nodelalloc,data=journal)
+
+<span class="code-comment">(Find out what file has inode 130867)</span>
+# <span class="code-input">find / -xdev -inum 130867</span>
+/etc/localtime
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Handling AVC denials</a></p>
+<p>
+The major part of configuring SELinux is reading the denials, finding out what
+needs to be fixed (or ignored), fix it, and repeat the steps. Hopefully, the
+rest of this handbook will help you figure out what is causing a denial.
+</p>
+<p>
+Denials can be cosmetic (an activity that is denied, but has no effect on the
+application's functional behaviour). If that is the case, the denial can be
+marked as <span class="emphasis">dontaudit</span>, meaning that the denial is not logged by default
+anymore. If you think that a denial is occurring but you do not see it in the
+logs, try disabling the <span class="emphasis">dontaudit</span> rules:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Disabling dontaudit</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment">(The command can also be abbreviated to "semodule -DB")</span>
+# <span class="code-input">semodule --build --disable_dontaudit</span>
+</pre></td></tr>
+</table>
+<p>
+In most cases though, denials need to be acted upon. Actions that might need to
+happen are:
+</p>
+<ul>
+ <li>
+ relabeling the target resource (wrong labels might cause legitimate actions
+ to be denied)
+ </li>
+ <li>
+ relabeling the source (process' binary file) as a wrong label might cause
+ the application to run in the wrong domain
+ </li>
+ <li>
+ loading a necessary SELinux module, since the modules contain the rules to
+ allow (and label) resources. Without the appropriate module loaded, you will
+ notice denials since no other module gives the necessary grants (allow
+ statements)
+ </li>
+ <li>
+ granting the right role to the user executing the application. We have
+ covered users and their roles initially but we will go deeper into this
+ subject later in the handbook.
+ </li>
+ <li>
+ adding your own SELinux policy statements, most likely because no SELinux
+ policy module exists for the application you are trying to run
+ </li>
+</ul>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Using (File) Labels</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+Within SELinux, access privileges are based on the label given on the
+originating part (called the <span class="emphasis">domain</span>) and its target resource. For
+instance, a process running in the passwd_t domain wants to read (= privilege)
+the file <span class="path" dir="ltr">/etc/shadow</span> which is labeled shadow_t (= the target
+resource). It comes to no surprise then that the majority of SELinux
+administration is (re)labeling the resources correctly (and ensuring their label
+stays correct).
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Getting File Label(s)</a></p>
+<p>
+There are many ways to relabel commands, and none of them are equal to another.
+But before we explain this in more detail, let's first take a look at a few file
+labels (and how you can query them).
+</p>
+<p>
+In SELinux, labels are given on a file level through the file systems' ability
+to keep <span class="emphasis">extended attributes</span>. For SELinux, the attribute is called
+<span class="code" dir="ltr">security.selinux</span> and can be obtained through <span class="code" dir="ltr">getfattr</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a file's extended attribute for SELinux</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">getfattr -n security.selinux /etc/hosts</span>
+# file: etc/hosts
+security.selinux="system_u:object_r:net_conf_t"
+</pre></td></tr>
+</table>
+<p>
+Of course, getting the file attribute this way is time consuming and not that
+flexible. For this purpose, most important applications (including
+<span class="code" dir="ltr">coreutils</span>) are made SELinux-aware. These applications mostly use the
+<span class="code" dir="ltr">-Z</span> option to display the SELinux context information. In case of files,
+this means the extended attribute content:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the context of a file</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">ls -Z /etc/hosts</span>
+system_u:object_r:net_conf_t /etc/hosts
+</pre></td></tr>
+</table>
+<p>
+Other commands exist that display the context as it should be, like
+<span class="code" dir="ltr">matchpathcon</span>. However, their purpose is to query the SELinux policy on
+your system to find out what the policy ought to be, not what it is:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Difference between context and matchpathcon result</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">ls -Z /etc/make.conf</span>
+staff_u:object_r:etc_t /etc/make.conf
+$ <span class="code-input">matchpathcon /etc/make.conf</span>
+/etc/make.conf system_u:object_r:portage_conf_t
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Setting File Label(s)</a></p>
+<p>
+Now how can you manipulate file labels? Well, first of all: you will not be
+allowed to change the file labels of any possible file (not even if you are the
+owner of that file) unless the SELinux policy allows you to. These allow rules
