From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/modules/apache.xml xml/selinux/modules/bind.xml xml/selinux/modules/cron.xml xml/selinux/modules/index.xml xml/selinux/modules/ldap.xml xml/selinux/modules/portage.xml xml/selinux/modules/ssh.xml X-VCS-Directories: xml/selinux/modules/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: e4f04e14465866f91e580ce149eb8c9b9fc05cbf Date: Thu, 22 Dec 2011 12:58:07 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: 20afc2e8-d459-4697-9676-57c870bef4e8 X-Archives-Hash: 7d8e5543a3525a946ead558bc059281f commit: e4f04e14465866f91e580ce149eb8c9b9fc05cbf Author: Sven Vermeulen siphos be> AuthorDate: Thu Dec 22 12:57:44 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Thu Dec 22 12:57:44 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3De4f04e14 Drop module information, is now over at wiki.g.o --- xml/selinux/modules/apache.xml | 586 ---------------------------------= ------ xml/selinux/modules/bind.xml | 132 --------- xml/selinux/modules/cron.xml | 389 -------------------------- xml/selinux/modules/index.xml | 69 ----- xml/selinux/modules/ldap.xml | 105 ------- xml/selinux/modules/portage.xml | 325 ---------------------- xml/selinux/modules/ssh.xml | 102 ------- 7 files changed, 0 insertions(+), 1708 deletions(-) diff --git a/xml/selinux/modules/apache.xml b/xml/selinux/modules/apache.= xml deleted file mode 100644 index 4d6350e..0000000 --- a/xml/selinux/modules/apache.xml +++ /dev/null 
@@ -1,586 +0,0 @@ - - - - - -SELinux Apache Module - - Sven Vermeulen - - - -Within SELinux, the apache module is responsible for defining the -web server related domains and privileges. It is not tied to Apache, des= pite -its name. - - - - - - -1 -2011-06-02 - - -Structure -
-Domains - - -
- -

-The apache module provides the following domains: -

- - - - - - - - - httpd_t - apache
lighttpd
- Webserver processes - - - httpd_helper_t - htsslpass - Domain for the htsslpass process - - - httpd_php_t - php-cgi - Domain for PHP support through CGI (php-cgi process) - - - httpd_rotatelogs_t - rotatelogs - Domain for the rotatelogs process - - - httpd_suexec_t - suexec - - Domain used by the webserver suexec process to switch to another use= r - before calling and executing a script - - - - httpd_sys_script_t - - Domain used by the system/package-provided CGI scripts - - - httpd_user_script_t - - Domain used by the user-provided CGI scripts - -
DomainProcess(es)Description
- - -The apache module allows other modules to define their own domain= s and -types for use by the webservers. This is done through templates. The ref= erence -policy by default enabled two of such templated sets for user and -sys, which you can see in domains like httpd_sys_script_t = and -httpd_user_script_t. It is very well possible that on your system= , more -of these template-instantiated domains exist. - - - -
-
-File Types/Labels - - -

-The following table lists the file type/labels defined in the apache<= /c> -module. -

- -
    -
  • - If the function mentions (templated) then it means that the t= ypes - are generated by the apache module, but that similar others m= ight - exist on your system (called through other modules). -
  • -
  • - When talking about scripts, we mean CGI scripts or other scri= pts that - are triggered from the webserver, not from an interactive shell sess= ion. -
  • -
- - - - - - - - - - - httpd_exec_t - Entrypoint - Entrypoint for the webserver processes - - - httpd_initrc_exec_t - Entrypoint - Entrypoint for the webserver init scripts - - - httpd_helper_exec_t - Entrypoint - Entrypoint for the webserver helper processes - - - httpd_php_exec_t - Entrypoint - Entrypoint for the PHP scripts - - - httpd_rotatelogs_exec_t - Entrypoint - Entrypoint for the rotatelog helper - - - httpd_suexec_exec_t - Entrypoint - Entrypoint for the suexec wrapper - - - httpd_sys_script_exec_t - Entrypoint (templated) - - Entrypoint for system CGI scripts (or other callable scripts) that n= eed - access to the system content files (httpd_sys_content_t) - - - - httpd_user_script_exec_t - Entrypoint (templated) - - Entrypoint for the user-provided scripts callable from the webserver= instances - - - - httpd_squirrelmail_t - Content - Squirrelmail files - - - squirrelmail_spool_t - Content - Squirrelmail attachment location - - - httpd_sys_content_t - Content (templated) - - Readable content for the webservers and system scripts, offered thro= ugh=20 - the system / packages. - - - - httpd_sys_htaccess_t - Content (templated) - - Label for the htaccess files, readable by the webserver but not from= scripts - or other webserver related domains. - - - - httpd_sys_rw_content_t - Content (templated) - - Read and writeable content for the webservers and system scripts (no= t user - scripts).=20 - - - - httpd_sys_ra_content_t - Content (templated) - - Read and appendable content for the webservers and system scripts (n= ot user - scripts). - - - - httpd_user_content_t - Content (templated) - - Readable content for the webservers and user scripts, offered by (an= d - writeable by) users. - - - - httpd_user_htaccess_t - Content (templated) - - Label for the htaccess files, readable by the webserver but not from= scripts - or other webserver related domains. 
- - - - httpd_user_rw_content_t - Content (templated) - - Read and writeable content for the webservers and user scripts (not = system=20 - scripts). - - - - httpd_user_ra_content_t - Content (templated) - - Read and appendable content for the webservers and user scripts (not= system - scripts). - - - - httpd_php_tmp_t - Temporary Files - Temporary files from the PHP scripts - - - httpd_suexec_tmp_t - Temporary Files - Temporery files for the suexec domain - - - httpd_tmp_t
httpd_tmpfs_t
- Temporary Files - Temporary files from the httpd domain - - - - httpd_cache_t - - Web server cache - - - httpd_config_t - - Configuration files - - - httpd_lock_t - - Lock files - - - httpd_log_t - - Web server log files - - - httpd_modules_t - - Webserver modules - - - httpd_var_lib_t - - Webserver libraries - - - httpd_var_run_t - - Runtime files for httpd - -
TypeFunctionDescription
- - -
-
- -Using Apache -
-File Locations - - -

-The policy offered only contains the right file context rules for the de= fault -locations. If you deviate from these locations, you'll need to update th= e -contexts accordingly. -

- -

-The following table provides an overview of common Apache settings (vari= ables in -httpd.conf) that are often changed by end users, and the fi= le=20 -context that it should have. If you use a different webserver you'll nee= d to -base it on the description instead. -

- - - - - - - - - - DocumentRoot - Location where web content is stored (html pages and such) - /srv/localhost/www - system_u:object_r:httpd_sys_content_t - - - Document - Location where CGI scripts are stored - /srv/localhost/cgi-bin - system_u:object_r:httpd_sys_script_exec_t - - - Directory - User home directory location where user-provided content is stored= - /home/*/public_html - system_u:object_r:httpd_user_content_t - - - Directory - User home directory location where user-provided CGI scripts are s= tored - /home/*/public_html/cgi-bin - system_u:object_r:httpd_user_script_exec_t - -
Setting in httpd.confDescriptionDefault LocationFile Context(s)
- - -
-
-Sharing Files - - -

-The SELinux policy (as part of the miscfiles module) supports two -additional types: public_content_t and public_content_rw_t= . These -are used for what is called anonymous files which are readable by= all -file-serving services. If all services only need to read from it, then -public_content_t is used. If at least one services needs to write= to it, -use public_content_rw_t and toggle the right SELinux boolean for = the -domain that needs write access to it (allow_DOMAIN_anon_write). -

- -

-For instance, if you have files that are shared by Apache, NFS, Samba, .= .. you -label these public_content_t (read-only) or public_content_rw_= t -(read-write for some) and then toggle the appropriate booleans: -

- -
-~# setsebool -P allow_httpd_sys_script_anon_write on
-
- - -
-
-Booleans - - -

-The apache module has several booleans which manipulate the allow= ed -permissions within your installation. The table below gives an overview = of the -booleans, but also mentions which USE flags you could associate w= ith it. -Note that the booleans are not linked to USE flags. However, if y= ou have -set a particular USE flag for the webserver environment, then you might = want to -toggle these booleans as well. -

- - - - - - - - - allow_httpd_anon_write - - Allow the webserver to modify public files (labeled - public_content_rw_t) - - - - - allow_httpd_sys_script_anon_write - - Allow the system scripts to modify public files - - - - - allow_httpd_user_script_anon_wriet - - Allow the user scripts to modify public files - - - - - allow_httpd_mod_auth_pam - - Allow the webserver to use the auth_pam module - - - - - httpd_builtin_scripting - - Needed when your webservers use internal scripting languages like PH= P - (languages that are read and interpreted by the webserver directly r= ather than - called through separate processes like with CGI) - - - - - httpd_can_network_connect - - Allow the webserver scripts and modules to connect to the network - - - - - httpd_can_network_connect_db - - Allow the webserver scripts and modules to connect to databases over= the - network - - - - - httpd_can_network_relay - - Allow webservers to act as a relay - - - - - httpd_can_sendmail - - Allow webservers to send e-mails - - - - - httpd_dbus_avahi - - Allow webservers to communicate with avahi service via dbus - - - - - httpd_enable_cgi - - Allow webservers to call CGI scripts (labeled httpd_sys_script_ex= ec_t - or httpd_user_script_exec_t) - - - - - httpd_enable_ftp_server - - Allow webservers to act as an FTP server by listening on the FTP por= ts - - - - - httpd_enable_homedirs - - Allow webservers to read home directories (user_home_t). Not = to be - mistaken with httpd_user_content_t, which resides in the user= s' home - directory but is labeled, well, httpd_user_content_t ;-) - - - - - httpd_ssi_exec - - Allow webservers to run SSI executables in the same domain as the CG= I - scripts - - - - - httpd_tty_com - - Unify webservers to communicate with the terminal. This is needed wh= en you - need to enter a passphraze for certificates at the terminal. 
- - - - - httpd_unified - - When enabled, the various webserver content types (all types with at= tribute - httpdcontent set) are not differentiated anymore, but all con= sidered - to be readable, writeable and executable by the webserver. - - - - - httpd_use_cifs - - Allow webservers to access CIFS file systems - - - - - httpd_use_gpg - - Allow webservers to run gpg - - - - - httpd_use_nfs - - Allow webservers to access NFS file systems - - - -
BooleanDescriptionGentoo USE flag suggestion
- -

-If you want to toggle booleans, you can do so through setsebool: -

- -
-( With the -P flag, the boolean state is persisted across reboo=
ts)
-~# setsebool -P httpd_enable_homedirs on
-
- - -
-
-Ports - - -

-If you need to run the webserver on a non-default port, you can either m= ark this -port as an HTTP port (http_port_t) or create the appropriate rule= to allow -it to bind to the specified port. -

- -

-To mark a particular port (say 81) as an HTTP port, use semanage: -

- -
-~# semanage port -a -t http_port_t -p tcp 81
-
- -

-If you need to allow the webserver to bind on a port but are not allowed= to -modify that ports' type, you'll need to create a policy that allows the -httpd_t domain to bind to the particular port. For instance, to a= llow it -to bind on the SMTP port: -

- -
-allow httpd_t smtp_port_t:tcp_socket name_bind;
-
- - -
-
-
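Review bot: the commit message says this content "is now over at wiki.g.o" but gives no URL, and nothing in the patch leaves a pointer behind in the docs tree; suggest putting the wiki page address in the commit message so readers of the old location can find the new one. The deleted Booleans table also carries a misspelled boolean name, `allow_httpd_user_script_anon_wriet`, and the `httpd_tty_com` row reads "Unify webservers to communicate" where "Allow" is meant; worth checking that the migrated copy has these corrected, since `setsebool` will not find a boolean under the misspelled name.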
diff --git a/xml/selinux/modules/bind.xml b/xml/selinux/modules/bind.xml deleted file mode 100644 index 25c2a11..0000000 --- a/xml/selinux/modules/bind.xml +++ /dev/null @@ -1,132 +0,0 @@ - - - - - -SELinux Bind Module - - Sven Vermeulen - - - -Within SELinux, the bind module is responsible for defining the BIND -domains and interactions. - - - - - - -1 -2011-07-09 - - -Structure -
-Domains - - -
- -

-The named_t domain can only be transitioned towards through the -initrc_t domain (i.e. through init scripts). The ndc_t dom= ain -(for the named domain controller) can be transitioned towards through th= e -initrc_t and sysadm_t (general system administration) doma= ins. -

- - -
-
-File Types/Labels - - -

-The following table lists the file type/labels defined in the bind -module. -

- - - - - - - - - named_exec_t - Entrypoint - Entrypoint domain for the named binaries - - - named_initrc_exec_t - Entrypoint - Entrypoint domain for non-Gentoo init scripts - - - named_checkconf_exec_t - Entrypoint - Entrypoint for the checkconf binary - - - ndc_exec_t - Entrypoint - Entrypoint for the ndc binaries - - - dnssec_t - Configuration - Label for the key files used by the named daemon - - - named_zone_t - Configuration - Label for the primary zone files - - - named_cache_t - Configuration - Label for the cached zone files - - - named_conf_t - Configuration - Label for the named configuration files - - - named_log_t - Configuration - Label for the named log files - - - named_tmp_t - - Label for the named temporary files - - - named_var_run_t - - Label for the named runtime variable data - -
TypeFunctionDescription
- - -
-
- -Using Bind -
-SELinux boolean: named_write_master_zones - - -

-The named policy offers one boolean called -named_write_master_zones which, when enabled, allows the named da= emon to -write to its master zone files (i.e. named_zone_t). This is used = in -master/slave setups. -

- - -
-
-
diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml deleted file mode 100644 index e909ff8..0000000 --- a/xml/selinux/modules/cron.xml +++ /dev/null @@ -1,389 +0,0 @@ - - - - - -SELinux cron Module - - Sven Vermeulen - - - -Within SELinux, the cron module is responsible for defining the scheduli= ng -domains and interactions. - - - - - - -3 -2011-12-14 - - -Structure -
-Domains - - -
- -

-The cron daemon itself (like vixie-cron) runs in the crond_t -domain. Depending on the cron daemon used, this daemon either immediatel= y -executes the jobs (hence its ability to transition to various other doma= ins) or -does this through an intermediate domain (system_cronjob_t for sy= stem -cronjobs and cronjob_t for user cronjobs). -

- -

-The crontab_t and admin_crontab_t domains are used by the = users -(and administrators) for maintaining their crontab files. These files ar= e read -in by the cron daemon. -

- - -
-
-File Types/Labels - - -

-The following table lists the file type/labels defined in the cron -module (part of the base policy). -

- - - - - - - - - cronjob_t - Domain - Domain for end user cronjobs - - - system_cronjob_t - Domain - Domain for system cronjobs - - - crond_t - Domain - Domain for the cron daemon - - - admin_crontab_t - Domain - Domain for administrator-started crontab commands - - - crontab_t - Domain - Domain for user-started crontab commands - - - crond_exec_t - Entrypoint - Entrypoint for the cron daemon binaries - - - crontab_exec_t - Entrypoint - Entrypoint for the crontab commands - - - cron_spool_t - Configuration - Spool files (where the user crontab files are in) - - - user_cron_spool_t - Configuration - Spool files (for the user crontab files) - - - system_cron_spool_t - Configuration - Spool files (where the system crontab files are in) - - - cron_var_lib_t - - Label for cron's /var/lib items - - - cron_var_run_t - - Label for cron's /var/run items - - - cron_log_t - - Label for cron's logfiles (/var/log/cron) - - - crond_tmp_t - - Label for the cron daemon's temporary files - - - crond_var_run_t - - Label for the cron daemon's /var/run items - - - system_cronjob_lock_t - - Label for the system cronjobs' lock files - - - system_cronjob_tmp_t - - Label for the system cronjobs' temporary files - - - admin_crontab_tmp_t - - - Label for temporary files created by a system administrators' cronta= b - command - - - - crontab_tmp_t - - Label for temporary files created by a users' crontab command - -
TypeFunctionDescription
- - -
-
-Booleans - - -

-The cron domain supports the following SELinux booleans, which ca= n be set -/ unset using the standard setsebool statements. -

- - - - - - - - - cron_can_relabel - false - - Allow jobs running in the system_cronjob_t domain to relabel = files - and directories. When set, these jobs can also call the setfiles<= /c> and=20 - restorecon commands. - - - - fcron_crond - false - - Needed to set more privileges for the cron domains in case fcron<= /c> is - used as a cron daemon. These privileges are not necessary for other = cron - daemons and as such are "behind" this boolean. - - -
BooleanDefaultDescription
- - -
-
- -Using Cron -
-System Administration - - -

-If you want to perform system administrative tasks using cronjobs, you w= ill need -to take special care that the domain in which the job runs has sufficien= t -privileges. -

- -

-First, make sure that your cronjobs run in the system_cronjob_t d= omains. -This means that the cronjobs must be defined as either -

- -
    -
  • - scripts in the /etc/cron.hourly, /etc/cron.daily<= /path>, - ... directories -
  • -
  • - crontab entries in the /etc/cron.d directory -
  • -
  • - crontab entries in the /etc/crontab file -
  • -
- -

-Second, make sure that your /etc/crontab uses HOME=3D/. -Setting this to another HOME directory might confuse some applica= tions. -With SELinux enabled, this could cause those applications to try and rea= d the -root users' home directory, which isn't allowed by policy. -

- -

-Next, verify that the commands you want to run (and thus their target do= main in -which they will run) are allowed for the system_cronjob_t domain. -

- -
-# Example to verify if we can call emerge
-~# sesearch -s system_cronjob_t -t portage_t -A
-Found 1 semantic av rules:
-  allow system_cronjob_t portage_t : process transition;
-
- -

-If the domain does not have the necessary privileges, you need to update= the -policy. More information on maintaining the SELinux policy can be found = in the -Ge= ntoo -Hardened SELinux Handbook.=20 -

- -

-An example policy file to allow executing dmesg: -

- -
-policy_module(fixcron, 1.0)
-
-require {
-  type dmesg_t;
-}
-
-cron_system_entry(dmesg_t)
-
- -

-For more information or help with managing your policies, do not hesitat= e to -drop by on #gentoo-hardened in irc.freenode.net. -

- - -
-
-User (incl. root) Cronjobs - - - -Part of this is for vixie-cron users with USE=3D"ubac" set, but even if = this is -not the case it is still pertinent (cfr. the default_contexts issue). - - -

-When working with end user crontabs (those triggered / managed through t= he -crontab command), you must take care that you do this as the S= ELinux -user which is associated with the file (this is a result of the SELi= nux User -Based Access Control, aka UBAC). In other words, if you want to e= dit the -root users' crontab file, you need to be the root SE= Linux -user (and not a staff user that su/sudo'ed into root). -

- -

-If this was not done correctly, you will get the following error: -

- -
-cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
-
- -

-Verify that the file's user and SELinux user match: -

- -
-~# ls -Z /var/spool/cron/crontabs/root
-staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
-
-~# semanage login -l | grep root
-root              root
-
- -

-In the above case, the root Unix account (cfr filename of the crontab fi= le) is -mapped to the root SELinux user (cfr second "root" in the semanage lo= gin --l output). However, the SELinux user of the crontab file is staf= f_u -instead of root, which is why the failure occurred. -

- -

-To fix this, use chcon: -

- -
-~# chcon -u root /var/spool/cron/crontabs/root
-
- -

-Another problem that you might see is immediately at startup: -

- -
-cron[26653]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
-
- -

-In this case, even if the user of the file is correct, it is most likely= due to -the /etc/selinux/*/contexts/default_context file containing= an -incorrect definition. Look at the cron-related line and verify that each -mentioned context is valid. For instance: -

- -
-# Verify the context "system_r:cronjob_t:s0"
-~# seinfo -rsystem_r -x | grep cronjob
-  system_cronjob_t
-
- -

-In the above case, cronjob_t is not valid, but system_cronjob_= t is. -

- - -
-
-Reporting Cron and SELinux Issues - - -

-If you have an issue with cron and believe that it is related to SELinux= , please -also give the output of the following command: -

- -
-# Get the domain under which system-level jobs will run
-~# getseuser system_u system_u:system_r:crond_t
-seuser:  system_u, level (null)
-Context 0        system_u:system_r:system_cronjob_t
-
-# Get the domain under which user-level jobs will run
-~# getseuser john system_u:system_r:crond_t
-seuser:  user_u, level (null)
-Context 0        user_u:user_r:cronjob_t
-
- - -The getseuser command usually takes a Unix account name for the f= irst -argument, but treats system_u as a special case. - - - -
-
-
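Review bot: cron.xml was at version 3 dated 2011-12-14, eight days before this deletion, and its "User (incl. root) Cronjobs" section (the `ENTRYPOINT FAILED` troubleshooting with `ls -Z`, `semanage login -l`, `chcon -u root` and the `default_contexts` check) is the most operationally useful part of the set; confirm it was this latest revision, not an earlier one, that was migrated to the wiki before dropping it here. The deleted text is also inconsistent about the file name, `default_contexts` in the section introduction versus `/etc/selinux/*/contexts/default_context` in the troubleshooting paragraph; the wiki copy should use the actual name, `default_contexts`.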
diff --git a/xml/selinux/modules/index.xml b/xml/selinux/modules/index.xm= l deleted file mode 100644 index d93bf05..0000000 --- a/xml/selinux/modules/index.xml +++ /dev/null @@ -1,69 +0,0 @@ - - - - - -SELinux Modules - - Sven Vermeulen - - - -SELinux aggregates its permissions in modules to make the entire policy = more -manageable. To help users work with these modules, we document the commo= n -modules and how to work with them. - - - - - - -1 -2011-07-09 - - -Modules -
- - -

-If you use Gentoo Hardened with SELinux, then you'll eventually need to -configure your system to work with the policies (or update the policies = to work -with your system). To help you tune the policy, insight in how the modul= es are -structured and what they contain is necessary. -

- -

-Gentoo Hardened tries to document the common modules as well as how they= are -structured. Also, we document what configuration changes are often reque= sted and -how to deal with them. If a module contains booleans, we explain them in= more -detail. -

- - -
-
-Administrative Modules - - -
    -
  • Portage
  • -
- - -
-
-Services (Daemons) - - -
    -
  • BIND server (bind)
  • -
  • Cron service (vixie-cron)
  • -
  • LDAP servers (openldap)
  • -
  • Web servers (apache, lighttpd)
  • -
- - -
-
-
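Review bot: removing index.xml together with the module pages leaves no stub under xml/selinux/modules/ to redirect readers, and the patch touches only these seven files (see X-VCS-Files), so any inbound link from elsewhere in hardened-docs to this index or to the module pages is not updated here; suggest either a one-paragraph redirect page in place of index.xml or a follow-up commit fixing the inbound links.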
diff --git a/xml/selinux/modules/ldap.xml b/xml/selinux/modules/ldap.xml deleted file mode 100644 index 4da1c55..0000000 --- a/xml/selinux/modules/ldap.xml +++ /dev/null @@ -1,105 +0,0 @@ - - - - - -SELinux LDAP Module - - Sven Vermeulen - - - -Within SELinux, the ldap module is responsible for defining the openldap -domains and interactions. - - - - - - -1 -2011-07-09 - - -Structure -
-Domains - - -
- -

-The slapd daemon runs within the slapd_t domain and can on= ly be -transitioned towards through the sysadm_t (general system adminis= trative -domain) or initrc_t (init script launched) domains. -

- - -
-
-File Types/Labels - - -

-The following table lists the file type/labels defined in the ldap -module. -

- - - - - - - - - slapd_exec_t - Entrypoint - Executable entry point for the slapd daemon binaries - - - slapd_etc_t - Configuration - Label for OpenLDAP configuration files - - - slapd_cert_t - Configuration - Label for certificate keystores used by OpenLDAP - - - slapd_db_t - Configuration - Label for the OpenLDAP database files (backend content) - - - slapd_replog_t - Configuration - Label for the slurpd replication log location - - - slapd_lock_t - - Label for the lock files (runtime) - - - slapd_tmp_t - - Label for the temporary files - - - slapd_var_run_t - - Label for the runtime variable data - - - slapd_initrc_exec_t - - Label for non-Gentoo init script - -
TypeFunctionDescription
- - -
-
-
diff --git a/xml/selinux/modules/portage.xml b/xml/selinux/modules/portag= e.xml deleted file mode 100644 index 293b8b0..0000000 --- a/xml/selinux/modules/portage.xml +++ /dev/null @@ -1,325 +0,0 @@ - - - - - -SELinux Portage Module - - Sven Vermeulen - - - -Within SELinux, the portage module is responsible for defining the -Gentoo-related domains and privileges, including those for the Portage p= ackage -manager, Gentoo-specific file system locations and the command-line wrap= pers. - - - - - - -4 -2011-07-21 - - -Structure -
-Domains - - -
- -

-The portage module provides the following domains: -

- - - - - - - - - portage_t - emerge, ebuild, quickpkg, ebuild.sh, regenworld, sandbox - Gentoo's package manager domain - - - portage_sandbox_t - sandbox - Portage compile sandbox domain - - - portage_fetch_t - rsync - - Domain responsible for fetching ebuilds and sources and storing them= on - the system - - - - gcc_config_t - gcc-config - Domain for the gcc-config wrapper - -
DomainProcess(es)Description
- - -
-
-File Types/Labels - - -

-The following table lists the file type/labels defined in the portage= -module. -

- - - - - - - - portage_exec_t - - Entrypoints for the portage and protage-related domains. Used for bi= naries - or scripts such as sandbox, emerge, ... - - - - gcc_config_exec_t - - Entrypoints for the gcc-config wrapper domain - - - - portage_ebuild_t - - Type assigned to the ebuild files and directories - - - - portage_srcrepo_t - - Type assigned to the live repository pulls (git, svn, cvs, ...) used= by live - ebuilds - - - - portage_fetch_tmp_t - - Type used by the portage_fetch_t domain when storing files in a temp= orary - location - - - - portage_db_t - - Type used by Portage' data files - - - - portage_conf_t - - Type used by Portage' configuration files - - - - portage_cache_t - - Type used for the Portage cache - - - - portage_log_t - - Type used by Portage for its log files - - - - portage_tmp_t
portage_tmpfs_t
- - Type used by Portage for temporary files - - -
TypeDescription
- - -
-
-Other Types - - -

-Besides the file and file location types, the following types are also d= efined: -

- - - - - - - - portage_devpts_t - - Type used for the terminal output device/location - - -
TypeDescription
- - -
-
- -Using Portage -
-File Locations - - -

-The policy offered only contains the right file context rules for the de= fault -locations. If you deviate from these locations, you'll need to update th= e -contexts accordingly. -

- -

-The following table provides an overview of the Portage settings (variab= les in -make.conf) that are commonly changed by end users, and the = file=20 -context that it should have. -

- - - - - - - - - - ${PORTDIR} - - - /usr/portage - - - system_u:object_r:portage_ebuild_t - - - - - ${DISTDIR}/svn-src
- ${DISTDIR}/git-src
- ${DISTDIR}/cvs-src -
- - /usr/portage/distfiles/svn-src
- /usr/portage/distfiles/git-src
- /usr/portage/distfiles/cvs-src -
- - system_u:object_r:portage_srcrepo_t - - - - ${PKGDIR} - - /usr/portage/packages - - - system_u:object_r:portage_ebuild_t - - - - ${PORT_LOGDIR} - - /var/log/portage - - - system_u:object_r:portage_log_t - - - - ${PORTAGE_TMPDIR} - - /var/tmp/portage - - - system_u:object_r:portage_tmp_t - - -
Variable in make.confDefault LocationFile Context(s)
- -

-If you use different locations, use the following commands to update the= file -contexts accordingly: -

- -
-( Example for a different PORTDIR location, say /var/repo/porta=
ge )
-~# semanage -a -t portage_ebuild_t /var/repo/portage
-~# restorecon -R /var/repo/portage
-
- -

-Don't forget that Portage uses subdirectories with different labels (thi= nk -distfiles or the repositories for the live ebuilds) so take care when -relabelling locations! -

- -

-If you are using different mounts, you might need to use the=20 -rootcontext=3D mount option to set the initial context. If the fi= le system -does not suppor SELinux contexts (like NFS), you can use the context=3D= -mount option to force the context of all files on the mounted location. -

- - -
-
-Booleans - - -

-The Portage module within Gentoo defines three booleans, called -gentoo_try_dontaudit, gentoo_portage_use_nfs and -gentoo_wait_requests.=20 -

- -

-When gentoo_try_dontaudit is enabled, the policy will hide the AV= C -denials of which the Gentoo developers believe they are harmless (cosmet= ic). -If this boolean is enabled and you are experiencing permission problems,= it -is wise to first disable the boolean and see if you now get any denials = that -could explain the problem. -

- -

-When gentoo_portage_use_nfs is enabled, then the Portage-related -domains will be able to manage the nfs_t and as such, allow for t= he=20 -Portage tree and other locations to be NFS-mounted without correcting th= eir -label (which is still supported when using the context=3D mount o= ption). -

- -

-When gentoo_wait_requests is enabled, then policy rules that are -introduced to get things working, but which are temporary until the upst= ream -project enhances its application (and a bug report is opened for it), ar= e -active. Disabling this boolean is only recommended if you are running th= e -system with the proper patches and is more used for development traceabi= lity. -

- -

-To switch booleans, use setsebool or togglesebool. -

- -
-( With the -P flag, the boolean state is persisted across reboo=
ts)
-~# setsebool -P gentoo_try_dontaudit on
-
- - -
-
-
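Review bot: the File Locations section of the deleted portage.xml shows `~# semanage -a -t portage_ebuild_t /var/repo/portage`, which is missing the `fcontext` subcommand (and a `(/.*)?` suffix if the subdirectories are meant to be covered), so the command fails as written; the apache page in the same patch uses `semanage port -a -t http_port_t -p tcp 81` correctly, so the form is known. Whoever migrated this page to the wiki should carry the corrected command rather than the text as deleted here. Smaller typos in the same file: "protage-related" and "does not suppor SELinux contexts".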
diff --git a/xml/selinux/modules/ssh.xml b/xml/selinux/modules/ssh.xml deleted file mode 100644 index 20edf7a..0000000 --- a/xml/selinux/modules/ssh.xml +++ /dev/null @@ -1,102 +0,0 @@ - - - - - -SELinux SSH Module - - Sven Vermeulen - - - -Within SELinux, the SSH module is responsible for defining what openssh = can do - - - - - - -1 -2011-07-09 - - -Structure -
-Domains - - -
- -

-The... -

- - -
-
-File Types/Labels - - -

-The following table lists the file type/labels defined in the ldap -module. -

- - - - - - - - - slapd_exec_t - Entrypoint - Executable entry point for the slapd daemon binaries - - - slapd_etc_t - Configuration - Label for OpenLDAP configuration files - - - slapd_cert_t - Configuration - Label for certificate keystores used by OpenLDAP - - - slapd_db_t - Configuration - Label for the OpenLDAP database files (backend content) - - - slapd_replog_t - Configuration - Label for the slurpd replication log location - - - slapd_lock_t - - Label for the lock files (runtime) - - - slapd_tmp_t - - Label for the temporary files - - - slapd_var_run_t - - Label for the runtime variable data - - - slapd_initrc_exec_t - - Label for non-Gentoo init script - -
TypeFunctionDescription
- - -
-
-
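Review bot: dropping ssh.xml loses nothing SSH-specific: its Domains section is the placeholder `-The...` and its File Types/Labels table is a verbatim copy of the ldap page's `slapd_*` rows, still captioned "defined in the ldap module". If an SSH module page exists or is planned on the wiki, it should be written fresh rather than from this file.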