Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
Date: Thu, 22 Dec 2011 12:58:17
Message-Id: e4f04e14465866f91e580ce149eb8c9b9fc05cbf.SwifT@gentoo
1 commit: e4f04e14465866f91e580ce149eb8c9b9fc05cbf
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Thu Dec 22 12:57:44 2011 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Dec 22 12:57:44 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e4f04e14
7
8 Drop module information, is now over at wiki.g.o
9
10 ---
11 xml/selinux/modules/apache.xml | 586 ---------------------------------------
12 xml/selinux/modules/bind.xml | 132 ---------
13 xml/selinux/modules/cron.xml | 389 --------------------------
14 xml/selinux/modules/index.xml | 69 -----
15 xml/selinux/modules/ldap.xml | 105 -------
16 xml/selinux/modules/portage.xml | 325 ----------------------
17 xml/selinux/modules/ssh.xml | 102 -------
18 7 files changed, 0 insertions(+), 1708 deletions(-)
19
20 diff --git a/xml/selinux/modules/apache.xml b/xml/selinux/modules/apache.xml
21 deleted file mode 100644
22 index 4d6350e..0000000
23 --- a/xml/selinux/modules/apache.xml
24 +++ /dev/null
25 @@ -1,586 +0,0 @@
26 -<?xml version="1.0" encoding="UTF-8"?>
27 -<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
28 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
29 -
30 -<guide link="/proj/en/hardened/selinux/modules/apache.xml" lang="en">
31 -<title>SELinux Apache Module</title>
32 -<author title="Author">
33 - <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
34 -</author>
35 -
36 -<abstract>
37 -Within SELinux, the apache module is responsible for defining the
38 -web server related domains and privileges. It is not tied to Apache, despite
39 -its name.
40 -</abstract>
41 -
42 -<!-- The content of this document is licensed under the CC-BY-SA license -->
43 -<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
44 -<license/>
45 -
46 -<version>1</version>
47 -<date>2011-06-02</date>
48 -
49 -<chapter>
50 -<title>Structure</title>
51 -<section>
52 -<title>Domains</title>
53 -<body>
54 -
55 -<figure link="./images/apachedomain.png" short="General Apache domain overview"
56 -caption="General Apache domain overview" />
57 -
58 -<p>
59 -The <c>apache</c> module provides the following domains:
60 -</p>
61 -
62 -<table>
63 -<tr>
64 - <th>Domain</th>
65 - <th>Process(es)</th>
66 - <th>Description</th>
67 -</tr>
68 -<tr>
69 - <ti>httpd_t</ti>
70 - <ti>apache<br />lighttpd</ti>
71 - <ti>Webserver processes</ti>
72 -</tr>
73 -<tr>
74 - <ti>httpd_helper_t</ti>
75 - <ti>htsslpass</ti>
76 - <ti>Domain for the htsslpass process</ti>
77 -</tr>
78 -<tr>
79 - <ti>httpd_php_t</ti>
80 - <ti>php-cgi</ti>
81 - <ti>Domain for PHP support through CGI (php-cgi process)</ti>
82 -</tr>
83 -<tr>
84 - <ti>httpd_rotatelogs_t</ti>
85 - <ti>rotatelogs</ti>
86 - <ti>Domain for the rotatelogs process</ti>
87 -</tr>
88 -<tr>
89 - <ti>httpd_suexec_t</ti>
90 - <ti>suexec</ti>
91 - <ti>
92 - Domain used by the webserver suexec process to switch to another user
93 - before calling and executing a script
94 - </ti>
95 -</tr>
96 -<tr>
97 - <ti>httpd_sys_script_t</ti>
98 - <ti></ti>
99 - <ti>Domain used by the system/package-provided CGI scripts</ti>
100 -</tr>
101 -<tr>
102 - <ti>httpd_user_script_t</ti>
103 - <ti></ti>
104 - <ti>Domain used by the user-provided CGI scripts</ti>
105 -</tr>
106 -</table>
107 -
108 -<impo>
109 -The <c>apache</c> module allows other modules to define their own domains and
110 -types for use by the webservers. This is done through templates. The reference
111 -policy by default enabled two of such templated sets for <e>user</e> and
112 -<e>sys</e>, which you can see in domains like <c>httpd_sys_script_t</c> and
113 -<c>httpd_user_script_t</c>. It is very well possible that on your system, more
114 -of these template-instantiated domains exist.
115 -</impo>
116 -
117 -</body>
118 -</section>
119 -<section>
120 -<title>File Types/Labels</title>
121 -<body>
122 -
123 -<p>
124 -The following table lists the file type/labels defined in the <c>apache</c>
125 -module.
126 -</p>
127 -
128 -<ul>
129 - <li>
130 - If the function mentions <e>(templated)</e> then it means that the types
131 - are generated by the <c>apache</c> module, but that similar others might
132 - exist on your system (called through other modules).
133 - </li>
134 - <li>
135 - When talking about <e>scripts</e>, we mean CGI scripts or other scripts that
136 - are triggered from the webserver, not from an interactive shell session.
137 - </li>
138 -</ul>
139 -
140 -
141 -
142 -<table>
143 -<tr>
144 - <th>Type</th>
145 - <th>Function</th>
146 - <th>Description</th>
147 -</tr>
148 -<tr>
149 - <ti>httpd_exec_t</ti>
150 - <ti>Entrypoint</ti>
151 - <ti>Entrypoint for the webserver processes</ti>
152 -</tr>
153 -<tr>
154 - <ti>httpd_initrc_exec_t</ti>
155 - <ti>Entrypoint</ti>
156 - <ti>Entrypoint for the webserver init scripts</ti>
157 -</tr>
158 -<tr>
159 - <ti>httpd_helper_exec_t</ti>
160 - <ti>Entrypoint</ti>
161 - <ti>Entrypoint for the webserver helper processes</ti>
162 -</tr>
163 -<tr>
164 - <ti>httpd_php_exec_t</ti>
165 - <ti>Entrypoint</ti>
166 - <ti>Entrypoint for the PHP scripts</ti>
167 -</tr>
168 -<tr>
169 - <ti>httpd_rotatelogs_exec_t</ti>
170 - <ti>Entrypoint</ti>
171 - <ti>Entrypoint for the rotatelog helper</ti>
172 -</tr>
173 -<tr>
174 - <ti>httpd_suexec_exec_t</ti>
175 - <ti>Entrypoint</ti>
176 - <ti>Entrypoint for the suexec wrapper</ti>
177 -</tr>
178 -<tr>
179 - <ti>httpd_sys_script_exec_t</ti>
180 - <ti>Entrypoint (templated)</ti>
181 - <ti>
182 - Entrypoint for system CGI scripts (or other callable scripts) that need
183 - access to the system content files (httpd_sys_content_t)
184 - </ti>
185 -</tr>
186 -<tr>
187 - <ti>httpd_user_script_exec_t</ti>
188 - <ti>Entrypoint (templated)</ti>
189 - <ti>
190 - Entrypoint for the user-provided scripts callable from the webserver instances
191 - </ti>
192 -</tr>
193 -<tr>
194 - <ti>httpd_squirrelmail_t</ti>
195 - <ti>Content</ti>
196 - <ti>Squirrelmail files</ti>
197 -</tr>
198 -<tr>
199 - <ti>squirrelmail_spool_t</ti>
200 - <ti>Content</ti>
201 - <ti>Squirrelmail attachment location</ti>
202 -</tr>
203 -<tr>
204 - <ti>httpd_sys_content_t</ti>
205 - <ti>Content (templated)</ti>
206 - <ti>
207 - Readable content for the webservers and system scripts, offered through
208 - the system / packages.
209 - </ti>
210 -</tr>
211 -<tr>
212 - <ti>httpd_sys_htaccess_t</ti>
213 - <ti>Content (templated)</ti>
214 - <ti>
215 - Label for the htaccess files, readable by the webserver but not from scripts
216 - or other webserver related domains.
217 - </ti>
218 -</tr>
219 -<tr>
220 - <ti>httpd_sys_rw_content_t</ti>
221 - <ti>Content (templated)</ti>
222 - <ti>
223 - Read and writeable content for the webservers and system scripts (not user
224 - scripts).
225 - </ti>
226 -</tr>
227 -<tr>
228 - <ti>httpd_sys_ra_content_t</ti>
229 - <ti>Content (templated)</ti>
230 - <ti>
231 - Read and appendable content for the webservers and system scripts (not user
232 - scripts).
233 - </ti>
234 -</tr>
235 -<tr>
236 - <ti>httpd_user_content_t</ti>
237 - <ti>Content (templated)</ti>
238 - <ti>
239 - Readable content for the webservers and user scripts, offered by (and
240 - writeable by) users.
241 - </ti>
242 -</tr>
243 -<tr>
244 - <ti>httpd_user_htaccess_t</ti>
245 - <ti>Content (templated)</ti>
246 - <ti>
247 - Label for the htaccess files, readable by the webserver but not from scripts
248 - or other webserver related domains.
249 - </ti>
250 -</tr>
251 -<tr>
252 - <ti>httpd_user_rw_content_t</ti>
253 - <ti>Content (templated)</ti>
254 - <ti>
255 - Read and writeable content for the webservers and user scripts (not system
256 - scripts).
257 - </ti>
258 -</tr>
259 -<tr>
260 - <ti>httpd_user_ra_content_t</ti>
261 - <ti>Content (templated)</ti>
262 - <ti>
263 - Read and appendable content for the webservers and user scripts (not system
264 - scripts).
265 - </ti>
266 -</tr>
267 -<tr>
268 - <ti>httpd_php_tmp_t</ti>
269 - <ti>Temporary Files</ti>
270 - <ti>Temporary files from the PHP scripts</ti>
271 -</tr>
272 -<tr>
273 - <ti>httpd_suexec_tmp_t</ti>
274 - <ti>Temporary Files</ti>
275 - <ti>Temporery files for the suexec domain</ti>
276 -</tr>
277 -<tr>
278 - <ti>httpd_tmp_t<br />httpd_tmpfs_t</ti>
279 - <ti>Temporary Files</ti>
280 - <ti>Temporary files from the httpd domain</ti>
281 -</tr>
282 -
283 -<tr>
284 - <ti>httpd_cache_t</ti>
285 - <ti></ti>
286 - <ti>Web server cache</ti>
287 -</tr>
288 -<tr>
289 - <ti>httpd_config_t</ti>
290 - <ti></ti>
291 - <ti>Configuration files</ti>
292 -</tr>
293 -<tr>
294 - <ti>httpd_lock_t</ti>
295 - <ti></ti>
296 - <ti>Lock files</ti>
297 -</tr>
298 -<tr>
299 - <ti>httpd_log_t</ti>
300 - <ti></ti>
301 - <ti>Web server log files</ti>
302 -</tr>
303 -<tr>
304 - <ti>httpd_modules_t</ti>
305 - <ti></ti>
306 - <ti>Webserver modules</ti>
307 -</tr>
308 -<tr>
309 - <ti>httpd_var_lib_t</ti>
310 - <ti></ti>
311 - <ti>Webserver libraries</ti>
312 -</tr>
313 -<tr>
314 - <ti>httpd_var_run_t</ti>
315 - <ti></ti>
316 - <ti>Runtime files for httpd</ti>
317 -</tr>
318 -</table>
319 -
320 -</body>
321 -</section>
322 -</chapter>
323 -<chapter>
324 -<title>Using Apache</title>
325 -<section>
326 -<title>File Locations</title>
327 -<body>
328 -
329 -<p>
330 -The policy offered only contains the right file context rules for the default
331 -locations. If you deviate from these locations, you'll need to update the
332 -contexts accordingly.
333 -</p>
334 -
335 -<p>
336 -The following table provides an overview of common Apache settings (variables in
337 -<path>httpd.conf</path>) that are often changed by end users, and the file
338 -context that it should have. If you use a different webserver you'll need to
339 -base it on the description instead.
340 -</p>
341 -
342 -<table>
343 -<tr>
344 - <th>Setting in httpd.conf</th>
345 - <th>Description</th>
346 - <th>Default Location</th>
347 - <th>File Context(s)</th>
348 -</tr>
349 -<tr>
350 - <ti>DocumentRoot</ti>
351 - <ti>Location where web content is stored (html pages and such)</ti>
352 - <ti>/srv/localhost/www</ti>
353 - <ti>system_u:object_r:httpd_sys_content_t</ti>
354 -</tr>
355 -<tr>
356 - <ti>Document</ti>
357 - <ti>Location where CGI scripts are stored</ti>
358 - <ti>/srv/localhost/cgi-bin</ti>
359 - <ti>system_u:object_r:httpd_sys_script_exec_t</ti>
360 -</tr>
361 -<tr>
362 - <ti>Directory</ti>
363 - <ti>User home directory location where user-provided content is stored</ti>
364 - <ti>/home/*/public_html</ti>
365 - <ti>system_u:object_r:httpd_user_content_t</ti>
366 -</tr>
367 -<tr>
368 - <ti>Directory</ti>
369 - <ti>User home directory location where user-provided CGI scripts are stored</ti>
370 - <ti>/home/*/public_html/cgi-bin</ti>
371 - <ti>system_u:object_r:httpd_user_script_exec_t</ti>
372 -</tr>
373 -</table>
374 -
375 -</body>
376 -</section>
377 -<section>
378 -<title>Sharing Files</title>
379 -<body>
380 -
381 -<p>
382 -The SELinux policy (as part of the <c>miscfiles</c> module) supports two
383 -additional types: <c>public_content_t</c> and <c>public_content_rw_t</c>. These
384 -are used for what is called <e>anonymous files</e> which are readable by all
385 -file-serving services. If all services only need to read from it, then
386 -<c>public_content_t</c> is used. If at least one services needs to write to it,
387 -use <c>public_content_rw_t</c> and toggle the right SELinux boolean for the
388 -domain that needs write access to it (<c>allow_DOMAIN_anon_write</c>).
389 -</p>
390 -
391 -<p>
392 -For instance, if you have files that are shared by Apache, NFS, Samba, ... you
393 -label these <c>public_content_t</c> (read-only) or <c>public_content_rw_t</c>
394 -(read-write for some) and then toggle the appropriate booleans:
395 -</p>
396 -
397 -<pre caption="Enable write access for the httpd_sys_script_t domain to the public_content_rw_t domain">
398 -~# <i>setsebool -P allow_httpd_sys_script_anon_write on</i>
399 -</pre>
400 -
401 -</body>
402 -</section>
403 -<section>
404 -<title>Booleans</title>
405 -<body>
406 -
407 -<p>
408 -The <c>apache</c> module has several booleans which manipulate the allowed
409 -permissions within your installation. The table below gives an overview of the
410 -booleans, but also mentions which USE flags you <e>could</e> associate with it.
411 -Note that the booleans are <e>not</e> linked to USE flags. However, if you have
412 -set a particular USE flag for the webserver environment, then you might want to
413 -toggle these booleans as well.
414 -</p>
415 -
416 -<table>
417 -<tr>
418 - <th>Boolean</th>
419 - <th>Description</th>
420 - <th>Gentoo USE flag suggestion</th>
421 -</tr>
422 -<tr>
423 - <ti>allow_httpd_anon_write</ti>
424 - <ti>
425 - Allow the webserver to modify public files (labeled
426 - <c>public_content_rw_t</c>)
427 - </ti>
428 - <ti />
429 -</tr>
430 -<tr>
431 - <ti>allow_httpd_sys_script_anon_write</ti>
432 - <ti>
433 - Allow the system scripts to modify public files
434 - </ti>
435 - <ti />
436 -</tr>
437 -<tr>
438 - <ti>allow_httpd_user_script_anon_wriet</ti>
439 - <ti>
440 - Allow the user scripts to modify public files
441 - </ti>
442 - <ti />
443 -</tr>
444 -<tr>
445 - <ti>allow_httpd_mod_auth_pam</ti>
446 - <ti>
447 - Allow the webserver to use the auth_pam module
448 - </ti>
449 - <ti />
450 -</tr>
451 -<tr>
452 - <ti>httpd_builtin_scripting</ti>
453 - <ti>
454 - Needed when your webservers use internal scripting languages like PHP
455 - (languages that are read and interpreted by the webserver directly rather than
456 - called through separate processes like with CGI)
457 - </ti>
458 - <ti />
459 -</tr>
460 -<tr>
461 - <ti>httpd_can_network_connect</ti>
462 - <ti>
463 - Allow the webserver scripts and modules to connect to the network
464 - </ti>
465 - <ti />
466 -</tr>
467 -<tr>
468 - <ti>httpd_can_network_connect_db</ti>
469 - <ti>
470 - Allow the webserver scripts and modules to connect to databases over the
471 - network
472 - </ti>
473 - <ti />
474 -</tr>
475 -<tr>
476 - <ti>httpd_can_network_relay</ti>
477 - <ti>
478 - Allow webservers to act as a relay
479 - </ti>
480 - <ti />
481 -</tr>
482 -<tr>
483 - <ti>httpd_can_sendmail</ti>
484 - <ti>
485 - Allow webservers to send e-mails
486 - </ti>
487 - <ti />
488 -</tr>
489 -<tr>
490 - <ti>httpd_dbus_avahi</ti>
491 - <ti>
492 - Allow webservers to communicate with avahi service via dbus
493 - </ti>
494 - <ti />
495 -</tr>
496 -<tr>
497 - <ti>httpd_enable_cgi</ti>
498 - <ti>
499 - Allow webservers to call CGI scripts (labeled <c>httpd_sys_script_exec_t</c>
500 - or <c>httpd_user_script_exec_t</c>)
501 - </ti>
502 - <ti />
503 -</tr>
504 -<tr>
505 - <ti>httpd_enable_ftp_server</ti>
506 - <ti>
507 - Allow webservers to act as an FTP server by listening on the FTP ports
508 - </ti>
509 - <ti />
510 -</tr>
511 -<tr>
512 - <ti>httpd_enable_homedirs</ti>
513 - <ti>
514 - Allow webservers to read home directories (<c>user_home_t</c>). Not to be
515 - mistaken with <c>httpd_user_content_t</c>, which resides in the users' home
516 - directory but is labeled, well, <c>httpd_user_content_t</c> ;-)
517 - </ti>
518 - <ti />
519 -</tr>
520 -<tr>
521 - <ti>httpd_ssi_exec</ti>
522 - <ti>
523 - Allow webservers to run SSI executables in the same domain as the CGI
524 - scripts
525 - </ti>
526 - <ti />
527 -</tr>
528 -<tr>
529 - <ti>httpd_tty_com</ti>
530 - <ti>
531 - Unify webservers to communicate with the terminal. This is needed when you
532 - need to enter a passphraze for certificates at the terminal.
533 - </ti>
534 - <ti />
535 -</tr>
536 -<tr>
537 - <ti>httpd_unified</ti>
538 - <ti>
539 - When enabled, the various webserver content types (all types with attribute
540 - <c>httpdcontent</c> set) are not differentiated anymore, but all considered
541 - to be readable, writeable and executable by the webserver.
542 - </ti>
543 - <ti />
544 -</tr>
545 -<tr>
546 - <ti>httpd_use_cifs</ti>
547 - <ti>
548 - Allow webservers to access CIFS file systems
549 - </ti>
550 - <ti />
551 -</tr>
552 -<tr>
553 - <ti>httpd_use_gpg</ti>
554 - <ti>
555 - Allow webservers to run gpg
556 - </ti>
557 - <ti />
558 -</tr>
559 -<tr>
560 - <ti>httpd_use_nfs</ti>
561 - <ti>
562 - Allow webservers to access NFS file systems
563 - </ti>
564 - <ti />
565 -</tr>
566 -</table>
567 -
568 -<p>
569 -If you want to toggle booleans, you can do so through <c>setsebool</c>:
570 -</p>
571 -
572 -<pre caption="Enabling the gentoo_try_dontaudit boolean">
573 -<comment>( With the -P flag, the boolean state is persisted across reboots)</comment>
574 -~# <i>setsebool -P httpd_enable_homedirs on</i>
575 -</pre>
576 -
577 -</body>
578 -</section>
579 -<section>
580 -<title>Ports</title>
581 -<body>
582 -
583 -<p>
584 -If you need to run the webserver on a non-default port, you can either mark this
585 -port as an HTTP port (<c>http_port_t</c>) or create the appropriate rule to allow
586 -it to bind to the specified port.
587 -</p>
588 -
589 -<p>
590 -To mark a particular port (say 81) as an HTTP port, use <c>semanage</c>:
591 -</p>
592 -
593 -<pre caption="Labeling port 81 as http_port_t">
594 -~# <i>semanage port -a -t http_port_t -p tcp 81</i>
595 -</pre>
596 -
597 -<p>
598 -If you need to allow the webserver to bind on a port but are not allowed to
599 -modify that ports' type, you'll need to create a policy that allows the
600 -<c>httpd_t</c> domain to bind to the particular port. For instance, to allow it
601 -to bind on the SMTP port:
602 -</p>
603 -
604 -<pre caption="Allow rules to allow httpd_t to bind on SMTP ports">
605 -allow httpd_t smtp_port_t:tcp_socket name_bind;
606 -</pre>
607 -
608 -</body>
609 -</section>
610 -</chapter>
611 -</guide>
612
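Review bot: the commit message says the module documentation now lives on wiki.g.o but gives no URL for the replacement page, and nothing in this commit forwards the `/proj/en/hardened/selinux/modules/apache.xml` address that the removed `<guide link=...>` element published; add the wiki URL to the message or leave a stub that points there so the old link does not go dead. Before the text is carried over, a few defects visible in the removed content should be fixed rather than copied: the boolean table lists `allow_httpd_user_script_anon_wriet` (the neighbouring entry is `allow_httpd_sys_script_anon_write`, so `allow_httpd_user_script_anon_write` is meant); the `<pre caption="Enabling the gentoo_try_dontaudit boolean">` caption does not match the command it wraps, `setsebool -P httpd_enable_homedirs on`; the file-locations table labels the CGI row "Document", which is not an httpd.conf setting (the description "Location where CGI scripts are stored" is what `ScriptAlias` configures); `httpd_tty_com` reads "Unify webservers to communicate with the terminal" where "Allow" is meant; and "passphraze" and "Temporery" are misspelt.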
613 diff --git a/xml/selinux/modules/bind.xml b/xml/selinux/modules/bind.xml
614 deleted file mode 100644
615 index 25c2a11..0000000
616 --- a/xml/selinux/modules/bind.xml
617 +++ /dev/null
618 @@ -1,132 +0,0 @@
619 -<?xml version="1.0" encoding="UTF-8"?>
620 -<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
621 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
622 -
623 -<guide link="/proj/en/hardened/selinux/modules/bind.xml" lang="en">
624 -<title>SELinux Bind Module</title>
625 -<author title="Author">
626 - <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
627 -</author>
628 -
629 -<abstract>
630 -Within SELinux, the bind module is responsible for defining the BIND
631 -domains and interactions.
632 -</abstract>
633 -
634 -<!-- The content of this document is licensed under the CC-BY-SA license -->
635 -<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
636 -<license/>
637 -
638 -<version>1</version>
639 -<date>2011-07-09</date>
640 -
641 -<chapter>
642 -<title>Structure</title>
643 -<section>
644 -<title>Domains</title>
645 -<body>
646 -
647 -<figure link="./images/binddomain.png" short="General Bind domain overview"
648 -caption="General Bind domain overview" />
649 -
650 -<p>
651 -The <c>named_t</c> domain can only be transitioned towards through the
652 -<c>initrc_t</c> domain (i.e. through init scripts). The <c>ndc_t</c> domain
653 -(for the named domain controller) can be transitioned towards through the
654 -<c>initrc_t</c> and <c>sysadm_t</c> (general system administration) domains.
655 -</p>
656 -
657 -</body>
658 -</section>
659 -<section>
660 -<title>File Types/Labels</title>
661 -<body>
662 -
663 -<p>
664 -The following table lists the file type/labels defined in the <c>bind</c>
665 -module.
666 -</p>
667 -
668 -<table>
669 -<tr>
670 - <th>Type</th>
671 - <th>Function</th>
672 - <th>Description</th>
673 -</tr>
674 -<tr>
675 - <ti>named_exec_t</ti>
676 - <ti>Entrypoint</ti>
677 - <ti>Entrypoint domain for the named binaries</ti>
678 -</tr>
679 -<tr>
680 - <ti>named_initrc_exec_t</ti>
681 - <ti>Entrypoint</ti>
682 - <ti>Entrypoint domain for non-Gentoo init scripts</ti>
683 -</tr>
684 -<tr>
685 - <ti>named_checkconf_exec_t</ti>
686 - <ti>Entrypoint</ti>
687 - <ti>Entrypoint for the checkconf binary</ti>
688 -</tr>
689 -<tr>
690 - <ti>ndc_exec_t</ti>
691 - <ti>Entrypoint</ti>
692 - <ti>Entrypoint for the ndc binaries</ti>
693 -</tr>
694 -<tr>
695 - <ti>dnssec_t</ti>
696 - <ti>Configuration</ti>
697 - <ti>Label for the key files used by the named daemon</ti>
698 -</tr>
699 -<tr>
700 - <ti>named_zone_t</ti>
701 - <ti>Configuration</ti>
702 - <ti>Label for the primary zone files</ti>
703 -</tr>
704 -<tr>
705 - <ti>named_cache_t</ti>
706 - <ti>Configuration</ti>
707 - <ti>Label for the cached zone files</ti>
708 -</tr>
709 -<tr>
710 - <ti>named_conf_t</ti>
711 - <ti>Configuration</ti>
712 - <ti>Label for the named configuration files</ti>
713 -</tr>
714 -<tr>
715 - <ti>named_log_t</ti>
716 - <ti>Configuration</ti>
717 - <ti>Label for the named log files</ti>
718 -</tr>
719 -<tr>
720 - <ti>named_tmp_t</ti>
721 - <ti></ti>
722 - <ti>Label for the named temporary files</ti>
723 -</tr>
724 -<tr>
725 - <ti>named_var_run_t</ti>
726 - <ti></ti>
727 - <ti>Label for the named runtime variable data</ti>
728 -</tr>
729 -</table>
730 -
731 -</body>
732 -</section>
733 -</chapter>
734 -<chapter>
735 -<title>Using Bind</title>
736 -<section>
737 -<title>SELinux boolean: named_write_master_zones</title>
738 -<body>
739 -
740 -<p>
741 -The <c>named</c> policy offers one boolean called
742 -<c>named_write_master_zones</c> which, when enabled, allows the named daemon to
743 -write to its master zone files (i.e. <c>named_zone_t</c>). This is used in
744 -master/slave setups.
745 -</p>
746 -
747 -</body>
748 -</section>
749 -</chapter>
750 -</guide>
751
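Review bot: the boolean section calls it "the `named` policy" while the file's `<title>` and abstract document the `bind` module, and the types table describes `named_exec_t` and `named_initrc_exec_t` as "Entrypoint domain" although they are file types, not domains; the same table files `named_log_t` under "Configuration" while `named_tmp_t` and `named_var_run_t` get no function at all. Worth correcting in the wiki copy instead of carrying over verbatim. As with apache.xml, the `/proj/en/hardened/selinux/modules/bind.xml` link from the removed `<guide link=...>` element has no forwarding target in this commit.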
752 diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml
753 deleted file mode 100644
754 index e909ff8..0000000
755 --- a/xml/selinux/modules/cron.xml
756 +++ /dev/null
757 @@ -1,389 +0,0 @@
758 -<?xml version="1.0" encoding="UTF-8"?>
759 -<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
760 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
761 -
762 -<guide link="/proj/en/hardened/selinux/modules/cron.xml" lang="en">
763 -<title>SELinux cron Module</title>
764 -<author title="Author">
765 - <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
766 -</author>
767 -
768 -<abstract>
769 -Within SELinux, the cron module is responsible for defining the scheduling
770 -domains and interactions.
771 -</abstract>
772 -
773 -<!-- The content of this document is licensed under the CC-BY-SA license -->
774 -<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
775 -<license version="3.0"/>
776 -
777 -<version>3</version>
778 -<date>2011-12-14</date>
779 -
780 -<chapter>
781 -<title>Structure</title>
782 -<section>
783 -<title>Domains</title>
784 -<body>
785 -
786 -<figure link="./images/crondomain.png" short="General cron domain overview"
787 -caption="General cron domain overview" />
788 -
789 -<p>
790 -The cron daemon itself (like <c>vixie-cron</c>) runs in the <e>crond_t</e>
791 -domain. Depending on the cron daemon used, this daemon either immediately
792 -executes the jobs (hence its ability to transition to various other domains) or
793 -does this through an intermediate domain (<e>system_cronjob_t</e> for system
794 -cronjobs and <e>cronjob_t</e> for user cronjobs).
795 -</p>
796 -
797 -<p>
798 -The <e>crontab_t</e> and <e>admin_crontab_t</e> domains are used by the users
799 -(and administrators) for maintaining their crontab files. These files are read
800 -in by the cron daemon.
801 -</p>
802 -
803 -</body>
804 -</section>
805 -<section>
806 -<title>File Types/Labels</title>
807 -<body>
808 -
809 -<p>
810 -The following table lists the file type/labels defined in the <c>cron</c>
811 -module (part of the base policy).
812 -</p>
813 -
814 -<table>
815 -<tr>
816 - <th>Type</th>
817 - <th>Function</th>
818 - <th>Description</th>
819 -</tr>
820 -<tr>
821 - <ti>cronjob_t</ti>
822 - <ti>Domain</ti>
823 - <ti>Domain for end user cronjobs</ti>
824 -</tr>
825 -<tr>
826 - <ti>system_cronjob_t</ti>
827 - <ti>Domain</ti>
828 - <ti>Domain for system cronjobs</ti>
829 -</tr>
830 -<tr>
831 - <ti>crond_t</ti>
832 - <ti>Domain</ti>
833 - <ti>Domain for the cron daemon</ti>
834 -</tr>
835 -<tr>
836 - <ti>admin_crontab_t</ti>
837 - <ti>Domain</ti>
838 - <ti>Domain for administrator-started crontab commands</ti>
839 -</tr>
840 -<tr>
841 - <ti>crontab_t</ti>
842 - <ti>Domain</ti>
843 - <ti>Domain for user-started crontab commands</ti>
844 -</tr>
845 -<tr>
846 - <ti>crond_exec_t</ti>
847 - <ti>Entrypoint</ti>
848 - <ti>Entrypoint for the cron daemon binaries</ti>
849 -</tr>
850 -<tr>
851 - <ti>crontab_exec_t</ti>
852 - <ti>Entrypoint</ti>
853 - <ti>Entrypoint for the crontab commands</ti>
854 -</tr>
855 -<tr>
856 - <ti>cron_spool_t</ti>
857 - <ti>Configuration</ti>
858 - <ti>Spool files (where the user crontab files are in)</ti>
859 -</tr>
860 -<tr>
861 - <ti>user_cron_spool_t</ti>
862 - <ti>Configuration</ti>
863 - <ti>Spool files (for the user crontab files)</ti>
864 -</tr>
865 -<tr>
866 - <ti>system_cron_spool_t</ti>
867 - <ti>Configuration</ti>
868 - <ti>Spool files (where the system crontab files are in)</ti>
869 -</tr>
870 -<tr>
871 - <ti>cron_var_lib_t</ti>
872 - <ti></ti>
873 - <ti>Label for cron's /var/lib items</ti>
874 -</tr>
875 -<tr>
876 - <ti>cron_var_run_t</ti>
877 - <ti></ti>
878 - <ti>Label for cron's /var/run items</ti>
879 -</tr>
880 -<tr>
881 - <ti>cron_log_t</ti>
882 - <ti></ti>
883 - <ti>Label for cron's logfiles (/var/log/cron)</ti>
884 -</tr>
885 -<tr>
886 - <ti>crond_tmp_t</ti>
887 - <ti></ti>
888 - <ti>Label for the cron daemon's temporary files</ti>
889 -</tr>
890 -<tr>
891 - <ti>crond_var_run_t</ti>
892 - <ti></ti>
893 - <ti>Label for the cron daemon's /var/run items</ti>
894 -</tr>
895 -<tr>
896 - <ti>system_cronjob_lock_t</ti>
897 - <ti></ti>
898 - <ti>Label for the system cronjobs' lock files</ti>
899 -</tr>
900 -<tr>
901 - <ti>system_cronjob_tmp_t</ti>
902 - <ti></ti>
903 - <ti>Label for the system cronjobs' temporary files</ti>
904 -</tr>
905 -<tr>
906 - <ti>admin_crontab_tmp_t</ti>
907 - <ti></ti>
908 - <ti>
909 - Label for temporary files created by a system administrators' crontab
910 - command
911 - </ti>
912 -</tr>
913 -<tr>
914 - <ti>crontab_tmp_t</ti>
915 - <ti></ti>
916 - <ti>Label for temporary files created by a users' crontab command</ti>
917 -</tr>
918 -</table>
919 -
920 -</body>
921 -</section>
922 -<section>
923 -<title>Booleans</title>
924 -<body>
925 -
926 -<p>
927 -The <c>cron</c> domain supports the following SELinux booleans, which can be set
928 -/ unset using the standard <c>setsebool</c> statements.
929 -</p>
930 -
931 -<table>
932 -<tr>
933 - <th>Boolean</th>
934 - <th>Default</th>
935 - <th>Description</th>
936 -</tr>
937 -<tr>
938 - <ti>cron_can_relabel</ti>
939 - <ti>false</ti>
940 - <ti>
941 - Allow jobs running in the <e>system_cronjob_t</e> domain to relabel files
942 - and directories. When set, these jobs can also call the <c>setfiles</c> and
943 - <c>restorecon</c> commands.
944 - </ti>
945 -</tr>
946 -<tr>
947 - <ti>fcron_crond</ti>
948 - <ti>false</ti>
949 - <ti>
950 - Needed to set more privileges for the cron domains in case <c>fcron</c> is
951 - used as a cron daemon. These privileges are not necessary for other cron
952 - daemons and as such are "behind" this boolean.
953 - </ti>
954 -</tr>
955 -</table>
956 -
957 -</body>
958 -</section>
959 -</chapter>
960 -<chapter>
961 -<title>Using Cron</title>
962 -<section>
963 -<title>System Administration</title>
964 -<body>
965 -
966 -<p>
967 -If you want to perform system administrative tasks using cronjobs, you will need
968 -to take special care that the domain in which the job runs has sufficient
969 -privileges.
970 -</p>
971 -
972 -<p>
973 -First, make sure that your cronjobs run in the <e>system_cronjob_t</e> domains.
974 -This means that the cronjobs must be defined as either
975 -</p>
976 -
977 -<ul>
978 - <li>
979 - scripts in the <path>/etc/cron.hourly</path>, <path>/etc/cron.daily</path>,
980 - ... directories
981 - </li>
982 - <li>
983 - crontab entries in the <path>/etc/cron.d</path> directory
984 - </li>
985 - <li>
986 - crontab entries in the <path>/etc/crontab</path> file
987 - </li>
988 -</ul>
989 -
990 -<p>
991 -Second, make sure that your <path>/etc/crontab</path> uses <c>HOME=/</c>.
992 -Setting this to another <c>HOME</c> directory might confuse some applications.
993 -With SELinux enabled, this could cause those applications to try and read the
994 -root users' home directory, which isn't allowed by policy.
995 -</p>
996 -
997 -<p>
998 -Next, verify that the commands you want to run (and thus their target domain in
999 -which they will run) are allowed for the <e>system_cronjob_t</e> domain.
1000 -</p>
1001 -
1002 -<pre caption="Validationg the system_cronjob_t privileges">
1003 -<comment># Example to verify if we can call emerge</comment>
1004 -~# <i>sesearch -s system_cronjob_t -t portage_t -A</i>
1005 -Found 1 semantic av rules:
1006 - allow system_cronjob_t portage_t : process transition;
1007 -</pre>
1008 -
1009 -<p>
1010 -If the domain does not have the necessary privileges, you need to update the
1011 -policy. More information on maintaining the SELinux policy can be found in the
1012 -<uri link="http://hardened.gentoo.org/selinux/selinux-handbook.xml">Gentoo
1013 -Hardened SELinux Handbook</uri>.
1014 -</p>
1015 -
1016 -<p>
1017 -An example policy file to allow executing <c>dmesg</c>:
1018 -</p>
1019 -
1020 -<pre caption="Allowing system_cronjob_t to execute dmesg">
1021 -policy_module(fixcron, 1.0)
1022 -
1023 -require {
1024 - type dmesg_t;
1025 -}
1026 -
1027 -cron_system_entry(dmesg_t)
1028 -</pre>
1029 -
1030 -<p>
1031 -For more information or help with managing your policies, do not hesitate to
1032 -drop by on <c>#gentoo-hardened</c> in <c>irc.freenode.net</c>.
1033 -</p>
1034 -
1035 -</body>
1036 -</section>
1037 -<section>
1038 -<title>User (incl. root) Cronjobs</title>
1039 -<body>
1040 -
1041 -<impo>
1042 -Part of this is for vixie-cron users with USE="ubac" set, but even if this is
1043 -not the case it is still pertinent (cfr. the default_contexts issue).
1044 -</impo>
1045 -
1046 -<p>
1047 -When working with end user crontabs (those triggered / managed through the
1048 -<c>crontab</c> command), you must take care that you do this as the <e>SELinux
1049 -user</e> which is associated with the file (this is a result of the SELinux User
1050 -Based Access Control, aka <e>UBAC</e>). In other words, if you want to edit the
1051 -root users' <path>crontab</path> file, you need to be the <c>root</c> SELinux
1052 -user (and not a staff user that <c>su</c>/<c>sudo</c>'ed into root).
1053 -</p>
1054 -
1055 -<p>
1056 -If this was not done correctly, you will get the following error:
1057 -</p>
1058 -
1059 -<pre caption="Error due to mismatch on SELinux user">
1060 -cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
1061 -</pre>
1062 -
1063 -<p>
1064 -Verify that the file's user and SELinux user match:
1065 -</p>
1066 -
1067 -<pre caption="Verify that the SELinux user and file user ownership matches">
1068 -~# <i>ls -Z /var/spool/cron/crontabs/root</i>
1069 -staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
1070 -
1071 -~# <i>semanage login -l | grep root</i>
1072 -root root
1073 -</pre>
1074 -
1075 -<p>
1076 -In the above case, the root Unix account (cfr filename of the crontab file) is
1077 -mapped to the root SELinux user (cfr second "root" in the <c>semanage login
1078 --l</c> output). However, the SELinux user of the crontab file is <e>staff_u</e>
1079 -instead of <e>root</e>, which is why the failure occurred.
1080 -</p>
1081 -
1082 -<p>
1083 -To fix this, use <c>chcon</c>:
1084 -</p>
1085 -
1086 -<pre caption="Fix the crontab SELinux user ownership">
1087 -~# <i>chcon -u root /var/spool/cron/crontabs/root</i>
1088 -</pre>
1089 -
1090 -<p>
1091 -Another problem that you might see is immediately at startup:
1092 -</p>
1093 -
1094 -<pre caption="Entrypoint failure on crontab">
1095 -cron[26653]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
1096 -</pre>
1097 -
1098 -<p>
1099 -In this case, even if the user of the file is correct, it is most likely due to
1100 -the <path>/etc/selinux/*/contexts/default_context</path> file containing an
1101 -incorrect definition. Look at the cron-related line and verify that each
1102 -mentioned context is valid. For instance:
1103 -</p>
1104 -
1105 -<pre caption="Verify if contexts are valid">
1106 -<comment># Verify the context "system_r:cronjob_t:s0"</comment>
1107 -~# <i>seinfo -rsystem_r -x | grep cronjob</i>
1108 - system_cronjob_t
1109 -</pre>
1110 -
1111 -<p>
1112 -In the above case, <e>cronjob_t</e> is not valid, but <e>system_cronjob_t</e> is.
1113 -</p>
1114 -
1115 -</body>
1116 -</section>
1117 -<section>
1118 -<title>Reporting Cron and SELinux Issues</title>
1119 -<body>
1120 -
1121 -<p>
1122 -If you have an issue with cron and believe that it is related to SELinux, please
1123 -also give the output of the following command:
1124 -</p>
1125 -
1126 -<pre caption="Getting the initial context from crond_t">
1127 -<comment># Get the domain under which system-level jobs will run</comment>
1128 -~# <i>getseuser system_u system_u:system_r:crond_t</i>
1129 -seuser: system_u, level (null)
1130 -Context 0 system_u:system_r:system_cronjob_t
1131 -
1132 -<comment># Get the domain under which user-level jobs will run</comment>
1133 -~# <i>getseuser john system_u:system_r:crond_t</i>
1134 -seuser: user_u, level (null)
1135 -Context 0 user_u:user_r:cronjob_t
1136 -</pre>
1137 -
1138 -<note>
1139 -The <c>getseuser</c> command usually takes a Unix account name for the first
1140 -argument, but treats <c>system_u</c> as a special case.
1141 -</note>
1142 -
1143 -</body>
1144 -</section>
1145 -</chapter>
1146 -</guide>
1147
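Review bot: the path named in the removed "User (incl. root) Cronjobs" section is inconsistent within the hunk: the `<impo>` at the top of the section refers to "the default_contexts issue", while the paragraph after the `cron[26653]: (system_u) ENTRYPOINT FAILED (/etc/crontab)` example points the reader at `/etc/selinux/*/contexts/default_context`. The file is `default_contexts` (plural), and since the commit message says this material now lives on wiki.g.o, the wiki copy should carry the corrected path rather than inherit the typo. The same section's `ls -Z` / `semanage login -l` check and the `chcon -u root /var/spool/cron/crontabs/root` fix are the useful part of the troubleshooting flow; worth confirming they survived the migration verbatim, including the explanation that the file's SELinux user (staff_u) must match the Unix account's mapped SELinux user (root).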
1148 diff --git a/xml/selinux/modules/index.xml b/xml/selinux/modules/index.xml
1149 deleted file mode 100644
1150 index d93bf05..0000000
1151 --- a/xml/selinux/modules/index.xml
1152 +++ /dev/null
1153 @@ -1,69 +0,0 @@
1154 -<?xml version="1.0" encoding="UTF-8"?>
1155 -<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
1156 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
1157 -
1158 -<guide link="/proj/en/hardened/selinux/modules/index.xml" lang="en">
1159 -<title>SELinux Modules</title>
1160 -<author title="Author">
1161 - <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
1162 -</author>
1163 -
1164 -<abstract>
1165 -SELinux aggregates its permissions in modules to make the entire policy more
1166 -manageable. To help users work with these modules, we document the common
1167 -modules and how to work with them.
1168 -</abstract>
1169 -
1170 -<!-- The content of this document is licensed under the CC-BY-SA license -->
1171 -<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
1172 -<license/>
1173 -
1174 -<version>1</version>
1175 -<date>2011-07-09</date>
1176 -
1177 -<chapter>
1178 -<title>Modules</title>
1179 -<section>
1180 -<body>
1181 -
1182 -<p>
1183 -If you use Gentoo Hardened with SELinux, then you'll eventually need to
1184 -configure your system to work with the policies (or update the policies to work
1185 -with your system). To help you tune the policy, insight in how the modules are
1186 -structured and what they contain is necessary.
1187 -</p>
1188 -
1189 -<p>
1190 -Gentoo Hardened tries to document the common modules as well as how they are
1191 -structured. Also, we document what configuration changes are often requested and
1192 -how to deal with them. If a module contains booleans, we explain them in more
1193 -detail.
1194 -</p>
1195 -
1196 -</body>
1197 -</section>
1198 -<section>
1199 -<title>Administrative Modules</title>
1200 -<body>
1201 -
1202 -<ul>
1203 - <li><uri link="portage.xml">Portage</uri></li>
1204 -</ul>
1205 -
1206 -</body>
1207 -</section>
1208 -<section>
1209 -<title>Services (Daemons)</title>
1210 -<body>
1211 -
1212 -<ul>
1213 - <li><uri link="bind.xml">BIND server</uri> (bind)</li>
1214 - <li><uri link="cron.xml">Cron service</uri> (vixie-cron)</li>
1215 - <li><uri link="ldap.xml">LDAP servers</uri> (openldap)</li>
1216 - <li><uri link="apache.xml">Web servers</uri> (apache, lighttpd)</li>
1217 -</ul>
1218 -
1219 -</body>
1220 -</section>
1221 -</chapter>
1222 -</guide>
1223
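Review bot: this hunk removes the index page together with every module page it links to, yet no hunk in the patch leaves a pointer to the new location named in the commit message (wiki.g.o). `<guide link="/proj/en/hardened/selinux/modules/index.xml">` is the entry point other hardened docs would link to, so consider keeping a one-paragraph stub at that path (or a redirect in the site configuration) so existing links to the index and to portage.xml, bind.xml, cron.xml, ldap.xml and apache.xml do not go dead. The index never listed the ssh.xml draft removed at the end of this patch, so nothing external should depend on that one.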
1224 diff --git a/xml/selinux/modules/ldap.xml b/xml/selinux/modules/ldap.xml
1225 deleted file mode 100644
1226 index 4da1c55..0000000
1227 --- a/xml/selinux/modules/ldap.xml
1228 +++ /dev/null
1229 @@ -1,105 +0,0 @@
1230 -<?xml version="1.0" encoding="UTF-8"?>
1231 -<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
1232 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
1233 -
1234 -<guide link="/proj/en/hardened/selinux/modules/ldap.xml" lang="en">
1235 -<title>SELinux LDAP Module</title>
1236 -<author title="Author">
1237 - <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
1238 -</author>
1239 -
1240 -<abstract>
1241 -Within SELinux, the ldap module is responsible for defining the openldap
1242 -domains and interactions.
1243 -</abstract>
1244 -
1245 -<!-- The content of this document is licensed under the CC-BY-SA license -->
1246 -<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
1247 -<license/>
1248 -
1249 -<version>1</version>
1250 -<date>2011-07-09</date>
1251 -
1252 -<chapter>
1253 -<title>Structure</title>
1254 -<section>
1255 -<title>Domains</title>
1256 -<body>
1257 -
1258 -<figure link="./images/ldapdomain.png" short="General LDAP domain overview"
1259 -caption="General LDAP domain overview" />
1260 -
1261 -<p>
1262 -The <c>slapd</c> daemon runs within the <c>slapd_t</c> domain and can only be
1263 -transitioned towards through the <c>sysadm_t</c> (general system administrative
1264 -domain) or <c>initrc_t</c> (init script launched) domains.
1265 -</p>
1266 -
1267 -</body>
1268 -</section>
1269 -<section>
1270 -<title>File Types/Labels</title>
1271 -<body>
1272 -
1273 -<p>
1274 -The following table lists the file type/labels defined in the <c>ldap</c>
1275 -module.
1276 -</p>
1277 -
1278 -<table>
1279 -<tr>
1280 - <th>Type</th>
1281 - <th>Function</th>
1282 - <th>Description</th>
1283 -</tr>
1284 -<tr>
1285 - <ti>slapd_exec_t</ti>
1286 - <ti>Entrypoint</ti>
1287 - <ti>Executable entry point for the slapd daemon binaries</ti>
1288 -</tr>
1289 -<tr>
1290 - <ti>slapd_etc_t</ti>
1291 - <ti>Configuration</ti>
1292 - <ti>Label for OpenLDAP configuration files</ti>
1293 -</tr>
1294 -<tr>
1295 - <ti>slapd_cert_t</ti>
1296 - <ti>Configuration</ti>
1297 - <ti>Label for certificate keystores used by OpenLDAP</ti>
1298 -</tr>
1299 -<tr>
1300 - <ti>slapd_db_t</ti>
1301 - <ti>Configuration</ti>
1302 - <ti>Label for the OpenLDAP database files (backend content)</ti>
1303 -</tr>
1304 -<tr>
1305 - <ti>slapd_replog_t</ti>
1306 - <ti>Configuration</ti>
1307 - <ti>Label for the slurpd replication log location</ti>
1308 -</tr>
1309 -<tr>
1310 - <ti>slapd_lock_t</ti>
1311 - <ti></ti>
1312 - <ti>Label for the lock files (runtime)</ti>
1313 -</tr>
1314 -<tr>
1315 - <ti>slapd_tmp_t</ti>
1316 - <ti></ti>
1317 - <ti>Label for the temporary files</ti>
1318 -</tr>
1319 -<tr>
1320 - <ti>slapd_var_run_t</ti>
1321 - <ti></ti>
1322 - <ti>Label for the runtime variable data</ti>
1323 -</tr>
1324 -<tr>
1325 - <ti>slapd_initrc_exec_t</ti>
1326 - <ti></ti>
1327 - <ti>Label for non-Gentoo init script</ti>
1328 -</tr>
1329 -</table>
1330 -
1331 -</body>
1332 -</section>
1333 -</chapter>
1334 -</guide>
1335
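Review bot: the `<figure link="./images/ldapdomain.png" .../>` reference disappears with this file, but nothing in this patch removes the image itself (the same holds for portagedomain.png and sshdomain.png in the later hunks); either drop the now-unreferenced images in the same commit or record that the wiki pages still serve them. When this file-types table is migrated, the four empty `<ti></ti>` Function cells (slapd_lock_t, slapd_tmp_t, slapd_var_run_t, slapd_initrc_exec_t) should be filled in from their descriptions (runtime and temporary data, init script entry point) rather than copied over blank.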
1336 diff --git a/xml/selinux/modules/portage.xml b/xml/selinux/modules/portage.xml
1337 deleted file mode 100644
1338 index 293b8b0..0000000
1339 --- a/xml/selinux/modules/portage.xml
1340 +++ /dev/null
1341 @@ -1,325 +0,0 @@
1342 -<?xml version="1.0" encoding="UTF-8"?>
1343 -<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
1344 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
1345 -
1346 -<guide link="/proj/en/hardened/selinux/modules/portage.xml" lang="en">
1347 -<title>SELinux Portage Module</title>
1348 -<author title="Author">
1349 - <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
1350 -</author>
1351 -
1352 -<abstract>
1353 -Within SELinux, the portage module is responsible for defining the
1354 -Gentoo-related domains and privileges, including those for the Portage package
1355 -manager, Gentoo-specific file system locations and the command-line wrappers.
1356 -</abstract>
1357 -
1358 -<!-- The content of this document is licensed under the CC-BY-SA license -->
1359 -<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
1360 -<license/>
1361 -
1362 -<version>4</version>
1363 -<date>2011-07-21</date>
1364 -
1365 -<chapter>
1366 -<title>Structure</title>
1367 -<section>
1368 -<title>Domains</title>
1369 -<body>
1370 -
1371 -<figure link="./images/portagedomain.png" short="General Portage domain overview"
1372 -caption="General Portage domain overview" />
1373 -
1374 -<p>
1375 -The <c>portage</c> module provides the following domains:
1376 -</p>
1377 -
1378 -<table>
1379 -<tr>
1380 - <th>Domain</th>
1381 - <th>Process(es)</th>
1382 - <th>Description</th>
1383 -</tr>
1384 -<tr>
1385 - <ti>portage_t</ti>
1386 - <ti>emerge, ebuild, quickpkg, ebuild.sh, regenworld, sandbox</ti>
1387 - <ti>Gentoo's package manager domain</ti>
1388 -</tr>
1389 -<tr>
1390 - <ti>portage_sandbox_t</ti>
1391 - <ti>sandbox</ti>
1392 - <ti>Portage compile sandbox domain</ti>
1393 -</tr>
1394 -<tr>
1395 - <ti>portage_fetch_t</ti>
1396 - <ti>rsync</ti>
1397 - <ti>
1398 - Domain responsible for fetching ebuilds and sources and storing them on
1399 - the system
1400 - </ti>
1401 -</tr>
1402 -<tr>
1403 - <ti>gcc_config_t</ti>
1404 - <ti>gcc-config</ti>
1405 - <ti>Domain for the gcc-config wrapper</ti>
1406 -</tr>
1407 -</table>
1408 -
1409 -</body>
1410 -</section>
1411 -<section>
1412 -<title>File Types/Labels</title>
1413 -<body>
1414 -
1415 -<p>
1416 -The following table lists the file type/labels defined in the <c>portage</c>
1417 -module.
1418 -</p>
1419 -
1420 -<table>
1421 -<tr>
1422 - <th>Type</th>
1423 - <th>Description</th>
1424 -</tr>
1425 -<tr>
1426 - <ti>portage_exec_t</ti>
1427 - <ti>
1428 - Entrypoints for the portage and protage-related domains. Used for binaries
1429 - or scripts such as sandbox, emerge, ...
1430 - </ti>
1431 -</tr>
1432 -<tr>
1433 - <ti>gcc_config_exec_t</ti>
1434 - <ti>
1435 - Entrypoints for the gcc-config wrapper domain
1436 - </ti>
1437 -</tr>
1438 -<tr>
1439 - <ti>portage_ebuild_t</ti>
1440 - <ti>
1441 - Type assigned to the ebuild files and directories
1442 - </ti>
1443 -</tr>
1444 -<tr>
1445 - <ti>portage_srcrepo_t</ti>
1446 - <ti>
1447 - Type assigned to the live repository pulls (git, svn, cvs, ...) used by live
1448 - ebuilds
1449 - </ti>
1450 -</tr>
1451 -<tr>
1452 - <ti>portage_fetch_tmp_t</ti>
1453 - <ti>
1454 - Type used by the portage_fetch_t domain when storing files in a temporary
1455 - location
1456 - </ti>
1457 -</tr>
1458 -<tr>
1459 - <ti>portage_db_t</ti>
1460 - <ti>
1461 - Type used by Portage' data files
1462 - </ti>
1463 -</tr>
1464 -<tr>
1465 - <ti>portage_conf_t</ti>
1466 - <ti>
1467 - Type used by Portage' configuration files
1468 - </ti>
1469 -</tr>
1470 -<tr>
1471 - <ti>portage_cache_t</ti>
1472 - <ti>
1473 - Type used for the Portage cache
1474 - </ti>
1475 -</tr>
1476 -<tr>
1477 - <ti>portage_log_t</ti>
1478 - <ti>
1479 - Type used by Portage for its log files
1480 - </ti>
1481 -</tr>
1482 -<tr>
1483 - <ti>portage_tmp_t<br />portage_tmpfs_t</ti>
1484 - <ti>
1485 - Type used by Portage for temporary files
1486 - </ti>
1487 -</tr>
1488 -</table>
1489 -
1490 -</body>
1491 -</section>
1492 -<section>
1493 -<title>Other Types</title>
1494 -<body>
1495 -
1496 -<p>
1497 -Besides the file and file location types, the following types are also defined:
1498 -</p>
1499 -
1500 -<table>
1501 -<tr>
1502 - <th>Type</th>
1503 - <th>Description</th>
1504 -</tr>
1505 -<tr>
1506 - <ti>portage_devpts_t</ti>
1507 - <ti>
1508 - Type used for the terminal output device/location
1509 - </ti>
1510 -</tr>
1511 -</table>
1512 -
1513 -</body>
1514 -</section>
1515 -</chapter>
1516 -<chapter>
1517 -<title>Using Portage</title>
1518 -<section>
1519 -<title>File Locations</title>
1520 -<body>
1521 -
1522 -<p>
1523 -The policy offered only contains the right file context rules for the default
1524 -locations. If you deviate from these locations, you'll need to update the
1525 -contexts accordingly.
1526 -</p>
1527 -
1528 -<p>
1529 -The following table provides an overview of the Portage settings (variables in
1530 -<path>make.conf</path>) that are commonly changed by end users, and the file
1531 -context that it should have.
1532 -</p>
1533 -
1534 -<table>
1535 -<tr>
1536 - <th>Variable in make.conf</th>
1537 - <th>Default Location</th>
1538 - <th>File Context(s)</th>
1539 -</tr>
1540 -<tr>
1541 - <ti>
1542 - ${PORTDIR}
1543 - </ti>
1544 - <ti>
1545 - <path>/usr/portage</path>
1546 - </ti>
1547 - <ti>
1548 - system_u:object_r:portage_ebuild_t
1549 - </ti>
1550 -</tr>
1551 -<tr>
1552 - <ti>
1553 - ${DISTDIR}/svn-src<br />
1554 - ${DISTDIR}/git-src<br />
1555 - ${DISTDIR}/cvs-src
1556 - </ti>
1557 - <ti>
1558 - <path>/usr/portage/distfiles/svn-src</path><br />
1559 - <path>/usr/portage/distfiles/git-src</path><br />
1560 - <path>/usr/portage/distfiles/cvs-src</path>
1561 - </ti>
1562 - <ti>
1563 - system_u:object_r:portage_srcrepo_t
1564 - </ti>
1565 -</tr>
1566 -<tr>
1567 - <ti>${PKGDIR}</ti>
1568 - <ti>
1569 - <path>/usr/portage/packages</path>
1570 - </ti>
1571 - <ti>
1572 - system_u:object_r:portage_ebuild_t
1573 - </ti>
1574 -</tr>
1575 -<tr>
1576 - <ti>${PORT_LOGDIR}</ti>
1577 - <ti>
1578 - <path>/var/log/portage</path>
1579 - </ti>
1580 - <ti>
1581 - system_u:object_r:portage_log_t
1582 - </ti>
1583 -</tr>
1584 -<tr>
1585 - <ti>${PORTAGE_TMPDIR}</ti>
1586 - <ti>
1587 - <path>/var/tmp/portage</path>
1588 - </ti>
1589 - <ti>
1590 - system_u:object_r:portage_tmp_t
1591 - </ti>
1592 -</tr>
1593 -</table>
1594 -
1595 -<p>
1596 -If you use different locations, use the following commands to update the file
1597 -contexts accordingly:
1598 -</p>
1599 -
1600 -<pre caption="Updating file contexts">
1601 -<comment>( Example for a different PORTDIR location, say /var/repo/portage )</comment>
1602 -~# <i>semanage -a -t portage_ebuild_t /var/repo/portage</i>
1603 -~# <i>restorecon -R /var/repo/portage</i>
1604 -</pre>
1605 -
1606 -<p>
1607 -Don't forget that Portage uses subdirectories with different labels (think
1608 -distfiles or the repositories for the live ebuilds) so take care when
1609 -relabelling locations!
1610 -</p>
1611 -
1612 -<p>
1613 -If you are using different mounts, you might need to use the
1614 -<c>rootcontext=</c> mount option to set the initial context. If the file system
1615 -does not suppor SELinux contexts (like NFS), you can use the <c>context=</c>
1616 -mount option to force the context of all files on the mounted location.
1617 -</p>
1618 -
1619 -</body>
1620 -</section>
1621 -<section>
1622 -<title>Booleans</title>
1623 -<body>
1624 -
1625 -<p>
1626 -The Portage module within Gentoo defines three booleans, called
1627 -<c>gentoo_try_dontaudit</c>, <c>gentoo_portage_use_nfs</c> and
1628 -<c>gentoo_wait_requests</c>.
1629 -</p>
1630 -
1631 -<p>
1632 -When <c>gentoo_try_dontaudit</c> is enabled, the policy will hide the AVC
1633 -denials of which the Gentoo developers believe they are harmless (cosmetic).
1634 -If this boolean is enabled and you are experiencing permission problems, it
1635 -is wise to first disable the boolean and see if you now get any denials that
1636 -could explain the problem.
1637 -</p>
1638 -
1639 -<p>
1640 -When <c>gentoo_portage_use_nfs</c> is enabled, then the Portage-related
1641 -domains will be able to manage the <c>nfs_t</c> and as such, allow for the
1642 -Portage tree and other locations to be NFS-mounted without correcting their
1643 -label (which is still supported when using the <c>context=</c> mount option).
1644 -</p>
1645 -
1646 -<p>
1647 -When <c>gentoo_wait_requests</c> is enabled, then policy rules that are
1648 -introduced to get things working, but which are temporary until the upstream
1649 -project enhances its application (and a bug report is opened for it), are
1650 -active. Disabling this boolean is only recommended if you are running the
1651 -system with the proper patches and is more used for development traceability.
1652 -</p>
1653 -
1654 -<p>
1655 -To switch booleans, use <c>setsebool</c> or <c>togglesebool</c>.
1656 -</p>
1657 -
1658 -<pre caption="Enabling the gentoo_try_dontaudit boolean">
1659 -<comment>( With the -P flag, the boolean state is persisted across reboots)</comment>
1660 -~# <i>setsebool -P gentoo_try_dontaudit on</i>
1661 -</pre>
1662 -
1663 -</body>
1664 -</section>
1665 -</chapter>
1666 -</guide>
1667
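Review bot: the "Updating file contexts" example in this hunk contains a command defect that should not be carried into the wiki copy: `semanage -a -t portage_ebuild_t /var/repo/portage` lacks the `fcontext` subcommand, and even with it the pattern matches only the directory itself, so the following `restorecon -R /var/repo/portage` would leave the files below it labelled by whatever other rule applies. The working form is `semanage fcontext -a -t portage_ebuild_t "/var/repo/portage(/.*)?"` followed by `restorecon -R /var/repo/portage`; the paragraph right after it, warning that distfiles and live-repository subdirectories carry different labels, still applies and should stay next to the corrected command. Smaller typos in the removed text to fix in the migrated version: "protage-related", "Portage' data files" / "Portage' configuration files", and "does not suppor SELinux contexts".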
1668 diff --git a/xml/selinux/modules/ssh.xml b/xml/selinux/modules/ssh.xml
1669 deleted file mode 100644
1670 index 20edf7a..0000000
1671 --- a/xml/selinux/modules/ssh.xml
1672 +++ /dev/null
1673 @@ -1,102 +0,0 @@
1674 -<?xml version="1.0" encoding="UTF-8"?>
1675 -<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
1676 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
1677 -
1678 -<guide link="/proj/en/hardened/selinux/modules/ssh.xml" disclaimer="draft" lang="en">
1679 -<title>SELinux SSH Module</title>
1680 -<author title="Author">
1681 - <mail link="sven.vermeulen@××××××.be">Sven Vermeulen</mail>
1682 -</author>
1683 -
1684 -<abstract>
1685 -Within SELinux, the SSH module is responsible for defining what openssh can do
1686 -</abstract>
1687 -
1688 -<!-- The content of this document is licensed under the CC-BY-SA license -->
1689 -<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
1690 -<license/>
1691 -
1692 -<version>1</version>
1693 -<date>2011-07-09</date>
1694 -
1695 -<chapter>
1696 -<title>Structure</title>
1697 -<section>
1698 -<title>Domains</title>
1699 -<body>
1700 -
1701 -<figure link="./images/sshdomain.png" short="General SSH domain overview"
1702 -caption="General SSH domain overview" />
1703 -
1704 -<p>
1705 -The...
1706 -</p>
1707 -
1708 -</body>
1709 -</section>
1710 -<section>
1711 -<title>File Types/Labels</title>
1712 -<body>
1713 -
1714 -<p>
1715 -The following table lists the file type/labels defined in the <c>ldap</c>
1716 -module.
1717 -</p>
1718 -
1719 -<table>
1720 -<tr>
1721 - <th>Type</th>
1722 - <th>Function</th>
1723 - <th>Description</th>
1724 -</tr>
1725 -<tr>
1726 - <ti>slapd_exec_t</ti>
1727 - <ti>Entrypoint</ti>
1728 - <ti>Executable entry point for the slapd daemon binaries</ti>
1729 -</tr>
1730 -<tr>
1731 - <ti>slapd_etc_t</ti>
1732 - <ti>Configuration</ti>
1733 - <ti>Label for OpenLDAP configuration files</ti>
1734 -</tr>
1735 -<tr>
1736 - <ti>slapd_cert_t</ti>
1737 - <ti>Configuration</ti>
1738 - <ti>Label for certificate keystores used by OpenLDAP</ti>
1739 -</tr>
1740 -<tr>
1741 - <ti>slapd_db_t</ti>
1742 - <ti>Configuration</ti>
1743 - <ti>Label for the OpenLDAP database files (backend content)</ti>
1744 -</tr>
1745 -<tr>
1746 - <ti>slapd_replog_t</ti>
1747 - <ti>Configuration</ti>
1748 - <ti>Label for the slurpd replication log location</ti>
1749 -</tr>
1750 -<tr>
1751 - <ti>slapd_lock_t</ti>
1752 - <ti></ti>
1753 - <ti>Label for the lock files (runtime)</ti>
1754 -</tr>
1755 -<tr>
1756 - <ti>slapd_tmp_t</ti>
1757 - <ti></ti>
1758 - <ti>Label for the temporary files</ti>
1759 -</tr>
1760 -<tr>
1761 - <ti>slapd_var_run_t</ti>
1762 - <ti></ti>
1763 - <ti>Label for the runtime variable data</ti>
1764 -</tr>
1765 -<tr>
1766 - <ti>slapd_initrc_exec_t</ti>
1767 - <ti></ti>
1768 - <ti>Label for non-Gentoo init script</ti>
1769 -</tr>
1770 -</table>
1771 -
1772 -</body>
1773 -</section>
1774 -</chapter>
1775 -</guide>
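Review bot: dropping this file is correct independently of the wiki move: it is a draft placeholder (`disclaimer="draft"`, a body paragraph reading only `The...`) whose File Types/Labels section is a verbatim copy of the ldap.xml table, still saying "defined in the <c>ldap</c> module" and listing the slapd_* types instead of anything belonging to the SSH module. If a wiki page for the SSH module was created from this source, check that it did not inherit the copied table.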