+are made on two privilege types: which labels are you allowed to change
+(<span class="code" dir="ltr">relabelfrom</span>) and to which labels are you allowed to change
+(<span class="code" dir="ltr">relabelto</span>). You can query these rules through <span class="code" dir="ltr">sesearch</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Querying the relabelto/relabelfrom types</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># From which label on files (-c) is user_t (-s) allowed (-A) to relabel from (-p)?</span>
+$ <span class="code-input">sesearch -s user_t -c file -p relabelfrom -A</span>
+<span class="code-comment">[...]</span>
+allow user_t mozilla_home_t : file { <span class="code-comment">...</span> relabelfrom relabelto } ;
+</pre></td></tr>
+</table>
+<p>
+If you have the permission, then you can use <span class="code" dir="ltr">chcon</span> to <span class="emphasis">ch</span>ange the
+<span class="emphasis">con</span>text of a file:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Changing a file context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">ls -Z strace.log</span>
+staff_u:object_r:user_home_t strace.log
+$ <span class="code-input">chcon -t mutt_home_t strace.log</span>
+$ <span class="code-input">ls -Z strace.log</span>
+staff_u:object_r:mutt_home_t strace.log
+</pre></td></tr>
+</table>
+<p>
+If you do not hold the right privileges, you will get a descriptive error
+message:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Trying to change file context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">chcon -t shadow_t strace.log</span>
+chcon: failed to change context of `strace.log' to `staff_u:object_r:shadow_t': Permission denied
+</pre></td></tr>
+</table>
+<p>
+Now, if you now think that <span class="code" dir="ltr">chcon</span> is all you need, you're wrong. The
+<span class="code" dir="ltr">chcon</span> command does nothing more than what it sais - change context. But
+when the system relabels files, these changes are gone. Relabeling files is
+often done to ensure that the file labels are correct (as in: the labels match
+what the SELinux policy sais they ought to be). The SELinux policy contains, for
+each policy module, the list of files, directories, sockets, ... and their
+appropriate file context (label).
+</p>
+<p>
+We will look at SELinux policy modules later, but below you'll find an excerpt
+from such a definition, for the <span class="code" dir="ltr">mozilla</span> module:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Excerpt of the mozilla module file contexts</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+</pre></td></tr>
+</table>
+<p>
+To put the right label on a file, you can use the <span class="code" dir="ltr">setfiles</span> or
+<span class="code" dir="ltr">restorecon</span> commands. Since they are both the same command (but with a
+slightly different way of using) we'll only talk about <span class="code" dir="ltr">restorecon</span> for now
+- more information on the <span class="code" dir="ltr">setfiles</span> command can be found in its man page.
+</p>
+<p>
+When you use <span class="code" dir="ltr">restorecon</span>, the application will query the SELinux policy to
+find out what the right label of the file should be. If it differs, it will
+change the label to the right setting. That means that you do not need to
+provide the label for a file in order for the command to work. Also,
+<span class="code" dir="ltr">restorecon</span> supports recursivity, so you do not need to relabel files one
+by one.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using restorecon</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">ls -Z /etc/make.conf</span>
+staff_u:object_r:etc_t /etc/make.conf
+$ <span class="code-input">restorecon /etc/make.conf</span>
+$ <span class="code-input">ls -Z /etc/make.conf</span>
+system_u:object_r:portage_conf_t /etc/make.conf
+</pre></td></tr>
+</table>
+<p>
+Finally, Gentoo also provides a useful application: <span class="code" dir="ltr">rlpkg</span>. This script
+relabels the files of a Gentoo package (<span class="code" dir="ltr">rlpkg <packagename></span>) or,
+given the right arguments, all files on the file system:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using rlpkg</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Relabel the files of the firefox-bin package:</span>
+# <span class="code-input">rlpkg firefox</span>
+
+<span class="code-comment"># Relabel all files on the file system:</span>
+# <span class="code-input">rlpkg -a -r</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Overriding the SELinux Policy File Labels</a></p>
+<p>
+You might not always agree with the label that the SELinux policy enforces on
+the files: you might have your files located elsewhere (a different location for
+your Portage tree is a nice example) or you need to label them differently in
+order for other applications to work. To not have to <span class="code" dir="ltr">chcon</span> these files
+over and over again, you can enhance the SELinux policy on your system with
+additional file context rules. These rules are used when you call
+<span class="code" dir="ltr">restorecon</span> as well and override the rules provided by the SELinux policy.
