From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: html/selinux-faq.html html/selinux/hb-appendix-reference.html html/selinux/hb-appendix-troubleshoot.html html/selinux/hb-intro-concepts.html html/selinux/hb-intro-resources.html html/selinux/hb-using-configuring.html html/selinux/hb-using-install.html html/selinux/hb-using-permissive.html html/selinux/hb-using-troubleshoot.html html/selinux/selinux-handbook.html X-VCS-Directories: html/ html/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: db4e145c0d418e14eb73223d31f8117b6ac37778 Date: Sat, 15 Oct 2011 13:05:35 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: 5038cb3ecf45c466eb0b3d2ddb3f7fce commit: db4e145c0d418e14eb73223d31f8117b6ac37778 Author: Sven Vermeulen siphos be> AuthorDate: Sat Oct 15 13:05:21 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Oct 15 13:05:21 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3Ddb4e145c Update on previews --- html/selinux-faq.html | 42 +- html/selinux/hb-intro-concepts.html | 179 ++++- ...ndix-reference.html =3D> hb-intro-resources.html} | 0 html/selinux/hb-using-configuring.html | 919 ++++++++++++++= ++++++ html/selinux/hb-using-install.html | 29 +- html/selinux/hb-using-permissive.html | 19 +- ...roubleshoot.html =3D> hb-using-troubleshoot.html} | 0 html/selinux/selinux-handbook.html | 66 +- 8 files changed, 1184 insertions(+), 70 deletions(-) diff --git a/html/selinux-faq.html b/html/selinux-faq.html index 611eaf5..252906f 100644 
--- a/html/selinux-faq.html +++ b/html/selinux-faq.html @@ -81,6 +81,8 @@ as well. FAILED (crontabs/root)'
  • When querying the policy, I get 'ERROR: co= uld not find datum for type ...'
  • +
  • Portage fails to label files because "se= tfiles" does not work anymore
  • +
  • Applications do not transition on a nosuid-mount= ed partition
  • = 2. General SELinux Support Questions

    @@ -656,11 +658,49 @@ If your system is upgrading its kernel, higher vers= ion(s) can be supported. In this case, either unset the value again to automatically "jump" to a hig= her version, or force set it to the higher version.

    +

    Portage fails to label files because "setfiles" does not work an= ymore

    +

    +Portage uses the setfiles comman= d to set the labels of the files it +installs. However, that command is a dynamically linked executable, so a= ny +update in its depending libraries (libs= elinux.so, +libsepol.so, libaudit.so and of course +libc.so) might cause for the app= lication to fail. Gentoo's standard +solution (revdep-rebuild) will n= ot work, since the tool will try to +rebuild policycoreutils, which will fail to install because Portage cann= ot set +the file labels. +

    +

    +The solution is to rebuild policycoreutils while disabling Portage' seli= nux +support, then label the installed files manually using chcon, based on +the feedback received from matchpathcon= . +

    + + + +

    Code Listing5.14: Rec= overing from Portage installation failures

    +# FEATURES=3D"-selinux" emerge --oneshot poli=
    cycoreutils
    +# for FILE in $(qlist policycoreutils); do \
    +CONTEXT=3D$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done
    +
    +

    +Now Portage will function properly again, labeling files as they should. +

    +

    Applications do not transition on a nosuid-mounted partition

    +

    +If you have file systems mounted with the nosuid option, then +applications started from these file systems will not transition into th= eir +appropriate domain. This is intentional. +

    +

    +So, a passwd binary, although co= rrectly labeled passwd_exec_t, +will not transition into the passwd_t do= main if the binary is stored on a +file system mounted with nosuid. +
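Review bot: the recovery loop in Code Listing 5.14 does not do what the text says it does. In `+CONTEXT=3D$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done` the assignment is a per-command environment prefix for chcon, so `${CONTEXT}` on the same command line is expanded before the assignment takes effect and chcon receives an empty (or stale) context as its first argument. Separate the two with a semicolon, `CONTEXT=$(matchpathcon -n "${FILE}"); chcon "${CONTEXT}" "${FILE}"`, and quote the expansions. It would also help the reader to say that the loop only relabels what policycoreutils installs and to point at `restorecon -n` or `matchpathcon -V` as the check to run before putting `selinux` back into FEATURES.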



    - +

    Print

    Updated S= eptember 4, 2011

    Updated O= ctober 13, 2011

    Summary:= Frequently Asked Questions on SELinux integration with Gentoo Hardened. The FAQ is a collection of solutions found on IRC, mailinglist, forums o= r=20 diff --git a/html/selinux/hb-intro-concepts.html b/html/selinux/hb-intro-= concepts.html index 362203a..c5cf801 100644 --- a/html/selinux/hb-intro-concepts.html +++ b/html/selinux/hb-intro-concepts.html @@ -3,7 +3,7 @@ - + @@ -191,6 +191,21 @@ getattr ptrace setkeycreate sigchld = transition

    +The most common SELinux access control rule (al= low) is described as +follows: +

    + + + +

    Code Listing1.1: SELi= nux allow statement

    +allow ACTOR  TARGET:CLASS PRIVILEGE;
    +      +-+-+  +-+--+ +-+-+ +---+---+
    +        |      |      |       `- Permission to be granted (like "write")
    +	|      |      `- Class on which permission is given (like "file")
    +	|      `- Resource (label) on which permission is valid (like "portage_=
    conf_t")
    +	`- Actor (domain) which gets the privilege (like "sysadm_t")
    +
    +
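Review bot: the annotation rows under the allow statement mix indentation styles: the `Permission` row is indented with spaces while the three rows below it start with a literal tab (`+	|      |      `- Class on which permission is given`). The bars only line up with the `+-+-+` markers if the tab expands to exactly eight columns, so use spaces for all four rows before this lands in the handbook; the marker row itself is already correctly aligned with `ACTOR`, `TARGET`, `CLASS` and `PRIVILEGE`.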

    Let's take a look at a small example to explain the permission rules and= how=20 SELinux uses them. The example user is in the s= taff_u:staff_r:staff_t context and wants to write to its own home directory. As we can expect, = this @@ -269,8 +284,7 @@ security contexts, let's start from the last definiti= on in the context (the

    -The rules that identify the allowed actions for a domain have the follow= ing -syntax: +The rules that identify the allowed actions for a domain have been descr= ibed earlier. Again:

    @@ -584,6 +598,158 @@ would require the development of new policies for e= ach new client that a system wants to serve).

    = 1. + Reference Policy

    +

    About refpolicy +

    +As described previously, SELinux uses type enforcement to describe the s= tate of +your system. This is done by giving each resource on your system (be it = a +process, a network port, a file or directory) a specific type and descri= be the +rules how types can work with each other.=20 +

    +

    +Managing such a policy is not easy. Unlike some other MAC systems, which= rely +on a learning mode and do not use domain definitions (they rather keep t= rack of +which commands a process is allowed to execute), a proper SELinux defini= tion +requires lots (thousands and thousands) of permission lines. +

    +

    +To ensure that no duplicate effort is made, and to help distributions li= ke +Gentoo, Fedora, RedHat, Debian, ... with their SELinux integration effor= ts, a +project is launched called The Reference Policy= . +

    +

    +This project, managed by Tresys, is used by almost +all SELinux supporting distributions, including Gentoo Hardened, Fedora,= RedHat +Enterprise Linux, Debian, Ubuntu and more. This implementation not only = offers +the modular policies that users are looking for, but also enhances the S= ELinux +experience with additional development tools that make it easier to work= with +the SELinux policies on your system. Updates in the reference policy eve= ntually +make it in all supported distributions. The same goes for Gentoo Hardene= d, which +aims to use a policy as close as possible to the reference policy, and s= ubmits +its own patches to the reference policy as well, which benefits the enti= re +community. +

    +

    Reference Policy API

    +

    +One major advantage of the reference policy is its API. To help policy w= riters, +the reference policy uses a macro language which generates the necessary= allow +(and other) rules. This macro language makes it a lot easier to add righ= ts to +particular domains. You can find the API documented online, but if you have +USE=3D"doc" set, it will be stored on your system as well the moment you= install +and configure SELinux. +

    +

    Modular Approach +

    +Another feature of the reference policy is its use of modules. If you +would build all rules in a single policy (a binary file readable by the = Linux +kernel, allowing it to interpret and enforce SELinux rules), the file wo= uld +quickly become too huge and inefficient. +

    +

    +Instead, the reference policy defines the rules in what it calls modules= , which +define one domain (like portage_t) or more (if they are all tightly +related) and the rights and privileges that that domain would need in or= der to +function properly. Any right that the domain needs with respect to anoth= er +domain needs to be defined through that domains' interfaces (see earlier= ), +forcing the modules to be specific and manageable. +

    +

    Code Listing1.1: Stan= dard SELinux policy rules

    + + +

    Code Listing1.1: Exam= ple overview of installed SELinux modules

    +# semodule -l
    +alsa    1.11.0
    +apache  2.3.0
    +audioentropy    1.6.0
    +dbus    1.15.0
    +dmidecode       1.4.0
    +(...)
    +
    +

    +By using a modular approach, one only needs to load the base policy (ker= nel +layer as well as other, core definitions) and the modules related to his= system. +You can then safely ignore the other modules. This improves performance = (smaller +policy, which also causes rebuilds to be a lot less painful) and managea= bility +(properly defined boundaries for policy rules). +

    +

    Tunables and Condition= als

    +

    +But wait, there's more. The reference policy also supports booleans. +Those are flags that a security administrator can enable or disable to c= hange +the active policy. Properly defined booleans allow security administrato= rs to +fine-tune the policy for their system. +

    + + + +

    Code Listing1.1: Over= view of available booleans

    +# getsebool -a
    +allow_execheap --> off
    +allow_execmem --> off
    +allow_execmod --> off
    +allow_execstack --> off
    +allow_gssd_read_tmp --> on
    +allow_httpd_anon_write --> off
    +
    +

    +Booleans are an important part to make a generic reference policy which = is still +usable for the majority of SELinux users. Although they have specific +requirements (such as allowing ptrace, or disallowing execmem) they can = still +use the same reference policy and only need to toggle the booleans they = need. +

    +

    Policy Files and Versi= ons

    +

    +The SELinux policy infrastructure that is used (i.e. the capabilities an= d +functionalities that it offers) isn't in its first version. Currently, S= ELinux +deployments use a binary version of 24 or 26 (depending on the kernel ve= rsion +used). +

    + + + +

    Code Listing1.1: Gett= ing the binary policy version

    +# sestatus
    +SELinux status:                 enabled
    +SELinuxfs mount:                /selinux
    +Current mode:                   enforcing
    +Mode from config file:          enforcing
    +Policy version:                 24
    +Policy from config file:        strict
    +
    +

    +Every time functionalities or capabilities are added which require +changes to the internal structure of the compiled policy, this version i= s +incremented. The following is an overview of the policy versions' histor= y.=20 +

    +
    +
    Version 12
    +
    "Old API" for SELinux, which is now deprecated
    +
    Version 15
    +
    "New API" for SELinux, merged in Linux kernel 2.6.0 (until 2.6.5)<= /dd> +
    Version 16
    +
    Conditional policy extensions added (2.6.5)
    +
    Version 17
    +
    IPV6 support added (2.6.6 - 2.6.7)
    +
    Version 18
    +
    Fine-grained netlink socket support added (2.6.8 - 2.6.11)
    +
    Version 19
    +
    Enhanced multi-level security (2.6.12 - 2.6.13)
    +
    Version 20
    +
    Access vector table size optimizations (2.6.14 - 2.6.18)
    +
    Version 21
    +
    Object classes in range transitions (2.6.19 - 2.6.24)
    +
    Version 22
    +
    Policy capabilities (features) (2.6.25)
    +
    Version 23
    +
    Per-domain permissive mode (2.6.26 - 2.6.27)
    +
    Version 24
    +
    Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)
    +
    Version 25
    +
    Filename based transition support (2.6.39)
    +
    Version 26
    +
    Role transition support for non-process classes (3.0)
    +
    +

    = 1. Next Steps

    What Next
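Review bot: the caption `Code Listing1.1: Stan= dard SELinux policy rules` has no listing body; it is immediately followed by the caption `Example overview of installed SELinux modules`, which is the one that actually holds the `semodule -l` output, so the first caption looks like a leftover to drop. Two wording points in the same hunk: in the booleans paragraph "Although they have specific requirements" reads as if "they" were the booleans rather than the users, and "a project is launched called The Reference Policy" should be "was launched". The policy version list would also be the place to state which version the kernels in the Gentoo tree currently produce, since the text only says "24 or 26 (depending on the kernel version used)".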

    @@ -593,9 +759,10 @@ when SELinux is disabled, then you will need to dive= into the security contexts, rules, types and domain transitions to find out why.

    -The next chapter in line will discuss how distributions such as Gentoo H= ardened -manage the various permission rules and how they use a macro language to -generate the permissions instead of creating the allow-rules one by one. +The next chapter in line will give you some background resource informat= ion +(online resources, books, FAQs, etc.) After that, we'll dive into the +installation and configuration of SELinux on your Gentoo Hardened system= . Then, +we'll configure and tune the SELinux policy to our needs.
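Review bot: "(online resources, books, FAQs, etc.) After that, we'll dive" is missing the full stop after the closing parenthesis; the period inside it belongs to "etc." and does not end the sentence.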

    diff --git a/html/selinux/hb-appendix-reference.html b/html/selinux/hb-in= tro-resources.html similarity index 100% rename from html/selinux/hb-appendix-reference.html rename to html/selinux/hb-intro-resources.html diff --git a/html/selinux/hb-using-configuring.html b/html/selinux/hb-usi= ng-configuring.html new file mode 100644 index 0000000..05bd80b --- /dev/null +++ b/html/selinux/hb-using-configuring.html @@ -0,0 +1,919 @@ + + + + + + + + + + + +Gentoo Linux Handbook Page +-- + + +
    + + + +
    3D"Gentoo
    <= tr> + + +
    +

    = 1. + Administering Users

    +

    Introduction

    +

    +During the installation, we already covered how to map a Linux user to a= SELinux +user. In the example, we used a hypothetical user "john" and mapped him = to the +SELinux user "staff_u". If you are running a multi-user system, managing= the +right mappings is important. A user that is mapped to the SELinux user "= user_u" +will not get any additional rights. Even if you would give that user add= itional +rights through commands such as sudo, the SELinux policy will not allow +this user to do anything that is administration related. +

    +

    +For this reason, it is important to go over the SELinux user mappings an= d the +Linux users on your system. +

    +

    User Mappings

    +

    +Run semanage login -l to show th= e current mappings between Linux logins +and SELinux users. +

    + + + +

    Code Listing1.1: Runn= ing semanage login -l

    +# semanage login -l
    +
    +Login Name                SELinux User
    +
    +__default__               user_u
    +root                      root
    +john                      staff_u
    +system_u                  system_u
    +
    +

    +The "user_u" SELinux user is for regular accounts. As such, the special +__default__ mapping is defined by SELinu= x to denote every login that is +not defined otherwise. This makes sure that a newly defined account does= not get +elevated privileges by default. +

    +

    +The next table gives an overview of the standard SELinux users available= after +an installation. +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    SELinux UserDescription
    user_u + Default regular SELinux user, which should be used by end-user accou= nts that + are not going to administer any service(s) on the system +
    staff_u + SELinux user for administrators. This user has the right to switch r= oles and + as such gain elevated privileges +
    root + SELinux user for the root account. It differs little from the staff_= u + account beyond being a different ID. This ensures that files protect= ed by + the user based access control for root cannot be handled by the staf= f_u + (and other) users +
    sysadm_u + SELinux user for system administration. By default, this account is = not + immediately used as this user immediately gets the administrative ro= le + (whereas staff_u and root still need to switch roles). +
    system_u + SELinux user for system services. It should never be used for end us= ers or + administrators as it provides direct access to the system role (and + privileges) +
    unconfined_u + Used when the policy is targeted, th= is SELinux user has many + privileges (it is essentially not limited in its actions, although i= t is + still handled through SELinux - just through a "wide open" policy). +
    +

    +To map a user to a specific SELinux user, use semanage login -a: +

    + + + +

    Code Listing1.1: Mapp= ing a user 'sophie' to the staff_u user

    +# semanage login -a -s staff_u sophie
    +
    +

    +However, when you update such mapping, the files in that users' home dir= ectory +will be owned by a wrong SELinux user. It is therefor important to relab= el the +files of that user: +

    + + + +

    Code Listing1.1: Rela= beling sophie's files

    +# restorecon -R -F /home/sophie
    +
    +

    Additional SELinux Acc= ounts

    +

    +It is perfectly possible to create additional SELinux accounts, and then= map the +Linux logins to these new accounts. This can be necessary when you want = a more +thorough auditing (on end user level) or when you will be enhancing the = policy +with additional roles. Also, if you want to use the User Based Access Co= ntrol +feature, using different SELinux users is important to enforce the contr= ol on +different users (if they all use the same SELinux user, then UBAC has li= ttle to +no effect). +

    +

    +Managing the SELinux accounts is done through semanage user: +

    + + + +

    Code Listing1.1: Crea= ting a SELinux user

    +# semanage user -a -R "staff_r sysadm_r" soph=
    ie
    +
    +

    +Let's verify how the SELinux users are currently configured: +

    + + + +

    Code Listing1.1: Chec= king the SELinux user identities

    +# semanage user -l
    +SELinux User    SELinux Roles
    +
    +root            staff_r sysadm_r
    +sophie          staff_r sysadm_r
    +staff_u         staff_r sysadm_r
    +sysadm_u        sysadm_r
    +system_u        system_r
    +unconfined_u    unconfined_r
    +user_u          user_r
    +
    +# semanage login -l
    +Login Name                SELinux User
    +
    +__default__               user_u
    +root                      root
    +sophie                    staff_u
    +swift                     staff_u
    +system_u                  system_u
    +
    +

    +Now that a new SELinux user called "sophie" exists, we can now update th= e Linux +user mapping for "sophie" towards the new SELinux user "sophie": +

    + + + +

    Code Listing1.1: Upda= ting the Linux user mapping

    +# semanage login -m -s sophie sophie
    +# semanage login -l
    +Login Name                SELinux User
    +
    +__default__               user_u
    +root                      root
    +sophie                    sophie
    +swift                     staff_u
    +system_u                  system_u
    +
    +

    +Again, do not forget to relabel this users' files. +

    +

    +As you can see, managing SELinux users means defining the roles to which= the +user has access to. We already gave a high-level introduction to the def= ault +roles in (SELinux Concepts), but as roles are +important when using a Mandatory Access Control system, let's refresh ou= r memory +again: +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    SELinux RoleDescription
    user_r + Default end-user role. This role provides access to regular applicat= ions and + activities, but does not allow any system or service administration = beyond + what is expected for a regular user. +
    staff_r + Default administration role for day-to-day activities. This role has= some + additional privileges beyond what is offered through user_r, but is = not a + full system administrative role. It is meant for the non-administrat= ive + activities done by operators and administrators +
    sysadm_r + System administration role. This role is highly privileged (since it= also + contains the privileges to update the policy) and should only be giv= en to + fully trusted administrators. It is almost never immediately granted= to + users (they first need to switch roles) except for direct root acces= s (for + instance through the console)=20 +
    system_r + System service role, which is used for the runtime services (process= es). It + is never granted to users directly. +
    unconfined_r + The unconfined role is used when the target= ed policy is supported. + This role is given to unconfined users (such as the SELinux unconfin= ed_u + user) which have very wide privileges (they almost run without const= raints). +
    +

    +It should be noted that these roles are the default ones, but the securi= ty +administrator - yes, that means you - can create additional roles and ad= d +particular privileges to it. We will discuss this later in this book as = it means +you'll need to update the Gentoo Hardened SELinux policy. +

    +

    = 1. + Reading Audit Logs

    +

    Introduction

    +

    +When working with a SELinux-enabled system, you will eventually notice t= hat +things behave differently, but without giving any meaningful error messa= ge. +Usually, when SELinux "denies" a particular access, it logs it into the = audit +log of the system, but for the application itself, it is perfectly possi= ble that +it just silently dies. If not, you're most likely to get a permission +denied error message. +

    +

    +Initially, SELinux is running in permis= sive mode, which means that +SELinux will log what it would deny, but= still let it through. +This mode is perfect for getting the system in shape without having too +much problems keeping it running. Once you think your security settings = are +in order, then this mode can be switched from permissive to +enforcing. We'll talk about thes= e modes later. +

    +

    +First, let's take a look at the audit log and see what it is saying... +

    +

    Audit Log Location(s)<= /a>

    +

    +The SELinux kernel code writes its denials (and sometimes even allowed b= ut +audited activities) into the audit log. If you are running on a Gentoo H= ardened +installation with the syslog-ng = system logger, then the logger is already +configured to place these audit lines in /var/log/avc.log. However, +different system loggers or system logger configurations might put the e= ntries +in a different log location (such as /v= ar/log/audit.log). +

    +

    +Below, you'll find the appropriate lines for the syslog-ng system logger +configuration for writing the events in /var/log/avc.log. +

    +
    + + +

    Code Listing1.1: sysl= og-ng.conf excerpt for SELinux AVC entries

    +# The following lines are only /part/ of th=
    e configuration file!
    +source kernsrc  { file("http://www.gentoo.org/proc/kmsg");       };
    +destination avc { file("http://www.gentoo.org/var/log/avc.log"); };
    +filter f_avc    { message(".*avc: .*");     };
    +
    +log {
    +  source(kernsrc);
    +  filter(f_avc);
    +  destination(avc);
    +};
    +
    +

    What is AVC?

    +

    +As we mentioned, SELinux writes its entries in the audit log. These entr= ies are +called avc messages or avc log entries. The abbreviation AVC +stands for Access Vector Cache and, like= the name sais, is a caching +system. +

    +

    +Using an access vector cache improves performance on dealing with (and +enforcing) activities and privileges. Since SELinux offers a very detail= ed +approach on privileges and permissions, it would become quite painful +(performance-wise) if each call means that the SELinux code needs to loo= k up the +domain, the target resource label, the privilege and if it is allowed or= not +over and over again. Instead, SELinux uses the Access Vector Cache to st= ore past +requests/responses. It is the AVC subsystem that is responsible for chec= king +accesses and (if necessary) logging it. +

    +

    Reading an AVC Denial = Message

    +

    +Below you'll find a typical AVC denial message. +

    + + + +

    Code Listing1.1: Exam= ple AVC denial message

    +Oct 15 13:04:54 hpl kernel: [963185.177043] type=3D1400 audit(1318676694=
    .660:2472):=20
    +  avc:  denied  { module_request } for  pid=3D14561 comm=3D"firefox" kmo=
    d=3D"net-pf-10"
    +  scontext=3Dstaff_u:staff_r:mozilla_t tcontext=3Dsystem_u:system_r:kern=
    el_t tclass=3Dsystem
    +
    +

    +Let's analyze each part of this message one by one. +

    + + + +

    Code Listing1.1: AVC = denial: Timestamp and location information

    +Oct 15 13:04:54 hpl kernel: [963185.177043] type=3D1400 audit(1318676694.660:2472):=20
    +  avc:  denied  { module_request } for  pid=3D14561 comm=3D"firefox" kmo=
    d=3D"net-pf-10"
    +  scontext=3Dstaff_u:staff_r:mozilla_t tcontext=3Dsystem_u:system_r:kern=
    el_t tclass=3Dsystem
    +
    +

    +This first part of the message informs you when the message was written = (Oct 15 +13:04:54), on which host (hpl) and how many seconds since the system was= booted +(963185.177043). +

    + + + +

    Code Listing1.1: AVC = denial: source information

    +Oct 15 13:04:54 hpl kernel: [963185.177043] type=3D1400 audit(1318676694=
    .660:2472):=20
    +  avc:  denied  { module_request } for  pid=3D=
    14561 comm=3D"firefox" kmod=3D"net-pf-10"
    +  scontext=3Dstaff_u:staff_r:mozilla_t=
     tcontext=3Dsystem_u:system_r:kernel_t tclass=3Dsystem
    +
    +

    +Next is the source of the denial, i.e. what process is trying to do some= thing. +In this case, the process is firefox, with PID 14561, which is running i= n the +source domain staff_u:staff_r:mozilla_t. +

    + + + +

    Code Listing1.1: AVC = denial: target resource

    +Oct 15 13:04:54 hpl kernel: [963185.177043] type=3D1400 audit(1318676694=
    .660:2472):=20
    +  avc:  denied  { module_request } for  pid=3D14561 comm=3D"firefox" kmod=3D"net-pf-10"
    +  scontext=3Dstaff_u:staff_r:mozilla_t tconte=
    xt=3Dsystem_u:system_r:kernel_t tclass=3Dsystem
    +
    +

    +The target of the activity is a kernel module (net-pf-10, which is the i= nternal +name given for IPv6), labeled system_u:system_r:kernel_t +

    + + + +

    Code Listing1.1: AVC = denial: denied action

    +Oct 15 13:04:54 hpl kernel: [963185.177043] type=3D1400 audit(1318676694=
    .660:2472):=20
    +  avc:  denied  { module_request } for=
      pid=3D14561 comm=3D"firefox" kmod=3D"net-pf-10"
    +  scontext=3Dstaff_u:staff_r:mozilla_t tcontext=3Dsystem_u:system_r:kern=
    el_t tclass=3Dsystem
    +
    +

    +Finally, the action that is denied (module_request) and its class (syste= m). +These classes help you to identify what is denied, because a read on a f= ile is +different from a read on a directory. +

    +

    +For instance, in the following case, a process gorg with PID 13935 is +trying to read a file called localtime<= /span> with inode 130867 which +resides on the device /dev/md3: +

    + + + +

    Code Listing1.1: AVC = denial example

    +Oct 15 14:40:30 hpl kernel: [968909.807802] type=3D1400 audit(1318682430=
    .323:2614):
    +  avc:  denied  { read } for  pid=3D13935 comm=3D"gorg" name=3D"localtim=
    e" dev=3Dmd3 ino=3D130867
    +  scontext=3Dstaff_u:sysadm_r:gorg_t tcontext=3Dsystem_u:object_r:locale=
    _t tclass=3Dfile
    +
    +

    +In this case, it might be obvious that the file is /etc/localtime, +but when that isn't the case, then you can find the following two comman= ds +useful: +

    + + + +

    Code Listing1.1: Find= ing out the target resource based on inode and device

    +(Find out which device /dev/md3 is)
    +# mount | grep /dev/md3
    +/dev/md3 on / type ext4 (rw,seclabel,noatime,barrier=3D1,nodelalloc,data=
    =3Djournal)
    +
    +(Find out what file has inode 130867)
    +# find / -xdev -inum 130867
    +/etc/localtime
    +
    +

    Handling AVC denials

    +

    +The major part of configuring SELinux is reading the denials, finding ou= t what +needs to be fixed (or ignored), fix it, and repeat the steps. Hopefully,= the +rest of this handbook will help you figure out what is causing a denial. +

    +

    +Denials can be cosmetic (an activity that is denied, but has no effect o= n the +application's functional behaviour). If that is the case, the denial can= be +marked as dontaudit, meaning that the de= nial is not logged by default +anymore. If you think that a denial is occurring but you do not see it i= n the +logs, try disabling the dontaudit rules: +

    +
    + + +

    Code Listing1.1: Disa= bling dontaudit

    +(The command can also be abbreviated to "se=
    module -DB")
    +# semodule --build --disable_dontaudit
    +
    +

    +In most cases though, denials need to be acted upon. Actions that might = need to +happen are: +

    +
      +
    • + relabeling the target resource (wrong labels might cause legitimate = actions + to be denied) +
    • +
    • + relabeling the source (process' binary file) as a wrong label might = cause + the application to run in the wrong domain +
    • +
    • + loading a necessary SELinux module, since the modules contain the ru= les to + allow (and label) resources. Without the appropriate module loaded, = you will + notice denials since no other module gives the necessary grants (all= ow + statements) +
    • +
    • + granting the right role to the user executing the application. We ha= ve + covered users and their roles initially but we will go deeper into t= his + subject later in the handbook. +
    • +
    • + adding your own SELinux policy statements, most likely because no SE= Linux + policy module exists for the application you are trying to run +
    • +
    +

    = 1. + Using (File) Labels

    +

    Introduction

    +

    +Within SELinux, access privileges are based on the label given on the +originating part (called the domain) and= its target resource. For +instance, a process running in the passwd_t domain wants to read (=3D pr= ivilege) +the file /etc/shadow which is la= beled shadow_t (=3D the target +resource). It comes to no surprise then that the majority of SELinux +administration is (re)labeling the resources correctly (and ensuring the= ir label +stays correct). +

    +

    Getting File Label(s)<= /a>

    +

    +There are many ways to relabel commands, and none of them are equal to a= nother. +But before we explain this in more detail, let's first take a look at a = few file +labels (and how you can query them). +

    +

    +In SELinux, labels are given on a file level through the file systems' a= bility +to keep extended attributes. For SELinux= , the attribute is called +security.selinux and can be obta= ined through getfattr: +

    +
    + + +

    Code Listing1.1: Gett= ing a file's extended attribute for SELinux

    +$ getfattr -n security.selinux /etc/hosts
    +# file: etc/hosts
    +security.selinux=3D"system_u:object_r:net_conf_t"
    +
    +

    +Of course, getting the file attribute this way is time consuming and not= that +flexible. For this purpose, most important applications (including +coreutils) are made SELinux-awar= e. These applications mostly use the +-Z option to display the SELinux= context information. In case of files, +this means the extended attribute content: +

    + + + +

    Code Listing1.1: Gett= ing the context of a file

    +$ ls -Z /etc/hosts
    +system_u:object_r:net_conf_t   /etc/hosts
    +
    +

    +Other commands exist that display the context as it should be, like +matchpathcon. However, their pur= pose is to query the SELinux policy on +your system to find out what the policy ought to be, not what it is: +

    + + + +

    Code Listing1.1: Diff= erence between context and matchpathcon result

    +$ ls -Z /etc/make.conf
    +staff_u:object_r:etc_t    /etc/make.conf
    +$ matchpathcon /etc/make.conf
    +/etc/make.conf            system_u:object_r:portage_conf_t
    +
    +

    Setting File Label(s)<= /a>

    +

    +Now how can you manipulate file labels? Well, first of all: you will not= be +allowed to change the file labels of any possible file (not even if you = are the +owner of that file) unless the SELinux policy allows you to. These allow= rules +are made on two privilege types: which labels are you allowed to change +(relabelfrom) and to which label= s are you allowed to change +(relabelto). You can query these= rules through sesearch: +

    +
    + + +

    Code Listing1.1: Quer= ying the relabelto/relabelfrom types

    +# From which label on files (-c) is user_t =
    (-s) allowed (-A) to relabel from (-p)?
    +$ sesearch -s user_t -c file -p relabelfrom -=
    A
    +[...]
    +allow user_t mozilla_home_t : file { ... relabelfrom relabelto } ;
    +
    +

    +If you have the permission, then you can use chcon to change the +context of a file: +

    + + + +

    Code Listing1.1: Chan= ging a file context

    +$ ls -Z strace.log
    +staff_u:object_r:user_home_t  strace.log
    +$ chcon -t mutt_home_t strace.log
    +$ ls -Z strace.log
    +staff_u:object_r:mutt_home_t  strace.log
    +
    +

    +If you do not hold the right privileges, you will get a descriptive erro= r +message: +

    + + + +

    Code Listing1.1: Tryi= ng to change file context

    +$ chcon -t shadow_t strace.log
    +chcon: failed to change context of `strace.log' to `staff_u:object_r:sha=
    dow_t': Permission denied
    +
    +

    +Now, if you now think that chcon= is all you need, you're wrong. The +chcon command does nothing more = than what it sais - change context. But +when the system relabels files, these changes are gone. Relabeling files= is +often done to ensure that the file labels are correct (as in: the labels= match +what the SELinux policy sais they ought to be). The SELinux policy conta= ins, for +each policy module, the list of files, directories, sockets, ... and the= ir +appropriate file context (label). +

    +

    +We will look at SELinux policy modules later, but below you'll find an e= xcerpt +from such a definition, for the mozilla= module: +

    + + + +

    Code Listing1.1: Exce= rpt of the mozilla module file contexts

    +/usr/bin/firefox-bin                            -- gen_context(system_u:=
    object_r:mozilla_exec_t,s0)
    +/usr/bin/mozilla-[0-9].*                        -- gen_context(system_u:=
    object_r:mozilla_exec_t,s0)
    +/usr/bin/mozilla-bin-[0-9].*                    -- gen_context(system_u:=
    object_r:mozilla_exec_t,s0)
    +/usr/lib(64)?/galeon/galeon                     -- gen_context(system_u:=
    object_r:mozilla_exec_t,s0)
    +/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_=
    context(system_u:object_r:mozilla_exec_t,s0)
    +/usr/lib(64)?/netscape/base-4/wrapper           -- gen_context(system_u:=
    object_r:mozilla_exec_t,s0)
    +/usr/lib/[^/]*firefox[^/]*/plugin-container     -- gen_context(system_u:=
    object_r:mozilla_plugin_exec_t,s0)
    +/usr/lib64/[^/]*firefox[^/]*/plugin-container   -- gen_context(system_u:=
    object_r:mozilla_plugin_exec_t,s0)
    +
    +

    +To put the right label on a file, you can use the setfiles or +restorecon commands. Since they = are both the same command (but with a +slightly different way of using) we'll only talk about restorecon for now +- more information on the setfiles command can be found in its man page. +

    +

    +When you use restorecon, the app= lication will query the SELinux policy to +find out what the right label of the file should be. If it differs, it w= ill +change the label to the right setting. That means that you do not need t= o +provide the label for a file in order for the command to work. Also, +restorecon supports recursivity,= so you do not need to relabel files one +by one. +

    + + + +

    Code Listing1.1: Usin= g restorecon

    +$ ls -Z /etc/make.conf
    +staff_u:object_r:etc_t            /etc/make.conf
    +$ restorecon /etc/make.conf
    +$ ls -Z /etc/make.conf
    +system_u:object_r:portage_conf_t  /etc/make.conf
    +
    +

    +Finally, Gentoo also provides a useful application: rlpkg. This script +relabels the files of a Gentoo package (rlpkg <packagename>) or, +given the right arguments, all files on the file system: +

    + + + +

    Code Listing1.1: Usin= g rlpkg

    +# Relabel the files of the firefox-bin pack=
    age:
    +# rlpkg firefox
    +
    +# Relabel all files on the file system:
    +# rlpkg -a -r
    +
    +
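Review bot: the rlpkg listing's comment and command disagree: the comment says "Relabel the files of the firefox-bin package" while the command run is `rlpkg firefox`; make them name the same package, since rlpkg takes a package name and the two are different packages. In the same chapter, "what it sais" and "the SELinux policy sais" should be "says", "There are many ways to relabel commands" presumably means "to relabel files", and "restorecon supports recursivity" would be clearer as "restorecon can operate recursively with -R" because the reader is told to use it on whole trees but only sees a single-file invocation. "Since they are both the same command (but with a slightly different way of using)" also reads awkwardly; "setfiles and restorecon are the same program invoked differently" says the same thing.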

    Overriding the SELinux= Policy File Labels

    +

    +You might not always agree with the label that the SELinux policy enforc= es on +the files: you might have your files located elsewhere (a different loca= tion for +your Portage tree is a nice example) or you need to label them different= ly in +order for other applications to work. To not have to chcon these files +over and over again, you can enhance the SELinux policy on your system w= ith +additional file context rules. These rules are used when you call +restorecon as well and override = the rules provided by the SELinux policy. +

    +

    +To add additional file context rules, you need to use the semanage +command. This command is used to manage, manipulate and update the local= SELinux +policy on your system. In this particular case, we will use the semanage +fcontext command: +

    + + + +

    Code Listing1.1: Usin= g semanage to add a file context rule

    +# Mark /mnt/gentoo/etc/make.conf as a porta=
    ge_conf_t type
    +# semanage fcontext -a -t portage_conf_t /mnt=
    /gentoo/etc/make.conf
    +
    +# Mark /mnt/gentoo/usr/portage as portage_e=
    build_t
    +# semanage fcontext -a -t portage_ebuild_t "h=
    ttp://www.gentoo.org/mnt/gentoo/usr/portage(/.*)?"
    +
    +

    +As you can see from the example, you can use wildcards. But beware about= using +wildcards: when a rule holds a wildcard, it has a lower priority than a = rule +without a wildcard. And the priority on rules with a wildcard is based o= n how +"down" the string the first occurance of a wildcard is. For more informa= tion, +please check out our FAQ on = "How do +I know which file context rule is used for a particular file?." +

    +

    +If you want to delete a file context definition, you use semanage fcontext +-d: +

    + + + +

    Code Listing1.1: Dele= ting a file context definition

    +# semanage fcontext -d -t portage_ebuild_t /m=
    nt/gentoo/etc/make.conf
    +
    +

    +Finally, to view all file context definitions (both user-set and SELinux= policy +provided), you can use semanage fcontex= t -l. To only see the locally set, +add -C: +

    + + + +

    Code Listing1.1: View= ing user-set file context enhancements

    +# semanage fcontext -C -l
    +SELinux fcontext                          type             Context
    +/opt/xxe/bin/.*\.jar                      all files        system_u:obje=
    ct_r:lib_t
    +/srv/virt/gentoo(/.*)?                    all files        system_u:obje=
    ct_r:qemu_image_t
    +
    +
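Review bot: the second `semanage fcontext -a` example (the portage_ebuild_t one) shows its path argument as "http://www.gentoo.org/mnt/gentoo/usr/portage(/.*)?" instead of the bare regex "/mnt/gentoo/usr/portage(/.*)?"; the path inside the listing has been rendered as a site hyperlink, so the generated HTML (or the source markup behind it) needs fixing before publication, as anyone copying the line gets a spec that matches nothing. The delete example is also inconsistent with the add examples: it pairs `-t portage_ebuild_t` with /mnt/gentoo/etc/make.conf, whereas that file was added as portage_conf_t and portage_ebuild_t belonged to the tree; make the delete undo one of the two rules actually shown. Finally, "occurance" should be "occurrence", and the priority sentence ('how "down" the string') would be clearer stated as: among wildcard rules, the one whose first wildcard appears later in the string wins.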

    Customizable types=

    +

    +Labels on files are not that hard to understand, but you might come into= some +surprises if you do not know that there are also customizable types. +

    +

    +A customizable type is a specific type w= hich is not touched by the +SELinux administration tools by default. If you want to relabel a file t= hat +currently holds a customizable type, you will need to force this through= the +commands (such as restorecon -F)= . +

    +

    +There are not that many customizable types by default. The list of types= that +SELinux considers as customizable are mentioned in the +customizable_types file within t= he +/etc/selinux/*/contexts location= : +

    + + + +

    Code Listing1.1: List= ing the customizable types

    +# cat /etc/selinux/strict/contexts/customizab=
    le_types
    +mount_loopback_t
    +public_content_rw_t
    +public_content_t
    +swapfile_t
    +textrel_shlib_t
    +
    +

    +Such types exist because these types are used for files whose location i= s known +not to be fixed (and as such, the SELinux policy cannot without a doubt = know if +the label on the files is correct or not). The public_content_t one, +which is used for files that are readable by several services (like FTP,= web +server, ...), might give you a nice example for such a case. +

    +

    +If you look at the restorecon ma= n page, it mentions both customizable +types as well as the user section. The latter is for rules that are iden= tified +in the SELinux policy as being files for an end user, like the following +definitions in the mozilla polic= y module: +

    + + + +

    Code Listing1.1: User= section definition within mozilla module

    +HOME_DIR/\.mozilla(/.*)?      gen_context(system_u:object_r:mozilla_home=
    _t,s0)
    +HOME_DIR/\.netscape(/.*)?     gen_context(system_u:object_r:mozilla_home=
    _t,s0)
    +HOME_DIR/\.phoenix(/.*)?      gen_context(system_u:object_r:mozilla_home=
    _t,s0)
    +
    +

    +Although in the above example, forcing = restorecon on the files is +probably correct, there are examples where you do not want this. For ins= tance, +the firefox policy by default only allows the application to write to +directories labeled mozilla_home_t. If you want to download something, +this isn't possible (unless you download it into ~/.mozilla). The +solution there is to label a directory (say ~/Downloads) as +mozilla_home_t.=20 +

    +
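Review bot: the closing paragraph of "Customizable types" (the ~/Downloads example) stops at "label a directory (say ~/Downloads) as mozilla_home_t" and never draws the conclusion it set up, namely what a forced relabel does to that directory. The text a few paragraphs earlier already says `restorecon -F` resets labels to what the policy prescribes, so say here that a label applied with chcon does not survive such a relabel unless the directory is covered by a file context rule, i.e. the `semanage fcontext -a` approach from the previous section; otherwise the "there are examples where you do not want this" claim is left hanging. The stray "=20" after "mozilla_home_t." in the rendered output also suggests trailing whitespace in the source.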

    = 1. + SELinux Policy and Booleans

    +

    Introduction

    +

    +We have dealt with users and labels now, but there is still a third aspe= ct that +we haven't touched: the SELinux policy itself. +

    +

    +The SELinux policy as offered by Gentoo Hardened is a carefully tuned SE= Linux +policy, based on the reference policy (a distribution-agnostic SELinux p= olicy) +with minor changes. Hopefully, you will not need to rewrite the policy t= o suit +it for your needs, but changes are very likely to occur here and there. +

    +

    Changing the SELinux P= olicy Behavior: Booleans

    +

    +A common and user friendly way of tweaking the SELinux policy is through +booleans. A SELinux boolean, also known = as a conditional, changes how the +SELinux policy behaves based on the setting that the user provides. To m= ake this +a bit more clear, let's look at a few booleans available: +

    + + + +

    Code Listing1.1: Gett= ing SELinux booleans

    +# getsebool -a | grep ^user
    +user_direct_mouse --> off
    +user_dmesg --> off
    +user_ping --> on
    +user_rw_noexattrfile --> off
    +user_tcp_server --> off
    +user_ttyfile_stat --> off
    +
    +

    +Although they might not say much on first sight, these booleans alter ho= w the +SELinux policy enforces user activity (hence the booleans starting with +user_). For instance, user_ping is set to on, so a +user is allowed to use ping. If = it was set to off, the SELinux +policy would not allow a user to execute ping. +

    +

    +Booleans can be toggled on or off using setsebool or togglesebool= . +With setsebool you need to give = the value (on or off) whereas +togglesebool switches the value. +

    + + + +

    Code Listing1.1: Disa= llowing the use of ping by users

    +# setsebool user_ping off
    +
    +

    +By default, setsebool does not s= tore the boolean values - after a reboot, +the old values are used again. To persist such changes, you need to add = the +-P option: +

    + + + +

    Code Listing1.1: Pers= istedly allow users to run dmesg

    +# setsebool -P user_dmesg on
    +
    +

    +Booleans allow administrators to tune the policy, and allow security +administrators to write policies that are flexible enough for a more wid= espread +use. In terms of Gentoo flexibility, these booleans might not be used en= ough (it +would be nice to couple these booleans on USE flags, so that a server bu= ild with +USE=3D"ldap" gets the SELinux policy to use ldap, whereas USE=3D"-ldap" = disallows +it). But still, the use of booleans is a popular method for making a mor= e +flexible SELinux policy. +

    +

    Managing SELinux Polic= y Modules

    +

    +In this last part, we'll cover SELinux policy modules. We mentioned befo= re that +the SELinux policy used by Gentoo Hardened is based on the reference pol= icy, +which offers a modular approach to SELinux policies. There is one base p= olicy, +which is mandatory on every system and is kept as small as possible. The= rest +are SELinux policy modules, usually providing the declarations, rules an= d file +contexts for a single application (or type of applications). +

    +

    +With semodule -l you can see the= list of SELinux policy modules loaded: +

    + + + +

    Code Listing1.1: List= ing the loaded SELinux modules

    +# semodule -l
    +alsa       1.11.0
    +apache     2.3.0
    +entropyd   1.6.0
    +dbus       1.15.0
    +dnsmasq    1.9.0
    +(...)
    +
    +

    +Within Gentoo Hardened, each module is provided by the package +sec-policy/selinux-<modulename>. For instance, the first +module encountered in the above example is provided by +selinux-alsa: +

    + + + +

    Code Listing1.1: The = SELinux policy module package in Gentoo

    +$ emerge --search selinux-alsa
    +Searching...
    +[ Results for search key : selinux-alsa ]
    +[ Applications found : 1]
    +
    +* sec-policy/selinux-alsa
    +    Latest version available: 2.20110726
    +    Latest version installed: 2.20110726
    +    Size of files: 574 kB
    +    Homepage:      http://www.gentoo.org/proj/en/hardened/selinux/
    +    Description:   SELinux policy for alsa
    +    License:       GPL-2
    +
    +

    +If you need a module that isn't installed on your system, this is consid= ered a +bug (packages that need it should depend on the SELinux policy package i= f the +selinux USE flag is set). But once you install the package yourself, the= module +will be loaded automatically: +

    + + + +

    Code Listing1.1: Inst= alling a SELinux policy package

    +# emerge selinux-screen
    +
    +

    +If you want to remove a module from your system though, uninstalling the= package +will not suffice: the SELinux policy module itself is copied to the poli= cy store +earlier (as part of the installation process) and is not removed from th= is store +by Portage. Instead, you will need to remove the module manually: +

    + + + +

    Code Listing1.1: Unin= stalling a SELinux policy module

    +# emerge -C selinux-screen
    +# semodule -r screen
    +
    +
    + + + +

    Updated S= eptember 30, 2011

    +

    Donate to support our development efforts. +

    +
    + +
    +
    +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? Contac= t us. +
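Review bot: the chapter numbering in this preview is broken: both chapters render as "1." ("1. Using (File) Labels" and "1. SELinux Policy and Booleans") and every listing in the file is captioned "Code Listing 1.1", which makes cross-references impossible; check the XSL/preview generation before publishing. The footer also still reads "Updated September 30, 2011" although this commit rewrites the chapter in mid-October. Content-wise the modules section is sound, but the `semodule -r screen` step would benefit from a remark that the name passed to semodule is the module name shown by `semodule -l` (screen), not the package name (selinux-screen), since the two are juxtaposed in the listing and the paragraph only says "remove the module manually".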
    + diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-i= nstall.html index b711d55..061fe7b 100644 --- a/html/selinux/hb-using-install.html +++ b/html/selinux/hb-using-install.html @@ -39,10 +39,10 @@ this chapter.

    Install Gentoo Linux according to the Gentoo Handbook installation instructions. We recommend the use of the hard= ened -stage 3 tarballs instead of the standard ones, but standard stage -installations are also supported for SELinux. Perform a full installatio= n to -the point that you have booted your system into a (primitive) Gentoo bas= e -installation. +stage 3 tarballs and hardened-sources kernel instead of the standard +ones, but standard stage installations are also supported for SELinux. +Perform a full installation to the point that you have booted your syste= m +into a (primitive) Gentoo base installation.

    Note: = If you are an XFS user, make sure that the inode sizes of the XFS file @@ -403,7 +403,7 @@ flag), but until that time, you will need to install = them yourself.

    Code Listing1.1: Inst= alling SELinux modules

    -~# eix selinux-
    +~# emerge --search selinux-
     [...]
     (Select the modules you want to install)
     ~# emerge selinux-screen selinux-gnupg selinu=
    x-sudo selinux-ntp selinux-networkmanager ...
    @@ -562,7 +562,8 @@ correctly. For instance, if you have installed
     

    Reboot and Set SELinux= Booleans

    Reboot your system. Log on and, if you have indeed installed Gentoo usin= g the -hardened sources (as we recommended), enable the SSP SELinux boolean: +hardened sources (as we recommended), enable the SSP SELinux boolean, al= lowing +every domain read access to the /dev/ur= andom device:

    @@ -573,12 +574,14 @@ hardened sources (as we recommended), enable the SS= P SELinux boolean:

    Define the Administrat= or Accounts

    Finally, we need to map the account(s) you use to manage your system (th= ose -that need access to Portage) to the sta= ff_u SELinux user. By default, -users are mapped to the user_u S= ELinux user who doesn't have the -appropriate rights (nor access to the appropriate roles) to manage a sys= tem. -Accounts that are mapped to staff_u can, but might need to switch roles -from staff_r to sysadm_r before they are granted the appropriate -privileges. +that need access to Portage) to the sta= ff_u SELinux user. If not, none +of your accounts will be able to succesfully manage the system (except f= or +root, but then you will need to = login as root directly and not +through sudo or su.) By default, users are mapped to the +user_u SELinux user who doesn't = have the appropriate rights (nor access +to the appropriate roles) to manage a system. Accounts that are mapped t= o +staff_u can, but might need to s= witch roles from staff_r to +sysadm_r before they are granted= the appropriate privileges.

    Assuming that your account name is john: @@ -610,7 +613,7 @@ With that done, enjoy - your first steps into the SEL= inux world are now made.

    Code Listing1.1: Enab= ling the global_ssp boolean

    - +

    Updated J= uly 22, 2011

    Updated S= eptember 11, 2011

    Donate to support our development efforts.

    diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-usin= g-permissive.html index d5e77aa..4212a95 100644 --- a/html/selinux/hb-using-permissive.html +++ b/html/selinux/hb-using-permissive.html @@ -243,11 +243,18 @@ screen: /usr/bin/screen ~# qfile /usr/bin/screen app-misc/screen (/usr/bin/screen) =20 -~# eix selinux-screen -* sec-policy/selinux-screen - Available versions: ~2.20090730 ~2.20091215 ~2.20101213 - Homepage: http://www.gentoo.org/proj/en/hardened/selinux/ - Description: SELinux policy for general applications +~# emerge --search selinux-screen +Searching... =20 +[ Results for search key : selinux-screen ] +[ Applications found : 1 ] + +* sec-policy/selinux-screen + Latest version available: 2.20110726 + Latest version installed: 2.20110726 + Size of files: 574 kB + Homepage: http://www.gentoo.org/proj/en/hardened/selinux/ + Description: SELinux policy for screen + License: GPL-2 =20 ~# emerge selinux-screen [...] @@ -584,7 +591,7 @@ The same tool can be used to relabel the entire syste= m:
    - +

    Updated J= une 2, 2011

    Updated S= eptember 11, 2011

    Donate to support our development efforts.

    diff --git a/html/selinux/hb-appendix-troubleshoot.html b/html/selinux/hb= -using-troubleshoot.html similarity index 100% rename from html/selinux/hb-appendix-troubleshoot.html rename to html/selinux/hb-using-troubleshoot.html diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-ha= ndbook.html index 7006609..bd04178 100644 --- a/html/selinux/selinux-handbook.html +++ b/html/selinux/selinux-handbook.html @@ -53,12 +53,10 @@ a basic understanding of these aspects, it will be di= fficult to understand how SELinux policies work and how to troubleshoot if things go wrong.
  • -The SELinux (Reference) Policy=
    -To streamline SELinux policy development, a reference policy is being de= veloped -that is used by all SELinux-supporting distributions. In this chapter we= give=20 -some intel on what this reference policy is and why it is brought to lif= e, but -also how this policy functions and how its development is progressing. W= e also -cover the basics on SELinux policies in general. +SELinux Resources
    +To get more acquainted with SELinux, many resources exist on the Interne= t. +In this chapter we give a quick overview of the various resources as wel= l +as places where you can get more help when you are fighting with SELinux= .
  • @@ -75,55 +73,35 @@ update your system to become a SELinux-managed system= . This chapter will guide you through this process.
  • -SELinux Commands
    -Before we start with SELinux, we first take a step back and get to know = a few -commands. As we are currently running a SELinux enabled system (but in -permissive mode) we can now get acquainted with the various SELinux-spec= ific -commands. +Configuring SELinux For Your Needs=
    +With SELinux now "installed" and enabled (although in permissive mode), = we now +configure it to suit your particular needs. After all, SELinux is a Mand= atory +Access Control system where you, as security administrator, define what = is +allowed and what not.
  • -Running in Permissive Mode=
    -Once SELinux is active, we first start by running the system in permissi= ve mode. -In this chapter, we tell you how to get acquainted with SELinux more in-= depth -with live command information, but without interfering with the standard= access -controls (i.e. in permissive mode). +SELinux Commands
    +Let's take a step back and get to know a few more commands. We covered m= ost of +them in the previous section, but we will now dive a bit deeper in its +syntax, features and potential pitfalls.
  • -Switching to Enforcing Mode
    -Once you believe that the system can be ran in enforcing mode, we switch= the -system to verify if this is true. Once verified, the next step is to (re= )boot in -enforcing mode. Finally, if we are confident that the enforcing is worki= ng -properly and that the system is still doing its job correctly, we fix th= e -enforcing mode so that it cannot be disabled anymore. +Permissive, Unconfined, Disabled o= r What Not...
    +Your system can be in many SELinux states. In this chapter, we help you = switch +between the various states / policies.
  • -Adding SELinux Policy Modules<= /b>
    -Far from all packages where SELinux policy modules are available for hav= e a -corresponding package in Gentoo/Hardened. In this chapter, we help you t= o add -more modules yourself or create your own modules for those packages that= have no -SELinux policies yet. +Modifying the Gentoo Hardened SELi= nux Policy
    +Gentoo Hardened offers a default policy, but this might not allow what y= ou want +(or allows too much). In this chapter we tell you how you can tweak Gent= oo's +policy, or even run your own.
  • - - -
  • -Appendices
    -Additional resources and referenced materials within this book are menti= oned in -this appendix. -
    1. -Troubleshooting SELinux +Troubleshooting SELinux Everything made by a human can and will fail. In this chapter we will tr= y to keep track of all potential issues you might come across and how to reso= lve them.=20
    2. -
    3. -SELinux Reference Material=
      -This Gentoo Hardened SELinux handbook gives a first introduction to SELi= nux and -how it is integrated in Gentoo Hardened. But more seasoned administrator= s will -most definitely want to read up on the more advanced uses (and manageria= l -challenges) of SELinux - which we definitely recommend. A non-exhaustive= list is -compiled in this chapter. -
  • @@ -160,7 +138,7 @@ compiled in this chapter.
    - +

    Print

    View all

    Updated D= ecember 1, 2010

    Updated S= eptember 18, 2011

    Summary:= This is the Gentoo SELinux Handbook.
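Review bot: in the hb-using-install.html hunk at @@ -573 ("Define the Administrator Accounts"), "succesfully" should be "successfully" and "login as root directly" should be "log in as root directly"; the sentence "(except for root, but then you will need to login as root directly and not through sudo or su.)" also puts the period inside the closing parenthesis of a mid-sentence aside; move it outside. In the @@ -562 hunk the new description of the boolean ("allowing every domain read access to the /dev/urandom device") is useful, but the prose calls it "the SSP SELinux boolean" while the listing it refers to is titled "Enabling the global_ssp boolean"; name global_ssp in the prose so the reader can map one to the other.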
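Review bot: in the selinux-handbook.html hunk at @@ -75, removing the "Appendices" part leaves "Troubleshooting SELinux" rendered as a numbered sub-item ("1.") with no parent heading, and the dangling "2." and "3." entries from the removed "SELinux Reference Material" chapter remain in the rendered list; check the part/chapter nesting in the source so the troubleshooting chapter sits under the part whose chapters carry the hb-using- prefix (its file is renamed to hb-using-troubleshoot.html in this same commit) and re-render. Also, in the "SELinux Commands" summary "dive a bit deeper in its syntax, features and potential pitfalls" should be "their syntax", and the "Permissive, Unconfined, Disabled or What Not..." summary could drop the slash in "states / policies".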