From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: html/selinux-faq.html html/selinux/hb-using-enforcing.html html/selinux/hb-using-permissive.html
X-VCS-Directories: html/ html/selinux/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: e4503de380d1762bf2e26363e7283320b7948edd
Date: Fri, 22 Apr 2011 19:18:13 +0000 (UTC)
List-Id: Gentoo Linux mail
X-Archives-Hash: 6b49d0c14a4107ba14c99367b40ae540

commit:     e4503de380d1762bf2e26363e7283320b7948edd
Author:     Sven Vermeulen siphos be>
AuthorDate: Fri Apr 22 19:17:35 2011 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Fri Apr 22 19:17:35 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e4503de3

Update previews

---
 html/selinux-faq.html                 | 40 +++++++++++++++++++++++++++++++++
 html/selinux/hb-using-enforcing.html  |  5 +--
 html/selinux/hb-using-permissive.html |  6 ++++-
 3 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index b208016..b32a389 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -63,6 +63,10 @@ as well.
  • I get a missing SELinux module error when usi= ng emerge
  • I get 'FEATURES variable contains unknown va= lue(s): loadpolicy'
  • During rlpkg I get 'conflicting speci= fications for ... and ..., using ...'
  • +
  • + During package installation, ld.so complains 'object 'libsandbox.so' f= rom=20 + LD_PRELOAD cannot be preloaded: ignored' +
  • = 2. General SELinux Support Questions
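Review bot: the new TOC entry nests single quotes ('object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored'), so the outer quote visually closes at libsandbox.so and the title reads as two fragments. Quote the ld.so message as one string, e.g. ld.so complains "object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored", and apply the same quoting to the matching section title in the second hunk so the TOC and heading stay identical.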

    @@ -272,6 +276,42 @@ It is also not a bad idea to report (after verifying= if it hasn't been reported first) this on Gentoo's bugzilla= so=20 that the default policies are updated accordingly.

    +

    + During package installation, ld.so complains 'object 'libsandbox.so' f= rom=20 + LD_PRELOAD cannot be preloaded: ignored' +

    +

    +During installation of a package, you might see the following error mess= age: +

    + + + +

    Code Listing5.5: Erro= r message during package installation

    +>> Installing (1 of 1) net-dns/host-991529
    +>>> Setting SELinux security labels
    +ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded=
    : ignored.
    +
    +

    +This message should only occur after the= Setting SELinux security +labels message. It happens because SELinux tells glibc to disable= =20 +LD_PRELOAD (and other environmen= t variables that are considered=20 +potentially harmful) during domain transitions. Here, portage calls the +setfiles command (part of a SELi= nux installation) and as such=20 +transitions from portage_t to setfiles_t, which clears the environment +variable. +

    +

    +We believe that it is safer to trust the SELinux policy here (as setfile= s runs +in its own confined domain anyhow) rather than updating the policy to al= low +transitioning between portage_t to setfiles_t without clearing these=20 +environment variables. Note that libsandbox.so = is not disabled during builds +and merges, only during the activity where Portage labels the fil= es it=20 +just merged. +

    +

    +So the error is in our opinion cosmetic and can be ignored (but sadly no= t +hidden). +
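Review bot: the explanation "SELinux tells glibc to disable LD_PRELOAD ... during domain transitions" is too vague to let a reader judge the trade-off the next paragraph makes. The mechanism is that the kernel marks the exec as a secure execution (AT_SECURE in the auxiliary vector) for a domain transition unless the policy grants the noatsecure process permission from the source to the target domain, and glibc's ld.so in secure-execution mode ignores LD_PRELOAD entries such as libsandbox.so, printing exactly this "cannot be preloaded: ignored" line. Naming noatsecure also makes concrete what "updating the policy to allow transitioning between portage_t to setfiles_t without clearing these environment variables" would be (allow portage_t setfiles_t:process noatsecure), and why the text prefers not to grant it. Two smaller points: the listing's first line reads ">> Installing" while the next reads ">>> Setting"; if that is not a preview artifact, Portage prefixes both with ">>>". And "between portage_t to setfiles_t" should be "from portage_t to setfiles_t".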



    diff --git a/html/selinux/hb-using-enforcing.html b/html/selinux/hb-using= -enforcing.html index 810722f..eb5d08a 100644 --- a/html/selinux/hb-using-enforcing.html +++ b/html/selinux/hb-using-enforcing.html @@ -3,7 +3,7 @@ - + @@ -141,8 +141,7 @@ system as the intention was to ignore the output anyh= ow.

    So how can we ensure that this rule doesn't fill up our AVC logs? Well, = we need -to create a module (like we have seen before and which we discuss in a l= ater -chapter again :-): +to create a module (like we have seen before in (Creating Specific = Allow Rules)):
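Review bot: the replacement sentence ends in a doubled parenthesis, "in (Creating Specific Allow Rules)):", because the rendered cross-reference is itself parenthesised inside the parenthetical. Drop the outer parentheses or rephrase, e.g. "to create a module, as we did in (Creating Specific Allow Rules):". The earlier hunk in this file (-3,7 +3,7) shows only a removed and an added line whose markup the preview strips, so nothing can be checked there from this mail.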

    diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-usin= g-permissive.html index b1a43d8..edb5a19 100644 --- a/html/selinux/hb-using-permissive.html +++ b/html/selinux/hb-using-permissive.html @@ -308,7 +308,7 @@ files whose context you want to set. Writing policy m= odules is described later in this book in (Adding SELinux Policy Modules).

    -

    Creating Specific Allo= w Rules

    +

    Creating Specific Allow Rules

    If a denial isn't resolved through an available SELinux policy module or= a corrective action taken against the target file or directory, or there @@ -381,6 +381,10 @@ order to load a module, you can use semodule -i mod

    • + With semodule -i modulename.pp you (re)install a module (or install + a higher version of said module) +
    • +
    • With semodule -u modulename.pp you upgrade an existing installed module with a new version of this module

    Code Listing1.1: Crea= ting a module to ignore these AVC denials
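Review bot: in the -381,6 hunk the new "semodule -i modulename.pp" bullet and the existing "semodule -u modulename.pp" bullet now say almost the same thing ("install a higher version of said module" versus "upgrade an existing installed module with a new version of this module"), so a reader cannot tell when to use which. State the actual difference between the two (whether -i installs a module and replaces an already installed module of the same name regardless of version, while -u only accepts a newer version), and replace "said module" with "that module". The blank "+" line between the two items also leaves an empty list entry in the preview.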