+</p>
+<p>
+To add additional file context rules, you need to use the <span class="code" dir="ltr">semanage</span>
+command. This command is used to manage, manipulate and update the local SELinux
+policy on your system. In this particular case, we will use the <span class="code" dir="ltr">semanage
+fcontext</span> command:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using semanage to add a file context rule</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+<span class="code-comment"># Mark /mnt/gentoo/etc/make.conf as a portage_conf_t type</span>
+# <span class="code-input">semanage fcontext -a -t portage_conf_t /mnt/gentoo/etc/make.conf</span>
+
+<span class="code-comment"># Mark /mnt/gentoo/usr/portage as portage_ebuild_t</span>
+# <span class="code-input">semanage fcontext -a -t portage_ebuild_t "http://www.gentoo.org/mnt/gentoo/usr/portage(/.*)?"</span>
+</pre></td></tr>
+</table>
+<p>
+As you can see from the example, you can use wildcards. But beware about using
+wildcards: when a rule holds a wildcard, it has a lower priority than a rule
+without a wildcard. And the priority on rules with a wildcard is based on how
+"down" the string the first occurance of a wildcard is. For more information,
+please check out our <a href="../selinux-faq.xml#matchcontext">FAQ on "How do
+I know which file context rule is used for a particular file?."</a>
+</p>
+<p>
+If you want to delete a file context definition, you use <span class="code" dir="ltr">semanage fcontext
+-d</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Deleting a file context definition</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage fcontext -d -t portage_ebuild_t /mnt/gentoo/etc/make.conf</span>
+</pre></td></tr>
+</table>
+<p>
+Finally, to view all file context definitions (both user-set and SELinux policy
+provided), you can use <span class="code" dir="ltr">semanage fcontext -l</span>. To only see the locally set,
+add <span class="code" dir="ltr">-C</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Viewing user-set file context enhancements</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semanage fcontext -C -l</span>
+SELinux fcontext type Context
+/opt/xxe/bin/.*\.jar all files system_u:object_r:lib_t
+/srv/virt/gentoo(/.*)? all files system_u:object_r:qemu_image_t
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Customizable types</a></p>
+<p>
+Labels on files are not that hard to understand, but you might come into some
+surprises if you do not know that there are also customizable types.
+</p>
+<p>
+A <span class="emphasis">customizable type</span> is a specific type which is not touched by the
+SELinux administration tools by default. If you want to relabel a file that
+currently holds a customizable type, you will need to force this through the
+commands (such as <span class="code" dir="ltr">restorecon -F</span>).
+</p>
+<p>
+There are not that many customizable types by default. The list of types that
+SELinux considers as customizable are mentioned in the
+<span class="path" dir="ltr">customizable_types</span> file within the
+<span class="path" dir="ltr">/etc/selinux/*/contexts</span> location:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the customizable types</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">cat /etc/selinux/strict/contexts/customizable_types</span>
+mount_loopback_t
+public_content_rw_t
+public_content_t
+swapfile_t
+textrel_shlib_t
+</pre></td></tr>
+</table>
+<p>
+Such types exist because these types are used for files whose location is known
+not to be fixed (and as such, the SELinux policy cannot without a doubt know if
+the label on the files is correct or not). The <span class="code" dir="ltr">public_content_t</span> one,
+which is used for files that are readable by several services (like FTP, web
+server, ...), might give you a nice example for such a case.
