Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/docs/, html/selinux/
Date: Tue, 22 Nov 2011 20:09:06
Message-Id: 2b94f230c619d53a48074f051b711e76485cd74f.SwifT@gentoo
1 commit: 2b94f230c619d53a48074f051b711e76485cd74f
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Tue Nov 22 20:08:28 2011 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Nov 22 20:08:28 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2b94f230
7
8 Update previews
9
10 ---
11 html/docs/index.html | 4 +-
12 html/index.html | 33 +-
13 html/index2.html | 21 +-
14 html/roadmap.html | 39 +--
15 html/selinux-bugreporting.html | 167 ++++++++
16 html/selinux-development.html | 14 +-
17 html/selinux-faq.html | 44 +--
18 html/selinux/hb-using-enforcing.html | 205 ----------
19 html/selinux/hb-using-install.html | 15 +-
20 html/selinux/hb-using-permissive.html | 609 ------------------------------
21 html/selinux/hb-using-policymodules.html | 541 --------------------------
22 html/selinux/hb-using-states.html | 2 +-
23 html/selinux/index.html | 20 +-
24 html/selinux/selinux-handbook.html | 16 +-
25 html/support-state.html | 6 +-
26 15 files changed, 257 insertions(+), 1479 deletions(-)
27
28 diff --git a/html/docs/index.html b/html/docs/index.html
29 index 06df3e1..81ff591 100644
30 --- a/html/docs/index.html
31 +++ b/html/docs/index.html
32 @@ -24,7 +24,8 @@
33 <a class="menulink" href="http://bugs.gentoo.org/">Bugs</a> |
34 <a class="menulink" href="http://www.gentoo.org/main/en/where.xml">Get Gentoo!</a> |
35 <a class="menulink" href="http://www.gentoo.org/main/en/support.xml">Support</a> |
36 -<a class="menulink" href="http://planet.gentoo.org/">Planet</a>
37 +<a class="menulink" href="http://planet.gentoo.org/">Planet</a> |
38 +<a class="menulink" href="http://wiki.gentoo.org/">Wiki</a>
39 </p></td>
40 </tr>
41 <tr>
42 @@ -53,6 +54,7 @@ Community<br>
43 <a class="altlink" href="http://bugs.gentoo.org">Report Issues</a><br>
44 <a class="altlink" href="http://planet.gentoo.org">Planet (Blogs)</a><br>
45 <a class="altlink" href="http://packages.gentoo.org/">Online Package Database</a><br>
46 +<a class="altlink" href="http://wiki.gentoo.org/">Wiki</a><br>
47 <a class="altlink" href="http://www.gentoo.org/main/en/contact.xml">Contact Us</a><br>
48 <a class="altlink" href="http://www.gentoo.org/main/en/sponsors.xml">Sponsors</a><br><br>
49 Get Involved<br>
50
51 diff --git a/html/index.html b/html/index.html
52 index f85729e..584d5db 100644
53 --- a/html/index.html
54 +++ b/html/index.html
55 @@ -66,11 +66,6 @@ Gentoo once they've been tested for security and stability by the Hardened team.
56 <td class="tableinfo">Member ( SELinux )</td>
57 </tr>
58 <tr>
59 - <td class="tableinfo">Bryan Stine</td>
60 - <td class="tableinfo">battousai</td>
61 - <td class="tableinfo">Member ( Bastille Lead )</td>
62 - </tr>
63 - <tr>
64 <td class="tableinfo">Anthony G. Basile</td>
65 <td class="tableinfo">blueness</td>
66 <td class="tableinfo">Member ( PaX/Grsecurity, Hardened sources )</td>
67 @@ -81,6 +76,11 @@ Gentoo once they've been tested for security and stability by the Hardened team.
68 <td class="tableinfo">Member ( PaX/Grsecurity, Hardened sources )</td>
69 </tr>
70 <tr>
71 + <td class="tableinfo">Francisco Blas Izquierdo Riera</td>
72 + <td class="tableinfo">klondike</td>
73 + <td class="tableinfo">Member ( Doc, PR )</td>
74 + </tr>
75 + <tr>
76 <td class="tableinfo">Gysbert Wassenaar</td>
77 <td class="tableinfo">nixnut</td>
78 <td class="tableinfo">Member ( PPC arch team liaison )</td>
79 @@ -91,6 +91,11 @@ Gentoo once they've been tested for security and stability by the Hardened team.
80 <td class="tableinfo">Member ( SELinux )</td>
81 </tr>
82 <tr>
83 + <td class="tableinfo">Matt Thode</td>
84 + <td class="tableinfo">prometheanfire</td>
85 + <td class="tableinfo">Member ( SELinux )</td>
86 + </tr>
87 + <tr>
88 <td class="tableinfo">Matthew Summers</td>
89 <td class="tableinfo">quantumsummers</td>
90 <td class="tableinfo">Member ( Hardened sources, Doc )</td>
91 @@ -117,11 +122,6 @@ project:
92 <td class="infohead"><b>Role</b></td>
93 </tr>
94 <tr>
95 -<td class="tableinfo">Francisco Blas Izquierdo Riera</td>
96 -<td class="tableinfo">klondike</td>
97 -<td class="tableinfo">Documentation writing, support</td>
98 -</tr>
99 -<tr>
100 <td class="tableinfo">Chris Richards</td>
101 <td class="tableinfo">gizmo</td>
102 <td class="tableinfo">Policy development, support (SELinux)</td>
103 @@ -142,7 +142,7 @@ project:
104 <td class="tableinfo">
105 <a href="selinux/index.html">SELinux</a>
106 </td>
107 - <td class="tableinfo">Chris PeBenito</td>
108 + <td class="tableinfo">Sven Vermeulen</td>
109 <td class="tableinfo">SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</td>
110 </tr>
111 <tr>
112 @@ -173,15 +173,6 @@ A kernel which provides patches for hardened subprojects, and stability/security
113 oriented patches. Includes Grsecurity and SELinux.
114 </td>
115 </tr>
116 - <tr>
117 - <td class="tableinfo">Bastille</td>
118 - <td class="tableinfo">Bryan Stine</td>
119 - <td class="tableinfo">
120 -Bastille is an interactive application which gives the user suggestions on
121 -securing their machine. It will be customized to make suggestions about other
122 -Hardened Gentoo subprojects.
123 -</td>
124 - </tr>
125 </table>
126 <p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
127 </span>Resources</p>
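Review bot: with the Bastille subproject row removed here and its lead (Bryan Stine) dropped from the member table in the @@ -66 hunk above, nothing on this page describes Bastille any more; please check whether any other page in this commit (html/support-state.html is in the diffstat) still refers to Bastille, so the project list and the rest of the site do not disagree about which subprojects exist.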
128 @@ -307,7 +298,7 @@ GNU Stack Quickstart
129 </tr>
130 <tr>
131 <td class="tableinfo">selinux</td>
132 - <td class="tableinfo">blueness, pebenito, swift</td>
133 + <td class="tableinfo">blueness, pebenito, prometheanfire, swift</td>
134 <td class="tableinfo">Gentoo's Security-Enhanced Linux (SELinux) packages</td>
135 </tr>
136 </table>
137
138 diff --git a/html/index2.html b/html/index2.html
139 index 6ed1a19..61f6f0b 100644
140 --- a/html/index2.html
141 +++ b/html/index2.html
142 @@ -96,11 +96,6 @@ Gentoo once they've been tested for security and stability by the Hardened team.
143 <td class="infohead"><b></b></td>
144 </tr>
145 <tr>
146 - <td class="tableinfo">Sven Vermeulen</td>
147 - <td class="tableinfo">swift</td>
148 - <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td>
149 - </tr>
150 - <tr>
151 <td class="tableinfo">Anthony G. Basile</td>
152 <td class="tableinfo">blueness</td>
153 <td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td>
154 @@ -108,7 +103,17 @@ Gentoo once they've been tested for security and stability by the Hardened team.
155 <tr>
156 <td class="tableinfo">Chris PeBenito</td>
157 <td class="tableinfo">pebenito</td>
158 - <td class="tableinfo">Lead ( Policy, x86, AMD64 )</td>
159 + <td class="tableinfo">Developer ( Policy development, Userspace tools )</td>
160 + </tr>
161 + <tr>
162 + <td class="tableinfo">Matt Thode</td>
163 + <td class="tableinfo">prometheanfire</td>
164 + <td class="tableinfo">Developer ( Policy development, Support )</td>
165 + </tr>
166 + <tr>
167 + <td class="tableinfo">Sven Vermeulen</td>
168 + <td class="tableinfo">swift</td>
169 + <td class="tableinfo">Lead ( Documentation, Userspace tools, Policy development )</td>
170 </tr>
171 </table>
172 <p>
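Review bot: the replaced row `<td class="tableinfo">Lead ( Policy, x86, AMD64 )</td>` carried the x86 and AMD64 architecture responsibilities, and none of the three rows added here picks those up; if pebenito still handles the arch side, keep it in his new 'Developer ( Policy development, Userspace tools )' role, otherwise name who does. The rest of the change (pebenito to Developer, prometheanfire added, swift moved to the end as Lead) keeps the table sorted by nickname, consistent with the existing rows.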
173 @@ -129,7 +134,7 @@ Gentoo once they've been tested for security and stability by the Hardened team.
174 <td class="tableinfo">
175 <a href="selinux/index.html">SELinux</a>
176 </td>
177 - <td class="tableinfo">Chris PeBenito</td>
178 + <td class="tableinfo">Sven Vermeulen</td>
179 <td class="tableinfo">SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</td>
180 </tr>
181 <tr>
182 @@ -280,7 +285,7 @@ GNU Stack Quickstart</a>
183 </tr>
184 <tr>
185 <td class="tableinfo">selinux</td>
186 - <td class="tableinfo">blueness, pebenito, swift</td>
187 + <td class="tableinfo">blueness, pebenito, prometheanfire, swift</td>
188 <td class="tableinfo">Gentoo's Security-Enhanced Linux (SELinux) packages</td>
189 </tr>
190 </table>
191
192 diff --git a/html/roadmap.html b/html/roadmap.html
193 index c623185..f645ca8 100644
194 --- a/html/roadmap.html
195 +++ b/html/roadmap.html
196 @@ -258,7 +258,7 @@ is in need for attention.
197 The Gentoo Hardened SELinux state is up to date and fully supported (except
198 MLS which is considered experimental). The documentation is being updated as
199 the state evolves, but can still improve. Primary focus now is on the quality
200 -of the packages and improved support for MCS.
201 +of the packages and standard policies.
202 </p>
203 <p class="secthead"><a name="doc_chap6_sect2">Goals and Milestones</a></p>
204 <table class="ntable">
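Review bot: 'standard policies' in the new line is ambiguous for a roadmap status sentence: it could mean the upstream reference policy as shipped, the set of policy modules Gentoo marks stable, or the default (non-MLS) policy types. Spell out which is meant so readers of the roadmap know what the focus actually is.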
205 @@ -270,47 +270,26 @@ of the packages and improved support for MCS.
206 <td class="infohead"><b>Related Bugs</b></td>
207 </tr>
208 <tr>
209 - <td class="tableinfo">Add support for MCS (driver is virtualization)</td>
210 - <td class="tableinfo">2011-08-15</td>
211 - <td class="tableinfo">Done</td>
212 - <td class="tableinfo">SwifT</td>
213 - <td class="tableinfo"></td>
214 -</tr>
215 -<tr>
216 - <td class="tableinfo">Stabilize the new SELinux profile structure</td>
217 - <td class="tableinfo">2011-08-20</td>
218 - <td class="tableinfo">Done</td>
219 - <td class="tableinfo">blueness, SwifT</td>
220 - <td class="tableinfo"><a href="https://bugs.gentoo.org/365483">#365483</a></td>
221 -</tr>
222 -<tr>
223 - <td class="tableinfo">Merge 20110726 policies in ~arch</td>
224 - <td class="tableinfo">2011-08-28</td>
225 - <td class="tableinfo">Busy</td>
226 + <td class="tableinfo">Deprecate old policies</td>
227 + <td class="tableinfo">2011-11-10</td>
228 + <td class="tableinfo">done</td>
229 <td class="tableinfo">SwifT</td>
230 <td class="tableinfo"></td>
231 </tr>
232 <tr>
233 - <td class="tableinfo">Stabilize the 20110727 userland tools and libraries</td>
234 - <td class="tableinfo">2011-09-30</td>
235 + <td class="tableinfo">Deprecate old profiles</td>
236 + <td class="tableinfo">2011-12-01</td>
237 <td class="tableinfo"></td>
238 - <td class="tableinfo">SwifT</td>
239 + <td class="tableinfo">blueness</td>
240 <td class="tableinfo"></td>
241 </tr>
242 <tr>
243 - <td class="tableinfo">Stabilize the 20110726 policies</td>
244 - <td class="tableinfo">2011-09-30</td>
245 + <td class="tableinfo">Get mainstream packages the proper dependencies on the SELinux policies</td>
246 + <td class="tableinfo">2011-12-31</td>
247 <td class="tableinfo"></td>
248 <td class="tableinfo">SwifT</td>
249 <td class="tableinfo"></td>
250 </tr>
251 -<tr>
252 - <td class="tableinfo">Deprecate old profiles</td>
253 - <td class="tableinfo">2011-12-01</td>
254 - <td class="tableinfo"></td>
255 - <td class="tableinfo">blueness</td>
256 - <td class="tableinfo"></td>
257 -</tr>
258 </table>
259 <br><br>
260 </td>
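Review bot: the new status cell `<td class="tableinfo">done</td>` is lowercase while the rows it replaces used `Done`; keep the capitalisation consistent within the column. More importantly, this hunk drops the completed milestones (MCS support, the new profile structure with its link to bug #365483, and the 'Busy' 20110726 policy merge) instead of leaving them marked Done, and also drops the 'Stabilize the 20110727 userland tools and libraries' and 'Stabilize the 20110726 policies' rows without a replacement; if those stabilisations finished, a Done row keeps the history, and if they are still open they belong in the table.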
261
262 diff --git a/html/selinux-bugreporting.html b/html/selinux-bugreporting.html
263 new file mode 100644
264 index 0000000..872a5e6
265 --- /dev/null
266 +++ b/html/selinux-bugreporting.html
267 @@ -0,0 +1,167 @@
268 +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
269 +<html lang="en">
270 +<head>
271 +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
272 +<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
273 +<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
274 +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
275 +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
276 +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
277 +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
278 +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
279 +<title>Gentoo Linux Documentation
280 +--
281 + Reporting SELinux (policy) bugs</title>
282 +</head>
283 +<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
284 +<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
285 +<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
286 +<td width="99%" class="content" valign="top" align="left">
287 +<br><h1>Reporting SELinux (policy) bugs</h1>
288 +<form name="contents" action="http://www.gentoo.org">
289 +<b>Content</b>:
290 + <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. So you got a bug?</option>
291 +<option value="#doc_chap2">2. Bugs related to AVC denials (and non-functional applications)</option></select>
292 +</form>
293 +<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
294 + </span>So you got a bug?</p>
295 +<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
296 +<p>
297 +When working with a SELinux-enabled system, you will notice that some policies
298 +are far from perfect. That is to be expected, since there are a lot more
299 +policies and SELinux policy modules than we can thoroughly test. That is why bug
300 +reports are very important for us as they give us much-needed feedback on the
301 +state of the policies. Also, since we follow the reference policy closely,
302 +patches are also sent upstream so that other distributions can benefit from the
303 +updates.
304 +</p>
305 +<p>
306 +However, debugging and fixing SELinux policies also means that we need to
307 +identify a proper policy failure, find the root cause of this failure and have
308 +an optimal solution. Since we are talking about <span class="emphasis">security</span> policies, much
309 +attention goes into details, but also in the <span class="emphasis">many eyes</span> paradigm to
310 +validate if a policy fix is correct or not.
311 +</p>
312 +<p>
313 +That is one of the reasons why we created this bugreport as it helps you, as the
314 +feedback-providing user, to both properly figure out why a failure occurs and
315 +how to fix it, but also why we are quite strict in the acceptance of patches.
316 +</p>
317 +<p class="secthead"><a name="doc_chap1_sect2">Short version</a></p>
318 +<p>
319 +When reporting SELinux policy fixes based on AVC denials,
320 +</p>
321 +<ul>
322 + <li>
323 + structure the denials and try to create one bug report per logically
324 + coherent set of denials. Don't push all your AVC denials onto us.
325 + </li>
326 + <li>
327 + make sure you can reproduce the issue and that you have the ability to
328 + reproduce while we work on the fix. We cannot test all policies ourselves.
329 + </li>
330 + <li>
331 + report the application failure output as well, not only the AVC denial. We
332 + need to know what the application is trying to do (and failing to do) to fix
333 + the problem.
334 + </li>
335 +</ul>
336 +<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
337 + </span>Bugs related to AVC denials (and non-functional applications)</p>
338 +<p class="secthead"><a name="doc_chap2_sect1">About</a></p>
339 +<p>
340 +In this section, we'll go into the details of creating a helpful bug report for
341 +SELinux policies in case you have an AVC denial (which means SELinux is
342 +prohibiting a certain privilege request) that results in the failure of the
343 +application.
344 +</p>
345 +<p class="secthead"><a name="doc_chap2_sect2">Structure the denials</a></p>
346 +<p>
347 +When you get one or more AVC denials, try to structure them into logically
348 +coherent sets. We cannot easily deal with several dozen denials. Most of the
349 +time, you either get multiple denials of the same cause, or the denials are not
350 +truely related.
351 +</p>
352 +<p>
353 +When we need to fix the SELinux policy, nine out of ten times we focus on one or
354 +a few related denials and come up with a proper fix. When there is an abundance
355 +of AVC denials, we need to skim through them (which we usually then do one at a
356 +time) which puts a lot of stress on you (the reporter) as we will ask you
357 +hundred-and-one questions and requests for testing.
358 +</p>
359 +<p class="secthead"><a name="doc_chap2_sect3">Prepare for testing</a></p>
360 +<p>
361 +When you report a SELinux policy related bug, make sure you are ready to test
362 +the results that we want to put in. We cannot test out all applications
363 +ourselves. Sometimes, a failure is even only reproducable on a specific setup.
364 +</p>
365 +<p class="secthead"><a name="doc_chap2_sect4">Report the application failure</a></p>
366 +<p>
367 +More than once, we get bug reports on SELinux policy denials where the user is
368 +still running in permissive mode. He is reporting the denials because he is
369 +afraid that he will not be able to run it in enforcing mode without the denials
370 +being fixed.
371 +</p>
372 +<p>
373 +However, denials can be <span class="emphasis">cosmetic</span>, in which case we should actually hide
374 +the denials rather than allow their requests. Also, when you run in permissive
375 +mode, it is very much possible that the denials would never be reached when
376 +running in enforcing mode because of earlier denials (which, coincidentally,
377 +might be wrongly hidden from your logs).
378 +</p>
379 +<p>
380 +For this reason, we urge you to give us not only the AVC denial information, but
381 +also the application failure log output when running in enforcing mode.
382 +</p>
383 +<p>
384 +The <a href="selinux/selinux-handbook.xml">Gentoo Hardened SELinux
385 +Handbook</a> will guide you through the process of migrating from a permissive
386 +system into an enforcing mode. If you believe that booting in enforcing is not
387 +possible yet, just boot in permissive, log on as root, run <span class="code" dir="ltr">setenforce 1</span>
388 +and only then log on as user(s) to reproduce your situation. There is also a
389 +<a href="selinux/selinux-handbook.xml?part=2&amp;chap=2">Troubleshooting
390 +SELinux</a> section that helps you identify common bottlenecks or issues while
391 +trying to get SELinux running on your system.
392 +</p>
393 +<br><p class="copyright">
394 + The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
395 + </p>
396 +<!--
397 + <rdf:RDF xmlns="http://web.resource.org/cc/"
398 + xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
399 + <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
400 + <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
401 + <permits rdf:resource="http://web.resource.org/cc/Distribution" />
402 + <requires rdf:resource="http://web.resource.org/cc/Notice" />
403 + <requires rdf:resource="http://web.resource.org/cc/Attribution" />
404 + <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
405 + <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
406 + </License>
407 + </rdf:RDF>
408 +--><br>
409 +</td>
410 +<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
411 +<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="swift?style=printable">Print</a></p></td></tr>
412 +<tr><td class="topsep" align="center"><p class="alttext">Updated November 22, 2011</p></td></tr>
413 +<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
414 +This guide helps users to create a properly filled out bug report for SELinux
415 +policy updates.
416 +</p></td></tr>
417 +<tr><td align="left" class="topsep"><p class="alttext">
418 + <a href="mailto:swift@g.o" class="altlink"><b>Sven Vermeulen</b></a>
419 +<br><i>Author</i><br></p></td></tr>
420 +<tr lang="en"><td align="center" class="topsep">
421 +<p class="alttext"><b>Donate</b> to support our development efforts.
422 + </p>
423 +<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
424 +<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@g.o"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
425 +</form>
426 +</td></tr>
427 +<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
428 +</table></td>
429 +</tr></table></td></tr>
430 +<tr><td colspan="2" align="right" class="infohead">
431 +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
432 +</td></tr>
433 +</table></body>
434 +</html>
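Review bot: the printer-friendly link in the new page, `<a title="View a printer-friendly version" class="altlink" href="swift?style=printable">Print</a>`, points at the author's nickname instead of the document; the other pages use their own filename here (selinux-development.html has `href="selinux-development.xml?style=printable"`), so this should be `selinux-bugreporting.xml?style=printable`, or the generator has its author and filename fields swapped. The two handbook links go to `selinux/selinux-handbook.xml` (with `?part=2&amp;chap=2`) while the rest of this HTML tree links to the generated .html files (index.html links `selinux/index.html`), so they will not resolve within the preview tree. Spelling in the new text: 'truely' should be 'truly', 'reproducable' should be 'reproducible', and 'we created this bugreport' presumably means 'this bug reporting guide'.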
435
436 diff --git a/html/selinux-development.html b/html/selinux-development.html
437 index 1249769..c56971c 100644
438 --- a/html/selinux-development.html
439 +++ b/html/selinux-development.html
440 @@ -174,9 +174,15 @@ Every time a new revision comes out, you'll need to clean the
441 </p></td></tr></table>
442 <p class="secthead"><a name="doc_chap2_sect2">Add specific module files</a></p>
443 <p>
444 -To update your policy workspace, use the same tactic as describes
445 -earlier, but now for the specific SELinux policy module package (like
446 -<span class="path" dir="ltr">selinux-postfix</span>).
447 +If you want to or need to work on the policy of a SELinux module (rather than
448 +the base policy), check its ebuild to see if it holds any additional patches
449 +(mentioned through the <span class="code" dir="ltr">POLICY_PATCH</span> variable). If not, then you can work
450 +off the snapshot taken earlier in this guide.
451 +</p>
452 +<p>
453 +However, if a patch (or set of patches) is applied as well, you either need to
454 +apply those manually on the snapshot, or use the following tactics to create a
455 +snapshot just for this module:
456 </p>
457 <a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
458 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Updating the dev/hardened workspace</p></td></tr>
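Review bot: the new text ends with 'use the following tactics to create a snapshot just for this module:', but the listing it introduces is still titled 'Code Listing2.2: Updating the dev/hardened workspace'; retitle the listing (or check that its contents actually show the per-module snapshot with the POLICY_PATCH patches applied) so title and paragraph agree. Minor wording: 'If you want to or need to work on' reads better as 'If you want or need to work on'.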
459 @@ -1239,7 +1245,7 @@ it out.
460 </td>
461 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
462 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-development.xml?style=printable">Print</a></p></td></tr>
463 -<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
464 +<tr><td class="topsep" align="center"><p class="alttext">Updated November 22, 2011</p></td></tr>
465 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
466 When planning to help Gentoo Hardened in the development of SELinux policies,
467 or when trying to debug existing policies, this document should help you get
468
469 diff --git a/html/selinux-faq.html b/html/selinux-faq.html
470 index 252906f..caa4c46 100644
471 --- a/html/selinux-faq.html
472 +++ b/html/selinux-faq.html
473 @@ -56,9 +56,7 @@ as well.
474 <li><a href="#enable_selinux">How do I enable SELinux?</a></li>
475 <li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li>
476 <li><a href="#disable_selinux">How do I disable SELinux completely?</a></li>
477 -<li><a href="#matchcontext">
478 - How do I know which file context rule is used for a particular file?
479 -</a></li>
480 +<li><a href="#matchcontext">How do I know which file context rule is used for a particular file?</a></li>
481 <li><a href="#localpolicy">How do I make small changes (additions) to the policy?</a></li>
482 </ul>
483 <p class="secthead">SELinux Kernel Error Messages</p>
484 @@ -71,15 +69,11 @@ as well.
485 <li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li>
486 <li><a href="#loadpolicy">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></li>
487 <li><a href="#conflicting_types">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></li>
488 -<li><a href="#portage_libsandbox">
489 - During package installation, ld.so complains 'object 'libsandbox.so' from
490 - LD_PRELOAD cannot be preloaded: ignored'
491 -</a></li>
492 +<li><a href="#portage_libsandbox">During package installation, ld.so complains 'object 'libsandbox.so'
493 +from LD_PRELOAD cannot be preloaded: ignored'</a></li>
494 <li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li>
495 -<li><a href="#cronfails">
496 - Cron fails to load in root's crontab with message '(root) ENTRYPOINT
497 - FAILED (crontabs/root)'
498 -</a></li>
499 +<li><a href="#cronfails">Cron fails to load in root's crontab with message '(root) ENTRYPOINT
500 +FAILED (crontabs/root)'</a></li>
501 <li><a href="#missingdatum">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></li>
502 <li><a href="#recoverportage">Portage fails to label files because "setfiles" does not work anymore</a></li>
503 <li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li>
504 @@ -211,9 +205,7 @@ while SELinux was disabled might have created new files or removed the labels
505 from existing files, causing these files to be available without security
506 context.
507 </p></td></tr></table>
508 -<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">
509 - How do I know which file context rule is used for a particular file?
510 -</a></p>
511 +<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">How do I know which file context rule is used for a particular file?</a></p>
512 <p>
513 If you use the <span class="code" dir="ltr">matchpathcon</span> command, it will tell you what the security
514 context for the given path (file or directory) should be, but it doesn't tell
515 @@ -344,8 +336,8 @@ class (<span class="code" dir="ltr">process</span>) and privilege (<span class="
516 the <span class="code" dir="ltr">require { ... }</span> paragraph.
517 </p>
518 <p>
519 -When using interface names, make sure that the type (<span class="code" dir="ltr">ssh_t</span> and
520 -<span class="code" dir="ltr">user_t</span>) is mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph.
521 +When using interface names, make sure that the types (<span class="code" dir="ltr">ssh_t</span> and
522 +<span class="code" dir="ltr">user_t</span>) are mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph.
523 </p>
524 <p>
525 To find the proper interface name (like <span class="code" dir="ltr">corenet_tcp_connect_all_ports</span>
526 @@ -498,10 +490,8 @@ It is also not a bad idea to report (after verifying if it hasn't been reported
527 first) this on <a href="https://bugs.gentoo.org">Gentoo's bugzilla</a> so
528 that the default policies are updated accordingly.
529 </p>
530 -<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">
531 - During package installation, ld.so complains 'object 'libsandbox.so' from
532 - LD_PRELOAD cannot be preloaded: ignored'
533 -</a></p>
534 +<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">During package installation, ld.so complains 'object 'libsandbox.so'
535 +from LD_PRELOAD cannot be preloaded: ignored'</a></p>
536 <p>
537 During installation of a package, you might see the following error message:
538 </p>
539 @@ -559,10 +549,8 @@ This is also necessary if you logged on to your system as root but through SSH.
540 The default behavior is that SSH sets the lowest role for the particular user
541 when logged on. And you shouldn't allow remote root logins anyhow.
542 </p>
543 -<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">
544 - Cron fails to load in root's crontab with message '(root) ENTRYPOINT
545 - FAILED (crontabs/root)'
546 -</a></p>
547 +<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">Cron fails to load in root's crontab with message '(root) ENTRYPOINT
548 +FAILED (crontabs/root)'</a></p>
549 <p>
550 When you hit the mentioned error with a root crontab or an administrative
551 users' crontab, but not with a regular users' crontab, then check the context of
552 @@ -670,7 +658,7 @@ rebuild policycoreutils, which will fail to install because Portage cannot set
553 the file labels.
554 </p>
555 <p>
556 -The solution is to rebuild policycoreutils while disabling Portage' selinux
557 +The solution is to rebuild policycoreutils while disabling Portage's selinux
558 support, then label the installed files manually using <span class="code" dir="ltr">chcon</span>, based on
559 the feedback received from <span class="code" dir="ltr">matchpathcon</span>.
560 </p>
561 @@ -679,7 +667,7 @@ the feedback received from <span class="code" dir="ltr">matchpathcon</span>.
562 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
563 # <span class="code-input">FEATURES="-selinux" emerge --oneshot policycoreutils</span>
564 # <span class="code-input">for FILE in $(qlist policycoreutils); do \
565 -CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done</span>
566 +CONTEXT=$(matchpathcon -n ${FILE}); chcon ${CONTEXT} ${FILE}; done</span>
567 </pre></td></tr>
568 </table>
569 <p>
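Review bot: the added semicolon is the right fix: in the old line `CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}` the assignment applied only to chcon's environment and `${CONTEXT}` expanded (empty) before it was set, so chcon received the path as its context argument and no file. While touching the line, quote the expansions (`"${FILE}"`, `"${CONTEXT}"`) so paths with whitespace from qlist do not word-split, and consider `chcon -h` so symbolic links installed by the package are labelled themselves rather than their targets.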
570 @@ -699,8 +687,8 @@ file system mounted with <span class="code" dir="ltr">nosuid</span>.
571 <br><br>
572 </td>
573 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
574 -<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
575 -<tr><td class="topsep" align="center"><p class="alttext">Updated October 13, 2011</p></td></tr>
576 +<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@g.o?style=printable">Print</a></p></td></tr>
577 +<tr><td class="topsep" align="center"><p class="alttext">Updated October 25, 2011</p></td></tr>
578 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
579 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
580 The FAQ is a collection of solutions found on IRC, mailinglist, forums or
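Review bot: the printer-friendly link regresses from `href="selinux-faq.xml?style=printable"` to `href="pebenito@g.o?style=printable"`, which is an e-mail address, not the document; this looks like the same author-for-filename substitution that produced `href="swift?style=printable"` in the new selinux-bugreporting.html, so fix it in the generator rather than by hand in the HTML. The date moving to 'Updated October 25, 2011' while the other pages in this commit move to November 22 is fine if it mirrors the source XML's date.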
581
582 diff --git a/html/selinux/hb-using-enforcing.html b/html/selinux/hb-using-enforcing.html
583 deleted file mode 100644
584 index eb5d08a..0000000
585 --- a/html/selinux/hb-using-enforcing.html
586 +++ /dev/null
587 @@ -1,205 +0,0 @@
588 -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
589 -<html lang="en">
590 -<head>
591 -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
592 -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
593 -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
594 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
595 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
596 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
597 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
598 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
599 -<title>Gentoo Linux Handbook Page
600 ---
601 - </title>
602 -</head>
603 -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
604 -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
605 -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
606 -<td width="99%" class="content" valign="top" align="left">
607 -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
608 - </span>Switching to Enforcing Mode</p>
609 -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
610 -<p>
611 -Switching to enforcing mode doesn't require all policies to be fully
612 -operational, nor does it require that the system boots in enforcing mode. You
613 -can first start small by enabling enforcing mode the moment your system is
614 -booted, then enable enforcing during boot (but with the possibility to disable
615 -it again when some things fail) and finally reconfigure your kernel so that
616 -disabling SELinux isn't possible anymore.
617 -</p>
618 -<p class="secthead"><a name="doc_chap1_sect1">Booting, Switch</a></p>
619 -<p>
620 -To boot your system before enabling enforcing mode, just boot as you do
621 -currently. Then, when you believe that you can run your system in enforcing
622 -mode, run <span class="code" dir="ltr">setenforce 1</span>.
623 -</p>
624 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
625 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling enforcing mode</p></td></tr>
626 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
627 -~# <span class="code-input">setenforce 1</span>
628 -</pre></td></tr>
629 -</table>
630 -<p>
631 -It is wise to ensure that you have booted the system but not logged in anywhere
632 -except as the root user. Also verify that the session you're currently in (as
633 -root) uses the <span class="code" dir="ltr">root:sysadm_r:sysadm_t</span> or
634 -<span class="code" dir="ltr">unconfined_u:unconfined_r:unconfined_t</span> context (otherwise trying to
635 -disable enforcing mode might not work).
636 -</p>
637 -<p>
638 -When you realize that things are going very, very wrong, disable SELinux using
639 -<span class="code" dir="ltr">setenforce 0</span> and try to resolve the failures.
640 -</p>
641 -<p class="secthead"><a name="doc_chap1_sect1">Booting in Enforcing Mode (Once)</a></p>
642 -<p>
643 -When you want to boot in enforcing mode, but you don't want to configure SELinux
644 -(yet) to run always in enforcing mode (say you want to try it once), add
645 -<span class="code" dir="ltr">enforcing=1</span> as a boot option inside the boot loader configuration.
646 -</p>
647 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
648 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample GRUB configuration to boot in enforcing mode</p></td></tr>
649 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
650 -kernel /vmlinuz root=/dev/md3 rootflags=data=journal <span class="code-input">enforcing=1</span>
651 -</pre></td></tr>
652 -</table>
653 -<p class="secthead"><a name="doc_chap1_sect1">Booting in Enforcing Mode</a></p>
654 -<p>
655 -Once you believe that you can always (re)boot in enforcing mode, edit
656 -<span class="path" dir="ltr">/etc/selinux/config</span> and change <span class="code" dir="ltr">SELINUX=permissive</span> to
657 -<span class="code" dir="ltr">SELINUX=enforcing</span>.
658 -</p>
659 -<p class="secthead"><a name="doc_chap1_sect1">Reconfiguring the Kernel</a></p>
660 -<p>
661 -Once you are fully confident that you can always and ever remain in enforcing
662 -mode, reconfigure your kernel so that SELinux cannot be disabled anymore.
663 -</p>
664 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
665 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Reconfiguring the Linux kernel</p></td></tr>
666 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
667 -[*] NSA SELinux Support
668 -[ ] NSA SELinux boot parameter
669 -[ ] NSA SELinux runtime disable
670 -<span class="code-comment"># Make sure the following is deselected</span>
671 -<span class="code-input">[ ] NSA SELinux Development Support</span>
672 -[ ] NSA SELinux AVC Statistics
673 -(1) NSA SELinux checkreqprot default value
674 -[ ] NSA SELinux maximum supported policy format version
675 -</pre></td></tr>
676 -</table>
677 -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
678 - </span>Analyzing AVC</p>
679 -<p class="secthead"><a name="doc_chap1_sect1">Intrusion or Not</a></p>
680 -<p>
681 -Once you are running in enforcing mode, the role of the
682 -<span class="path" dir="ltr">/var/log/avc.log</span> logfile starts changing. Whereas it was previously
683 -used to inform you about denials which might cause functional failures on your
684 -system, it is now more and more becoming a source of information for the
685 -behavior of applications - and sometimes, the unexpected behavior of it.
686 -</p>
687 -<p>
688 -Being able to read the AVC logs is important, because in the (near) future you
689 -should use the AVC logs to identify potential intrusion attempts. Say that you
690 -are running an Internet-facing web server which is contained within its own
691 -SELinux domain. Suddenly you start getting weird AVC denials of that SELinux
692 -domain trying to read files it really shouldn't read, or write stuff in some
693 -temporary location it shouldn't write anything into. This can be a totally
694 -expected behavior, but can also be a malicious user that is attempting to run
695 -some exploit code against your web server.
696 -</p>
697 -<p>
698 -Interpreting the AVC logs can be considered a time-consuming job if you are
699 -still getting lots of cosmetic (and safe) AVC denials. So let's first see if we
700 -can ignore those...
701 -</p>
702 -<p class="secthead"><a name="doc_chap1_sect1">Ignoring Cosmetic AVC Events</a></p>
703 -<p>
704 -When you get AVC denials which you believe are harmless for your system, you can
705 -create a policy module yourself which contains the exact AVC rule, but using the
706 -<span class="emphasis">dontaudit</span> statement rather than <span class="emphasis">allow</span>.
707 -</p>
708 -<p>
709 -Consider the following AVC denial:
710 -</p>
711 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
712 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample harmless AVC denial</p></td></tr>
713 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
714 -Jan 6 19:49:25 hpl kernel: [10482.016339] type=1400 audit(1294339765.865:1527):
715 -avc: denied { use } for pid=19421 comm="ifconfig" path="http://www.gentoo.org/dev/null" dev=tmpfs
716 -ino=1552 scontext=system_u:system_r:ifconfig_t
717 -tcontext=system_u:system_r:wpa_cli_t tclass=fd
718 -</pre></td></tr>
719 -</table>
720 -<p>
721 -The denial states that the <span class="code" dir="ltr">ifconfig</span> process is trying to use a file
722 -descriptor within the wpa_cli_t domain. The target file descriptor points to
723 -<span class="path" dir="ltr">/dev/null</span>. This usually means that the <span class="code" dir="ltr">ifconfig</span> process is
724 -started from within the wpa_cli_t domain with <span class="code" dir="ltr">&gt; /dev/null</span> to redirect
725 -its output to the <span class="path" dir="ltr">/dev/null</span> device. Although it is denied (so no output
726 -will be redirected to <span class="path" dir="ltr">/dev/null</span>) it has no functional impact on the
727 -system as the intention was to ignore the output anyhow.
728 -</p>
729 -<p>
730 -So how can we ensure that this rule doesn't fill up our AVC logs? Well, we need
731 -to create a module (like we have seen before in <span title="Link to other book part not available"><font color="#404080">(Creating Specific Allow Rules)</font></span>):
732 -</p>
733 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
734 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating a module to ignore these AVC denials</p></td></tr>
735 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
736 -~$ <span class="code-input">cat ignoreavc.te</span>
737 -module ignoreavc 1.0.0;
738 -
739 -require {
740 - type ifconfig_t;
741 - type wpa_cli_t;
742 -
743 - class fd use;
744 -}
745 -
746 -dontaudit ifconfig_t wpa_cli_t:fd { use };
747 -
748 -~$ <span class="code-input">checkmodule -m -o ignoreavc.mod ignoreavc.te</span>
749 -~$ <span class="code-input">semodule_package -o ignoreavc.pp -m ignoreavc.mod</span>
750 -~$ <span class="code-input">semodule -i ignoreavc.pp</span>
751 -</pre></td></tr>
752 -</table>
753 -<p>
754 -Once this module is loaded, you should no longer see these denials in your log.
755 -However, if you ever feel that you might have <span class="emphasis">dontaudit</span>'ed too many
756 -things, you can always reload the SELinux policies without the dontaudit
757 -statements:
758 -</p>
759 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
760 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Reloading the SELinux policies without dontaudit</p></td></tr>
761 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
762 -~# <span class="code-input">semodule -R -D</span>
763 -</pre></td></tr>
764 -</table>
765 -<p>
766 -If you are confident to continue with the dontaudit statements again, run the
767 -same command without the <span class="code" dir="ltr">-D</span>.
768 -</p>
769 -<p>
770 -Gentoo Hardened uses a specific boolean called <span class="code" dir="ltr">gentoo_try_dontaudit</span> to
771 -show or hide the denials that the developers believe are cosmetic. Thanks to
772 -this approach, you can first disable the Gentoo-selected dontaudit statements
773 -before showing all of them - which can be quite a lot more.
774 -</p>
775 -</td>
776 -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
777 -<tr><td class="topsep" align="center"><p class="alttext">Updated March 2, 2011</p></td></tr>
778 -<tr lang="en"><td align="center" class="topsep">
779 -<p class="alttext"><b>Donate</b> to support our development efforts.
780 - </p>
781 -<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
782 -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@g.o"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
783 -</form>
784 -</td></tr>
785 -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
786 -</table></td>
787 -</tr></table></td></tr>
788 -<tr><td colspan="2" align="right" class="infohead">
789 -Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
790 -</td></tr>
791 -</table></body>
792 -</html>
793
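Review bot: this hunk deletes the entire "Switching to Enforcing Mode" / "Analyzing AVC" handbook page, but the commit message ("Update previews") does not say whether the material was merged elsewhere or dropped; please state that, and confirm that no other preview page still links to hb-using-enforcing.html. Two pieces of the removed page should survive somewhere: the kernel-configuration listing (NSA SELinux boot parameter and runtime disable deselected, Development Support deselected) as the final step that makes SELinux non-disableable, and the `dontaudit` module example together with `semodule -R -D` as the way to re-surface suppressed denials when debugging. Also visible in the removed lines: the sample denial reads `path="http://www.gentoo.org/dev/null"`, a generator artifact that turned the path `/dev/null` into a URL; if the content is re-homed, check the new page for the same mangling.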
794 diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
795 index 061fe7b..fb5eb85 100644
796 --- a/html/selinux/hb-using-install.html
797 +++ b/html/selinux/hb-using-install.html
798 @@ -87,19 +87,6 @@ tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=
799 tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t:s0</span> 0 0
800 </pre></td></tr>
801 </table>
802 -<p class="secthead"><a name="doc_chap1_sect1">Enabling ~Arch Packages</a></p>
803 -<p>
804 -The current stable SELinux related packages are not fit for use anymore (or are
805 -even broken) so we seriously recommend to enable ~arch packages for SELinux. Add
806 -the following settings to the right file (for instance
807 -<span class="path" dir="ltr">/etc/portage/package.accept_keywords/selinux</span>):
808 -</p>
809 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
810 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux ~arch packages</p></td></tr>
811 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
812 -=sys-process/vixie-cron-4.1-r11
813 -</pre></td></tr>
814 -</table>
815 <p class="secthead"><a name="doc_chap1_sect1">Change the Gentoo Profile</a></p>
816 <p>
817 Now that you have a running Gentoo Linux installation, switch the Gentoo profile
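Review bot: removing the "Enabling ~Arch Packages" section drops the only mention of `/etc/portage/package.accept_keywords/selinux` and the pinned `=sys-process/vixie-cron-4.1-r11` entry. That is fine if the stable SELinux-related packages are now usable, but neither the commit message ("Update previews") nor the remaining install text says so, and a reader following an older copy of the chapter will not know the keywording step is obsolete. Suggest the commit message (or a sentence in the chapter) record that stable packages are now sufficient.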
818 @@ -613,7 +600,7 @@ With that done, enjoy - your first steps into the SELinux world are now made.
819 </p>
820 </td>
821 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
822 -<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr>
823 +<tr><td class="topsep" align="center"><p class="alttext">Updated October 18, 2011</p></td></tr>
824 <tr lang="en"><td align="center" class="topsep">
825 <p class="alttext"><b>Donate</b> to support our development efforts.
826 </p>
827
828 diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html
829 deleted file mode 100644
830 index 4212a95..0000000
831 --- a/html/selinux/hb-using-permissive.html
832 +++ /dev/null
833 @@ -1,609 +0,0 @@
834 -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
835 -<html lang="en">
836 -<head>
837 -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
838 -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
839 -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
840 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
841 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
842 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
843 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
844 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
845 -<title>Gentoo Linux Handbook Page
846 ---
847 - </title>
848 -</head>
849 -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
850 -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
851 -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
852 -<td width="99%" class="content" valign="top" align="left">
853 -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
854 - </span>Keeping Track of Denials</p>
855 -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
856 -<p>
857 -The moment you start using SELinux in permissive mode, SELinux will start
858 -logging all of its denials through your system logger. Based on this
859 -information, you can and will:
860 -</p>
861 -<ul>
862 - <li>
863 - see if certain domains are missing (for instance, commands are being ran
864 - inside a more standard domain whereas you would expect it to run within a
865 - more specific one) in which case you'll probably look for a SELinux policy
866 - module to introduce the specific domain,
867 - </li>
868 - <li>
869 - see if some files have wrong security contexts in which case you'll either
870 - restore their context or set it yourself,
871 - </li>
872 - <li>
873 - see if some denials are made which you don't expect in which case you'll
874 - find out why the denial is made and what the original policy writer intended
875 - (a prime example would be a website hosted in the wrong location in the file
876 - system)
877 - </li>
878 -</ul>
879 -<p>
880 -Of course, several other aspects can be performed the moment you analyze the
881 -denial messages, but the above ones are the most common.
882 -</p>
883 -<p class="secthead"><a name="doc_chap1_sect1">Configuring System Logger</a></p>
884 -<p>
885 -Before we start investigating denials, let's first configure the system logger
886 -to log the denials in its own log file. If you are running syslog-ng with a
887 -Gentoo Hardened profile, it will already be configured to log these denials in
888 -<span class="path" dir="ltr">/var/log/avc.log</span>:
889 -</p>
890 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
891 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: syslog-ng configuration</p></td></tr>
892 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
893 -destination avc { file("http://www.gentoo.org/var/log/avc.log"); };
894 -[...]
895 -filter f_avc { message(".*avc: .*"); };
896 -filter f_audit { message("^(\\[.*\..*] |)audit.*") and not message(".*avc: .*"); };
897 -[...]
898 -log { source(kernsrc); filter(f_avc); destination(avc); };
899 -</pre></td></tr>
900 -</table>
901 -<p>
902 -If you use a different logger, look for the configuration of the kernel audit
903 -events. Throughout the rest of this document, we assume that the log where the
904 -denials are logged in is <span class="path" dir="ltr">/var/log/avc.log</span>.
905 -</p>
906 -<p class="secthead"><a name="doc_chap1_sect1">What is AVC?</a></p>
907 -<p>
908 -When we previously showed a few of SELinux' policy allow rules, what you were
909 -actually looking at was an <span class="emphasis">access vector</span> rule. For instance:
910 -</p>
911 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
912 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example access vector rule</p></td></tr>
913 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
914 -allow sysadm_t portage_t : process transition ;
915 -</pre></td></tr>
916 -</table>
917 -<p>
918 -Up until now we have seen only the <span class="emphasis">allow</span> permission, but SELinux supports
919 -others as well:
920 -</p>
921 -<ul>
922 - <li>
923 - <span class="emphasis">auditallow</span> will allow an activity to occur, but will still log it
924 - (but then with a "granted" message instead of "denied")
925 - </li>
926 - <li>
927 - <span class="emphasis">dontaudit</span> will not allow an activity to occur but will also not log
928 - this. This is particularly useful where the activity is not needed and would
929 - otherwise fill the <span class="path" dir="ltr">avc.log</span> file.
930 - </li>
931 -</ul>
932 -<p>
933 -To improve efficiency of the policy enforcement, SELinux uses a cache for its
934 -access vectors - the <span class="emphasis">access vector cache</span> or <span class="emphasis">AVC</span>. Whenever some
935 -access is requested which isn't in the cache yet, it is first loaded in the
936 -cache from which the allow/deny is triggered. Hence the "avc" messages and the
937 -<span class="path" dir="ltr">avc.log</span> log file.
938 -</p>
939 -<p class="secthead"><a name="avclog"></a><a name="doc_chap1_sect1">Looking at the AVC Log</a></p>
940 -<p>
941 -During regular system operations, you can keep track of the denials through a
942 -simple <span class="code" dir="ltr">tail</span> session:
943 -</p>
944 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
945 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Looking at the avc logs</p></td></tr>
946 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
947 -~# <span class="code-input">tail -f /var/log/avc.log</span>
948 -Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400 audit(1293872219.247:156):
949 - avc: denied { setattr } for pid=7419 comm="gorg" name="selinux-handbook.xml" dev=dm-3 ino=159061
950 - scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file
951 -Jan 1 10:08:52 hpl kernel: [ 2944.664577] type=1400 audit(1293872932.907:157):
952 - avc: denied { use } for pid=9917 comm="ifconfig" path="http://www.gentoo.org/dev/null" dev=tmpfs ino=1546
953 - scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:wpa_cli_t tclass=fd
954 -Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158):
955 - avc: denied { create } for pid=10016 comm="logger"
956 - scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket
957 -</pre></td></tr>
958 -</table>
959 -<p>
960 -But how do you interprete such messages? Well, let's take a closer look at the
961 -first denial from the example.
962 -</p>
963 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
964 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample denial message</p></td></tr>
965 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
966 -<span class="code-comment">[ Standard data within log message, such as date, time, hostname, ... ]</span>
967 -Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400
968 -<span class="code-comment">[ The message is an AVC audit message, telling a deny for the setattr system call ]</span>
969 - audit(1293872219.247:156): avc: denied { setattr }
970 -<span class="code-comment">[ The offending process has PID 7419 and is named "gorg" ]</span>
971 - for pid=7419 comm="gorg"
972 -<span class="code-comment">[ The target for the system call is a file named "selinux-handbook.xml"
973 - on the dm-3 device; the file has inode 159061 ]</span>
974 - name="selinux-handbook.xml" dev=dm-3 ino=159061
975 -<span class="code-comment">[ The source and target security contexts and the class of the target (in this case, a file) ]</span>
976 - scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file
977 -</pre></td></tr>
978 -</table>
979 -<p>
980 -A similar one can be found of the last line in the example.
981 -</p>
982 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
983 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Another sample denial message</p></td></tr>
984 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
985 -Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158):
986 - avc: denied { create } for pid=10016 comm="logger"
987 - scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket
988 -</pre></td></tr>
989 -</table>
990 -<p>
991 -In this particular case, the offending process is <span class="code" dir="ltr">logger</span> (with PID 10016)
992 -which is trying to create a Unix stream socket (see the <span class="emphasis">tclass</span>
993 -information).
994 -</p>
995 -<p>
996 -Note though that not all AVC messages imply denials. Some accesses recorded by
997 -the access vector cache are grants but which have an explicit <span class="emphasis">auditallow</span>
998 -statement so that this can be tracked in the logs.
999 -</p>
1000 -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
1001 - </span>Analyzing Denials</p>
1002 -<p class="secthead"><a name="doc_chap1_sect1">A Standard Setup Might Not Work</a></p>
1003 -<p>
1004 -If you have taken a look at your denials, you'll probably think "If I'm going to
1005 -go to enforcing mode, my system will not function properly" and you might be
1006 -right. At this point, Gentoo Hardened is constantly updating the SELinux
1007 -policies to get you a working system - but we're not fully there yet. For this
1008 -reason, being able to analyze the denials (and take corrective actions) is
1009 -very important.
1010 -</p>
1011 -<p>
1012 -It is not easy to describe what the best option is when you see a denial which
1013 -shouldn't be. But a few ground-rules do apply.
1014 -</p>
1015 -<ul>
1016 - <li>
1017 - Verify if the denial is cosmetic or not. Try focusing on denials of which
1018 - you are <span class="emphasis">sure</span> that they are not cosmetic and will result in a
1019 - malfunction of your system (or that particular command) if no corrective
1020 - action is taken.
1021 - </li>
1022 - <li>
1023 - If you see a denial where the source context is a generic one (such as
1024 - <span class="emphasis">sysadm_t</span> or <span class="emphasis">staff_t</span> or <span class="emphasis">user_t</span>), try to find out if
1025 - there are specific SELinux policy modules for the offending resource. In the
1026 - previous example of the <span class="code" dir="ltr">gorg</span> process, we definitely need to check if
1027 - there is no selinux-gorg SELinux policy. Note that, even if there is none,
1028 - it doesn't mean there shouldn't be ;-)
1029 - </li>
1030 - <li>
1031 - If the target for the denial is a file, verify if its security context is
1032 - correct or if no different context should be given. It is also possible that
1033 - the process is trying to work on the wrong path. Sometimes a simple
1034 - configuration change of that process is sufficient to make it work properly
1035 - under its SELinux policy.
1036 - </li>
1037 -</ul>
1038 -<p>
1039 -During development of the policies, Gentoo Hardened developers will try to
1040 -hide denials they believe are cosmetic. This hiding can be toggled using the
1041 -SELinux <span class="code" dir="ltr">gentoo_try_dontaudit</span> boolean:
1042 -</p>
1043 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1044 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting and setting Gentoo's gentoo_try_dontaudit boolean</p></td></tr>
1045 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1046 -~# <span class="code-input">getsebool gentoo_try_dontaudit</span>
1047 -gentoo_try_dontaudit --&gt; off
1048 -~# <span class="code-input">setsebool -P gentoo_try_dontaudit on</span>
1049 -</pre></td></tr>
1050 -</table>
1051 -<p>
1052 -When set, the denials that are believed to be cosmetic are hidden from your
1053 -audit logs. But if your system is not functioning properly and you do not see
1054 -any denials, it is wise to toggle this boolean again to verify if the denial
1055 -is now shown or not.
1056 -</p>
1057 -<p class="secthead"><a name="doc_chap1_sect1">Installing Additional SELinux Policy Modules</a></p>
1058 -<p>
1059 -When a denial is found for which you think a SELinux policy module should
1060 -exist, find out which package provides the offending resource and verify if
1061 -Gentoo offers a SELinux policy for that package. If it does, install it and
1062 -relabel the files of the package.
1063 -</p>
1064 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1065 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Finding Gentoo SELinux packages</p></td></tr>
1066 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1067 -~# <span class="code-input">tail -f /var/log/avc.log</span>
1068 -Jan 1 09:42:37 hpl kernel: [ 1372.708172] type=1400 audit(1293871357.972:76):
1069 - avc: denied { search } for pid=6937 comm="screen" name="selinux" dev=dm-0
1070 - ino=1053303 scontext=staff_u:staff_r:staff_t
1071 - tcontext=staff_u:object_r:user_home_t tclass=dir
1072 -
1073 -~# <span class="code-input">whereis screen</span>
1074 -screen: /usr/bin/screen
1075 -
1076 -~# <span class="code-input">qfile /usr/bin/screen</span>
1077 -app-misc/screen (/usr/bin/screen)
1078 -
1079 -~# <span class="code-input">emerge --search selinux-screen</span>
1080 -Searching...
1081 -[ Results for search key : selinux-screen ]
1082 -[ Applications found : 1 ]
1083 -
1084 -* sec-policy/selinux-screen
1085 - Latest version available: 2.20110726
1086 - Latest version installed: 2.20110726
1087 - Size of files: 574 kB
1088 - Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
1089 - Description: SELinux policy for screen
1090 - License: GPL-2
1091 -
1092 -~# <span class="code-input">emerge selinux-screen</span>
1093 -[...]
1094 -
1095 -~# <span class="code-input">rlpkg screen</span>
1096 -Relabeling: app-misc/screen-4.0.3
1097 -</pre></td></tr>
1098 -</table>
1099 -<p>
1100 -If you believe a SELinux policy module should exist but you cannot find one,
1101 -then you can either download the reference policy tarball (which you might find
1102 -in your <span class="path" dir="ltr">distfiles</span> directory - it is called
1103 -<span class="path" dir="ltr">refpolicy-2.YYYYMMDD.tar.bz2</span>) and see if there are already modules
1104 -available (look inside the <span class="path" dir="ltr">refpolicy/policy/modules</span> location) or
1105 -ask around on #gentoo-hardened on irc.freenode.net.
1106 -</p>
1107 -<p class="secthead"><a name="doc_chap1_sect1">Updating the Security Contexts of Files</a></p>
1108 -<p>
1109 -The most common case of denials when the necessary policies are in place are
1110 -wrongly labeled files or directories (in other words, the security context of
1111 -the target file or directory is not what the policy would expect). This can be
1112 -either because the file has not been (re)labeled after the policy has been
1113 -loaded or because the label has for some reason changed (case 1) or because
1114 -the path of the file is not in accordance to the file context specifications
1115 -in the SELinux module (case 2).
1116 -</p>
1117 -<p>
1118 -The first possibility (security context correct in policy, but not applied) can
1119 -be easily fixed using the <span class="code" dir="ltr">restorecon</span> command. You can apply it against a
1120 -single file, or run it recursively using the <span class="code" dir="ltr">-R</span> option.
1121 -</p>
1122 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1123 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running restorecon to restore a security context</p></td></tr>
1124 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1125 -~# <span class="code-input">restorecon /etc/make.conf</span>
1126 -</pre></td></tr>
1127 -</table>
1128 -<p>
1129 -If the file context definition in the policy however doesn't apply to the file
1130 -(or directory), you can still tell your system to label the file or directory
1131 -accordingly. For instance, say you have your <span class="path" dir="ltr">lvm.conf</span> file inside
1132 -<span class="path" dir="ltr">/etc</span> rather than <span class="path" dir="ltr">/etc/lvm</span> as the policy would expect,
1133 -then you can still label the file correctly using <span class="code" dir="ltr">semanage</span>. With
1134 -<span class="code" dir="ltr">semanage</span>, you assign a correct security context unrelated to any
1135 -module. It is a local setting - but which is persistent across reboots and
1136 -relabelling activities.
1137 -</p>
1138 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1139 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting a new file context using semanage</p></td></tr>
1140 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1141 -~# <span class="code-input">semanage fcontext -a -t lvm_etc_t /etc/lvm.conf</span>
1142 -~# <span class="code-input">restorecon /etc/lvm.conf</span>
1143 -</pre></td></tr>
1144 -</table>
1145 -<p>
1146 -If you want to make such a definition part of a module you're writing, you will
1147 -need to create a file context file which contains the definition(s) for the
1148 -files whose context you want to set. Writing policy modules is described later
1149 -in this book in <span title="Link to other book part not available"><font color="#404080">(Adding SELinux Policy
1150 -Modules)</font></span>.
1151 -</p>
1152 -<p class="secthead"><a name="create_module"></a><a name="doc_chap1_sect1">Creating Specific Allow Rules</a></p>
1153 -<p>
1154 -If a denial isn't resolved through an available SELinux policy module or a
1155 -corrective action taken against the target file or directory, or there
1156 -is no such module available, then you might opt to create your own policy. If
1157 -your goal is to allow a specific set of rules (rather than to write a
1158 -full-fledged SELinux policy module) then you can use the <span class="code" dir="ltr">audit2allow</span> tool
1159 -to generate a policy based on the denial logs.
1160 -</p>
1161 -<p>
1162 -With <span class="code" dir="ltr">audit2allow</span>, you can transform an AVC denial message into a SELinux
1163 -policy module definition. This can then be compiled into a binary policy module
1164 -and finally packaged into an easily (re)loadable SELinux policy module. It is
1165 -recommended to keep the (raw) AVC logs that you use to build the SELinux policy
1166 -module as this will allow you to continuously update the module when new denials
1167 -occur.
1168 -</p>
1169 -<p>
1170 -For instance, to allow some <span class="code" dir="ltr">sudo</span>-related denials, you can do the
1171 -following steps...
1172 -</p>
1173 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1174 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Generating, building and inserting a SELinux policy</p></td></tr>
1175 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1176 -<span class="code-comment">[ We append the AVC messages to the sudo.raw file so that, in the future, we can
1177 - add additional denial messages inside the same raw file which will be used to
1178 - build a new SELinux policy module ]</span>
1179 -~# <span class="code-input">grep 'comm="sudo"' /var/log/avc.log &gt;&gt; sudo.raw</span>
1180 -
1181 -<span class="code-comment">[ We generate a module definition called 'fixsudo' based on the captured AVC denials ]</span>
1182 -~# <span class="code-input">cat sudo.raw | audit2allow -m fixsudo &gt; fixsudo.te</span>
1183 -
1184 -<span class="code-comment">[ Next we build the SELinux module ]</span>
1185 -~# <span class="code-input">checkmodule -m -o fixsudo.mod fixsudo.te</span>
1186 -~# <span class="code-input">semodule_package -o fixsudo.pp -m fixsudo.mod</span>
1187 -</pre></td></tr>
1188 -</table>
1189 -<p>
1190 -The generated policy module (with the <span class="path" dir="ltr">.pp</span> suffix) can then be
1191 -dynamically loaded into the SELinux policy store:
1192 -</p>
1193 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1194 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Loading the generated module</p></td></tr>
1195 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1196 -~# <span class="code-input">semodule -i fixsudo.pp</span>
1197 -</pre></td></tr>
1198 -</table>
1199 -<p>
1200 -The module definition (in our example called <span class="path" dir="ltr">fixsudo.te</span>) can be
1201 -modified as you please - it's content is standard ASCII, human readable.
1202 -</p>
1203 -<p>
1204 -Not all denials that you might get are bugs in the default security policy.
1205 -It is very probable that you use your system in a slightly different way than
1206 -intended within the Gentoo Hardened SELinux default policy. However, if you
1207 -believe that you had to change your runtime policy due to a bug in the
1208 -current policy, please report it on <a href="https://bugs.gentoo.org">Bugzilla</a> so that the Gentoo Hardened
1209 -SELinux developers can take a look at it. Also, don't hesitate to contact
1210 -the Gentoo Hardened SELinux developers if you are uncertain about things.
1211 -</p>
1212 -<p>
1213 -They don't bite. They get fed regularly so they don't have to.
1214 -</p>
1215 -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
1216 - </span>Working with SELinux</p>
1217 -<p class="secthead"><a name="doc_chap1_sect1">Loading and Unloading of Modules</a></p>
1218 -<p>
1219 -We have already crossed SELinux modules quite a few times. You even saw that, in
1220 -order to load a module, you can use <span class="code" dir="ltr">semodule -i modulename.pp</span>. The
1221 -<span class="code" dir="ltr">semodule</span> command offers the following functions:
1222 -</p>
1223 -<ul>
1224 - <li>
1225 - With <span class="code" dir="ltr">semodule -i modulename.pp</span> you (re)install a module (or install
1226 - a higher version of said module)
1227 - </li>
1228 - <li>
1229 - With <span class="code" dir="ltr">semodule -u modulename.pp</span> you upgrade an existing installed
1230 - module with a new version of this module
1231 - </li>
1232 - <li>
1233 - With <span class="code" dir="ltr">semodule -r modulename.pp</span> you remove a module from the SELinux
1234 - policy store. It will not be reloaded, not even after a reboot.
1235 - </li>
1236 - <li>
1237 - With <span class="code" dir="ltr">semodule -R</span> you reload the policies. An interesting feature here
1238 - is that you can add <span class="code" dir="ltr">-D</span> which will <span class="emphasis">disable</span> the <span class="emphasis">dontaudit</span>
1239 - rules from the policy. This can be useful, especially later in enforcing
1240 - mode, to find out why something is failing even though you get no denials.
1241 - </li>
1242 - <li>
1243 - With <span class="code" dir="ltr">semodule -B</span> you force a rebuild of the policy (which includes by
1244 - default a reload of the policy as well). Amongst some other things, such a
1245 - rebuild will read up on the existing users' and their home directories and
1246 - create the associated domains.
1247 - </li>
1248 -</ul>
1249 -<p class="secthead"><a name="doc_chap1_sect1">Listing Modules</a></p>
1250 -<p>
1251 -With the <span class="code" dir="ltr">semodule -l</span> command you can get an overview of the installed
1252 -modules, together with their current version. When you have issues with SELinux
1253 -policies and are trying to get online help on the matter, knowing the version of
1254 -the particular module is important to help you troubleshoot problems.
1255 -</p>
1256 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1257 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the installed modules</p></td></tr>
1258 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1259 -~# <span class="code-input">semodule -l</span>
1260 -dbus 1.14.0
1261 -dnsmasq 1.9.0
1262 -hal 1.13.0
1263 -[...]
1264 -</pre></td></tr>
1265 -</table>
1266 -<p class="secthead"><a name="doc_chap1_sect1">Switching Roles</a></p>
1267 -<p>
1268 -When you are working with a SELinux system, your default users will be using the
1269 -user_u SELinux login (and as such the user_r SELinux role) so they will not need
1270 -to perform any role switching: there are no other roles they can switch to.
1271 -</p>
1272 -<p>
1273 -Accounts that you use to perform more administrative tasks however are most
1274 -likely mapped to the staff_u SELinux login or have their own login but with the
1275 -same roles supported: staff_r and sysadm_r. These accounts should by default
1276 -start within the staff_r role. Although still restricted, it has more
1277 -possibilities (with respect to supported target domains to transition to)
1278 -than the user_r role.
1279 -</p>
1280 -<p>
1281 -The major difference however is that these users will also have to switch roles
1282 -from time to time. For instance, if you want to use Portage - even just for
1283 -querying the tree - you will need to be in the sysadm_r role. To switch roles,
1284 -use the <span class="code" dir="ltr">newrole</span> command:
1285 -</p>
1286 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1287 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching roles</p></td></tr>
1288 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1289 -~$ <span class="code-input">newrole -r sysadm_r</span>
1290 -Password: <span class="code-comment">(Enter your personal password)</span>
1291 -~$
1292 -</pre></td></tr>
1293 -</table>
1294 -<p>
1295 -With <span class="code" dir="ltr">id -Z</span> you can verify that you have indeed successfully switched
1296 -roles.
1297 -</p>
1298 -<p>
1299 -Now how do you know that you need to switch roles? Generally, you will get a
1300 -<span class="emphasis">Permission denied</span> statement on one or more files:
1301 -</p>
1302 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1303 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting to know when to switch roles</p></td></tr>
1304 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1305 -~$ <span class="code-input">emerge --info</span>
1306 -Permission denied: '/etc/make.conf'
1307 -</pre></td></tr>
1308 -</table>
1309 -<p>
1310 -You might not be able, from within your current role, to find out if switching
1311 -roles is sufficient to gain read access. Within your current role, you might not
1312 -be able to get to view the current security context or query the SELinux AV
1313 -rules. But if you switch to the sysadm_r role and run the necessary queries, you
1314 -might get the information you need:
1315 -</p>
1316 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1317 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Verifying read access against the /etc/make.conf file</p></td></tr>
1318 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1319 -~$ <span class="code-input">id -Z</span>
1320 -staff_u:staff_r:staff_t
1321 -~$ <span class="code-input">newrole -r sysadm_r</span>
1322 -Password: <span class="code-comment">(Enter your personal password)</span>
1323 -~$ <span class="code-input">id -Z</span>
1324 -staff_u:sysadm_r:sysadm_t
1325 -~$ <span class="code-input">ls -Z /etc/make.conf</span>
1326 -system_u:object_r:portage_conf_t /etc/make.conf
1327 -~$ <span class="code-input">sesearch -t portage_conf_t -c file -p read -A -d</span>
1328 -Found 8 semantic av rules:
1329 - allow portage_t portage_conf_t : file { ioctl read getattr lock execute execute_no_trans open } ;
1330 - <span class="code-comment"># This is the one we are looking for</span>
1331 - allow sysadm_t portage_conf_t : file { ioctl read write ... } ;
1332 - allow portage_fetch_t portage_conf_t : file { ioctl read getattr lock open } ;
1333 - allow restorecond_t portage_conf_t : file { ioctl read getattr lock relabelfrom relabelto open } ;
1334 - allow gcc_config_t portage_conf_t : file { ioctl read getattr lock open } ;
1335 - allow portage_sandbox_t portage_conf_t : file { ioctl read getattr lock open } ;
1336 - allow rsync_t portage_conf_t : file { ioctl read getattr lock open } ;
1337 - allow mount_t portage_conf_t : file { ioctl read getattr lock open } ;
1338 -</pre></td></tr>
1339 -</table>
1340 -<p>
1341 -As you can see, the sysadm_t domain (which is affiliated with the sysadm_r role)
1342 -has the necessary read access, whereas there is no sign of any read access for
1343 -the staff_t domain.
1344 -</p>
1345 -<p class="secthead"><a name="doc_chap1_sect1">Using File Labels</a></p>
1346 -<p>
1347 -During regular system usage, you will get into situations where you need to set
1348 -file labels (security contexts). We have already covered the use of
1349 -<span class="code" dir="ltr">semanage</span> and <span class="code" dir="ltr">restorecon</span> to do so, but a few other methods exist as
1350 -well, each of them for specific purposes...
1351 -</p>
1352 -<p>
1353 -With <span class="code" dir="ltr">chcon</span> users (and not only administrators) can relabel files (if they
1354 -have the necessary privileges to do so) to the type they want. As an example,
1355 -consider the domains and rules for the Mozilla applications (such as firefox).
1356 -By default, this domain has no ability to create new files in the user home
1357 -directory. However, a specific domain has been created (mozilla_home_t) in which
1358 -the application can create files. By creating a folder (say
1359 -<span class="path" dir="ltr">Downloads</span>) and relabeling it correctly, the application is able to
1360 -create new files inside this location.
1361 -</p>
1362 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1363 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling a directory</p></td></tr>
1364 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1365 -~$ <span class="code-input">ls -Zd ~/Downloads</span>
1366 -staff_u:object_r:user_home_t Downloads/
1367 -~$ <span class="code-input">chcon -t mozilla_home_t ~/Downloads</span>
1368 -~$ <span class="code-input">ls -Zd ~/Downloads</span>
1369 -staff_u:object_r:mozilla_home_t
1370 -</pre></td></tr>
1371 -</table>
1372 -<p>
1373 -It is important to understand that relabeling is a specific privilege which is
1374 -also governed by SELinux policies (the staff_t domain has this privilege on the
1375 -user_home_t domain). Also, the target domain (mozilla_home_t) is still
1376 -manageable by the staff_t domain (including relabeling) so that the relabeling
1377 -activity doesn't lower the privileges that staff_t has on this folder. This
1378 -isn't always the case, so be careful when you relabel.
1379 -</p>
1380 -<p>
1381 -Relabelling files is governed by the relabelfrom and relabelto privileges.
1382 -Consider the following two hypothetical rules:
1383 -</p>
1384 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1385 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling rules</p></td></tr>
1386 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1387 -allow staff_t foo_t : dir { relabelfrom relabelto };
1388 -allow staff_t bar_t : dir { relabelto };
1389 -</pre></td></tr>
1390 -</table>
1391 -<p>
1392 -In the first rule, the staff_t domain has the ability to relabel directories
1393 -that are currently in the foo_t domain (relabelfrom) and to relabel directories
1394 -to the foo_t domain (if their source domain has a correct relabelfrom
1395 -privilege). In the second rule, the staff_t domain is only able to relabel
1396 -directories to the bar_t domain. However, once a directory has the bar_t domain,
1397 -the staff_t domain has no ability to relabel it to something else (no
1398 -relabelfrom privilege).
1399 -</p>
1400 -<p class="secthead"><a name="doc_chap1_sect1">Relabelling Gentoo Package Content</a></p>
1401 -<p>
1402 -As a last section let's talk about Gentoo support for relabeling files. By
1403 -default, Portage will relabel all files of a package once it is installed. This
1404 -is governed by the FEATURES="selinux" setting which is enabled when you select
1405 -the selinux profiles. An administrator can also relabel the contents of a
1406 -package using the (Gentoo-specific) <span class="code" dir="ltr">rlpkg</span> command (installed through
1407 -the policycoreutils package):
1408 -</p>
1409 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1410 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling the files and directories of a package</p></td></tr>
1411 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1412 -~# <span class="code-input">rlpkg net-tools</span>
1413 -Relabeling: sys-apps/net-tools-1.60_p20090728014017-r1
1414 -</pre></td></tr>
1415 -</table>
1416 -<p>
1417 -The same tool can be used to relabel the entire system:
1418 -</p>
1419 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1420 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling the entire (file) system</p></td></tr>
1421 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1422 -~# <span class="code-input">rlpkg -a -r</span>
1423 -</pre></td></tr>
1424 -</table>
1425 -</td>
1426 -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
1427 -<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr>
1428 -<tr lang="en"><td align="center" class="topsep">
1429 -<p class="alttext"><b>Donate</b> to support our development efforts.
1430 - </p>
1431 -<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
1432 -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@g.o"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
1433 -</form>
1434 -</td></tr>
1435 -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
1436 -</table></td>
1437 -</tr></table></td></tr>
1438 -<tr><td colspan="2" align="right" class="infohead">
1439 -Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
1440 -</td></tr>
1441 -</table></body>
1442 -</html>
1443
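Review bot: this hunk removes an entire handbook preview page (the "Working with SELinux" chapter, down to its closing `</html>`) rather than regenerating it, and the next `diff --git` deletes hb-using-policymodules.html outright as well, yet nothing in the change re-adds the `semanage fcontext`/`restorecon`, `audit2allow`, `semodule`, `newrole`, `chcon` and `rlpkg` walkthroughs that go away here; please have the commit message say that these preview pages are intentionally retired (or name the page that now carries the text) so the deletion is not mistaken for a preview regeneration gone wrong. Two details in the removed text are worth carrying over if it is reused elsewhere: in the "Loading and Unloading of Modules" list, `semodule -r modulename.pp` should be `semodule -r modulename` (removal takes the module name, not the package file), and every listing in the page is anchored as `doc_chap1_pre1` and titled "Code Listing1.1" while every section is `doc_chap1_sect1`, so the in-page anchors are duplicates; if the remaining previews come from the same generator, check that it emits proper chapter, section and listing numbers there.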
1444 diff --git a/html/selinux/hb-using-policymodules.html b/html/selinux/hb-using-policymodules.html
1445 deleted file mode 100644
1446 index 9a098cc..0000000
1447 --- a/html/selinux/hb-using-policymodules.html
1448 +++ /dev/null
1449 @@ -1,541 +0,0 @@
1450 -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
1451 -<html lang="en">
1452 -<head>
1453 -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
1454 -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
1455 -<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
1456 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
1457 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
1458 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
1459 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
1460 -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
1461 -<title>Gentoo Linux Handbook Page
1462 ---
1463 - </title>
1464 -</head>
1465 -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
1466 -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
1467 -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
1468 -<td width="99%" class="content" valign="top" align="left">
1469 -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
1470 - </span>Writing Simple Policies</p>
1471 -<p class="secthead"><a name="doc_chap1_sect1">Writing a TE File</a></p>
1472 -<p>
1473 -Let us summarize our previous experiences with writing simple policies. We have
1474 -already covered how to write a <span class="path" dir="ltr">.te</span> file and convert it to a
1475 -loadable SELinux module. Let's go over this once again with a simple example:
1476 -allowing execmem for the mozilla_t domain.
1477 -</p>
1478 -<p>
1479 -When using the <span class="path" dir="ltr">selinux-mozilla</span> provided SELinux module, you might
1480 -still get a failure if you are using the 32-bit binary firefox package
1481 -(<span class="path" dir="ltr">www-client/firefox-bin</span>) and if you do not allow memexec (see the
1482 -<span class="code" dir="ltr">allow_memexec</span> boolean). You will probably find an AVC denial telling you
1483 -this exact same thing. If you want to allow just mozilla_t to run execmem, you
1484 -can write the following <span class="path" dir="ltr">fixmozilla.te</span> module:
1485 -</p>
1486 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1487 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Content of fixmozilla.te</p></td></tr>
1488 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1489 -module fixmozilla 1.0.0;
1490 -
1491 -require {
1492 - type mozilla_t;
1493 - class process execmem;
1494 -}
1495 -
1496 -allow mozilla_t self:process { execmem };
1497 -</pre></td></tr>
1498 -</table>
1499 -<p>
1500 -This simple policy sais that the module is called <span class="emphasis">fixmozilla</span> with module
1501 -version <span class="emphasis">1.0.0</span> (it is wise to update this version every time you update
1502 -the content of the module so that you can quickly verify with <span class="code" dir="ltr">semodule -l</span>
1503 -if the new version is loaded or not). It requires the <span class="emphasis">mozilla_t</span> domain
1504 -(if <span class="path" dir="ltr">sec-policy/selinux-mozilla</span> isn't installed, loading of this
1505 -policy will fail as it will not find the mozilla_t domain) and the
1506 -<span class="emphasis">process</span> class with the <span class="emphasis">execmem</span> operation. The policy itself
1507 -(the AVC statement) is to allow the mozilla_t domain to use execmem on its
1508 -own processes.
1509 -</p>
1510 -<p>
1511 -To convert this source into a loadable policy, we first convert it into a
1512 -<span class="path" dir="ltr">.mod</span> file:
1513 -</p>
1514 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1515 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Converting a .te file to a .mod file</p></td></tr>
1516 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1517 -~$ <span class="code-input">checkmodule -m -o fixmozilla.mod fixmozilla.te</span>
1518 -</pre></td></tr>
1519 -</table>
1520 -<p>
1521 -In this particular command, we create a non-base (<span class="code" dir="ltr">-m</span>) module file
1522 -(<span class="path" dir="ltr">fixmozilla.mod</span>) which contains the statements offered by the
1523 -<span class="path" dir="ltr">fixmozilla.te</span> file. If you are running an MLS/MCS system you will
1524 -need to add the <span class="code" dir="ltr">-M</span> option.
1525 -</p>
1526 -<p>
1527 -Next we package this module into a loadable SELinux module:
1528 -</p>
1529 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1530 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Packaging the .mod file to a loadable SELinux module</p></td></tr>
1531 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1532 -~$ <span class="code-input">semodule_package -o fixmozilla.pp -m fixmozilla.mod</span>
1533 -</pre></td></tr>
1534 -</table>
1535 -<p>
1536 -This final module file (<span class="path" dir="ltr">fixmozilla.pp</span>) can then be loaded into the
1537 -SELinux policy store using <span class="code" dir="ltr">semodule -i fixmozilla.pp</span>.
1538 -</p>
1539 -<p>
1540 -Using this relatively simple method, you can create all the policy rules you
1541 -want. However, you most likely want to add information on file labeling as
1542 -well...
1543 -</p>
1544 -<p class="secthead"><a name="doc_chap1_sect1">Writing an FC File</a></p>
1545 -<p>
1546 -An FC file (<span class="emphasis">File Context</span>) contains the file labels (security contexts)
1547 -that should be assigned to particular files. If you structure your modules
1548 -correctly, you most likely have policies for particular programs, and you would
1549 -like to label the program files and binaries accordingly. This is what the
1550 -<span class="path" dir="ltr">.fc</span> files are for.
1551 -</p>
1552 -<p>
1553 -Let's take a look at a sample .fc file which contains the various types of
1554 -context definitions that are supported:
1555 -</p>
1556 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1557 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample .fc file</p></td></tr>
1558 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1559 -/var/.* gen_context(system_u:object_r:var_t)
1560 -/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t)
1561 -/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t)
1562 -/vmlinuz.* -l gen_context(system_u:object_r:boot_t)
1563 -/usr/bin/firefox -- gen_context(system_u:object_r:mozilla_exec_t)
1564 -/tmp/\.ICE-unix/.* -s &lt;&lt;none&gt;&gt;
1565 -/dev/initctl -p gen_context(system_u:object_r:initctl_t)
1566 -/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t)
1567 -</pre></td></tr>
1568 -</table>
1569 -<p>
1570 -The first column (in every line) starts with a regular expression to match
1571 -against a file's path. This is usually sufficient to match any possible file.
1572 -SELinux does support some special variables like ROLE, HOME_DIR, HOME_ROOT and
1573 -USER which are substituted with their corresponding values when the file context
1574 -is (re)compiled (for instance when you add or delete SELinux users or rebuild
1575 -the policy using <span class="code" dir="ltr">semodule</span>).
1576 -</p>
1577 -<p>
1578 -The second column, if available, starts with a dash followed by the file type:
1579 -<span class="code" dir="ltr">c</span>haracter device, <span class="code" dir="ltr">b</span>lock device, symbolic <span class="code" dir="ltr">l</span>ink,
1580 -<span class="code" dir="ltr">s</span>ocket, <span class="code" dir="ltr">d</span>irectory, named <span class="code" dir="ltr">p</span>ipe or a regular file (<span class="code" dir="ltr">-</span>).
1581 -</p>
1582 -<p>
1583 -The last column gives the security context (label) that should be assigned to
1584 -the resource(s) that match the regular expression. You should always see the
1585 -"standard three" (user, role, domain), but you might also see the security level
1586 -and even category if MLS/MCS is used or supported by the module.
1587 -</p>
1588 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1589 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample file context with MLS/MCS support</p></td></tr>
1590 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1591 -/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15,c0.c255)
1592 -</pre></td></tr>
1593 -</table>
1594 -<p>
1595 -You can write your own FC file. For instance, Gentoo adds the following
1596 -definition to the <span class="path" dir="ltr">sec-policy/selinux-mozilla</span> package to support the
1597 -binary firefox package:
1598 -</p>
1599 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1600 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example .fc content</p></td></tr>
1601 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1602 -/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
1603 -/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
1604 -/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
1605 -/opt/firefox/run-mozilla.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
1606 -/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
1607 -/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
1608 -</pre></td></tr>
1609 -</table>
1610 -<p>
1611 -If you want to add such a file to your policy, add it during the
1612 -<span class="code" dir="ltr">semodule_package</span> phase:
1613 -</p>
1614 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1615 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Adding file context information to a policy</p></td></tr>
1616 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1617 -~$ <span class="code-input">semodule_package -o fixmozilla.pp -m fixmozilla.mod -f fixmozilla.fc</span>
1618 -</pre></td></tr>
1619 -</table>
1620 -<p>
1621 -Once this policy is loaded, you can use tools like <span class="code" dir="ltr">matchpathcon</span>,
1622 -<span class="code" dir="ltr">restorecon</span> and more as they now know how to deal with the files you have
1623 -mentioned in your file context file.
1624 -</p>
1625 -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
1626 - </span>Building a Reference Policy Module</p>
1627 -<p class="secthead"><a name="doc_chap1_sect1">Introduction to the Reference Policy</a></p>
1628 -<p>
1629 -Initially we have already covered the fact that Gentoo Hardened bases its
1630 -policies on the reference policy maintained by Tresys. This reference policy
1631 -offers an important additional functionality during module development:
1632 -interfaces.
1633 -</p>
1634 -<p>
1635 -By creating an interface, you actually create a function of some sort which can
1636 -be used in other modules. Such interfaces allow module writers to generate rules
1637 -to interact with the domain of their module without knowing what the other
1638 -domains are. For instance, the mozilla module has an interface definition like
1639 -so:
1640 -</p>
1641 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1642 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example interface definition</p></td></tr>
1643 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1644 -interface(`mozilla_read_user_home_files',`
1645 - gen_require(`
1646 - type mozilla_home_t;
1647 - ')
1648 -
1649 - allow $1 mozilla_home_t:dir list_dir_perms;
1650 - allow $1 mozilla_home_t:file read_file_perms;
1651 - allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
1652 - userdom_search_user_home_dirs($1)
1653 -')
1654 -</pre></td></tr>
1655 -</table>
1656 -<p>
1657 -This interface allows other modules to use the
1658 -<span class="code" dir="ltr">mozilla_read_user_home_files</span> function if they want their domain to be
1659 -able to (in this case) read the files in the mozilla_home_t domain. Of course,
1660 -they can add all statements inside their own definition, but then they would
1661 -have to require that the mozilla module is loaded, which might be a wrong
1662 -assumption, and duplicate the same allow statements for each application.
1663 -The use of interfaces makes policy development easier.
1664 -</p>
1665 -<p>
1666 -Also, the reference policy allows the use of <span class="emphasis">optional</span> statements:
1667 -a module can call an interface of another module, but this may not fail if
1668 -the other module is not available on a users' system.
1669 -</p>
1670 -<p>
1671 -For instance, in the evolution policy:
1672 -</p>
1673 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1674 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Extract from evolution.te</p></td></tr>
1675 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1676 -optional_policy(`
1677 - mozilla_read_user_home_files(evolution_t)
1678 - mozilla_domtrans(evolution_t)
1679 -')
1680 -</pre></td></tr>
1681 -</table>
1682 -<p>
1683 -In this extract we see that the previously defined interface is called with
1684 -argument evolution_t (the Evolution domain) within an <span class="code" dir="ltr">optional_policy</span>
1685 -clause. As a result, building this policy will attempt to call this interface,
1686 -but if the interface is missing (because the mozilla module isn't installed) it
1687 -will not fail the build of the evolution module.
1688 -</p>
1689 -<p>
1690 -Using the interfaces allows for a clean separation of the various modules.
1691 -Within the reference policy, the following guidelines are used:
1692 -</p>
1693 -<ul>
1694 - <li>
1695 - Inside a <span class="path" dir="ltr">.te</span> file, the only domains that are allowed to be
1696 - mentioned are those defined in the same <span class="path" dir="ltr">.te</span> file. Any
1697 - interaction with other domains need to happen through interfaces offered by
1698 - that domain.
1699 - </li>
1700 - <li>
1701 - Inside an <span class="path" dir="ltr">.if</span> file, where the interfaces are defined, an XML
1702 - like syntax is used to document each interface, allowing for developers to
1703 - read easily what an interface is meant to do (because honestly, there are
1704 - far more complex interfaces than the one we have previously shown)
1705 - </li>
1706 - <li>
1707 - Distribution-specific aspects of modules should be enclosed within a
1708 - <span class="code" dir="ltr">ifdef(`distro_gentoo',`...')</span> statement (example for Gentoo). This
1709 - statement is supported in all three files (<span class="path" dir="ltr">.te</span>,
1710 - <span class="path" dir="ltr">.if</span> and <span class="path" dir="ltr">.fc</span>).
1711 - </li>
1712 -</ul>
1713 -<p class="secthead"><a name="doc_chap1_sect1">Building the Reference Policy Module</a></p>
1714 -<p>
1715 -If you want to build a module using the reference policy interfaces, you first
1716 -need to create the <span class="path" dir="ltr">.te</span> file and, optionally (but most likely
1717 -needed) <span class="path" dir="ltr">.if</span> and <span class="path" dir="ltr">.fc</span> file. It is wise to start from an
1718 -example set of files for a similar application. If you want to or need to use
1719 -interfaces of different modules, you can find the interfaces that are valid on
1720 -your system inside <span class="path" dir="ltr">/usr/share/selinux/strict/include</span>.
1721 -</p>
1722 -<p>
1723 -Once you want to build the module, copy the
1724 -<span class="path" dir="ltr">/usr/share/selinux/strict/include/Makefile</span> file inside the
1725 -directory where your policy definition(s) are stored. Then, call the <span class="code" dir="ltr">make</span>
1726 -command to build the policy modules.
1727 -</p>
1728 -<p>
1729 -The result should be one (or more) loadable SELinux modules.
1730 -</p>
1731 -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
1732 - </span>Example: Start Building the Skype Policy</p>
1733 -<p class="secthead"><a name="doc_chap1_sect1">Labelling</a></p>
1734 -<p>
1735 -Let's start to create a sample reference policy based SELinux module for the <span class="code" dir="ltr">skype</span>
1736 -application. This application is a well-known application used to perform voice-
1737 -and video chats across the Internet. We will not finish the module in this
1738 -chapter (as the exercise will become a repetitive try-and-correct cycle which
1739 -isn't the purpose to document here) but rather show an approach on how to deal
1740 -with such policy building exercises.
1741 -</p>
1742 -<p>
1743 -First get acquainted with the application.
1744 -</p>
1745 -<p>
1746 -The usual way of interacting with <span class="code" dir="ltr">skype</span> is from an end-user point (not
1747 -administrator). From interacting with it in permissive mode (or from a
1748 -non-SELinux system) we know it creates a <span class="path" dir="ltr">~/.Skype</span> folder for its
1749 -configuration, chat history and more.
1750 -</p>
1751 -<p>
1752 -Given this above information, let's take a look at the content of the
1753 -<span class="path" dir="ltr">net-im/skype</span> package:
1754 -</p>
1755 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1756 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Content of the skype package</p></td></tr>
1757 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1758 -~$ <span class="code-input">qlist skype</span>
1759 -<span class="code-comment">(Output shortened for clarity)</span>
1760 -/usr/bin/skype
1761 -/usr/share/... <span class="code-comment"># Unrelated to the application but used by distribution</span>
1762 -/opt/skype/skype
1763 -/opt/skype/sounds/...
1764 -/opt/skype/lang/...
1765 -/opt/skype/avatars/...
1766 -</pre></td></tr>
1767 -</table>
1768 -<p>
1769 -Given this information, we could create the following file context definition:
1770 -</p>
1771 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1772 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample file context for skype</p></td></tr>
1773 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1774 -/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
1775 -/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
1776 -HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
1777 -</pre></td></tr>
1778 -</table>
1779 -<p>
1780 -We will not give the various skype files a specific label - they are all
1781 -read-only files so can keep the default label assigned to them.
1782 -</p>
1783 -<p>
1784 -Within the <span class="path" dir="ltr">skype.te</span> file, we define the necessary domains and
1785 -also use the first interfaces which are often associated with this kind of
1786 -domains (for reasoning you can read the sources for the apache module or
1787 -other services). A sample module to base our definition from could be
1788 -telepathy...
1789 -</p>
1790 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1791 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Initial skype module definition</p></td></tr>
1792 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1793 -policy_module(skype, 1.0.0)
1794 -
1795 -type skype_t;
1796 -type skype_exec_t;
1797 -application_domain(skype_t, skype_exec_t)
1798 -
1799 -type skype_home_t;
1800 -userdom_user_home_content(skype_home_t)
1801 -
1802 -# Allow skype_t to put files in the skype_home_t location(s)
1803 -manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
1804 -manage_files_pattern(skype_t, skype_home_t, skype_home_t)
1805 -userdom_user_home_dir_filetrans(skype_t, skype_home_t, { dir file })
1806 -userdom_search_user_home_dirs(skype_t)
1807 -</pre></td></tr>
1808 -</table>
1809 -<p>
1810 -Again, we're not going to cover the various interfaces and explain them. They
1811 -are documented and available on the system, and there are plenty of examples to
1812 -use.
1813 -</p>
1814 -<p>
1815 -Finally, we are going to create an interface to allow users to transition to the
1816 -skype_t domain. The idea here is that you add <span class="code" dir="ltr">skype_role(role, domain)</span> in
1817 -the <span class="path" dir="ltr">.te</span> definition of the users' domain or within your own policy.
1818 -</p>
1819 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1820 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Defining the skype_role interface</p></td></tr>
1821 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1822 -interface(`skype_role',`
1823 - gen_require(`
1824 - type skype_t, skype_exec_t;
1825 - ')
1826 -
1827 - role $1 types skype_t;
1828 -
1829 - domain_auto_trans($2, skype_exec_t, skype_t)
1830 -')
1831 -</pre></td></tr>
1832 -</table>
1833 -<p>
1834 -Build the module and load it in the SELinux module store. Next, create a small
1835 -policy to allow users (user_r, user_t) to access skype:
1836 -</p>
1837 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1838 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Adding access to skype for users</p></td></tr>
1839 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1840 -~$ <span class="code-input">cat skypeusers.te</span>
1841 -policy_module(skypeusers, 1.0.0)
1842 -
1843 -gen_require(`
1844 - type user_t;
1845 - role user_r;
1846 - type staff_t;
1847 - role staff_r;
1848 -')
1849 -
1850 -optional_policy(`
1851 - skype_role(user_r, user_t)
1852 - skype_role(staff_r, staff_t)
1853 -')
1854 -</pre></td></tr>
1855 -</table>
1856 -<p>
1857 -Build that module as well and load it. A regular SELinux user should now have
1858 -the ability to execute skype_exec_t and transition to the skype_t domain.
1859 -</p>
1860 -<p class="secthead"><a name="doc_chap1_sect1">Dry Run</a></p>
1861 -<p>
1862 -With the policy loaded, do a dry run. Relabel the files of the
1863 -<span class="path" dir="ltr">net-im/skype</span> package (and if you have previously ran skype yourself,
1864 -relabel the <span class="path" dir="ltr">~/.Skype</span> folder as well), then start <span class="code" dir="ltr">skype</span> and both
1865 -watch skype's output as well as the AVC denials.
1866 -</p>
1867 -<p>
1868 -We notice that the binary (skype) hangs and cannot be killed. In the AVC denial
1869 -logs, we notice the following denials:
1870 -</p>
1871 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1872 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Shown denials while running skype</p></td></tr>
1873 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1874 -Jan 6 22:01:56 hpl kernel: [18418.420427] type=1400 audit(1294347716.358:2221):
1875 -avc: denied { read write } for pid=25540 comm="skype" name="1" dev=devpts
1876 -ino=4 scontext=staff_u:staff_r:skype_t tcontext=staff_u:object_r:user_devpts_t
1877 -tclass=chr_file
1878 -Jan 6 22:01:56 hpl kernel: [18418.420455] type=1400 audit(1294347716.358:2222):
1879 -avc: denied { use } for pid=25540 comm="skype" path="http://www.gentoo.org/dev/pts/1" dev=devpts
1880 -ino=4 scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:staff_t
1881 -tclass=fd
1882 -Jan 6 22:01:56 hpl kernel: [18418.420563] type=1400 audit(1294347716.358:2225):
1883 -avc: denied { sigchld } for pid=6532 comm="bash"
1884 -scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:staff_t tclass=process
1885 -</pre></td></tr>
1886 -</table>
1887 -<p>
1888 -Note that the attempt is done in enforcing mode - running in permissive mode
1889 -will yield more AVC denials and is also a plausible way to create the necessary
1890 -rules.
1891 -</p>
1892 -<p>
1893 -From the denials, we see that skype attempts to use the pts in which the command
1894 -is ran (notice that this fails because we didn't explicitly allow it) and also
1895 -fails to exit properly (a sigchld signal isn't allowed to be submitted).
1896 -</p>
1897 -<p>
1898 -By looking into the example policies already around, we notice that they have
1899 -interfaces in use such as <span class="code" dir="ltr">userdom_use_user_terminals</span> as well as generic
1900 -allowances such as <span class="code" dir="ltr">ps_process_pattern</span> (to allow users to view a process
1901 -and kill it). This is a nice example of how a type enforcement MAC system works:
1902 -nothing is assumed by default.
1903 -</p>
1904 -<p class="secthead"><a name="doc_chap1_sect1">Next Dry Run</a></p>
1905 -<p>
1906 -So after adding some interfaces to allow the use of the user terminals, file
1907 -descriptors and also allow process signals to be sent, we try to run the
1908 -application again. Now, we get:
1909 -</p>
1910 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1911 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Output of running the skype command</p></td></tr>
1912 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1913 -~$ <span class="code-input">skype</span>
1914 -Killed
1915 -
1916 -~$ <span class="code-input">cat /var/log/avc.log</span>
1917 -Jan 6 22:27:41 hpl kernel: [19961.313321] type=1400
1918 -audit(1294349261.991:9089017): avc: denied { execmem } for pid=27256
1919 -comm="skype" scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:skype_t
1920 -tclass=process
1921 -</pre></td></tr>
1922 -</table>
1923 -<p>
1924 -At least <span class="code" dir="ltr">skype</span> now exits. From the AVC log, we see that it wants to call
1925 -execmem (which isn't something we like, but have seen in the past for mozilla as
1926 -well). Okay, let's allow this, rebuild the modules and retry.
1927 -</p>
1928 -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
1929 -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Output of running the skype command again</p></td></tr>
1930 -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
1931 -~$ <span class="code-input">skype</span>
1932 -./skype: error while loading shared libraries: libasound.so.2: cannot open
1933 -shared object file: Permission denied
1934 -
1935 -~$ <span class="code-input">cat /var/log/avc.log</span>
1936 -Jan 6 22:33:41 hpl kernel: [20319.960127] type=1400
1937 -audit(1294349621.275:9089042): avc: denied { read } for pid=27536
1938 -comm="skype" name="libasound.so.2" dev=dm-1 ino=525098
1939 -scontext=staff_u:staff_r:skype_t tcontext=system_u:object_r:usr_t
1940 -tclass=lnk_file
1941 -</pre></td></tr>
1942 -</table>
1943 -<p>
1944 -Okay, we need to grant it read rights to links within the usr_t domain (and most
1945 -likely then load libraries from the lib_t domain, so we need to add
1946 -<span class="code" dir="ltr">files_read_usr_symlinks</span> and <span class="code" dir="ltr">libs_use_ld_so</span>, etc.
1947 -</p>
1948 -<p class="secthead"><a name="doc_chap1_sect1">Finishing Up</a></p>
1949 -<p>
1950 -After running into the standard "can't start" issues, you'll notice that the
1951 -application then wants to bind and connect to ports - which are also protected
1952 -by SELinux and can be manipulated by various interfaces. It wants to access your
1953 -soundcard and webcam, etc.
1954 -</p>
1955 -<p>
1956 -As you can see from the above information, writing policies correctly isn't
1957 -easy. You need to constantly keep in mind what you are allowing - aren't you
1958 -granting too much? Are you forgetting something? Also, the first time(s) you
1959 -create policies it will take lots of time, but over time you will grow better in
1960 -it. You'll start realizing what all those standard things are that you need to
1961 -allow and what not.
1962 -</p>
1963 -<p>
1964 -Writing SELinux policies isn't hard, but it's far more difficult than setting
1965 -the standard Linux permissions on files and directories. It requires a decent
1966 -knowledge of how the application behaves and what the SELinux reference policy
1967 -interfaces grant when you select them.
1968 -</p>
1969 -<p>
1970 -If you ever feel like writing these policies, don't hesitate to read up on the
1971 -various resources at the end of this book.
1972 -</p>
1973 -</td>
1974 -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
1975 -<tr><td class="topsep" align="center"><p class="alttext">Updated March 2, 2011</p></td></tr>
1976 -<tr lang="en"><td align="center" class="topsep">
1977 -<p class="alttext"><b>Donate</b> to support our development efforts.
1978 - </p>
1979 -<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
1980 -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@g.o"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
1981 -</form>
1982 -</td></tr>
1983 -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
1984 -</table></td>
1985 -</tr></table></td></tr>
1986 -<tr><td colspan="2" align="right" class="infohead">
1987 -Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
1988 -</td></tr>
1989 -</table></body>
1990 -</html>
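Review bot: the tail of this hunk deletes the entire policy-module walk-through (reference policy interfaces, optional_policy, the skype labelling example and its AVC denial analysis) from the preview, but the commit message "Update previews" does not say where that chapter went; if it has been merged into another page, name it in the message, and if it is gone for good any page still linking to hb-using-policymodules.html will 404. Two rendering defects are visible in the removed markup and will reappear wherever this text is regenerated: every listing carries the same anchor and caption (`<a name="doc_chap1_pre1">` with "Code Listing1.1") and every section heading uses `doc_chap1_sect1`, so in-page links cannot target a specific listing; and the second AVC line has the terminal path rewritten into a URL, `path="http://www.gentoo.org/dev/pts/1"` where the kernel logged /dev/pts/1, which means the autolinker is mangling absolute paths inside `<pre>` blocks and should be kept away from quoted log output.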
1991
1992 diff --git a/html/selinux/hb-using-states.html b/html/selinux/hb-using-states.html
1993 index 41e19bd..98817d2 100644
1994 --- a/html/selinux/hb-using-states.html
1995 +++ b/html/selinux/hb-using-states.html
1996 @@ -253,7 +253,7 @@ level can access it.
1997 <p class="secthead"><a name="doc_chap1_sect1">Switching Types</a></p>
1998 <p>
1999 It is not recommended to switch between types often. At best, you choose your
2000 -policy type at install type and stick with it. But it is not impossible (nor
2001 +policy type at install time and stick with it. But it is not impossible (nor
2002 that hard) to switch between types.
2003 </p>
2004 <p>
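Review bot: the change from "install type" to "install time" is correct. Since this sentence is being touched anyway, "At best, you choose your policy type at install time and stick with it" reads as a best case rather than the recommendation; "Ideally, you choose your policy type at install time and stick with it" says what is meant.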
2005
2006 diff --git a/html/selinux/index.html b/html/selinux/index.html
2007 index c9ffd77..b61b1b8 100644
2008 --- a/html/selinux/index.html
2009 +++ b/html/selinux/index.html
2010 @@ -84,20 +84,25 @@ As a result, we
2011 <td class="infohead"><b>Role</b></td>
2012 </tr>
2013 <tr>
2014 - <td class="tableinfo">Chris PeBenito</td>
2015 - <td class="tableinfo">pebenito</td>
2016 - <td class="tableinfo">Lead ( Policy, x86, AMD64 )</td>
2017 - </tr>
2018 - <tr>
2019 <td class="tableinfo">Sven Vermeulen</td>
2020 <td class="tableinfo">swift</td>
2021 - <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td>
2022 + <td class="tableinfo">Lead ( Documentation, Userspace tools, Policy development )</td>
2023 </tr>
2024 <tr>
2025 <td class="tableinfo">Anthony G. Basile</td>
2026 <td class="tableinfo">blueness</td>
2027 <td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td>
2028 </tr>
2029 + <tr>
2030 + <td class="tableinfo">Chris PeBenito</td>
2031 + <td class="tableinfo">pebenito</td>
2032 + <td class="tableinfo">Developer ( Policy development, Userspace tools )</td>
2033 + </tr>
2034 + <tr>
2035 + <td class="tableinfo">Matt Thode</td>
2036 + <td class="tableinfo">prometheanfire</td>
2037 + <td class="tableinfo">Developer ( Policy development, Support )</td>
2038 + </tr>
2039 </table>
2040 <p>
2041 All developers can be reached by e-mail using <span class="code" dir="ltr">nickname@g.o</span>.
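Review bot: Chris PeBenito's role text loses the architecture responsibilities in this hand-over ("Lead ( Policy, x86, AMD64 )" becomes "Developer ( Policy development, Userspace tools )"), and after the change no row in the table lists x86 or amd64 at all; confirm that is intended and, if someone now holds those architectures, add it to their row so the table still tells a reporter whom to contact for arch-specific policy issues.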
2042 @@ -135,6 +140,9 @@ The following people, although non-developer, are actively contributing to the p
2043 <a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
2044 </li>
2045 <li>
2046 + <a href="selinux-bugreporting.html">Reporting SELinux (policy) bugs</a>
2047 + </li>
2048 + <li>
2049 <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
2050 </li>
2051 <li>
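Review bot: the new href is relative, so from html/selinux/index.html it resolves to html/selinux/selinux-bugreporting.html; make sure the bug-reporting page is generated at that path alongside selinux-development.html and selinux-policy.html, which the neighbouring entries link to the same way, otherwise the new entry 404s.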
2052
2053 diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html
2054 index bd04178..a903353 100644
2055 --- a/html/selinux/selinux-handbook.html
2056 +++ b/html/selinux/selinux-handbook.html
2057 @@ -23,11 +23,11 @@
2058
2059 [ &lt; ]
2060
2061 - [ <a href="selinux-handbook.xml">Home</a> ]
2062 + [ <a href="pebenito@g.o">Home</a> ]
2063
2064 - [ <a href="selinux-handbook.xml?part=1">&gt;</a> ]
2065 + [ <a href="pebenito@g.o?part=1">&gt;</a> ]
2066
2067 - [ <a href="selinux-handbook.xml?part=1">&gt;&gt;</a> ]
2068 + [ <a href="pebenito@g.o?part=1">&gt;&gt;</a> ]
2069 </p>
2070 <hr>
2071 <h1>Gentoo SELinux Handbook</h1>
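Review bot: this hunk breaks the top navigation: the Home, next and last links now point at "pebenito@g.o" and "pebenito@g.o?part=1", which is a developer nickname, not a page, whereas the replaced "selinux-handbook.xml" and "selinux-handbook.xml?part=1" were correct. It looks like a search-and-replace of the former lead's name that also hit the href attributes; restore the selinux-handbook.xml targets in the source before this preview is published.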
2072 @@ -111,11 +111,11 @@ them.
2073
2074 [ &lt; ]
2075
2076 - [ <a href="selinux-handbook.xml">Home</a> ]
2077 + [ <a href="pebenito@g.o">Home</a> ]
2078
2079 - [ <a href="selinux-handbook.xml?part=1">&gt;</a> ]
2080 + [ <a href="pebenito@g.o?part=1">&gt;</a> ]
2081
2082 - [ <a href="selinux-handbook.xml?part=1">&gt;&gt;</a> ]
2083 + [ <a href="pebenito@g.o?part=1">&gt;&gt;</a> ]
2084 </p>
2085 <hr>
2086 <p class="copyright">
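Review bot: same problem in the bottom navigation block: the three hrefs are rewritten from "selinux-handbook.xml" to "pebenito@g.o", so every navigation link on the page is now dead; revert these to selinux-handbook.xml and selinux-handbook.xml?part=1.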
2087 @@ -136,8 +136,8 @@ them.
2088 -->
2089 </td>
2090 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
2091 -<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-handbook.xml?style=printable">Print</a></p></td></tr>
2092 -<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="selinux-handbook.xml?full=1">View all</a></p></td></tr>
2093 +<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@g.o?style=printable">Print</a></p></td></tr>
2094 +<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="pebenito@g.o?full=1">View all</a></p></td></tr>
2095 <tr><td class="topsep" align="center"><p class="alttext">Updated September 18, 2011</p></td></tr>
2096 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
2097 This is the Gentoo SELinux Handbook.
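Review bot: the Print and View all links are affected as well, now targeting "pebenito@g.o?style=printable" and "pebenito@g.o?full=1"; these should stay "selinux-handbook.xml?style=printable" and "selinux-handbook.xml?full=1". Since the "Updated September 18, 2011" line in this hunk is unchanged, the content was not actually revised, which supports reverting the whole file rather than patching the three hunks individually.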
2098
2099 diff --git a/html/support-state.html b/html/support-state.html
2100 index 94aad74..a42568c 100644
2101 --- a/html/support-state.html
2102 +++ b/html/support-state.html
2103 @@ -178,12 +178,12 @@ reports and feedback).
2104 <tr>
2105 <td class="tableinfo">x86</td>
2106 <td class="tableinfo">In place</td>
2107 - <td class="tableinfo">Still ~arch for the time being</td>
2108 + <td class="tableinfo"></td>
2109 </tr>
2110 <tr>
2111 <td class="tableinfo">amd64 / x86_64</td>
2112 <td class="tableinfo">In place</td>
2113 - <td class="tableinfo">Still ~arch for the time being</td>
2114 + <td class="tableinfo"></td>
2115 </tr>
2116 <tr>
2117 <td class="tableinfo">ppc</td>
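Review bot: dropping "Still ~arch for the time being" leaves an empty remark cell for both x86 and amd64, so a reader cannot tell whether the keyword caveat has been lifted (the packages stabilised) or the note was simply removed; if the setup is now stable, say so in the cell, and otherwise keep a short remark, since an empty `<td>` also renders without a visible cell in the table.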
2118 @@ -235,7 +235,7 @@ reports and feedback).
2119 </td>
2120 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
2121 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
2122 -<tr><td class="topsep" align="center"><p class="alttext">Updated May 25, 2011</p></td></tr>
2123 +<tr><td class="topsep" align="center"><p class="alttext">Updated November 17, 2011</p></td></tr>
2124 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
2125 The support state of the Gentoo Hardened project describes the supported
2126 platforms, setups and additional requirements for each of the subprojects