commit: e4f04e14465866f91e580ce149eb8c9b9fc05cbf |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Thu Dec 22 12:57:44 2011 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Thu Dec 22 12:57:44 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e4f04e14 |
|
Drop module information; it now lives at wiki.g.o |
|
--- |
xml/selinux/modules/apache.xml | 586 --------------------------------------- |
xml/selinux/modules/bind.xml | 132 --------- |
xml/selinux/modules/cron.xml | 389 -------------------------- |
xml/selinux/modules/index.xml | 69 ----- |
xml/selinux/modules/ldap.xml | 105 ------- |
xml/selinux/modules/portage.xml | 325 ---------------------- |
xml/selinux/modules/ssh.xml | 102 ------- |
7 files changed, 0 insertions(+), 1708 deletions(-) |
|
diff --git a/xml/selinux/modules/apache.xml b/xml/selinux/modules/apache.xml |
21 |
deleted file mode 100644 |
22 |
index 4d6350e..0000000 |
23 |
--- a/xml/selinux/modules/apache.xml |
24 |
+++ /dev/null |
25 |
@@ -1,586 +0,0 @@ |
26 |
-<?xml version="1.0" encoding="UTF-8"?> |
27 |
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
28 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ --> |
29 |
- |
30 |
-<guide link="/proj/en/hardened/selinux/modules/apache.xml" lang="en"> |
31 |
-<title>SELinux Apache Module</title> |
32 |
-<author title="Author"> |
33 |
- <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail> |
34 |
-</author> |
35 |
- |
36 |
-<abstract> |
37 |
-Within SELinux, the apache module is responsible for defining the |
38 |
-web server related domains and privileges. It is not tied to Apache, despite |
39 |
-its name. |
40 |
-</abstract> |
41 |
- |
42 |
-<!-- The content of this document is licensed under the CC-BY-SA license --> |
43 |
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 --> |
44 |
-<license/> |
45 |
- |
46 |
-<version>1</version> |
47 |
-<date>2011-06-02</date> |
48 |
- |
49 |
-<chapter> |
50 |
-<title>Structure</title> |
51 |
-<section> |
52 |
-<title>Domains</title> |
53 |
-<body> |
54 |
- |
55 |
-<figure link="./images/apachedomain.png" short="General Apache domain overview" |
56 |
-caption="General Apache domain overview" /> |
57 |
- |
58 |
-<p> |
59 |
-The <c>apache</c> module provides the following domains: |
60 |
-</p> |
61 |
- |
62 |
-<table> |
63 |
-<tr> |
64 |
- <th>Domain</th> |
65 |
- <th>Process(es)</th> |
66 |
- <th>Description</th> |
67 |
-</tr> |
68 |
-<tr> |
69 |
- <ti>httpd_t</ti> |
70 |
- <ti>apache<br />lighttpd</ti> |
71 |
- <ti>Webserver processes</ti> |
72 |
-</tr> |
73 |
-<tr> |
74 |
- <ti>httpd_helper_t</ti> |
75 |
- <ti>htsslpass</ti> |
76 |
- <ti>Domain for the htsslpass process</ti> |
77 |
-</tr> |
78 |
-<tr> |
79 |
- <ti>httpd_php_t</ti> |
80 |
- <ti>php-cgi</ti> |
81 |
- <ti>Domain for PHP support through CGI (php-cgi process)</ti> |
82 |
-</tr> |
83 |
-<tr> |
84 |
- <ti>httpd_rotatelogs_t</ti> |
85 |
- <ti>rotatelogs</ti> |
86 |
- <ti>Domain for the rotatelogs process</ti> |
87 |
-</tr> |
88 |
-<tr> |
89 |
- <ti>httpd_suexec_t</ti> |
90 |
- <ti>suexec</ti> |
91 |
- <ti> |
92 |
- Domain used by the webserver suexec process to switch to another user |
93 |
- before calling and executing a script |
94 |
- </ti> |
95 |
-</tr> |
96 |
-<tr> |
97 |
- <ti>httpd_sys_script_t</ti> |
98 |
- <ti></ti> |
99 |
- <ti>Domain used by the system/package-provided CGI scripts</ti> |
100 |
-</tr> |
101 |
-<tr> |
102 |
- <ti>httpd_user_script_t</ti> |
103 |
- <ti></ti> |
104 |
- <ti>Domain used by the user-provided CGI scripts</ti> |
105 |
-</tr> |
106 |
-</table> |
107 |
- |
108 |
-<impo> |
109 |
-The <c>apache</c> module allows other modules to define their own domains and |
110 |
-types for use by the webservers. This is done through templates. The reference |
111 |
-policy by default enabled two of such templated sets for <e>user</e> and |
112 |
-<e>sys</e>, which you can see in domains like <c>httpd_sys_script_t</c> and |
113 |
-<c>httpd_user_script_t</c>. It is very well possible that on your system, more |
114 |
-of these template-instantiated domains exist. |
115 |
-</impo> |
116 |
- |
117 |
-</body> |
118 |
-</section> |
119 |
-<section> |
120 |
-<title>File Types/Labels</title> |
121 |
-<body> |
122 |
- |
123 |
-<p> |
124 |
-The following table lists the file type/labels defined in the <c>apache</c> |
125 |
-module. |
126 |
-</p> |
127 |
- |
128 |
-<ul> |
129 |
- <li> |
130 |
- If the function mentions <e>(templated)</e> then it means that the types |
131 |
- are generated by the <c>apache</c> module, but that similar others might |
132 |
- exist on your system (called through other modules). |
133 |
- </li> |
134 |
- <li> |
135 |
- When talking about <e>scripts</e>, we mean CGI scripts or other scripts that |
136 |
- are triggered from the webserver, not from an interactive shell session. |
137 |
- </li> |
138 |
-</ul> |
139 |
- |
140 |
- |
141 |
- |
142 |
-<table> |
143 |
-<tr> |
144 |
- <th>Type</th> |
145 |
- <th>Function</th> |
146 |
- <th>Description</th> |
147 |
-</tr> |
148 |
-<tr> |
149 |
- <ti>httpd_exec_t</ti> |
150 |
- <ti>Entrypoint</ti> |
151 |
- <ti>Entrypoint for the webserver processes</ti> |
152 |
-</tr> |
153 |
-<tr> |
154 |
- <ti>httpd_initrc_exec_t</ti> |
155 |
- <ti>Entrypoint</ti> |
156 |
- <ti>Entrypoint for the webserver init scripts</ti> |
157 |
-</tr> |
158 |
-<tr> |
159 |
- <ti>httpd_helper_exec_t</ti> |
160 |
- <ti>Entrypoint</ti> |
161 |
- <ti>Entrypoint for the webserver helper processes</ti> |
162 |
-</tr> |
163 |
-<tr> |
164 |
- <ti>httpd_php_exec_t</ti> |
165 |
- <ti>Entrypoint</ti> |
166 |
- <ti>Entrypoint for the PHP scripts</ti> |
167 |
-</tr> |
168 |
-<tr> |
169 |
- <ti>httpd_rotatelogs_exec_t</ti> |
170 |
- <ti>Entrypoint</ti> |
171 |
- <ti>Entrypoint for the rotatelog helper</ti> |
172 |
-</tr> |
173 |
-<tr> |
174 |
- <ti>httpd_suexec_exec_t</ti> |
175 |
- <ti>Entrypoint</ti> |
176 |
- <ti>Entrypoint for the suexec wrapper</ti> |
177 |
-</tr> |
178 |
-<tr> |
179 |
- <ti>httpd_sys_script_exec_t</ti> |
180 |
- <ti>Entrypoint (templated)</ti> |
181 |
- <ti> |
182 |
- Entrypoint for system CGI scripts (or other callable scripts) that need |
183 |
- access to the system content files (httpd_sys_content_t) |
184 |
- </ti> |
185 |
-</tr> |
186 |
-<tr> |
187 |
- <ti>httpd_user_script_exec_t</ti> |
188 |
- <ti>Entrypoint (templated)</ti> |
189 |
- <ti> |
190 |
- Entrypoint for the user-provided scripts callable from the webserver instances |
191 |
- </ti> |
192 |
-</tr> |
193 |
-<tr> |
194 |
- <ti>httpd_squirrelmail_t</ti> |
195 |
- <ti>Content</ti> |
196 |
- <ti>Squirrelmail files</ti> |
197 |
-</tr> |
198 |
-<tr> |
199 |
- <ti>squirrelmail_spool_t</ti> |
200 |
- <ti>Content</ti> |
201 |
- <ti>Squirrelmail attachment location</ti> |
202 |
-</tr> |
203 |
-<tr> |
204 |
- <ti>httpd_sys_content_t</ti> |
205 |
- <ti>Content (templated)</ti> |
206 |
- <ti> |
207 |
- Readable content for the webservers and system scripts, offered through |
208 |
- the system / packages. |
209 |
- </ti> |
210 |
-</tr> |
211 |
-<tr> |
212 |
- <ti>httpd_sys_htaccess_t</ti> |
213 |
- <ti>Content (templated)</ti> |
214 |
- <ti> |
215 |
- Label for the htaccess files, readable by the webserver but not from scripts |
216 |
- or other webserver related domains. |
217 |
- </ti> |
218 |
-</tr> |
219 |
-<tr> |
220 |
- <ti>httpd_sys_rw_content_t</ti> |
221 |
- <ti>Content (templated)</ti> |
222 |
- <ti> |
223 |
- Read and writeable content for the webservers and system scripts (not user |
224 |
- scripts). |
225 |
- </ti> |
226 |
-</tr> |
227 |
-<tr> |
228 |
- <ti>httpd_sys_ra_content_t</ti> |
229 |
- <ti>Content (templated)</ti> |
230 |
- <ti> |
231 |
- Read and appendable content for the webservers and system scripts (not user |
232 |
- scripts). |
233 |
- </ti> |
234 |
-</tr> |
235 |
-<tr> |
236 |
- <ti>httpd_user_content_t</ti> |
237 |
- <ti>Content (templated)</ti> |
238 |
- <ti> |
239 |
- Readable content for the webservers and user scripts, offered by (and |
240 |
- writeable by) users. |
241 |
- </ti> |
242 |
-</tr> |
243 |
-<tr> |
244 |
- <ti>httpd_user_htaccess_t</ti> |
245 |
- <ti>Content (templated)</ti> |
246 |
- <ti> |
247 |
- Label for the htaccess files, readable by the webserver but not from scripts |
248 |
- or other webserver related domains. |
249 |
- </ti> |
250 |
-</tr> |
251 |
-<tr> |
252 |
- <ti>httpd_user_rw_content_t</ti> |
253 |
- <ti>Content (templated)</ti> |
254 |
- <ti> |
255 |
- Read and writeable content for the webservers and user scripts (not system |
256 |
- scripts). |
257 |
- </ti> |
258 |
-</tr> |
259 |
-<tr> |
260 |
- <ti>httpd_user_ra_content_t</ti> |
261 |
- <ti>Content (templated)</ti> |
262 |
- <ti> |
263 |
- Read and appendable content for the webservers and user scripts (not system |
264 |
- scripts). |
265 |
- </ti> |
266 |
-</tr> |
267 |
-<tr> |
268 |
- <ti>httpd_php_tmp_t</ti> |
269 |
- <ti>Temporary Files</ti> |
270 |
- <ti>Temporary files from the PHP scripts</ti> |
271 |
-</tr> |
272 |
-<tr> |
273 |
- <ti>httpd_suexec_tmp_t</ti> |
274 |
- <ti>Temporary Files</ti> |
275 |
- <ti>Temporery files for the suexec domain</ti> |
276 |
-</tr> |
277 |
-<tr> |
278 |
- <ti>httpd_tmp_t<br />httpd_tmpfs_t</ti> |
279 |
- <ti>Temporary Files</ti> |
280 |
- <ti>Temporary files from the httpd domain</ti> |
281 |
-</tr> |
282 |
- |
283 |
-<tr> |
284 |
- <ti>httpd_cache_t</ti> |
285 |
- <ti></ti> |
286 |
- <ti>Web server cache</ti> |
287 |
-</tr> |
288 |
-<tr> |
289 |
- <ti>httpd_config_t</ti> |
290 |
- <ti></ti> |
291 |
- <ti>Configuration files</ti> |
292 |
-</tr> |
293 |
-<tr> |
294 |
- <ti>httpd_lock_t</ti> |
295 |
- <ti></ti> |
296 |
- <ti>Lock files</ti> |
297 |
-</tr> |
298 |
-<tr> |
299 |
- <ti>httpd_log_t</ti> |
300 |
- <ti></ti> |
301 |
- <ti>Web server log files</ti> |
302 |
-</tr> |
303 |
-<tr> |
304 |
- <ti>httpd_modules_t</ti> |
305 |
- <ti></ti> |
306 |
- <ti>Webserver modules</ti> |
307 |
-</tr> |
308 |
-<tr> |
309 |
- <ti>httpd_var_lib_t</ti> |
310 |
- <ti></ti> |
311 |
- <ti>Webserver libraries</ti> |
312 |
-</tr> |
313 |
-<tr> |
314 |
- <ti>httpd_var_run_t</ti> |
315 |
- <ti></ti> |
316 |
- <ti>Runtime files for httpd</ti> |
317 |
-</tr> |
318 |
-</table> |
319 |
- |
320 |
-</body> |
321 |
-</section> |
322 |
-</chapter> |
323 |
-<chapter> |
324 |
-<title>Using Apache</title> |
325 |
-<section> |
326 |
-<title>File Locations</title> |
327 |
-<body> |
328 |
- |
329 |
-<p> |
330 |
-The policy offered only contains the right file context rules for the default |
331 |
-locations. If you deviate from these locations, you'll need to update the |
332 |
-contexts accordingly. |
333 |
-</p> |
334 |
- |
335 |
-<p> |
336 |
-The following table provides an overview of common Apache settings (variables in |
337 |
-<path>httpd.conf</path>) that are often changed by end users, and the file |
338 |
-context that it should have. If you use a different webserver you'll need to |
339 |
-base it on the description instead. |
340 |
-</p> |
341 |
- |
342 |
-<table> |
343 |
-<tr> |
344 |
- <th>Setting in httpd.conf</th> |
345 |
- <th>Description</th> |
346 |
- <th>Default Location</th> |
347 |
- <th>File Context(s)</th> |
348 |
-</tr> |
349 |
-<tr> |
350 |
- <ti>DocumentRoot</ti> |
351 |
- <ti>Location where web content is stored (html pages and such)</ti> |
352 |
- <ti>/srv/localhost/www</ti> |
353 |
- <ti>system_u:object_r:httpd_sys_content_t</ti> |
354 |
-</tr> |
355 |
-<tr> |
356 |
- <ti>Document</ti> |
357 |
- <ti>Location where CGI scripts are stored</ti> |
358 |
- <ti>/srv/localhost/cgi-bin</ti> |
359 |
- <ti>system_u:object_r:httpd_sys_script_exec_t</ti> |
360 |
-</tr> |
361 |
-<tr> |
362 |
- <ti>Directory</ti> |
363 |
- <ti>User home directory location where user-provided content is stored</ti> |
364 |
- <ti>/home/*/public_html</ti> |
365 |
- <ti>system_u:object_r:httpd_user_content_t</ti> |
366 |
-</tr> |
367 |
-<tr> |
368 |
- <ti>Directory</ti> |
369 |
- <ti>User home directory location where user-provided CGI scripts are stored</ti> |
370 |
- <ti>/home/*/public_html/cgi-bin</ti> |
371 |
- <ti>system_u:object_r:httpd_user_script_exec_t</ti> |
372 |
-</tr> |
373 |
-</table> |
374 |
- |
375 |
-</body> |
376 |
-</section> |
377 |
-<section> |
378 |
-<title>Sharing Files</title> |
379 |
-<body> |
380 |
- |
381 |
-<p> |
382 |
-The SELinux policy (as part of the <c>miscfiles</c> module) supports two |
383 |
-additional types: <c>public_content_t</c> and <c>public_content_rw_t</c>. These |
384 |
-are used for what is called <e>anonymous files</e> which are readable by all |
385 |
-file-serving services. If all services only need to read from it, then |
386 |
-<c>public_content_t</c> is used. If at least one services needs to write to it, |
387 |
-use <c>public_content_rw_t</c> and toggle the right SELinux boolean for the |
388 |
-domain that needs write access to it (<c>allow_DOMAIN_anon_write</c>). |
389 |
-</p> |
390 |
- |
391 |
-<p> |
392 |
-For instance, if you have files that are shared by Apache, NFS, Samba, ... you |
393 |
-label these <c>public_content_t</c> (read-only) or <c>public_content_rw_t</c> |
394 |
-(read-write for some) and then toggle the appropriate booleans: |
395 |
-</p> |
396 |
- |
397 |
-<pre caption="Enable write access for the httpd_sys_script_t domain to the public_content_rw_t domain"> |
398 |
-~# <i>setsebool -P allow_httpd_sys_script_anon_write on</i> |
399 |
-</pre> |
400 |
- |
401 |
-</body> |
402 |
-</section> |
403 |
-<section> |
404 |
-<title>Booleans</title> |
405 |
-<body> |
406 |
- |
407 |
-<p> |
408 |
-The <c>apache</c> module has several booleans which manipulate the allowed |
409 |
-permissions within your installation. The table below gives an overview of the |
410 |
-booleans, but also mentions which USE flags you <e>could</e> associate with it. |
411 |
-Note that the booleans are <e>not</e> linked to USE flags. However, if you have |
412 |
-set a particular USE flag for the webserver environment, then you might want to |
413 |
-toggle these booleans as well. |
414 |
-</p> |
415 |
- |
416 |
-<table> |
417 |
-<tr> |
418 |
- <th>Boolean</th> |
419 |
- <th>Description</th> |
420 |
- <th>Gentoo USE flag suggestion</th> |
421 |
-</tr> |
422 |
-<tr> |
423 |
- <ti>allow_httpd_anon_write</ti> |
424 |
- <ti> |
425 |
- Allow the webserver to modify public files (labeled |
426 |
- <c>public_content_rw_t</c>) |
427 |
- </ti> |
428 |
- <ti /> |
429 |
-</tr> |
430 |
-<tr> |
431 |
- <ti>allow_httpd_sys_script_anon_write</ti> |
432 |
- <ti> |
433 |
- Allow the system scripts to modify public files |
434 |
- </ti> |
435 |
- <ti /> |
436 |
-</tr> |
437 |
-<tr> |
438 |
- <ti>allow_httpd_user_script_anon_wriet</ti> |
439 |
- <ti> |
440 |
- Allow the user scripts to modify public files |
441 |
- </ti> |
442 |
- <ti /> |
443 |
-</tr> |
444 |
-<tr> |
445 |
- <ti>allow_httpd_mod_auth_pam</ti> |
446 |
- <ti> |
447 |
- Allow the webserver to use the auth_pam module |
448 |
- </ti> |
449 |
- <ti /> |
450 |
-</tr> |
451 |
-<tr> |
452 |
- <ti>httpd_builtin_scripting</ti> |
453 |
- <ti> |
454 |
- Needed when your webservers use internal scripting languages like PHP |
455 |
- (languages that are read and interpreted by the webserver directly rather than |
456 |
- called through separate processes like with CGI) |
457 |
- </ti> |
458 |
- <ti /> |
459 |
-</tr> |
460 |
-<tr> |
461 |
- <ti>httpd_can_network_connect</ti> |
462 |
- <ti> |
463 |
- Allow the webserver scripts and modules to connect to the network |
464 |
- </ti> |
465 |
- <ti /> |
466 |
-</tr> |
467 |
-<tr> |
468 |
- <ti>httpd_can_network_connect_db</ti> |
469 |
- <ti> |
470 |
- Allow the webserver scripts and modules to connect to databases over the |
471 |
- network |
472 |
- </ti> |
473 |
- <ti /> |
474 |
-</tr> |
475 |
-<tr> |
476 |
- <ti>httpd_can_network_relay</ti> |
477 |
- <ti> |
478 |
- Allow webservers to act as a relay |
479 |
- </ti> |
480 |
- <ti /> |
481 |
-</tr> |
482 |
-<tr> |
483 |
- <ti>httpd_can_sendmail</ti> |
484 |
- <ti> |
485 |
- Allow webservers to send e-mails |
486 |
- </ti> |
487 |
- <ti /> |
488 |
-</tr> |
489 |
-<tr> |
490 |
- <ti>httpd_dbus_avahi</ti> |
491 |
- <ti> |
492 |
- Allow webservers to communicate with avahi service via dbus |
493 |
- </ti> |
494 |
- <ti /> |
495 |
-</tr> |
496 |
-<tr> |
497 |
- <ti>httpd_enable_cgi</ti> |
498 |
- <ti> |
499 |
- Allow webservers to call CGI scripts (labeled <c>httpd_sys_script_exec_t</c> |
500 |
- or <c>httpd_user_script_exec_t</c>) |
501 |
- </ti> |
502 |
- <ti /> |
503 |
-</tr> |
504 |
-<tr> |
505 |
- <ti>httpd_enable_ftp_server</ti> |
506 |
- <ti> |
507 |
- Allow webservers to act as an FTP server by listening on the FTP ports |
508 |
- </ti> |
509 |
- <ti /> |
510 |
-</tr> |
511 |
-<tr> |
512 |
- <ti>httpd_enable_homedirs</ti> |
513 |
- <ti> |
514 |
- Allow webservers to read home directories (<c>user_home_t</c>). Not to be |
515 |
- mistaken with <c>httpd_user_content_t</c>, which resides in the users' home |
516 |
- directory but is labeled, well, <c>httpd_user_content_t</c> ;-) |
517 |
- </ti> |
518 |
- <ti /> |
519 |
-</tr> |
520 |
-<tr> |
521 |
- <ti>httpd_ssi_exec</ti> |
522 |
- <ti> |
523 |
- Allow webservers to run SSI executables in the same domain as the CGI |
524 |
- scripts |
525 |
- </ti> |
526 |
- <ti /> |
527 |
-</tr> |
528 |
-<tr> |
529 |
- <ti>httpd_tty_com</ti> |
530 |
- <ti> |
531 |
- Unify webservers to communicate with the terminal. This is needed when you |
532 |
- need to enter a passphraze for certificates at the terminal. |
533 |
- </ti> |
534 |
- <ti /> |
535 |
-</tr> |
536 |
-<tr> |
537 |
- <ti>httpd_unified</ti> |
538 |
- <ti> |
539 |
- When enabled, the various webserver content types (all types with attribute |
540 |
- <c>httpdcontent</c> set) are not differentiated anymore, but all considered |
541 |
- to be readable, writeable and executable by the webserver. |
542 |
- </ti> |
543 |
- <ti /> |
544 |
-</tr> |
545 |
-<tr> |
546 |
- <ti>httpd_use_cifs</ti> |
547 |
- <ti> |
548 |
- Allow webservers to access CIFS file systems |
549 |
- </ti> |
550 |
- <ti /> |
551 |
-</tr> |
552 |
-<tr> |
553 |
- <ti>httpd_use_gpg</ti> |
554 |
- <ti> |
555 |
- Allow webservers to run gpg |
556 |
- </ti> |
557 |
- <ti /> |
558 |
-</tr> |
559 |
-<tr> |
560 |
- <ti>httpd_use_nfs</ti> |
561 |
- <ti> |
562 |
- Allow webservers to access NFS file systems |
563 |
- </ti> |
564 |
- <ti /> |
565 |
-</tr> |
566 |
-</table> |
567 |
- |
568 |
-<p> |
569 |
-If you want to toggle booleans, you can do so through <c>setsebool</c>: |
570 |
-</p> |
571 |
- |
572 |
-<pre caption="Enabling the gentoo_try_dontaudit boolean"> |
573 |
-<comment>( With the -P flag, the boolean state is persisted across reboots)</comment> |
574 |
-~# <i>setsebool -P httpd_enable_homedirs on</i> |
575 |
-</pre> |
576 |
- |
577 |
-</body> |
578 |
-</section> |
579 |
-<section> |
580 |
-<title>Ports</title> |
581 |
-<body> |
582 |
- |
583 |
-<p> |
584 |
-If you need to run the webserver on a non-default port, you can either mark this |
585 |
-port as an HTTP port (<c>http_port_t</c>) or create the appropriate rule to allow |
586 |
-it to bind to the specified port. |
587 |
-</p> |
588 |
- |
589 |
-<p> |
590 |
-To mark a particular port (say 81) as an HTTP port, use <c>semanage</c>: |
591 |
-</p> |
592 |
- |
593 |
-<pre caption="Labeling port 81 as http_port_t"> |
594 |
-~# <i>semanage port -a -t http_port_t -p tcp 81</i> |
595 |
-</pre> |
596 |
- |
597 |
-<p> |
598 |
-If you need to allow the webserver to bind on a port but are not allowed to |
599 |
-modify that ports' type, you'll need to create a policy that allows the |
600 |
-<c>httpd_t</c> domain to bind to the particular port. For instance, to allow it |
601 |
-to bind on the SMTP port: |
602 |
-</p> |
603 |
- |
604 |
-<pre caption="Allow rules to allow httpd_t to bind on SMTP ports"> |
605 |
-allow httpd_t smtp_port_t:tcp_socket name_bind; |
606 |
-</pre> |
607 |
- |
608 |
-</body> |
609 |
-</section> |
610 |
-</chapter> |
611 |
-</guide> |
612 |
|
613 |
diff --git a/xml/selinux/modules/bind.xml b/xml/selinux/modules/bind.xml |
614 |
deleted file mode 100644 |
615 |
index 25c2a11..0000000 |
616 |
--- a/xml/selinux/modules/bind.xml |
617 |
+++ /dev/null |
618 |
@@ -1,132 +0,0 @@ |
619 |
-<?xml version="1.0" encoding="UTF-8"?> |
620 |
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
621 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ --> |
622 |
- |
623 |
-<guide link="/proj/en/hardened/selinux/modules/bind.xml" lang="en"> |
624 |
-<title>SELinux Bind Module</title> |
625 |
-<author title="Author"> |
626 |
- <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail> |
627 |
-</author> |
628 |
- |
629 |
-<abstract> |
630 |
-Within SELinux, the bind module is responsible for defining the BIND |
631 |
-domains and interactions. |
632 |
-</abstract> |
633 |
- |
634 |
-<!-- The content of this document is licensed under the CC-BY-SA license --> |
635 |
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 --> |
636 |
-<license/> |
637 |
- |
638 |
-<version>1</version> |
639 |
-<date>2011-07-09</date> |
640 |
- |
641 |
-<chapter> |
642 |
-<title>Structure</title> |
643 |
-<section> |
644 |
-<title>Domains</title> |
645 |
-<body> |
646 |
- |
647 |
-<figure link="./images/binddomain.png" short="General Bind domain overview" |
648 |
-caption="General Bind domain overview" /> |
649 |
- |
650 |
-<p> |
651 |
-The <c>named_t</c> domain can only be transitioned towards through the |
652 |
-<c>initrc_t</c> domain (i.e. through init scripts). The <c>ndc_t</c> domain |
653 |
-(for the named domain controller) can be transitioned towards through the |
654 |
-<c>initrc_t</c> and <c>sysadm_t</c> (general system administration) domains. |
655 |
-</p> |
656 |
- |
657 |
-</body> |
658 |
-</section> |
659 |
-<section> |
660 |
-<title>File Types/Labels</title> |
661 |
-<body> |
662 |
- |
663 |
-<p> |
664 |
-The following table lists the file type/labels defined in the <c>bind</c> |
665 |
-module. |
666 |
-</p> |
667 |
- |
668 |
-<table> |
669 |
-<tr> |
670 |
- <th>Type</th> |
671 |
- <th>Function</th> |
672 |
- <th>Description</th> |
673 |
-</tr> |
674 |
-<tr> |
675 |
- <ti>named_exec_t</ti> |
676 |
- <ti>Entrypoint</ti> |
677 |
- <ti>Entrypoint domain for the named binaries</ti> |
678 |
-</tr> |
679 |
-<tr> |
680 |
- <ti>named_initrc_exec_t</ti> |
681 |
- <ti>Entrypoint</ti> |
682 |
- <ti>Entrypoint domain for non-Gentoo init scripts</ti> |
683 |
-</tr> |
684 |
-<tr> |
685 |
- <ti>named_checkconf_exec_t</ti> |
686 |
- <ti>Entrypoint</ti> |
687 |
- <ti>Entrypoint for the checkconf binary</ti> |
688 |
-</tr> |
689 |
-<tr> |
690 |
- <ti>ndc_exec_t</ti> |
691 |
- <ti>Entrypoint</ti> |
692 |
- <ti>Entrypoint for the ndc binaries</ti> |
693 |
-</tr> |
694 |
-<tr> |
695 |
- <ti>dnssec_t</ti> |
696 |
- <ti>Configuration</ti> |
697 |
- <ti>Label for the key files used by the named daemon</ti> |
698 |
-</tr> |
699 |
-<tr> |
700 |
- <ti>named_zone_t</ti> |
701 |
- <ti>Configuration</ti> |
702 |
- <ti>Label for the primary zone files</ti> |
703 |
-</tr> |
704 |
-<tr> |
705 |
- <ti>named_cache_t</ti> |
706 |
- <ti>Configuration</ti> |
707 |
- <ti>Label for the cached zone files</ti> |
708 |
-</tr> |
709 |
-<tr> |
710 |
- <ti>named_conf_t</ti> |
711 |
- <ti>Configuration</ti> |
712 |
- <ti>Label for the named configuration files</ti> |
713 |
-</tr> |
714 |
-<tr> |
715 |
- <ti>named_log_t</ti> |
716 |
- <ti>Configuration</ti> |
717 |
- <ti>Label for the named log files</ti> |
718 |
-</tr> |
719 |
-<tr> |
720 |
- <ti>named_tmp_t</ti> |
721 |
- <ti></ti> |
722 |
- <ti>Label for the named temporary files</ti> |
723 |
-</tr> |
724 |
-<tr> |
725 |
- <ti>named_var_run_t</ti> |
726 |
- <ti></ti> |
727 |
- <ti>Label for the named runtime variable data</ti> |
728 |
-</tr> |
729 |
-</table> |
730 |
- |
731 |
-</body> |
732 |
-</section> |
733 |
-</chapter> |
734 |
-<chapter> |
735 |
-<title>Using Bind</title> |
736 |
-<section> |
737 |
-<title>SELinux boolean: named_write_master_zones</title> |
738 |
-<body> |
739 |
- |
740 |
-<p> |
741 |
-The <c>named</c> policy offers one boolean called |
742 |
-<c>named_write_master_zones</c> which, when enabled, allows the named daemon to |
743 |
-write to its master zone files (i.e. <c>named_zone_t</c>). This is used in |
744 |
-master/slave setups. |
745 |
-</p> |
746 |
- |
747 |
-</body> |
748 |
-</section> |
749 |
-</chapter> |
750 |
-</guide> |
751 |
|
752 |
diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml |
753 |
deleted file mode 100644 |
754 |
index e909ff8..0000000 |
755 |
--- a/xml/selinux/modules/cron.xml |
756 |
+++ /dev/null |
757 |
@@ -1,389 +0,0 @@ |
758 |
-<?xml version="1.0" encoding="UTF-8"?> |
759 |
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
760 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ --> |
761 |
- |
762 |
-<guide link="/proj/en/hardened/selinux/modules/cron.xml" lang="en"> |
763 |
-<title>SELinux cron Module</title> |
764 |
-<author title="Author"> |
765 |
- <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail> |
766 |
-</author> |
767 |
- |
768 |
-<abstract> |
769 |
-Within SELinux, the cron module is responsible for defining the scheduling |
770 |
-domains and interactions. |
771 |
-</abstract> |
772 |
- |
773 |
-<!-- The content of this document is licensed under the CC-BY-SA license --> |
774 |
-<!-- See http://creativecommons.org/licenses/by-sa/3.0 --> |
775 |
-<license version="3.0"/> |
776 |
- |
777 |
-<version>3</version> |
778 |
-<date>2011-12-14</date> |
779 |
- |
780 |
-<chapter> |
781 |
-<title>Structure</title> |
782 |
-<section> |
783 |
-<title>Domains</title> |
784 |
-<body> |
785 |
- |
786 |
-<figure link="./images/crondomain.png" short="General cron domain overview" |
787 |
-caption="General cron domain overview" /> |
788 |
- |
789 |
-<p> |
790 |
-The cron daemon itself (like <c>vixie-cron</c>) runs in the <e>crond_t</e> |
791 |
-domain. Depending on the cron daemon used, this daemon either immediately |
792 |
-executes the jobs (hence its ability to transition to various other domains) or |
793 |
-does this through an intermediate domain (<e>system_cronjob_t</e> for system |
794 |
-cronjobs and <e>cronjob_t</e> for user cronjobs). |
795 |
-</p> |
796 |
- |
797 |
-<p> |
798 |
-The <e>crontab_t</e> and <e>admin_crontab_t</e> domains are used by the users |
799 |
-(and administrators) for maintaining their crontab files. These files are read |
800 |
-in by the cron daemon. |
801 |
-</p> |
802 |
- |
803 |
-</body> |
804 |
-</section> |
805 |
-<section> |
806 |
-<title>File Types/Labels</title> |
807 |
-<body> |
808 |
- |
809 |
-<p> |
810 |
-The following table lists the file type/labels defined in the <c>cron</c> |
811 |
-module (part of the base policy). |
812 |
-</p> |
813 |
- |
814 |
-<table> |
815 |
-<tr> |
816 |
- <th>Type</th> |
817 |
- <th>Function</th> |
818 |
- <th>Description</th> |
819 |
-</tr> |
820 |
-<tr> |
821 |
- <ti>cronjob_t</ti> |
822 |
- <ti>Domain</ti> |
823 |
- <ti>Domain for end user cronjobs</ti> |
824 |
-</tr> |
825 |
-<tr> |
826 |
- <ti>system_cronjob_t</ti> |
827 |
- <ti>Domain</ti> |
828 |
- <ti>Domain for system cronjobs</ti> |
829 |
-</tr> |
830 |
-<tr> |
831 |
- <ti>crond_t</ti> |
832 |
- <ti>Domain</ti> |
833 |
- <ti>Domain for the cron daemon</ti> |
834 |
-</tr> |
835 |
-<tr> |
836 |
- <ti>admin_crontab_t</ti> |
837 |
- <ti>Domain</ti> |
838 |
- <ti>Domain for administrator-started crontab commands</ti> |
839 |
-</tr> |
840 |
-<tr> |
841 |
- <ti>crontab_t</ti> |
842 |
- <ti>Domain</ti> |
843 |
- <ti>Domain for user-started crontab commands</ti> |
844 |
-</tr> |
845 |
-<tr> |
846 |
- <ti>crond_exec_t</ti> |
847 |
- <ti>Entrypoint</ti> |
848 |
- <ti>Entrypoint for the cron daemon binaries</ti> |
849 |
-</tr> |
850 |
-<tr> |
851 |
- <ti>crontab_exec_t</ti> |
852 |
- <ti>Entrypoint</ti> |
853 |
- <ti>Entrypoint for the crontab commands</ti> |
854 |
-</tr> |
855 |
-<tr> |
856 |
- <ti>cron_spool_t</ti> |
857 |
- <ti>Configuration</ti> |
858 |
- <ti>Spool files (where the user crontab files are in)</ti> |
859 |
-</tr> |
860 |
-<tr> |
861 |
- <ti>user_cron_spool_t</ti> |
862 |
- <ti>Configuration</ti> |
863 |
- <ti>Spool files (for the user crontab files)</ti> |
864 |
-</tr> |
865 |
-<tr> |
866 |
- <ti>system_cron_spool_t</ti> |
867 |
- <ti>Configuration</ti> |
868 |
- <ti>Spool files (where the system crontab files are in)</ti> |
869 |
-</tr> |
870 |
-<tr> |
871 |
- <ti>cron_var_lib_t</ti> |
872 |
- <ti></ti> |
873 |
- <ti>Label for cron's /var/lib items</ti> |
874 |
-</tr> |
875 |
-<tr> |
876 |
- <ti>cron_var_run_t</ti> |
877 |
- <ti></ti> |
878 |
- <ti>Label for cron's /var/run items</ti> |
879 |
-</tr> |
880 |
-<tr> |
881 |
- <ti>cron_log_t</ti> |
882 |
- <ti></ti> |
883 |
- <ti>Label for cron's logfiles (/var/log/cron)</ti> |
884 |
-</tr> |
885 |
-<tr> |
886 |
- <ti>crond_tmp_t</ti> |
887 |
- <ti></ti> |
888 |
- <ti>Label for the cron daemon's temporary files</ti> |
889 |
-</tr> |
890 |
-<tr> |
891 |
- <ti>crond_var_run_t</ti> |
892 |
- <ti></ti> |
893 |
- <ti>Label for the cron daemon's /var/run items</ti> |
894 |
-</tr> |
895 |
-<tr> |
896 |
- <ti>system_cronjob_lock_t</ti> |
897 |
- <ti></ti> |
898 |
- <ti>Label for the system cronjobs' lock files</ti> |
899 |
-</tr> |
900 |
-<tr> |
901 |
- <ti>system_cronjob_tmp_t</ti> |
902 |
- <ti></ti> |
903 |
- <ti>Label for the system cronjobs' temporary files</ti> |
904 |
-</tr> |
905 |
-<tr> |
906 |
- <ti>admin_crontab_tmp_t</ti> |
907 |
- <ti></ti> |
908 |
- <ti> |
909 |
- Label for temporary files created by a system administrators' crontab |
910 |
- command |
911 |
- </ti> |
912 |
-</tr> |
913 |
-<tr> |
914 |
- <ti>crontab_tmp_t</ti> |
915 |
- <ti></ti> |
916 |
- <ti>Label for temporary files created by a users' crontab command</ti> |
917 |
-</tr> |
918 |
-</table> |
919 |
- |
920 |
-</body> |
921 |
-</section> |
922 |
-<section> |
923 |
-<title>Booleans</title> |
924 |
-<body> |
925 |
- |
926 |
-<p> |
927 |
-The <c>cron</c> domain supports the following SELinux booleans, which can be set |
928 |
-/ unset using the standard <c>setsebool</c> statements. |
929 |
-</p> |
930 |
- |
931 |
-<table> |
932 |
-<tr> |
933 |
- <th>Boolean</th> |
934 |
- <th>Default</th> |
935 |
- <th>Description</th> |
936 |
-</tr> |
937 |
-<tr> |
938 |
- <ti>cron_can_relabel</ti> |
939 |
- <ti>false</ti> |
940 |
- <ti> |
941 |
- Allow jobs running in the <e>system_cronjob_t</e> domain to relabel files |
942 |
- and directories. When set, these jobs can also call the <c>setfiles</c> and |
943 |
- <c>restorecon</c> commands. |
944 |
- </ti> |
945 |
-</tr> |
946 |
-<tr> |
947 |
- <ti>fcron_crond</ti> |
948 |
- <ti>false</ti> |
949 |
- <ti> |
950 |
- Needed to set more privileges for the cron domains in case <c>fcron</c> is |
951 |
- used as a cron daemon. These privileges are not necessary for other cron |
952 |
- daemons and as such are "behind" this boolean. |
953 |
- </ti> |
954 |
-</tr> |
955 |
-</table> |
956 |
- |
957 |
-</body> |
958 |
-</section> |
959 |
-</chapter> |
960 |
-<chapter> |
961 |
-<title>Using Cron</title> |
962 |
-<section> |
963 |
-<title>System Administration</title> |
964 |
-<body> |
965 |
- |
966 |
-<p> |
967 |
-If you want to perform system administrative tasks using cronjobs, you will need |
968 |
-to take special care that the domain in which the job runs has sufficient |
969 |
-privileges. |
970 |
-</p> |
971 |
- |
972 |
-<p> |
973 |
-First, make sure that your cronjobs run in the <e>system_cronjob_t</e> domains. |
974 |
-This means that the cronjobs must be defined as either |
975 |
-</p> |
976 |
- |
977 |
-<ul> |
978 |
- <li> |
979 |
- scripts in the <path>/etc/cron.hourly</path>, <path>/etc/cron.daily</path>, |
980 |
- ... directories |
981 |
- </li> |
982 |
- <li> |
983 |
- crontab entries in the <path>/etc/cron.d</path> directory |
984 |
- </li> |
985 |
- <li> |
986 |
- crontab entries in the <path>/etc/crontab</path> file |
987 |
- </li> |
988 |
-</ul> |
989 |
- |
990 |
-<p> |
991 |
-Second, make sure that your <path>/etc/crontab</path> uses <c>HOME=/</c>. |
992 |
-Setting this to another <c>HOME</c> directory might confuse some applications. |
993 |
-With SELinux enabled, this could cause those applications to try and read the |
994 |
-root users' home directory, which isn't allowed by policy. |
995 |
-</p> |
996 |
- |
997 |
-<p> |
998 |
-Next, verify that the commands you want to run (and thus their target domain in |
999 |
-which they will run) are allowed for the <e>system_cronjob_t</e> domain. |
1000 |
-</p> |
1001 |
- |
1002 |
-<pre caption="Validationg the system_cronjob_t privileges"> |
1003 |
-<comment># Example to verify if we can call emerge</comment> |
1004 |
-~# <i>sesearch -s system_cronjob_t -t portage_t -A</i> |
1005 |
-Found 1 semantic av rules: |
1006 |
- allow system_cronjob_t portage_t : process transition; |
1007 |
-</pre> |
1008 |
- |
1009 |
-<p> |
1010 |
-If the domain does not have the necessary privileges, you need to update the |
1011 |
-policy. More information on maintaining the SELinux policy can be found in the |
1012 |
-<uri link="http://hardened.gentoo.org/selinux/selinux-handbook.xml">Gentoo |
1013 |
-Hardened SELinux Handbook</uri>. |
1014 |
-</p> |
1015 |
- |
1016 |
-<p> |
1017 |
-An example policy file to allow executing <c>dmesg</c>: |
1018 |
-</p> |
1019 |
- |
1020 |
-<pre caption="Allowing system_cronjob_t to execute dmesg"> |
1021 |
-policy_module(fixcron, 1.0) |
1022 |
- |
1023 |
-require { |
1024 |
- type dmesg_t; |
1025 |
-} |
1026 |
- |
1027 |
-cron_system_entry(dmesg_t) |
1028 |
-</pre> |
1029 |
- |
1030 |
-<p> |
1031 |
-For more information or help with managing your policies, do not hesitate to |
1032 |
-drop by on <c>#gentoo-hardened</c> in <c>irc.freenode.net</c>. |
1033 |
-</p> |
1034 |
- |
1035 |
-</body> |
1036 |
-</section> |
1037 |
-<section> |
1038 |
-<title>User (incl. root) Cronjobs</title> |
1039 |
-<body> |
1040 |
- |
1041 |
-<impo> |
1042 |
-Part of this is for vixie-cron users with USE="ubac" set, but even if this is |
1043 |
-not the case it is still pertinent (cfr. the default_contexts issue). |
1044 |
-</impo> |
1045 |
- |
1046 |
-<p> |
1047 |
-When working with end user crontabs (those triggered / managed through the |
1048 |
-<c>crontab</c> command), you must take care that you do this as the <e>SELinux |
1049 |
-user</e> which is associated with the file (this is a result of the SELinux User |
1050 |
-Based Access Control, aka <e>UBAC</e>). In other words, if you want to edit the |
1051 |
-root users' <path>crontab</path> file, you need to be the <c>root</c> SELinux |
1052 |
-user (and not a staff user that <c>su</c>/<c>sudo</c>'ed into root). |
1053 |
-</p> |
1054 |
- |
1055 |
-<p> |
1056 |
-If this was not done correctly, you will get the following error: |
1057 |
-</p> |
1058 |
- |
1059 |
-<pre caption="Error due to mismatch on SELinux user"> |
1060 |
-cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root) |
1061 |
-</pre> |
1062 |
- |
1063 |
-<p> |
1064 |
-Verify that the file's user and SELinux user match: |
1065 |
-</p> |
1066 |
- |
1067 |
-<pre caption="Verify that the SELinux user and file user ownership matches"> |
1068 |
-~# <i>ls -Z /var/spool/cron/crontabs/root</i> |
1069 |
-staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root |
1070 |
- |
1071 |
-~# <i>semanage login -l | grep root</i> |
1072 |
-root root |
1073 |
-</pre> |
1074 |
- |
1075 |
-<p> |
1076 |
-In the above case, the root Unix account (cfr filename of the crontab file) is |
1077 |
-mapped to the root SELinux user (cfr second "root" in the <c>semanage login |
1078 |
--l</c> output). However, the SELinux user of the crontab file is <e>staff_u</e> |
1079 |
-instead of <e>root</e>, which is why the failure occurred. |
1080 |
-</p> |
1081 |
- |
1082 |
-<p> |
1083 |
-To fix this, use <c>chcon</c>: |
1084 |
-</p> |
1085 |
- |
1086 |
-<pre caption="Fix the crontab SELinux user ownership"> |
1087 |
-~# <i>chcon -u root /var/spool/cron/crontabs/root</i> |
1088 |
-</pre> |
1089 |
- |
1090 |
-<p> |
1091 |
-Another problem that you might see is immediately at startup: |
1092 |
-</p> |
1093 |
- |
1094 |
-<pre caption="Entrypoint failure on crontab"> |
1095 |
-cron[26653]: (system_u) ENTRYPOINT FAILED (/etc/crontab) |
1096 |
-</pre> |
1097 |
- |
1098 |
-<p> |
1099 |
-In this case, even if the user of the file is correct, it is most likely due to |
1100 |
-the <path>/etc/selinux/*/contexts/default_context</path> file containing an |
1101 |
-incorrect definition. Look at the cron-related line and verify that each |
1102 |
-mentioned context is valid. For instance: |
1103 |
-</p> |
1104 |
- |
1105 |
-<pre caption="Verify if contexts are valid"> |
1106 |
-<comment># Verify the context "system_r:cronjob_t:s0"</comment> |
1107 |
-~# <i>seinfo -rsystem_r -x | grep cronjob</i> |
1108 |
- system_cronjob_t |
1109 |
-</pre> |
1110 |
- |
1111 |
-<p> |
1112 |
-In the above case, <e>cronjob_t</e> is not valid, but <e>system_cronjob_t</e> is. |
1113 |
-</p> |
1114 |
- |
1115 |
-</body> |
1116 |
-</section> |
1117 |
-<section> |
1118 |
-<title>Reporting Cron and SELinux Issues</title> |
1119 |
-<body> |
1120 |
- |
1121 |
-<p> |
1122 |
-If you have an issue with cron and believe that it is related to SELinux, please |
1123 |
-also give the output of the following command: |
1124 |
-</p> |
1125 |
- |
1126 |
-<pre caption="Getting the initial context from crond_t"> |
1127 |
-<comment># Get the domain under which system-level jobs will run</comment> |
1128 |
-~# <i>getseuser system_u system_u:system_r:crond_t</i> |
1129 |
-seuser: system_u, level (null) |
1130 |
-Context 0 system_u:system_r:system_cronjob_t |
1131 |
- |
1132 |
-<comment># Get the domain under which user-level jobs will run</comment> |
1133 |
-~# <i>getseuser john system_u:system_r:crond_t</i> |
1134 |
-seuser: user_u, level (null) |
1135 |
-Context 0 user_u:user_r:cronjob_t |
1136 |
-</pre> |
1137 |
- |
1138 |
-<note> |
1139 |
-The <c>getseuser</c> command usually takes a Unix account name for the first |
1140 |
-argument, but treats <c>system_u</c> as a special case. |
1141 |
-</note> |
1142 |
- |
1143 |
-</body> |
1144 |
-</section> |
1145 |
-</chapter> |
1146 |
-</guide> |
1147 |
|
1148 |
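diff --git a/xml/selinux/modules/index.xml b/xml/selinux/modules/index.xml
deleted file mode 100644
index d93bf05..0000000
--- a/xml/selinux/modules/index.xml
+++ /dev/null
@@ -1,69 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/index.xml" lang="en">
-<title>SELinux Modules</title>
-<author title="Author">
- <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-SELinux aggregates its permissions in modules to make the entire policy more
-manageable. To help users work with these modules, we document the common
-modules and how to work with them.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Modules</title>
-<section>
-<body>
-
-<p>
-If you use Gentoo Hardened with SELinux, then you'll eventually need to
-configure your system to work with the policies (or update the policies to work
-with your system). To help you tune the policy, insight in how the modules are
-structured and what they contain is necessary.
-</p>
-
-<p>
-Gentoo Hardened tries to document the common modules as well as how they are
-structured. Also, we document what configuration changes are often requested and
-how to deal with them. If a module contains booleans, we explain them in more
-detail.
-</p>
-
-</body>
-</section>
-<section>
-<title>Administrative Modules</title>
-<body>
-
-<ul>
- <li><uri link="portage.xml">Portage</uri></li>
-</ul>
-
-</body>
-</section>
-<section>
-<title>Services (Daemons)</title>
-<body>
-
-<ul>
- <li><uri link="bind.xml">BIND server</uri> (bind)</li>
- <li><uri link="cron.xml">Cron service</uri> (vixie-cron)</li>
- <li><uri link="ldap.xml">LDAP servers</uri> (openldap)</li>
- <li><uri link="apache.xml">Web servers</uri> (apache, lighttpd)</li>
-</ul>
-
-</body>
-</section>
-</chapter>
-</guide>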
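diff --git a/xml/selinux/modules/ldap.xml b/xml/selinux/modules/ldap.xml
deleted file mode 100644
index 4da1c55..0000000
--- a/xml/selinux/modules/ldap.xml
+++ /dev/null
@@ -1,105 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/ldap.xml" lang="en">
-<title>SELinux LDAP Module</title>
-<author title="Author">
- <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the ldap module is responsible for defining the openldap
-domains and interactions.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/ldapdomain.png" short="General LDAP domain overview"
-caption="General LDAP domain overview" />
-
-<p>
-The <c>slapd</c> daemon runs within the <c>slapd_t</c> domain and can only be
-transitioned towards through the <c>sysadm_t</c> (general system administrative
-domain) or <c>initrc_t</c> (init script launched) domains.
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>ldap</c>
-module.
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Function</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>slapd_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Executable entry point for the slapd daemon binaries</ti>
-</tr>
-<tr>
- <ti>slapd_etc_t</ti>
- <ti>Configuration</ti>
- <ti>Label for OpenLDAP configuration files</ti>
-</tr>
-<tr>
- <ti>slapd_cert_t</ti>
- <ti>Configuration</ti>
- <ti>Label for certificate keystores used by OpenLDAP</ti>
-</tr>
-<tr>
- <ti>slapd_db_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the OpenLDAP database files (backend content)</ti>
-</tr>
-<tr>
- <ti>slapd_replog_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the slurpd replication log location</ti>
-</tr>
-<tr>
- <ti>slapd_lock_t</ti>
- <ti></ti>
- <ti>Label for the lock files (runtime)</ti>
-</tr>
-<tr>
- <ti>slapd_tmp_t</ti>
- <ti></ti>
- <ti>Label for the temporary files</ti>
-</tr>
-<tr>
- <ti>slapd_var_run_t</ti>
- <ti></ti>
- <ti>Label for the runtime variable data</ti>
-</tr>
-<tr>
- <ti>slapd_initrc_exec_t</ti>
- <ti></ti>
- <ti>Label for non-Gentoo init script</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-</guide>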
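diff --git a/xml/selinux/modules/portage.xml b/xml/selinux/modules/portage.xml
deleted file mode 100644
index 293b8b0..0000000
--- a/xml/selinux/modules/portage.xml
+++ /dev/null
@@ -1,325 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/portage.xml" lang="en">
-<title>SELinux Portage Module</title>
-<author title="Author">
- <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the portage module is responsible for defining the
-Gentoo-related domains and privileges, including those for the Portage package
-manager, Gentoo-specific file system locations and the command-line wrappers.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>4</version>
-<date>2011-07-21</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/portagedomain.png" short="General Portage domain overview"
-caption="General Portage domain overview" />
-
-<p>
-The <c>portage</c> module provides the following domains:
-</p>
-
-<table>
-<tr>
- <th>Domain</th>
- <th>Process(es)</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>portage_t</ti>
- <ti>emerge, ebuild, quickpkg, ebuild.sh, regenworld, sandbox</ti>
- <ti>Gentoo's package manager domain</ti>
-</tr>
-<tr>
- <ti>portage_sandbox_t</ti>
- <ti>sandbox</ti>
- <ti>Portage compile sandbox domain</ti>
-</tr>
-<tr>
- <ti>portage_fetch_t</ti>
- <ti>rsync</ti>
- <ti>
- Domain responsible for fetching ebuilds and sources and storing them on
- the system
- </ti>
-</tr>
-<tr>
- <ti>gcc_config_t</ti>
- <ti>gcc-config</ti>
- <ti>Domain for the gcc-config wrapper</ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>portage</c>
-module.
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>portage_exec_t</ti>
- <ti>
- Entrypoints for the portage and protage-related domains. Used for binaries
- or scripts such as sandbox, emerge, ...
- </ti>
-</tr>
-<tr>
- <ti>gcc_config_exec_t</ti>
- <ti>
- Entrypoints for the gcc-config wrapper domain
- </ti>
-</tr>
-<tr>
- <ti>portage_ebuild_t</ti>
- <ti>
- Type assigned to the ebuild files and directories
- </ti>
-</tr>
-<tr>
- <ti>portage_srcrepo_t</ti>
- <ti>
- Type assigned to the live repository pulls (git, svn, cvs, ...) used by live
- ebuilds
- </ti>
-</tr>
-<tr>
- <ti>portage_fetch_tmp_t</ti>
- <ti>
- Type used by the portage_fetch_t domain when storing files in a temporary
- location
- </ti>
-</tr>
-<tr>
- <ti>portage_db_t</ti>
- <ti>
- Type used by Portage' data files
- </ti>
-</tr>
-<tr>
- <ti>portage_conf_t</ti>
- <ti>
- Type used by Portage' configuration files
- </ti>
-</tr>
-<tr>
- <ti>portage_cache_t</ti>
- <ti>
- Type used for the Portage cache
- </ti>
-</tr>
-<tr>
- <ti>portage_log_t</ti>
- <ti>
- Type used by Portage for its log files
- </ti>
-</tr>
-<tr>
- <ti>portage_tmp_t<br />portage_tmpfs_t</ti>
- <ti>
- Type used by Portage for temporary files
- </ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>Other Types</title>
-<body>
-
-<p>
-Besides the file and file location types, the following types are also defined:
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>portage_devpts_t</ti>
- <ti>
- Type used for the terminal output device/location
- </ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-<chapter>
-<title>Using Portage</title>
-<section>
-<title>File Locations</title>
-<body>
-
-<p>
-The policy offered only contains the right file context rules for the default
-locations. If you deviate from these locations, you'll need to update the
-contexts accordingly.
-</p>
-
-<p>
-The following table provides an overview of the Portage settings (variables in
-<path>make.conf</path>) that are commonly changed by end users, and the file
-context that it should have.
-</p>
-
-<table>
-<tr>
- <th>Variable in make.conf</th>
- <th>Default Location</th>
- <th>File Context(s)</th>
-</tr>
-<tr>
- <ti>
- ${PORTDIR}
- </ti>
- <ti>
- <path>/usr/portage</path>
- </ti>
- <ti>
- system_u:object_r:portage_ebuild_t
- </ti>
-</tr>
-<tr>
- <ti>
- ${DISTDIR}/svn-src<br />
- ${DISTDIR}/git-src<br />
- ${DISTDIR}/cvs-src
- </ti>
- <ti>
- <path>/usr/portage/distfiles/svn-src</path><br />
- <path>/usr/portage/distfiles/git-src</path><br />
- <path>/usr/portage/distfiles/cvs-src</path>
- </ti>
- <ti>
- system_u:object_r:portage_srcrepo_t
- </ti>
-</tr>
-<tr>
- <ti>${PKGDIR}</ti>
- <ti>
- <path>/usr/portage/packages</path>
- </ti>
- <ti>
- system_u:object_r:portage_ebuild_t
- </ti>
-</tr>
-<tr>
- <ti>${PORT_LOGDIR}</ti>
- <ti>
- <path>/var/log/portage</path>
- </ti>
- <ti>
- system_u:object_r:portage_log_t
- </ti>
-</tr>
-<tr>
- <ti>${PORTAGE_TMPDIR}</ti>
- <ti>
- <path>/var/tmp/portage</path>
- </ti>
- <ti>
- system_u:object_r:portage_tmp_t
- </ti>
-</tr>
-</table>
-
-<p>
-If you use different locations, use the following commands to update the file
-contexts accordingly:
-</p>
-
-<pre caption="Updating file contexts">
-<comment>( Example for a different PORTDIR location, say /var/repo/portage )</comment>
-~# <i>semanage -a -t portage_ebuild_t /var/repo/portage</i>
-~# <i>restorecon -R /var/repo/portage</i>
-</pre>
-
-<p>
-Don't forget that Portage uses subdirectories with different labels (think
-distfiles or the repositories for the live ebuilds) so take care when
-relabelling locations!
-</p>
-
-<p>
-If you are using different mounts, you might need to use the
-<c>rootcontext=</c> mount option to set the initial context. If the file system
-does not suppor SELinux contexts (like NFS), you can use the <c>context=</c>
-mount option to force the context of all files on the mounted location.
-</p>
-
-</body>
-</section>
-<section>
-<title>Booleans</title>
-<body>
-
-<p>
-The Portage module within Gentoo defines three booleans, called
-<c>gentoo_try_dontaudit</c>, <c>gentoo_portage_use_nfs</c> and
-<c>gentoo_wait_requests</c>.
-</p>
-
-<p>
-When <c>gentoo_try_dontaudit</c> is enabled, the policy will hide the AVC
-denials of which the Gentoo developers believe they are harmless (cosmetic).
-If this boolean is enabled and you are experiencing permission problems, it
-is wise to first disable the boolean and see if you now get any denials that
-could explain the problem.
-</p>
-
-<p>
-When <c>gentoo_portage_use_nfs</c> is enabled, then the Portage-related
-domains will be able to manage the <c>nfs_t</c> and as such, allow for the
-Portage tree and other locations to be NFS-mounted without correcting their
-label (which is still supported when using the <c>context=</c> mount option).
-</p>
-
-<p>
-When <c>gentoo_wait_requests</c> is enabled, then policy rules that are
-introduced to get things working, but which are temporary until the upstream
-project enhances its application (and a bug report is opened for it), are
-active. Disabling this boolean is only recommended if you are running the
-system with the proper patches and is more used for development traceability.
-</p>
-
-<p>
-To switch booleans, use <c>setsebool</c> or <c>togglesebool</c>.
-</p>
-
-<pre caption="Enabling the gentoo_try_dontaudit boolean">
-<comment>( With the -P flag, the boolean state is persisted across reboots)</comment>
-~# <i>setsebool -P gentoo_try_dontaudit on</i>
-</pre>
-
-</body>
-</section>
-</chapter>
-</guide>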
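diff --git a/xml/selinux/modules/ssh.xml b/xml/selinux/modules/ssh.xml
deleted file mode 100644
index 20edf7a..0000000
--- a/xml/selinux/modules/ssh.xml
+++ /dev/null
@@ -1,102 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/ssh.xml" disclaimer="draft" lang="en">
-<title>SELinux SSH Module</title>
-<author title="Author">
- <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the SSH module is responsible for defining what openssh can do
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/sshdomain.png" short="General SSH domain overview"
-caption="General SSH domain overview" />
-
-<p>
-The...
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>ldap</c>
-module.
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Function</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>slapd_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Executable entry point for the slapd daemon binaries</ti>
-</tr>
-<tr>
- <ti>slapd_etc_t</ti>
- <ti>Configuration</ti>
- <ti>Label for OpenLDAP configuration files</ti>
-</tr>
-<tr>
- <ti>slapd_cert_t</ti>
- <ti>Configuration</ti>
- <ti>Label for certificate keystores used by OpenLDAP</ti>
-</tr>
-<tr>
- <ti>slapd_db_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the OpenLDAP database files (backend content)</ti>
-</tr>
-<tr>
- <ti>slapd_replog_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the slurpd replication log location</ti>
-</tr>
-<tr>
- <ti>slapd_lock_t</ti>
- <ti></ti>
- <ti>Label for the lock files (runtime)</ti>
-</tr>
-<tr>
- <ti>slapd_tmp_t</ti>
- <ti></ti>
- <ti>Label for the temporary files</ti>
-</tr>
-<tr>
- <ti>slapd_var_run_t</ti>
- <ti></ti>
- <ti>Label for the runtime variable data</ti>
-</tr>
-<tr>
- <ti>slapd_initrc_exec_t</ti>
- <ti></ti>
- <ti>Label for non-Gentoo init script</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-</guide>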