+</p>
+<p>
+If you look at the <span class="code" dir="ltr">restorecon</span> man page, it mentions both customizable
+types as well as the user section. The latter is for rules that are identified
+in the SELinux policy as being files for an end user, like the following
+definitions in the <span class="code" dir="ltr">mozilla</span> policy module:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: User section definition within mozilla module</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+</pre></td></tr>
+</table>
+<p>
+Although in the above example, forcing <span class="code" dir="ltr">restorecon</span> on the files is
+probably correct, there are examples where you do not want this. For instance,
+the firefox policy by default only allows the application to write to
+directories labeled <span class="code" dir="ltr">mozilla_home_t</span>. If you want to download something,
+this isn't possible (unless you download it into <span class="path" dir="ltr">~/.mozilla</span>). The
+solution there is to label a directory (say <span class="path" dir="ltr">~/Downloads</span>) as
+<span class="code" dir="ltr">mozilla_home_t</span>.
+</p>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>SELinux Policy and Booleans</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+We have dealt with users and labels now, but there is still a third aspect that
+we haven't touched: the SELinux policy itself.
+</p>
+<p>
+The SELinux policy as offered by Gentoo Hardened is a carefully tuned SELinux
+policy, based on the reference policy (a distribution-agnostic SELinux policy)
+with minor changes. Hopefully, you will not need to rewrite the policy to suit
+it for your needs, but changes are very likely to occur here and there.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Changing the SELinux Policy Behavior: Booleans</a></p>
+<p>
+A common and user friendly way of tweaking the SELinux policy is through
+booleans. A <span class="emphasis">SELinux boolean</span>, also known as a conditional, changes how the
+SELinux policy behaves based on the setting that the user provides. To make this
+a bit more clear, let's look at a few booleans available:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting SELinux booleans</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">getsebool -a | grep ^user</span>
+user_direct_mouse --> off
+user_dmesg --> off
+user_ping --> on
+user_rw_noexattrfile --> off
+user_tcp_server --> off
+user_ttyfile_stat --> off
+</pre></td></tr>
+</table>
+<p>
+Although they might not say much on first sight, these booleans alter how the
+SELinux policy enforces user activity (hence the booleans starting with
+<span class="path" dir="ltr">user_</span>). For instance, <span class="code" dir="ltr">user_ping</span> is set to <span class="code" dir="ltr">on</span>, so a
+user is allowed to use <span class="code" dir="ltr">ping</span>. If it was set to <span class="code" dir="ltr">off</span>, the SELinux
+policy would not allow a user to execute <span class="code" dir="ltr">ping</span>.
+</p>
+<p>
+Booleans can be toggled on or off using <span class="code" dir="ltr">setsebool</span> or <span class="code" dir="ltr">togglesebool</span>.
+With <span class="code" dir="ltr">setsebool</span> you need to give the value (on or off) whereas
+<span class="code" dir="ltr">togglesebool</span> switches the value.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Disallowing the use of ping by users</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">setsebool user_ping off</span>
+</pre></td></tr>
+</table>
+<p>
+By default, <span class="code" dir="ltr">setsebool</span> does not store the boolean values - after a reboot,
+the old values are used again. To persist such changes, you need to add the
+<span class="code" dir="ltr">-P</span> option:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Persistedly allow users to run dmesg</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">setsebool -P user_dmesg on</span>
+</pre></td></tr>
+</table>
+<p>
+Booleans allow administrators to tune the policy, and allow security
+administrators to write policies that are flexible enough for a more widespread
+use. In terms of Gentoo flexibility, these booleans might not be used enough (it
+would be nice to couple these booleans on USE flags, so that a server build with
+USE="ldap" gets the SELinux policy to use ldap, whereas USE="-ldap" disallows
+it). But still, the use of booleans is a popular method for making a more
+flexible SELinux policy.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Managing SELinux Policy Modules</a></p>
+<p>
+In this last part, we'll cover SELinux policy modules. We mentioned before that
+the SELinux policy used by Gentoo Hardened is based on the reference policy,
+which offers a modular approach to SELinux policies. There is one base policy,
+which is mandatory on every system and is kept as small as possible. The rest
+are SELinux policy modules, usually providing the declarations, rules and file
+contexts for a single application (or type of applications).
