public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
Date: Fri, 22 Apr 2011 19:18:13 +0000 (UTC)
Message-ID: <e4503de380d1762bf2e26363e7283320b7948edd.SwifT@gentoo>

commit:     e4503de380d1762bf2e26363e7283320b7948edd
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 22 19:17:35 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 22 19:17:35 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e4503de3

Update previews

---
 html/selinux-faq.html                 |   40 +++++++++++++++++++++++++++++++++
 html/selinux/hb-using-enforcing.html  |    5 +--
 html/selinux/hb-using-permissive.html |    6 ++++-
 3 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index b208016..b32a389 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -63,6 +63,10 @@ as well.
 <li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li>
 <li><a href="#loadpolicy">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></li>
 <li><a href="#conflicting_types">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></li>
+<li><a href="#portage_libsandbox">
+  During package installation, ld.so complains 'object 'libsandbox.so' from 
+  LD_PRELOAD cannot be preloaded: ignored'
+</a></li>
 </ul>
 <p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
             </span>General SELinux Support Questions</p>
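Review bot: the new table-of-contents entry has trailing whitespace after "from" on its second line; trim it while the line is being added. Otherwise the entry is sound: the `#portage_libsandbox` target matches the `<a name="portage_libsandbox">` anchor the second hunk introduces, and the nested single quotes in 'object 'libsandbox.so' from LD_PRELOAD ...' reproduce the literal ld.so message, which is what readers will search for.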
@@ -272,6 +276,42 @@ It is also not a bad idea to report (after verifying if it hasn't been reported
 first) this on <a href="https://bugs.gentoo.org">Gentoo's bugzilla</a> so 
 that the default policies are updated accordingly.
 </p>
+<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">
+  During package installation, ld.so complains 'object 'libsandbox.so' from 
+  LD_PRELOAD cannot be preloaded: ignored'
+</a></p>
+<p>
+During installation of a package, you might see the following error message:
+</p>
+<a name="doc_chap5_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.5: Error message during package installation</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+&gt;&gt; Installing (1 of 1) net-dns/host-991529
+&gt;&gt;&gt; Setting SELinux security labels
+ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
+</pre></td></tr>
+</table>
+<p>
+This message should <span class="emphasis">only</span> occur after the <span class="emphasis">Setting SELinux security
+labels</span> message. It happens because SELinux tells glibc to disable 
+<span class="code" dir="ltr">LD_PRELOAD</span> (and other environment variables that are considered 
+potentially harmful) during domain transitions. Here, portage calls the
+<span class="code" dir="ltr">setfiles</span> command (part of a SELinux installation) and as such 
+transitions from portage_t to setfiles_t, which clears the environment
+variable.
+</p>
+<p>
+We believe that it is safer to trust the SELinux policy here (as setfiles runs
+in its own confined domain anyhow) rather than updating the policy to allow
+transitioning between portage_t to setfiles_t without clearing these 
+environment variables. Note that <span class="emphasis">libsandbox.so is not disabled during builds
+and merges</span>, only during the activity where Portage labels the files it 
+just merged.
+</p>
+<p>
+So the error is in our opinion cosmetic and can be ignored (but sadly not
+hidden).
+</p>
 <br><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
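Review bot: the code listing is inconsistent with itself: its first line shows two chevrons ('&gt;&gt; Installing') while the second shows three ('&gt;&gt;&gt; Setting SELinux security labels'); Portage prefixes both with '>>>', so the first line looks truncated and should read '&gt;&gt;&gt; Installing (1 of 1) net-dns/host-991529'. The explanation would also be more precise if it named the mechanism instead of "SELinux tells glibc to disable LD_PRELOAD": on the portage_t to setfiles_t transition the kernel sets AT_SECURE because the policy does not grant noatsecure for that transition, and it is glibc's secure-execution mode that then ignores LD_PRELOAD entries (which is also what "updating the policy to allow transitioning ... without clearing these environment variables" would amount to). That wording makes the argument that the message is cosmetic easier to follow. Minor: "Code Listing5.5" is missing a space, and several of the added prose lines end in trailing whitespace.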

diff --git a/html/selinux/hb-using-enforcing.html b/html/selinux/hb-using-enforcing.html
index 810722f..eb5d08a 100644
--- a/html/selinux/hb-using-enforcing.html
+++ b/html/selinux/hb-using-enforcing.html
@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 <link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
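Review bot: style only: the shortcut-icon element keeps upper-case REL/HREF/TYPE while every neighbouring <link> uses lower-case attribute names; worth normalising since the line is being touched anyway. Switching to the absolute http://www.gentoo.org/favicon.ico is consistent with the stylesheet and search links around it.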
@@ -141,8 +141,7 @@ system as the intention was to ignore the output anyhow.
 </p>
 <p>
 So how can we ensure that this rule doesn't fill up our AVC logs? Well, we need
-to create a module (like we have seen before and which we discuss in a later
-chapter again :-):
+to create a module (like we have seen before in <span title="Link to other book part not available"><font color="#404080">(Creating Specific Allow Rules)</font></span>):
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating a module to ignore these AVC denials</p></td></tr>
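Review bot: the rewritten sentence now reads "(like we have seen before in (Creating Specific Allow Rules)):", nesting one parenthesis inside another and ending on a bare colon; consider "like we have seen before in (Creating Specific Allow Rules):" or moving the cross-reference outside the parentheses. Note also that the "Link to other book part not available" span renders the reference as plain text, so it does not actually link to the create_module anchor that the hb-using-permissive.html hunk adds; readers of the preview must locate the section by its title.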

diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html
index b1a43d8..edb5a19 100644
--- a/html/selinux/hb-using-permissive.html
+++ b/html/selinux/hb-using-permissive.html
@@ -308,7 +308,7 @@ files whose context you want to set. Writing policy modules is described later
 in this book in <span title="Link to other book part not available"><font color="#404080">(Adding SELinux Policy
 Modules)</font></span>.
 </p>
-<p class="secthead"><a name="doc_chap1_sect1">Creating Specific Allow Rules</a></p>
+<p class="secthead"><a name="create_module"></a><a name="doc_chap1_sect1">Creating Specific Allow Rules</a></p>
 <p>
 If a denial isn't resolved through an available SELinux policy module or a
 corrective action taken against the target file or directory, or there
@@ -381,6 +381,10 @@ order to load a module, you can use <span class="code" dir="ltr">semodule -i mod
 </p>
 <ul>
   <li>
+    With <span class="code" dir="ltr">semodule -i modulename.pp</span> you (re)install a module (or install
+    a higher version of said module)
+  </li>
+  <li>
     With <span class="code" dir="ltr">semodule -u modulename.pp</span> you upgrade an existing installed
     module with a new version of this module
   </li>
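Review bot: the new "semodule -i" item overlaps with the "semodule -u" item directly below it ("(re)install a module (or install a higher version of said module)" versus "upgrade an existing installed module with a new version"), so a reader cannot tell when to prefer one over the other; state the distinction, for instance that -u is meant for a module that is already installed, as its own description says, while -i is the general way to add one. Minor: neither item ends with a full stop, which at least matches the surrounding list.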


