commit: ae48452f5bb0dbe181a5949c6018de93e9dc146e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 3 20:23:04 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 3 20:23:04 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae48452f

Update previews

---
html/selinux-faq.html | 32 +++++++++++++++++++++++++++++++-
1 files changed, 31 insertions(+), 1 deletions(-)

diff --git a/html/selinux-faq.html b/html/selinux-faq.html |
index 42ccef9..cb068d4 100644 |
--- a/html/selinux-faq.html |
+++ b/html/selinux-faq.html |
@@ -49,6 +49,7 @@ as well. |
<li><a href="#rsbac">Can I use SELinux and RSBAC?</a></li> |
<li><a href="#filesystem">Can I use SELinux with any file system?</a></li> |
<li><a href="#nomultilib">Can I use SELinux with AMD64 no-multilib?</a></li> |
+<li><a href="#ubac">What is UBAC exactly?</a></li> |
</ul> |
<p class="secthead">Using SELinux</p> |
<ul> |
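Review bot: the new entry's `href="#ubac"` resolves to the `<a name="ubac">` anchor introduced in the next hunk, and appending it as the last item of this list matches the new section being `doc_chap2_sect7`, the final section of chapter 2; the two hunks depend on each other and should land together, but no change is needed in this one.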
@@ -129,6 +130,35 @@ Theoretically, definitely. However, the current selinux profiles in the Portage |
tree are not no-multilib capable. Work is on the way however to make the |
profiles more flexible and support no-multilib soon. |
</p> |
+<p class="secthead"><a name="ubac"></a><a name="doc_chap2_sect7">What is UBAC exactly?</a></p> |
+<p> |
+UBAC, or <span class="emphasis">User Based Access Control</span>, introduces additional constraints |
+when using SELinux policy. Participating domains / types that are <span class="emphasis">both</span> |
+marked as a <span class="code" dir="ltr">ubac_constrained_type</span> (which is an attribute) will only |
+have the allowed privileges in effect if they both run with the same SELinux |
+user context. |
+</p> |
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Domains and their SELinux user context</p></td></tr> |
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
+<span class="code-comment"># The SELinux allow rule</span> |
+allow foo_t bar_t:file { read }; |
+ |
+<span class="code-comment"># This will succeed:</span> |
+staff_u:staff_r:foo_t reads file with type staff_u:object_r:bar_t |
+ |
+<span class="code-comment"># This will be prohibited:</span> |
+user_u:user_r:foo_t reads file with type staff_u:object_r:bar_t |
+</pre></td></tr> |
+</table> |
+<p> |
+Of course, this is not always the case. Besides the earlier mentioned |
+requirement that both types are <span class="code" dir="ltr">ubac_constrained_type</span>, if the source |
+domain is <span class="code" dir="ltr">sysadm_t</span>, then the constraint will not be in effect (the |
+<span class="code" dir="ltr">sysadm_t</span> domain is exempt from UBAC constraints). Also, if the source |
+or destination SELinux user is <span class="code" dir="ltr">system_u</span> then the constraint will also |
+not be in effect. |
+</p> |
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3. |
</span>Using SELinux</p> |
<p class="secthead"><a name="enable_selinux"></a><a name="doc_chap3_sect1">How do I enable SELinux?</a></p> |
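Review bot: the listing in Code Listing 2.1 shows only `allow foo_t bar_t:file { read };` and the two access attempts, but never shows that `foo_t` and `bar_t` carry the `ubac_constrained_type` attribute, which the paragraph just above names as the precondition for the constraint to apply at all; adding the attribute assignments to the listing (for example `typeattribute foo_t ubac_constrained_type;` and the same line for `bar_t`) would make the example self-contained and make the "both marked" condition visible. Two smaller points in the same hunk: the title renders as "Code Listing2.1" with no space before the number, and since the Print link shows this HTML is generated from selinux-faq.xml, that should be checked in the source or stylesheet rather than patched here; and "Of course, this is not always the case" reads as if it contradicts the rule just stated, where "There are exceptions to this constraint" would introduce the exemptions (`sysadm_t` as source domain, `system_u` as source or target SELinux user) more clearly.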
@@ -389,7 +419,7 @@ To fix this, change the user of the file to root: |
</td> |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr> |
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2011</p></td></tr> |
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 3, 2011</p></td></tr> |
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> |
Frequently Asked Questions on SELinux integration with Gentoo Hardened. |
The FAQ is a collection of solutions found on IRC, mailinglist, forums or |