+</p>
+<p>
+With <span class="code" dir="ltr">semodule -l</span> you can see the list of SELinux policy modules loaded:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the loaded SELinux modules</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">semodule -l</span>
+alsa 1.11.0
+apache 2.3.0
+entropyd 1.6.0
+dbus 1.15.0
+dnsmasq 1.9.0
+<span class="code-comment">(...)</span>
+</pre></td></tr>
+</table>
+<p>
+Within Gentoo Hardened, each module is provided by the package
+<span class="path" dir="ltr">sec-policy/selinux-<modulename></span>. For instance, the first
+module encountered in the above example is provided by
+<span class="path" dir="ltr">selinux-alsa</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: The SELinux policy module package in Gentoo</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">emerge --search selinux-alsa</span>
+Searching...
+[ Results for search key : selinux-alsa ]
+[ Applications found : 1]
+
+* sec-policy/selinux-alsa
+ Latest version available: 2.20110726
+ Latest version installed: 2.20110726
+ Size of files: 574 kB
+ Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
+ Description: SELinux policy for alsa
+ License: GPL-2
+</pre></td></tr>
+</table>
+<p>
+If you need a module that isn't installed on your system, this is considered a
+bug (packages that need it should depend on the SELinux policy package if the
+selinux USE flag is set). But once you install the package yourself, the module
+will be loaded automatically:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing a SELinux policy package</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge selinux-screen</span>
+</pre></td></tr>
+</table>
+<p>
+If you want to remove a module from your system though, uninstalling the package
+will not suffice: the SELinux policy module itself is copied to the policy store
+earlier (as part of the installation process) and is not removed from this store
+by Portage. Instead, you will need to remove the module manually:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Uninstalling a SELinux policy module</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">emerge -C selinux-screen</span>
+# <span class="code-input">semodule -r screen</span>
+</pre></td></tr>
+</table>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 30, 2011</p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index b711d55..061fe7b 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -39,10 +39,10 @@ this chapter.
<p>
Install Gentoo Linux according to the <a href="http://www.gentoo.org/doc/en/handbook">Gentoo
Handbook</a> installation instructions. We recommend the use of the hardened
-stage 3 tarballs instead of the standard ones, but standard stage
-installations are also supported for SELinux. Perform a full installation to
-the point that you have booted your system into a (primitive) Gentoo base
-installation.
+stage 3 tarballs and <span class="code" dir="ltr">hardened-sources</span> kernel instead of the standard
+ones, but standard stage installations are also supported for SELinux.
+Perform a full installation to the point that you have booted your system
+into a (primitive) Gentoo base installation.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
If you are an XFS user, make sure that the inode sizes of the XFS file
@@ -403,7 +403,7 @@ flag), but until that time, you will need to install them yourself.
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing SELinux modules</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">eix selinux-</span>
+~# <span class="code-input">emerge --search selinux-</span>
[...]
<span class="code-comment">(Select the modules you want to install)</span>
~# <span class="code-input">emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</span>
@@ -562,7 +562,8 @@ correctly. For instance, if you have installed
<p class="secthead"><a name="doc_chap1_sect1">Reboot and Set SELinux Booleans</a></p>
<p>
Reboot your system. Log on and, if you have indeed installed Gentoo using the
-hardened sources (as we recommended), enable the SSP SELinux boolean:
+hardened sources (as we recommended), enable the SSP SELinux boolean, allowing
+every domain read access to the <span class="path" dir="ltr">/dev/urandom</span> device:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling the global_ssp boolean</p></td></tr>
@@ -573,12 +574,14 @@ hardened sources (as we recommended), enable the SSP SELinux boolean:
<p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p>
<p>
Finally, we need to map the account(s) you use to manage your system (those
-that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. By default,
-users are mapped to the <span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the
-appropriate rights (nor access to the appropriate roles) to manage a system.
