commit: 6ead14e833d7958b6f5b89c45d520be1accfa615 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Fri Apr 1 17:44:41 2011 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Apr 1 17:44:41 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=6ead14e8 |
|
drop unneeded files |
|
--- |
xml/selinux/hb-selinux-conv-profile.xml | 107 ------- |
xml/selinux/hb-selinux-conv-reboot1.xml | 193 ------------ |
xml/selinux/hb-selinux-conv-reboot2.xml | 213 ------------- |
xml/selinux/hb-selinux-faq.xml | 154 --------- |
xml/selinux/hb-selinux-howto.xml | 250 --------------- |
xml/selinux/hb-selinux-initpol.xml | 48 --- |
xml/selinux/hb-selinux-libsemanage.xml | 246 --------------- |
xml/selinux/hb-selinux-localmod.xml | 134 -------- |
xml/selinux/hb-selinux-loglocal.xml | 166 ---------- |
xml/selinux/hb-selinux-logremote.xml | 177 ----------- |
xml/selinux/hb-selinux-overview.xml | 521 ------------------------------- |
xml/selinux/hb-selinux-references.xml | 111 ------- |
12 files changed, 0 insertions(+), 2320 deletions(-) |
|
diff --git a/xml/selinux/hb-selinux-conv-profile.xml b/xml/selinux/hb-selinux-conv-profile.xml |
26 |
deleted file mode 100644 |
27 |
index 01f5ead..0000000 |
28 |
--- a/xml/selinux/hb-selinux-conv-profile.xml |
29 |
+++ /dev/null |
30 |
@@ -1,107 +0,0 @@ |
31 |
-<?xml version='1.0' encoding="utf-8"?> |
32 |
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
33 |
- |
34 |
-<!-- The content of this document is licensed under the CC-BY-SA license --> |
35 |
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
36 |
- |
37 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ --> |
38 |
- |
39 |
-<sections> |
40 |
-<version>2.1</version> |
41 |
-<date>2010-06-15</date> |
42 |
- |
43 |
-<section><title>Change Profile</title> |
44 |
-<subsection><body> |
45 |
- |
46 |
-<warn>SELinux is only supported on ext2/3, XFS, JFS, and Btrfs. Other filesystems |
47 |
-lack the complete extended attribute support.</warn> |
48 |
- |
49 |
-<warn>Users should convert from a 2006.1 or newer profile otherwise |
50 |
-there may be unpredictable results.</warn> |
51 |
- |
52 |
-<impo>As always, keep a LiveCD at hand in case things go wrong.</impo> |
53 |
- |
54 |
-<p>First switch your profile to the SELinux profile for your architecture:</p> |
55 |
- |
56 |
-<pre caption="Switch profiles"> |
57 |
-# <i>rm -f /etc/make.profile</i> |
58 |
- |
59 |
- |
60 |
-<comment>x86 (server):</comment> |
61 |
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/server /etc/make.profile</i> |
62 |
-<comment>x86 (hardened):</comment> |
63 |
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/hardened /etc/make.profile</i> |
64 |
-<comment>AMD64:</comment> |
65 |
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/server /etc/make.profile</i> |
66 |
-<comment>AMD64 (hardened):</comment> |
67 |
-# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/hardened /etc/make.profile</i> |
68 |
-</pre> |
69 |
- |
70 |
-<note>You can also switch profiles with eselect if you have the gentoolkit |
71 |
- package installed. That method is not shown here because the specific options |
72 |
- available and their numbering will vary according to your system |
73 |
- configuration.</note> |
74 |
- |
75 |
-<impo>Do not use any profiles other than the ones listed above, even |
76 |
-if they seem to be out of date. SELinux profiles are not necessarily |
77 |
-created as often as default Gentoo profiles.</impo> |
78 |
- |
79 |
-<impo>The SELinux profile has significanly fewer USE flags asserted than |
80 |
-the default profile. Use <c>emerge info</c> to see if any use flags |
81 |
-need to be reenabled in make.conf.</impo> |
82 |
- |
83 |
-<note>It is not necessary to add selinux to your USE flags in make.conf. |
84 |
-The SELinux profile already does this for you. |
85 |
-</note> |
86 |
- |
87 |
-<note> |
88 |
- You may encounter this message from portage: "!!! SELinux module not found. |
89 |
- Please verify that it was installed." This is normal, and will be fixed |
90 |
- later in the conversion process. |
91 |
-</note> |
92 |
-</body> |
93 |
-</subsection> |
94 |
-</section> |
95 |
- |
96 |
-<section><title>Update Kernel Headers</title> |
97 |
-<subsection><body> |
98 |
-<p> |
99 |
- We will start by updating essential packages. First check which version |
100 |
- of linux-headers is installed. |
101 |
-</p> |
102 |
- |
103 |
-<pre caption="Check linux-headers version"> |
104 |
-# <i>emerge -s linux-headers</i> |
105 |
-<comment>or if you have gentoolkit installed:</comment> |
106 |
-# <i>equery list -i linux-headers</i> |
107 |
-</pre> |
108 |
- |
109 |
-<p> |
110 |
- If the linux-headers version is older than 2.4.20, newer headers must be merged. |
111 |
-</p> |
112 |
- |
113 |
-<pre caption="Merge newer headers"> |
114 |
-# <i>emerge \>=sys-kernel/linux-headers-2.4.20</i> |
115 |
-</pre> |
116 |
-</body> |
117 |
-</subsection> |
118 |
-</section> |
119 |
- |
120 |
-<section><title>Update Glibc</title> |
121 |
-<subsection><body> |
122 |
-<p> |
123 |
- If you have merged new headers, or you are unsure if your glibc was |
124 |
- compiled with newer headers, you must recompile glibc. |
125 |
-</p> |
126 |
- |
127 |
-<pre caption="Recompile glibc"> |
128 |
-# <i>emerge glibc</i> |
129 |
-</pre> |
130 |
- |
131 |
-<impo> |
132 |
- This is a critical operation. Glibc must be compiled with newer linux-headers, |
133 |
- otherwise some operations will malfunction. |
134 |
-</impo> |
135 |
-</body></subsection> |
136 |
-</section> |
137 |
-</sections> |
138 |
|
139 |
diff --git a/xml/selinux/hb-selinux-conv-reboot1.xml b/xml/selinux/hb-selinux-conv-reboot1.xml |
140 |
deleted file mode 100644 |
141 |
index bfc8692..0000000 |
142 |
--- a/xml/selinux/hb-selinux-conv-reboot1.xml |
143 |
+++ /dev/null |
144 |
@@ -1,193 +0,0 @@ |
145 |
-<?xml version='1.0' encoding="utf-8"?> |
146 |
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
147 |
- |
148 |
-<!-- The content of this document is licensed under the CC-BY-SA license --> |
149 |
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
150 |
- |
151 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v 1.11 2010/10/06 15:11:15 pebenito Exp $ --> |
152 |
- |
153 |
-<sections> |
154 |
-<version>2.2</version> |
155 |
-<date>2010-11-27</date> |
156 |
- |
157 |
-<section><title>Merge a SELinux Kernel</title> |
158 |
-<subsection><body> |
159 |
-<p>Merge an appropriate kernel. A 2.6 kernel is required. The |
160 |
- suggested kernel is hardened-sources. |
161 |
-</p> |
162 |
- |
163 |
-<note>2.6.28-r9 is the current hardened release version at the time of this writing, |
164 |
- and all instructions in this document assume at least this version.</note> |
165 |
- |
166 |
-<warn>Kernels 2.6.14 and 2.6.15 should not be used by XFS users as they |
167 |
- have bugs in the SELinux XFS support.</warn> |
168 |
- |
169 |
-<pre caption="Merge an appropriate kernel"> |
170 |
-<comment>Any 2.6 kernel</comment> |
171 |
-# <i>emerge hardened-sources</i> |
172 |
-</pre> |
173 |
-</body></subsection> |
174 |
-</section> |
175 |
- |
176 |
-<section><title>Compile the Kernel with SELinux Options</title> |
177 |
-<subsection><body> |
178 |
-<p>The kernel must be compiled with security module support, SELinux support, |
179 |
-devpts, and extended attribute security labels. Refer to the main installation |
180 |
-guide for futher kernel options.</p> |
181 |
- |
182 |
-<note> |
183 |
-The available options may vary slightly depending on the kernel version |
184 |
-being used. In particular, Btrfs first became available with the 2.6.29 |
185 |
-kernel, and the /dev/pts and tmpfs Extended Attributs and Security Labels |
186 |
-options were obsoleted in kernel 2.6.13 (they are now enabled by default). |
187 |
-"Default Linux Capabilies" under "Security options" was obsoleted in the |
188 |
-2.6.26 kernel (it is now enabled by default). |
189 |
- |
190 |
-XFS always enables security labeling, so there is no additional option |
191 |
-to set for this file system |
192 |
- |
193 |
-Ext4 should work, but is NOT well tested at the time of this writing! |
194 |
- |
195 |
-Any extended attribute options not specifically enabled below should be turned |
196 |
-off. |
197 |
-</note> |
198 |
- |
199 |
-<pre caption="Location and required options under menuconfig"> |
200 |
-<comment>Under "General setup"</comment> |
201 |
-[*] Prompt for development and/or incomplete code/drivers |
202 |
-[*] Auditing support |
203 |
-[*] Enable system-call auditing support |
204 |
- |
205 |
-<comment>Under "File systems"</comment> |
206 |
-<*> Second extended fs support <comment>(If using ext2)</comment> |
207 |
-[*] Ext2 extended attributes |
208 |
-[ ] Ext2 POSIX Access Control Lists |
209 |
-[*] Ext2 Security Labels |
210 |
-[ ] Ext2 Execute in place support |
211 |
-<*> Ext3 journalling file system support <comment>(If using ext3)</comment> |
212 |
-[*] Ext3 extended attributes |
213 |
-[ ] Ext3 POSIX Access Control Lists |
214 |
-[*] Ext3 Security labels |
215 |
-<*> The Extended 4 (ext4) filesystem <comment>(If using ext4)</comment> |
216 |
-[ ] Enable ext4dev compatibility |
217 |
-[*] Ext4 extended attrributes |
218 |
-[ ] Ext4 POSIX Access Control Lists |
219 |
-[*] Ext4 Security Labels |
220 |
-<*> JFS filesystem support <comment>(If using JFS)</comment> |
221 |
-[ ] JFS POSIX Access Control Lists |
222 |
-[*] JFS Security Labels |
223 |
-[ ] JFS debugging |
224 |
-[ ] JFS statistics |
225 |
-<*> XFS filesystem support <comment>(If using XFS)</comment> |
226 |
-[ ] XFS Quota support |
227 |
-[ ] XFS POSIX ACL support |
228 |
-[ ] XFS Realtime subvolume support (EXPERIMENTAL) |
229 |
-[ ] XFS Debugging Support |
230 |
-<*> Btrfs filesystem (EXPERIMENTAL) Unstable disk format <comment>(if |
231 |
-using Btrfs)</comment> |
232 |
-[ ] Btrfs POSIX Access Control Lists (NEW) |
233 |
-<comment>Under "Pseudo filesystems (via "File systems")</comment> |
234 |
-[ ] /dev file system support (EXPERIMENTAL) |
235 |
-[*] /dev/pts Extended Attributes |
236 |
-[*] /dev/pts Security Labels |
237 |
-[*] Virtual memory file system support (former shm fs) |
238 |
-[*] tmpfs Extended Attributes |
239 |
-[*] tmpfs Security Labels |
240 |
- |
241 |
-<comment>Under "Security options"</comment> |
242 |
-[*] Enable different security models |
243 |
-[*] Socket and Networking Security Hooks |
244 |
-<*> Default Linux Capabilities |
245 |
-[*] NSA SELinux Support |
246 |
-[ ] NSA SELinux boot parameter |
247 |
-[ ] NSA SELinux runtime disable |
248 |
-[*] NSA SELinux Development Support |
249 |
-[ ] NSA SELinux AVC Statistics |
250 |
-(1) NSA SELinux checkreqprot default value |
251 |
-[ ] NSA SELinux enable new secmark network controls by default |
252 |
-[ ] NSA SELinux maximum supported policy format version |
253 |
- Default security module (SELinux) ---> |
254 |
-</pre> |
255 |
- |
256 |
-<p> |
257 |
- The extended attribute security labels must be turned on for devpts and |
258 |
- your filesystem(s). Devfs is not usable in SELinux, and should be |
259 |
- turned off. Not all options exist on older 2.6 kernels, |
260 |
- such as Auditing support, and runtime disable. In newer kernels, |
261 |
- the extended attributes support for proc and the virtual memory fs (tmpfs) |
262 |
- are enabled by default; thus, no options will appear in menuconfig. |
263 |
-</p> |
264 |
- |
265 |
-<note>It is recommended to configure PaX if you are using harded-sources (also |
266 |
-recommended). More information about Pax can be found in the <uri link="/proj/en/hardened/pax-quickstart.xml">Hardened Gentoo |
267 |
-PaX Quickstart Guide</uri>. |
268 |
-</note> |
269 |
- |
270 |
-<warn> |
271 |
- Do not enable the SELinux MLS policy option if its available, as it is |
272 |
- not supported, and will cause your machine to not start. |
273 |
-</warn> |
274 |
- |
275 |
-<p> |
276 |
- Now compile and install the kernel and modules, but do not reboot. |
277 |
-</p> |
278 |
-</body></subsection> |
279 |
-</section> |
280 |
- |
281 |
-<section><title>Update fstab</title> |
282 |
-<subsection><body> |
283 |
-<p> |
284 |
- SElinuxfs must also be enabled to mount at boot. |
285 |
- Add this to /etc/fstab: |
286 |
-</p> |
287 |
-<pre caption="Fstab settings for selinuxfs"> |
288 |
-none /selinux selinuxfs defaults 0 0 |
289 |
-</pre> |
290 |
-</body></subsection> |
291 |
-</section> |
292 |
- |
293 |
-<section><title>Configure Baselayout</title> |
294 |
-<subsection><body> |
295 |
-<p> |
296 |
-SELinux does not support devfs. You must configure baselayout to |
297 |
-use either static device nodes or udev. If using udev, the |
298 |
-device tarball must be disabled. Edit the /etc/conf.d/rc file. |
299 |
-Set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no. |
300 |
-If you have several custom device nodes, static is suggested, |
301 |
-otherwise udev is suggested (udev is the default at the time of this writing). |
302 |
-For more information on udev, consult the <uri link="/doc/en/udev-guide.xml">Gentoo UDEV Guide</uri>. |
303 |
-</p> |
304 |
-<pre caption="Init script configuration"> |
305 |
-# Use this variable to control the /dev management behavior. |
306 |
-# auto - let the scripts figure out what's best at boot |
307 |
-# devfs - use devfs (requires sys-fs/devfsd) |
308 |
-# udev - use udev (requires sys-fs/udev) |
309 |
-# static - let the user manage /dev |
310 |
- |
311 |
-RC_DEVICES="<comment>udev</comment>" |
312 |
- |
313 |
-# UDEV OPTION: |
314 |
-# Set to "yes" if you want to save /dev to a tarball on shutdown |
315 |
-# and restore it on startup. This is useful if you have a lot of |
316 |
-# custom device nodes that udev does not handle/know about. |
317 |
- |
318 |
-RC_DEVICE_TARBALL="<comment>no</comment>" |
319 |
-</pre> |
320 |
-</body></subsection> |
321 |
-</section> |
322 |
- |
323 |
-<section><title>Reboot</title> |
324 |
-<subsection><body> |
325 |
-<p> |
326 |
- We need to make some directories before we reboot. |
327 |
-</p> |
328 |
-<pre caption="Making Required Directories"> |
329 |
-# <i>mkdir /selinux</i> |
330 |
-# <i>mkdir /sys</i> |
331 |
-</pre> |
332 |
-<p> |
333 |
- Now reboot. |
334 |
-</p> |
335 |
-</body></subsection> |
336 |
-</section> |
337 |
-</sections> |
338 |
|
339 |
diff --git a/xml/selinux/hb-selinux-conv-reboot2.xml b/xml/selinux/hb-selinux-conv-reboot2.xml |
340 |
deleted file mode 100644 |
341 |
index 95383da..0000000 |
342 |
--- a/xml/selinux/hb-selinux-conv-reboot2.xml |
343 |
+++ /dev/null |
344 |
@@ -1,213 +0,0 @@ |
345 |
-<?xml version='1.0' encoding="utf-8"?> |
346 |
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
347 |
- |
348 |
-<!-- The content of this document is licensed under the CC-BY-SA license --> |
349 |
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
350 |
- |
351 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v 1.11 2010/06/25 16:07:19 pebenito Exp $ --> |
352 |
- |
353 |
-<sections> |
354 |
-<version>2.3</version> |
355 |
-<date>2010-11-27</date> |
356 |
- |
357 |
-<section><title>Merge SELinux Packages</title> |
358 |
-<subsection> |
359 |
-<body> |
360 |
-<p>Merge the libraries, utilities and base-policy. The policy version may need |
361 |
- be adjusted, refer to the SELinux Overview |
362 |
- for more information on policy versions. Then load the policy.</p> |
363 |
- |
364 |
-<pre caption="Merge base SELinux packages and policy"> |
365 |
-# <i>emerge -1 checkpolicy policycoreutils</i> |
366 |
-# <i>FEATURES=-selinux emerge -1 selinux-base-policy</i> |
367 |
-</pre> |
368 |
-<note> |
369 |
-The "FEATURES=-selinux" part of the emerge command should only be used on the above command. |
370 |
-It is required to merge selinux-base-policy (only for the first time) as the portage SELinux features require both policycoreutils and selinux-base-policy otherwise portage will fail. |
371 |
-</note> |
372 |
-</body></subsection> |
373 |
-</section> |
374 |
- |
375 |
-<section><title>Choose the policy type</title> |
376 |
-<body> |
377 |
-<p> |
378 |
-New in 2006.1, users now have the choice between the strict policy and the |
379 |
-targeted policy. |
380 |
-</p> |
381 |
-<p> |
382 |
-In the strict policy, all processes are confined. |
383 |
-If you are familiar with pre 2006.1 Gentoo SELinux policy, that policy was a strict policy. |
384 |
-Strict policy is suggested for servers. |
385 |
-Gentoo does not support the strict policy on desktops. |
386 |
-</p> |
387 |
-<p> |
388 |
-The targeted policy differs with strict, as only network-facing services are |
389 |
-confined and local users are unconfined. Gentoo only supports desktops with |
390 |
-the targeted policy. This policy can also be used on servers. |
391 |
-</p> |
392 |
-<p> |
393 |
-Edit the /etc/selinux/config file to set the policy type. |
394 |
-</p> |
395 |
-<pre caption="/etc/selinux/config contents"> |
396 |
-# This file controls the state of SELinux on the system on boot. |
397 |
- |
398 |
-# SELINUX can take one of these three values: |
399 |
-# enforcing - SELinux security policy is enforced. |
400 |
-# permissive - SELinux prints warnings instead of enforcing. |
401 |
-# disabled - No SELinux policy is loaded. |
402 |
-SELINUX=permissive <comment>(This should be set permissive for the remainder of the install)</comment> |
403 |
- |
404 |
-# SELINUXTYPE can take one of these two values: |
405 |
-# targeted - Only targeted network daemons are protected. |
406 |
-# strict - Full SELinux protection. |
407 |
-SELINUXTYPE=strict <comment>(Set this as strict or targeted)</comment> |
408 |
-</pre> |
409 |
-</body> |
410 |
-</section> |
411 |
- |
412 |
-<section><title>Merge SELinux-patched packages</title> |
413 |
-<subsection><body> |
414 |
-<p> |
415 |
- There are several system packages that have SELinux patches. These patches |
416 |
- provide a variety of additional SELinux functionality, such as displaying |
417 |
- file contexts. |
418 |
-</p> |
419 |
-<pre caption="Remerge Packages"> |
420 |
-# <i>emerge -1 sysvinit pam coreutils findutils openssh procps psmisc shadow util-linux python-selinux</i> |
421 |
-</pre> |
422 |
-<note> |
423 |
- If you find that you can't use portage due to a errors like these: |
424 |
- !!! 'module' object has no attribute 'secure_rename' or |
425 |
- AttributeError: 'module' object has no attribute 'getcontext', this is |
426 |
- a portage bug, where it can't handle a missing python-selinux. Merge it |
427 |
- with "FEATURES=-selinux emerge python-selinux" to fix the problem. See |
428 |
- bug <uri link="http://bugs.gentoo.org/show_bug.cgi?id=122517">#122517</uri> |
429 |
- for more information. |
430 |
-</note> |
431 |
-<p>There are other packages that have SELinux patches, but are optional. These |
432 |
-should be remerged if they are already installed, so the SELinux patches are |
433 |
-applied:</p> |
434 |
-<ul> |
435 |
-<li>app-admin/logrotate</li> |
436 |
-<li>sys-apps/fcron</li> |
437 |
-<li>sys-apps/vixie-cron</li> |
438 |
-<li>sys-fs/device-mapper</li> |
439 |
-<li>sys-fs/udev</li> |
440 |
-<li>sys-libs/pwdb</li> |
441 |
-</ul> |
442 |
-<note> |
443 |
- Fcron and Vixie-cron are the only crons with SELinux support. |
444 |
-</note> |
445 |
-<note>The above packages are NOT an exhaustive list; they are only the most |
446 |
-common ones. In general, any package installed on the system which has the |
447 |
-selinux USE flag should be remerged. To see which packages may need to be |
448 |
-merged, you can: |
449 |
-emerge -upDN world |
450 |
- |
451 |
-Since changing to the selinux profile has changed your USE flags, the above |
452 |
-will get everything that is listening to the selinux USE flag. It will |
453 |
-probably also get some other stuff as well. To actually remerge everything, |
454 |
-simply remove the 'p', or manually specify the packages you want to remerge. |
455 |
-</note> |
456 |
-</body></subsection> |
457 |
-</section> |
458 |
- |
459 |
-<section><title>Merge Application Policies</title> |
460 |
-<subsection><body> |
461 |
-<p> |
462 |
- In future, when merging a package, the policy will be set as a dependency so |
463 |
- that it is merged first; however, since the system is being converted, policy |
464 |
- for currently installed packages must be merged. The selinux-base-policy |
465 |
- already covers most packages in the system profile. |
466 |
-</p> |
467 |
-<p> |
468 |
- Look in the <c>/usr/portage/sec-policy</c>, it has several entries, each which |
469 |
- represent a policy. The naming scheme is selinux-PKGNAME, where PKGNAME is |
470 |
- the name of the package that the policy is associated. For example, the |
471 |
- selinux-apache package is the SELinux policy package for net-www/apache. |
472 |
- Merge each of the needed policy packages and then load the policy. |
473 |
- If you are converting a desktop, make sure to include the selinux-desktop policy package. |
474 |
-</p> |
475 |
-<pre caption="Example Merge of Apache and BIND policies"> |
476 |
-# <i>ls /usr/portage/sec-policy</i> |
477 |
-<comment>(many directories listed)</comment> |
478 |
- |
479 |
-# <i>emerge -1 selinux-apache selinux-bind</i> |
480 |
-</pre> |
481 |
-</body></subsection> |
482 |
-</section> |
483 |
- |
484 |
-<section><title>Label Filesystems</title> |
485 |
-<subsection><body> |
486 |
-<p> |
487 |
- Before you can relabel the rest of the filesystems, you need to first relabel |
488 |
- /dev. Strictly speaking, this is only necessary if you aren't using a static |
489 |
- /dev. However, as the vast majority of current and new systems are going to |
490 |
- be built with udev, this probably means you are using udev as well. There |
491 |
- are a lot of different ways to get at this problem, but the steps below are |
492 |
- easy to do and work. |
493 |
-</p> |
494 |
- <pre caption="Relabel /dev"> |
495 |
-<i># mkdir /mnt/gentoo |
496 |
-# mount -o bind / /mnt/gentoo |
497 |
-# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev |
498 |
-# umount /mnt/gentoo |
499 |
-</i> |
500 |
- </pre> |
501 |
- <note>Remember to select one of {strict,targeted} above based on your |
502 |
- enforcement mode.</note> |
503 |
-<p> |
504 |
- Now label the filesystems. This gives each of the files in the filesystems |
505 |
- a security label. Keeping these labels consistent is important. |
506 |
-</p> |
507 |
-<pre caption="Label filesystems"> |
508 |
-# <i>rlpkg -a -r</i> |
509 |
-</pre> |
510 |
-<warn> |
511 |
- There is a known issue with older versions of GRUB |
512 |
- not being able to read symlinks that have been labeled. |
513 |
- Please make sure you have at least GRUB 0.94 installed. |
514 |
- Also rerun GRUB and reinstall it into the MBR to ensure |
515 |
- the updated code is in use. |
516 |
- You do have a LiveCD handy, right? |
517 |
-</warn> |
518 |
-<pre caption="Reinstall GRUB on the MBR (GRUB users only)"> |
519 |
-# <i>grub</i> |
520 |
- |
521 |
-grub> root (hd0,0) <comment>(Your boot partition)</comment> |
522 |
-grub> setup (hd0) <comment>(Where the boot record is installed; here, it is the MBR)</comment> |
523 |
-</pre> |
524 |
-<p> |
525 |
- If you've installed Gentoo using the hardened sources, then you'll need to |
526 |
- tell SELinux that you are using the hardened tool-chain with ssp. You do |
527 |
- this by setting an SELinux global boolean |
528 |
-</p> |
529 |
-<pre caption="SELinux global_ssp"> |
530 |
-<i>setsebool -P global_ssp on</i> |
531 |
-</pre> |
532 |
-<note>Make sure you use the -P flag, or the setting won't survive the reboot, |
533 |
-and you'll likely see a lot of errors relating to /dev/null and /dev/random |
534 |
-</note> |
535 |
-</body></subsection> |
536 |
-</section> |
537 |
- |
538 |
-<section><title>Final reboot</title> |
539 |
-<subsection><body> |
540 |
-<p>Reboot. Log in, then relabel again to ensure all files |
541 |
-are labeled correctly (some files may have been created during shutdown and |
542 |
-reboot)</p> |
543 |
-<pre caption="Relabel"> |
544 |
-# <i>rlpkg -a -r</i> |
545 |
-</pre> |
546 |
-<note> |
547 |
- It is strongly suggested to <uri link="/main/en/lists.xml">subscribe</uri> |
548 |
- to the gentoo-hardened mail list. It is generally a low traffic list, and |
549 |
- SELinux announcements are made there. |
550 |
-</note> |
551 |
-<p> |
552 |
- SELinux is now installed! |
553 |
-</p> |
554 |
-</body></subsection> |
555 |
-</section> |
556 |
- |
557 |
-</sections> |
558 |
|
559 |
diff --git a/xml/selinux/hb-selinux-faq.xml b/xml/selinux/hb-selinux-faq.xml |
560 |
deleted file mode 100644 |
561 |
index dc35969..0000000 |
562 |
--- a/xml/selinux/hb-selinux-faq.xml |
563 |
+++ /dev/null |
564 |
@@ -1,154 +0,0 @@ |
565 |
-<?xml version='1.0' encoding="utf-8"?> |
566 |
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
567 |
- |
568 |
-<!-- The content of this document is licensed under the CC-BY-SA license --> |
569 |
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
570 |
- |
571 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-faq.xml,v 1.4 2006/09/07 10:37:46 neysx Exp $ --> |
572 |
- |
573 |
-<sections> |
574 |
-<version>1.3</version> |
575 |
-<date>2006-05-01</date> |
576 |
- |
577 |
-<section><title>SELinux features</title> |
578 |
-<subsection><title>Does SELinux enforce resource limits?</title> |
579 |
-<body> |
580 |
-<p> |
581 |
- No, resource limits are outside the scope of an access control system. If you |
582 |
- are looking for this type of support, GRSecurity and RSBAC are better choices. |
583 |
-</p> |
584 |
-</body></subsection> |
585 |
-</section> |
586 |
- |
587 |
-<section><title>SELinux and other hardened projects</title> |
588 |
-<subsection><title>Can I use SELinux and GRSecurity (and PaX)?</title> |
589 |
-<body> |
590 |
-<p> |
591 |
- Yes, SELinux can be used with GRSecurity and/or PaX with no problems; however, |
592 |
- it is suggested that GRACL should not be used, since it would be redundant |
593 |
- to SELinux's access control. |
594 |
-</p> |
595 |
-</body></subsection> |
596 |
-<subsection><title>Can I use SELinux and the hardened compiler (PIE-SSP)?</title> |
597 |
-<body> |
598 |
-<p> |
599 |
- Yes. It is also suggested that PaX be used to take full advantage |
600 |
- of the PIE features of the compiler. |
601 |
-</p> |
602 |
-</body></subsection> |
603 |
-<subsection><title>Can I use SELinux and RSBAC?</title> |
604 |
-<body> |
605 |
-<p> |
606 |
- Unknown. Please report your results if you try this combination. |
607 |
-</p> |
608 |
-</body></subsection> |
609 |
-</section> |
610 |
- |
611 |
-<section><title>SELinux and filesystems</title> |
612 |
-<subsection><title>Can I use SELinux with my primary filesystems?</title> |
613 |
-<body> |
614 |
-<p> |
615 |
- SELinux can be used with ext2, ext3, JFS, and XFS. Reiserfs (Reiser3) has |
616 |
- extended attributes, but the support was never complete, and has been broken |
617 |
- since 2.6.14. Reiser4 is not supported. |
618 |
-</p> |
619 |
-</body></subsection> |
620 |
-<subsection><title>Can I use SELinux with my ancillary filesystems?</title> |
621 |
-<body> |
622 |
-<p> |
623 |
- Yes, SELinux can mount ancillary filesystems, such as vfat and iso9660 |
624 |
- filesystems, with an important caveat. All files in each filesystem will |
625 |
- have the same SELinux type, since the filesystems do not support extended |
626 |
- attributes. Tmpfs is the only ancillary filesystem with complete extended |
627 |
- attribute support, which allows it to behave like a primary filesystem. |
628 |
-</p> |
629 |
-</body></subsection> |
630 |
-<subsection><title>Can I use SELinux with my network filesystems?</title> |
631 |
-<body> |
632 |
-<p> |
633 |
- Yes, SELinux can mount network filesystems, such as NFS and CIFS |
634 |
- filesystems, with an important caveat. All files in each filesystem will |
635 |
- have the same SELinux type, since the filesystems do not support extended |
636 |
- attributes. In the future, hopefully network filesystems will begin to |
637 |
- support extended attributes, then they will work like a primary filesystem. |
638 |
-</p> |
639 |
-</body></subsection> |
640 |
-</section> |
641 |
- |
642 |
-<section><title>Portage error messages</title> |
643 |
-<subsection><title>I get a missing SELinux module error when using emerge:</title> |
644 |
-<body> |
645 |
-<pre caption="Portage message"> |
646 |
-!!! SELinux module not found. Please verify that it was installed. |
647 |
-</pre> |
648 |
-<p> |
649 |
- This indicates that the portage SELinux module is missing or damaged. |
650 |
- Also python may have been upgraded to a new version which requires |
651 |
- python-selinux to be recompiled. Remerge dev-python/python-selinux. |
652 |
- If packages have been merged under this condition, they must be relabed |
653 |
- after fixing this condition. If the packages needing to be remerged cannot |
654 |
- be determined, a full relabel may be required. |
655 |
-</p> |
656 |
-</body></subsection> |
657 |
-</section> |
658 |
- |
659 |
-<section><title>SELinux kernel error messages</title> |
660 |
-<subsection><title>I get a register_security error message when booting:</title> |
661 |
-<body> |
662 |
-<pre caption="Kernel message"> |
663 |
-There is already a security framework initialized, register_security failed. |
664 |
-Failure registering capabilities with the kernel |
665 |
-selinux_register_security: Registering secondary module capability |
666 |
-Capability LSM initialized |
667 |
-</pre> |
668 |
-<p> |
669 |
- This means that the Capability LSM module couldn't register as the primary |
670 |
- module, since SELinux is the primary module. The third message means that it |
671 |
- registers with SELinux as a secondary module. This is normal. |
672 |
-</p> |
673 |
-</body></subsection> |
674 |
-</section> |
675 |
- |
676 |
-<section><title>Setfiles error messages</title> |
677 |
-<subsection><title>When I try to relabel, it fails with invalid contexts:</title><body> |
678 |
-<pre caption="Invalid contexts example"> |
679 |
-# make relabel |
680 |
-/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'` |
681 |
-/usr/sbin/setfiles: read 559 specifications |
682 |
-/usr/sbin/setfiles: invalid context system_u:object_r:default_t on line number 39 |
683 |
-/usr/sbin/setfiles: invalid context system_u:object_r:urandom_device_t on line number 120 |
684 |
-/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 377 |
685 |
-/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 378 |
686 |
-/usr/sbin/setfiles: invalid context system_u:object_r:krb5_conf_t on line number 445 |
687 |
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 478 |
688 |
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 479 |
689 |
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 492 |
690 |
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 493 |
691 |
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 494 |
692 |
-Exiting after 10 errors. |
693 |
-make: *** [relabel] Error 1 |
694 |
-</pre> |
695 |
-<p> |
696 |
- First ensure that /selinux is mounted. If selinuxfs is not mounted, setfiles |
697 |
- cannot validate any contexts, causing it to believe all contexts are |
698 |
- invalid. If /selinux is mounted, then most likely there is new policy that |
699 |
- has not yet been loaded; therefore, the contexts have not yet become valid. |
700 |
-</p> |
701 |
-</body></subsection> |
702 |
-</section> |
703 |
- |
704 |
- |
705 |
-<!-- always keep this one as the bottom FAQ :) --> |
706 |
-<!-- comment out since the demo machine is down for an indefinite period of time |
707 |
-<section><title>Gentoo SELinux Demonstration Machine</title> |
708 |
-<subsection><body> |
709 |
-<p> |
710 |
- This machine is not running user-mode linux, or in a chroot, it has SELinux |
711 |
- mandatory access control. No, you cannot install psybnc or an irc bot on the |
712 |
- machine, unless you break the SELinux security and gain higher priviledge. |
713 |
-</p> |
714 |
-</body></subsection> |
715 |
-</section> |
716 |
---> |
717 |
-<!-- dont put anything below here, this demo machine faq should be the last one --> |
718 |
-</sections> |
719 |
|
720 |
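diff --git a/xml/selinux/hb-selinux-howto.xml b/xml/selinux/hb-selinux-howto.xml
deleted file mode 100644
index b8f7db0..0000000
--- a/xml/selinux/hb-selinux-howto.xml
+++ /dev/null
@@ -1,250 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-howto.xml,v 1.6 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>2.0</version>
-<date>2006-10-14</date>
-
-<section><title>Load policy into a running SELinux kernel</title>
-<subsection><body>
-<p>
- This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="Semodule command">
-# <i>semodule -B</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Change roles</title>
-<subsection><body>
-<p>
- This requires your user have access to the target role. This example
- is for changing to the <c>sysadm_r</c> role.
-</p>
-<pre caption="Newrole">
-# <i>newrole -r sysadm_r</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Specify available roles for a user</title>
-<subsection><body>
-<p>
- There is a mapping of linux users to SELinux identities. The policy has
- generic SELinux users for relevant configurations of roles. For example, to
- map the user <c>pebenito</c> to the SELinux identity <c>staff_u</c>, run:
-</p>
-<pre caption="Map pebenito to staff_u">
-# <i>semanage login -a -s staff_u pebenito</i>
-</pre>
-<p>
- The policy does not need to be reloaded. If the user is logged in, it
- must log out and log in again to take effect.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Relabel filesystems</title>
-<subsection><body>
-<p>
- This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="Relabel">
-# <i>rlpkg -a</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Relabel an individual package</title>
-<subsection><body>
-<p>
- In addition to relabeling entire filesystems, individual portage packages
- can be relabeled. This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="rlpkg example">
-# <i>rlpkg shadow sash</i>
-</pre>
-<p>
- The script rlpkg is used, and any number of packages can be specified
- on the command line.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Scan for libraries with text relocations</title>
-<subsection><body>
-<p>
- SELinux has improved memory protections. One feature supported is
- the permission for ELF text relocations. The libraries with text relocations
- have a special label, and the <c>rlpkg</c> tool has an option to scan for
- these libraries.
-</p>
-<pre caption="TEXTREL Scan">
-# <i>rlpkg -t</i>
-</pre>
-<p>
- This will also be done by automatically after a full relabel.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Start daemons in the correct domain</title>
-<subsection><body>
-<p>
- Controlling daemons that have init scripts in /etc/init.d is slightly
- different in SELinux. The <c>run_init</c> command must be used to run
- the scripts, to ensure they are ran in the correct domain. The command
- can be ran normally, except the command is prefixed with <c>run_init</c>.
- This requires you to be in the <c>sysadm_r</c> role.
-</p>
-<pre caption="run_init examples">
-# <i>run_init /etc/init.d/ntpd start</i>
-# <i>run_init /etc/init.d/apache2 restart</i>
-# <i>run_init /etc/init.d/named stop</i>
-</pre>
-</body></subsection>
-<subsection><title>Gentoo run_init integration</title><body>
-<p>
- <c>run_init</c> has been integrated into Gentoo's init script system. With
- SELinux installed, services can be started and stopped as usual, but will
- now authenticate the user.
-</p>
-<pre caption="Integrated run_init example">
-# <i>/etc/init.d/sshd restart</i>
-Authenticating root.
-Password:
- * Stopping sshd... [ ok ]
- * Starting sshd... [ ok ]
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Switch between enforcing and permissive modes</title>
-<subsection><body>
-<p>
- Switching between modes in SELinux is very simple. Write a 1 for
- enforcing, or 0 for permissive to /selinux/enforce to set the mode.
- The current mode can be queried by reading /selinux/enforce; 0 means
- permissive mode, and 1 means enforcing mode. If the kernel option
- "NSA SELinux Development Support" is turned off, the system will always
- be in enforcing mode, and cannot be switched to permissive mode.
-</p>
-<pre caption="">
-<comment>Query current mode</comment>
-# <i>cat /selinux/enforce</i>
-<comment>Switch to enforcing mode</comment>
-# <i>echo 1 > /selinux/enforce</i>
-<comment>Switch to permissive mode</comment>
-# <i>echo 0 > /selinux/enforce</i>
-</pre>
-<p>
- A machine with development support turned on can be started in enforcing
- mode by adding <c>enforcing=1</c> to the kernel command line, in the
- bootloader (GRUB, lilo, etc).
-</p>
-</body></subsection>
-
-<subsection><title>Managed policy</title><body>
-<p>
- In addition to the above kernel options, the mode at boot can be
- set by the <c>/etc/selinux/config</c> file.
-</p>
-<pre caption="/etc/selinux/config">
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=<comment>permissive</comment>
-</pre>
-<p>
- The setting in this file will be overridden by the kernel command line
- options described above.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Understand sestatus output</title>
-<subsection><body>
-<p>
- The <c>sestatus</c> tool can be used to determine detailed SELinux-specific
- status information about the system. The <c>-v</c> option provides extra
- detail about the context of processes and files. The output will be
- divided into four sections. Sestatus only provides complete information
- for a user logged in as root (or su/sudo), in the <c>sysadm_r</c> role.
-</p>
-<pre caption="Status example">
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: enforcing
-Policy version: 18
-</pre>
-<p>
- The main status information is provided in the first section. The first
- line shows if SELinux kernel functions exists and are enabled. If the
- status is disabled, either the kernel does not have SELinux support, or
- the policy is not loaded. The second line shows the mount point for
- the SELinux filesystem. During the normal use, the filesystem should be
- mounted at the default location of <c>/selinux</c>. The third line
- shows the current SELinux mode, either enforcing or permissive. The fourth
- line shows the policy database version supported by the currently running
- kernel.
-</p>
-<pre caption="Booleans example">
-Policy booleans:
-secure_mode inactive
-ssh_sysadm_login inactive
-user_ping inactive
-</pre>
-<p>
- The second section displays the status of the conditional policy booleans. The
- left column is the name of boolean. The right column is the status of the
- boolean, either active, or inactive. This section will not be shown on
- policy version 15 kernels, as they do not support conditional policy.
-</p>
-<pre caption="Process context example">
-Process contexts:
-Current context: pebenito:sysadm_r:sysadm_t
-Init context: system_u:system_r:init_t
-/sbin/agetty system_u:system_r:getty_t
-/usr/sbin/sshd system_u:system_r:sshd_t
-</pre>
-<p>
- The third section displays the context of the current process, and of several
- key processes. If a process is running in the incorrect context, it will not
- function correctly.
-</p>
-<pre caption="File context example">
-File contexts:
-Controlling term: pebenito:object_r:sysadm_devpts_t
-/sbin/init system_u:object_r:init_exec_t
-/sbin/agetty system_u:object_r:getty_exec_t
-/bin/login system_u:object_r:login_exec_t
-/sbin/rc system_u:object_r:initrc_exec_t
-/sbin/runscript.sh system_u:object_r:initrc_exec_t
-/usr/sbin/sshd system_u:object_r:sshd_exec_t
-/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
-/etc/passwd system_u:object_r:etc_t
-/etc/shadow system_u:object_r:shadow_t
-/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
-/bin/bash system_u:object_r:shell_exec_t
-/bin/sash system_u:object_r:shell_exec_t
-/usr/bin/newrole system_u:object_r:newrole_exec_t
-/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
-/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:shlib_t
-</pre>
-<p>
- The fourth section displays the context of the current process's controlling
- terminal, and of several key files. For symbolic links, the context of
- the link and then the context of the link target is displayed. If a file has
- an incorrect context, the file may be inaccessable or have incorrect
- permissions for a particular process.
-</p>
-</body></subsection>
-</section>
-</sections>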
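diff --git a/xml/selinux/hb-selinux-initpol.xml b/xml/selinux/hb-selinux-initpol.xml
deleted file mode 100644
index b13a0de..0000000
--- a/xml/selinux/hb-selinux-initpol.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-initpol.xml,v 1.6 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>1.3</version>
-<date>2004-11-16</date>
-
-<section><title>Verify Available Policy</title>
-<subsection><body>
-<p>
- You must be in <c>sysadm_r</c> to perform this action.
-</p>
-<p>
- A binary policy must be available in
- /etc/selinux/{strict,targeted}/policy. If it is missing, then install
- the policy.
-</p>
-<pre caption="Install policy">
-# <i>semodule -n -B</i>
-</pre>
-</body>
-</subsection>
-</section>
-
-<section><title>Verify Init Can Load the Policy</title>
-<subsection><body>
-<p>
- The final check is to ensure init can load the policy. Run <c>ldd</c> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<pre caption="">
-# <i>ldd /sbin/init</i>
- linux-gate.so.1 => (0xffffe000)
- <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</body></subsection>
-</section>
-</sections>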
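diff --git a/xml/selinux/hb-selinux-libsemanage.xml b/xml/selinux/hb-selinux-libsemanage.xml
deleted file mode 100644
index a441f29..0000000
--- a/xml/selinux/hb-selinux-libsemanage.xml
+++ /dev/null
@@ -1,246 +0,0 @@
-<?xml version='1.0' encoding="utf-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-libsemanage.xml,v 1.1 2006/10/15 20:32:39 pebenito Exp $ -->
-
-<sections>
-<version>1.0</version>
-<date>2006-10-15</date>
-
-<section><title>SELinux Management Infrastructure</title>
-<subsection><body>
-<p>
- The SElinux management infrastructure manages several aspects of SELinux
- policy. These management tools are based on the core library libsemanage.
- There are several management programs to to various tasks, including
- <c>semanage</c> and <c>semodule</c>. They allow you to configure aspects
- of the policy without requiring the policy sources.
-</p>
-</body></subsection>
-</section>
-
-<section><title>SELinux Policy Module Management</title>
-<subsection><title>What is a policy module?</title><body>
-<p>
- SELinux supports a modular policy. This means several pieces of policy
- are brought together to form one complete policy to be loaded in the
- kernel. This is a similar structure as the kernel itself and kernel modules.
- There is a main kernel image that is loaded, and various kernel modules can
- be added (assuming their dependencies are met) and removed on a running
- system without restarting. Similarly each policy has a base module and
- zero or more policy modules, all used to create a policy.
- Modules are built by compiling a piece of policy, and creating a policy
- package (*.pp) with that compiled policy, and optionally file contexts.
-</p>
-<p>
- The base module policy package (base.pp) contains the basic requirements of
- the policy. All modular policies must have a base module at minimum.
- In Gentoo we have these plus policies for all parts of the system profile.
- This is contained in the selinux-base-policy ebuild. The other policy ebuilds
- in portage have one or more policy modules.
-</p>
-<p>
- For more information on writing a policy module, in particular for managing
- your local customizations to the policy, please see the
- <uri link="selinux-handbook.xml?part=3&chap=5">policy module guide</uri>.
-</p>
-</body></subsection>
-
-<subsection><title>The SELinux module store</title><body>
-<p>
- When a policy module is inserted or removed, modules are copied into or
- removed from the module store. This repository has a copy of the
- modules that were used to create the current policy, in addition to several
- auxilliary files. This repository is stored in the
- /etc/selinux/{strict,targeted}/modules. You should never need to directly
- access the contents of the module store. A libsemanage-based tool should be
- used instead.
-</p>
-<p>
- Libsemanage handles the module store transactionally. This means that if
- a set of operations (a transaction) is performed on the store and one part
- fails, the entire transaction is aborted. This keeps the store in a
- consistent state.
-</p>
-<p>
- Managing the module store is accomplished with the <c>semodule</c> command.
- Listing the contents of the module store is done with the <c>-l</c> option.
-</p>
-<pre caption="">
-# semodule -l
-distcc 1.1.1
-</pre>
-<p>
- Since the base module is required in all cases, and is not versioned, it will
- not be shown in the list. All other modules will be listed, along with their
- versions.
-</p>
-</body></subsection>
-
-<subsection><title>Inserting a policy module</title><body>
-<p>
- The module should be referenced by its file name.
-</p>
-<pre caption="">
-# <i>semodule -i module.pp</i>
-</pre>
-<p>
- This will insert the module into module store for the currently configured
- policy as specified in /etc/selinux/config. If the insert succeeds, the
- policy will be loaded, unless the <c>-n</c> option is used. To insert the
- module into an alternate module store, the <c>-s</c> option.
-</p>
-<pre caption="">
-# <i>semodule -s targeted -i module.pp</i>
-</pre>
-<p>
- Since this refers to an alternate module store, the policy will not be loaded.
-</p>
-</body></subsection>
-
-<subsection><title>Removing a policy module</title><body>
-<p>
- The module is referenced by its name in the module store.
-</p>
-<pre caption="">
-# <i>semodule -r module</i>
-</pre>
-<p>
- This will remove the module into module store for the currently configured
- policy as specified in /etc/selinux/config. If the remove succeeds, the
- policy will be loaded, unless the <c>-n</c> option is used. The remove
- command also respects the <c>-s</c> option.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Configuring User Login Mappings</title>
-<subsection><body>
-<p>
- The current method of assigning sets of roles to a user is by setting
- up a mapping between linux users and SELinux identities. When a user
- logs in, the login program will set the SELinux identity based on the
- this map. If there is no explicit map, the <c>__default__</c> map is
- used.
-</p>
-<p>
- Managing the SELinux user login map is accomplished with the <c>semanage</c>
- tool.
-</p>
-<pre caption="SELinux login user map">
-# <i>semanage login -l</i>
-Login Name SELinux User
-
-__default__ user_u
-root root
-</pre>
-</body></subsection>
-
-<subsection><title>Add a user login mapping</title><body>
-<p>
- To map the linux user <c>pebenito</c> to the SELinux identity <c>staff_u</c>:
-</p>
-<pre caption="">
-# <i>semanage login -a -s staff_u pebenito</i>
-</pre>
-<p>
- For descriptions on the available SELinux identities, see the
- <uri link="selinux-handbook.xml?part=3&chap=1#doc_chap3">SELinux Overview</uri>.
-</p>
-</body></subsection>
-
-<subsection><title>Remove a user login mapping</title><body>
-<p>
- To remove a login map for the linux user <c>pebenito</c>:
-</p>
-<pre caption="">
-# <i>semanage login -d pebenito</i>
-</pre>
-<note>
- User login maps specified by the policy (not by the management infrastructure)
- cannot be removed.
-</note>
-</body></subsection>
-</section>
-
-<section><title>Configuring Initial Boolean States</title>
-<subsection><body>
-<p>
- The <c>setsebool</c> program is now a libsemanage tool. This tool's basic
- function is to set the state of a Boolean. However, if the machine is
- restarted, the Booelans will be set using the initial state as specified in
- the policy. To set the Boolean state, and make that the new initial state
- in the policy, the <c>-P</c> option of <c>setsebool</c> is used.
-</p>
-<pre caption="Set Boolean default state">
-# <i>setsebool -P fcron_crond 1</i>
-</pre>
-<p>
- This will set the fcron_crond Boolean to true and also make the initial state
- for the Boolean true.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Configuring SELinux Identities</title>
-<subsection><body>
-<p>
- Generally SELinux identities need not be added to the policy, as user
- login mappings are sufficient. However, one reason to add them is for
- improved auditing, since the SELinux identity is part of the scontext of a
- denial message.
-</p>
-<p>
- Managing the SELinux identities is accomplished with the <c>semanage</c> tool.
-</p>
-<pre caption="SELinux identity list">
-# <i>semanage user -l</i>
-SELinux User SELinux Roles
-
-root sysadm_r staff_r
-staff_u sysadm_r staff_r
-sysadm_u sysadm_r
-system_u system_r
-user_u user_r
-</pre>
-</body></subsection>
-
-<subsection><title>Add a SELinux identity</title><body>
-<p>
- In addition to specifying the roles for an identity, a prefix must
- also be specified. This prefix should match a role, for example
- <c>staff</c> or <c>sysadm</c>, and it is used for home directory
- entries. So if <c>staff</c> is used for the prefix, linux users that
- are mapped to this identity will have their home directory labeled
- <c>staff_home_dir_t</c>.
-</p>
-<p>
- To add the <c>test_u</c> identity with the roles <c>staff_r</c> and
- <c>sysadm_r</c> with the prefix <c>staff</c>:
-</p>
-<pre caption="">
-# <i>semanage user -a -R 'staff_r sysadm_r' -P staff test_u</i>
-</pre>
-<note>
- To use the SELinux identity, a user login map still must be added.
-</note>
-</body></subsection>
-
-<subsection><title>Remove a SELinux user identity</title><body>
-<p>
- To remove the test_u SELinux identity:
-</p>
-<pre caption="">
-# <i>semanage user -d test_u</i>
-</pre>
-<note>
- SELinux identities specified by the policy (not by the management
- infrastructure) cannot be removed.
-</note>
-</body></subsection>
-</section>
-
-</sections>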
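diff --git a/xml/selinux/hb-selinux-localmod.xml b/xml/selinux/hb-selinux-localmod.xml
deleted file mode 100644
index 8674b9f..0000000
--- a/xml/selinux/hb-selinux-localmod.xml
+++ /dev/null
@@ -1,134 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-localmod.xml,v 1.1 2006/10/15 20:32:39 pebenito Exp $ -->
-
-<sections>
-<version>1.0</version>
-<date>2006-10-15</date>
-
-<section><title>Introduction</title>
-<subsection><body>
-<p>
- This guide discusses how to set up a policy module for local additions
- of rules to the policy.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Preparation</title>
-<subsection><body>
-<p>
- Copy the example Makefile from the selinux-base-policy doc directory to the
- directory that will be used for building the policy. It is suggested that
- /root be used. The places that the <c>semodule</c> tool can read policy
- modules includes sysadm home directories.
-</p>
-<pre caption="">
-# <i>zcat /usr/share/doc/selinux-base-policy-20061008/Makefile.example.gz > /root/Makefile</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Write a TE file</title>
-<subsection><body>
-<p>
- In a policy module, most policy statements are usable in modules.
- There are a few extra statements that must be added for proper operation.
-</p>
-<pre caption="Example local.te">
-policy_module(local,1.0)
-
-require {
- type sysadm_su_t, newrole_t;
-}
-allow sysadm_su_t newrole_t:process sigchld;
-</pre>
-<p>
- In addition to the basic allow rule, it has a couple statements required
- by policy modules. The first is a policy_module() macro that has the
- name of the module, and the module's version. It also has a require
- block. This block specifies all types that are required for this module
- to function. All types used in the module must either be declared in the
- module or required by this module.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Write a FC File (optional)</title>
-<subsection><body>
-<p>
- The file contexts file is optional and has the same syntax as as always.
-</p>
-<pre caption="Example local.fc">
-/opt/myprogs/mybin -- system_u:object_r:bin_t
-</pre>
-<p>
- Types used in the file context file should be required or declared in
- the TE file.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Compile Policy Modules</title>
-<subsection><body>
-<p>
- Simply run <c>make</c> to build all modules in the directory. The module
- will be compiled for the current policy as specified by /etc/selinux/config.
-</p>
-<pre caption="">
-# <i>make</i>
-Compiling strict local module
-/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule: policy configuration loaded
-/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
-Creating strict local.pp policy package
-</pre>
-<p>
- To build the module for a policy other than the configured policy, use the
- <c>NAME=</c> option.
-</p>
-<pre caption="">
-# <i>make NAME=targeted</i>
-Compiling targeted local module
-/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule: policy configuration loaded
-/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
-Creating targeted local.pp policy package
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Load the Modules</title>
-<subsection><body>
-<p>
- The modules can be loaded into the currently configured policy simply
- by using the load target of the Makefile.
-</p>
-<pre caption="">
-# <i>make load</i>
-</pre>
-<p>
- The load target also respects the <c>NAME=</c> option. Alternatively,
- the <c>semodule</c> command can be used to load individual modules.
-</p>
-<pre caption="">
-# <i>semodule -i local.pp</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Building Reference Policy Modules</title>
-<subsection><body>
-<p>
-The new Gentoo policy is based on the <uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri>.
-For more information on building a complete Reference Policy module, see the
-<uri link="http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted">Reference Policy Wiki</uri>.
-</p>
-</body></subsection>
-</section>
-
-</sections>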
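diff --git a/xml/selinux/hb-selinux-loglocal.xml b/xml/selinux/hb-selinux-loglocal.xml
deleted file mode 100644
index 7cc5506..0000000
--- a/xml/selinux/hb-selinux-loglocal.xml
+++ /dev/null
@@ -1,166 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-loglocal.xml,v 1.7 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>1.4</version>
-<date>2004-11-16</date>
-
-<section><title>Begin Here</title>
-<subsection><body>
-<p>
- You must be in <c>sysadm_r</c> to perform these actions.
-</p>
-<p>
- Run <c>sestatus -v</c>. Click the first context that doesn't match:
-</p>
-<table>
-<tr><th>Process</th><th>Context</th></tr>
-<tr><ti>Init context</ti><ti><uri link="#doc_chap2">system_u:system_r:init_t</uri></ti></tr>
-<tr><ti>/sbin/agetty</ti><ti><uri link="#doc_chap3">system_u:system_r:getty_t</uri></ti></tr>
-<tr><th>File</th><th>Context</th></tr>
-<tr><ti>/bin/login</ti><ti><uri link="#doc_chap4">system_u:object_r:login_exec_t</uri></ti></tr>
-<tr><ti>/sbin/unix_chkpwd</ti><ti><uri link="#doc_chap5">system_u:object_r:chkpwd_exec_t</uri></ti></tr>
-<tr><ti>/etc/passwd</ti><ti><uri link="#doc_chap6">system_u:object_r:etc_t</uri></ti></tr>
-<tr><ti>/etc/shadow</ti><ti><uri link="#doc_chap6">system_u:object_r:shadow_t</uri></ti></tr>
-<tr><ti>/bin/bash</ti><ti><uri link="#doc_chap7">system_u:object_r:shell_exec_t</uri></ti></tr>
-</table>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Init Context</title>
-<subsection><title>Verify Init Label</title>
-<body>
-<p>
- There are several possible reasons why init may have the wrong context.
- First, verify that init is labeled correctly, refer to the sestatus's output
- for /sbin/init. If it is not <c>system_u:object_r:init_exec_t</c>, relabel sysvinit.
-</p>
-<pre caption="Fix init context">
-# <i>rlpkg sysvinit</i>
-</pre>
-</body></subsection>
-<subsection><title>Verify Available Policy</title><body>
-<p>
- You must be in <c>sysadm_r</c> to perform this action.
-</p>
-<p>
- A binary policy must be available in /etc/selinux/{strict,targeted}/policy.
- If it is missing, then install the policy.
-</p>
-<pre caption="Install binary policy">
-# <i>semodule -n -B</i>
-</pre>
-</body>
-</subsection>
-
-<subsection><title>Verify Init Can Load the Policy</title><body>
-<p>
- The final check is to ensure init can load the policy. Run <c>ldd</c> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<pre caption="Check init linking">
-# <i>ldd /sbin/init</i>
- linux-gate.so.1 => (0xffffe000)
- <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect agetty Context</title>
-<subsection><body>
-<p>
- Verify that agetty is labeled correctly. Refer to the sestatus's output
- for /sbin/agetty. If it is not <c>system_u:object_r:getty_exec_t</c>, relabel
- util-linux. Then restart all gettys.
-</p>
-<pre caption="Fix agetty context">
-# <i>rlpkg util-linux</i>
-# <i>killall agetty</i> <comment>(they will respawn)</comment>
-</pre>
-<p>
- All of the agettys should now be in the correct <c>system_u:object_r:getty_exec_t</c>
- context. Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect Login Context</title>
-<subsection><body>
-<p>
- The login program (/bin/login) is not labeled correctly. Relabel shadow.
-</p>
-<pre caption="Relabel shadow">
-# <i>rlpkg shadow</i>
-</pre>
-<p>
- /bin/login should now be <c>system_u:object_r:login_exec_t</c>.
- Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect PAM Context</title>
-<subsection><body>
-<p>
- Sshd must be able to use PAM for authenticating the user. The PAM password
- checking program (/sbin/unix_chkpwd) must be labeled correctly so
- sshd can transition to the password checking context. Relabel PAM.
-</p>
-<pre caption="Fix unix_chkpwd context">
-# <i>rlpkg pam</i>
-</pre>
-<p>
- The password checking program should now be <c>system_u:object_r:chkpwd_exec_t</c>.
- Try loggin in again.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Password File Contexts</title>
-<subsection><body>
-<p>
- The password file (/etc/passwd), and the shadow file (/etc/shadow) must
- be labeled correctly, otherwise PAM will not be able to
- authenticate your user. Relabel the files.
-</p>
-<pre caption="Fix shadow context">
-# <i>restorecon /etc/passwd /etc/shadow</i>
-</pre>
-<p>
- The password and shadow files should now be <c>system_u:object_r:etc_t</c>
- and <c>system_u:object_r:shadow_t</c>, respectively. Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect Bash File Context</title>
-<subsection><body>
-<p>
- Bash must be labeled correctly so the user can transition into the user
- domain when logging in. Relabel bash.
-</p>
-<pre caption="Fix bash context">
-# <i>rlpkg bash</i>
-</pre>
-<p>
- Bash (/bin/bash) should now be <c>system_u:object_r:shell_exec_t</c>.
- Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-</sections>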
1599 |
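diff --git a/xml/selinux/hb-selinux-logremote.xml b/xml/selinux/hb-selinux-logremote.xml
deleted file mode 100644
index 1a95f7b..0000000
--- a/xml/selinux/hb-selinux-logremote.xml
+++ /dev/null
@@ -1,177 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-logremote.xml,v 1.7 2008/05/20 15:45:43 pebenito Exp $ -->
-
-<sections>
-<version>1.4</version>
-<date>2004-11-16</date>
-
-<section><title>Begin Here</title>
-<subsection><body>
-<p>
- You must be in <c>sysadm_r</c> to perform these actions.
-</p>
-<p>
- Run <c>sestatus -v</c>. Click the first context that doesn't match:
-</p>
-<table>
-<tr><th>Process</th><th>Context</th></tr>
-<tr><ti>Init context</ti><ti><uri link="#doc_chap2">system_u:system_r:init_t</uri></ti></tr>
-<tr><ti>/usr/sbin/sshd</ti><ti><uri link="#doc_chap3">system_u:system_r:sshd_t</uri></ti></tr>
-<tr><th>File</th><th>Context</th></tr>
-<tr><ti>/sbin/unix_chkpwd</ti><ti><uri link="#doc_chap4">system_u:object_r:chkpwd_exec_t</uri></ti></tr>
-<tr><ti>/etc/passwd</ti><ti><uri link="#doc_chap5">system_u:object_r:etc_t</uri></ti></tr>
-<tr><ti>/etc/shadow</ti><ti><uri link="#doc_chap5">system_u:object_r:shadow_t</uri></ti></tr>
-<tr><ti>/bin/bash</ti><ti><uri link="#doc_chap6">system_u:object_r:shell_exec_t</uri></ti></tr>
-</table>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Init Context</title>
-<subsection><title>Verify Init Label</title>
-<body>
-<p>
- There are several possible reasons why init may have the wrong context.
- First, verify that init is labeled correctly, refer to the sestatus's output
- for /sbin/init. If it is not <c>system_u:object_r:init_exec_t</c>, relabel sysvinit.
-</p>
-<pre caption="">
-# <i>rlpkg sysvinit</i>
-</pre>
-</body></subsection>
-
-<subsection><title>Verify Available Policy</title><body>
-<p>
- You must be in <c>sysadm_r</c> to perform this action.
-</p>
-<p>
- A binary policy must be available in
- /etc/selinux/{strict,targeted}/policy. If it is missing, then install
- the policy.
-</p>
-<pre caption="Install policy">
-# <i>semodule -n -B</i>
-</pre>
-</body>
-</subsection>
-
-<subsection><title>Verify Init Can Load the Policy</title><body>
-<p>
- The final check is to ensure init can load the policy. Run <c>ldd</c> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<pre caption="">
-# <i>ldd /sbin/init</i>
- linux-gate.so.1 => (0xffffe000)
- <comment>libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</comment>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect sshd Context</title>
-<subsection><body>
-<p>
- Another possibility is sshd is not labeled correctly, meaning it is not running
- in the right context. Relabel openssh, then restart sshd.
-</p>
-<pre caption="">
-# <i>rlpkg openssh</i>
-# <i>/etc/init.d/sshd restart</i>
-</pre>
-</body></subsection>
-</section>
-
-<section><title>Incorrect PAM Context</title>
-<subsection><body>
-<p>
- Sshd must be able to use PAM for authenticating the user. The PAM password
- checking program (/sbin/unix_chkpwd) must be labeled correctly so
- sshd can transition to the password checking context. Relabel PAM.
-</p>
-<pre caption="">
-# <i>rlpkg pam</i>
-</pre>
-<p>
- The password checking program should now be <c>system_u:object_r:chkpwd_exec_t</c>.
- Try loggin in again.
-</p>
-</body></subsection>
-</section>
-
-<section><title>Incorrect Password File Contexts</title>
-<subsection><body>
-<p>
- The password file (/etc/passwd), and the shadow file (/etc/shadow) must
- be labeled correctly, otherwise PAM will not be able to
- authenticate your user. Relabel the files.
-</p>
-<pre caption="">
-# <i>restorecon /etc/passwd /etc/shadow</i>
-</pre>
-<p>
- The password and shadow files should now be <c>system_u:object_r:etc_t</c>
- and <c>system_u:object_r:shadow_t</c>, respectively. Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Incorrect Bash File Context</title>
-<subsection><body>
-<p>
- Bash must be labeled correctly so the user can transition into the user
- domain when logging in. Relabel bash.
-</p>
-<pre caption="">
-# <i>rlpkg bash</i>
-</pre>
-<p>
- Bash (/bin/bash) should now be <c>system_u:object_r:shell_exec_t</c>.
- Try logging in again.
-</p>
-</body>
-</subsection>
-</section>
-
-<section><title>Other sshd Issues</title>
-<subsection><title>Valid Shell</title><body>
-<p>
- First, make sure the user has a valid shell.
-</p>
-<pre caption="">
-# <i>grep</i> <comment>username</comment> <i>/etc/passwd | cut -d: -f7</i>
-/bin/bash <comment>(or your shell of choice)</comment>
-</pre>
-<p>
- If the above command does not return anything, or the shell is wrong,
- set the user's shell.
-</p>
-<pre caption="">
-# <i>usermod -s /bin/bash</i> <comment>username</comment>
-</pre>
-</body></subsection>
-<subsection><title>PAM enabled</title><body>
-<p>
- PAM also must be enabled in sshd. Make sure this line
- in <c>/etc/ssh/sshd_config</c> is uncommented:
-</p>
-<pre caption="">
-UsePAM yes
-</pre>
-<p>
- SELinux currently only allows PAM and a select few programs direct access
- to <c>/etc/shadow</c>; therefore, openssh must now
- use PAM for password authentication (public key still works).
-</p>
-</body></subsection>
-</section>
-</sections>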
1783 |
diff --git a/xml/selinux/hb-selinux-overview.xml b/xml/selinux/hb-selinux-overview.xml |
1784 |
deleted file mode 100644 |
1785 |
index d02943d..0000000 |
1786 |
--- a/xml/selinux/hb-selinux-overview.xml |
1787 |
+++ /dev/null |
1788 |
@@ -1,521 +0,0 @@ |
1789 |
-<?xml version='1.0' encoding="UTF-8"?> |
1790 |
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
1791 |
- |
1792 |
-<!-- The content of this document is licensed under the CC-BY-SA license --> |
1793 |
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
1794 |
- |
1795 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ --> |
1796 |
- |
1797 |
-<sections> |
1798 |
-<version>1.5</version> |
1799 |
-<date>2009-07-13</date> |
1800 |
- |
1801 |
-<!-- |
1802 |
-<section><title>Mandatory Access Control</title> |
1803 |
-<subsection><body> |
1804 |
-<p> |
1805 |
- Security Enhanced Linux is an implementation of mandatory access control |
1806 |
- (MAC) using type enforcement. In Linux, the regular security permissions |
1807 |
- are a discretionary access control system (DAC). In DAC, the permissions |
1808 |
- for a particular object, such as a file, are set at the discrection of the |
1809 |
- owner and can be changed at any time by the owner. In MAC, the access a |
1810 |
- process or user has to an object is defined by the operating system |
1811 |
- security policy, and cannot be bypassed. |
1812 |
-!!! still need to update other links in the handbook |
1813 |
-</p> |
1814 |
-</body></subsection> |
1815 |
-</section> |
1816 |
---> |
1817 |
-<section><title>SELinux Types</title> |
1818 |
-<subsection><body> |
1819 |
-<p> |
1820 |
- A type is a security attribute given to objects such as files, and network |
1821 |
- ports, etc. The type of a process is commonly referred to as its domain. |
1822 |
- The SELinux policy is primarily composed of type enforcement rules, which |
1823 |
- describe how domains are allowed to interact with objects, and how domains |
1824 |
- are allowed to interact with other domains. A type is generally suffixed |
1825 |
- with a '_t', such as <c>sysadm_t</c>. This is the most important |
1826 |
- attribute for a process or object, as most policy decisions are based on |
1827 |
- the source and target types. |
1828 |
-</p> |
1829 |
-</body></subsection> |
1830 |
-</section> |
1831 |
- |
1832 |
-<section><title>SELinux Roles</title> |
1833 |
-<subsection><body> |
1834 |
-<p> |
1835 |
- SELinux is type enforcement, so the SELinux role is not the same as those |
1836 |
- in a role-based access control system. Permissions are not given to roles. |
1837 |
- A role describes the set of types a user can use. For example, a system |
1838 |
- administrator that is using the system for regular user tasks should be |
1839 |
- in the <c>staff_r</c> role. If they need to administrate the system, then |
1840 |
- a role change to <c>sysadm_r</c> is required. In SELinux terms, the |
1841 |
- domains that a user can be in is determined by their role. If a role is not |
1842 |
- allowed to have a certain domain, a transition to that domain will be denied, |
1843 |
- even if the type enforcement rules allow the domain transition. A role is |
1844 |
- generally suffixed with a '_r', such as <c>system_r</c>. |
1845 |
-</p> |
1846 |
-</body></subsection> |
1847 |
-</section> |
1848 |
- |
1849 |
-<section><title>SELinux Identities</title> |
1850 |
-<subsection><title>What is a SELinux Identity?</title><body> |
1851 |
-<p> |
1852 |
- The SELinux identity is similar to a Linux username. The change of identity |
1853 |
- should be limited to very specific cases, since the role-based access control |
1854 |
- relies on the SELinux identity. Therfore, in general, a user’s SELinux |
1855 |
- identity will not change during a session. The user ID in Linux can be |
1856 |
- changed by set(e)uid, making it inappropriate for a SELinux identity. |
1857 |
- If a user is given a SELinux identity, it must match the Linux username. Each |
1858 |
- SELinux identity is allowed a set of roles. |
1859 |
-</p> |
1860 |
-</body></subsection> |
1861 |
- |
1862 |
-<subsection><title>Configure SELinux Identity Mapping</title><body> |
1863 |
-<p> |
1864 |
- The SELinux policy has several generic SELinux identities that should |
1865 |
- be sufficient for all users. This mapping only needs to be configured |
1866 |
- on the strict policy. The identity mapping for the targeted policy |
1867 |
- need not be configured, as the default identity (user_u) is sufficient |
1868 |
- in all cases. |
1869 |
-</p> |
1870 |
-<p> |
1871 |
- When a user logs in, the SELinux identity used is determined by this mapping. |
1872 |
-</p> |
1873 |
-<table> |
1874 |
-<tr><th>SELinux Identity</th> |
1875 |
- <th>Roles</th> |
1876 |
- <th>Description</th></tr> |
1877 |
-<tr><ti>system_u</ti> |
1878 |
- <ti>system_r</ti> |
1879 |
- <ti>System (non-interactive) processes. Should not be used on users.</ti></tr> |
1880 |
-<tr><ti>user_u</ti> |
1881 |
- <ti>user_r</ti> |
1882 |
- <ti>Generic unprivileged users. The default identity mapping.</ti></tr> |
1883 |
-<tr><ti>staff_u</ti> |
1884 |
- <ti>staff_r, sysadm_r</ti> |
1885 |
- <ti>System administrators that also log in to do regular user activties.</ti></tr> |
1886 |
-<tr><ti>sysadm_u</ti> |
1887 |
- <ti>sysadm_r</ti> |
1888 |
- <ti>System administrators that only log in to do administrative tasks. It is not suggested that this identity is used.</ti></tr> |
1889 |
-<tr><ti>root</ti> |
1890 |
- <ti>staff_r, sysadm_r</ti> |
1891 |
- <ti>Special identity for root. Other users should use staff_u instead.</ti></tr> |
1892 |
-</table> |
1893 |
-<p> |
1894 |
- See the <uri link="selinux-handbook.xml?part=3&chap=2#doc_chap3">SELinux HOWTO</uri> |
1895 |
- for semanage syntax for configuring SELinux identity mappings. |
1896 |
-</p> |
1897 |
-</body></subsection> |
1898 |
- |
1899 |
-</section> |
1900 |
- |
1901 |
-<section><title>SELinux Contexts</title> |
1902 |
-<subsection><body> |
1903 |
-<p> |
1904 |
- Using the above three security models together is called a SELinux |
1905 |
- context. A context takes the form <c>identity</c>:<c>role</c>:<c>type</c>. |
1906 |
- The SELinux context is the most important value for determining access. |
1907 |
-</p> |
1908 |
-</body></subsection> |
1909 |
- |
1910 |
-<subsection><title>Object Contexts</title><body> |
1911 |
-<p> |
1912 |
- A typical <c>ls -Z</c> may have an output similar to this: |
1913 |
-</p> |
1914 |
-<pre caption="Example ls -Z output"> |
1915 |
-drwxr-xr-x root root system_u:object_r:bin_t bin |
1916 |
-drwxr-xr-x root root system_u:object_r:boot_t boot |
1917 |
-drwxr-xr-x root root system_u:object_r:device_t dev |
1918 |
-drwxr-xr-x root root system_u:object_r:etc_t etc |
1919 |
-</pre> |
1920 |
-<p> |
1921 |
- The first three columns are the typical linux permissions, user and group. |
1922 |
- The fourth column is the file or directory's security context. Objects |
1923 |
- are given the generic <c>object_r</c> role. From the other two fields of |
1924 |
- the context, it can be seen that the files are in the system identity, |
1925 |
- and have four different types, <c>bin_t</c>, <c>boot_t</c>, <c>device_t</c>, |
1926 |
- and <c>etc_t</c>. |
1927 |
-</p> |
1928 |
-</body></subsection> |
1929 |
- |
1930 |
-<subsection><title>Process Contexts</title><body> |
1931 |
-<p> |
1932 |
- A typical <c>ps ax -Z</c> may have an output similar to this: |
1933 |
-</p> |
1934 |
-<pre caption="Example ps ax -Z output"> |
1935 |
- PID CONTEXT COMMAND |
1936 |
- 1 system_u:system_r:init_t [init] |
1937 |
- 2 system_u:system_r:kernel_t [keventd] |
1938 |
- 3 system_u:system_r:kernel_t [ksoftirqd_CPU0] |
1939 |
- 4 system_u:system_r:kernel_t [kswapd] |
1940 |
- 5 system_u:system_r:kernel_t [bdflush] |
1941 |
- 6 system_u:system_r:kernel_t [kupdated] |
1942 |
- 706 system_u:system_r:syslogd_t [syslog-ng] |
1943 |
- 712 system_u:system_r:httpd_t [apache] |
1944 |
- 791 system_u:system_r:sshd_t [sshd] |
1945 |
- 814 system_u:system_r:crond_t [cron] |
1946 |
- 826 system_u:system_r:getty_t [agetty] |
1947 |
- 827 system_u:system_r:getty_t [agetty] |
1948 |
- 828 system_u:system_r:getty_t [agetty] |
1949 |
- 829 system_u:system_r:getty_t [agetty] |
1950 |
- 830 system_u:system_r:getty_t [agetty] |
1951 |
- 831 system_u:system_r:httpd_t [apache] |
1952 |
- 832 system_u:system_r:httpd_t [apache] |
1953 |
- 833 system_u:system_r:httpd_t [apache] |
1954 |
-23093 system_u:system_r:sshd_t [sshd] |
1955 |
-23095 user_u:user_r:user_t [bash] |
1956 |
-23124 system_u:system_r:sshd_t [sshd] |
1957 |
-23126 user_u:user_r:user_t [bash] |
1958 |
-23198 system_u:system_r:sshd_t [sshd] |
1959 |
-23204 user_u:user_r:user_t [bash] |
1960 |
-23274 system_u:system_r:sshd_t [sshd] |
1961 |
-23275 pebenito:staff_r:staff_t [bash] |
1962 |
-23290 pebenito:staff_r:staff_t ps ax -Z |
1963 |
-</pre> |
1964 |
-<p> |
1965 |
- In this example, the typical process information is displayed, in addition |
1966 |
- to the process's context. By inspection, all of the system's kernel |
1967 |
- processes and daemons run under the <c>system_u</c> identity, and |
1968 |
- <c>system_r</c> role. The individual domains depend on the program. |
1969 |
- There are a few users logged in over ssh, using the generic <c>user_u</c> |
1970 |
- identity. Finally there is a user with the identity <c>pebenito</c> logged in |
1971 |
- with the <c>staff_r</c> role, running in the <c>staff_t</c> domain. |
1972 |
-</p> |
1973 |
-</body></subsection> |
1974 |
- |
1975 |
-</section> |
1976 |
- |
1977 |
-<section> |
1978 |
-<title>SELinux Policy Files</title> |
1979 |
-<subsection><body> |
1980 |
-<p> |
1981 |
- The SELinux policy source files are no longer installed onto the system. |
1982 |
- In the <c>/usr/share/selinux/{strict,targeted}</c> directory there are a |
1983 |
- collection of policy packages and headers for building local modules. |
1984 |
- The policy files are processed by m4, and then the policy compiler <c>checkmodule</c> |
1985 |
- verifies that there are no syntactic errors, and a policy module is created. |
1986 |
- Then a policy package is created with with the <c>semodule_package</c> |
1987 |
- program, using the policy module and the module file contexts. |
1988 |
- The policy packaged then can be loaded into a running SELinux kernel |
1989 |
- by inserting it into the module store. |
1990 |
-</p> |
1991 |
-</body></subsection> |
1992 |
- |
1993 |
-<subsection><title>*.pp</title><body> |
1994 |
-<p> |
1995 |
- Policy packages for this policy. These must be inserted into the module |
1996 |
- store so they can be loaded into the policy. Inside the package |
1997 |
- there is a loadable policy module, and optionally a file context file. |
1998 |
-</p> |
1999 |
-</body></subsection> |
2000 |
- |
2001 |
-<subsection><title>include/</title><body> |
2002 |
-<p> |
2003 |
- Policy headers for this policy. |
2004 |
-</p> |
2005 |
-</body></subsection> |
2006 |
- |
2007 |
-</section> |
2008 |
- |
2009 |
-<section> |
2010 |
-<title>Binary Policy Versions</title> |
2011 |
-<subsection><body> |
2012 |
-<p> |
2013 |
- When compiling the policy, the resultant binary policy is versioned. |
2014 |
- The first version that was merged into 2.6 was version 15. |
2015 |
- The version number is only incremented generally when new features are added that require changes to the structure of the compiled policy. |
2016 |
- For example, in 2.6.5, conditional policy extensions were added. |
2017 |
- This required the policy version to be incremented to version 16. |
2018 |
-</p> |
2019 |
-</body></subsection> |
2020 |
-<subsection><title>What Policy Version Does My Kernel Use?</title> |
2021 |
-<body> |
2022 |
-<p> |
2023 |
- The policy version of a running kernel can be determined by executing |
2024 |
- <c>sestatus</c> or <c>policyvers</c>. Current kernels can load |
2025 |
- the previous version policy for compatibility. For example a version 17 |
2026 |
- kernel can also load a version 16 policy. However, this compatibility |
2027 |
- code may be removed in the future. |
2028 |
-</p> |
2029 |
-<note> |
2030 |
- The policy management infrastructure (libsemanage) will automatically |
2031 |
- create and use the correct version policies. No extra steps need be taken. |
2032 |
-</note> |
2033 |
-</body></subsection> |
2034 |
-<subsection><title>Policy Versions</title> |
2035 |
-<body> |
2036 |
-<p> |
2037 |
- The following table contains the policy versions in 2.6 kernels. |
2038 |
-</p> |
2039 |
-<table> |
2040 |
-<tr><th>Version</th> |
2041 |
- <th>Description</th> |
2042 |
- <th>Kernel Versions</th></tr> |
2043 |
-<tr><ti>12</ti> |
2044 |
- <ti>"Old API" SELinux (deprecated).</ti></tr> |
2045 |
-<tr><ti>15</ti> |
2046 |
- <ti>"New API" SELinux merged into 2.6.</ti> |
2047 |
- <ti>2.6.0 - 2.6.4</ti></tr> |
2048 |
-<tr><ti>16</ti> |
2049 |
- <ti>Conditional policy extensions added.</ti> |
2050 |
- <ti>2.6.5</ti></tr> |
2051 |
-<tr><ti>17</ti> |
2052 |
- <ti>IPV6 support added.</ti> |
2053 |
- <ti>2.6.6 - 2.6.7</ti></tr> |
2054 |
-<tr><ti>18</ti> |
2055 |
- <ti>Fine-grained netlink socket support added.</ti> |
2056 |
- <ti>2.6.8 - 2.6.11</ti></tr> |
2057 |
-<tr><ti>19</ti> |
2058 |
- <ti>Enhanced multi-level security.</ti> |
2059 |
- <ti>2.6.12 - 2.6.13</ti></tr> |
2060 |
-<tr><ti>20</ti> |
2061 |
- <ti>Access vector table size optimizations.</ti> |
2062 |
- <ti>2.6.14 - 2.6.18</ti></tr> |
2063 |
-<tr><ti>21</ti> |
2064 |
- <ti>Object classes in range transitions.</ti> |
2065 |
- <ti>2.6.19 - 2.6.24</ti></tr> |
2066 |
-<tr><ti>22</ti> |
2067 |
- <ti>Policy capabilities (features).</ti> |
2068 |
- <ti>2.6.25</ti></tr> |
2069 |
-<tr><ti>23</ti> |
2070 |
- <ti>Per-domain permissive mode.</ti> |
2071 |
- <ti>2.6.26 - 2.6.27</ti></tr> |
2072 |
-<tr><ti>24</ti> |
2073 |
- <ti>Explicit hierarchy (type bounds).</ti> |
2074 |
- <ti>2.6.28 - current</ti></tr> |
2075 |
-</table> |
2076 |
-</body></subsection> |
2077 |
-</section> |
2078 |
- |
2079 |
-<section> |
2080 |
-<title>Conditional Policy Extensions</title> |
2081 |
-<subsection><body> |
2082 |
-<p> |
2083 |
- The conditional policy extensions allow the enabling and disabling of policy |
2084 |
- rules at runtime, without loading a modified policy. Using policy booleans |
2085 |
- and expressions, policy rules can be conditionally applied. |
2086 |
-</p> |
2087 |
-</body></subsection> |
2088 |
- |
2089 |
-<subsection><title>Determine Boolean Values</title> |
2090 |
-<body> |
2091 |
-<p> |
2092 |
- The status of policy booleans in the current running policy can be determined |
2093 |
- two ways. The first is by using <c>sestatus</c>. |
2094 |
-</p> |
2095 |
-<pre caption="Example sestatus output"> |
2096 |
-# sestatus |
2097 |
-SELinux status: enabled |
2098 |
-SELinuxfs mount: /selinux |
2099 |
-Current mode: enforcing |
2100 |
-Policy version: 17 |
2101 |
- |
2102 |
-Policy booleans: |
2103 |
-user_ping inactive |
2104 |
-</pre> |
2105 |
-<p> |
2106 |
- The second is <c>getsebool</c> which is a simple tool that displays |
2107 |
- the status of policy booleans, and if a value change is pending. |
2108 |
-</p> |
2109 |
-<pre caption="Example getsebool command"> |
2110 |
-# getsebool -a |
2111 |
-user_ping --> active: 0 pending: 0 |
2112 |
-</pre> |
2113 |
-</body></subsection> |
2114 |
- |
2115 |
-<subsection><title>Changing Boolean Values</title> |
2116 |
-<body> |
2117 |
-<p> |
2118 |
- The value of a boolean can be toggled by using the <c>togglesebool</c> |
2119 |
- command. Multiple booleans can be specified on the command line. The |
2120 |
- new value of the boolean will be displayed. |
2121 |
-</p> |
2122 |
-<pre caption="Example togglesebool command"> |
2123 |
-# togglesebool user_ping |
2124 |
-user_ping: active |
2125 |
-</pre> |
2126 |
-<p> |
2127 |
- The value of a boolean can be set specifically by using the <c>setsebool</c> |
2128 |
- command. |
2129 |
-</p> |
2130 |
-<pre caption="Example setsebool command"> |
2131 |
-# setsebool user_ping 0 |
2132 |
-</pre> |
2133 |
-<p> |
2134 |
- To set the value of a boolean, and make it the devault value, use the <c>-P</c> option. |
2135 |
-</p> |
2136 |
-<pre caption="Change default value"> |
2137 |
-# setsebool -P user_ping 1 |
2138 |
-</pre> |
2139 |
-</body></subsection> |
2140 |
-</section> |
2141 |
- |
2142 |
-<section> |
2143 |
-<title>Policy Kernel Messages</title> |
2144 |
-<subsection><body> |
2145 |
-<p> |
2146 |
- While a system is running, a program or user may attempt to do something |
2147 |
- that violates the security policy. If the system is enforcing the policy, |
2148 |
- the access will be denied, and there will be a message in the kernel log. |
2149 |
- If the system is not enforcing (permissive mode), the access will be allowed, |
2150 |
- but there will still be a kernel message. |
2151 |
-</p> |
2152 |
-</body></subsection> |
2153 |
- |
2154 |
-<subsection><title>AVC Messages</title><body> |
2155 |
-<p> |
2156 |
- Most kernel messages from SELinux come from the access vector cache (AVC). |
2157 |
- Understanding denials is important to understand if an attack is happening, |
2158 |
- or if the program is requiring unexpected accesses. An example denial |
2159 |
- may look like this: |
2160 |
-</p> |
2161 |
- |
2162 |
-<pre caption="Example AVC Message"> |
2163 |
-avc: denied { read write } for pid=3392 exe=/bin/mount dev=03:03 ino=65554 |
2164 |
-scontext=pebenito:sysadm_r:mount_t tcontext=system_u:object_r:tmp_t tclass=file |
2165 |
-</pre> |
2166 |
- |
2167 |
-<p> |
2168 |
- While most AVC messages are denials, occasionally there might be an audit |
2169 |
- message for an access that was granted: |
2170 |
-</p> |
2171 |
-<pre caption="Example AVC Message 2"> |
2172 |
-avc: granted { load_policy } for pid=3385 exe=/usr/sbin/load_policy |
2173 |
-scontext=pebenito:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security |
2174 |
-</pre> |
2175 |
-<p> |
2176 |
- In this case, the ability to load the policy was granted. This is a critical |
2177 |
- security event, and thus is always audited. Another event that is always |
2178 |
- audited is switching between enforcing and permissive modes. |
2179 |
-</p> |
2180 |
- |
2181 |
-<p> |
2182 |
- SELinux will supress logging of denials if many are received in a short |
2183 |
- amount of time. However, This does not always imply there is an attack |
2184 |
- in progress. A program may be doing something that could cause |
2185 |
- many denials in a short time, such as doing a stat() on device nodes in |
2186 |
- /dev. To protect from filling up the system logs, SELinux has rate limiting |
2187 |
- for its messages: |
2188 |
-</p> |
2189 |
- |
2190 |
-<pre caption="Example AVC Message 3"> |
2191 |
-AVC: 12 messages suppressed. |
2192 |
-</pre> |
2193 |
- |
2194 |
-<p> |
2195 |
- The policy would have to be modified to not audit these accesses if they |
2196 |
- are normal program behavior, but still need to be denied. |
2197 |
-</p> |
2198 |
- |
2199 |
-</body></subsection> |
2200 |
- |
2201 |
-<subsection><title>Other kernel messages</title> |
2202 |
-<body> |
2203 |
-<pre caption="inode_doinit_with_dentry"> |
2204 |
-inode_doinit_with_dentry: context_to_sid(system_u:object_r:bar_t) returned 22 for dev=hda3 ino=517610 |
2205 |
-</pre> |
2206 |
-<p> |
2207 |
- This means that the file on /dev/hda3 with inode number 517610 has the context |
2208 |
- system_u:object_r:bar_t, which is invalid. Objects with an invalid context |
2209 |
- are treated as if they had the system_u:object_r:unlabeled_t context. |
2210 |
-</p> |
2211 |
-</body></subsection> |
2212 |
- |
2213 |
-</section> |
2214 |
- |
2215 |
-<section><title>Dissecting a Denial</title> |
2216 |
-<subsection><body> |
2217 |
-<p> |
2218 |
- Denials contain varying amounts of information, depending on the access type. |
2219 |
-</p> |
2220 |
- |
2221 |
-<pre caption="Example Denials"> |
2222 |
-avc: denied { lock } for pid=28341 exe=/sbin/agetty path=/var/log/wtmp dev=03:03 ino=475406 |
2223 |
-scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file |
2224 |
- |
2225 |
-avc: denied { create } for pid=20909 exe=/bin/ls scontext=pebenito:sysadm_r:mkinitrd_t |
2226 |
-tcontext=pebenito:sysadm_r:mkinitrd_t tclass=unix_stream_socket |
2227 |
- |
2228 |
-avc: denied { setuid } for pid=3170 exe=/usr/bin/ntpd capability=7 |
2229 |
-scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability |
2230 |
- |
2231 |
-</pre> |
2232 |
- |
2233 |
-<p> |
2234 |
- The most common denial relates to access of files. For better understanding, |
2235 |
- the first denial message will be broken down: |
2236 |
-</p> |
2237 |
-<table> |
2238 |
-<tr><th>Component</th><th>Description</th></tr> |
2239 |
-<tr><ti>avc: denied</ti> |
2240 |
- <ti>SELinux has denied this access.</ti></tr> |
2241 |
-<tr><ti>{ lock }</ti> |
2242 |
- <ti>The attempted access is a lock.</ti></tr> |
2243 |
-<tr><ti>pid=28341</ti> |
2244 |
- <ti>The process ID performing this access is 28341.</ti></tr> |
2245 |
-<tr><ti>exec=/sbin/agetty</ti> |
2246 |
- <ti>The full path and name of the process's executable is /sbin/agetty.</ti></tr> |
2247 |
-<tr><ti>path=/var/log/wtmp</ti> |
2248 |
- <ti>The path and name of the target object is /var/log/wtmp. Note: a complete |
2249 |
- path is not always available.</ti></tr> |
2250 |
-<tr><ti>dev=03:03</ti> |
2251 |
- <ti>The target object resides on device 03:03 (major:minor number). |
2252 |
- On 2.6 kernels this may resolve to a name, hda3 in this example.</ti></tr> |
2253 |
-<tr><ti>ino=475406</ti> |
2254 |
- <ti>The inode number of the target object is 475406.</ti></tr> |
2255 |
-<tr><ti>scontext=system_u:system_r:getty_t</ti> |
2256 |
- <ti>The context of the program is system_u:system_r:getty_t.</ti></tr> |
2257 |
-<tr><ti>tcontext=system_u:object_r:var_log_t</ti> |
2258 |
- <ti>The context of the target object is system_u:object_r:var_log_t.</ti></tr> |
2259 |
-<tr><ti>tclass=file</ti> |
2260 |
- <ti>The target object is a normal file.</ti></tr> |
2261 |
-</table> |
2262 |
- |
2263 |
-<p> |
2264 |
- Not all AVC messages will have all of these fields, as shown in the other |
2265 |
- two denials. The fields vary depending on the target object's class. |
2266 |
- However, the most important fields: access type, source and target contexts, |
2267 |
- and the target object's class will always be in an AVC message. |
2268 |
-</p> |
2269 |
-</body></subsection> |
2270 |
- |
2271 |
-<subsection><title>Understanding the Denial</title><body> |
2272 |
-<p> |
2273 |
- Denials can be very confusing since they can be triggered for several reasons. |
2274 |
- The key to understanding what is happening is to know the behavior of the |
2275 |
- program, and to correctly interpret the denial message. The target is not |
2276 |
- limited to files; it could also be related to network sockets, |
2277 |
- interprocess communications, or others. |
2278 |
-</p> |
2279 |
-<p> |
2280 |
- In the above example, the agetty is denied locking of a file. The file's type |
2281 |
- is var_log_t, therefore it is implied that the target file is in /var/log. |
2282 |
- With the extra information from the path= field in the denial message, it is |
2283 |
- confirmed to be the file /var/log/wtmp. If path information was unavailable, |
2284 |
- this could be further confirmed by searching for the inode. Wtmp is a file that has |
2285 |
- information about users currently logged in, and agetty handles logins on |
2286 |
- ttys. It can be concluded that this is an expected access of agetty, for |
2287 |
- updating wtmp. However, why is this access being denied? Is there a flaw |
2288 |
- in the policy by not allowing agetty to update wtmp? It turns out that wtmp |
2289 |
- has the incorrect context. It should be system_u:object_r:wtmp_t, rather |
2290 |
- than system_u:object_r:var_log_t. |
2291 |
-</p> |
2292 |
-<p> |
2293 |
- If this access was not understood, an administrator might mistakenly allow getty_t |
2294 |
- read/write access to var_log_t files, which would be incorrect, since agetty |
2295 |
- only needs to modify /var/log/wtmp. This underscores how critical keeping |
2296 |
- file contexts consistent is. |
2297 |
-</p> |
2298 |
-</body></subsection> |
2299 |
-</section> |
2300 |
- |
2301 |
-<section><title>References</title> |
2302 |
-<subsection><body> |
2303 |
-<p> |
2304 |
- <uri link="http://www.nsa.gov/selinux">U.S. National Security Agency</uri>, |
2305 |
- SELinux Policy README |
2306 |
-</p> |
2307 |
-</body></subsection> |
2308 |
-</section> |
2309 |
-</sections> |
2310 |
|
2311 |
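diff --git a/xml/selinux/hb-selinux-references.xml b/xml/selinux/hb-selinux-references.xml
deleted file mode 100644
index 5bceac4..0000000
--- a/xml/selinux/hb-selinux-references.xml
+++ /dev/null
@@ -1,111 +0,0 @@
-<?xml version='1.0' encoding="UTF-8"?>
-<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
-
-<sections>
-<version>1.2</version>
-<date>2006-05-07</date>
-
-
-<section><title>Background</title>
-<subsection><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure:
- The Flawed Assumption of Security in Modern Computing Environments</uri>
- explains the need for mandatory access controls.</li>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture:
- System Support for Diverse Security Policies</uri>
- explains the security architecture of Flask, the architecture used by SELinux.</li>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</uri>
- has specifics about SELinux access checks in the kernel.</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Policy</title>
-<subsection><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</uri></li>
-<li>
- <uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri></li>
-<li>
- SELinux <uri link="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</uri>
- Overview</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Books</title>
-<subsection><body>
-<ul>
-<li>
- <c>SELinux by Example: Using Security Enhanced Linux</c>, Frank Mayer,
- Karl MacMillan, and David Caplan, Prentice Hall, 2006; ISBN 0131963694</li>
-<li>
- <c>SELinux: NSA's Open Source Security Enhanced Linux</c>, Bill McCarty,
- O'Reilly Media, 2004; ISBN 0596007167</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Meeting Notes</title>
-<subsection><body>
-<ul>
-<li>
- <uri link="http://www.selinux-symposium.org/2006/summit.php">March 3rd, 2006 SELinux Developer Summit</uri></li>
-<li>
- <uri link="http://www.selinux-symposium.org/meeting.php">May 6th, 2004 Informal Meeting</uri></li>
-</ul>
-</body>
-</subsection>
-</section>
-
-<section><title>Presentations</title>
-<subsection><title>2006 SELinux Symposium</title><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/selinux/papers/selsymp2006-abs.cfm">SELinux Year in Review</uri>,
- Stephen Smalley, National Security Agency</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2006/slides/03-refpolicy-slides.pdf">Reference Policy for Security Enhanced Linux</uri>,
- Karl MacMillan, Tresys Technology (<uri link="http://www.selinux-symposium.org/2006/papers/05-refpol.pdf">Paper</uri>)</li>
-</ul>
-</body>
-</subsection>
-<subsection><title>2005 SELinux Symposium</title><body>
-<ul>
-<li>
- <uri link="http://www.nsa.gov/research/selinux/index.shtml">SELinux Overview</uri>,
- NSA</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session3/3-2-macmillan.pdf">Core Policy Management Infrastructure for SELinux</uri>,
- Karl MacMillan, Tresys Technology</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session4/4-1-walsh.pdf">Targeted vs. Strict Policy History and Strategy</uri>,
- Dan Walsh, Red Hat</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session4/4-4-mayer.pdf">Tresys SETools: Tools and Libraries for Policy Analysis and Management</uri>,
- Frank Mayer, Tresys Technology</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session5/5-3-macmillan.pdf">Information Flow Analysis for Type Enforcement Policies</uri>,
- Karl MacMillan, Tresys Technology</li>
-<li>
- <uri link="http://www.selinux-symposium.org/2005/presentations/session6/6-2-mayer.pdf">SELinux Policy Analysis Concepts and Techniques</uri>,
- David Caplan, Frank Mayer, Tresys Technology</li>
-</ul>
-</body>
-</subsection>
-</section>
-
-</sections>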