Gentoo Archives: gentoo-commits

From: "Sven Vermeulen (swift)" <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-intro-concepts.xml hb-using-install.xml hb-using-policies.xml hb-using-states.xml
Date: Sun, 29 Apr 2012 14:26:55
Message-Id: 20120429142640.DD4D82004B@flycatcher.gentoo.org
1 swift 12/04/29 14:26:40
2
3 Modified: hb-intro-concepts.xml hb-using-install.xml
4 hb-using-policies.xml hb-using-states.xml
5 Log:
6 Update with 20120215 related material
7
8 Revision Changes Path
9 1.9 xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml
10
11 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml?rev=1.9&view=markup
12 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml?rev=1.9&content-type=text/plain
13 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml?r1=1.8&r2=1.9
14
15 Index: hb-intro-concepts.xml
16 ===================================================================
17 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml,v
18 retrieving revision 1.8
19 retrieving revision 1.9
20 diff -u -r1.8 -r1.9
21 --- hb-intro-concepts.xml 10 Apr 2012 20:19:19 -0000 1.8
22 +++ hb-intro-concepts.xml 29 Apr 2012 14:26:40 -0000 1.9
23 @@ -4,11 +4,11 @@
24 <!-- The content of this document is licensed under the CC-BY-SA license -->
25 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
26
27 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml,v 1.8 2012/04/10 20:19:19 swift Exp $ -->
28 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml,v 1.9 2012/04/29 14:26:40 swift Exp $ -->
29
30 <sections>
31 -<version>5</version>
32 -<date>2011-07-21</date>
33 +<version>6</version>
34 +<date>2012-04-29</date>
35
36 <section>
37 <title>Introduction</title>
38 @@ -81,6 +81,13 @@
39 that the <e>mls</e> policy is currently not fit yet for production use.
40 </p>
41
42 +<note>
43 +To clear up some confusion, especially when trying to seek support outside
44 +Gentoo: our "strict" implementation is not what was "strict" up to the year
45 +2008. The old meaning of strict involved a different implementation of the
46 +policy.
47 +</note>
48 +
49 </body>
50 </subsection>
51 </section>
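Review bot: the added note says what Gentoo's "strict" is not, but not what it is, so a reader seeking support outside Gentoo still cannot map the name onto the upstream policy type. Suggest adding one sentence stating which reference policy type the current "strict" corresponds to, and tightening "especially when trying to seek support outside Gentoo" to "especially when seeking support outside Gentoo".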
52
53
54
55 1.15 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
56
57 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.15&view=markup
58 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.15&content-type=text/plain
59 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.14&r2=1.15
60
61 Index: hb-using-install.xml
62 ===================================================================
63 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
64 retrieving revision 1.14
65 retrieving revision 1.15
66 diff -u -r1.14 -r1.15
67 --- hb-using-install.xml 10 Apr 2012 20:19:19 -0000 1.14
68 +++ hb-using-install.xml 29 Apr 2012 14:26:40 -0000 1.15
69 @@ -4,11 +4,11 @@
70 <!-- The content of this document is licensed under the CC-BY-SA license -->
71 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
72
73 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.14 2012/04/10 20:19:19 swift Exp $ -->
74 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.15 2012/04/29 14:26:40 swift Exp $ -->
75
76 <sections>
77 -<version>20</version>
78 -<date>2012-04-10</date>
79 +<version>21</version>
80 +<date>2012-04-29</date>
81
82 <section>
83 <title>Installing Gentoo (Hardened)</title>
84 @@ -91,6 +91,10 @@
85 </body>
86 </subsection>
87 -->
88 +<!--
89 +TODO Validate after 2.20120215-r8 is stable that this is no longer
90 +necessary? Not sure about it though : check userspace ebuilds as well.
91 +-->
92 <subsection>
93 <title>Switching to Python 2</title>
94 <body>
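Review bot: the added TODO does not say which step "this" refers to; it sits between the closing `-->` of a commented-out block and the "Switching to Python 2" subsection, so it is ambiguous which of the two it is meant to retire. Suggest naming the step in the comment (e.g. "TODO Validate after 2.20120215-r8 is stable that the Python 2 switch is no longer necessary") and, since the comment already doubts its own condition ("check userspace ebuilds as well"), recording which ebuilds need checking so the next editor can actually resolve it.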
95 @@ -273,19 +277,6 @@
96 </p>
97
98 <ul>
99 - <!--
100 - TODO When 2.20120215-r5 or higher is stabilized, the LVM change is not needed
101 - anymore
102 - -->
103 - <li>
104 - If you use LVM for one or more file systems, you need to edit
105 - <path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>)
106 - and <path>lvm-stop.sh</path> and set the config location from
107 - <path>/dev/.lvm</path> to <path>/etc/lvm/lock</path>. Next, create the
108 - <path>/etc/lvm/lock</path> directory. Finally, add
109 - <path>/lib(64)/rcscripts/addons</path> to <c>CONFIG_PROTECT</c> in your
110 - <path>make.conf</path> file.
111 - </li>
112 <li>
113 Check if you have <path>*.old</path> files in <path>/bin</path>. If you do,
114 either remove those or make them a copy of their counterpart so that they
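Review bot: the removed TODO made this workaround conditional on 2.20120215-r5 or higher being stabilized, but neither the hunk nor the commit log ("Update with 20120215 related material") states that this has happened. If the newer policy is not yet in the stable tree, users following the handbook on the stable policy still need the `lvm-start.sh`/`lvm-stop.sh` change; suggest either confirming stabilization in the log or keeping the item behind a version-qualified sentence ("If you run a policy older than 2.20120215-r5 ...") until it is.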
115 @@ -411,8 +402,8 @@
116
117 <pre caption="Enabling selinux-specific file system options">
118 <comment># The udev mount is due to bug #373381</comment>
119 -udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
120 -none /selinux selinuxfs defaults 0 0
121 +udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
122 +none /sys/fs/selinux selinuxfs defaults 0 0
123 </pre>
124
125 <note>
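Review bot: the `udev /dev tmpfs ...` line is removed and re-added with identical visible content, so that part of the hunk most likely carries only a whitespace change; suggest dropping that noise so the diff shows the one real change, the selinuxfs mountpoint moving from `/selinux` to `/sys/fs/selinux`. That move also deserves a sentence of context in the text: the `/sys/fs/selinux` mountpoint only exists on kernels that provide it, and the fstab entry as written will fail to mount at boot on a kernel that does not, so state the minimum kernel version next to the entry.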
126 @@ -420,14 +411,6 @@
127 level, so <c>...:device_t:s0</c>.
128 </note>
129
130 -<p>
131 -Make the <path>/selinux</path> mountpoint as well:
132 -</p>
133 -
134 -<pre caption="Creating the /selinux mountpoint">
135 -~# <i>mkdir /selinux</i>
136 -</pre>
137 -
138 </body>
139 </subsection>
140 <subsection>
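Review bot: dropping the mkdir step is right for the new mountpoint, which sysfs provides, but installations that followed the previous revision still carry a `/selinux` directory and an fstab entry pointing at it. Suggest a short migration sentence here telling such users to update the fstab entry to `/sys/fs/selinux` and remove the now-unused `/selinux` directory, so that the handbook's single documented path is also what those systems end up with.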
141 @@ -436,7 +419,7 @@
142
143 <p>
144 With the above changes made, reboot your system. Assert yourself that you are
145 -now running a Linux kernel with SELinux enabled (the <path>/selinux</path> file
146 +now running a Linux kernel with SELinux enabled (the <path>/sys/fs/selinux</path> file
147 system should be mounted). Don't worry - SELinux is at this point not activated.
148 </p>
149
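Review bot: "Assert yourself that you are now running" is awkward; suggest "Make sure that you are now running". The check itself is left to the reader, and this is the first point where a wrong or missing selinuxfs mount would show, so suggest giving the concrete verification, for example that the output of `mount` lists a `selinuxfs` entry on `/sys/fs/selinux`, so the problem is caught before the reader proceeds to enable SELinux.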
150
151
152
153 1.4 xml/htdocs/proj/en/hardened/selinux/hb-using-policies.xml
154
155 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policies.xml?rev=1.4&view=markup
156 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policies.xml?rev=1.4&content-type=text/plain
157 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policies.xml?r1=1.3&r2=1.4
158
159 Index: hb-using-policies.xml
160 ===================================================================
161 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policies.xml,v
162 retrieving revision 1.3
163 retrieving revision 1.4
164 diff -u -r1.3 -r1.4
165 --- hb-using-policies.xml 10 Apr 2012 20:19:19 -0000 1.3
166 +++ hb-using-policies.xml 29 Apr 2012 14:26:40 -0000 1.4
167 @@ -4,11 +4,11 @@
168 <!-- The content of this document is licensed under the CC-BY-SA license -->
169 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
170
171 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policies.xml,v 1.3 2012/04/10 20:19:19 swift Exp $ -->
172 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-policies.xml,v 1.4 2012/04/29 14:26:40 swift Exp $ -->
173
174 <sections>
175 -<version>3</version>
176 -<date>2012-03-01</date>
177 +<version>4</version>
178 +<date>2012-04-29</date>
179
180 <section>
181 <title>SELinux Policy Language</title>
182 @@ -341,6 +341,121 @@
183 ')
184 </pre>
185
186 +<p>
187 +The following table shows a few common interfaces that could be in use. We
188 +seriously recommend to look at the available interfaces when enhancing or
189 +creating your own modules - and be sure to pick the interface that adds just
190 +what you need, nothing more.
191 +</p>
192 +
193 +<table>
194 +<tr>
195 + <th colspan="3">Templates</th>
196 +</tr>
197 +<tr>
198 + <th>Suffix</th>
199 + <th>Example</th>
200 + <th>Description</th>
201 +</tr>
202 +<tr>
203 + <ti>_template</ti>
204 + <ti>virt_domain_template(prefix)</ti>
205 + <ti>
206 + Not really an interface, templates create additional domains based on the
207 + information given to them. This is usually done for fine-grained policy
208 + templates with a common (sub)set of privileges.
209 + </ti>
210 +</tr>
211 +<tr>
212 + <th colspan="3">Transformations</th>
213 +</tr>
214 +<tr>
215 + <th>Suffix</th>
216 + <th>Example</th>
217 + <th>Description</th>
218 +</tr>
219 +<tr>
220 + <ti></ti>
221 + <ti>miscfiles_cert_type(resource)</ti>
222 + <ti>
223 + Transformation interfaces generally add specific attributes to resources or
224 + domains. Attributes "transform" the given resource into something more. In
225 + the given example, the miscfiles_cert_type(resource) assigns the cert_type
226 + attribute to the resource (and also marks it as a file). Interfaces, like
227 + miscfiles_read_all_certs work on these attributes.
228 + </ti>
229 +</tr>
230 +<tr>
231 + <th colspan="3">Access interfaces</th>
232 +</tr>
233 +<tr>
234 + <th>Suffix</th>
235 + <th>Example</th>
236 + <th>Description</th>
237 +</tr>
238 +<tr>
239 + <ti>_&lt;access&gt;_&lt;resource&gt;</ti>
240 + <ti>mta_getattr_spool(domain)</ti>
241 + <ti>
242 + Grant the specified domain access towards the shown resource. The resource
243 + usually defines the type too (like kudzu_getattr_exec_files: grant getattr
244 + on the kudzu_exec_t files) unless it is obvious from the name, or when the
245 + resource is a more specific term towards the domain. It can also include
246 + dontaudit (like mta_dontaudit_getattr_spool).
247 + </ti>
248 +</tr>
249 +<tr>
250 + <ti>_exec</ti>
251 + <ti>dmesg_exec(domain)</ti>
252 + <ti>
253 + Grant one domain the right to execute the given domains' executable file (in
254 + the example, allow "domain" to execute dmesg_exec_t files), but without
255 + implying that the domains transition. In other words, dmesg gets executed
256 + but still confined by the privileges of the source domain.
257 + </ti>
258 +</tr>
259 +<tr>
260 + <ti>_domtrans</ti>
261 + <ti>dmesg_domtrans(domain)</ti>
262 + <ti>
263 + Grant one domain execute and transition privileges towards the new domain.
264 + This interface is most commonly used to allow application domains to
265 + transition to another. In the given example, dmesg is ran with the
266 + privileges of the dmesg_t domain.
267 + </ti>
268 +</tr>
269 +<tr>
270 + <ti>_run</ti>
271 + <ti>netutils_run(domain, role)</ti>
272 + <ti>
273 + Grant a given role and domain the rights to execute and transition towards
274 + the given domain. This is usually granted to (existing) user roles and
275 + domains and gives them the set of privileges needed to interact safely with
276 + the new (interactive) domain (such as terminal access).
277 + </ti>
278 +</tr>
279 +<tr>
280 + <ti>_role</ti>
281 + <ti>xserver_role(role, domain)</ti>
282 + <ti>
283 + Allow the given role and domain the necessary permissions to transition and
284 + interact with the given domain. This interface is enhanced with the
285 + privileges to interact with the domain (and its underlying files) more
286 + thoroughly, and is usually assigned to newly created users or roles within
287 + the policy (rather than enhance existing user domains and roles).
288 + </ti>
289 +</tr>
290 +<tr>
291 + <ti>_admin</ti>
292 + <ti>aide_admin(domain)</ti>
293 + <ti>
294 + Grant the given domain the rights to administer the target domains'
295 + environment. This usually involves privileges to manage and relabel all
296 + affiliated files, directories, sockets, etc.
297 + </ti>
298 +</tr>
299 +</table>
300 +
301 </body>
302 </subsection>
303 </section>
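Review bot: the Transformations row has an empty Suffix cell (`<ti></ti>`) while its example is `miscfiles_cert_type(resource)`; the suffix is `_type`, so fill the cell in rather than leaving it blank. Wording in the same hunk: "We seriously recommend to look at" reads better as "We strongly recommend looking at"; "dmesg is ran with the privileges" should be "dmesg is run with the privileges"; "the given domains' executable file" and "the target domains' environment" each refer to a single domain and should be "domain's"; and "Interfaces, like miscfiles_read_all_certs work on these attributes" needs either a comma after the interface name or none at all. The `_exec` description could also spell out the consequence it hints at: because no transition happens, dmesg runs with the caller's type and every access it needs must already be allowed to that domain, which is the reason `_domtrans` is normally preferred for applications that need their own privileges.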
304
305
306
307 1.5 xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml
308
309 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.5&view=markup
310 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?rev=1.5&content-type=text/plain
311 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml?r1=1.4&r2=1.5
312
313 Index: hb-using-states.xml
314 ===================================================================
315 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v
316 retrieving revision 1.4
317 retrieving revision 1.5
318 diff -u -r1.4 -r1.5
319 --- hb-using-states.xml 10 Apr 2012 20:19:19 -0000 1.4
320 +++ hb-using-states.xml 29 Apr 2012 14:26:40 -0000 1.5
321 @@ -4,11 +4,11 @@
322 <!-- The content of this document is licensed under the CC-BY-SA license -->
323 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
324
325 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.4 2012/04/10 20:19:19 swift Exp $ -->
326 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-states.xml,v 1.5 2012/04/29 14:26:40 swift Exp $ -->
327
328 <sections>
329 -<version>1</version>
330 -<date>2011-10-15</date>
331 +<version>2</version>
332 +<date>2012-04-29</date>
333
334 <section>
335 <title>SELinux States</title>
336 @@ -191,6 +191,26 @@
337
338 </body>
339 </subsection>
340 +<subsection>
341 +<title>Domain-permissive Mode</title>
342 +<body>
343 +
344 +<p>
345 +You can also opt to mark a single domain permissive while running the rest of
346 +the system in an enforcing state. For instance, to mark mplayer_t as a
347 +permissive domain (which means that SELinux does not enforce anything):
348 +</p>
349 +
350 +<pre caption="Marking mplayer_t as permissive">
351 +# <i>semanage permissive -a mplayer_t</i>
352 +</pre>
353 +
354 +<p>
355 +With the <c>-d</c> option, you can remove the permissive mark again.
356 +</p>
357 +
358 +</body>
359 +</subsection>
360 </section>
361
362 <section>
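Review bot: "(which means that SELinux does not enforce anything)" reads as a system-wide statement and contradicts the preceding clause about the rest of the system staying enforcing. Suggest "(which means that SELinux does not enforce any policy decision for processes in that domain, although denials are still logged)", and since the paragraph on `-d` only describes removing the mark, add that `semanage permissive -l` lists the domains currently marked permissive, so an administrator can confirm no domain is accidentally left permissive after debugging.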