-Accounts that are mapped to <span class="code" dir="ltr">staff_u</span> can, but might need to switch roles
-from <span class="code" dir="ltr">staff_r</span> to <span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate
-privileges.
+that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. If not, none
+of your accounts will be able to succesfully manage the system (except for
+<span class="code" dir="ltr">root</span>, but then you will need to login as <span class="code" dir="ltr">root</span> directly and not
+through <span class="code" dir="ltr">sudo</span> or <span class="code" dir="ltr">su</span>.) By default, users are mapped to the
+<span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the appropriate rights (nor access
+to the appropriate roles) to manage a system. Accounts that are mapped to
+<span class="code" dir="ltr">staff_u</span> can, but might need to switch roles from <span class="code" dir="ltr">staff_r</span> to
+<span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate privileges.
</p>
<p>
Assuming that your account name is <span class="emphasis">john</span>:
@@ -610,7 +613,7 @@ With that done, enjoy - your first steps into the SELinux world are now made.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated July 22, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html
index d5e77aa..4212a95 100644
--- a/html/selinux/hb-using-permissive.html
+++ b/html/selinux/hb-using-permissive.html
@@ -243,11 +243,18 @@ screen: /usr/bin/screen
~# <span class="code-input">qfile /usr/bin/screen</span>
app-misc/screen (/usr/bin/screen)
-~# <span class="code-input">eix selinux-screen</span>
-* sec-policy/selinux-screen
- Available versions: ~2.20090730 ~2.20091215 ~2.20101213
- Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
- Description: SELinux policy for general applications
+~# <span class="code-input">emerge --search selinux-screen</span>
+Searching...
+[ Results for search key : selinux-screen ]
+[ Applications found : 1 ]
+
+* sec-policy/selinux-screen
+ Latest version available: 2.20110726
+ Latest version installed: 2.20110726
+ Size of files: 574 kB
+ Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
+ Description: SELinux policy for screen
+ License: GPL-2
~# <span class="code-input">emerge selinux-screen</span>
[...]
@@ -584,7 +591,7 @@ The same tool can be used to relabel the entire system:
</table>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
diff --git a/html/selinux/hb-appendix-troubleshoot.html b/html/selinux/hb-using-troubleshoot.html
similarity index 100%
rename from html/selinux/hb-appendix-troubleshoot.html
rename to html/selinux/hb-using-troubleshoot.html
diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html
index 7006609..bd04178 100644
--- a/html/selinux/selinux-handbook.html
+++ b/html/selinux/selinux-handbook.html
@@ -53,12 +53,10 @@ a basic understanding of these aspects, it will be difficult to understand
how SELinux policies work and how to troubleshoot if things go wrong.
</li>
<li>
-<b><a href="?part=1&chap=3">The SELinux (Reference) Policy</a></b><br>
-To streamline SELinux policy development, a reference policy is being developed
-that is used by all SELinux-supporting distributions. In this chapter we give
-some intel on what this reference policy is and why it is brought to life, but
-also how this policy functions and how its development is progressing. We also
-cover the basics on SELinux policies in general.
+<b><a href="?part=1&chap=3">SELinux Resources</a></b><br>
+To get more acquainted with SELinux, many resources exist on the Internet.
+In this chapter we give a quick overview of the various resources as well
+as places where you can get more help when you are fighting with SELinux.
</li>
</ol>
</li>
@@ -75,55 +73,35 @@ update your system to become a SELinux-managed system. This chapter will guide
you through this process.
</li>
<li>
-<b><a href="?part=2&chap=2">SELinux Commands</a></b><br>
-Before we start with SELinux, we first take a step back and get to know a few
-commands. As we are currently running a SELinux enabled system (but in
-permissive mode) we can now get acquainted with the various SELinux-specific
-commands.
