Gentoo Archives: gentoo-commits

From: "Chris PeBenito (pebenito)" <pebenito@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-install.xml hb-selinux-conv-profile.xml hb-selinux-conv-reboot1.xml hb-selinux-conv-reboot2.xml hb-selinux-overview.xml hb-selinux-references.xml selinux-handbook.xml
Date: Fri, 25 Jun 2010 16:07:26
Message-Id: 20100625160720.5067F2CF63@corvid.gentoo.org
1 pebenito 10/06/25 16:07:20
2
3 Modified: hb-install.xml hb-selinux-conv-profile.xml
4 hb-selinux-conv-reboot1.xml
5 hb-selinux-conv-reboot2.xml hb-selinux-overview.xml
6 hb-selinux-references.xml selinux-handbook.xml
7 Log:
8 SELinux handbook updates from Chris Richards (gizmo).
9
10 Revision Changes Path
11 1.5 xml/htdocs/proj/en/hardened/selinux/hb-install.xml
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml?rev=1.5&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml?rev=1.5&content-type=text/plain
15 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml?r1=1.4&r2=1.5
16
17 Index: hb-install.xml
18 ===================================================================
19 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v
20 retrieving revision 1.4
21 retrieving revision 1.5
22 diff -u -r1.4 -r1.5
23 --- hb-install.xml 7 Sep 2006 10:37:46 -0000 1.4
24 +++ hb-install.xml 25 Jun 2010 16:07:19 -0000 1.5
25 @@ -4,11 +4,11 @@
26 <!-- The content of this document is licensed under the CC-BY-SA license -->
27 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
28
29 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.4 2006/09/07 10:37:46 neysx Exp $ -->
30 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
31
32 <sections>
33 -<version>1.3</version>
34 -<date>2006-04-26</date>
35 +<version>1.4</version>
36 +<date>2010-06-15</date>
37
38 <section><title>Gentoo SELinux Installation</title>
39 <subsection>
40 @@ -24,6 +24,8 @@
41 keeping in mind the following notes. Then the
42 system should converted to SELinux using the
43 <uri link="?part=2">SELinux Conversion Guide</uri>.
44 +It is recommended to use the hardened stage 3 tarball if you are building a
45 +hardened Gentoo system (which is also recommended).
46 </p>
47
48 </body>
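Review bot: the untouched context line directly above the added sentence still reads "the system should converted to SELinux", which is missing "be"; since this paragraph is being edited anyway, change it to "should be converted" in the same commit.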
49 @@ -34,13 +36,14 @@
50 <subsection><title>Filesystems</title>
51 <body>
52 <p>
53 -Only ext2, ext3, JFS and XFS are supported at this time.
54 +Only ext2, ext3, ext4, JFS, XFS and Btrfs are supported at this time. Reiserfs
55 + does not provide the necessary XATTR support, and Reiser4 is not well tested.
56 </p>
57 <p>
58 -XFS users should use 512 byte inodes (the default is 256). SELinux uses extended
59 -attributes for storing security labels in files. XFS stores this in the inode,
60 -and if the inode is too small, an extra block has to be used, which wastes a lot
61 -of space, and incurs performace penalties.
62 +XFS users should use 512 byte inodes (the default is 256). SELinux keeps
63 +file security lables in the extended attributes, which XFS stores in
64 +the inode. If the inode is too small an extra block has to be used, which
65 +wastes a lot of space and incurs performace penalties.
66 </p>
67 <pre caption="Example XFS filesystem creation command">
68 # <i>mkfs.xfs -i size=512 /dev/hda3</i>
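Review bot: two spelling errors in the rewritten XFS paragraph: "lables" should be "labels" (new in this change) and "performace" should be "performance" (carried over from the old text). The supported-filesystem sentence now lists ext4 as supported, while the `<warn>` in hb-selinux-conv-profile.xml in this same commit omits ext4 and hb-selinux-conv-reboot1.xml says ext4 "is NOT well tested"; the three files should make the same statement.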
69
70
71
72 1.10 xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml
73
74 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml?rev=1.10&view=markup
75 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml?rev=1.10&content-type=text/plain
76 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml?r1=1.9&r2=1.10
77
78 Index: hb-selinux-conv-profile.xml
79 ===================================================================
80 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v
81 retrieving revision 1.9
82 retrieving revision 1.10
83 diff -u -r1.9 -r1.10
84 --- hb-selinux-conv-profile.xml 22 Jul 2009 13:38:18 -0000 1.9
85 +++ hb-selinux-conv-profile.xml 25 Jun 2010 16:07:19 -0000 1.10
86 @@ -4,16 +4,16 @@
87 <!-- The content of this document is licensed under the CC-BY-SA license -->
88 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
89
90 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v 1.9 2009/07/22 13:38:18 pebenito Exp $ -->
91 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ -->
92
93 <sections>
94 -<version>2.0</version>
95 -<date>2007-07-22</date>
96 +<version>2.1</version>
97 +<date>2010-06-15</date>
98
99 <section><title>Change Profile</title>
100 <subsection><body>
101
102 -<warn>SELinux is only supported on ext2/3, XFS, and JFS. Other filesystems
103 +<warn>SELinux is only supported on ext2/3, XFS, JFS, and Btrfs. Other filesystems
104 lack the complete extended attribute support.</warn>
105
106 <warn>Users should convert from a 2006.1 or newer profile otherwise
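Review bot: the `<warn>` now lists "ext2/3, XFS, JFS, and Btrfs", but hb-install.xml in this same commit adds ext4 to its supported list; the two should agree, either by adding ext4 here or by dropping it there and keeping only the "not well tested" caveat.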
107 @@ -26,16 +26,22 @@
108 <pre caption="Switch profiles">
109 # <i>rm -f /etc/make.profile</i>
110
111 -<comment>x86:</comment>
112 -# <i>ln -sf /usr/portage/profiles/selinux/2007.0/x86 /etc/make.profile</i>
113 +
114 +<comment>x86 (server):</comment>
115 +# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/server /etc/make.profile</i>
116 <comment>x86 (hardened):</comment>
117 -# <i>ln -sf /usr/portage/profiles/selinux/2007.0/x86/hardened /etc/make.profile</i>
118 +# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/hardened /etc/make.profile</i>
119 <comment>AMD64:</comment>
120 -# <i>ln -sf /usr/portage/profiles/selinux/2007.0/amd64 /etc/make.profile</i>
121 +# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/server /etc/make.profile</i>
122 <comment>AMD64 (hardened):</comment>
123 -# <i>ln -sf /usr/portage/profiles/selinux/2007.0/amd64/hardened /etc/make.profile</i>
124 +# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/hardened /etc/make.profile</i>
125 </pre>
126
127 +<note>You can also switch profiles with eselect if you have the gentoolkit
128 + package installed. That method is not shown here because the specific options
129 + available and their numbering will vary according to your system
130 + configuration.</note>
131 +
132 <impo>Do not use any profiles other than the ones listed above, even
133 if they seem to be out of date. SELinux profiles are not necessarily
134 created as often as default Gentoo profiles.</impo>
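Review bot: the profile labels are inconsistent: the x86 entry pointing at `.../x86/server` is labelled "x86 (server):" while the amd64 entry pointing at `.../amd64/server` is labelled just "AMD64:"; use "AMD64 (server):" to match. The added `+` line after the `rm -f` command inserts an extra blank line into the `<pre>` block, which looks unintentional. In the new `<note>`, the package name should be verified: the `profile` module is part of eselect itself (app-admin/eselect), not gentoolkit.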
135
136
137
138 1.10 xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml
139
140 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml?rev=1.10&view=markup
141 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml?rev=1.10&content-type=text/plain
142 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml?r1=1.9&r2=1.10
143
144 Index: hb-selinux-conv-reboot1.xml
145 ===================================================================
146 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v
147 retrieving revision 1.9
148 retrieving revision 1.10
149 diff -u -r1.9 -r1.10
150 --- hb-selinux-conv-reboot1.xml 23 Jul 2007 02:34:30 -0000 1.9
151 +++ hb-selinux-conv-reboot1.xml 25 Jun 2010 16:07:19 -0000 1.10
152 @@ -4,7 +4,7 @@
153 <!-- The content of this document is licensed under the CC-BY-SA license -->
154 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
155
156 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v 1.9 2007/07/23 02:34:30 pebenito Exp $ -->
157 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ -->
158
159 <sections>
160 <version>2.0</version>
161 @@ -16,8 +16,11 @@
162 suggested kernel is hardened-sources.
163 </p>
164
165 +<note>2.6.28-r9 is the current hardened release version at the time of this writing,
166 + and all instructions in this document assume at least this version.</note>
167 +
168 <warn>Kernels 2.6.14 and 2.6.15 should not be used by XFS users as they
169 -have bugs in the SELinux XFS support.</warn>
170 + have bugs in the SELinux XFS support.</warn>
171
172 <pre caption="Merge an appropriate kernel">
173 <comment>Any 2.6 kernel</comment>
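Review bot: the new note pins the document to hardened 2.6.28-r9 as the minimum, but the note added later in this same file says Btrfs "first became available with the 2.6.29 kernel", so a reader on the stated minimum cannot follow the Btrfs instructions; either raise the minimum or say here that Btrfs needs a newer kernel. The change to the `<warn>` continuation line only adds a leading space (whitespace-only) and should be dropped to keep the diff clean.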
174 @@ -32,11 +35,26 @@
175 devpts, and extended attribute security labels. Refer to the main installation
176 guide for futher kernel options.</p>
177
178 -<pre caption="Location and required options under menuconfig">
179 -<comment>Under "Code maturity level options"</comment>
180 -[*] Prompt for development and/or incomplete code/drivers
181 +<note>
182 +The available options may vary slightly depending on the kernel version
183 +being used. In particular, Btrfs first became available with the 2.6.29
184 +kernel, and the /dev/pts and tmpfs Extended Attributs and Security Labels
185 +options were obsoleted in kernel 2.6.13 (they are now enabled by default).
186 +"Default Linux Capabilies" under "Security options" was obsoleted in the
187 +2.6.26 kernel (it is now enabled by default).
188 +
189 +XFS always enables security labeling, so there is no additional option
190 +to set for this file system
191 +
192 +Ext4 should work, but is NOT well tested at the time of this writing!
193 +
194 +Any extended attribute options not specifically enabled below should be turned
195 +off.
196 +</note>
197
198 +<pre caption="Location and required options under menuconfig">
199 <comment>Under "General setup"</comment>
200 +[*] Prompt for development and/or incomplete code/drivers
201 [*] Auditing support
202 [*] Enable system-call auditing support
203
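Review bot: spelling in the new `<note>`: "Attributs" should be "Attributes", "Capabilies" should be "Capabilities", and the sentence ending "for this file system" is missing its period; the untouched context line above also has "futher" for "further". The note also states that the /dev/pts and tmpfs extended-attribute and security-label options were obsoleted in 2.6.13 and are now on by default, yet the menuconfig list in the following hunk still presents them as options to set; since the document now assumes 2.6.28-r9 at minimum, either remove those four lines from the list or mark them as applying only to older kernels.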
204 @@ -45,25 +63,33 @@
205 [*] Ext2 extended attributes
206 [ ] Ext2 POSIX Access Control Lists
207 [*] Ext2 Security Labels
208 +[ ] Ext2 Execute in place support
209 &lt;*&gt; Ext3 journalling file system support <comment>(If using ext3)</comment>
210 [*] Ext3 extended attributes
211 [ ] Ext3 POSIX Access Control Lists
212 [*] Ext3 Security labels
213 +&lt;*&gt; The Extended 4 (ext4) filesystem <comment>(If using ext4)</comment>
214 +[ ] Enable ext4dev compatibility
215 +[*] Ext4 extended attrributes
216 +[ ] Ext4 POSIX Access Control Lists
217 +[*] Ext4 Security Labels
218 &lt;*&gt; JFS filesystem support <comment>(If using JFS)</comment>
219 [ ] JFS POSIX Access Control Lists
220 [*] JFS Security Labels
221 [ ] JFS debugging
222 [ ] JFS statistics
223 &lt;*&gt; XFS filesystem support <comment>(If using XFS)</comment>
224 -[ ] Realtime support (EXPERIMENTAL)
225 -[ ] Quota support
226 -[ ] ACL support
227 -[*] Security Labels
228 -
229 +[ ] XFS Quota support
230 +[ ] XFS POSIX ACL support
231 +[ ] XFS Realtime subvolume support (EXPERIMENTAL)
232 +[ ] XFS Debugging Support
233 +&lt;*&gt; Btrfs filesystem (EXPERIMENTAL) Unstable disk format <comment>(if
234 +using Btrfs)</comment>
235 +[ ] Btrfs POSIX Access Control Lists (NEW)
236 <comment>Under "Pseudo filesystems (via "File systems")</comment>
237 [ ] /dev file system support (EXPERIMENTAL)
238 [*] /dev/pts Extended Attributes
239 -[*] /dev/pts Security Labels
240 +[*] /dev/pts Security Labels
241 [*] Virtual memory file system support (former shm fs)
242 [*] tmpfs Extended Attributes
243 [*] tmpfs Security Labels
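Review bot: "attrributes" in the ext4 block should be "attributes". The `/dev/pts Security Labels` line is removed and re-added with no visible difference, so that is a whitespace-only change that should be dropped. The "(NEW)" suffix on the Btrfs ACL line is menuconfig's marker for a not-yet-configured option, not part of the option name, and no other entry carries it; remove it for consistency. The Btrfs caption is also wrapped across two lines inside `<comment>`, which will render as a line break in the `<pre>`; keep it on one line.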
244 @@ -82,11 +108,6 @@
245 [ ] NSA SELinux maximum supported policy format version
246 </pre>
247
248 -<note>
249 - The available options may vary slightly depending on the kernel version
250 - being used. The other extended attribute options should be turned off.
251 -</note>
252 -
253 <p>
254 The extended attribute security labels must be turned on for devpts and
255 your filesystem(s). Devfs is not usable in SELinux, and should be
256 @@ -96,6 +117,11 @@
257 are enabled by default; thus, no options will appear in menuconfig.
258 </p>
259
260 +<note>It is recommended to configure PaX if you are using harded-sources (also
261 +recommended). More information about Pax can be found in the <uri link="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml">Hardened Gentoo
262 +PaX Quickstart Guide</uri>.
263 +</note>
264 +
265 <warn>
266 Do not enable the SELinux MLS policy option if its available, as it is
267 not supported, and will cause your machine to not start.
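Review bot: "harded-sources" should be "hardened-sources", and "Pax" in the second sentence should be "PaX" to match the first sentence and the title of the linked guide.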
268 @@ -127,7 +153,8 @@
269 device tarball must be disabled. Edit the /etc/conf.d/rc file.
270 Set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no.
271 If you have several custom device nodes, static is suggested,
272 -otherwise udev is suggested.
273 +otherwise udev is suggested (udev is the default at the time of this writing).
274 +For more information on udev, consult the <uri link="/doc/en/udev-guide.xml">Gentoo UDEV Guide</uri>.
275 </p>
276 <pre caption="Init script configuration">
277 # Use this variable to control the /dev management behavior.
278
279
280
281 1.11 xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml
282
283 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml?rev=1.11&view=markup
284 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml?rev=1.11&content-type=text/plain
285 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml?r1=1.10&r2=1.11
286
287 Index: hb-selinux-conv-reboot2.xml
288 ===================================================================
289 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v
290 retrieving revision 1.10
291 retrieving revision 1.11
292 diff -u -r1.10 -r1.11
293 --- hb-selinux-conv-reboot2.xml 16 Dec 2009 01:14:42 -0000 1.10
294 +++ hb-selinux-conv-reboot2.xml 25 Jun 2010 16:07:19 -0000 1.11
295 @@ -4,7 +4,7 @@
296 <!-- The content of this document is licensed under the CC-BY-SA license -->
297 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
298
299 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v 1.10 2009/12/16 01:14:42 pebenito Exp $ -->
300 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v 1.11 2010/06/25 16:07:19 pebenito Exp $ -->
301
302 <sections>
303 <version>2.2</version>
304 @@ -98,6 +98,17 @@
305 <note>
306 Fcron and Vixie-cron are the only crons with SELinux support.
307 </note>
308 +<note>The above packages are NOT an exhaustive list; they are only the most
309 +common ones. In general, any package installed on the system which has the
310 +selinux USE flag should be remerged. To see which packages may need to be
311 +merged, you can:
312 +emerge -upDN world
313 +
314 +Since changing to the selinux profile has changed your USE flags, the above
315 +will get everything that is listening to the selinux USE flag. It will
316 +probably also get some other stuff as well. To actually remerge everything,
317 +simply remove the 'p', or manually specify the packages you want to remerge.
318 +</note>
319 </body></subsection>
320 </section>
321
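Review bot: the command `emerge -upDN world` sits as bare text inside the `<note>`; put it in a `<pre caption="...">` (or `<c>`) as the rest of the handbook does, and give the follow-up as the actual command (`emerge -uDN world`) rather than "simply remove the 'p'". "It will probably also get some other stuff as well" should say what that is, namely any package with a pending update or other USE change, which is what `-uDN` selects in addition to the selinux USE flag change the note describes.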
322 @@ -129,6 +140,23 @@
323 <section><title>Label Filesystems</title>
324 <subsection><body>
325 <p>
326 + Before you can relabel the rest of the filesystems, you need to first relabel
327 + /dev. Strictly speaking, this is only necessary if you aren't using a static
328 + /dev. However, as the vast majority of current and new systems are going to
329 + be built with udev, this probably means you are using udev as well. There
330 + are a lot of different ways to get at this problem, but the steps below are
331 + easy to do and work.
332 +</p>
333 + <pre caption="Relabel /dev">
334 +<i># mkdir /mnt/gentoo
335 +# mount -o bind / /mnt/gentoo
336 +# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev
337 +# umount /mnt/gentoo
338 +</i>
339 + </pre>
340 + <note>Remember to select one of {strict,targeted} above based on your
341 + enforcement mode.</note>
342 +<p>
343 Now label the filesystems. This gives each of the files in the filesystems
344 a security label. Keeping these labels consistent is important.
345 </p>
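Review bot: `{strict,targeted}` in the setfiles command is shell brace-expansion syntax; pasted literally it expands to two paths, so setfiles would treat the second file_contexts path as a directory to relabel. Write the command with one concrete policy name (the note already tells the reader to choose one) or use an obvious placeholder. The `<i>` element wraps all four lines including the `#` prompts, whereas every other `<pre>` in these files keeps the prompt outside `<i>` (for example `# <i>mkfs.xfs -i size=512 /dev/hda3</i>`); match that convention. The paragraph should also say what the bind mount achieves (exposing the on-disk /dev directory beneath the udev-managed mount), since "a lot of different ways to get at this problem" does not explain the chosen one. The indentation of the added `<pre>` and `<note>` lines does not match the surrounding markup.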
346 @@ -149,6 +177,17 @@
347 grub> root (hd0,0) <comment>(Your boot partition)</comment>
348 grub> setup (hd0) <comment>(Where the boot record is installed; here, it is the MBR)</comment>
349 </pre>
350 +<p>
351 + If you've installed Gentoo using the hardened sources, then you'll need to
352 + tell SELinux that you are using the hardened tool-chain with ssp. You do
353 + this by setting an SELinux global boolean
354 +</p>
355 +<pre caption="SELinux global_ssp">
356 +<i>setsebool -P global_ssp on</i>
357 +</pre>
358 +<note>Make sure you use the -P flag, or the setting won't survive the reboot,
359 +and you'll likely see a lot of errors relating to /dev/null and /dev/random
360 +</note>
361 </body></subsection>
362 </section>
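Review bot: the sentence "You do this by setting an SELinux global boolean" and the note ending "/dev/random" both lack a closing period, and "tool-chain" should be "toolchain". The `setsebool` line has no `#` prompt, unlike the other root-shell examples in the handbook. The note about errors "relating to /dev/null and /dev/random" would help more if it named the symptom the reader will actually see, so the failure can be recognised rather than just anticipated.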
363
364
365
366
367 1.10 xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml
368
369 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml?rev=1.10&view=markup
370 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml?rev=1.10&content-type=text/plain
371 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml?r1=1.9&r2=1.10
372
373 Index: hb-selinux-overview.xml
374 ===================================================================
375 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v
376 retrieving revision 1.9
377 retrieving revision 1.10
378 diff -u -r1.9 -r1.10
379 --- hb-selinux-overview.xml 13 Jul 2009 14:40:28 -0000 1.9
380 +++ hb-selinux-overview.xml 25 Jun 2010 16:07:19 -0000 1.10
381 @@ -4,7 +4,7 @@
382 <!-- The content of this document is licensed under the CC-BY-SA license -->
383 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
384
385 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v 1.9 2009/07/13 14:40:28 pebenito Exp $ -->
386 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ -->
387
388 <sections>
389 <version>1.5</version>
390 @@ -281,7 +281,7 @@
391 <tr><ti>23</ti>
392 <ti>Per-domain permissive mode.</ti>
393 <ti>2.6.26 - 2.6.27</ti></tr>
394 -<tr><ti>23</ti>
395 +<tr><ti>24</ti>
396 <ti>Explicit hierarchy (type bounds).</ti>
397 <ti>2.6.28 - current</ti></tr>
398 </table>
399
400
401
402 1.5 xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml
403
404 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml?rev=1.5&view=markup
405 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml?rev=1.5&content-type=text/plain
406 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml?r1=1.4&r2=1.5
407
408 Index: hb-selinux-references.xml
409 ===================================================================
410 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v
411 retrieving revision 1.4
412 retrieving revision 1.5
413 diff -u -r1.4 -r1.5
414 --- hb-selinux-references.xml 11 Oct 2006 04:48:51 -0000 1.4
415 +++ hb-selinux-references.xml 25 Jun 2010 16:07:19 -0000 1.5
416 @@ -4,7 +4,7 @@
417 <!-- The content of this document is licensed under the CC-BY-SA license -->
418 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
419
420 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v 1.4 2006/10/11 04:48:51 pebenito Exp $ -->
421 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
422
423 <sections>
424 <version>1.2</version>
425 @@ -15,15 +15,15 @@
426 <subsection><body>
427 <ul>
428 <li>
429 - <uri link="http://www.nsa.gov/selinux/papers/inevit-abs.cfm">The Inevitability of Failure:
430 + <uri link="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure:
431 The Flawed Assumption of Security in Modern Computing Environments</uri>
432 explains the need for mandatory access controls.</li>
433 <li>
434 - <uri link="http://www.nsa.gov/selinux/papers/flask-abs.cfm">The Flask Security Architecture:
435 + <uri link="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture:
436 System Support for Diverse Security Policies</uri>
437 explains the security architecture of Flask, the architecture used by SELinux.</li>
438 <li>
439 - <uri link="http://www.nsa.gov/selinux/papers/module-abs.cfm">Implementing SELinux as a Linux Security Module</uri>
440 + <uri link="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</uri>
441 has specifics about SELinux access checks in the kernel.</li>
442 </ul>
443 </body>
444 @@ -34,14 +34,11 @@
445 <subsection><body>
446 <ul>
447 <li>
448 - <uri link="http://www.nsa.gov/selinux/papers/policy2-abs.cfm">Configuring the SELinux Policy</uri></li>
449 + <uri link="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</uri></li>
450 <li>
451 <uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri></li>
452 <li>
453 - <uri link="http://www.tresys.com/selinux/selinux-course-outline.shtml">SELinux Policy Development Course</uri>
454 - (slides available at the bottom of the page)</li>
455 -<li>
456 - SELinux <uri link="http://www.tresys.com/selinux/obj_perms_help.shtml">Object Classes and Permissions</uri>
457 + SELinux <uri link="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</uri>
458 Overview</li>
459 </ul>
460 </body>
461 @@ -89,8 +86,8 @@
462 <subsection><title>2005 SELinux Symposium</title><body>
463 <ul>
464 <li>
465 - <uri link="http://www.nsa.gov/selinux/papers/selsymp2005-abs.cfm">SELinux Overview</uri>,
466 - Stephen Smalley, National Security Agency</li>
467 + <uri link="http://www.nsa.gov/research/selinux/index.shtml">SELinux Overview</uri>,
468 + NSA</li>
469 <li>
470 <uri link="http://www.selinux-symposium.org/2005/presentations/session3/3-2-macmillan.pdf">Core Policy Management Infrastructure for SELinux</uri>,
471 Karl MacMillan, Tresys Technology</li>
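Review bot: this entry sits under the "2005 SELinux Symposium" heading, but the new link points at the general NSA SELinux index page and the author attribution (Stephen Smalley, National Security Agency) is dropped, so the list item no longer describes a symposium paper. If the 2005 overview is no longer hosted, either remove the item or keep the title and author and state that the link goes to the NSA SELinux site rather than the paper.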
472
473
474
475 1.9 xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml
476
477 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml?rev=1.9&view=markup
478 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml?rev=1.9&content-type=text/plain
479 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml?r1=1.8&r2=1.9
480
481 Index: selinux-handbook.xml
482 ===================================================================
483 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v
484 retrieving revision 1.8
485 retrieving revision 1.9
486 diff -u -r1.8 -r1.9
487 --- selinux-handbook.xml 15 Oct 2006 20:32:39 -0000 1.8
488 +++ selinux-handbook.xml 25 Jun 2010 16:07:19 -0000 1.9
489 @@ -1,7 +1,7 @@
490 <?xml version='1.0' encoding='UTF-8'?>
491 <!DOCTYPE book SYSTEM "/dtd/book.dtd">
492
493 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v 1.8 2006/10/15 20:32:39 pebenito Exp $ -->
494 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v 1.9 2010/06/25 16:07:19 pebenito Exp $ -->
495
496 <book link="selinux-handbook.xml">
497 <title>Gentoo SELinux Handbook</title>
498 @@ -10,6 +10,10 @@
499 <mail link="pebenito@g.o">Chris PeBenito</mail>
500 </author>
501
502 +<author title="Author">
503 + Chris Richards
504 +</author>
505 +
506 <abstract>
507 This is the Gentoo SELinux Handbook.
508 </abstract>
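Review bot: the existing author entry uses `<mail link="pebenito@g.o">Chris PeBenito</mail>`, while the new entry is plain text "Chris Richards" with no `<mail>` element; add a mail link for consistency if one is available (the commit log identifies the contributor by the nick "gizmo").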