Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
Date: Fri, 01 Apr 2011 17:45:22
Message-Id: 6ead14e833d7958b6f5b89c45d520be1accfa615.SwifT@gentoo
1 commit: 6ead14e833d7958b6f5b89c45d520be1accfa615
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Fri Apr 1 17:44:41 2011 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Apr 1 17:44:41 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6ead14e8
7
8 drop unneeded files
9
10 ---
11 xml/selinux/hb-selinux-conv-profile.xml | 107 -------
12 xml/selinux/hb-selinux-conv-reboot1.xml | 193 ------------
13 xml/selinux/hb-selinux-conv-reboot2.xml | 213 -------------
14 xml/selinux/hb-selinux-faq.xml | 154 ---------
15 xml/selinux/hb-selinux-howto.xml | 250 ---------------
16 xml/selinux/hb-selinux-initpol.xml | 48 ---
17 xml/selinux/hb-selinux-libsemanage.xml | 246 ---------------
18 xml/selinux/hb-selinux-localmod.xml | 134 --------
19 xml/selinux/hb-selinux-loglocal.xml | 166 ----------
20 xml/selinux/hb-selinux-logremote.xml | 177 -----------
21 xml/selinux/hb-selinux-overview.xml | 521 -------------------------------
22 xml/selinux/hb-selinux-references.xml | 111 -------
23 12 files changed, 0 insertions(+), 2320 deletions(-)
24
25 diff --git a/xml/selinux/hb-selinux-conv-profile.xml b/xml/selinux/hb-selinux-conv-profile.xml
26 deleted file mode 100644
27 index 01f5ead..0000000
28 --- a/xml/selinux/hb-selinux-conv-profile.xml
29 +++ /dev/null
30 @@ -1,107 +0,0 @@
31 -<?xml version='1.0' encoding="utf-8"?>
32 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
33 -
34 -<!-- The content of this document is licensed under the CC-BY-SA license -->
35 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
36 -
37 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ -->
38 -
39 -<sections>
40 -<version>2.1</version>
41 -<date>2010-06-15</date>
42 -
43 -<section><title>Change Profile</title>
44 -<subsection><body>
45 -
46 -<warn>SELinux is only supported on ext2/3, XFS, JFS, and Btrfs. Other filesystems
47 -lack the complete extended attribute support.</warn>
48 -
49 -<warn>Users should convert from a 2006.1 or newer profile otherwise
50 -there may be unpredictable results.</warn>
51 -
52 -<impo>As always, keep a LiveCD at hand in case things go wrong.</impo>
53 -
54 -<p>First switch your profile to the SELinux profile for your architecture:</p>
55 -
56 -<pre caption="Switch profiles">
57 -# <i>rm -f /etc/make.profile</i>
58 -
59 -
60 -<comment>x86 (server):</comment>
61 -# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/server /etc/make.profile</i>
62 -<comment>x86 (hardened):</comment>
63 -# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/hardened /etc/make.profile</i>
64 -<comment>AMD64:</comment>
65 -# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/server /etc/make.profile</i>
66 -<comment>AMD64 (hardened):</comment>
67 -# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/hardened /etc/make.profile</i>
68 -</pre>
69 -
70 -<note>You can also switch profiles with eselect if you have the gentoolkit
71 - package installed. That method is not shown here because the specific options
72 - available and their numbering will vary according to your system
73 - configuration.</note>
74 -
75 -<impo>Do not use any profiles other than the ones listed above, even
76 -if they seem to be out of date. SELinux profiles are not necessarily
77 -created as often as default Gentoo profiles.</impo>
78 -
79 -<impo>The SELinux profile has significanly fewer USE flags asserted than
80 -the default profile. Use <c>emerge info</c> to see if any use flags
81 -need to be reenabled in make.conf.</impo>
82 -
83 -<note>It is not necessary to add selinux to your USE flags in make.conf.
84 -The SELinux profile already does this for you.
85 -</note>
86 -
87 -<note>
88 - You may encounter this message from portage: "!!! SELinux module not found.
89 - Please verify that it was installed." This is normal, and will be fixed
90 - later in the conversion process.
91 -</note>
92 -</body>
93 -</subsection>
94 -</section>
95 -
96 -<section><title>Update Kernel Headers</title>
97 -<subsection><body>
98 -<p>
99 - We will start by updating essential packages. First check which version
100 - of linux-headers is installed.
101 -</p>
102 -
103 -<pre caption="Check linux-headers version">
104 -# <i>emerge -s linux-headers</i>
105 -<comment>or if you have gentoolkit installed:</comment>
106 -# <i>equery list -i linux-headers</i>
107 -</pre>
108 -
109 -<p>
110 - If the linux-headers version is older than 2.4.20, newer headers must be merged.
111 -</p>
112 -
113 -<pre caption="Merge newer headers">
114 -# <i>emerge \>=sys-kernel/linux-headers-2.4.20</i>
115 -</pre>
116 -</body>
117 -</subsection>
118 -</section>
119 -
120 -<section><title>Update Glibc</title>
121 -<subsection><body>
122 -<p>
123 - If you have merged new headers, or you are unsure if your glibc was
124 - compiled with newer headers, you must recompile glibc.
125 -</p>
126 -
127 -<pre caption="Recompile glibc">
128 -# <i>emerge glibc</i>
129 -</pre>
130 -
131 -<impo>
132 - This is a critical operation. Glibc must be compiled with newer linux-headers,
133 - otherwise some operations will malfunction.
134 -</impo>
135 -</body></subsection>
136 -</section>
137 -</sections>
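Review bot: the commit message "drop unneeded files" gives no reason for removing hb-selinux-conv-profile.xml, and this hunk shows why one is needed: the file is stamped version 2.1 / 2010-06-15, so it is not self-evidently dead. The visible content is clearly stale (the `ln -sf /usr/portage/profiles/selinux/v2refpolicy/... /etc/make.profile` procedure, the 2006.1 profile warning, the `emerge \>=sys-kernel/linux-headers-2.4.20` check), which supports deleting it, but the message should say that the conversion chapter is obsolete or superseded, and whatever book file includes these `sections` should stop referencing them in the same commit. One warning in the deleted text is not version-bound and deserves a home wherever the profile switch is now documented: the SELinux profile asserts far fewer USE flags than the default profile, so `emerge info` should be checked for flags that need re-enabling in make.conf.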
138
139 diff --git a/xml/selinux/hb-selinux-conv-reboot1.xml b/xml/selinux/hb-selinux-conv-reboot1.xml
140 deleted file mode 100644
141 index bfc8692..0000000
142 --- a/xml/selinux/hb-selinux-conv-reboot1.xml
143 +++ /dev/null
144 @@ -1,193 +0,0 @@
145 -<?xml version='1.0' encoding="utf-8"?>
146 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
147 -
148 -<!-- The content of this document is licensed under the CC-BY-SA license -->
149 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
150 -
151 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v 1.11 2010/10/06 15:11:15 pebenito Exp $ -->
152 -
153 -<sections>
154 -<version>2.2</version>
155 -<date>2010-11-27</date>
156 -
157 -<section><title>Merge a SELinux Kernel</title>
158 -<subsection><body>
159 -<p>Merge an appropriate kernel. A 2.6 kernel is required. The
160 - suggested kernel is hardened-sources.
161 -</p>
162 -
163 -<note>2.6.28-r9 is the current hardened release version at the time of this writing,
164 - and all instructions in this document assume at least this version.</note>
165 -
166 -<warn>Kernels 2.6.14 and 2.6.15 should not be used by XFS users as they
167 - have bugs in the SELinux XFS support.</warn>
168 -
169 -<pre caption="Merge an appropriate kernel">
170 -<comment>Any 2.6 kernel</comment>
171 -# <i>emerge hardened-sources</i>
172 -</pre>
173 -</body></subsection>
174 -</section>
175 -
176 -<section><title>Compile the Kernel with SELinux Options</title>
177 -<subsection><body>
178 -<p>The kernel must be compiled with security module support, SELinux support,
179 -devpts, and extended attribute security labels. Refer to the main installation
180 -guide for futher kernel options.</p>
181 -
182 -<note>
183 -The available options may vary slightly depending on the kernel version
184 -being used. In particular, Btrfs first became available with the 2.6.29
185 -kernel, and the /dev/pts and tmpfs Extended Attributs and Security Labels
186 -options were obsoleted in kernel 2.6.13 (they are now enabled by default).
187 -"Default Linux Capabilies" under "Security options" was obsoleted in the
188 -2.6.26 kernel (it is now enabled by default).
189 -
190 -XFS always enables security labeling, so there is no additional option
191 -to set for this file system
192 -
193 -Ext4 should work, but is NOT well tested at the time of this writing!
194 -
195 -Any extended attribute options not specifically enabled below should be turned
196 -off.
197 -</note>
198 -
199 -<pre caption="Location and required options under menuconfig">
200 -<comment>Under "General setup"</comment>
201 -[*] Prompt for development and/or incomplete code/drivers
202 -[*] Auditing support
203 -[*] Enable system-call auditing support
204 -
205 -<comment>Under "File systems"</comment>
206 -&lt;*&gt; Second extended fs support <comment>(If using ext2)</comment>
207 -[*] Ext2 extended attributes
208 -[ ] Ext2 POSIX Access Control Lists
209 -[*] Ext2 Security Labels
210 -[ ] Ext2 Execute in place support
211 -&lt;*&gt; Ext3 journalling file system support <comment>(If using ext3)</comment>
212 -[*] Ext3 extended attributes
213 -[ ] Ext3 POSIX Access Control Lists
214 -[*] Ext3 Security labels
215 -&lt;*&gt; The Extended 4 (ext4) filesystem <comment>(If using ext4)</comment>
216 -[ ] Enable ext4dev compatibility
217 -[*] Ext4 extended attrributes
218 -[ ] Ext4 POSIX Access Control Lists
219 -[*] Ext4 Security Labels
220 -&lt;*&gt; JFS filesystem support <comment>(If using JFS)</comment>
221 -[ ] JFS POSIX Access Control Lists
222 -[*] JFS Security Labels
223 -[ ] JFS debugging
224 -[ ] JFS statistics
225 -&lt;*&gt; XFS filesystem support <comment>(If using XFS)</comment>
226 -[ ] XFS Quota support
227 -[ ] XFS POSIX ACL support
228 -[ ] XFS Realtime subvolume support (EXPERIMENTAL)
229 -[ ] XFS Debugging Support
230 -&lt;*&gt; Btrfs filesystem (EXPERIMENTAL) Unstable disk format <comment>(if
231 -using Btrfs)</comment>
232 -[ ] Btrfs POSIX Access Control Lists (NEW)
233 -<comment>Under "Pseudo filesystems (via "File systems")</comment>
234 -[ ] /dev file system support (EXPERIMENTAL)
235 -[*] /dev/pts Extended Attributes
236 -[*] /dev/pts Security Labels
237 -[*] Virtual memory file system support (former shm fs)
238 -[*] tmpfs Extended Attributes
239 -[*] tmpfs Security Labels
240 -
241 -<comment>Under "Security options"</comment>
242 -[*] Enable different security models
243 -[*] Socket and Networking Security Hooks
244 -&lt;*&gt; Default Linux Capabilities
245 -[*] NSA SELinux Support
246 -[ ] NSA SELinux boot parameter
247 -[ ] NSA SELinux runtime disable
248 -[*] NSA SELinux Development Support
249 -[ ] NSA SELinux AVC Statistics
250 -(1) NSA SELinux checkreqprot default value
251 -[ ] NSA SELinux enable new secmark network controls by default
252 -[ ] NSA SELinux maximum supported policy format version
253 - Default security module (SELinux) --->
254 -</pre>
255 -
256 -<p>
257 - The extended attribute security labels must be turned on for devpts and
258 - your filesystem(s). Devfs is not usable in SELinux, and should be
259 - turned off. Not all options exist on older 2.6 kernels,
260 - such as Auditing support, and runtime disable. In newer kernels,
261 - the extended attributes support for proc and the virtual memory fs (tmpfs)
262 - are enabled by default; thus, no options will appear in menuconfig.
263 -</p>
264 -
265 -<note>It is recommended to configure PaX if you are using harded-sources (also
266 -recommended). More information about Pax can be found in the <uri link="/proj/en/hardened/pax-quickstart.xml">Hardened Gentoo
267 -PaX Quickstart Guide</uri>.
268 -</note>
269 -
270 -<warn>
271 - Do not enable the SELinux MLS policy option if its available, as it is
272 - not supported, and will cause your machine to not start.
273 -</warn>
274 -
275 -<p>
276 - Now compile and install the kernel and modules, but do not reboot.
277 -</p>
278 -</body></subsection>
279 -</section>
280 -
281 -<section><title>Update fstab</title>
282 -<subsection><body>
283 -<p>
284 - SElinuxfs must also be enabled to mount at boot.
285 - Add this to /etc/fstab:
286 -</p>
287 -<pre caption="Fstab settings for selinuxfs">
288 -none /selinux selinuxfs defaults 0 0
289 -</pre>
290 -</body></subsection>
291 -</section>
292 -
293 -<section><title>Configure Baselayout</title>
294 -<subsection><body>
295 -<p>
296 -SELinux does not support devfs. You must configure baselayout to
297 -use either static device nodes or udev. If using udev, the
298 -device tarball must be disabled. Edit the /etc/conf.d/rc file.
299 -Set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no.
300 -If you have several custom device nodes, static is suggested,
301 -otherwise udev is suggested (udev is the default at the time of this writing).
302 -For more information on udev, consult the <uri link="/doc/en/udev-guide.xml">Gentoo UDEV Guide</uri>.
303 -</p>
304 -<pre caption="Init script configuration">
305 -# Use this variable to control the /dev management behavior.
306 -# auto - let the scripts figure out what's best at boot
307 -# devfs - use devfs (requires sys-fs/devfsd)
308 -# udev - use udev (requires sys-fs/udev)
309 -# static - let the user manage /dev
310 -
311 -RC_DEVICES="<comment>udev</comment>"
312 -
313 -# UDEV OPTION:
314 -# Set to "yes" if you want to save /dev to a tarball on shutdown
315 -# and restore it on startup. This is useful if you have a lot of
316 -# custom device nodes that udev does not handle/know about.
317 -
318 -RC_DEVICE_TARBALL="<comment>no</comment>"
319 -</pre>
320 -</body></subsection>
321 -</section>
322 -
323 -<section><title>Reboot</title>
324 -<subsection><body>
325 -<p>
326 - We need to make some directories before we reboot.
327 -</p>
328 -<pre caption="Making Required Directories">
329 -# <i>mkdir /selinux</i>
330 -# <i>mkdir /sys</i>
331 -</pre>
332 -<p>
333 - Now reboot.
334 -</p>
335 -</body></subsection>
336 -</section>
337 -</sections>
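Review bot: the deleted kernel-configuration list (from `<pre caption="Location and required options under menuconfig">` down to `Default security module (SELinux) --->`) is the one place in this chapter that states which options are security requirements rather than conveniences, and the commit message does not say where that list now lives. Most of the file is tied to removed infrastructure (`/etc/conf.d/rc` with `RC_DEVICES`/`RC_DEVICE_TARBALL`, devfs, `mkdir /sys`, the 2.6.28-r9 note), so deleting it is reasonable, but the requirements that are not version-specific should survive in the successor document: extended-attribute security labels on every filesystem that will be labeled, auditing support, and the warning against enabling the SELinux MLS policy option. The hunk also leaves `[ ] NSA SELinux boot parameter` and `[ ] NSA SELinux runtime disable` unchecked; those are hardening choices (the kernel then offers no boot-time or runtime switch to turn SELinux off) and deserve an explicit sentence wherever the list is reproduced.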
338
339 diff --git a/xml/selinux/hb-selinux-conv-reboot2.xml b/xml/selinux/hb-selinux-conv-reboot2.xml
340 deleted file mode 100644
341 index 95383da..0000000
342 --- a/xml/selinux/hb-selinux-conv-reboot2.xml
343 +++ /dev/null
344 @@ -1,213 +0,0 @@
345 -<?xml version='1.0' encoding="utf-8"?>
346 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
347 -
348 -<!-- The content of this document is licensed under the CC-BY-SA license -->
349 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
350 -
351 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v 1.11 2010/06/25 16:07:19 pebenito Exp $ -->
352 -
353 -<sections>
354 -<version>2.3</version>
355 -<date>2010-11-27</date>
356 -
357 -<section><title>Merge SELinux Packages</title>
358 -<subsection>
359 -<body>
360 -<p>Merge the libraries, utilities and base-policy. The policy version may need
361 - be adjusted, refer to the SELinux Overview
362 - for more information on policy versions. Then load the policy.</p>
363 -
364 -<pre caption="Merge base SELinux packages and policy">
365 -# <i>emerge -1 checkpolicy policycoreutils</i>
366 -# <i>FEATURES=-selinux emerge -1 selinux-base-policy</i>
367 -</pre>
368 -<note>
369 -The "FEATURES=-selinux" part of the emerge command should only be used on the above command.
370 -It is required to merge selinux-base-policy (only for the first time) as the portage SELinux features require both policycoreutils and selinux-base-policy otherwise portage will fail.
371 -</note>
372 -</body></subsection>
373 -</section>
374 -
375 -<section><title>Choose the policy type</title>
376 -<body>
377 -<p>
378 -New in 2006.1, users now have the choice between the strict policy and the
379 -targeted policy.
380 -</p>
381 -<p>
382 -In the strict policy, all processes are confined.
383 -If you are familiar with pre 2006.1 Gentoo SELinux policy, that policy was a strict policy.
384 -Strict policy is suggested for servers.
385 -Gentoo does not support the strict policy on desktops.
386 -</p>
387 -<p>
388 -The targeted policy differs with strict, as only network-facing services are
389 -confined and local users are unconfined. Gentoo only supports desktops with
390 -the targeted policy. This policy can also be used on servers.
391 -</p>
392 -<p>
393 -Edit the /etc/selinux/config file to set the policy type.
394 -</p>
395 -<pre caption="/etc/selinux/config contents">
396 -# This file controls the state of SELinux on the system on boot.
397 -
398 -# SELINUX can take one of these three values:
399 -# enforcing - SELinux security policy is enforced.
400 -# permissive - SELinux prints warnings instead of enforcing.
401 -# disabled - No SELinux policy is loaded.
402 -SELINUX=permissive <comment>(This should be set permissive for the remainder of the install)</comment>
403 -
404 -# SELINUXTYPE can take one of these two values:
405 -# targeted - Only targeted network daemons are protected.
406 -# strict - Full SELinux protection.
407 -SELINUXTYPE=strict <comment>(Set this as strict or targeted)</comment>
408 -</pre>
409 -</body>
410 -</section>
411 -
412 -<section><title>Merge SELinux-patched packages</title>
413 -<subsection><body>
414 -<p>
415 - There are several system packages that have SELinux patches. These patches
416 - provide a variety of additional SELinux functionality, such as displaying
417 - file contexts.
418 -</p>
419 -<pre caption="Remerge Packages">
420 -# <i>emerge -1 sysvinit pam coreutils findutils openssh procps psmisc shadow util-linux python-selinux</i>
421 -</pre>
422 -<note>
423 - If you find that you can't use portage due to a errors like these:
424 - !!! 'module' object has no attribute 'secure_rename' or
425 - AttributeError: 'module' object has no attribute 'getcontext', this is
426 - a portage bug, where it can't handle a missing python-selinux. Merge it
427 - with "FEATURES=-selinux emerge python-selinux" to fix the problem. See
428 - bug <uri link="http://bugs.gentoo.org/show_bug.cgi?id=122517">#122517</uri>
429 - for more information.
430 -</note>
431 -<p>There are other packages that have SELinux patches, but are optional. These
432 -should be remerged if they are already installed, so the SELinux patches are
433 -applied:</p>
434 -<ul>
435 -<li>app-admin/logrotate</li>
436 -<li>sys-apps/fcron</li>
437 -<li>sys-apps/vixie-cron</li>
438 -<li>sys-fs/device-mapper</li>
439 -<li>sys-fs/udev</li>
440 -<li>sys-libs/pwdb</li>
441 -</ul>
442 -<note>
443 - Fcron and Vixie-cron are the only crons with SELinux support.
444 -</note>
445 -<note>The above packages are NOT an exhaustive list; they are only the most
446 -common ones. In general, any package installed on the system which has the
447 -selinux USE flag should be remerged. To see which packages may need to be
448 -merged, you can:
449 -emerge -upDN world
450 -
451 -Since changing to the selinux profile has changed your USE flags, the above
452 -will get everything that is listening to the selinux USE flag. It will
453 -probably also get some other stuff as well. To actually remerge everything,
454 -simply remove the 'p', or manually specify the packages you want to remerge.
455 -</note>
456 -</body></subsection>
457 -</section>
458 -
459 -<section><title>Merge Application Policies</title>
460 -<subsection><body>
461 -<p>
462 - In future, when merging a package, the policy will be set as a dependency so
463 - that it is merged first; however, since the system is being converted, policy
464 - for currently installed packages must be merged. The selinux-base-policy
465 - already covers most packages in the system profile.
466 -</p>
467 -<p>
468 - Look in the <c>/usr/portage/sec-policy</c>, it has several entries, each which
469 - represent a policy. The naming scheme is selinux-PKGNAME, where PKGNAME is
470 - the name of the package that the policy is associated. For example, the
471 - selinux-apache package is the SELinux policy package for net-www/apache.
472 - Merge each of the needed policy packages and then load the policy.
473 - If you are converting a desktop, make sure to include the selinux-desktop policy package.
474 -</p>
475 -<pre caption="Example Merge of Apache and BIND policies">
476 -# <i>ls /usr/portage/sec-policy</i>
477 -<comment>(many directories listed)</comment>
478 -
479 -# <i>emerge -1 selinux-apache selinux-bind</i>
480 -</pre>
481 -</body></subsection>
482 -</section>
483 -
484 -<section><title>Label Filesystems</title>
485 -<subsection><body>
486 -<p>
487 - Before you can relabel the rest of the filesystems, you need to first relabel
488 - /dev. Strictly speaking, this is only necessary if you aren't using a static
489 - /dev. However, as the vast majority of current and new systems are going to
490 - be built with udev, this probably means you are using udev as well. There
491 - are a lot of different ways to get at this problem, but the steps below are
492 - easy to do and work.
493 -</p>
494 - <pre caption="Relabel /dev">
495 -<i># mkdir /mnt/gentoo
496 -# mount -o bind / /mnt/gentoo
497 -# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev
498 -# umount /mnt/gentoo
499 -</i>
500 - </pre>
501 - <note>Remember to select one of {strict,targeted} above based on your
502 - enforcement mode.</note>
503 -<p>
504 - Now label the filesystems. This gives each of the files in the filesystems
505 - a security label. Keeping these labels consistent is important.
506 -</p>
507 -<pre caption="Label filesystems">
508 -# <i>rlpkg -a -r</i>
509 -</pre>
510 -<warn>
511 - There is a known issue with older versions of GRUB
512 - not being able to read symlinks that have been labeled.
513 - Please make sure you have at least GRUB 0.94 installed.
514 - Also rerun GRUB and reinstall it into the MBR to ensure
515 - the updated code is in use.
516 - You do have a LiveCD handy, right?
517 -</warn>
518 -<pre caption="Reinstall GRUB on the MBR (GRUB users only)">
519 -# <i>grub</i>
520 -
521 -grub> root (hd0,0) <comment>(Your boot partition)</comment>
522 -grub> setup (hd0) <comment>(Where the boot record is installed; here, it is the MBR)</comment>
523 -</pre>
524 -<p>
525 - If you've installed Gentoo using the hardened sources, then you'll need to
526 - tell SELinux that you are using the hardened tool-chain with ssp. You do
527 - this by setting an SELinux global boolean
528 -</p>
529 -<pre caption="SELinux global_ssp">
530 -<i>setsebool -P global_ssp on</i>
531 -</pre>
532 -<note>Make sure you use the -P flag, or the setting won't survive the reboot,
533 -and you'll likely see a lot of errors relating to /dev/null and /dev/random
534 -</note>
535 -</body></subsection>
536 -</section>
537 -
538 -<section><title>Final reboot</title>
539 -<subsection><body>
540 -<p>Reboot. Log in, then relabel again to ensure all files
541 -are labeled correctly (some files may have been created during shutdown and
542 -reboot)</p>
543 -<pre caption="Relabel">
544 -# <i>rlpkg -a -r</i>
545 -</pre>
546 -<note>
547 - It is strongly suggested to <uri link="/main/en/lists.xml">subscribe</uri>
548 - to the gentoo-hardened mail list. It is generally a low traffic list, and
549 - SELinux announcements are made there.
550 -</note>
551 -<p>
552 - SELinux is now installed!
553 -</p>
554 -</body></subsection>
555 -</section>
556 -
557 -</sections>
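Review bot: this chapter tells the reader to keep `SELINUX=permissive` "for the remainder of the install", but its closing section (`Final reboot`, ending with "SELinux is now installed!") never instructs switching `/etc/selinux/config` to `enforcing`, so a reader following it ends with a labeled but non-enforcing system; if the chapter is being replaced rather than simply dropped, please confirm the replacement closes that gap. The commit message should also say whether the procedures here that are not baselayout-era specific were carried over: the `FEATURES=-selinux emerge -1 selinux-base-policy` bootstrap and its note, the `setfiles -r /mnt/gentoo ... /mnt/gentoo/dev` relabel of /dev through a bind mount, the `rlpkg -a -r` relabel after the final reboot, and `setsebool -P global_ssp on` for hardened toolchains. Minor: the `Choose the policy type` section opens `<body>` directly under `<section>` without a `<subsection>`, unlike every other section in the file; moot once the file is gone, but worth knowing if any of it is copied forward.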
558
559 diff --git a/xml/selinux/hb-selinux-faq.xml b/xml/selinux/hb-selinux-faq.xml
560 deleted file mode 100644
561 index dc35969..0000000
562 --- a/xml/selinux/hb-selinux-faq.xml
563 +++ /dev/null
564 @@ -1,154 +0,0 @@
565 -<?xml version='1.0' encoding="utf-8"?>
566 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
567 -
568 -<!-- The content of this document is licensed under the CC-BY-SA license -->
569 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
570 -
571 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-faq.xml,v 1.4 2006/09/07 10:37:46 neysx Exp $ -->
572 -
573 -<sections>
574 -<version>1.3</version>
575 -<date>2006-05-01</date>
576 -
577 -<section><title>SELinux features</title>
578 -<subsection><title>Does SELinux enforce resource limits?</title>
579 -<body>
580 -<p>
581 - No, resource limits are outside the scope of an access control system. If you
582 - are looking for this type of support, GRSecurity and RSBAC are better choices.
583 -</p>
584 -</body></subsection>
585 -</section>
586 -
587 -<section><title>SELinux and other hardened projects</title>
588 -<subsection><title>Can I use SELinux and GRSecurity (and PaX)?</title>
589 -<body>
590 -<p>
591 - Yes, SELinux can be used with GRSecurity and/or PaX with no problems; however,
592 - it is suggested that GRACL should not be used, since it would be redundant
593 - to SELinux's access control.
594 -</p>
595 -</body></subsection>
596 -<subsection><title>Can I use SELinux and the hardened compiler (PIE-SSP)?</title>
597 -<body>
598 -<p>
599 - Yes. It is also suggested that PaX be used to take full advantage
600 - of the PIE features of the compiler.
601 -</p>
602 -</body></subsection>
603 -<subsection><title>Can I use SELinux and RSBAC?</title>
604 -<body>
605 -<p>
606 - Unknown. Please report your results if you try this combination.
607 -</p>
608 -</body></subsection>
609 -</section>
610 -
611 -<section><title>SELinux and filesystems</title>
612 -<subsection><title>Can I use SELinux with my primary filesystems?</title>
613 -<body>
614 -<p>
615 - SELinux can be used with ext2, ext3, JFS, and XFS. Reiserfs (Reiser3) has
616 - extended attributes, but the support was never complete, and has been broken
617 - since 2.6.14. Reiser4 is not supported.
618 -</p>
619 -</body></subsection>
620 -<subsection><title>Can I use SELinux with my ancillary filesystems?</title>
621 -<body>
622 -<p>
623 - Yes, SELinux can mount ancillary filesystems, such as vfat and iso9660
624 - filesystems, with an important caveat. All files in each filesystem will
625 - have the same SELinux type, since the filesystems do not support extended
626 - attributes. Tmpfs is the only ancillary filesystem with complete extended
627 - attribute support, which allows it to behave like a primary filesystem.
628 -</p>
629 -</body></subsection>
630 -<subsection><title>Can I use SELinux with my network filesystems?</title>
631 -<body>
632 -<p>
633 - Yes, SELinux can mount network filesystems, such as NFS and CIFS
634 - filesystems, with an important caveat. All files in each filesystem will
635 - have the same SELinux type, since the filesystems do not support extended
636 - attributes. In the future, hopefully network filesystems will begin to
637 - support extended attributes, then they will work like a primary filesystem.
638 -</p>
639 -</body></subsection>
640 -</section>
641 -
642 -<section><title>Portage error messages</title>
643 -<subsection><title>I get a missing SELinux module error when using emerge:</title>
644 -<body>
645 -<pre caption="Portage message">
646 -!!! SELinux module not found. Please verify that it was installed.
647 -</pre>
648 -<p>
649 - This indicates that the portage SELinux module is missing or damaged.
650 - Also python may have been upgraded to a new version which requires
651 - python-selinux to be recompiled. Remerge dev-python/python-selinux.
652 - If packages have been merged under this condition, they must be relabed
653 - after fixing this condition. If the packages needing to be remerged cannot
654 - be determined, a full relabel may be required.
655 -</p>
656 -</body></subsection>
657 -</section>
658 -
659 -<section><title>SELinux kernel error messages</title>
660 -<subsection><title>I get a register_security error message when booting:</title>
661 -<body>
662 -<pre caption="Kernel message">
663 -There is already a security framework initialized, register_security failed.
664 -Failure registering capabilities with the kernel
665 -selinux_register_security: Registering secondary module capability
666 -Capability LSM initialized
667 -</pre>
668 -<p>
669 - This means that the Capability LSM module couldn't register as the primary
670 - module, since SELinux is the primary module. The third message means that it
671 - registers with SELinux as a secondary module. This is normal.
672 -</p>
673 -</body></subsection>
674 -</section>
675 -
676 -<section><title>Setfiles error messages</title>
677 -<subsection><title>When I try to relabel, it fails with invalid contexts:</title><body>
678 -<pre caption="Invalid contexts example">
679 -# make relabel
680 -/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
681 -/usr/sbin/setfiles: read 559 specifications
682 -/usr/sbin/setfiles: invalid context system_u:object_r:default_t on line number 39
683 -/usr/sbin/setfiles: invalid context system_u:object_r:urandom_device_t on line number 120
684 -/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 377
685 -/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 378
686 -/usr/sbin/setfiles: invalid context system_u:object_r:krb5_conf_t on line number 445
687 -/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 478
688 -/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 479
689 -/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 492
690 -/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 493
691 -/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 494
692 -Exiting after 10 errors.
693 -make: *** [relabel] Error 1
694 -</pre>
695 -<p>
696 - First ensure that /selinux is mounted. If selinuxfs is not mounted, setfiles
697 - cannot validate any contexts, causing it to believe all contexts are
698 - invalid. If /selinux is mounted, then most likely there is new policy that
699 - has not yet been loaded; therefore, the contexts have not yet become valid.
700 -</p>
701 -</body></subsection>
702 -</section>
703 -
704 -
705 -<!-- always keep this one as the bottom FAQ :) -->
706 -<!-- comment out since the demo machine is down for an indefinite period of time
707 -<section><title>Gentoo SELinux Demonstration Machine</title>
708 -<subsection><body>
709 -<p>
710 - This machine is not running user-mode linux, or in a chroot, it has SELinux
711 - mandatory access control. No, you cannot install psybnc or an irc bot on the
712 - machine, unless you break the SELinux security and gain higher priviledge.
713 -</p>
714 -</body></subsection>
715 -</section>
716 --->
717 -<!-- dont put anything below here, this demo machine faq should be the last one -->
718 -</sections>
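Review bot: hb-selinux-faq.xml is dated 2006-05-01 (version 1.3) and its content confirms the age: the filesystem answers describe reiserfs xattr support as "broken since 2.6.14", the portage section refers to dev-python/python-selinux, and the demonstration-machine section is already commented out, so removal is justified. Two answers are not version-bound and should have a home before they are dropped: the setfiles "invalid context ... on line number N" diagnosis (an unmounted selinuxfs leaves setfiles unable to validate any context, so every context appears invalid; otherwise new policy has not yet been loaded), and the note that all files on a filesystem without extended attributes (vfat, iso9660, NFS, CIFS) share a single SELinux type. The commit message should state whether these moved or were deliberately dropped.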
719
720 diff --git a/xml/selinux/hb-selinux-howto.xml b/xml/selinux/hb-selinux-howto.xml
721 deleted file mode 100644
722 index b8f7db0..0000000
723 --- a/xml/selinux/hb-selinux-howto.xml
724 +++ /dev/null
725 @@ -1,250 +0,0 @@
726 -<?xml version='1.0' encoding="utf-8"?>
727 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
728 -
729 -<!-- The content of this document is licensed under the CC-BY-SA license -->
730 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
731 -
732 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-howto.xml,v 1.6 2008/05/20 15:45:43 pebenito Exp $ -->
733 -
734 -<sections>
735 -<version>2.0</version>
736 -<date>2006-10-14</date>
737 -
738 -<section><title>Load policy into a running SELinux kernel</title>
739 -<subsection><body>
740 -<p>
741 - This requires you to be in the <c>sysadm_r</c> role.
742 -</p>
743 -<pre caption="Semodule command">
744 -# <i>semodule -B</i>
745 -</pre>
746 -</body></subsection>
747 -</section>
748 -
749 -<section><title>Change roles</title>
750 -<subsection><body>
751 -<p>
752 - This requires your user have access to the target role. This example
753 - is for changing to the <c>sysadm_r</c> role.
754 -</p>
755 -<pre caption="Newrole">
756 -# <i>newrole -r sysadm_r</i>
757 -</pre>
758 -</body></subsection>
759 -</section>
760 -
761 -<section><title>Specify available roles for a user</title>
762 -<subsection><body>
763 -<p>
764 - There is a mapping of linux users to SELinux identities. The policy has
765 - generic SELinux users for relevant configurations of roles. For example, to
766 - map the user <c>pebenito</c> to the SELinux identity <c>staff_u</c>, run:
767 -</p>
768 -<pre caption="Map pebenito to staff_u">
769 -# <i>semanage login -a -s staff_u pebenito</i>
770 -</pre>
771 -<p>
772 - The policy does not need to be reloaded. If the user is logged in, it
773 - must log out and log in again to take effect.
774 -</p>
775 -</body></subsection>
776 -</section>
777 -
778 -<section><title>Relabel filesystems</title>
779 -<subsection><body>
780 -<p>
781 - This requires you to be in the <c>sysadm_r</c> role.
782 -</p>
783 -<pre caption="Relabel">
784 -# <i>rlpkg -a</i>
785 -</pre>
786 -</body></subsection>
787 -</section>
788 -
789 -<section><title>Relabel an individual package</title>
790 -<subsection><body>
791 -<p>
792 - In addition to relabeling entire filesystems, individual portage packages
793 - can be relabeled. This requires you to be in the <c>sysadm_r</c> role.
794 -</p>
795 -<pre caption="rlpkg example">
796 -# <i>rlpkg shadow sash</i>
797 -</pre>
798 -<p>
799 - The script rlpkg is used, and any number of packages can be specified
800 - on the command line.
801 -</p>
802 -</body></subsection>
803 -</section>
804 -
805 -<section><title>Scan for libraries with text relocations</title>
806 -<subsection><body>
807 -<p>
808 - SELinux has improved memory protections. One feature supported is
809 - the permission for ELF text relocations. The libraries with text relocations
810 - have a special label, and the <c>rlpkg</c> tool has an option to scan for
811 - these libraries.
812 -</p>
813 -<pre caption="TEXTREL Scan">
814 -# <i>rlpkg -t</i>
815 -</pre>
816 -<p>
817 - This will also be done by automatically after a full relabel.
818 -</p>
819 -</body></subsection>
820 -</section>
821 -
822 -<section><title>Start daemons in the correct domain</title>
823 -<subsection><body>
824 -<p>
825 - Controlling daemons that have init scripts in /etc/init.d is slightly
826 - different in SELinux. The <c>run_init</c> command must be used to run
827 - the scripts, to ensure they are ran in the correct domain. The command
828 - can be ran normally, except the command is prefixed with <c>run_init</c>.
829 - This requires you to be in the <c>sysadm_r</c> role.
830 -</p>
831 -<pre caption="run_init examples">
832 -# <i>run_init /etc/init.d/ntpd start</i>
833 -# <i>run_init /etc/init.d/apache2 restart</i>
834 -# <i>run_init /etc/init.d/named stop</i>
835 -</pre>
836 -</body></subsection>
837 -<subsection><title>Gentoo run_init integration</title><body>
838 -<p>
839 - <c>run_init</c> has been integrated into Gentoo's init script system. With
840 - SELinux installed, services can be started and stopped as usual, but will
841 - now authenticate the user.
842 -</p>
843 -<pre caption="Integrated run_init example">
844 -# <i>/etc/init.d/sshd restart</i>
845 -Authenticating root.
846 -Password:
847 - * Stopping sshd... [ ok ]
848 - * Starting sshd... [ ok ]
849 -</pre>
850 -</body></subsection>
851 -</section>
852 -
853 -<section><title>Switch between enforcing and permissive modes</title>
854 -<subsection><body>
855 -<p>
856 - Switching between modes in SELinux is very simple. Write a 1 for
857 - enforcing, or 0 for permissive to /selinux/enforce to set the mode.
858 - The current mode can be queried by reading /selinux/enforce; 0 means
859 - permissive mode, and 1 means enforcing mode. If the kernel option
860 - "NSA SELinux Development Support" is turned off, the system will always
861 - be in enforcing mode, and cannot be switched to permissive mode.
862 -</p>
863 -<pre caption="">
864 -<comment>Query current mode</comment>
865 -# <i>cat /selinux/enforce</i>
866 -<comment>Switch to enforcing mode</comment>
867 -# <i>echo 1 > /selinux/enforce</i>
868 -<comment>Switch to permissive mode</comment>
869 -# <i>echo 0 > /selinux/enforce</i>
870 -</pre>
871 -<p>
872 - A machine with development support turned on can be started in enforcing
873 - mode by adding <c>enforcing=1</c> to the kernel command line, in the
874 - bootloader (GRUB, lilo, etc).
875 -</p>
876 -</body></subsection>
877 -
878 -<subsection><title>Managed policy</title><body>
879 -<p>
880 - In addition to the above kernel options, the mode at boot can be
881 - set by the <c>/etc/selinux/config</c> file.
882 -</p>
883 -<pre caption="/etc/selinux/config">
884 -# SELINUX can take one of these three values:
885 -# enforcing - SELinux security policy is enforced.
886 -# permissive - SELinux prints warnings instead of enforcing.
887 -# disabled - No SELinux policy is loaded.
888 -SELINUX=<comment>permissive</comment>
889 -</pre>
890 -<p>
891 - The setting in this file will be overridden by the kernel command line
892 - options described above.
893 -</p>
894 -</body></subsection>
895 -</section>
896 -
897 -<section><title>Understand sestatus output</title>
898 -<subsection><body>
899 -<p>
900 - The <c>sestatus</c> tool can be used to determine detailed SELinux-specific
901 - status information about the system. The <c>-v</c> option provides extra
902 - detail about the context of processes and files. The output will be
903 - divided into four sections. Sestatus only provides complete information
904 - for a user logged in as root (or su/sudo), in the <c>sysadm_r</c> role.
905 -</p>
906 -<pre caption="Status example">
907 -SELinux status: enabled
908 -SELinuxfs mount: /selinux
909 -Current mode: enforcing
910 -Policy version: 18
911 -</pre>
912 -<p>
913 - The main status information is provided in the first section. The first
914 - line shows if SELinux kernel functions exists and are enabled. If the
915 - status is disabled, either the kernel does not have SELinux support, or
916 - the policy is not loaded. The second line shows the mount point for
917 - the SELinux filesystem. During the normal use, the filesystem should be
918 - mounted at the default location of <c>/selinux</c>. The third line
919 - shows the current SELinux mode, either enforcing or permissive. The fourth
920 - line shows the policy database version supported by the currently running
921 - kernel.
922 -</p>
923 -<pre caption="Booleans example">
924 -Policy booleans:
925 -secure_mode inactive
926 -ssh_sysadm_login inactive
927 -user_ping inactive
928 -</pre>
929 -<p>
930 - The second section displays the status of the conditional policy booleans. The
931 - left column is the name of boolean. The right column is the status of the
932 - boolean, either active, or inactive. This section will not be shown on
933 - policy version 15 kernels, as they do not support conditional policy.
934 -</p>
935 -<pre caption="Process context example">
936 -Process contexts:
937 -Current context: pebenito:sysadm_r:sysadm_t
938 -Init context: system_u:system_r:init_t
939 -/sbin/agetty system_u:system_r:getty_t
940 -/usr/sbin/sshd system_u:system_r:sshd_t
941 -</pre>
942 -<p>
943 - The third section displays the context of the current process, and of several
944 - key processes. If a process is running in the incorrect context, it will not
945 - function correctly.
946 -</p>
947 -<pre caption="File context example">
948 -File contexts:
949 -Controlling term: pebenito:object_r:sysadm_devpts_t
950 -/sbin/init system_u:object_r:init_exec_t
951 -/sbin/agetty system_u:object_r:getty_exec_t
952 -/bin/login system_u:object_r:login_exec_t
953 -/sbin/rc system_u:object_r:initrc_exec_t
954 -/sbin/runscript.sh system_u:object_r:initrc_exec_t
955 -/usr/sbin/sshd system_u:object_r:sshd_exec_t
956 -/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
957 -/etc/passwd system_u:object_r:etc_t
958 -/etc/shadow system_u:object_r:shadow_t
959 -/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
960 -/bin/bash system_u:object_r:shell_exec_t
961 -/bin/sash system_u:object_r:shell_exec_t
962 -/usr/bin/newrole system_u:object_r:newrole_exec_t
963 -/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
964 -/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:shlib_t
965 -</pre>
966 -<p>
967 - The fourth section displays the context of the current process's controlling
968 - terminal, and of several key files. For symbolic links, the context of
969 - the link and then the context of the link target is displayed. If a file has
970 - an incorrect context, the file may be inaccessable or have incorrect
971 - permissions for a particular process.
972 -</p>
973 -</body></subsection>
974 -</section>
975 -</sections>
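Review bot: The "Switch between enforcing and permissive modes" and "Managed policy" sections removed in this hunk carry operational rules that a reader of the history cannot recover from the commit message "drop unneeded files": that writing 0 to /selinux/enforce drops a running system to permissive, that this is only possible when the "NSA SELinux Development Support" kernel option is enabled, and that SELINUX= in /etc/selinux/config is overridden by enforcing=1 on the kernel command line. The same goes for the "Gentoo run_init integration" subsection, which is the place that explains why /etc/init.d/sshd restart suddenly asks for authentication. Please extend the commit message to say whether this material was migrated (and to which handbook chapter) or is being dropped as obsolete, so a relocation can be told apart from a deliberate removal.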
976
977 diff --git a/xml/selinux/hb-selinux-initpol.xml b/xml/selinux/hb-selinux-initpol.xml
978 deleted file mode 100644
979 index b13a0de..0000000
980 --- a/xml/selinux/hb-selinux-initpol.xml
981 +++ /dev/null
982 @@ -1,48 +0,0 @@
983 -<?xml version='1.0' encoding="UTF-8"?>
984 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
985 -
986 -<!-- The content of this document is licensed under the CC-BY-SA license -->
987 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
988 -
989 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-initpol.xml,v 1.6 2008/05/20 15:45:43 pebenito Exp $ -->
990 -
991 -<sections>
992 -<version>1.3</version>
993 -<date>2004-11-16</date>
994 -
995 -<section><title>Verify Available Policy</title>
996 -<subsection><body>
997 -<p>
998 - You must be in <c>sysadm_r</c> to perform this action.
999 -</p>
1000 -<p>
1001 - A binary policy must be available in
1002 - /etc/selinux/{strict,targeted}/policy. If it is missing, then install
1003 - the policy.
1004 -</p>
1005 -<pre caption="Install policy">
1006 -# <i>semodule -n -B</i>
1007 -</pre>
1008 -</body>
1009 -</subsection>
1010 -</section>
1011 -
1012 -<section><title>Verify Init Can Load the Policy</title>
1013 -<subsection><body>
1014 -<p>
1015 - The final check is to ensure init can load the policy. Run <c>ldd</c> on
1016 - init, and if libselinux is not in the output, remerge sysvinit.
1017 -</p>
1018 -<pre caption="">
1019 -# <i>ldd /sbin/init</i>
1020 - linux-gate.so.1 => (0xffffe000)
1021 - <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
1022 - libc.so.6 => /lib/libc.so.6 (0x40035000)
1023 - /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
1024 -</pre>
1025 -<p>
1026 - Now reboot so init gains the correct context, and loads the policy.
1027 -</p>
1028 -</body></subsection>
1029 -</section>
1030 -</sections>
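Review bot: No unique content is lost by this hunk: both of its subsections, the semodule -n -B check for a binary policy under /etc/selinux/{strict,targeted}/policy and the ldd /sbin/init check for libselinux.so.1, appear verbatim under "Incorrect Init Context" in the hb-selinux-loglocal.xml hunk further down in this patch, so this file was already a duplicate before the deletion. Worth a line in the commit message, since "unneeded" reads differently for a duplicate than for obsolete material.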
1031
1032 diff --git a/xml/selinux/hb-selinux-libsemanage.xml b/xml/selinux/hb-selinux-libsemanage.xml
1033 deleted file mode 100644
1034 index a441f29..0000000
1035 --- a/xml/selinux/hb-selinux-libsemanage.xml
1036 +++ /dev/null
1037 @@ -1,246 +0,0 @@
1038 -<?xml version='1.0' encoding="utf-8"?>
1039 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
1040 -
1041 -<!-- The content of this document is licensed under the CC-BY-SA license -->
1042 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
1043 -
1044 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-libsemanage.xml,v 1.1 2006/10/15 20:32:39 pebenito Exp $ -->
1045 -
1046 -<sections>
1047 -<version>1.0</version>
1048 -<date>2006-10-15</date>
1049 -
1050 -<section><title>SELinux Management Infrastructure</title>
1051 -<subsection><body>
1052 -<p>
1053 - The SElinux management infrastructure manages several aspects of SELinux
1054 - policy. These management tools are based on the core library libsemanage.
1055 - There are several management programs to to various tasks, including
1056 - <c>semanage</c> and <c>semodule</c>. They allow you to configure aspects
1057 - of the policy without requiring the policy sources.
1058 -</p>
1059 -</body></subsection>
1060 -</section>
1061 -
1062 -<section><title>SELinux Policy Module Management</title>
1063 -<subsection><title>What is a policy module?</title><body>
1064 -<p>
1065 - SELinux supports a modular policy. This means several pieces of policy
1066 - are brought together to form one complete policy to be loaded in the
1067 - kernel. This is a similar structure as the kernel itself and kernel modules.
1068 - There is a main kernel image that is loaded, and various kernel modules can
1069 - be added (assuming their dependencies are met) and removed on a running
1070 - system without restarting. Similarly each policy has a base module and
1071 - zero or more policy modules, all used to create a policy.
1072 - Modules are built by compiling a piece of policy, and creating a policy
1073 - package (*.pp) with that compiled policy, and optionally file contexts.
1074 -</p>
1075 -<p>
1076 - The base module policy package (base.pp) contains the basic requirements of
1077 - the policy. All modular policies must have a base module at minimum.
1078 - In Gentoo we have these plus policies for all parts of the system profile.
1079 - This is contained in the selinux-base-policy ebuild. The other policy ebuilds
1080 - in portage have one or more policy modules.
1081 -</p>
1082 -<p>
1083 - For more information on writing a policy module, in particular for managing
1084 - your local customizations to the policy, please see the
1085 - <uri link="selinux-handbook.xml?part=3&amp;chap=5">policy module guide</uri>.
1086 -</p>
1087 -</body></subsection>
1088 -
1089 -<subsection><title>The SELinux module store</title><body>
1090 -<p>
1091 - When a policy module is inserted or removed, modules are copied into or
1092 - removed from the module store. This repository has a copy of the
1093 - modules that were used to create the current policy, in addition to several
1094 - auxilliary files. This repository is stored in the
1095 - /etc/selinux/{strict,targeted}/modules. You should never need to directly
1096 - access the contents of the module store. A libsemanage-based tool should be
1097 - used instead.
1098 -</p>
1099 -<p>
1100 - Libsemanage handles the module store transactionally. This means that if
1101 - a set of operations (a transaction) is performed on the store and one part
1102 - fails, the entire transaction is aborted. This keeps the store in a
1103 - consistent state.
1104 -</p>
1105 -<p>
1106 - Managing the module store is accomplished with the <c>semodule</c> command.
1107 - Listing the contents of the module store is done with the <c>-l</c> option.
1108 -</p>
1109 -<pre caption="">
1110 -# semodule -l
1111 -distcc 1.1.1
1112 -</pre>
1113 -<p>
1114 - Since the base module is required in all cases, and is not versioned, it will
1115 - not be shown in the list. All other modules will be listed, along with their
1116 - versions.
1117 -</p>
1118 -</body></subsection>
1119 -
1120 -<subsection><title>Inserting a policy module</title><body>
1121 -<p>
1122 - The module should be referenced by its file name.
1123 -</p>
1124 -<pre caption="">
1125 -# <i>semodule -i module.pp</i>
1126 -</pre>
1127 -<p>
1128 - This will insert the module into module store for the currently configured
1129 - policy as specified in /etc/selinux/config. If the insert succeeds, the
1130 - policy will be loaded, unless the <c>-n</c> option is used. To insert the
1131 - module into an alternate module store, the <c>-s</c> option.
1132 -</p>
1133 -<pre caption="">
1134 -# <i>semodule -s targeted -i module.pp</i>
1135 -</pre>
1136 -<p>
1137 - Since this refers to an alternate module store, the policy will not be loaded.
1138 -</p>
1139 -</body></subsection>
1140 -
1141 -<subsection><title>Removing a policy module</title><body>
1142 -<p>
1143 - The module is referenced by its name in the module store.
1144 -</p>
1145 -<pre caption="">
1146 -# <i>semodule -r module</i>
1147 -</pre>
1148 -<p>
1149 - This will remove the module into module store for the currently configured
1150 - policy as specified in /etc/selinux/config. If the remove succeeds, the
1151 - policy will be loaded, unless the <c>-n</c> option is used. The remove
1152 - command also respects the <c>-s</c> option.
1153 -</p>
1154 -</body></subsection>
1155 -</section>
1156 -
1157 -<section><title>Configuring User Login Mappings</title>
1158 -<subsection><body>
1159 -<p>
1160 - The current method of assigning sets of roles to a user is by setting
1161 - up a mapping between linux users and SELinux identities. When a user
1162 - logs in, the login program will set the SELinux identity based on the
1163 - this map. If there is no explicit map, the <c>__default__</c> map is
1164 - used.
1165 -</p>
1166 -<p>
1167 - Managing the SELinux user login map is accomplished with the <c>semanage</c>
1168 - tool.
1169 -</p>
1170 -<pre caption="SELinux login user map">
1171 -# <i>semanage login -l</i>
1172 -Login Name SELinux User
1173 -
1174 -__default__ user_u
1175 -root root
1176 -</pre>
1177 -</body></subsection>
1178 -
1179 -<subsection><title>Add a user login mapping</title><body>
1180 -<p>
1181 - To map the linux user <c>pebenito</c> to the SELinux identity <c>staff_u</c>:
1182 -</p>
1183 -<pre caption="">
1184 -# <i>semanage login -a -s staff_u pebenito</i>
1185 -</pre>
1186 -<p>
1187 - For descriptions on the available SELinux identities, see the
1188 - <uri link="selinux-handbook.xml?part=3&amp;chap=1#doc_chap3">SELinux Overview</uri>.
1189 -</p>
1190 -</body></subsection>
1191 -
1192 -<subsection><title>Remove a user login mapping</title><body>
1193 -<p>
1194 - To remove a login map for the linux user <c>pebenito</c>:
1195 -</p>
1196 -<pre caption="">
1197 -# <i>semanage login -d pebenito</i>
1198 -</pre>
1199 -<note>
1200 - User login maps specified by the policy (not by the management infrastructure)
1201 - cannot be removed.
1202 -</note>
1203 -</body></subsection>
1204 -</section>
1205 -
1206 -<section><title>Configuring Initial Boolean States</title>
1207 -<subsection><body>
1208 -<p>
1209 - The <c>setsebool</c> program is now a libsemanage tool. This tool's basic
1210 - function is to set the state of a Boolean. However, if the machine is
1211 - restarted, the Booelans will be set using the initial state as specified in
1212 - the policy. To set the Boolean state, and make that the new initial state
1213 - in the policy, the <c>-P</c> option of <c>setsebool</c> is used.
1214 -</p>
1215 -<pre caption="Set Boolean default state">
1216 -# <i>setsebool -P fcron_crond 1</i>
1217 -</pre>
1218 -<p>
1219 - This will set the fcron_crond Boolean to true and also make the initial state
1220 - for the Boolean true.
1221 -</p>
1222 -</body></subsection>
1223 -</section>
1224 -
1225 -<section><title>Configuring SELinux Identities</title>
1226 -<subsection><body>
1227 -<p>
1228 - Generally SELinux identities need not be added to the policy, as user
1229 - login mappings are sufficient. However, one reason to add them is for
1230 - improved auditing, since the SELinux identity is part of the scontext of a
1231 - denial message.
1232 -</p>
1233 -<p>
1234 - Managing the SELinux identities is accomplished with the <c>semanage</c> tool.
1235 -</p>
1236 -<pre caption="SELinux identity list">
1237 -# <i>semanage user -l</i>
1238 -SELinux User SELinux Roles
1239 -
1240 -root sysadm_r staff_r
1241 -staff_u sysadm_r staff_r
1242 -sysadm_u sysadm_r
1243 -system_u system_r
1244 -user_u user_r
1245 -</pre>
1246 -</body></subsection>
1247 -
1248 -<subsection><title>Add a SELinux identity</title><body>
1249 -<p>
1250 - In addition to specifying the roles for an identity, a prefix must
1251 - also be specified. This prefix should match a role, for example
1252 - <c>staff</c> or <c>sysadm</c>, and it is used for home directory
1253 - entries. So if <c>staff</c> is used for the prefix, linux users that
1254 - are mapped to this identity will have their home directory labeled
1255 - <c>staff_home_dir_t</c>.
1256 -</p>
1257 -<p>
1258 - To add the <c>test_u</c> identity with the roles <c>staff_r</c> and
1259 - <c>sysadm_r</c> with the prefix <c>staff</c>:
1260 -</p>
1261 -<pre caption="">
1262 -# <i>semanage user -a -R 'staff_r sysadm_r' -P staff test_u</i>
1263 -</pre>
1264 -<note>
1265 - To use the SELinux identity, a user login map still must be added.
1266 -</note>
1267 -</body></subsection>
1268 -
1269 -<subsection><title>Remove a SELinux user identity</title><body>
1270 -<p>
1271 - To remove the test_u SELinux identity:
1272 -</p>
1273 -<pre caption="">
1274 -# <i>semanage user -d test_u</i>
1275 -</pre>
1276 -<note>
1277 - SELinux identities specified by the policy (not by the management
1278 - infrastructure) cannot be removed.
1279 -</note>
1280 -</body></subsection>
1281 -</section>
1282 -
1283 -</sections>
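Review bot: The file removed in this hunk links to selinux-handbook.xml?part=3&amp;chap=5 (the "policy module guide") and selinux-handbook.xml?part=3&amp;chap=1#doc_chap3 (the "SELinux Overview"), which shows it was itself one chapter of that handbook, yet the patch carries no hunk for selinux-handbook.xml. Check that the chapter include for hb-selinux-libsemanage.xml, and for the other hb-selinux-*.xml files deleted here, is taken out of the handbook's part/chapter list in this commit or a follow-up; otherwise the handbook build references files that no longer exist.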
1284
1285 diff --git a/xml/selinux/hb-selinux-localmod.xml b/xml/selinux/hb-selinux-localmod.xml
1286 deleted file mode 100644
1287 index 8674b9f..0000000
1288 --- a/xml/selinux/hb-selinux-localmod.xml
1289 +++ /dev/null
1290 @@ -1,134 +0,0 @@
1291 -<?xml version='1.0' encoding='UTF-8'?>
1292 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
1293 -
1294 -<!-- The content of this document is licensed under the CC-BY-SA license -->
1295 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
1296 -
1297 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-localmod.xml,v 1.1 2006/10/15 20:32:39 pebenito Exp $ -->
1298 -
1299 -<sections>
1300 -<version>1.0</version>
1301 -<date>2006-10-15</date>
1302 -
1303 -<section><title>Introduction</title>
1304 -<subsection><body>
1305 -<p>
1306 - This guide discusses how to set up a policy module for local additions
1307 - of rules to the policy.
1308 -</p>
1309 -</body></subsection>
1310 -</section>
1311 -
1312 -<section><title>Preparation</title>
1313 -<subsection><body>
1314 -<p>
1315 - Copy the example Makefile from the selinux-base-policy doc directory to the
1316 - directory that will be used for building the policy. It is suggested that
1317 - /root be used. The places that the <c>semodule</c> tool can read policy
1318 - modules includes sysadm home directories.
1319 -</p>
1320 -<pre caption="">
1321 -# <i>zcat /usr/share/doc/selinux-base-policy-20061008/Makefile.example.gz > /root/Makefile</i>
1322 -</pre>
1323 -</body></subsection>
1324 -</section>
1325 -
1326 -<section><title>Write a TE file</title>
1327 -<subsection><body>
1328 -<p>
1329 - In a policy module, most policy statements are usable in modules.
1330 - There are a few extra statements that must be added for proper operation.
1331 -</p>
1332 -<pre caption="Example local.te">
1333 -policy_module(local,1.0)
1334 -
1335 -require {
1336 - type sysadm_su_t, newrole_t;
1337 -}
1338 -allow sysadm_su_t newrole_t:process sigchld;
1339 -</pre>
1340 -<p>
1341 - In addition to the basic allow rule, it has a couple statements required
1342 - by policy modules. The first is a policy_module() macro that has the
1343 - name of the module, and the module's version. It also has a require
1344 - block. This block specifies all types that are required for this module
1345 - to function. All types used in the module must either be declared in the
1346 - module or required by this module.
1347 -</p>
1348 -</body></subsection>
1349 -</section>
1350 -
1351 -<section><title>Write a FC File (optional)</title>
1352 -<subsection><body>
1353 -<p>
1354 - The file contexts file is optional and has the same syntax as as always.
1355 -</p>
1356 -<pre caption="Example local.fc">
1357 -/opt/myprogs/mybin -- system_u:object_r:bin_t
1358 -</pre>
1359 -<p>
1360 - Types used in the file context file should be required or declared in
1361 - the TE file.
1362 -</p>
1363 -</body></subsection>
1364 -</section>
1365 -
1366 -<section><title>Compile Policy Modules</title>
1367 -<subsection><body>
1368 -<p>
1369 - Simply run <c>make</c> to build all modules in the directory. The module
1370 - will be compiled for the current policy as specified by /etc/selinux/config.
1371 -</p>
1372 -<pre caption="">
1373 -# <i>make</i>
1374 -Compiling strict local module
1375 -/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
1376 -/usr/bin/checkmodule: policy configuration loaded
1377 -/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
1378 -Creating strict local.pp policy package
1379 -</pre>
1380 -<p>
1381 - To build the module for a policy other than the configured policy, use the
1382 - <c>NAME=</c> option.
1383 -</p>
1384 -<pre caption="">
1385 -# <i>make NAME=targeted</i>
1386 -Compiling targeted local module
1387 -/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
1388 -/usr/bin/checkmodule: policy configuration loaded
1389 -/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
1390 -Creating targeted local.pp policy package
1391 -</pre>
1392 -</body></subsection>
1393 -</section>
1394 -
1395 -<section><title>Load the Modules</title>
1396 -<subsection><body>
1397 -<p>
1398 - The modules can be loaded into the currently configured policy simply
1399 - by using the load target of the Makefile.
1400 -</p>
1401 -<pre caption="">
1402 -# <i>make load</i>
1403 -</pre>
1404 -<p>
1405 - The load target also respects the <c>NAME=</c> option. Alternatively,
1406 - the <c>semodule</c> command can be used to load individual modules.
1407 -</p>
1408 -<pre caption="">
1409 -# <i>semodule -i local.pp</i>
1410 -</pre>
1411 -</body></subsection>
1412 -</section>
1413 -
1414 -<section><title>Building Reference Policy Modules</title>
1415 -<subsection><body>
1416 -<p>
1417 -The new Gentoo policy is based on the <uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri>.
1418 -For more information on building a complete Reference Policy module, see the
1419 -<uri link="http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted">Reference Policy Wiki</uri>.
1420 -</p>
1421 -</body></subsection>
1422 -</section>
1423 -
1424 -</sections>
1425
1426 diff --git a/xml/selinux/hb-selinux-loglocal.xml b/xml/selinux/hb-selinux-loglocal.xml
1427 deleted file mode 100644
1428 index 7cc5506..0000000
1429 --- a/xml/selinux/hb-selinux-loglocal.xml
1430 +++ /dev/null
1431 @@ -1,166 +0,0 @@
1432 -<?xml version='1.0' encoding="UTF-8"?>
1433 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
1434 -
1435 -<!-- The content of this document is licensed under the CC-BY-SA license -->
1436 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
1437 -
1438 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-loglocal.xml,v 1.7 2008/05/20 15:45:43 pebenito Exp $ -->
1439 -
1440 -<sections>
1441 -<version>1.4</version>
1442 -<date>2004-11-16</date>
1443 -
1444 -<section><title>Begin Here</title>
1445 -<subsection><body>
1446 -<p>
1447 - You must be in <c>sysadm_r</c> to perform these actions.
1448 -</p>
1449 -<p>
1450 - Run <c>sestatus -v</c>. Click the first context that doesn't match:
1451 -</p>
1452 -<table>
1453 -<tr><th>Process</th><th>Context</th></tr>
1454 -<tr><ti>Init context</ti><ti><uri link="#doc_chap2">system_u:system_r:init_t</uri></ti></tr>
1455 -<tr><ti>/sbin/agetty</ti><ti><uri link="#doc_chap3">system_u:system_r:getty_t</uri></ti></tr>
1456 -<tr><th>File</th><th>Context</th></tr>
1457 -<tr><ti>/bin/login</ti><ti><uri link="#doc_chap4">system_u:object_r:login_exec_t</uri></ti></tr>
1458 -<tr><ti>/sbin/unix_chkpwd</ti><ti><uri link="#doc_chap5">system_u:object_r:chkpwd_exec_t</uri></ti></tr>
1459 -<tr><ti>/etc/passwd</ti><ti><uri link="#doc_chap6">system_u:object_r:etc_t</uri></ti></tr>
1460 -<tr><ti>/etc/shadow</ti><ti><uri link="#doc_chap6">system_u:object_r:shadow_t</uri></ti></tr>
1461 -<tr><ti>/bin/bash</ti><ti><uri link="#doc_chap7">system_u:object_r:shell_exec_t</uri></ti></tr>
1462 -</table>
1463 -</body></subsection>
1464 -</section>
1465 -
1466 -<section><title>Incorrect Init Context</title>
1467 -<subsection><title>Verify Init Label</title>
1468 -<body>
1469 -<p>
1470 - There are several possible reasons why init may have the wrong context.
1471 - First, verify that init is labeled correctly, refer to the sestatus's output
1472 - for /sbin/init. If it is not <c>system_u:object_r:init_exec_t</c>, relabel sysvinit.
1473 -</p>
1474 -<pre caption="Fix init context">
1475 -# <i>rlpkg sysvinit</i>
1476 -</pre>
1477 -</body></subsection>
1478 -<subsection><title>Verify Available Policy</title><body>
1479 -<p>
1480 - You must be in <c>sysadm_r</c> to perform this action.
1481 -</p>
1482 -<p>
1483 - A binary policy must be available in /etc/selinux/{strict,targeted}/policy.
1484 - If it is missing, then install the policy.
1485 -</p>
1486 -<pre caption="Install binary policy">
1487 -# <i>semodule -n -B</i>
1488 -</pre>
1489 -</body>
1490 -</subsection>
1491 -
1492 -<subsection><title>Verify Init Can Load the Policy</title><body>
1493 -<p>
1494 - The final check is to ensure init can load the policy. Run <c>ldd</c> on
1495 - init, and if libselinux is not in the output, remerge sysvinit.
1496 -</p>
1497 -<pre caption="Check init linking">
1498 -# <i>ldd /sbin/init</i>
1499 - linux-gate.so.1 => (0xffffe000)
1500 - <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
1501 - libc.so.6 => /lib/libc.so.6 (0x40035000)
1502 - /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
1503 -</pre>
1504 -<p>
1505 - Now reboot so init gains the correct context, and loads the policy.
1506 -</p>
1507 -</body></subsection>
1508 -</section>
1509 -
1510 -<section><title>Incorrect agetty Context</title>
1511 -<subsection><body>
1512 -<p>
1513 - Verify that agetty is labeled correctly. Refer to the sestatus's output
1514 - for /sbin/agetty. If it is not <c>system_u:object_r:getty_exec_t</c>, relabel
1515 - util-linux. Then restart all gettys.
1516 -</p>
1517 -<pre caption="Fix agetty context">
1518 -# <i>rlpkg util-linux</i>
1519 -# <i>killall agetty</i> <comment>(they will respawn)</comment>
1520 -</pre>
1521 -<p>
1522 - All of the agettys should now be in the correct <c>system_u:object_r:getty_exec_t</c>
1523 - context. Try logging in again.
1524 -</p>
1525 -</body>
1526 -</subsection>
1527 -</section>
1528 -
1529 -<section><title>Incorrect Login Context</title>
1530 -<subsection><body>
1531 -<p>
1532 - The login program (/bin/login) is not labeled correctly. Relabel shadow.
1533 -</p>
1534 -<pre caption="Relabel shadow">
1535 -# <i>rlpkg shadow</i>
1536 -</pre>
1537 -<p>
1538 - /bin/login should now be <c>system_u:object_r:login_exec_t</c>.
1539 - Try logging in again.
1540 -</p>
1541 -</body>
1542 -</subsection>
1543 -</section>
1544 -
1545 -<section><title>Incorrect PAM Context</title>
1546 -<subsection><body>
1547 -<p>
1548 - Sshd must be able to use PAM for authenticating the user. The PAM password
1549 - checking program (/sbin/unix_chkpwd) must be labeled correctly so
1550 - sshd can transition to the password checking context. Relabel PAM.
1551 -</p>
1552 -<pre caption="Fix unix_chkpwd context">
1553 -# <i>rlpkg pam</i>
1554 -</pre>
1555 -<p>
1556 - The password checking program should now be <c>system_u:object_r:chkpwd_exec_t</c>.
1557 - Try loggin in again.
1558 -</p>
1559 -</body></subsection>
1560 -</section>
1561 -
1562 -<section><title>Incorrect Password File Contexts</title>
1563 -<subsection><body>
1564 -<p>
1565 - The password file (/etc/passwd), and the shadow file (/etc/shadow) must
1566 - be labeled correctly, otherwise PAM will not be able to
1567 - authenticate your user. Relabel the files.
1568 -</p>
1569 -<pre caption="Fix shadow context">
1570 -# <i>restorecon /etc/passwd /etc/shadow</i>
1571 -</pre>
1572 -<p>
1573 - The password and shadow files should now be <c>system_u:object_r:etc_t</c>
1574 - and <c>system_u:object_r:shadow_t</c>, respectively. Try logging in again.
1575 -</p>
1576 -</body>
1577 -</subsection>
1578 -</section>
1579 -
1580 -<section><title>Incorrect Bash File Context</title>
1581 -<subsection><body>
1582 -<p>
1583 - Bash must be labeled correctly so the user can transition into the user
1584 - domain when logging in. Relabel bash.
1585 -</p>
1586 -<pre caption="Fix bash context">
1587 -# <i>rlpkg bash</i>
1588 -</pre>
1589 -<p>
1590 - Bash (/bin/bash) should now be <c>system_u:object_r:shell_exec_t</c>.
1591 - Try logging in again.
1592 -</p>
1593 -</body>
1594 -</subsection>
1595 -</section>
1596 -
1597 -</sections>
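Review bot: Most of this hunk is duplicated by the hb-selinux-logremote.xml hunk that follows: judging by that file's "Begin Here" table and its opening sections, the init, /sbin/unix_chkpwd, /etc/passwd and /etc/shadow, and /bin/bash troubleshooting steps are the same, with only the #doc_chapN anchor numbers differing, so dropping the two files together is consistent. The one piece unique to this file is the "Incorrect agetty Context" section (rlpkg util-linux, then killall agetty so the gettys respawn with the correct label); if console-login failures under SELinux are still meant to be documented somewhere, confirm that step survives in the replacement.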
1598
1599 diff --git a/xml/selinux/hb-selinux-logremote.xml b/xml/selinux/hb-selinux-logremote.xml
1600 deleted file mode 100644
1601 index 1a95f7b..0000000
1602 --- a/xml/selinux/hb-selinux-logremote.xml
1603 +++ /dev/null
1604 @@ -1,177 +0,0 @@
1605 -<?xml version='1.0' encoding="UTF-8"?>
1606 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
1607 -
1608 -<!-- The content of this document is licensed under the CC-BY-SA license -->
1609 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
1610 -
1611 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-logremote.xml,v 1.7 2008/05/20 15:45:43 pebenito Exp $ -->
1612 -
1613 -<sections>
1614 -<version>1.4</version>
1615 -<date>2004-11-16</date>
1616 -
1617 -<section><title>Begin Here</title>
1618 -<subsection><body>
1619 -<p>
1620 - You must be in <c>sysadm_r</c> to perform these actions.
1621 -</p>
1622 -<p>
1623 - Run <c>sestatus -v</c>. Click the first context that doesn't match:
1624 -</p>
1625 -<table>
1626 -<tr><th>Process</th><th>Context</th></tr>
1627 -<tr><ti>Init context</ti><ti><uri link="#doc_chap2">system_u:system_r:init_t</uri></ti></tr>
1628 -<tr><ti>/usr/sbin/sshd</ti><ti><uri link="#doc_chap3">system_u:system_r:sshd_t</uri></ti></tr>
1629 -<tr><th>File</th><th>Context</th></tr>
1630 -<tr><ti>/sbin/unix_chkpwd</ti><ti><uri link="#doc_chap4">system_u:object_r:chkpwd_exec_t</uri></ti></tr>
1631 -<tr><ti>/etc/passwd</ti><ti><uri link="#doc_chap5">system_u:object_r:etc_t</uri></ti></tr>
1632 -<tr><ti>/etc/shadow</ti><ti><uri link="#doc_chap5">system_u:object_r:shadow_t</uri></ti></tr>
1633 -<tr><ti>/bin/bash</ti><ti><uri link="#doc_chap6">system_u:object_r:shell_exec_t</uri></ti></tr>
1634 -</table>
1635 -</body></subsection>
1636 -</section>
1637 -
1638 -<section><title>Incorrect Init Context</title>
1639 -<subsection><title>Verify Init Label</title>
1640 -<body>
1641 -<p>
1642 - There are several possible reasons why init may have the wrong context.
1643 - First, verify that init is labeled correctly, refer to the sestatus's output
1644 - for /sbin/init. If it is not <c>system_u:object_r:init_exec_t</c>, relabel sysvinit.
1645 -</p>
1646 -<pre caption="">
1647 -# <i>rlpkg sysvinit</i>
1648 -</pre>
1649 -</body></subsection>
1650 -
1651 -<subsection><title>Verify Available Policy</title><body>
1652 -<p>
1653 - You must be in <c>sysadm_r</c> to perform this action.
1654 -</p>
1655 -<p>
1656 - A binary policy must be available in
1657 - /etc/selinux/{strict,targeted}/policy. If it is missing, then install
1658 - the policy.
1659 -</p>
1660 -<pre caption="Install policy">
1661 -# <i>semodule -n -B</i>
1662 -</pre>
1663 -</body>
1664 -</subsection>
1665 -
1666 -<subsection><title>Verify Init Can Load the Policy</title><body>
1667 -<p>
1668 - The final check is to ensure init can load the policy. Run <c>ldd</c> on
1669 - init, and if libselinux is not in the output, remerge sysvinit.
1670 -</p>
1671 -<pre caption="">
1672 -# <i>ldd /sbin/init</i>
1673 - linux-gate.so.1 => (0xffffe000)
1674 - <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
1675 - libc.so.6 => /lib/libc.so.6 (0x40035000)
1676 - /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
1677 -</pre>
1678 -<p>
1679 - Now reboot so init gains the correct context, and loads the policy.
1680 -</p>
1681 -</body></subsection>
1682 -</section>
1683 -
1684 -<section><title>Incorrect sshd Context</title>
1685 -<subsection><body>
1686 -<p>
1687 - Another possibility is sshd is not labeled correctly, meaning it is not running
1688 - in the right context. Relabel openssh, then restart sshd.
1689 -</p>
1690 -<pre caption="">
1691 -# <i>rlpkg openssh</i>
1692 -# <i>/etc/init.d/sshd restart</i>
1693 -</pre>
1694 -</body></subsection>
1695 -</section>
1696 -
1697 -<section><title>Incorrect PAM Context</title>
1698 -<subsection><body>
1699 -<p>
1700 - Sshd must be able to use PAM for authenticating the user. The PAM password
1701 - checking program (/sbin/unix_chkpwd) must be labeled correctly so
1702 - sshd can transition to the password checking context. Relabel PAM.
1703 -</p>
1704 -<pre caption="">
1705 -# <i>rlpkg pam</i>
1706 -</pre>
1707 -<p>
1708 - The password checking program should now be <c>system_u:object_r:chkpwd_exec_t</c>.
1709 - Try loggin in again.
1710 -</p>
1711 -</body></subsection>
1712 -</section>
1713 -
1714 -<section><title>Incorrect Password File Contexts</title>
1715 -<subsection><body>
1716 -<p>
1717 - The password file (/etc/passwd), and the shadow file (/etc/shadow) must
1718 - be labeled correctly, otherwise PAM will not be able to
1719 - authenticate your user. Relabel the files.
1720 -</p>
1721 -<pre caption="">
1722 -# <i>restorecon /etc/passwd /etc/shadow</i>
1723 -</pre>
1724 -<p>
1725 - The password and shadow files should now be <c>system_u:object_r:etc_t</c>
1726 - and <c>system_u:object_r:shadow_t</c>, respectively. Try logging in again.
1727 -</p>
1728 -</body>
1729 -</subsection>
1730 -</section>
1731 -
1732 -<section><title>Incorrect Bash File Context</title>
1733 -<subsection><body>
1734 -<p>
1735 - Bash must be labeled correctly so the user can transition into the user
1736 - domain when logging in. Relabel bash.
1737 -</p>
1738 -<pre caption="">
1739 -# <i>rlpkg bash</i>
1740 -</pre>
1741 -<p>
1742 - Bash (/bin/bash) should now be <c>system_u:object_r:shell_exec_t</c>.
1743 - Try logging in again.
1744 -</p>
1745 -</body>
1746 -</subsection>
1747 -</section>
1748 -
1749 -<section><title>Other sshd Issues</title>
1750 -<subsection><title>Valid Shell</title><body>
1751 -<p>
1752 - First, make sure the user has a valid shell.
1753 -</p>
1754 -<pre caption="">
1755 -# <i>grep</i> <comment>username</comment> <i>/etc/passwd | cut -d: -f7</i>
1756 -/bin/bash <comment>(or your shell of choice)</comment>
1757 -</pre>
1758 -<p>
1759 - If the above command does not return anything, or the shell is wrong,
1760 - set the user's shell.
1761 -</p>
1762 -<pre caption="">
1763 -# <i>usermod -s /bin/bash</i> <comment>username</comment>
1764 -</pre>
1765 -</body></subsection>
1766 -<subsection><title>PAM enabled</title><body>
1767 -<p>
1768 - PAM also must be enabled in sshd. Make sure this line
1769 - in <c>/etc/ssh/sshd_config</c> is uncommented:
1770 -</p>
1771 -<pre caption="">
1772 -UsePAM yes
1773 -</pre>
1774 -<p>
1775 - SELinux currently only allows PAM and a select few programs direct access
1776 - to <c>/etc/shadow</c>; therefore, openssh must now
1777 - use PAM for password authentication (public key still works).
1778 -</p>
1779 -</body></subsection>
1780 -</section>
1781 -</sections>
1782
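Review bot: the "Other sshd Issues" section near the end of this hunk carries a security-relevant requirement that the rest of the handbook may depend on, namely that `UsePAM yes` must be set in `/etc/ssh/sshd_config` because the policy only allows PAM and a few select programs direct access to `/etc/shadow`, so sshd password authentication fails without it; if that guidance is not present in whichever document replaces this one, please migrate it rather than drop it. A second point for the commit message: the file header (`<version>1.4</version>`, `<date>2004-11-16</date>`) shows this chapter had not been updated since 2004, and the lookup table at the top links to anchors `#doc_chap2` through `#doc_chap6` inside the same file, so stating that the page was obsolete and self-contained would justify the removal better than "unneeded".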
1783 diff --git a/xml/selinux/hb-selinux-overview.xml b/xml/selinux/hb-selinux-overview.xml
1784 deleted file mode 100644
1785 index d02943d..0000000
1786 --- a/xml/selinux/hb-selinux-overview.xml
1787 +++ /dev/null
1788 @@ -1,521 +0,0 @@
1789 -<?xml version='1.0' encoding="UTF-8"?>
1790 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
1791 -
1792 -<!-- The content of this document is licensed under the CC-BY-SA license -->
1793 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
1794 -
1795 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ -->
1796 -
1797 -<sections>
1798 -<version>1.5</version>
1799 -<date>2009-07-13</date>
1800 -
1801 -<!--
1802 -<section><title>Mandatory Access Control</title>
1803 -<subsection><body>
1804 -<p>
1805 - Security Enhanced Linux is an implementation of mandatory access control
1806 - (MAC) using type enforcement. In Linux, the regular security permissions
1807 - are a discretionary access control system (DAC). In DAC, the permissions
1808 - for a particular object, such as a file, are set at the discrection of the
1809 - owner and can be changed at any time by the owner. In MAC, the access a
1810 - process or user has to an object is defined by the operating system
1811 - security policy, and cannot be bypassed.
1812 -!!! still need to update other links in the handbook
1813 -</p>
1814 -</body></subsection>
1815 -</section>
1816 --->
1817 -<section><title>SELinux Types</title>
1818 -<subsection><body>
1819 -<p>
1820 - A type is a security attribute given to objects such as files, and network
1821 - ports, etc. The type of a process is commonly referred to as its domain.
1822 - The SELinux policy is primarily composed of type enforcement rules, which
1823 - describe how domains are allowed to interact with objects, and how domains
1824 - are allowed to interact with other domains. A type is generally suffixed
1825 - with a &#39;_t&#39;, such as <c>sysadm_t</c>. This is the most important
1826 - attribute for a process or object, as most policy decisions are based on
1827 - the source and target types.
1828 -</p>
1829 -</body></subsection>
1830 -</section>
1831 -
1832 -<section><title>SELinux Roles</title>
1833 -<subsection><body>
1834 -<p>
1835 - SELinux is type enforcement, so the SELinux role is not the same as those
1836 - in a role-based access control system. Permissions are not given to roles.
1837 - A role describes the set of types a user can use. For example, a system
1838 - administrator that is using the system for regular user tasks should be
1839 - in the <c>staff_r</c> role. If they need to administrate the system, then
1840 - a role change to <c>sysadm_r</c> is required. In SELinux terms, the
1841 - domains that a user can be in is determined by their role. If a role is not
1842 - allowed to have a certain domain, a transition to that domain will be denied,
1843 - even if the type enforcement rules allow the domain transition. A role is
1844 - generally suffixed with a &#39;_r&#39;, such as <c>system_r</c>.
1845 -</p>
1846 -</body></subsection>
1847 -</section>
1848 -
1849 -<section><title>SELinux Identities</title>
1850 -<subsection><title>What is a SELinux Identity?</title><body>
1851 -<p>
1852 - The SELinux identity is similar to a Linux username. The change of identity
1853 - should be limited to very specific cases, since the role-based access control
1854 - relies on the SELinux identity. Therfore, in general, a user&#8217;s SELinux
1855 - identity will not change during a session. The user ID in Linux can be
1856 - changed by set(e)uid, making it inappropriate for a SELinux identity.
1857 - If a user is given a SELinux identity, it must match the Linux username. Each
1858 - SELinux identity is allowed a set of roles.
1859 -</p>
1860 -</body></subsection>
1861 -
1862 -<subsection><title>Configure SELinux Identity Mapping</title><body>
1863 -<p>
1864 - The SELinux policy has several generic SELinux identities that should
1865 - be sufficient for all users. This mapping only needs to be configured
1866 - on the strict policy. The identity mapping for the targeted policy
1867 - need not be configured, as the default identity (user_u) is sufficient
1868 - in all cases.
1869 -</p>
1870 -<p>
1871 - When a user logs in, the SELinux identity used is determined by this mapping.
1872 -</p>
1873 -<table>
1874 -<tr><th>SELinux Identity</th>
1875 - <th>Roles</th>
1876 - <th>Description</th></tr>
1877 -<tr><ti>system_u</ti>
1878 - <ti>system_r</ti>
1879 - <ti>System (non-interactive) processes. Should not be used on users.</ti></tr>
1880 -<tr><ti>user_u</ti>
1881 - <ti>user_r</ti>
1882 - <ti>Generic unprivileged users. The default identity mapping.</ti></tr>
1883 -<tr><ti>staff_u</ti>
1884 - <ti>staff_r, sysadm_r</ti>
1885 - <ti>System administrators that also log in to do regular user activties.</ti></tr>
1886 -<tr><ti>sysadm_u</ti>
1887 - <ti>sysadm_r</ti>
1888 - <ti>System administrators that only log in to do administrative tasks. It is not suggested that this identity is used.</ti></tr>
1889 -<tr><ti>root</ti>
1890 - <ti>staff_r, sysadm_r</ti>
1891 - <ti>Special identity for root. Other users should use staff_u instead.</ti></tr>
1892 -</table>
1893 -<p>
1894 - See the <uri link="selinux-handbook.xml?part=3&amp;chap=2#doc_chap3">SELinux HOWTO</uri>
1895 - for semanage syntax for configuring SELinux identity mappings.
1896 -</p>
1897 -</body></subsection>
1898 -
1899 -</section>
1900 -
1901 -<section><title>SELinux Contexts</title>
1902 -<subsection><body>
1903 -<p>
1904 - Using the above three security models together is called a SELinux
1905 - context. A context takes the form <c>identity</c>:<c>role</c>:<c>type</c>.
1906 - The SELinux context is the most important value for determining access.
1907 -</p>
1908 -</body></subsection>
1909 -
1910 -<subsection><title>Object Contexts</title><body>
1911 -<p>
1912 - A typical <c>ls -Z</c> may have an output similar to this:
1913 -</p>
1914 -<pre caption="Example ls -Z output">
1915 -drwxr-xr-x root root system_u:object_r:bin_t bin
1916 -drwxr-xr-x root root system_u:object_r:boot_t boot
1917 -drwxr-xr-x root root system_u:object_r:device_t dev
1918 -drwxr-xr-x root root system_u:object_r:etc_t etc
1919 -</pre>
1920 -<p>
1921 - The first three columns are the typical linux permissions, user and group.
1922 - The fourth column is the file or directory&#39;s security context. Objects
1923 - are given the generic <c>object_r</c> role. From the other two fields of
1924 - the context, it can be seen that the files are in the system identity,
1925 - and have four different types, <c>bin_t</c>, <c>boot_t</c>, <c>device_t</c>,
1926 - and <c>etc_t</c>.
1927 -</p>
1928 -</body></subsection>
1929 -
1930 -<subsection><title>Process Contexts</title><body>
1931 -<p>
1932 - A typical <c>ps ax -Z</c> may have an output similar to this:
1933 -</p>
1934 -<pre caption="Example ps ax -Z output">
1935 - PID CONTEXT COMMAND
1936 - 1 system_u:system_r:init_t [init]
1937 - 2 system_u:system_r:kernel_t [keventd]
1938 - 3 system_u:system_r:kernel_t [ksoftirqd_CPU0]
1939 - 4 system_u:system_r:kernel_t [kswapd]
1940 - 5 system_u:system_r:kernel_t [bdflush]
1941 - 6 system_u:system_r:kernel_t [kupdated]
1942 - 706 system_u:system_r:syslogd_t [syslog-ng]
1943 - 712 system_u:system_r:httpd_t [apache]
1944 - 791 system_u:system_r:sshd_t [sshd]
1945 - 814 system_u:system_r:crond_t [cron]
1946 - 826 system_u:system_r:getty_t [agetty]
1947 - 827 system_u:system_r:getty_t [agetty]
1948 - 828 system_u:system_r:getty_t [agetty]
1949 - 829 system_u:system_r:getty_t [agetty]
1950 - 830 system_u:system_r:getty_t [agetty]
1951 - 831 system_u:system_r:httpd_t [apache]
1952 - 832 system_u:system_r:httpd_t [apache]
1953 - 833 system_u:system_r:httpd_t [apache]
1954 -23093 system_u:system_r:sshd_t [sshd]
1955 -23095 user_u:user_r:user_t [bash]
1956 -23124 system_u:system_r:sshd_t [sshd]
1957 -23126 user_u:user_r:user_t [bash]
1958 -23198 system_u:system_r:sshd_t [sshd]
1959 -23204 user_u:user_r:user_t [bash]
1960 -23274 system_u:system_r:sshd_t [sshd]
1961 -23275 pebenito:staff_r:staff_t [bash]
1962 -23290 pebenito:staff_r:staff_t ps ax -Z
1963 -</pre>
1964 -<p>
1965 - In this example, the typical process information is displayed, in addition
1966 - to the process&#39;s context. By inspection, all of the system&#39;s kernel
1967 - processes and daemons run under the <c>system_u</c> identity, and
1968 - <c>system_r</c> role. The individual domains depend on the program.
1969 - There are a few users logged in over ssh, using the generic <c>user_u</c>
1970 - identity. Finally there is a user with the identity <c>pebenito</c> logged in
1971 - with the <c>staff_r</c> role, running in the <c>staff_t</c> domain.
1972 -</p>
1973 -</body></subsection>
1974 -
1975 -</section>
1976 -
1977 -<section>
1978 -<title>SELinux Policy Files</title>
1979 -<subsection><body>
1980 -<p>
1981 - The SELinux policy source files are no longer installed onto the system.
1982 - In the <c>/usr/share/selinux/{strict,targeted}</c> directory there are a
1983 - collection of policy packages and headers for building local modules.
1984 - The policy files are processed by m4, and then the policy compiler <c>checkmodule</c>
1985 - verifies that there are no syntactic errors, and a policy module is created.
1986 - Then a policy package is created with with the <c>semodule_package</c>
1987 - program, using the policy module and the module file contexts.
1988 - The policy packaged then can be loaded into a running SELinux kernel
1989 - by inserting it into the module store.
1990 -</p>
1991 -</body></subsection>
1992 -
1993 -<subsection><title>*.pp</title><body>
1994 -<p>
1995 - Policy packages for this policy. These must be inserted into the module
1996 - store so they can be loaded into the policy. Inside the package
1997 - there is a loadable policy module, and optionally a file context file.
1998 -</p>
1999 -</body></subsection>
2000 -
2001 -<subsection><title>include/</title><body>
2002 -<p>
2003 - Policy headers for this policy.
2004 -</p>
2005 -</body></subsection>
2006 -
2007 -</section>
2008 -
2009 -<section>
2010 -<title>Binary Policy Versions</title>
2011 -<subsection><body>
2012 -<p>
2013 - When compiling the policy, the resultant binary policy is versioned.
2014 - The first version that was merged into 2.6 was version 15.
2015 - The version number is only incremented generally when new features are added that require changes to the structure of the compiled policy.
2016 - For example, in 2.6.5, conditional policy extensions were added.
2017 - This required the policy version to be incremented to version 16.
2018 -</p>
2019 -</body></subsection>
2020 -<subsection><title>What Policy Version Does My Kernel Use?</title>
2021 -<body>
2022 -<p>
2023 - The policy version of a running kernel can be determined by executing
2024 - <c>sestatus</c> or <c>policyvers</c>. Current kernels can load
2025 - the previous version policy for compatibility. For example a version 17
2026 - kernel can also load a version 16 policy. However, this compatibility
2027 - code may be removed in the future.
2028 -</p>
2029 -<note>
2030 - The policy management infrastructure (libsemanage) will automatically
2031 - create and use the correct version policies. No extra steps need be taken.
2032 -</note>
2033 -</body></subsection>
2034 -<subsection><title>Policy Versions</title>
2035 -<body>
2036 -<p>
2037 - The following table contains the policy versions in 2.6 kernels.
2038 -</p>
2039 -<table>
2040 -<tr><th>Version</th>
2041 - <th>Description</th>
2042 - <th>Kernel Versions</th></tr>
2043 -<tr><ti>12</ti>
2044 - <ti>"Old API" SELinux (deprecated).</ti></tr>
2045 -<tr><ti>15</ti>
2046 - <ti>"New API" SELinux merged into 2.6.</ti>
2047 - <ti>2.6.0 - 2.6.4</ti></tr>
2048 -<tr><ti>16</ti>
2049 - <ti>Conditional policy extensions added.</ti>
2050 - <ti>2.6.5</ti></tr>
2051 -<tr><ti>17</ti>
2052 - <ti>IPV6 support added.</ti>
2053 - <ti>2.6.6 - 2.6.7</ti></tr>
2054 -<tr><ti>18</ti>
2055 - <ti>Fine-grained netlink socket support added.</ti>
2056 - <ti>2.6.8 - 2.6.11</ti></tr>
2057 -<tr><ti>19</ti>
2058 - <ti>Enhanced multi-level security.</ti>
2059 - <ti>2.6.12 - 2.6.13</ti></tr>
2060 -<tr><ti>20</ti>
2061 - <ti>Access vector table size optimizations.</ti>
2062 - <ti>2.6.14 - 2.6.18</ti></tr>
2063 -<tr><ti>21</ti>
2064 - <ti>Object classes in range transitions.</ti>
2065 - <ti>2.6.19 - 2.6.24</ti></tr>
2066 -<tr><ti>22</ti>
2067 - <ti>Policy capabilities (features).</ti>
2068 - <ti>2.6.25</ti></tr>
2069 -<tr><ti>23</ti>
2070 - <ti>Per-domain permissive mode.</ti>
2071 - <ti>2.6.26 - 2.6.27</ti></tr>
2072 -<tr><ti>24</ti>
2073 - <ti>Explicit hierarchy (type bounds).</ti>
2074 - <ti>2.6.28 - current</ti></tr>
2075 -</table>
2076 -</body></subsection>
2077 -</section>
2078 -
2079 -<section>
2080 -<title>Conditional Policy Extensions</title>
2081 -<subsection><body>
2082 -<p>
2083 - The conditional policy extensions allow the enabling and disabling of policy
2084 - rules at runtime, without loading a modified policy. Using policy booleans
2085 - and expressions, policy rules can be conditionally applied.
2086 -</p>
2087 -</body></subsection>
2088 -
2089 -<subsection><title>Determine Boolean Values</title>
2090 -<body>
2091 -<p>
2092 - The status of policy booleans in the current running policy can be determined
2093 - two ways. The first is by using <c>sestatus</c>.
2094 -</p>
2095 -<pre caption="Example sestatus output">
2096 -# sestatus
2097 -SELinux status: enabled
2098 -SELinuxfs mount: /selinux
2099 -Current mode: enforcing
2100 -Policy version: 17
2101 -
2102 -Policy booleans:
2103 -user_ping inactive
2104 -</pre>
2105 -<p>
2106 - The second is <c>getsebool</c> which is a simple tool that displays
2107 - the status of policy booleans, and if a value change is pending.
2108 -</p>
2109 -<pre caption="Example getsebool command">
2110 -# getsebool -a
2111 -user_ping --> active: 0 pending: 0
2112 -</pre>
2113 -</body></subsection>
2114 -
2115 -<subsection><title>Changing Boolean Values</title>
2116 -<body>
2117 -<p>
2118 - The value of a boolean can be toggled by using the <c>togglesebool</c>
2119 - command. Multiple booleans can be specified on the command line. The
2120 - new value of the boolean will be displayed.
2121 -</p>
2122 -<pre caption="Example togglesebool command">
2123 -# togglesebool user_ping
2124 -user_ping: active
2125 -</pre>
2126 -<p>
2127 - The value of a boolean can be set specifically by using the <c>setsebool</c>
2128 - command.
2129 -</p>
2130 -<pre caption="Example setsebool command">
2131 -# setsebool user_ping 0
2132 -</pre>
2133 -<p>
2134 - To set the value of a boolean, and make it the devault value, use the <c>-P</c> option.
2135 -</p>
2136 -<pre caption="Change default value">
2137 -# setsebool -P user_ping 1
2138 -</pre>
2139 -</body></subsection>
2140 -</section>
2141 -
2142 -<section>
2143 -<title>Policy Kernel Messages</title>
2144 -<subsection><body>
2145 -<p>
2146 - While a system is running, a program or user may attempt to do something
2147 - that violates the security policy. If the system is enforcing the policy,
2148 - the access will be denied, and there will be a message in the kernel log.
2149 - If the system is not enforcing (permissive mode), the access will be allowed,
2150 - but there will still be a kernel message.
2151 -</p>
2152 -</body></subsection>
2153 -
2154 -<subsection><title>AVC Messages</title><body>
2155 -<p>
2156 - Most kernel messages from SELinux come from the access vector cache (AVC).
2157 - Understanding denials is important to understand if an attack is happening,
2158 - or if the program is requiring unexpected accesses. An example denial
2159 - may look like this:
2160 -</p>
2161 -
2162 -<pre caption="Example AVC Message">
2163 -avc: denied { read write } for pid=3392 exe=/bin/mount dev=03:03 ino=65554
2164 -scontext=pebenito:sysadm_r:mount_t tcontext=system_u:object_r:tmp_t tclass=file
2165 -</pre>
2166 -
2167 -<p>
2168 - While most AVC messages are denials, occasionally there might be an audit
2169 - message for an access that was granted:
2170 -</p>
2171 -<pre caption="Example AVC Message 2">
2172 -avc: granted { load_policy } for pid=3385 exe=/usr/sbin/load_policy
2173 -scontext=pebenito:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
2174 -</pre>
2175 -<p>
2176 - In this case, the ability to load the policy was granted. This is a critical
2177 - security event, and thus is always audited. Another event that is always
2178 - audited is switching between enforcing and permissive modes.
2179 -</p>
2180 -
2181 -<p>
2182 - SELinux will supress logging of denials if many are received in a short
2183 - amount of time. However, This does not always imply there is an attack
2184 - in progress. A program may be doing something that could cause
2185 - many denials in a short time, such as doing a stat() on device nodes in
2186 - /dev. To protect from filling up the system logs, SELinux has rate limiting
2187 - for its messages:
2188 -</p>
2189 -
2190 -<pre caption="Example AVC Message 3">
2191 -AVC: 12 messages suppressed.
2192 -</pre>
2193 -
2194 -<p>
2195 - The policy would have to be modified to not audit these accesses if they
2196 - are normal program behavior, but still need to be denied.
2197 -</p>
2198 -
2199 -</body></subsection>
2200 -
2201 -<subsection><title>Other kernel messages</title>
2202 -<body>
2203 -<pre caption="inode_doinit_with_dentry">
2204 -inode_doinit_with_dentry: context_to_sid(system_u:object_r:bar_t) returned 22 for dev=hda3 ino=517610
2205 -</pre>
2206 -<p>
2207 - This means that the file on /dev/hda3 with inode number 517610 has the context
2208 - system_u:object_r:bar_t, which is invalid. Objects with an invalid context
2209 - are treated as if they had the system_u:object_r:unlabeled_t context.
2210 -</p>
2211 -</body></subsection>
2212 -
2213 -</section>
2214 -
2215 -<section><title>Dissecting a Denial</title>
2216 -<subsection><body>
2217 -<p>
2218 - Denials contain varying amounts of information, depending on the access type.
2219 -</p>
2220 -
2221 -<pre caption="Example Denials">
2222 -avc: denied { lock } for pid=28341 exe=/sbin/agetty path=/var/log/wtmp dev=03:03 ino=475406
2223 -scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file
2224 -
2225 -avc: denied { create } for pid=20909 exe=/bin/ls scontext=pebenito:sysadm_r:mkinitrd_t
2226 -tcontext=pebenito:sysadm_r:mkinitrd_t tclass=unix_stream_socket
2227 -
2228 -avc: denied { setuid } for pid=3170 exe=/usr/bin/ntpd capability=7
2229 -scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability
2230 -
2231 -</pre>
2232 -
2233 -<p>
2234 - The most common denial relates to access of files. For better understanding,
2235 - the first denial message will be broken down:
2236 -</p>
2237 -<table>
2238 -<tr><th>Component</th><th>Description</th></tr>
2239 -<tr><ti>avc: denied</ti>
2240 - <ti>SELinux has denied this access.</ti></tr>
2241 -<tr><ti>{ lock }</ti>
2242 - <ti>The attempted access is a lock.</ti></tr>
2243 -<tr><ti>pid=28341</ti>
2244 - <ti>The process ID performing this access is 28341.</ti></tr>
2245 -<tr><ti>exec=/sbin/agetty</ti>
2246 - <ti>The full path and name of the process&#39;s executable is /sbin/agetty.</ti></tr>
2247 -<tr><ti>path=/var/log/wtmp</ti>
2248 - <ti>The path and name of the target object is /var/log/wtmp. Note: a complete
2249 - path is not always available.</ti></tr>
2250 -<tr><ti>dev=03:03</ti>
2251 - <ti>The target object resides on device 03:03 (major:minor number).
2252 - On 2.6 kernels this may resolve to a name, hda3 in this example.</ti></tr>
2253 -<tr><ti>ino=475406</ti>
2254 - <ti>The inode number of the target object is 475406.</ti></tr>
2255 -<tr><ti>scontext=system_u:system_r:getty_t</ti>
2256 - <ti>The context of the program is system_u:system_r:getty_t.</ti></tr>
2257 -<tr><ti>tcontext=system_u:object_r:var_log_t</ti>
2258 - <ti>The context of the target object is system_u:object_r:var_log_t.</ti></tr>
2259 -<tr><ti>tclass=file</ti>
2260 - <ti>The target object is a normal file.</ti></tr>
2261 -</table>
2262 -
2263 -<p>
2264 - Not all AVC messages will have all of these fields, as shown in the other
2265 - two denials. The fields vary depending on the target object&#39;s class.
2266 - However, the most important fields: access type, source and target contexts,
2267 - and the target object&#39;s class will always be in an AVC message.
2268 -</p>
2269 -</body></subsection>
2270 -
2271 -<subsection><title>Understanding the Denial</title><body>
2272 -<p>
2273 - Denials can be very confusing since they can be triggered for several reasons.
2274 - The key to understanding what is happening is to know the behavior of the
2275 - program, and to correctly interpret the denial message. The target is not
2276 - limited to files; it could also be related to network sockets,
2277 - interprocess communications, or others.
2278 -</p>
2279 -<p>
2280 - In the above example, the agetty is denied locking of a file. The file&#39;s type
2281 - is var_log_t, therefore it is implied that the target file is in /var/log.
2282 - With the extra information from the path= field in the denial message, it is
2283 - confirmed to be the file /var/log/wtmp. If path information was unavailable,
2284 - this could be further confirmed by searching for the inode. Wtmp is a file that has
2285 - information about users currently logged in, and agetty handles logins on
2286 - ttys. It can be concluded that this is an expected access of agetty, for
2287 - updating wtmp. However, why is this access being denied? Is there a flaw
2288 - in the policy by not allowing agetty to update wtmp? It turns out that wtmp
2289 - has the incorrect context. It should be system_u:object_r:wtmp_t, rather
2290 - than system_u:object_r:var_log_t.
2291 -</p>
2292 -<p>
2293 - If this access was not understood, an administrator might mistakenly allow getty_t
2294 - read/write access to var_log_t files, which would be incorrect, since agetty
2295 - only needs to modify /var/log/wtmp. This underscores how critical keeping
2296 - file contexts consistent is.
2297 -</p>
2298 -</body></subsection>
2299 -</section>
2300 -
2301 -<section><title>References</title>
2302 -<subsection><body>
2303 -<p>
2304 - <uri link="http://www.nsa.gov/selinux">U.S. National Security Agency</uri>,
2305 - SELinux Policy README
2306 -</p>
2307 -</body></subsection>
2308 -</section>
2309 -</sections>
2310
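Review bot: this hunk removes a chapter that other handbook pages link into, and nothing in the commit updates those links; the file itself references `selinux-handbook.xml?part=3&amp;chap=2#doc_chap3`, showing these chapter files are stitched into selinux-handbook.xml, and the commented-out section at the top still carries the author's own reminder "!!! still need to update other links in the handbook". Please check that the handbook index no longer includes hb-selinux-overview.xml and that no remaining page links to its chapters, otherwise the build or the rendered links will break. Also consider whether the "Binary Policy Versions" table (versions 12 through 24 mapped to kernel releases), the AVC message walk-through and the "Dissecting a Denial" example (the wtmp mislabeled as `var_log_t` instead of `wtmp_t` case, with its warning against widening getty_t to all var_log_t files) are worth migrating: they are reference material rather than obsolete procedure, and this file is dated 2009-07-13, newer than the other deleted chapters.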
2311 diff --git a/xml/selinux/hb-selinux-references.xml b/xml/selinux/hb-selinux-references.xml
2312 deleted file mode 100644
2313 index 5bceac4..0000000
2314 --- a/xml/selinux/hb-selinux-references.xml
2315 +++ /dev/null
2316 @@ -1,111 +0,0 @@
2317 -<?xml version='1.0' encoding="UTF-8"?>
2318 -<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
2319 -
2320 -<!-- The content of this document is licensed under the CC-BY-SA license -->
2321 -<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
2322 -
2323 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
2324 -
2325 -<sections>
2326 -<version>1.2</version>
2327 -<date>2006-05-07</date>
2328 -
2329 -
2330 -<section><title>Background</title>
2331 -<subsection><body>
2332 -<ul>
2333 -<li>
2334 - <uri link="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure:
2335 - The Flawed Assumption of Security in Modern Computing Environments</uri>
2336 - explains the need for mandatory access controls.</li>
2337 -<li>
2338 - <uri link="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture:
2339 - System Support for Diverse Security Policies</uri>
2340 - explains the security architecture of Flask, the architecture used by SELinux.</li>
2341 -<li>
2342 - <uri link="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</uri>
2343 - has specifics about SELinux access checks in the kernel.</li>
2344 -</ul>
2345 -</body>
2346 -</subsection>
2347 -</section>
2348 -
2349 -<section><title>Policy</title>
2350 -<subsection><body>
2351 -<ul>
2352 -<li>
2353 - <uri link="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</uri></li>
2354 -<li>
2355 - <uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri></li>
2356 -<li>
2357 - SELinux <uri link="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</uri>
2358 - Overview</li>
2359 -</ul>
2360 -</body>
2361 -</subsection>
2362 -</section>
2363 -
2364 -<section><title>Books</title>
2365 -<subsection><body>
2366 -<ul>
2367 -<li>
2368 - <c>SELinux by Example: Using Security Enhanced Linux</c>, Frank Mayer,
2369 - Karl MacMillan, and David Caplan, Prentice Hall, 2006; ISBN 0131963694</li>
2370 -<li>
2371 - <c>SELinux: NSA's Open Source Security Enhanced Linux</c>, Bill McCarty,
2372 - O'Reilly Media, 2004; ISBN 0596007167</li>
2373 -</ul>
2374 -</body>
2375 -</subsection>
2376 -</section>
2377 -
2378 -<section><title>Meeting Notes</title>
2379 -<subsection><body>
2380 -<ul>
2381 -<li>
2382 - <uri link="http://www.selinux-symposium.org/2006/summit.php">March 3rd, 2006 SELinux Developer Summit</uri></li>
2383 -<li>
2384 - <uri link="http://www.selinux-symposium.org/meeting.php">May 6th, 2004 Informal Meeting</uri></li>
2385 -</ul>
2386 -</body>
2387 -</subsection>
2388 -</section>
2389 -
2390 -<section><title>Presentations</title>
2391 -<subsection><title>2006 SELinux Symposium</title><body>
2392 -<ul>
2393 -<li>
2394 - <uri link="http://www.nsa.gov/selinux/papers/selsymp2006-abs.cfm">SELinux Year in Review</uri>,
2395 - Stephen Smalley, National Security Agency</li>
2396 -<li>
2397 - <uri link="http://www.selinux-symposium.org/2006/slides/03-refpolicy-slides.pdf">Reference Policy for Security Enhanced Linux</uri>,
2398 - Karl MacMillan, Tresys Technology (<uri link="http://www.selinux-symposium.org/2006/papers/05-refpol.pdf">Paper</uri>)</li>
2399 -</ul>
2400 -</body>
2401 -</subsection>
2402 -<subsection><title>2005 SELinux Symposium</title><body>
2403 -<ul>
2404 -<li>
2405 - <uri link="http://www.nsa.gov/research/selinux/index.shtml">SELinux Overview</uri>,
2406 - NSA</li>
2407 -<li>
2408 - <uri link="http://www.selinux-symposium.org/2005/presentations/session3/3-2-macmillan.pdf">Core Policy Management Infrastructure for SELinux</uri>,
2409 - Karl MacMillan, Tresys Technology</li>
2410 -<li>
2411 - <uri link="http://www.selinux-symposium.org/2005/presentations/session4/4-1-walsh.pdf">Targeted vs. Strict Policy History and Strategy</uri>,
2412 - Dan Walsh, Red Hat</li>
2413 -<li>
2414 - <uri link="http://www.selinux-symposium.org/2005/presentations/session4/4-4-mayer.pdf">Tresys SETools: Tools and Libraries for Policy Analysis and Management</uri>,
2415 - Frank Mayer, Tresys Technology</li>
2416 -<li>
2417 - <uri link="http://www.selinux-symposium.org/2005/presentations/session5/5-3-macmillan.pdf">Information Flow Analysis for Type Enforcement Policies</uri>,
2418 - Karl MacMillan, Tresys Technology</li>
2419 -<li>
2420 - <uri link="http://www.selinux-symposium.org/2005/presentations/session6/6-2-mayer.pdf">SELinux Policy Analysis Concepts and Techniques</uri>,
2421 - David Caplan, Frank Mayer, Tresys Technology</li>
2422 -</ul>
2423 -</body>
2424 -</subsection>
2425 -</section>
2426 -
2427 -</sections>
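Review bot: deleting the references chapter drops the only reading list in the handbook (the Inevitability of Failure and Flask papers, "Configuring the SELinux Policy", the Reference Policy and object-class links, the two books and the symposium slides) without the commit message saying whether a replacement bibliography exists; if the new documentation has one, please mention it, and if not, consider keeping this file and only pruning entries whose links have gone stale rather than removing the whole set.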