+<b><a href="?part=2&chap=2">Configuring SELinux For Your Needs</a></b><br>
+With SELinux now "installed" and enabled (although in permissive mode), we now
+configure it to suit your particular needs. After all, SELinux is a Mandatory
+Access Control system where you, as security administrator, define what is
+allowed and what not.
</li>
<li>
-<b><a href="?part=2&chap=3">Running in Permissive Mode</a></b><br>
-Once SELinux is active, we first start by running the system in permissive mode.
-In this chapter, we tell you how to get acquainted with SELinux more in-depth
-with live command information, but without interfering with the standard access
-controls (i.e. in permissive mode).
+<b><a href="?part=2&chap=3">SELinux Commands</a></b><br>
+Let's take a step back and get to know a few more commands. We covered most of
+them in the previous section, but we will now dive a bit deeper in its
+syntax, features and potential pitfalls.
</li>
<li>
-<b><a href="?part=2&chap=4">Switching to Enforcing Mode</a></b><br>
-Once you believe that the system can be ran in enforcing mode, we switch the
-system to verify if this is true. Once verified, the next step is to (re)boot in
-enforcing mode. Finally, if we are confident that the enforcing is working
-properly and that the system is still doing its job correctly, we fix the
-enforcing mode so that it cannot be disabled anymore.
+<b><a href="?part=2&chap=4">Permissive, Unconfined, Disabled or What Not...</a></b><br>
+Your system can be in many SELinux states. In this chapter, we help you switch
+between the various states / policies.
</li>
<li>
-<b><a href="?part=2&chap=5">Adding SELinux Policy Modules</a></b><br>
-Far from all packages where SELinux policy modules are available for have a
-corresponding package in Gentoo/Hardened. In this chapter, we help you to add
-more modules yourself or create your own modules for those packages that have no
-SELinux policies yet.
+<b><a href="?part=2&chap=5">Modifying the Gentoo Hardened SELinux Policy</a></b><br>
+Gentoo Hardened offers a default policy, but this might not allow what you want
+(or allows too much). In this chapter we tell you how you can tweak Gentoo's
+policy, or even run your own.
</li>
-</ol>
-</li>
-<li>
-<b><a href="?part=3">Appendices</a></b><br>
-Additional resources and referenced materials within this book are mentioned in
-this appendix.
-<ol>
<li>
-<b><a href="?part=3&chap=1">Troubleshooting SELinux</a></b><br>
+<b><a href="?part=2&chap=6">Troubleshooting SELinux</a></b><br>
Everything made by a human can and will fail. In this chapter we will try to
keep track of all potential issues you might come across and how to resolve
them.
</li>
-<li>
-<b><a href="?part=3&chap=2">SELinux Reference Material</a></b><br>
-This Gentoo Hardened SELinux handbook gives a first introduction to SELinux and
-how it is integrated in Gentoo Hardened. But more seasoned administrators will
-most definitely want to read up on the more advanced uses (and managerial
-challenges) of SELinux - which we definitely recommend. A non-exhaustive list is
-compiled in this chapter.
-</li>
</ol>
</li>
</ul>
@@ -160,7 +138,7 @@ compiled in this chapter.
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-handbook.xml?style=printable">Print</a></p></td></tr>
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="selinux-handbook.xml?full=1">View all</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated December 1, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated September 18, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This is the Gentoo SELinux Handbook.
</p></td></tr>
next reply other threads:[~2011-10-15 13:05 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-15 13:05 Sven Vermeulen [this message]
-- strict thread matches above, loose matches on Subject: below --
2012-04-28 19:23 [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/ Francisco Blas Izquierdo Riera
2011-09-04 19:54 Sven Vermeulen
2011-08-24 21:10 Sven Vermeulen
2011-05-24 20:39 Sven Vermeulen
2011-05-15 9:11 Sven Vermeulen
2011-04-22 22:35 Sven Vermeulen
2011-04-22 19:18 Sven Vermeulen
2011-02-19 3:45 Francisco Blas Izquierdo Riera
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=db4e145c0d418e14eb73223d31f8117b6ac37778.SwifT@gentoo \
--to=sven.vermeulen@siphos.be \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox