commit: 2b94f230c619d53a48074f051b711e76485cd74f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 22 20:08:28 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 22 20:08:28 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2b94f230

Update previews

---
 html/docs/index.html                     |   4 +-
 html/index.html                          |  33 +-
 html/index2.html                         |  21 +-
 html/roadmap.html                        |  39 +--
 html/selinux-bugreporting.html           | 167 ++++++++
 html/selinux-development.html            |  14 +-
 html/selinux-faq.html                    |  44 +--
 html/selinux/hb-using-enforcing.html     | 205 ----------
 html/selinux/hb-using-install.html       |  15 +-
 html/selinux/hb-using-permissive.html    | 609 ------------------------------
 html/selinux/hb-using-policymodules.html | 541 --------------------------
 html/selinux/hb-using-states.html        |   2 +-
 html/selinux/index.html                  |  20 +-
 html/selinux/selinux-handbook.html       |  16 +-
 html/support-state.html                  |   6 +-
 15 files changed, 257 insertions(+), 1479 deletions(-)

diff --git a/html/docs/index.html b/html/docs/index.html |
29 |
index 06df3e1..81ff591 100644 |
30 |
--- a/html/docs/index.html |
31 |
+++ b/html/docs/index.html |
32 |
@@ -24,7 +24,8 @@ |
33 |
<a class="menulink" href="http://bugs.gentoo.org/">Bugs</a> | |
34 |
<a class="menulink" href="http://www.gentoo.org/main/en/where.xml">Get Gentoo!</a> | |
35 |
<a class="menulink" href="http://www.gentoo.org/main/en/support.xml">Support</a> | |
36 |
-<a class="menulink" href="http://planet.gentoo.org/">Planet</a> |
37 |
+<a class="menulink" href="http://planet.gentoo.org/">Planet</a> | |
38 |
+<a class="menulink" href="http://wiki.gentoo.org/">Wiki</a> |
39 |
</p></td> |
40 |
</tr> |
41 |
<tr> |
42 |
@@ -53,6 +54,7 @@ Community<br> |
43 |
<a class="altlink" href="http://bugs.gentoo.org">Report Issues</a><br> |
44 |
<a class="altlink" href="http://planet.gentoo.org">Planet (Blogs)</a><br> |
45 |
<a class="altlink" href="http://packages.gentoo.org/">Online Package Database</a><br> |
46 |
+<a class="altlink" href="http://wiki.gentoo.org/">Wiki</a><br> |
47 |
<a class="altlink" href="http://www.gentoo.org/main/en/contact.xml">Contact Us</a><br> |
48 |
<a class="altlink" href="http://www.gentoo.org/main/en/sponsors.xml">Sponsors</a><br><br> |
49 |
Get Involved<br> |
50 |
|
51 |
diff --git a/html/index.html b/html/index.html |
52 |
index f85729e..584d5db 100644 |
53 |
--- a/html/index.html |
54 |
+++ b/html/index.html |
55 |
@@ -66,11 +66,6 @@ Gentoo once they've been tested for security and stability by the Hardened team. |
56 |
<td class="tableinfo">Member ( SELinux )</td> |
57 |
</tr> |
58 |
<tr> |
59 |
- <td class="tableinfo">Bryan Stine</td> |
60 |
- <td class="tableinfo">battousai</td> |
61 |
- <td class="tableinfo">Member ( Bastille Lead )</td> |
62 |
- </tr> |
63 |
- <tr> |
64 |
<td class="tableinfo">Anthony G. Basile</td> |
65 |
<td class="tableinfo">blueness</td> |
66 |
<td class="tableinfo">Member ( PaX/Grsecurity, Hardened sources )</td> |
67 |
@@ -81,6 +76,11 @@ Gentoo once they've been tested for security and stability by the Hardened team. |
68 |
<td class="tableinfo">Member ( PaX/Grsecurity, Hardened sources )</td> |
69 |
</tr> |
70 |
<tr> |
71 |
+ <td class="tableinfo">Francisco Blas Izquierdo Riera</td> |
72 |
+ <td class="tableinfo">klondike</td> |
73 |
+ <td class="tableinfo">Member ( Doc, PR )</td> |
74 |
+ </tr> |
75 |
+ <tr> |
76 |
<td class="tableinfo">Gysbert Wassenaar</td> |
77 |
<td class="tableinfo">nixnut</td> |
78 |
<td class="tableinfo">Member ( PPC arch team liaison )</td> |
79 |
@@ -91,6 +91,11 @@ Gentoo once they've been tested for security and stability by the Hardened team. |
80 |
<td class="tableinfo">Member ( SELinux )</td> |
81 |
</tr> |
82 |
<tr> |
83 |
+ <td class="tableinfo">Matt Thode</td> |
84 |
+ <td class="tableinfo">prometheanfire</td> |
85 |
+ <td class="tableinfo">Member ( SELinux )</td> |
86 |
+ </tr> |
87 |
+ <tr> |
88 |
<td class="tableinfo">Matthew Summers</td> |
89 |
<td class="tableinfo">quantumsummers</td> |
90 |
<td class="tableinfo">Member ( Hardened sources, Doc )</td> |
91 |
@@ -117,11 +122,6 @@ project: |
92 |
<td class="infohead"><b>Role</b></td> |
93 |
</tr> |
94 |
<tr> |
95 |
-<td class="tableinfo">Francisco Blas Izquierdo Riera</td> |
96 |
-<td class="tableinfo">klondike</td> |
97 |
-<td class="tableinfo">Documentation writing, support</td> |
98 |
-</tr> |
99 |
-<tr> |
100 |
<td class="tableinfo">Chris Richards</td> |
101 |
<td class="tableinfo">gizmo</td> |
102 |
<td class="tableinfo">Policy development, support (SELinux)</td> |
103 |
@@ -142,7 +142,7 @@ project: |
104 |
<td class="tableinfo"> |
105 |
<a href="selinux/index.html">SELinux</a> |
106 |
</td> |
107 |
- <td class="tableinfo">Chris PeBenito</td> |
108 |
+ <td class="tableinfo">Sven Vermeulen</td> |
109 |
<td class="tableinfo">SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</td> |
110 |
</tr> |
111 |
<tr> |
112 |
@@ -173,15 +173,6 @@ A kernel which provides patches for hardened subprojects, and stability/security |
113 |
oriented patches. Includes Grsecurity and SELinux. |
114 |
</td> |
115 |
</tr> |
116 |
- <tr> |
117 |
- <td class="tableinfo">Bastille</td> |
118 |
- <td class="tableinfo">Bryan Stine</td> |
119 |
- <td class="tableinfo"> |
120 |
-Bastille is an interactive application which gives the user suggestions on |
121 |
-securing their machine. It will be customized to make suggestions about other |
122 |
-Hardened Gentoo subprojects. |
123 |
-</td> |
124 |
- </tr> |
125 |
</table> |
126 |
<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6. |
127 |
</span>Resources</p> |
128 |
@@ -307,7 +298,7 @@ GNU Stack Quickstart |
129 |
</tr> |
130 |
<tr> |
131 |
<td class="tableinfo">selinux</td> |
132 |
- <td class="tableinfo">blueness, pebenito, swift</td> |
133 |
+ <td class="tableinfo">blueness, pebenito, prometheanfire, swift</td> |
134 |
<td class="tableinfo">Gentoo's Security-Enhanced Linux (SELinux) packages</td> |
135 |
</tr> |
136 |
</table> |
137 |
|
138 |
diff --git a/html/index2.html b/html/index2.html |
139 |
index 6ed1a19..61f6f0b 100644 |
140 |
--- a/html/index2.html |
141 |
+++ b/html/index2.html |
142 |
@@ -96,11 +96,6 @@ Gentoo once they've been tested for security and stability by the Hardened team. |
143 |
<td class="infohead"><b></b></td> |
144 |
</tr> |
145 |
<tr> |
146 |
- <td class="tableinfo">Sven Vermeulen</td> |
147 |
- <td class="tableinfo">swift</td> |
148 |
- <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td> |
149 |
- </tr> |
150 |
- <tr> |
151 |
<td class="tableinfo">Anthony G. Basile</td> |
152 |
<td class="tableinfo">blueness</td> |
153 |
<td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td> |
154 |
@@ -108,7 +103,17 @@ Gentoo once they've been tested for security and stability by the Hardened team. |
155 |
<tr> |
156 |
<td class="tableinfo">Chris PeBenito</td> |
157 |
<td class="tableinfo">pebenito</td> |
158 |
- <td class="tableinfo">Lead ( Policy, x86, AMD64 )</td> |
159 |
+ <td class="tableinfo">Developer ( Policy development, Userspace tools )</td> |
160 |
+ </tr> |
161 |
+ <tr> |
162 |
+ <td class="tableinfo">Matt Thode</td> |
163 |
+ <td class="tableinfo">prometheanfire</td> |
164 |
+ <td class="tableinfo">Developer ( Policy development, Support )</td> |
165 |
+ </tr> |
166 |
+ <tr> |
167 |
+ <td class="tableinfo">Sven Vermeulen</td> |
168 |
+ <td class="tableinfo">swift</td> |
169 |
+ <td class="tableinfo">Lead ( Documentation, Userspace tools, Policy development )</td> |
170 |
</tr> |
171 |
</table> |
172 |
<p> |
173 |
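Review bot: The replaced role line drops Chris PeBenito's architecture responsibilities without reassigning them: `Lead ( Policy, x86, AMD64 )` becomes `Developer ( Policy development, Userspace tools )`, and neither of the other rows touched in this hunk (Matt Thode, Sven Vermeulen) picks up x86 or AMD64. If the arch duties moved to someone else, record them on that row so the table keeps stating who handles the x86 and AMD64 SELinux work; if they were intentionally dropped, say so in the commit message.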
@@ -129,7 +134,7 @@ Gentoo once they've been tested for security and stability by the Hardened team. |
174 |
<td class="tableinfo"> |
175 |
<a href="selinux/index.html">SELinux</a> |
176 |
</td> |
177 |
- <td class="tableinfo">Chris PeBenito</td> |
178 |
+ <td class="tableinfo">Sven Vermeulen</td> |
179 |
<td class="tableinfo">SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</td> |
180 |
</tr> |
181 |
<tr> |
182 |
@@ -280,7 +285,7 @@ GNU Stack Quickstart</a> |
183 |
</tr> |
184 |
<tr> |
185 |
<td class="tableinfo">selinux</td> |
186 |
- <td class="tableinfo">blueness, pebenito, swift</td> |
187 |
+ <td class="tableinfo">blueness, pebenito, prometheanfire, swift</td> |
188 |
<td class="tableinfo">Gentoo's Security-Enhanced Linux (SELinux) packages</td> |
189 |
</tr> |
190 |
</table> |
191 |
|
192 |
diff --git a/html/roadmap.html b/html/roadmap.html |
193 |
index c623185..f645ca8 100644 |
194 |
--- a/html/roadmap.html |
195 |
+++ b/html/roadmap.html |
196 |
@@ -258,7 +258,7 @@ is in need for attention. |
197 |
The Gentoo Hardened SELinux state is up to date and fully supported (except |
198 |
MLS which is considered experimental). The documentation is being updated as |
199 |
the state evolves, but can still improve. Primary focus now is on the quality |
200 |
-of the packages and improved support for MCS. |
201 |
+of the packages and standard policies. |
202 |
</p> |
203 |
<p class="secthead"><a name="doc_chap6_sect2">Goals and Milestones</a></p> |
204 |
<table class="ntable"> |
205 |
@@ -270,47 +270,26 @@ of the packages and improved support for MCS. |
206 |
<td class="infohead"><b>Related Bugs</b></td> |
207 |
</tr> |
208 |
<tr> |
209 |
- <td class="tableinfo">Add support for MCS (driver is virtualization)</td> |
210 |
- <td class="tableinfo">2011-08-15</td> |
211 |
- <td class="tableinfo">Done</td> |
212 |
- <td class="tableinfo">SwifT</td> |
213 |
- <td class="tableinfo"></td> |
214 |
-</tr> |
215 |
-<tr> |
216 |
- <td class="tableinfo">Stabilize the new SELinux profile structure</td> |
217 |
- <td class="tableinfo">2011-08-20</td> |
218 |
- <td class="tableinfo">Done</td> |
219 |
- <td class="tableinfo">blueness, SwifT</td> |
220 |
- <td class="tableinfo"><a href="https://bugs.gentoo.org/365483">#365483</a></td> |
221 |
-</tr> |
222 |
-<tr> |
223 |
- <td class="tableinfo">Merge 20110726 policies in ~arch</td> |
224 |
- <td class="tableinfo">2011-08-28</td> |
225 |
- <td class="tableinfo">Busy</td> |
226 |
+ <td class="tableinfo">Deprecate old policies</td> |
227 |
+ <td class="tableinfo">2011-11-10</td> |
228 |
+ <td class="tableinfo">done</td> |
229 |
<td class="tableinfo">SwifT</td> |
230 |
<td class="tableinfo"></td> |
231 |
</tr> |
232 |
<tr> |
233 |
- <td class="tableinfo">Stabilize the 20110727 userland tools and libraries</td> |
234 |
- <td class="tableinfo">2011-09-30</td> |
235 |
+ <td class="tableinfo">Deprecate old profiles</td> |
236 |
+ <td class="tableinfo">2011-12-01</td> |
237 |
<td class="tableinfo"></td> |
238 |
- <td class="tableinfo">SwifT</td> |
239 |
+ <td class="tableinfo">blueness</td> |
240 |
<td class="tableinfo"></td> |
241 |
</tr> |
242 |
<tr> |
243 |
- <td class="tableinfo">Stabilize the 20110726 policies</td> |
244 |
- <td class="tableinfo">2011-09-30</td> |
245 |
+ <td class="tableinfo">Get mainstream packages the proper dependencies on the SELinux policies</td> |
246 |
+ <td class="tableinfo">2011-12-31</td> |
247 |
<td class="tableinfo"></td> |
248 |
<td class="tableinfo">SwifT</td> |
249 |
<td class="tableinfo"></td> |
250 |
</tr> |
251 |
-<tr> |
252 |
- <td class="tableinfo">Deprecate old profiles</td> |
253 |
- <td class="tableinfo">2011-12-01</td> |
254 |
- <td class="tableinfo"></td> |
255 |
- <td class="tableinfo">blueness</td> |
256 |
- <td class="tableinfo"></td> |
257 |
-</tr> |
258 |
</table> |
259 |
<br><br> |
260 |
</td> |
261 |
|
262 |
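Review bot: The new `Deprecate old policies` row uses lowercase `done` in the status column while the rows it replaces use `Done`; capitalize it so the table stays consistent. Separately, the removed milestones `Merge 20110726 policies in ~arch` (last status `Busy`), `Stabilize the 20110727 userland tools and libraries` and `Stabilize the 20110726 policies` leave the table with no record of whether they were completed or abandoned; either keep them with a final status or mention their outcome in the paragraph preceding the Goals and Milestones heading, which this commit already rewrites.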
diff --git a/html/selinux-bugreporting.html b/html/selinux-bugreporting.html |
263 |
new file mode 100644 |
264 |
index 0000000..872a5e6 |
265 |
--- /dev/null |
266 |
+++ b/html/selinux-bugreporting.html |
267 |
@@ -0,0 +1,167 @@ |
268 |
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
269 |
+<html lang="en"> |
270 |
+<head> |
271 |
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> |
272 |
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> |
273 |
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> |
274 |
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> |
275 |
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> |
276 |
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> |
277 |
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> |
278 |
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> |
279 |
+<title>Gentoo Linux Documentation |
280 |
+-- |
281 |
+ Reporting SELinux (policy) bugs</title> |
282 |
+</head> |
283 |
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> |
284 |
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> |
285 |
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> |
286 |
+<td width="99%" class="content" valign="top" align="left"> |
287 |
+<br><h1>Reporting SELinux (policy) bugs</h1> |
288 |
+<form name="contents" action="http://www.gentoo.org"> |
289 |
+<b>Content</b>: |
290 |
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. So you got a bug?</option> |
291 |
+<option value="#doc_chap2">2. Bugs related to AVC denials (and non-functional applications)</option></select> |
292 |
+</form> |
293 |
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
294 |
+ </span>So you got a bug?</p> |
295 |
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> |
296 |
+<p> |
297 |
+When working with a SELinux-enabled system, you will notice that some policies |
298 |
+are far from perfect. That is to be expected, since there are a lot more |
299 |
+policies and SELinux policy modules than we can thoroughly test. That is why bug |
300 |
+reports are very important for us as they give us much-needed feedback on the |
301 |
+state of the policies. Also, since we follow the reference policy closely, |
302 |
+patches are also sent upstream so that other distributions can benefit from the |
303 |
+updates. |
304 |
+</p> |
305 |
+<p> |
306 |
+However, debugging and fixing SELinux policies also means that we need to |
307 |
+identify a proper policy failure, find the root cause of this failure and have |
308 |
+an optimal solution. Since we are talking about <span class="emphasis">security</span> policies, much |
309 |
+attention goes into details, but also in the <span class="emphasis">many eyes</span> paradigm to |
310 |
+validate if a policy fix is correct or not. |
311 |
+</p> |
312 |
+<p> |
313 |
+That is one of the reasons why we created this bugreport as it helps you, as the |
314 |
+feedback-providing user, to both properly figure out why a failure occurs and |
315 |
+how to fix it, but also why we are quite strict in the acceptance of patches. |
316 |
+</p> |
317 |
+<p class="secthead"><a name="doc_chap1_sect2">Short version</a></p> |
318 |
+<p> |
319 |
+When reporting SELinux policy fixes based on AVC denials, |
320 |
+</p> |
321 |
+<ul> |
322 |
+ <li> |
323 |
+ structure the denials and try to create one bug report per logically |
324 |
+ coherent set of denials. Don't push all your AVC denials onto us. |
325 |
+ </li> |
326 |
+ <li> |
327 |
+ make sure you can reproduce the issue and that you have the ability to |
328 |
+ reproduce while we work on the fix. We cannot test all policies ourselves. |
329 |
+ </li> |
330 |
+ <li> |
331 |
+ report the application failure output as well, not only the AVC denial. We |
332 |
+ need to know what the application is trying to do (and failing to do) to fix |
333 |
+ the problem. |
334 |
+ </li> |
335 |
+</ul> |
336 |
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. |
337 |
+ </span>Bugs related to AVC denials (and non-functional applications)</p> |
338 |
+<p class="secthead"><a name="doc_chap2_sect1">About</a></p> |
339 |
+<p> |
340 |
+In this section, we'll go into the details of creating a helpful bug report for |
341 |
+SELinux policies in case you have an AVC denial (which means SELinux is |
342 |
+prohibiting a certain privilege request) that results in the failure of the |
343 |
+application. |
344 |
+</p> |
345 |
+<p class="secthead"><a name="doc_chap2_sect2">Structure the denials</a></p> |
346 |
+<p> |
347 |
+When you get one or more AVC denials, try to structure them into logically |
348 |
+coherent sets. We cannot easily deal with several dozen denials. Most of the |
349 |
+time, you either get multiple denials of the same cause, or the denials are not |
350 |
+truely related. |
351 |
+</p> |
352 |
+<p> |
353 |
+When we need to fix the SELinux policy, nine out of ten times we focus on one or |
354 |
+a few related denials and come up with a proper fix. When there is an abundance |
355 |
+of AVC denials, we need to skim through them (which we usually then do one at a |
356 |
+time) which puts a lot of stress on you (the reporter) as we will ask you |
357 |
+hundred-and-one questions and requests for testing. |
358 |
+</p> |
359 |
+<p class="secthead"><a name="doc_chap2_sect3">Prepare for testing</a></p> |
360 |
+<p> |
361 |
+When you report a SELinux policy related bug, make sure you are ready to test |
362 |
+the results that we want to put in. We cannot test out all applications |
363 |
+ourselves. Sometimes, a failure is even only reproducable on a specific setup. |
364 |
+</p> |
365 |
+<p class="secthead"><a name="doc_chap2_sect4">Report the application failure</a></p> |
366 |
+<p> |
367 |
+More than once, we get bug reports on SELinux policy denials where the user is |
368 |
+still running in permissive mode. He is reporting the denials because he is |
369 |
+afraid that he will not be able to run it in enforcing mode without the denials |
370 |
+being fixed. |
371 |
+</p> |
372 |
+<p> |
373 |
+However, denials can be <span class="emphasis">cosmetic</span>, in which case we should actually hide |
374 |
+the denials rather than allow their requests. Also, when you run in permissive |
375 |
+mode, it is very much possible that the denials would never be reached when |
376 |
+running in enforcing mode because of earlier denials (which, coincidentally, |
377 |
+might be wrongly hidden from your logs). |
378 |
+</p> |
379 |
+<p> |
380 |
+For this reason, we urge you to give us not only the AVC denial information, but |
381 |
+also the application failure log output when running in enforcing mode. |
382 |
+</p> |
383 |
+<p> |
384 |
+The <a href="selinux/selinux-handbook.xml">Gentoo Hardened SELinux |
385 |
+Handbook</a> will guide you through the process of migrating from a permissive |
386 |
+system into an enforcing mode. If you believe that booting in enforcing is not |
387 |
+possible yet, just boot in permissive, log on as root, run <span class="code" dir="ltr">setenforce 1</span> |
388 |
+and only then log on as user(s) to reproduce your situation. There is also a |
389 |
+<a href="selinux/selinux-handbook.xml?part=2&chap=2">Troubleshooting |
390 |
+SELinux</a> section that helps you identify common bottlenecks or issues while |
391 |
+trying to get SELinux running on your system. |
392 |
+</p> |
393 |
+<br><p class="copyright"> |
394 |
+ The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply. |
395 |
+ </p> |
396 |
+<!-- |
397 |
+ <rdf:RDF xmlns="http://web.resource.org/cc/" |
398 |
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> |
399 |
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/"> |
400 |
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" /> |
401 |
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" /> |
402 |
+ <requires rdf:resource="http://web.resource.org/cc/Notice" /> |
403 |
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" /> |
404 |
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" /> |
405 |
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" /> |
406 |
+ </License> |
407 |
+ </rdf:RDF> |
408 |
+--><br> |
409 |
+</td> |
410 |
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
411 |
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="swift?style=printable">Print</a></p></td></tr> |
412 |
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 22, 2011</p></td></tr> |
413 |
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> |
414 |
+This guide helps users to create a properly filled out bug report for SELinux |
415 |
+policy updates. |
416 |
+</p></td></tr> |
417 |
+<tr><td align="left" class="topsep"><p class="alttext"> |
418 |
+ <a href="mailto:swift@g.o" class="altlink"><b>Sven Vermeulen</b></a> |
419 |
+<br><i>Author</i><br></p></td></tr> |
420 |
+<tr lang="en"><td align="center" class="topsep"> |
421 |
+<p class="alttext"><b>Donate</b> to support our development efforts. |
422 |
+ </p> |
423 |
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> |
424 |
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@g.o"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> |
425 |
+</form> |
426 |
+</td></tr> |
427 |
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> |
428 |
+</table></td> |
429 |
+</tr></table></td></tr> |
430 |
+<tr><td colspan="2" align="right" class="infohead"> |
431 |
+Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. |
432 |
+</td></tr> |
433 |
+</table></body> |
434 |
+</html> |
435 |
|
436 |
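Review bot: The printer-friendly link in the sidebar points at `href="swift?style=printable"`, which is the author's nickname rather than the document name; the other pages in this diff use the source file name, e.g. `href="selinux-development.xml?style=printable"`, so this should be `selinux-bugreporting.xml?style=printable` (the selinux-faq.html hunk further down shows the same substitution with `pebenito@g.o`, so the generator appears to be picking up an author field). Also in this file: the handbook links use `.xml` targets (`selinux/selinux-handbook.xml` and `selinux/selinux-handbook.xml?part=2&chap=2`) whereas the generated pages otherwise link to `.html` siblings such as `selinux/index.html`, and the bare `&` in that query string should be `&amp;` inside an HTML attribute; the body text has the typos `truely` and `reproducable`; and 'That is one of the reasons why we created this bugreport' presumably means 'this bug reporting guide'. On the substance, the 'Report the application failure' section makes the important point that permissive-mode logs can contain denials that would never be reached in enforcing mode; it would help reporters if the short-version list at the top also said to capture the denials while the system actually runs with `setenforce 1`, since that is what the later section asks for.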
diff --git a/html/selinux-development.html b/html/selinux-development.html |
437 |
index 1249769..c56971c 100644 |
438 |
--- a/html/selinux-development.html |
439 |
+++ b/html/selinux-development.html |
440 |
@@ -174,9 +174,15 @@ Every time a new revision comes out, you'll need to clean the |
441 |
</p></td></tr></table> |
442 |
<p class="secthead"><a name="doc_chap2_sect2">Add specific module files</a></p> |
443 |
<p> |
444 |
-To update your policy workspace, use the same tactic as describes |
445 |
-earlier, but now for the specific SELinux policy module package (like |
446 |
-<span class="path" dir="ltr">selinux-postfix</span>). |
447 |
+If you want to or need to work on the policy of a SELinux module (rather than |
448 |
+the base policy), check its ebuild to see if it holds any additional patches |
449 |
+(mentioned through the <span class="code" dir="ltr">POLICY_PATCH</span> variable). If not, then you can work |
450 |
+off the snapshot taken earlier in this guide. |
451 |
+</p> |
452 |
+<p> |
453 |
+However, if a patch (or set of patches) is applied as well, you either need to |
454 |
+apply those manually on the snapshot, or use the following tactics to create a |
455 |
+snapshot just for this module: |
456 |
</p> |
457 |
<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
458 |
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Updating the dev/hardened workspace</p></td></tr> |
459 |
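Review bot: The new paragraph ends with 'use the following tactics to create a snapshot just for this module:', but the code listing that follows still carries the title `Code Listing2.2: Updating the dev/hardened workspace` (unchanged context at the end of the hunk), which matched the old 'update your policy workspace' wording; rename the listing (for example 'Creating a snapshot for a single module') or adjust the sentence so the two agree. Minor: 'If you want to or need to work on' reads better as 'If you need to work on', and 'tactics' should be singular here.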
@@ -1239,7 +1245,7 @@ it out. |
460 |
</td> |
461 |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
462 |
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-development.xml?style=printable">Print</a></p></td></tr> |
463 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr> |
464 |
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 22, 2011</p></td></tr> |
465 |
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> |
466 |
When planning to help Gentoo Hardened in the development of SELinux policies, |
467 |
or when trying to debug existing policies, this document should help you get |
468 |
|
469 |
diff --git a/html/selinux-faq.html b/html/selinux-faq.html |
470 |
index 252906f..caa4c46 100644 |
471 |
--- a/html/selinux-faq.html |
472 |
+++ b/html/selinux-faq.html |
473 |
@@ -56,9 +56,7 @@ as well. |
474 |
<li><a href="#enable_selinux">How do I enable SELinux?</a></li> |
475 |
<li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li> |
476 |
<li><a href="#disable_selinux">How do I disable SELinux completely?</a></li> |
477 |
-<li><a href="#matchcontext"> |
478 |
- How do I know which file context rule is used for a particular file? |
479 |
-</a></li> |
480 |
+<li><a href="#matchcontext">How do I know which file context rule is used for a particular file?</a></li> |
481 |
<li><a href="#localpolicy">How do I make small changes (additions) to the policy?</a></li> |
482 |
</ul> |
483 |
<p class="secthead">SELinux Kernel Error Messages</p> |
484 |
@@ -71,15 +69,11 @@ as well. |
485 |
<li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li> |
486 |
<li><a href="#loadpolicy">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></li> |
487 |
<li><a href="#conflicting_types">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></li> |
488 |
-<li><a href="#portage_libsandbox"> |
489 |
- During package installation, ld.so complains 'object 'libsandbox.so' from |
490 |
- LD_PRELOAD cannot be preloaded: ignored' |
491 |
-</a></li> |
492 |
+<li><a href="#portage_libsandbox">During package installation, ld.so complains 'object 'libsandbox.so' |
493 |
+from LD_PRELOAD cannot be preloaded: ignored'</a></li> |
494 |
<li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li> |
495 |
-<li><a href="#cronfails"> |
496 |
- Cron fails to load in root's crontab with message '(root) ENTRYPOINT |
497 |
- FAILED (crontabs/root)' |
498 |
-</a></li> |
499 |
+<li><a href="#cronfails">Cron fails to load in root's crontab with message '(root) ENTRYPOINT |
500 |
+FAILED (crontabs/root)'</a></li> |
501 |
<li><a href="#missingdatum">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></li> |
502 |
<li><a href="#recoverportage">Portage fails to label files because "setfiles" does not work anymore</a></li> |
503 |
<li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li> |
504 |
@@ -211,9 +205,7 @@ while SELinux was disabled might have created new files or removed the labels |
505 |
from existing files, causing these files to be available without security |
506 |
context. |
507 |
</p></td></tr></table> |
508 |
-<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4"> |
509 |
- How do I know which file context rule is used for a particular file? |
510 |
-</a></p> |
511 |
+<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">How do I know which file context rule is used for a particular file?</a></p> |
512 |
<p> |
513 |
If you use the <span class="code" dir="ltr">matchpathcon</span> command, it will tell you what the security |
514 |
context for the given path (file or directory) should be, but it doesn't tell |
515 |
@@ -344,8 +336,8 @@ class (<span class="code" dir="ltr">process</span>) and privilege (<span class=" |
516 |
the <span class="code" dir="ltr">require { ... }</span> paragraph. |
517 |
</p> |
518 |
<p> |
519 |
-When using interface names, make sure that the type (<span class="code" dir="ltr">ssh_t</span> and |
520 |
-<span class="code" dir="ltr">user_t</span>) is mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph. |
521 |
+When using interface names, make sure that the types (<span class="code" dir="ltr">ssh_t</span> and |
522 |
+<span class="code" dir="ltr">user_t</span>) are mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph. |
523 |
</p> |
524 |
<p> |
525 |
To find the proper interface name (like <span class="code" dir="ltr">corenet_tcp_connect_all_ports</span> |
526 |
@@ -498,10 +490,8 @@ It is also not a bad idea to report (after verifying if it hasn't been reported |
527 |
first) this on <a href="https://bugs.gentoo.org">Gentoo's bugzilla</a> so |
528 |
that the default policies are updated accordingly. |
529 |
</p> |
530 |
-<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4"> |
531 |
- During package installation, ld.so complains 'object 'libsandbox.so' from |
532 |
- LD_PRELOAD cannot be preloaded: ignored' |
533 |
-</a></p> |
534 |
+<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">During package installation, ld.so complains 'object 'libsandbox.so' |
535 |
+from LD_PRELOAD cannot be preloaded: ignored'</a></p> |
536 |
<p> |
537 |
During installation of a package, you might see the following error message: |
538 |
</p> |
539 |
@@ -559,10 +549,8 @@ This is also necessary if you logged on to your system as root but through SSH. |
540 |
The default behavior is that SSH sets the lowest role for the particular user |
541 |
when logged on. And you shouldn't allow remote root logins anyhow. |
542 |
</p> |
543 |
-<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6"> |
544 |
- Cron fails to load in root's crontab with message '(root) ENTRYPOINT |
545 |
- FAILED (crontabs/root)' |
546 |
-</a></p> |
547 |
+<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">Cron fails to load in root's crontab with message '(root) ENTRYPOINT |
548 |
+FAILED (crontabs/root)'</a></p> |
549 |
<p> |
550 |
When you hit the mentioned error with a root crontab or an administrative |
551 |
users' crontab, but not with a regular users' crontab, then check the context of |
552 |
@@ -670,7 +658,7 @@ rebuild policycoreutils, which will fail to install because Portage cannot set |
553 |
the file labels. |
554 |
</p> |
555 |
<p> |
556 |
-The solution is to rebuild policycoreutils while disabling Portage' selinux |
557 |
+The solution is to rebuild policycoreutils while disabling Portage's selinux |
558 |
support, then label the installed files manually using <span class="code" dir="ltr">chcon</span>, based on |
559 |
the feedback received from <span class="code" dir="ltr">matchpathcon</span>. |
560 |
</p> |
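Review bot: the apostrophe fix ("Portage's") is correct. While this sentence is being touched, "selinux support" is the only lowercase use of the name on the page; if it is meant to refer to the FEATURES="selinux" flag shown in the next listing, say so explicitly (e.g. "Portage's selinux FEATURE"), otherwise capitalise it as SELinux like the rest of the document.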
561 |
@@ -679,7 +667,7 @@ the feedback received from <span class="code" dir="ltr">matchpathcon</span>. |
562 |
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
563 |
# <span class="code-input">FEATURES="-selinux" emerge --oneshot policycoreutils</span> |
564 |
# <span class="code-input">for FILE in $(qlist policycoreutils); do \ |
565 |
-CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done</span> |
566 |
+CONTEXT=$(matchpathcon -n ${FILE}); chcon ${CONTEXT} ${FILE}; done</span> |
567 |
</pre></td></tr> |
568 |
</table> |
569 |
<p> |
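Review bot: the added ';' in the loop body is the right fix and not merely cosmetic: without it, `CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}` makes CONTEXT a per-command environment assignment for chcon only, and `${CONTEXT}` on the same line is expanded before that assignment takes effect, so chcon was being invoked with an empty context and ${FILE} shifted into the context argument position. Two follow-ups for the same line: quote the expansions (`chcon "${CONTEXT}" "${FILE}"`) so that word splitting cannot break a path, and pass `-h` to chcon, because qlist also lists symlinks and chcon without `-h` relabels the symlink target instead of the link itself.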
570 |
@@ -699,8 +687,8 @@ file system mounted with <span class="code" dir="ltr">nosuid</span>. |
571 |
<br><br> |
572 |
</td> |
573 |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
574 |
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr> |
575 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 13, 2011</p></td></tr> |
576 |
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@g.o?style=printable">Print</a></p></td></tr> |
577 |
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 25, 2011</p></td></tr> |
578 |
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> |
579 |
Frequently Asked Questions on SELinux integration with Gentoo Hardened. |
580 |
The FAQ is a collection of solutions found on IRC, mailinglist, forums or |
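Review bot: the Print link regresses in the '+' line: the href changes from selinux-faq.xml?style=printable to pebenito@g.o?style=printable, which is an e-mail address fragment rather than a document path, so the printer-friendly link is now broken. This looks like the generator substituting the author/mail field for the document name; regenerate with the document's own file name (selinux-faq.xml?style=printable). The "Updated October 25, 2011" bump itself is fine.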
581 |
|
582 |
diff --git a/html/selinux/hb-using-enforcing.html b/html/selinux/hb-using-enforcing.html |
583 |
deleted file mode 100644 |
584 |
index eb5d08a..0000000 |
585 |
--- a/html/selinux/hb-using-enforcing.html |
586 |
+++ /dev/null |
587 |
@@ -1,205 +0,0 @@ |
588 |
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
589 |
-<html lang="en"> |
590 |
-<head> |
591 |
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> |
592 |
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> |
593 |
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> |
594 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> |
595 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> |
596 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> |
597 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> |
598 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> |
599 |
-<title>Gentoo Linux Handbook Page |
600 |
--- |
601 |
- </title> |
602 |
-</head> |
603 |
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> |
604 |
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> |
605 |
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> |
606 |
-<td width="99%" class="content" valign="top" align="left"> |
607 |
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
608 |
- </span>Switching to Enforcing Mode</p> |
609 |
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> |
610 |
-<p> |
611 |
-Switching to enforcing mode doesn't require all policies to be fully |
612 |
-operational, nor does it require that the system boots in enforcing mode. You |
613 |
-can first start small by enabling enforcing mode the moment your system is |
614 |
-booted, then enable enforcing during boot (but with the possibility to disable |
615 |
-it again when some things fail) and finally reconfigure your kernel so that |
616 |
-disabling SELinux isn't possible anymore. |
617 |
-</p> |
618 |
-<p class="secthead"><a name="doc_chap1_sect1">Booting, Switch</a></p> |
619 |
-<p> |
620 |
-To boot your system before enabling enforcing mode, just boot as you do |
621 |
-currently. Then, when you believe that you can run your system in enforcing |
622 |
-mode, run <span class="code" dir="ltr">setenforce 1</span>. |
623 |
-</p> |
624 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
625 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling enforcing mode</p></td></tr> |
626 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
627 |
-~# <span class="code-input">setenforce 1</span> |
628 |
-</pre></td></tr> |
629 |
-</table> |
630 |
-<p> |
631 |
-It is wise to ensure that you have booted the system but not logged in anywhere |
632 |
-except as the root user. Also verify that the session you're currently in (as |
633 |
-root) uses the <span class="code" dir="ltr">root:sysadm_r:sysadm_t</span> or |
634 |
-<span class="code" dir="ltr">unconfined_u:unconfined_r:unconfined_t</span> context (otherwise trying to |
635 |
-disable enforcing mode might not work). |
636 |
-</p> |
637 |
-<p> |
638 |
-When you realize that things are going very, very wrong, disable SELinux using |
639 |
-<span class="code" dir="ltr">setenforce 0</span> and try to resolve the failures. |
640 |
-</p> |
641 |
-<p class="secthead"><a name="doc_chap1_sect1">Booting in Enforcing Mode (Once)</a></p> |
642 |
-<p> |
643 |
-When you want to boot in enforcing mode, but you don't want to configure SELinux |
644 |
-(yet) to run always in enforcing mode (say you want to try it once), add |
645 |
-<span class="code" dir="ltr">enforcing=1</span> as a boot option inside the boot loader configuration. |
646 |
-</p> |
647 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
648 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample GRUB configuration to boot in enforcing mode</p></td></tr> |
649 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
650 |
-kernel /vmlinuz root=/dev/md3 rootflags=data=journal <span class="code-input">enforcing=1</span> |
651 |
-</pre></td></tr> |
652 |
-</table> |
653 |
-<p class="secthead"><a name="doc_chap1_sect1">Booting in Enforcing Mode</a></p> |
654 |
-<p> |
655 |
-Once you believe that you can always (re)boot in enforcing mode, edit |
656 |
-<span class="path" dir="ltr">/etc/selinux/config</span> and change <span class="code" dir="ltr">SELINUX=permissive</span> to |
657 |
-<span class="code" dir="ltr">SELINUX=enforcing</span>. |
658 |
-</p> |
659 |
-<p class="secthead"><a name="doc_chap1_sect1">Reconfiguring the Kernel</a></p> |
660 |
-<p> |
661 |
-Once you are fully confident that you can always and ever remain in enforcing |
662 |
-mode, reconfigure your kernel so that SELinux cannot be disabled anymore. |
663 |
-</p> |
664 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
665 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Reconfiguring the Linux kernel</p></td></tr> |
666 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
667 |
-[*] NSA SELinux Support |
668 |
-[ ] NSA SELinux boot parameter |
669 |
-[ ] NSA SELinux runtime disable |
670 |
-<span class="code-comment"># Make sure the following is deselected</span> |
671 |
-<span class="code-input">[ ] NSA SELinux Development Support</span> |
672 |
-[ ] NSA SELinux AVC Statistics |
673 |
-(1) NSA SELinux checkreqprot default value |
674 |
-[ ] NSA SELinux maximum supported policy format version |
675 |
-</pre></td></tr> |
676 |
-</table> |
677 |
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
678 |
- </span>Analyzing AVC</p> |
679 |
-<p class="secthead"><a name="doc_chap1_sect1">Intrusion or Not</a></p> |
680 |
-<p> |
681 |
-Once you are running in enforcing mode, the role of the |
682 |
-<span class="path" dir="ltr">/var/log/avc.log</span> logfile starts changing. Whereas it was previously |
683 |
-used to inform you about denials which might cause functional failures on your |
684 |
-system, it is now more and more becoming a source of information for the |
685 |
-behavior of applications - and sometimes, the unexpected behavior of it. |
686 |
-</p> |
687 |
-<p> |
688 |
-Being able to read the AVC logs is important, because in the (near) future you |
689 |
-should use the AVC logs to identify potential intrusion attempts. Say that you |
690 |
-are running an Internet-facing web server which is contained within its own |
691 |
-SELinux domain. Suddenly you start getting weird AVC denials of that SELinux |
692 |
-domain trying to read files it really shouldn't read, or write stuff in some |
693 |
-temporary location it shouldn't write anything into. This can be a totally |
694 |
-expected behavior, but can also be a malicious user that is attempting to run |
695 |
-some exploit code against your web server. |
696 |
-</p> |
697 |
-<p> |
698 |
-Interpreting the AVC logs can be considered a time-consuming job if you are |
699 |
-still getting lots of cosmetic (and safe) AVC denials. So let's first see if we |
700 |
-can ignore those... |
701 |
-</p> |
702 |
-<p class="secthead"><a name="doc_chap1_sect1">Ignoring Cosmetic AVC Events</a></p> |
703 |
-<p> |
704 |
-When you get AVC denials which you believe are harmless for your system, you can |
705 |
-create a policy module yourself which contains the exact AVC rule, but using the |
706 |
-<span class="emphasis">dontaudit</span> statement rather than <span class="emphasis">allow</span>. |
707 |
-</p> |
708 |
-<p> |
709 |
-Consider the following AVC denial: |
710 |
-</p> |
711 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
712 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample harmless AVC denial</p></td></tr> |
713 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
714 |
-Jan 6 19:49:25 hpl kernel: [10482.016339] type=1400 audit(1294339765.865:1527): |
715 |
-avc: denied { use } for pid=19421 comm="ifconfig" path="http://www.gentoo.org/dev/null" dev=tmpfs |
716 |
-ino=1552 scontext=system_u:system_r:ifconfig_t |
717 |
-tcontext=system_u:system_r:wpa_cli_t tclass=fd |
718 |
-</pre></td></tr> |
719 |
-</table> |
720 |
-<p> |
721 |
-The denial states that the <span class="code" dir="ltr">ifconfig</span> process is trying to use a file |
722 |
-descriptor within the wpa_cli_t domain. The target file descriptor points to |
723 |
-<span class="path" dir="ltr">/dev/null</span>. This usually means that the <span class="code" dir="ltr">ifconfig</span> process is |
724 |
-started from within the wpa_cli_t domain with <span class="code" dir="ltr">> /dev/null</span> to redirect |
725 |
-its output to the <span class="path" dir="ltr">/dev/null</span> device. Although it is denied (so no output |
726 |
-will be redirected to <span class="path" dir="ltr">/dev/null</span>) it has no functional impact on the |
727 |
-system as the intention was to ignore the output anyhow. |
728 |
-</p> |
729 |
-<p> |
730 |
-So how can we ensure that this rule doesn't fill up our AVC logs? Well, we need |
731 |
-to create a module (like we have seen before in <span title="Link to other book part not available"><font color="#404080">(Creating Specific Allow Rules)</font></span>): |
732 |
-</p> |
733 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
734 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating a module to ignore these AVC denials</p></td></tr> |
735 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
736 |
-~$ <span class="code-input">cat ignoreavc.te</span> |
737 |
-module ignoreavc 1.0.0; |
738 |
- |
739 |
-require { |
740 |
- type ifconfig_t; |
741 |
- type wpa_cli_t; |
742 |
- |
743 |
- class fd use; |
744 |
-} |
745 |
- |
746 |
-dontaudit ifconfig_t wpa_cli_t:fd { use }; |
747 |
- |
748 |
-~$ <span class="code-input">checkmodule -m -o ignoreavc.mod ignoreavc.te</span> |
749 |
-~$ <span class="code-input">semodule_package -o ignoreavc.pp -m ignoreavc.mod</span> |
750 |
-~$ <span class="code-input">semodule -i ignoreavc.pp</span> |
751 |
-</pre></td></tr> |
752 |
-</table> |
753 |
-<p> |
754 |
-Once this module is loaded, you should no longer see these denials in your log. |
755 |
-However, if you ever feel that you might have <span class="emphasis">dontaudit</span>'ed too many |
756 |
-things, you can always reload the SELinux policies without the dontaudit |
757 |
-statements: |
758 |
-</p> |
759 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
760 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Reloading the SELinux policies without dontaudit</p></td></tr> |
761 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
762 |
-~# <span class="code-input">semodule -R -D</span> |
763 |
-</pre></td></tr> |
764 |
-</table> |
765 |
-<p> |
766 |
-If you are confident to continue with the dontaudit statements again, run the |
767 |
-same command without the <span class="code" dir="ltr">-D</span>. |
768 |
-</p> |
769 |
-<p> |
770 |
-Gentoo Hardened uses a specific boolean called <span class="code" dir="ltr">gentoo_try_dontaudit</span> to |
771 |
-show or hide the denials that the developers believe are cosmetic. Thanks to |
772 |
-this approach, you can first disable the Gentoo-selected dontaudit statements |
773 |
-before showing all of them - which can be quite a lot more. |
774 |
-</p> |
775 |
-</td> |
776 |
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
777 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated March 2, 2011</p></td></tr> |
778 |
-<tr lang="en"><td align="center" class="topsep"> |
779 |
-<p class="alttext"><b>Donate</b> to support our development efforts. |
780 |
- </p> |
781 |
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> |
782 |
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@g.o"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> |
783 |
-</form> |
784 |
-</td></tr> |
785 |
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> |
786 |
-</table></td> |
787 |
-</tr></table></td></tr> |
788 |
-<tr><td colspan="2" align="right" class="infohead"> |
789 |
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. |
790 |
-</td></tr> |
791 |
-</table></body> |
792 |
-</html> |
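Review bot: this hunk deletes the whole file (@@ -1,205 +0,0 @@), taking the "Switching to Enforcing Mode" chapter and the "Analyzing AVC" chapter with it, including the dontaudit module walk-through (ignoreavc.te, checkmodule/semodule_package/semodule -i, and the semodule -R -D reload). Nothing in the diff shows where that content goes, so either leave a stub at hb-using-enforcing.html that points at the new location or make sure nothing still links to it. If the content is being moved rather than dropped, two rendering defects visible in the deleted lines should not be carried over: the sample AVC line shows `path="http://www.gentoo.org/dev/null"` (the renderer rewrote the /dev/null path as a URL), and every section and listing anchor is `doc_chap1_sect1` / `doc_chap1_pre1` with every listing titled "Code Listing1.1", so in-page links cannot distinguish them.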
793 |
|
794 |
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html |
795 |
index 061fe7b..fb5eb85 100644 |
796 |
--- a/html/selinux/hb-using-install.html |
797 |
+++ b/html/selinux/hb-using-install.html |
798 |
@@ -87,19 +87,6 @@ tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext= |
799 |
tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t:s0</span> 0 0 |
800 |
</pre></td></tr> |
801 |
</table> |
802 |
-<p class="secthead"><a name="doc_chap1_sect1">Enabling ~Arch Packages</a></p> |
803 |
-<p> |
804 |
-The current stable SELinux related packages are not fit for use anymore (or are |
805 |
-even broken) so we seriously recommend to enable ~arch packages for SELinux. Add |
806 |
-the following settings to the right file (for instance |
807 |
-<span class="path" dir="ltr">/etc/portage/package.accept_keywords/selinux</span>): |
808 |
-</p> |
809 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
810 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux ~arch packages</p></td></tr> |
811 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
812 |
-=sys-process/vixie-cron-4.1-r11 |
813 |
-</pre></td></tr> |
814 |
-</table> |
815 |
<p class="secthead"><a name="doc_chap1_sect1">Change the Gentoo Profile</a></p> |
816 |
<p> |
817 |
Now that you have a running Gentoo Linux installation, switch the Gentoo profile |
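Review bot: removing the "Enabling ~Arch Packages" section also removes the only instruction to keyword =sys-process/vixie-cron-4.1-r11; the FAQ hunk in this same commit still documents the '(root) ENTRYPOINT FAILED (crontabs/root)' failure, so if that cron version is still needed on SELinux systems, readers now hit the problem without guidance. Either confirm the stable vixie-cron is sufficient or move the keyword line next to the cron discussion. Separately, the surviving heading "Change the Gentoo Profile" carries the same anchor name, doc_chap1_sect1, that the removed heading used, so any existing link to the removed section now silently lands on the profile section.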
818 |
@@ -613,7 +600,7 @@ With that done, enjoy - your first steps into the SELinux world are now made. |
819 |
</p> |
820 |
</td> |
821 |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
822 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr> |
823 |
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 18, 2011</p></td></tr> |
824 |
<tr lang="en"><td align="center" class="topsep"> |
825 |
<p class="alttext"><b>Donate</b> to support our development efforts. |
826 |
</p> |
827 |
|
828 |
diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html |
829 |
deleted file mode 100644 |
830 |
index 4212a95..0000000 |
831 |
--- a/html/selinux/hb-using-permissive.html |
832 |
+++ /dev/null |
833 |
@@ -1,609 +0,0 @@ |
834 |
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
835 |
-<html lang="en"> |
836 |
-<head> |
837 |
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> |
838 |
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> |
839 |
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> |
840 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> |
841 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> |
842 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> |
843 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> |
844 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> |
845 |
-<title>Gentoo Linux Handbook Page |
846 |
--- |
847 |
- </title> |
848 |
-</head> |
849 |
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> |
850 |
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> |
851 |
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> |
852 |
-<td width="99%" class="content" valign="top" align="left"> |
853 |
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
854 |
- </span>Keeping Track of Denials</p> |
855 |
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> |
856 |
-<p> |
857 |
-The moment you start using SELinux in permissive mode, SELinux will start |
858 |
-logging all of its denials through your system logger. Based on this |
859 |
-information, you can and will: |
860 |
-</p> |
861 |
-<ul> |
862 |
- <li> |
863 |
- see if certain domains are missing (for instance, commands are being ran |
864 |
- inside a more standard domain whereas you would expect it to run within a |
865 |
- more specific one) in which case you'll probably look for a SELinux policy |
866 |
- module to introduce the specific domain, |
867 |
- </li> |
868 |
- <li> |
869 |
- see if some files have wrong security contexts in which case you'll either |
870 |
- restore their context or set it yourself, |
871 |
- </li> |
872 |
- <li> |
873 |
- see if some denials are made which you don't expect in which case you'll |
874 |
- find out why the denial is made and what the original policy writer intended |
875 |
- (a prime example would be a website hosted in the wrong location in the file |
876 |
- system) |
877 |
- </li> |
878 |
-</ul> |
879 |
-<p> |
880 |
-Of course, several other aspects can be performed the moment you analyze the |
881 |
-denial messages, but the above ones are the most common. |
882 |
-</p> |
883 |
-<p class="secthead"><a name="doc_chap1_sect1">Configuring System Logger</a></p> |
884 |
-<p> |
885 |
-Before we start investigating denials, let's first configure the system logger |
886 |
-to log the denials in its own log file. If you are running syslog-ng with a |
887 |
-Gentoo Hardened profile, it will already be configured to log these denials in |
888 |
-<span class="path" dir="ltr">/var/log/avc.log</span>: |
889 |
-</p> |
890 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
891 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: syslog-ng configuration</p></td></tr> |
892 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
893 |
-destination avc { file("http://www.gentoo.org/var/log/avc.log"); }; |
894 |
-[...] |
895 |
-filter f_avc { message(".*avc: .*"); }; |
896 |
-filter f_audit { message("^(\\[.*\..*] |)audit.*") and not message(".*avc: .*"); }; |
897 |
-[...] |
898 |
-log { source(kernsrc); filter(f_avc); destination(avc); }; |
899 |
-</pre></td></tr> |
900 |
-</table> |
901 |
-<p> |
902 |
-If you use a different logger, look for the configuration of the kernel audit |
903 |
-events. Throughout the rest of this document, we assume that the log where the |
904 |
-denials are logged in is <span class="path" dir="ltr">/var/log/avc.log</span>. |
905 |
-</p> |
906 |
-<p class="secthead"><a name="doc_chap1_sect1">What is AVC?</a></p> |
907 |
-<p> |
908 |
-When we previously showed a few of SELinux' policy allow rules, what you were |
909 |
-actually looking at was an <span class="emphasis">access vector</span> rule. For instance: |
910 |
-</p> |
911 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
912 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example access vector rule</p></td></tr> |
913 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
914 |
-allow sysadm_t portage_t : process transition ; |
915 |
-</pre></td></tr> |
916 |
-</table> |
917 |
-<p> |
918 |
-Up until now we have seen only the <span class="emphasis">allow</span> permission, but SELinux supports |
919 |
-others as well: |
920 |
-</p> |
921 |
-<ul> |
922 |
- <li> |
923 |
- <span class="emphasis">auditallow</span> will allow an activity to occur, but will still log it |
924 |
- (but then with a "granted" message instead of "denied") |
925 |
- </li> |
926 |
- <li> |
927 |
- <span class="emphasis">dontaudit</span> will not allow an activity to occur but will also not log |
928 |
- this. This is particularly useful where the activity is not needed and would |
929 |
- otherwise fill the <span class="path" dir="ltr">avc.log</span> file. |
930 |
- </li> |
931 |
-</ul> |
932 |
-<p> |
933 |
-To improve efficiency of the policy enforcement, SELinux uses a cache for its |
934 |
-access vectors - the <span class="emphasis">access vector cache</span> or <span class="emphasis">AVC</span>. Whenever some |
935 |
-access is requested which isn't in the cache yet, it is first loaded in the |
936 |
-cache from which the allow/deny is triggered. Hence the "avc" messages and the |
937 |
-<span class="path" dir="ltr">avc.log</span> log file. |
938 |
-</p> |
939 |
-<p class="secthead"><a name="avclog"></a><a name="doc_chap1_sect1">Looking at the AVC Log</a></p> |
940 |
-<p> |
941 |
-During regular system operations, you can keep track of the denials through a |
942 |
-simple <span class="code" dir="ltr">tail</span> session: |
943 |
-</p> |
944 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
945 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Looking at the avc logs</p></td></tr> |
946 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
947 |
-~# <span class="code-input">tail -f /var/log/avc.log</span> |
948 |
-Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400 audit(1293872219.247:156): |
949 |
- avc: denied { setattr } for pid=7419 comm="gorg" name="selinux-handbook.xml" dev=dm-3 ino=159061 |
950 |
- scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file |
951 |
-Jan 1 10:08:52 hpl kernel: [ 2944.664577] type=1400 audit(1293872932.907:157): |
952 |
- avc: denied { use } for pid=9917 comm="ifconfig" path="http://www.gentoo.org/dev/null" dev=tmpfs ino=1546 |
953 |
- scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:wpa_cli_t tclass=fd |
954 |
-Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158): |
955 |
- avc: denied { create } for pid=10016 comm="logger" |
956 |
- scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket |
957 |
-</pre></td></tr> |
958 |
-</table> |
959 |
-<p> |
960 |
-But how do you interprete such messages? Well, let's take a closer look at the |
961 |
-first denial from the example. |
962 |
-</p> |
963 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
964 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample denial message</p></td></tr> |
965 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
966 |
-<span class="code-comment">[ Standard data within log message, such as date, time, hostname, ... ]</span> |
967 |
-Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400 |
968 |
-<span class="code-comment">[ The message is an AVC audit message, telling a deny for the setattr system call ]</span> |
969 |
- audit(1293872219.247:156): avc: denied { setattr } |
970 |
-<span class="code-comment">[ The offending process has PID 7419 and is named "gorg" ]</span> |
971 |
- for pid=7419 comm="gorg" |
972 |
-<span class="code-comment">[ The target for the system call is a file named "selinux-handbook.xml" |
973 |
- on the dm-3 device; the file has inode 159061 ]</span> |
974 |
- name="selinux-handbook.xml" dev=dm-3 ino=159061 |
975 |
-<span class="code-comment">[ The source and target security contexts and the class of the target (in this case, a file) ]</span> |
976 |
- scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file |
977 |
-</pre></td></tr> |
978 |
-</table> |
979 |
-<p> |
980 |
-A similar one can be found of the last line in the example. |
981 |
-</p> |
982 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
983 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Another sample denial message</p></td></tr> |
984 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
985 |
-Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158): |
986 |
- avc: denied { create } for pid=10016 comm="logger" |
987 |
- scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket |
988 |
-</pre></td></tr> |
989 |
-</table> |
990 |
-<p> |
991 |
-In this particular case, the offending process is <span class="code" dir="ltr">logger</span> (with PID 10016) |
992 |
-which is trying to create a Unix stream socket (see the <span class="emphasis">tclass</span> |
993 |
-information). |
994 |
-</p> |
995 |
-<p> |
996 |
-Note though that not all AVC messages imply denials. Some accesses recorded by |
997 |
-the access vector cache are grants but which have an explicit <span class="emphasis">auditallow</span> |
998 |
-statement so that this can be tracked in the logs. |
999 |
-</p> |
1000 |
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
1001 |
- </span>Analyzing Denials</p> |
1002 |
-<p class="secthead"><a name="doc_chap1_sect1">A Standard Setup Might Not Work</a></p> |
1003 |
-<p> |
1004 |
-If you have taken a look at your denials, you'll probably think "If I'm going to |
1005 |
-go to enforcing mode, my system will not function properly" and you might be |
1006 |
-right. At this point, Gentoo Hardened is constantly updating the SELinux |
1007 |
-policies to get you a working system - but we're not fully there yet. For this |
1008 |
-reason, being able to analyze the denials (and take corrective actions) is |
1009 |
-very important. |
1010 |
-</p> |
1011 |
-<p> |
1012 |
-It is not easy to describe what the best option is when you see a denial which |
1013 |
-shouldn't be. But a few ground-rules do apply. |
1014 |
-</p> |
1015 |
-<ul> |
1016 |
- <li> |
1017 |
- Verify if the denial is cosmetic or not. Try focusing on denials of which |
1018 |
- you are <span class="emphasis">sure</span> that they are not cosmetic and will result in a |
1019 |
- malfunction of your system (or that particular command) if no corrective |
1020 |
- action is taken. |
1021 |
- </li> |
1022 |
- <li> |
1023 |
- If you see a denial where the source context is a generic one (such as |
1024 |
- <span class="emphasis">sysadm_t</span> or <span class="emphasis">staff_t</span> or <span class="emphasis">user_t</span>), try to find out if |
1025 |
- there are specific SELinux policy modules for the offending resource. In the |
1026 |
- previous example of the <span class="code" dir="ltr">gorg</span> process, we definitely need to check if |
1027 |
- there is no selinux-gorg SELinux policy. Note that, even if there is none, |
1028 |
- it doesn't mean there shouldn't be ;-) |
1029 |
- </li> |
1030 |
- <li> |
1031 |
- If the target for the denial is a file, verify if its security context is |
1032 |
- correct or if no different context should be given. It is also possible that |
1033 |
- the process is trying to work on the wrong path. Sometimes a simple |
1034 |
- configuration change of that process is sufficient to make it work properly |
1035 |
- under its SELinux policy. |
1036 |
- </li> |
1037 |
-</ul> |
1038 |
-<p> |
1039 |
-During development of the policies, Gentoo Hardened developers will try to |
1040 |
-hide denials they believe are cosmetic. This hiding can be toggled using the |
1041 |
-SELinux <span class="code" dir="ltr">gentoo_try_dontaudit</span> boolean: |
1042 |
-</p> |
1043 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1044 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting and setting Gentoo's gentoo_try_dontaudit boolean</p></td></tr> |
1045 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1046 |
-~# <span class="code-input">getsebool gentoo_try_dontaudit</span> |
1047 |
-gentoo_try_dontaudit --> off |
1048 |
-~# <span class="code-input">setsebool -P gentoo_try_dontaudit on</span> |
1049 |
-</pre></td></tr> |
1050 |
-</table> |
1051 |
-<p> |
1052 |
-When set, the denials that are believed to be cosmetic are hidden from your |
1053 |
-audit logs. But if your system is not functioning properly and you do not see |
1054 |
-any denials, it is wise to toggle this boolean again to verify if the denial |
1055 |
-is now shown or not. |
1056 |
-</p> |
1057 |
-<p class="secthead"><a name="doc_chap1_sect1">Installing Additional SELinux Policy Modules</a></p> |
1058 |
-<p> |
1059 |
-When a denial is found for which you think a SELinux policy module should |
1060 |
-exist, find out which package provides the offending resource and verify if |
1061 |
-Gentoo offers a SELinux policy for that package. If it does, install it and |
1062 |
-relabel the files of the package. |
1063 |
-</p> |
1064 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1065 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Finding Gentoo SELinux packages</p></td></tr> |
1066 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1067 |
-~# <span class="code-input">tail -f /var/log/avc.log</span> |
1068 |
-Jan 1 09:42:37 hpl kernel: [ 1372.708172] type=1400 audit(1293871357.972:76): |
1069 |
- avc: denied { search } for pid=6937 comm="screen" name="selinux" dev=dm-0 |
1070 |
- ino=1053303 scontext=staff_u:staff_r:staff_t |
1071 |
- tcontext=staff_u:object_r:user_home_t tclass=dir |
1072 |
- |
1073 |
-~# <span class="code-input">whereis screen</span> |
1074 |
-screen: /usr/bin/screen |
1075 |
- |
1076 |
-~# <span class="code-input">qfile /usr/bin/screen</span> |
1077 |
-app-misc/screen (/usr/bin/screen) |
1078 |
- |
1079 |
-~# <span class="code-input">emerge --search selinux-screen</span> |
1080 |
-Searching... |
1081 |
-[ Results for search key : selinux-screen ] |
1082 |
-[ Applications found : 1 ] |
1083 |
- |
1084 |
-* sec-policy/selinux-screen |
1085 |
- Latest version available: 2.20110726 |
1086 |
- Latest version installed: 2.20110726 |
1087 |
- Size of files: 574 kB |
1088 |
- Homepage: http://www.gentoo.org/proj/en/hardened/selinux/ |
1089 |
- Description: SELinux policy for screen |
1090 |
- License: GPL-2 |
1091 |
- |
1092 |
-~# <span class="code-input">emerge selinux-screen</span> |
1093 |
-[...] |
1094 |
- |
1095 |
-~# <span class="code-input">rlpkg screen</span> |
1096 |
-Relabeling: app-misc/screen-4.0.3 |
1097 |
-</pre></td></tr> |
1098 |
-</table> |
1099 |
-<p> |
1100 |
-If you believe a SELinux policy module should exist but you cannot find one, |
1101 |
-then you can either download the reference policy tarball (which you might find |
1102 |
-in your <span class="path" dir="ltr">distfiles</span> directory - it is called |
1103 |
-<span class="path" dir="ltr">refpolicy-2.YYYYMMDD.tar.bz2</span>) and see if there are already modules |
1104 |
-available (look inside the <span class="path" dir="ltr">refpolicy/policy/modules</span> location) or |
1105 |
-ask around on #gentoo-hardened on irc.freenode.net. |
1106 |
-</p> |
1107 |
-<p class="secthead"><a name="doc_chap1_sect1">Updating the Security Contexts of Files</a></p> |
1108 |
-<p> |
1109 |
-The most common case of denials when the necessary policies are in place are |
1110 |
-wrongly labeled files or directories (in other words, the security context of |
1111 |
-the target file or directory is not what the policy would expect). This can be |
1112 |
-either because the file has not been (re)labeled after the policy has been |
1113 |
-loaded or because the label has for some reason changed (case 1) or because |
1114 |
-the path of the file is not in accordance to the file context specifications |
1115 |
-in the SELinux module (case 2). |
1116 |
-</p> |
1117 |
-<p> |
1118 |
-The first possibility (security context correct in policy, but not applied) can |
1119 |
-be easily fixed using the <span class="code" dir="ltr">restorecon</span> command. You can apply it against a |
1120 |
-single file, or run it recursively using the <span class="code" dir="ltr">-R</span> option. |
1121 |
-</p> |
1122 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1123 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running restorecon to restore a security context</p></td></tr> |
1124 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1125 |
-~# <span class="code-input">restorecon /etc/make.conf</span> |
1126 |
-</pre></td></tr> |
1127 |
-</table> |
1128 |
-<p> |
1129 |
-If the file context definition in the policy however doesn't apply to the file |
1130 |
-(or directory), you can still tell your system to label the file or directory |
1131 |
-accordingly. For instance, say you have your <span class="path" dir="ltr">lvm.conf</span> file inside |
1132 |
-<span class="path" dir="ltr">/etc</span> rather than <span class="path" dir="ltr">/etc/lvm</span> as the policy would expect, |
1133 |
-then you can still label the file correctly using <span class="code" dir="ltr">semanage</span>. With |
1134 |
-<span class="code" dir="ltr">semanage</span>, you assign a correct security context unrelated to any |
1135 |
-module. It is a local setting - but which is persistent across reboots and |
1136 |
-relabelling activities. |
1137 |
-</p> |
1138 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1139 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting a new file context using semanage</p></td></tr> |
1140 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1141 |
-~# <span class="code-input">semanage fcontext -a -t lvm_etc_t /etc/lvm.conf</span> |
1142 |
-~# <span class="code-input">restorecon /etc/lvm.conf</span> |
1143 |
-</pre></td></tr> |
1144 |
-</table> |
1145 |
-<p> |
1146 |
-If you want to make such a definition part of a module you're writing, you will |
1147 |
-need to create a file context file which contains the definition(s) for the |
1148 |
-files whose context you want to set. Writing policy modules is described later |
1149 |
-in this book in <span title="Link to other book part not available"><font color="#404080">(Adding SELinux Policy |
1150 |
-Modules)</font></span>. |
1151 |
-</p> |
1152 |
-<p class="secthead"><a name="create_module"></a><a name="doc_chap1_sect1">Creating Specific Allow Rules</a></p> |
1153 |
-<p> |
1154 |
-If a denial isn't resolved through an available SELinux policy module or a |
1155 |
-corrective action taken against the target file or directory, or there |
1156 |
-is no such module available, then you might opt to create your own policy. If |
1157 |
-your goal is to allow a specific set of rules (rather than to write a |
1158 |
-full-fledged SELinux policy module) then you can use the <span class="code" dir="ltr">audit2allow</span> tool |
1159 |
-to generate a policy based on the denial logs. |
1160 |
-</p> |
1161 |
-<p> |
1162 |
-With <span class="code" dir="ltr">audit2allow</span>, you can transform an AVC denial message into a SELinux |
1163 |
-policy module definition. This can then be compiled into a binary policy module |
1164 |
-and finally packaged into an easily (re)loadable SELinux policy module. It is |
1165 |
-recommended to keep the (raw) AVC logs that you use to build the SELinux policy |
1166 |
-module as this will allow you to continuously update the module when new denials |
1167 |
-occur. |
1168 |
-</p> |
1169 |
-<p> |
1170 |
-For instance, to allow some <span class="code" dir="ltr">sudo</span>-related denials, you can do the |
1171 |
-following steps... |
1172 |
-</p> |
1173 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1174 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Generating, building and inserting a SELinux policy</p></td></tr> |
1175 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1176 |
-<span class="code-comment">[ We append the AVC messages to the sudo.raw file so that, in the future, we can |
1177 |
- add additional denial messages inside the same raw file which will be used to |
1178 |
- build a new SELinux policy module ]</span> |
1179 |
-~# <span class="code-input">grep 'comm="sudo"' /var/log/avc.log >> sudo.raw</span> |
1180 |
- |
1181 |
-<span class="code-comment">[ We generate a module definition called 'fixsudo' based on the captured AVC denials ]</span> |
1182 |
-~# <span class="code-input">cat sudo.raw | audit2allow -m fixsudo > fixsudo.te</span> |
1183 |
- |
1184 |
-<span class="code-comment">[ Next we build the SELinux module ]</span> |
1185 |
-~# <span class="code-input">checkmodule -m -o fixsudo.mod fixsudo.te</span> |
1186 |
-~# <span class="code-input">semodule_package -o fixsudo.pp -m fixsudo.mod</span> |
1187 |
-</pre></td></tr> |
1188 |
-</table> |
1189 |
-<p> |
1190 |
-The generated policy module (with the <span class="path" dir="ltr">.pp</span> suffix) can then be |
1191 |
-dynamically loaded into the SELinux policy store: |
1192 |
-</p> |
1193 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1194 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Loading the generated module</p></td></tr> |
1195 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1196 |
-~# <span class="code-input">semodule -i fixsudo.pp</span> |
1197 |
-</pre></td></tr> |
1198 |
-</table> |
1199 |
-<p> |
1200 |
-The module definition (in our example called <span class="path" dir="ltr">fixsudo.te</span>) can be |
1201 |
-modified as you please - it's content is standard ASCII, human readable. |
1202 |
-</p> |
1203 |
-<p> |
1204 |
-Not all denials that you might get are bugs in the default security policy. |
1205 |
-It is very probable that you use your system in a slightly different way than |
1206 |
-intended within the Gentoo Hardened SELinux default policy. However, if you |
1207 |
-believe that you had to change your runtime policy due to a bug in the |
1208 |
-current policy, please report it on <a href="https://bugs.gentoo.org">Bugzilla</a> so that the Gentoo Hardened |
1209 |
-SELinux developers can take a look at it. Also, don't hesitate to contact |
1210 |
-the Gentoo Hardened SELinux developers if you are uncertain about things. |
1211 |
-</p> |
1212 |
-<p> |
1213 |
-They don't bite. They get fed regularly so they don't have to. |
1214 |
-</p> |
1215 |
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
1216 |
- </span>Working with SELinux</p> |
1217 |
-<p class="secthead"><a name="doc_chap1_sect1">Loading and Unloading of Modules</a></p> |
1218 |
-<p> |
1219 |
-We have already crossed SELinux modules quite a few times. You even saw that, in |
1220 |
-order to load a module, you can use <span class="code" dir="ltr">semodule -i modulename.pp</span>. The |
1221 |
-<span class="code" dir="ltr">semodule</span> command offers the following functions: |
1222 |
-</p> |
1223 |
-<ul> |
1224 |
- <li> |
1225 |
- With <span class="code" dir="ltr">semodule -i modulename.pp</span> you (re)install a module (or install |
1226 |
- a higher version of said module) |
1227 |
- </li> |
1228 |
- <li> |
1229 |
- With <span class="code" dir="ltr">semodule -u modulename.pp</span> you upgrade an existing installed |
1230 |
- module with a new version of this module |
1231 |
- </li> |
1232 |
- <li> |
1233 |
- With <span class="code" dir="ltr">semodule -r modulename.pp</span> you remove a module from the SELinux |
1234 |
- policy store. It will not be reloaded, not even after a reboot. |
1235 |
- </li> |
1236 |
- <li> |
1237 |
- With <span class="code" dir="ltr">semodule -R</span> you reload the policies. An interesting feature here |
1238 |
- is that you can add <span class="code" dir="ltr">-D</span> which will <span class="emphasis">disable</span> the <span class="emphasis">dontaudit</span> |
1239 |
- rules from the policy. This can be useful, especially later in enforcing |
1240 |
- mode, to find out why something is failing even though you get no denials. |
1241 |
- </li> |
1242 |
- <li> |
1243 |
- With <span class="code" dir="ltr">semodule -B</span> you force a rebuild of the policy (which includes by |
1244 |
- default a reload of the policy as well). Amongst some other things, such a |
1245 |
- rebuild will read up on the existing users' and their home directories and |
1246 |
- create the associated domains. |
1247 |
- </li> |
1248 |
-</ul> |
1249 |
-<p class="secthead"><a name="doc_chap1_sect1">Listing Modules</a></p> |
1250 |
-<p> |
1251 |
-With the <span class="code" dir="ltr">semodule -l</span> command you can get an overview of the installed |
1252 |
-modules, together with their current version. When you have issues with SELinux |
1253 |
-policies and are trying to get online help on the matter, knowing the version of |
1254 |
-the particular module is important to help you troubleshoot problems. |
1255 |
-</p> |
1256 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1257 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the installed modules</p></td></tr> |
1258 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1259 |
-~# <span class="code-input">semodule -l</span> |
1260 |
-dbus 1.14.0 |
1261 |
-dnsmasq 1.9.0 |
1262 |
-hal 1.13.0 |
1263 |
-[...] |
1264 |
-</pre></td></tr> |
1265 |
-</table> |
1266 |
-<p class="secthead"><a name="doc_chap1_sect1">Switching Roles</a></p> |
1267 |
-<p> |
1268 |
-When you are working with a SELinux system, your default users will be using the |
1269 |
-user_u SELinux login (and as such the user_r SELinux role) so they will not need |
1270 |
-to perform any role switching: there are no other roles they can switch to. |
1271 |
-</p> |
1272 |
-<p> |
1273 |
-Accounts that you use to perform more administrative tasks however are most |
1274 |
-likely mapped to the staff_u SELinux login or have their own login but with the |
1275 |
-same roles supported: staff_r and sysadm_r. These accounts should by default |
1276 |
-start within the staff_r role. Although still restricted, it has more |
1277 |
-possibilities (with respect to supported target domains to transition to) |
1278 |
-than the user_r role. |
1279 |
-</p> |
1280 |
-<p> |
1281 |
-The major difference however is that these users will also have to switch roles |
1282 |
-from time to time. For instance, if you want to use Portage - even just for |
1283 |
-querying the tree - you will need to be in the sysadm_r role. To switch roles, |
1284 |
-use the <span class="code" dir="ltr">newrole</span> command: |
1285 |
-</p> |
1286 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1287 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching roles</p></td></tr> |
1288 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1289 |
-~$ <span class="code-input">newrole -r sysadm_r</span> |
1290 |
-Password: <span class="code-comment">(Enter your personal password)</span> |
1291 |
-~$ |
1292 |
-</pre></td></tr> |
1293 |
-</table> |
1294 |
-<p> |
1295 |
-With <span class="code" dir="ltr">id -Z</span> you can verify that you have indeed successfully switched |
1296 |
-roles. |
1297 |
-</p> |
1298 |
-<p> |
1299 |
-Now how do you know that you need to switch roles? Generally, you will get a |
1300 |
-<span class="emphasis">Permission denied</span> statement on one or more files: |
1301 |
-</p> |
1302 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1303 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting to know when to switch roles</p></td></tr> |
1304 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1305 |
-~$ <span class="code-input">emerge --info</span> |
1306 |
-Permission denied: '/etc/make.conf' |
1307 |
-</pre></td></tr> |
1308 |
-</table> |
1309 |
-<p> |
1310 |
-You might not be able, from within your current role, to find out if switching |
1311 |
-roles is sufficient to gain read access. Within your current role, you might not |
1312 |
-be able to get to view the current security context or query the SELinux AV |
1313 |
-rules. But if you switch to the sysadm_r role and run the necessary queries, you |
1314 |
-might get the information you need: |
1315 |
-</p> |
1316 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1317 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Verifying read access against the /etc/make.conf file</p></td></tr> |
1318 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1319 |
-~$ <span class="code-input">id -Z</span> |
1320 |
-staff_u:staff_r:staff_t |
1321 |
-~$ <span class="code-input">newrole -r sysadm_r</span> |
1322 |
-Password: <span class="code-comment">(Enter your personal password)</span> |
1323 |
-~$ <span class="code-input">id -Z</span> |
1324 |
-staff_u:sysadm_r:sysadm_t |
1325 |
-~$ <span class="code-input">ls -Z /etc/make.conf</span> |
1326 |
-system_u:object_r:portage_conf_t /etc/make.conf |
1327 |
-~$ <span class="code-input">sesearch -t portage_conf_t -c file -p read -A -d</span> |
1328 |
-Found 8 semantic av rules: |
1329 |
- allow portage_t portage_conf_t : file { ioctl read getattr lock execute execute_no_trans open } ; |
1330 |
- <span class="code-comment"># This is the one we are looking for</span> |
1331 |
- allow sysadm_t portage_conf_t : file { ioctl read write ... } ; |
1332 |
- allow portage_fetch_t portage_conf_t : file { ioctl read getattr lock open } ; |
1333 |
- allow restorecond_t portage_conf_t : file { ioctl read getattr lock relabelfrom relabelto open } ; |
1334 |
- allow gcc_config_t portage_conf_t : file { ioctl read getattr lock open } ; |
1335 |
- allow portage_sandbox_t portage_conf_t : file { ioctl read getattr lock open } ; |
1336 |
- allow rsync_t portage_conf_t : file { ioctl read getattr lock open } ; |
1337 |
- allow mount_t portage_conf_t : file { ioctl read getattr lock open } ; |
1338 |
-</pre></td></tr> |
1339 |
-</table> |
1340 |
-<p> |
1341 |
-As you can see, the sysadm_t domain (which is affiliated with the sysadm_r role) |
1342 |
-has the necessary read access, whereas there is no sign of any read access for |
1343 |
-the staff_t domain. |
1344 |
-</p> |
1345 |
-<p class="secthead"><a name="doc_chap1_sect1">Using File Labels</a></p> |
1346 |
-<p> |
1347 |
-During regular system usage, you will get into situations where you need to set |
1348 |
-file labels (security contexts). We have already covered the use of |
1349 |
-<span class="code" dir="ltr">semanage</span> and <span class="code" dir="ltr">restorecon</span> to do so, but a few other methods exist as |
1350 |
-well, each of them for specific purposes... |
1351 |
-</p> |
1352 |
-<p> |
1353 |
-With <span class="code" dir="ltr">chcon</span> users (and not only administrators) can relabel files (if they |
1354 |
-have the necessary privileges to do so) to the type they want. As an example, |
1355 |
-consider the domains and rules for the Mozilla applications (such as firefox). |
1356 |
-By default, this domain has no ability to create new files in the user home |
1357 |
-directory. However, a specific domain has been created (mozilla_home_t) in which |
1358 |
-the application can create files. By creating a folder (say |
1359 |
-<span class="path" dir="ltr">Downloads</span>) and relabeling it correctly, the application is able to |
1360 |
-create new files inside this location. |
1361 |
-</p> |
1362 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1363 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling a directory</p></td></tr> |
1364 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1365 |
-~$ <span class="code-input">ls -Zd ~/Downloads</span> |
1366 |
-staff_u:object_r:user_home_t Downloads/ |
1367 |
-~$ <span class="code-input">chcon -t mozilla_home_t ~/Downloads</span> |
1368 |
-~$ <span class="code-input">ls -Zd ~/Downloads</span> |
1369 |
-staff_u:object_r:mozilla_home_t |
1370 |
-</pre></td></tr> |
1371 |
-</table> |
1372 |
-<p> |
1373 |
-It is important to understand that relabeling is a specific privilege which is |
1374 |
-also governed by SELinux policies (the staff_t domain has this privilege on the |
1375 |
-user_home_t domain). Also, the target domain (mozilla_home_t) is still |
1376 |
-manageable by the staff_t domain (including relabeling) so that the relabeling |
1377 |
-activity doesn't lower the privileges that staff_t has on this folder. This |
1378 |
-isn't always the case, so be careful when you relabel. |
1379 |
-</p> |
1380 |
-<p> |
1381 |
-Relabelling files is governed by the relabelfrom and relabelto privileges. |
1382 |
-Consider the following two hypothetical rules: |
1383 |
-</p> |
1384 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1385 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling rules</p></td></tr> |
1386 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1387 |
-allow staff_t foo_t : dir { relabelfrom relabelto }; |
1388 |
-allow staff_t bar_t : dir { relabelto }; |
1389 |
-</pre></td></tr> |
1390 |
-</table> |
1391 |
-<p> |
1392 |
-In the first rule, the staff_t domain has the ability to relabel directories |
1393 |
-that are currently in the foo_t domain (relabelfrom) and to relabel directories |
1394 |
-to the foo_t domain (if their source domain has a correct relabelfrom |
1395 |
-privilege). In the second rule, the staff_t domain is only able to relabel |
1396 |
-directories to the bar_t domain. However, once a directory has the bar_t domain, |
1397 |
-the staff_t domain has no ability to relabel it to something else (no |
1398 |
-relabelfrom privilege). |
1399 |
-</p> |
1400 |
-<p class="secthead"><a name="doc_chap1_sect1">Relabelling Gentoo Package Content</a></p> |
1401 |
-<p> |
1402 |
-As a last section let's talk about Gentoo support for relabeling files. By |
1403 |
-default, Portage will relabel all files of a package once it is installed. This |
1404 |
-is governed by the FEATURES="selinux" setting which is enabled when you select |
1405 |
-the selinux profiles. An administrator can also relabel the contents of a |
1406 |
-package using the (Gentoo-specific) <span class="code" dir="ltr">rlpkg</span> command (installed through |
1407 |
-the policycoreutils package): |
1408 |
-</p> |
1409 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1410 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling the files and directories of a package</p></td></tr> |
1411 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1412 |
-~# <span class="code-input">rlpkg net-tools</span> |
1413 |
-Relabeling: sys-apps/net-tools-1.60_p20090728014017-r1 |
1414 |
-</pre></td></tr> |
1415 |
-</table> |
1416 |
-<p> |
1417 |
-The same tool can be used to relabel the entire system: |
1418 |
-</p> |
1419 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1420 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling the entire (file) system</p></td></tr> |
1421 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1422 |
-~# <span class="code-input">rlpkg -a -r</span> |
1423 |
-</pre></td></tr> |
1424 |
-</table> |
1425 |
-</td> |
1426 |
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
1427 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr> |
1428 |
-<tr lang="en"><td align="center" class="topsep"> |
1429 |
-<p class="alttext"><b>Donate</b> to support our development efforts. |
1430 |
- </p> |
1431 |
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> |
1432 |
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@g.o"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> |
1433 |
-</form> |
1434 |
-</td></tr> |
1435 |
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> |
1436 |
-</table></td> |
1437 |
-</tr></table></td></tr> |
1438 |
-<tr><td colspan="2" align="right" class="infohead"> |
1439 |
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. |
1440 |
-</td></tr> |
1441 |
-</table></body> |
1442 |
-</html> |
1443 |
|
1444 |
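Review bot: the removal of this whole handbook chapter is not accounted for anywhere in the hunk: nothing says whether the troubleshooting material it carried (the cosmetic-denial checklist, the `gentoo_try_dontaudit` boolean, the `audit2allow -m fixsudo` / `checkmodule -m` / `semodule_package` / `semodule -i` workflow, `semodule -R` with `-D`, `newrole -r sysadm_r`, `chcon -t mozilla_home_t`, `rlpkg -a -r`) was moved to another page or dropped. Please state the destination in the commit message and check for links that still point at this page. If the content is regenerated elsewhere, two defects visible in the deleted text should be fixed on the way rather than copied: every code listing carries the same anchor `<a name="doc_chap1_pre1">` and the same title `Code Listing1.1`, and every section heading the same `doc_chap1_sect1` anchor, so in-page links cannot distinguish them; and the list item `With semodule -r modulename.pp you remove a module` is wrong, since `semodule -r` takes the module name (`semodule -r modulename`), not the `.pp` file, unlike the `-i` and `-u` items next to it.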
diff --git a/html/selinux/hb-using-policymodules.html b/html/selinux/hb-using-policymodules.html |
1445 |
deleted file mode 100644 |
1446 |
index 9a098cc..0000000 |
1447 |
--- a/html/selinux/hb-using-policymodules.html |
1448 |
+++ /dev/null |
1449 |
@@ -1,541 +0,0 @@ |
1450 |
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
1451 |
-<html lang="en"> |
1452 |
-<head> |
1453 |
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> |
1454 |
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> |
1455 |
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon"> |
1456 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> |
1457 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> |
1458 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> |
1459 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> |
1460 |
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> |
1461 |
-<title>Gentoo Linux Handbook Page |
1462 |
--- |
1463 |
- </title> |
1464 |
-</head> |
1465 |
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> |
1466 |
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> |
1467 |
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> |
1468 |
-<td width="99%" class="content" valign="top" align="left"> |
1469 |
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
1470 |
- </span>Writing Simple Policies</p> |
1471 |
-<p class="secthead"><a name="doc_chap1_sect1">Writing a TE File</a></p> |
1472 |
-<p> |
1473 |
-Let us summarize our previous experiences with writing simple policies. We have |
1474 |
-already covered how to write a <span class="path" dir="ltr">.te</span> file and convert it to a |
1475 |
-loadable SELinux module. Let's go over this once again with a simple example: |
1476 |
-allowing execmem for the mozilla_t domain. |
1477 |
-</p> |
1478 |
-<p> |
1479 |
-When using the <span class="path" dir="ltr">selinux-mozilla</span> provided SELinux module, you might |
1480 |
-still get a failure if you are using the 32-bit binary firefox package |
1481 |
-(<span class="path" dir="ltr">www-client/firefox-bin</span>) and if you do not allow memexec (see the |
1482 |
-<span class="code" dir="ltr">allow_memexec</span> boolean). You will probably find an AVC denial telling you |
1483 |
-this exact same thing. If you want to allow just mozilla_t to run execmem, you |
1484 |
-can write the following <span class="path" dir="ltr">fixmozilla.te</span> module: |
1485 |
-</p> |
1486 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1487 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Content of fixmozilla.te</p></td></tr> |
1488 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1489 |
-module fixmozilla 1.0.0; |
1490 |
- |
1491 |
-require { |
1492 |
- type mozilla_t; |
1493 |
- class process execmem; |
1494 |
-} |
1495 |
- |
1496 |
-allow mozilla_t self:process { execmem }; |
1497 |
-</pre></td></tr> |
1498 |
-</table> |
1499 |
-<p> |
1500 |
-This simple policy sais that the module is called <span class="emphasis">fixmozilla</span> with module |
1501 |
-version <span class="emphasis">1.0.0</span> (it is wise to update this version every time you update |
1502 |
-the content of the module so that you can quickly verify with <span class="code" dir="ltr">semodule -l</span> |
1503 |
-if the new version is loaded or not). It requires the <span class="emphasis">mozilla_t</span> domain |
1504 |
-(if <span class="path" dir="ltr">sec-policy/selinux-mozilla</span> isn't installed, loading of this |
1505 |
-policy will fail as it will not find the mozilla_t domain) and the |
1506 |
-<span class="emphasis">process</span> class with the <span class="emphasis">execmem</span> operation. The policy itself |
1507 |
-(the AVC statement) is to allow the mozilla_t domain to use execmem on its |
1508 |
-own processes. |
1509 |
-</p> |
1510 |
-<p> |
1511 |
-To convert this source into a loadable policy, we first convert it into a |
1512 |
-<span class="path" dir="ltr">.mod</span> file: |
1513 |
-</p> |
1514 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1515 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Converting a .te file to a .mod file</p></td></tr> |
1516 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1517 |
-~$ <span class="code-input">checkmodule -m -o fixmozilla.mod fixmozilla.te</span> |
1518 |
-</pre></td></tr> |
1519 |
-</table> |
1520 |
-<p> |
1521 |
-In this particular command, we create a non-base (<span class="code" dir="ltr">-m</span>) module file |
1522 |
-(<span class="path" dir="ltr">fixmozilla.mod</span>) which contains the statements offered by the |
1523 |
-<span class="path" dir="ltr">fixmozilla.te</span> file. If you are running an MLS/MCS system you will |
1524 |
-need to add the <span class="code" dir="ltr">-M</span> option. |
1525 |
-</p> |
1526 |
-<p> |
1527 |
-Next we package this module into a loadable SELinux module: |
1528 |
-</p> |
1529 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1530 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Packaging the .mod file to a loadable SELinux module</p></td></tr> |
1531 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1532 |
-~$ <span class="code-input">semodule_package -o fixmozilla.pp -m fixmozilla.mod</span> |
1533 |
-</pre></td></tr> |
1534 |
-</table> |
1535 |
-<p> |
1536 |
-This final module file (<span class="path" dir="ltr">fixmozilla.pp</span>) can then be loaded into the |
1537 |
-SELinux policy store using <span class="code" dir="ltr">semodule -i fixmozilla.pp</span>. |
1538 |
-</p> |
1539 |
-<p> |
1540 |
-Using this relatively simple method, you can create all the policy rules you |
1541 |
-want. However, you most likely want to add information on file labeling as |
1542 |
-well... |
1543 |
-</p> |
1544 |
-<p class="secthead"><a name="doc_chap1_sect1">Writing an FC File</a></p> |
1545 |
-<p> |
1546 |
-An FC file (<span class="emphasis">File Context</span>) contains the file labels (security contexts) |
1547 |
-that should be assigned to particular files. If you structure your modules |
1548 |
-correctly, you most likely have policies for particular programs, and you would |
1549 |
-like to label the program files and binaries accordingly. This is what the |
1550 |
-<span class="path" dir="ltr">.fc</span> files are for. |
1551 |
-</p> |
1552 |
-<p> |
1553 |
-Let's take a look at a sample .fc file which contains the various types of |
1554 |
-context definitions that are supported: |
1555 |
-</p> |
1556 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1557 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample .fc file</p></td></tr> |
1558 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1559 |
-/var/.* gen_context(system_u:object_r:var_t) |
1560 |
-/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t) |
1561 |
-/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t) |
1562 |
-/vmlinuz.* -l gen_context(system_u:object_r:boot_t) |
1563 |
-/usr/bin/firefox -- gen_context(system_u:object_r:mozilla_exec_t) |
1564 |
-/tmp/\.ICE-unix/.* -s <<none>> |
1565 |
-/dev/initctl -p gen_context(system_u:object_r:initctl_t) |
1566 |
-/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t) |
1567 |
-</pre></td></tr> |
1568 |
-</table> |
1569 |
-<p> |
1570 |
-The first column (in every line) starts with a regular expression to match |
1571 |
-against a file's path. This is usually sufficient to match any possible file. |
1572 |
-SELinux does support some special variables like ROLE, HOME_DIR, HOME_ROOT and |
1573 |
-USER which are substituted with their corresponding values when the file context |
1574 |
-is (re)compiled (for instance when you add or delete SELinux users or rebuild |
1575 |
-the policy using <span class="code" dir="ltr">semodule</span>). |
1576 |
-</p> |
1577 |
-<p> |
1578 |
-The second column, if available, starts with a dash followed by the file type: |
1579 |
-<span class="code" dir="ltr">c</span>haracter device, <span class="code" dir="ltr">b</span>lock device, symbolic <span class="code" dir="ltr">l</span>ink, |
1580 |
-<span class="code" dir="ltr">s</span>ocket, <span class="code" dir="ltr">d</span>irectory, named <span class="code" dir="ltr">p</span>ipe or a regular file (<span class="code" dir="ltr">-</span>). |
1581 |
-</p> |
1582 |
-<p> |
1583 |
-The last column gives the security context (label) that should be assigned to |
1584 |
-the resource(s) that match the regular expression. You should always see the |
1585 |
-"standard three" (user, role, domain), but you might also see the security level |
1586 |
-and even category if MLS/MCS is used or supported by the module. |
1587 |
-</p> |
1588 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1589 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample file context with MLS/MCS support</p></td></tr> |
1590 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1591 |
-/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15,c0.c255) |
1592 |
-</pre></td></tr> |
1593 |
-</table> |
1594 |
-<p> |
1595 |
-You can write your own FC file. For instance, Gentoo adds the following |
1596 |
-definition to the <span class="path" dir="ltr">sec-policy/selinux-mozilla</span> package to support the |
1597 |
-binary firefox package: |
1598 |
-</p> |
1599 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1600 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example .fc content</p></td></tr> |
1601 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1602 |
-/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) |
1603 |
-/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
1604 |
-/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) |
1605 |
-/opt/firefox/run-mozilla.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0) |
1606 |
-/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) |
1607 |
-/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0) |
1608 |
-</pre></td></tr> |
1609 |
-</table> |
1610 |
-<p> |
1611 |
-If you want to add such a file to your policy, add it during the |
1612 |
-<span class="code" dir="ltr">semodule_package</span> phase: |
1613 |
-</p> |
1614 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1615 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Adding file context information to a policy</p></td></tr> |
1616 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1617 |
-~$ <span class="code-input">semodule_package -o fixmozilla.pp -m fixmozilla.mod -f fixmozilla.fc</span> |
1618 |
-</pre></td></tr> |
1619 |
-</table> |
1620 |
-<p> |
1621 |
-Once this policy is loaded, you can use tools like <span class="code" dir="ltr">matchpathcon</span>, |
1622 |
-<span class="code" dir="ltr">restorecon</span> and more as they now know how to deal with the files you have |
1623 |
-mentioned in your file context file. |
1624 |
-</p> |
1625 |
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
1626 |
- </span>Building a Reference Policy Module</p> |
1627 |
-<p class="secthead"><a name="doc_chap1_sect1">Introduction to the Reference Policy</a></p> |
1628 |
-<p> |
1629 |
-Initially we have already covered the fact that Gentoo Hardened bases its |
1630 |
-policies on the reference policy maintained by Tresys. This reference policy |
1631 |
-offers an important additional functionality during module development: |
1632 |
-interfaces. |
1633 |
-</p> |
1634 |
-<p> |
1635 |
-By creating an interface, you actually create a function of some sort which can |
1636 |
-be used in other modules. Such interfaces allow module writers to generate rules |
1637 |
-to interact with the domain of their module without knowing what the other |
1638 |
-domains are. For instance, the mozilla module has an interface definition like |
1639 |
-so: |
1640 |
-</p> |
1641 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1642 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example interface definition</p></td></tr> |
1643 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1644 |
-interface(`mozilla_read_user_home_files',` |
1645 |
- gen_require(` |
1646 |
- type mozilla_home_t; |
1647 |
- ') |
1648 |
- |
1649 |
- allow $1 mozilla_home_t:dir list_dir_perms; |
1650 |
- allow $1 mozilla_home_t:file read_file_perms; |
1651 |
- allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; |
1652 |
- userdom_search_user_home_dirs($1) |
1653 |
-') |
1654 |
-</pre></td></tr> |
1655 |
-</table> |
1656 |
-<p> |
1657 |
-This interface allows other modules to use the |
1658 |
-<span class="code" dir="ltr">mozilla_read_user_home_files</span> function if they want their domain to be |
1659 |
-able to (in this case) read the files in the mozilla_home_t domain. Of course, |
1660 |
-they can add all statements inside their own definition, but then they would |
1661 |
-have to require that the mozilla module is loaded, which might be a wrong |
1662 |
-assumption, and duplicate the same allow statements for each application. |
1663 |
-The use of interfaces makes policy development easier. |
1664 |
-</p> |
1665 |
-<p> |
1666 |
-Also, the reference policy allows the use of <span class="emphasis">optional</span> statements: |
1667 |
-a module can call an interface of another module, but this may not fail if |
1668 |
-the other module is not available on a users' system. |
1669 |
-</p> |
1670 |
-<p> |
1671 |
-For instance, in the evolution policy: |
1672 |
-</p> |
1673 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1674 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Extract from evolution.te</p></td></tr> |
1675 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1676 |
-optional_policy(` |
1677 |
- mozilla_read_user_home_files(evolution_t) |
1678 |
- mozilla_domtrans(evolution_t) |
1679 |
-') |
1680 |
-</pre></td></tr> |
1681 |
-</table> |
1682 |
-<p> |
1683 |
-In this extract we see that the previously defined interface is called with |
1684 |
-argument evolution_t (the Evolution domain) within an <span class="code" dir="ltr">optional_policy</span> |
1685 |
-clause. As a result, building this policy will attempt to call this interface, |
1686 |
-but if the interface is missing (because the mozilla module isn't installed) it |
1687 |
-will not fail the build of the evolution module. |
1688 |
-</p> |
1689 |
-<p> |
1690 |
-Using the interfaces allows for a clean separation of the various modules. |
1691 |
-Within the reference policy, the following guidelines are used: |
1692 |
-</p> |
1693 |
-<ul> |
1694 |
- <li> |
1695 |
- Inside a <span class="path" dir="ltr">.te</span> file, the only domains that are allowed to be |
1696 |
- mentioned are those defined in the same <span class="path" dir="ltr">.te</span> file. Any |
1697 |
- interaction with other domains need to happen through interfaces offered by |
1698 |
- that domain. |
1699 |
- </li> |
1700 |
- <li> |
1701 |
- Inside an <span class="path" dir="ltr">.if</span> file, where the interfaces are defined, an XML |
1702 |
- like syntax is used to document each interface, allowing for developers to |
1703 |
- read easily what an interface is meant to do (because honestly, there are |
1704 |
- far more complex interfaces than the one we have previously shown) |
1705 |
- </li> |
1706 |
- <li> |
1707 |
- Distribution-specific aspects of modules should be enclosed within a |
1708 |
- <span class="code" dir="ltr">ifdef(`distro_gentoo',`...')</span> statement (example for Gentoo). This |
1709 |
- statement is supported in all three files (<span class="path" dir="ltr">.te</span>, |
1710 |
- <span class="path" dir="ltr">.if</span> and <span class="path" dir="ltr">.fc</span>). |
1711 |
- </li> |
1712 |
-</ul> |
1713 |
-<p class="secthead"><a name="doc_chap1_sect1">Building the Reference Policy Module</a></p> |
1714 |
-<p> |
1715 |
-If you want to build a module using the reference policy interfaces, you first |
1716 |
-need to create the <span class="path" dir="ltr">.te</span> file and, optionally (but most likely |
1717 |
-needed) <span class="path" dir="ltr">.if</span> and <span class="path" dir="ltr">.fc</span> file. It is wise to start from an |
1718 |
-example set of files for a similar application. If you want to or need to use |
1719 |
-interfaces of different modules, you can find the interfaces that are valid on |
1720 |
-your system inside <span class="path" dir="ltr">/usr/share/selinux/strict/include</span>. |
1721 |
-</p> |
1722 |
-<p> |
1723 |
-Once you want to build the module, copy the |
1724 |
-<span class="path" dir="ltr">/usr/share/selinux/strict/include/Makefile</span> file inside the |
1725 |
-directory where your policy definition(s) are stored. Then, call the <span class="code" dir="ltr">make</span> |
1726 |
-command to build the policy modules. |
1727 |
-</p> |
1728 |
-<p> |
1729 |
-The result should be one (or more) loadable SELinux modules. |
1730 |
-</p> |
1731 |
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
1732 |
- </span>Example: Start Building the Skype Policy</p> |
1733 |
-<p class="secthead"><a name="doc_chap1_sect1">Labelling</a></p> |
1734 |
-<p> |
1735 |
-Let's start to create a sample reference policy based SELinux module for the <span class="code" dir="ltr">skype</span> |
1736 |
-application. This application is a well-known application used to perform voice- |
1737 |
-and video chats across the Internet. We will not finish the module in this |
1738 |
-chapter (as the exercise will become a repetitive try-and-correct cycle which |
1739 |
-isn't the purpose to document here) but rather show an approach on how to deal |
1740 |
-with such policy building exercises. |
1741 |
-</p> |
1742 |
-<p> |
1743 |
-First get acquainted with the application. |
1744 |
-</p> |
1745 |
-<p> |
1746 |
-The usual way of interacting with <span class="code" dir="ltr">skype</span> is from an end-user point (not |
1747 |
-administrator). From interacting with it in permissive mode (or from a |
1748 |
-non-SELinux system) we know it creates a <span class="path" dir="ltr">~/.Skype</span> folder for its |
1749 |
-configuration, chat history and more. |
1750 |
-</p> |
1751 |
-<p> |
1752 |
-Given this above information, let's take a look at the content of the |
1753 |
-<span class="path" dir="ltr">net-im/skype</span> package: |
1754 |
-</p> |
1755 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1756 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Content of the skype package</p></td></tr> |
1757 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1758 |
-~$ <span class="code-input">qlist skype</span> |
1759 |
-<span class="code-comment">(Output shortened for clarity)</span> |
1760 |
-/usr/bin/skype |
1761 |
-/usr/share/... <span class="code-comment"># Unrelated to the application but used by distribution</span> |
1762 |
-/opt/skype/skype |
1763 |
-/opt/skype/sounds/... |
1764 |
-/opt/skype/lang/... |
1765 |
-/opt/skype/avatars/... |
1766 |
-</pre></td></tr> |
1767 |
-</table> |
1768 |
-<p> |
1769 |
-Given this information, we could create the following file context definition: |
1770 |
-</p> |
1771 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1772 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample file context for skype</p></td></tr> |
1773 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1774 |
-/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0) |
1775 |
-/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0) |
1776 |
-HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0) |
1777 |
-</pre></td></tr> |
1778 |
-</table> |
1779 |
-<p> |
1780 |
-We will not give the various skype files a specific label - they are all |
1781 |
-read-only files so can keep the default label assigned to them. |
1782 |
-</p> |
1783 |
-<p> |
1784 |
-Within the <span class="path" dir="ltr">skype.te</span> file, we define the necessary domains and |
1785 |
-also use the first interfaces which are often associated with this kind of |
1786 |
-domains (for reasoning you can read the sources for the apache module or |
1787 |
-other services). A sample module to base our definition from could be |
1788 |
-telepathy... |
1789 |
-</p> |
1790 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1791 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Initial skype module definition</p></td></tr> |
1792 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1793 |
-policy_module(skype, 1.0.0) |
1794 |
- |
1795 |
-type skype_t; |
1796 |
-type skype_exec_t; |
1797 |
-application_domain(skype_t, skype_exec_t) |
1798 |
- |
1799 |
-type skype_home_t; |
1800 |
-userdom_user_home_content(skype_home_t) |
1801 |
- |
1802 |
-# Allow skype_t to put files in the skype_home_t location(s) |
1803 |
-manage_dirs_pattern(skype_t, skype_home_t, skype_home_t) |
1804 |
-manage_files_pattern(skype_t, skype_home_t, skype_home_t) |
1805 |
-userdom_user_home_dir_filetrans(skype_t, skype_home_t, { dir file }) |
1806 |
-userdom_search_user_home_dirs(skype_t) |
1807 |
-</pre></td></tr> |
1808 |
-</table> |
1809 |
-<p> |
1810 |
-Again, we're not going to cover the various interfaces and explain them. They |
1811 |
-are documented and available on the system, and there are plenty of examples to |
1812 |
-use. |
1813 |
-</p> |
1814 |
-<p> |
1815 |
-Finally, we are going to create an interface to allow users to transition to the |
1816 |
-skype_t domain. The idea here is that you add <span class="code" dir="ltr">skype_role(role, domain)</span> in |
1817 |
-the <span class="path" dir="ltr">.te</span> definition of the users' domain or within your own policy. |
1818 |
-</p> |
1819 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1820 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Defining the skype_role interface</p></td></tr> |
1821 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1822 |
-interface(`skype_role',` |
1823 |
- gen_require(` |
1824 |
- type skype_t, skype_exec_t; |
1825 |
- ') |
1826 |
- |
1827 |
- role $1 types skype_t; |
1828 |
- |
1829 |
- domain_auto_trans($2, skype_exec_t, skype_t) |
1830 |
-') |
1831 |
-</pre></td></tr> |
1832 |
-</table> |
1833 |
-<p> |
1834 |
-Build the module and load it in the SELinux module store. Next, create a small |
1835 |
-policy to allow users (user_r, user_t) to access skype: |
1836 |
-</p> |
1837 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1838 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Adding access to skype for users</p></td></tr> |
1839 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1840 |
-~$ <span class="code-input">cat skypeusers.te</span> |
1841 |
-policy_module(skypeusers, 1.0.0) |
1842 |
- |
1843 |
-gen_require(` |
1844 |
- type user_t; |
1845 |
- role user_r; |
1846 |
- type staff_t; |
1847 |
- role staff_r; |
1848 |
-') |
1849 |
- |
1850 |
-optional_policy(` |
1851 |
- skype_role(user_r, user_t) |
1852 |
- skype_role(staff_r, staff_t) |
1853 |
-') |
1854 |
-</pre></td></tr> |
1855 |
-</table> |
1856 |
-<p> |
1857 |
-Build that module as well and load it. A regular SELinux user should now have |
1858 |
-the ability to execute skype_exec_t and transition to the skype_t domain. |
1859 |
-</p> |
1860 |
-<p class="secthead"><a name="doc_chap1_sect1">Dry Run</a></p> |
1861 |
-<p> |
1862 |
-With the policy loaded, do a dry run. Relabel the files of the |
1863 |
-<span class="path" dir="ltr">net-im/skype</span> package (and if you have previously ran skype yourself, |
1864 |
-relabel the <span class="path" dir="ltr">~/.Skype</span> folder as well), then start <span class="code" dir="ltr">skype</span> and both |
1865 |
-watch skype's output as well as the AVC denials. |
1866 |
-</p> |
1867 |
-<p> |
1868 |
-We notice that the binary (skype) hangs and cannot be killed. In the AVC denial |
1869 |
-logs, we notice the following denials: |
1870 |
-</p> |
1871 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1872 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Shown denials while running skype</p></td></tr> |
1873 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1874 |
-Jan 6 22:01:56 hpl kernel: [18418.420427] type=1400 audit(1294347716.358:2221): |
1875 |
-avc: denied { read write } for pid=25540 comm="skype" name="1" dev=devpts |
1876 |
-ino=4 scontext=staff_u:staff_r:skype_t tcontext=staff_u:object_r:user_devpts_t |
1877 |
-tclass=chr_file |
1878 |
-Jan 6 22:01:56 hpl kernel: [18418.420455] type=1400 audit(1294347716.358:2222): |
1879 |
-avc: denied { use } for pid=25540 comm="skype" path="http://www.gentoo.org/dev/pts/1" dev=devpts |
1880 |
-ino=4 scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:staff_t |
1881 |
-tclass=fd |
1882 |
-Jan 6 22:01:56 hpl kernel: [18418.420563] type=1400 audit(1294347716.358:2225): |
1883 |
-avc: denied { sigchld } for pid=6532 comm="bash" |
1884 |
-scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:staff_t tclass=process |
1885 |
-</pre></td></tr> |
1886 |
-</table> |
1887 |
-<p> |
1888 |
-Note that the attempt is done in enforcing mode - running in permissive mode |
1889 |
-will yield more AVC denials and is also a plausible way to create the necessary |
1890 |
-rules. |
1891 |
-</p> |
1892 |
-<p> |
1893 |
-From the denials, we see that skype attempts to use the pts in which the command |
1894 |
-is ran (notice that this fails because we didn't explicitly allow it) and also |
1895 |
-fails to exit properly (a sigchld signal isn't allowed to be submitted). |
1896 |
-</p> |
1897 |
-<p> |
1898 |
-By looking into the example policies already around, we notice that they have |
1899 |
-interfaces in use such as <span class="code" dir="ltr">userdom_use_user_terminals</span> as well as generic |
1900 |
-allowances such as <span class="code" dir="ltr">ps_process_pattern</span> (to allow users to view a process |
1901 |
-and kill it). This is a nice example of how a type enforcement MAC system works: |
1902 |
-nothing is assumed by default. |
1903 |
-</p> |
1904 |
-<p class="secthead"><a name="doc_chap1_sect1">Next Dry Run</a></p> |
1905 |
-<p> |
1906 |
-So after adding some interfaces to allow the use of the user terminals, file |
1907 |
-descriptors and also allow process signals to be sent, we try to run the |
1908 |
-application again. Now, we get: |
1909 |
-</p> |
1910 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1911 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Output of running the skype command</p></td></tr> |
1912 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1913 |
-~$ <span class="code-input">skype</span> |
1914 |
-Killed |
1915 |
- |
1916 |
-~$ <span class="code-input">cat /var/log/avc.log</span> |
1917 |
-Jan 6 22:27:41 hpl kernel: [19961.313321] type=1400 |
1918 |
-audit(1294349261.991:9089017): avc: denied { execmem } for pid=27256 |
1919 |
-comm="skype" scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:skype_t |
1920 |
-tclass=process |
1921 |
-</pre></td></tr> |
1922 |
-</table> |
1923 |
-<p> |
1924 |
-At least <span class="code" dir="ltr">skype</span> now exits. From the AVC log, we see that it wants to call |
1925 |
-execmem (which isn't something we like, but have seen in the past for mozilla as |
1926 |
-well). Okay, let's allow this, rebuild the modules and retry. |
1927 |
-</p> |
1928 |
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
1929 |
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Output of running the skype command again</p></td></tr> |
1930 |
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
1931 |
-~$ <span class="code-input">skype</span> |
1932 |
-./skype: error while loading shared libraries: libasound.so.2: cannot open |
1933 |
-shared object file: Permission denied |
1934 |
- |
1935 |
-~$ <span class="code-input">cat /var/log/avc.log</span> |
1936 |
-Jan 6 22:33:41 hpl kernel: [20319.960127] type=1400 |
1937 |
-audit(1294349621.275:9089042): avc: denied { read } for pid=27536 |
1938 |
-comm="skype" name="libasound.so.2" dev=dm-1 ino=525098 |
1939 |
-scontext=staff_u:staff_r:skype_t tcontext=system_u:object_r:usr_t |
1940 |
-tclass=lnk_file |
1941 |
-</pre></td></tr> |
1942 |
-</table> |
1943 |
-<p> |
1944 |
-Okay, we need to grant it read rights to links within the usr_t domain (and most |
1945 |
-likely then load libraries from the lib_t domain, so we need to add |
1946 |
-<span class="code" dir="ltr">files_read_usr_symlinks</span> and <span class="code" dir="ltr">libs_use_ld_so</span>, etc. |
1947 |
-</p> |
1948 |
-<p class="secthead"><a name="doc_chap1_sect1">Finishing Up</a></p> |
1949 |
-<p> |
1950 |
-After running into the standard "can't start" issues, you'll notice that the |
1951 |
-application then wants to bind and connect to ports - which are also protected |
1952 |
-by SELinux and can be manipulated by various interfaces. It wants to access your |
1953 |
-soundcard and webcam, etc. |
1954 |
-</p> |
1955 |
-<p> |
1956 |
-As you can see from the above information, writing policies correctly isn't |
1957 |
-easy. You need to constantly keep in mind what you are allowing - aren't you |
1958 |
-granting too much? Are you forgetting something? Also, the first time(s) you |
1959 |
-create policies it will take lots of time, but over time you will grow better in |
1960 |
-it. You'll start realizing what all those standard things are that you need to |
1961 |
-allow and what not. |
1962 |
-</p> |
1963 |
-<p> |
1964 |
-Writing SELinux policies isn't hard, but it's far more difficult than setting |
1965 |
-the standard Linux permissions on files and directories. It requires a decent |
1966 |
-knowledge of how the application behaves and what the SELinux reference policy |
1967 |
-interfaces grant when you select them. |
1968 |
-</p> |
1969 |
-<p> |
1970 |
-If you ever feel like writing these policies, don't hesitate to read up on the |
1971 |
-various resources at the end of this book. |
1972 |
-</p> |
1973 |
-</td> |
1974 |
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
1975 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated March 2, 2011</p></td></tr> |
1976 |
-<tr lang="en"><td align="center" class="topsep"> |
1977 |
-<p class="alttext"><b>Donate</b> to support our development efforts. |
1978 |
- </p> |
1979 |
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> |
1980 |
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@g.o"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> |
1981 |
-</form> |
1982 |
-</td></tr> |
1983 |
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> |
1984 |
-</table></td> |
1985 |
-</tr></table></td></tr> |
1986 |
-<tr><td colspan="2" align="right" class="infohead"> |
1987 |
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. |
1988 |
-</td></tr> |
1989 |
-</table></body> |
1990 |
-</html> |
1991 |
|
1992 |
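Review bot: This deletion removes a complete document (the hunk runs through `</html>`) while the commit message says only "Update previews"; if the policy-module chapter (the .te/.fc/.if walkthrough and the skype example) is being relocated rather than dropped, name the destination so the handbook's navigation can be updated, and at its new home fix the mangled AVC log line `path="http://www.gentoo.org/dev/pts/1"`, which for a devpts object should read `path="/dev/pts/1"`.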
diff --git a/html/selinux/hb-using-states.html b/html/selinux/hb-using-states.html |
1993 |
index 41e19bd..98817d2 100644 |
1994 |
--- a/html/selinux/hb-using-states.html |
1995 |
+++ b/html/selinux/hb-using-states.html |
1996 |
@@ -253,7 +253,7 @@ level can access it. |
1997 |
<p class="secthead"><a name="doc_chap1_sect1">Switching Types</a></p> |
1998 |
<p> |
1999 |
It is not recommended to switch between types often. At best, you choose your |
2000 |
-policy type at install type and stick with it. But it is not impossible (nor |
2001 |
+policy type at install time and stick with it. But it is not impossible (nor |
2002 |
that hard) to switch between types. |
2003 |
</p> |
2004 |
<p> |
2005 |
|
2006 |
diff --git a/html/selinux/index.html b/html/selinux/index.html |
2007 |
index c9ffd77..b61b1b8 100644 |
2008 |
--- a/html/selinux/index.html |
2009 |
+++ b/html/selinux/index.html |
2010 |
@@ -84,20 +84,25 @@ As a result, we |
2011 |
<td class="infohead"><b>Role</b></td> |
2012 |
</tr> |
2013 |
<tr> |
2014 |
- <td class="tableinfo">Chris PeBenito</td> |
2015 |
- <td class="tableinfo">pebenito</td> |
2016 |
- <td class="tableinfo">Lead ( Policy, x86, AMD64 )</td> |
2017 |
- </tr> |
2018 |
- <tr> |
2019 |
<td class="tableinfo">Sven Vermeulen</td> |
2020 |
<td class="tableinfo">swift</td> |
2021 |
- <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td> |
2022 |
+ <td class="tableinfo">Lead ( Documentation, Userspace tools, Policy development )</td> |
2023 |
</tr> |
2024 |
<tr> |
2025 |
<td class="tableinfo">Anthony G. Basile</td> |
2026 |
<td class="tableinfo">blueness</td> |
2027 |
<td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td> |
2028 |
</tr> |
2029 |
+ <tr> |
2030 |
+ <td class="tableinfo">Chris PeBenito</td> |
2031 |
+ <td class="tableinfo">pebenito</td> |
2032 |
+ <td class="tableinfo">Developer ( Policy development, Userspace tools )</td> |
2033 |
+ </tr> |
2034 |
+ <tr> |
2035 |
+ <td class="tableinfo">Matt Thode</td> |
2036 |
+ <td class="tableinfo">prometheanfire</td> |
2037 |
+ <td class="tableinfo">Developer ( Policy development, Support )</td> |
2038 |
+ </tr> |
2039 |
</table> |
2040 |
<p> |
2041 |
All developers can be reached by e-mail using <span class="code" dir="ltr">nickname@g.o</span>. |
2042 |
@@ -135,6 +140,9 @@ The following people, although non-developer, are actively contributing to the p |
2043 |
<a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a> |
2044 |
</li> |
2045 |
<li> |
2046 |
+ <a href="selinux-bugreporting.html">Reporting SELinux (policy) bugs</a> |
2047 |
+ </li> |
2048 |
+ <li> |
2049 |
<a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a> |
2050 |
</li> |
2051 |
<li> |
2052 |
|
2053 |
diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html |
2054 |
index bd04178..a903353 100644 |
2055 |
--- a/html/selinux/selinux-handbook.html |
2056 |
+++ b/html/selinux/selinux-handbook.html |
2057 |
@@ -23,11 +23,11 @@ |
2058 |
|
2059 |
[ < ] |
2060 |
|
2061 |
- [ <a href="selinux-handbook.xml">Home</a> ] |
2062 |
+ [ <a href="pebenito@g.o">Home</a> ] |
2063 |
|
2064 |
- [ <a href="selinux-handbook.xml?part=1">></a> ] |
2065 |
+ [ <a href="pebenito@g.o?part=1">></a> ] |
2066 |
|
2067 |
- [ <a href="selinux-handbook.xml?part=1">>></a> ] |
2068 |
+ [ <a href="pebenito@g.o?part=1">>></a> ] |
2069 |
</p> |
2070 |
<hr> |
2071 |
<h1>Gentoo SELinux Handbook</h1> |
2072 |
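Review bot: The replacement target in these three lines is wrong: `href="selinux-handbook.xml"` and `href="selinux-handbook.xml?part=1"` become `href="pebenito@g.o"` and `href="pebenito@g.o?part=1"`, which is a developer e-mail alias (the index page says developers are reached as `nickname@g.o`), not a document, so the Home, > and >> navigation links now break. This looks like a stray search-and-replace; the other links added in this commit point at .html previews (`selinux-bugreporting.html`, `selinux-development.html`), so restore the handbook link target in that form.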
@@ -111,11 +111,11 @@ them. |
2073 |
|
2074 |
[ < ] |
2075 |
|
2076 |
- [ <a href="selinux-handbook.xml">Home</a> ] |
2077 |
+ [ <a href="pebenito@g.o">Home</a> ] |
2078 |
|
2079 |
- [ <a href="selinux-handbook.xml?part=1">></a> ] |
2080 |
+ [ <a href="pebenito@g.o?part=1">></a> ] |
2081 |
|
2082 |
- [ <a href="selinux-handbook.xml?part=1">>></a> ] |
2083 |
+ [ <a href="pebenito@g.o?part=1">>></a> ] |
2084 |
</p> |
2085 |
<hr> |
2086 |
<p class="copyright"> |
2087 |
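Review bot: Same broken substitution as in the header navigation: the footer's Home, > and >> links are rewritten to `pebenito@g.o` and `pebenito@g.o?part=1`, an e-mail alias with a query string appended, rather than the handbook document. Revert these three lines or point them at the handbook preview page like the other links in this commit.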
@@ -136,8 +136,8 @@ them. |
2088 |
--> |
2089 |
</td> |
2090 |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
2091 |
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-handbook.xml?style=printable">Print</a></p></td></tr> |
2092 |
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="selinux-handbook.xml?full=1">View all</a></p></td></tr> |
2093 |
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@g.o?style=printable">Print</a></p></td></tr> |
2094 |
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="pebenito@g.o?full=1">View all</a></p></td></tr> |
2095 |
<tr><td class="topsep" align="center"><p class="alttext">Updated September 18, 2011</p></td></tr> |
2096 |
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> |
2097 |
This is the Gentoo SELinux Handbook. |
2098 |
|
2099 |
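Review bot: The Print and View-all links are also redirected, to `pebenito@g.o?style=printable` and `pebenito@g.o?full=1`; the `?style=printable` and `?full=1` query strings only mean something for the handbook document, so these hrefs need to go back to the handbook page. Before committing, grep the tree for `pebenito@g.o?` so every hit of the bad replacement is caught at once rather than hunk by hunk.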
diff --git a/html/support-state.html b/html/support-state.html |
2100 |
index 94aad74..a42568c 100644 |
2101 |
--- a/html/support-state.html |
2102 |
+++ b/html/support-state.html |
2103 |
@@ -178,12 +178,12 @@ reports and feedback). |
2104 |
<tr> |
2105 |
<td class="tableinfo">x86</td> |
2106 |
<td class="tableinfo">In place</td> |
2107 |
- <td class="tableinfo">Still ~arch for the time being</td> |
2108 |
+ <td class="tableinfo"></td> |
2109 |
</tr> |
2110 |
<tr> |
2111 |
<td class="tableinfo">amd64 / x86_64</td> |
2112 |
<td class="tableinfo">In place</td> |
2113 |
- <td class="tableinfo">Still ~arch for the time being</td> |
2114 |
+ <td class="tableinfo"></td> |
2115 |
</tr> |
2116 |
<tr> |
2117 |
<td class="tableinfo">ppc</td> |
2118 |
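Review bot: The two emptied `<td class="tableinfo"></td>` cells leave the notes column blank for x86 and amd64; if the point is that these arches are no longer ~arch, say so in the cell (e.g. "Stable") so the table still states the support status, rather than leaving a blank that reads as unknown.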
@@ -235,7 +235,7 @@ reports and feedback). |
2119 |
</td> |
2120 |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
2121 |
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr> |
2122 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 25, 2011</p></td></tr> |
2123 |
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 17, 2011</p></td></tr> |
2124 |
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> |
2125 |
The support state of the Gentoo Hardened project describes the supported |
2126 |
platforms, setups and additional requirements for each of the subprojects |