Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/
Date: Tue, 03 May 2011 20:23:52
Message-Id: ae48452f5bb0dbe181a5949c6018de93e9dc146e.SwifT@gentoo
1 commit: ae48452f5bb0dbe181a5949c6018de93e9dc146e
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Tue May 3 20:23:04 2011 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue May 3 20:23:04 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=ae48452f
7
8 Update previews
9
10 ---
11 html/selinux-faq.html | 32 +++++++++++++++++++++++++++++++-
12 1 files changed, 31 insertions(+), 1 deletions(-)
13
14 diff --git a/html/selinux-faq.html b/html/selinux-faq.html
15 index 42ccef9..cb068d4 100644
16 --- a/html/selinux-faq.html
17 +++ b/html/selinux-faq.html
18 @@ -49,6 +49,7 @@ as well.
19 <li><a href="#rsbac">Can I use SELinux and RSBAC?</a></li>
20 <li><a href="#filesystem">Can I use SELinux with any file system?</a></li>
21 <li><a href="#nomultilib">Can I use SELinux with AMD64 no-multilib?</a></li>
22 +<li><a href="#ubac">What is UBAC exactly?</a></li>
23 </ul>
24 <p class="secthead">Using SELinux</p>
25 <ul>
26 @@ -129,6 +130,35 @@ Theoretically, definitely. However, the current selinux profiles in the Portage
27 tree are not no-multilib capable. Work is on the way however to make the
28 profiles more flexible and support no-multilib soon.
29 </p>
30 +<p class="secthead"><a name="ubac"></a><a name="doc_chap2_sect7">What is UBAC exactly?</a></p>
31 +<p>
32 +UBAC, or <span class="emphasis">User Based Access Control</span>, introduces additional constraints
33 +when using SELinux policy. Participating domains / types that are <span class="emphasis">both</span>
34 +marked as a <span class="code" dir="ltr">ubac_constrained_type</span> (which is an attribute) will only
35 +have the allowed privileges in effect if they both run with the same SELinux
36 +user context.
37 +</p>
38 +<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
39 +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Domains and their SELinux user context</p></td></tr>
40 +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
41 +<span class="code-comment"># The SELinux allow rule</span>
42 +allow foo_t bar_t:file { read };
43 +
44 +<span class="code-comment"># This will succeed:</span>
45 +staff_u:staff_r:foo_t reads file with type staff_u:object_r:bar_t
46 +
47 +<span class="code-comment"># This will be prohibited:</span>
48 +user_u:user_r:foo_t reads file with type staff_u:object_r:bar_t
49 +</pre></td></tr>
50 +</table>
51 +<p>
52 +Of course, this is not always the case. Besides the earlier mentioned
53 +requirement that both types are <span class="code" dir="ltr">ubac_constrained_type</span>, if the source
54 +domain is <span class="code" dir="ltr">sysadm_t</span>, then the constraint will not be in effect (the
55 +<span class="code" dir="ltr">sysadm_t</span> domain is exempt from UBAC constraints). Also, if the source
56 +or destination SELinux user is <span class="code" dir="ltr">system_u</span> then the constraint will also
57 +not be in effect.
58 +</p>
59 <p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
60 </span>Using SELinux</p>
61 <p class="secthead"><a name="enable_selinux"></a><a name="doc_chap3_sect1">How do I enable SELinux?</a></p>
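Review bot: the listing titled "Code Listing2.1" shows only `allow foo_t bar_t:file { read };` and the two user contexts, yet the paragraph above makes the user restriction depend on both foo_t and bar_t carrying the ubac_constrained_type attribute; a reader could conclude from the listing alone that any allow rule is user-restricted. Suggest stating that precondition inside the listing, e.g. a comment line `# foo_t and bar_t both have the ubac_constrained_type attribute` before the allow rule, and opening the last paragraph with "There are exceptions to this." rather than the vague "Of course, this is not always the case." Two small nits: the title is missing a space before the number ("Code Listing 2.1"), and since html/ holds generated previews, that fix belongs in the GuideXML source rather than in this file.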
62 @@ -389,7 +419,7 @@ To fix this, change the user of the file to root:
63 </td>
64 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
65 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
66 -<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2011</p></td></tr>
67 +<tr><td class="topsep" align="center"><p class="alttext">Updated May 3, 2011</p></td></tr>
68 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
69 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
70 The FAQ is a collection of solutions found on IRC, mailinglist, forums or