1 |
pebenito 10/06/25 16:07:20 |
2 |
|
3 |
Modified: hb-install.xml hb-selinux-conv-profile.xml |
4 |
hb-selinux-conv-reboot1.xml |
5 |
hb-selinux-conv-reboot2.xml hb-selinux-overview.xml |
6 |
hb-selinux-references.xml selinux-handbook.xml |
7 |
Log: |
8 |
SELinux handbook updates from Chris Richards (gizmo). |
9 |
|
10 |
Revision Changes Path |
11 |
1.5 xml/htdocs/proj/en/hardened/selinux/hb-install.xml |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml?rev=1.5&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml?rev=1.5&content-type=text/plain |
15 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml?r1=1.4&r2=1.5 |
16 |
|
17 |
Index: hb-install.xml |
18 |
=================================================================== |
19 |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v |
20 |
retrieving revision 1.4 |
21 |
retrieving revision 1.5 |
22 |
diff -u -r1.4 -r1.5 |
23 |
--- hb-install.xml 7 Sep 2006 10:37:46 -0000 1.4 |
24 |
+++ hb-install.xml 25 Jun 2010 16:07:19 -0000 1.5 |
25 |
@@ -4,11 +4,11 @@ |
26 |
<!-- The content of this document is licensed under the CC-BY-SA license --> |
27 |
<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
28 |
|
29 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.4 2006/09/07 10:37:46 neysx Exp $ --> |
30 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ --> |
31 |
|
32 |
<sections> |
33 |
-<version>1.3</version> |
34 |
-<date>2006-04-26</date> |
35 |
+<version>1.4</version> |
36 |
+<date>2010-06-15</date> |
37 |
|
38 |
<section><title>Gentoo SELinux Installation</title> |
39 |
<subsection> |
40 |
@@ -24,6 +24,8 @@ |
41 |
keeping in mind the following notes. Then the |
42 |
system should converted to SELinux using the |
43 |
<uri link="?part=2">SELinux Conversion Guide</uri>. |
44 |
+It is recommended to use the hardened stage 3 tarball if you are building a |
45 |
+hardened Gentoo system (which is also recommended). |
46 |
</p> |
47 |
|
48 |
</body> |
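Review bot: the parenthetical "(which is also recommended)" in the new sentence is ambiguous about what is being recommended, the hardened stage 3 tarball or building a hardened system; suggest "If you are building a hardened Gentoo system (which is recommended), use the hardened stage 3 tarball." While this paragraph is open, the context line just above, "system should converted to SELinux", is missing "be".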
49 |
@@ -34,13 +36,14 @@ |
50 |
<subsection><title>Filesystems</title> |
51 |
<body> |
52 |
<p> |
53 |
-Only ext2, ext3, JFS and XFS are supported at this time. |
54 |
+Only ext2, ext3, ext4, JFS, XFS and Btrfs are supported at this time. Reiserfs |
55 |
+ does not provide the necessary XATTR support, and Reiser4 is not well tested. |
56 |
</p> |
57 |
<p> |
58 |
-XFS users should use 512 byte inodes (the default is 256). SELinux uses extended |
59 |
-attributes for storing security labels in files. XFS stores this in the inode, |
60 |
-and if the inode is too small, an extra block has to be used, which wastes a lot |
61 |
-of space, and incurs performace penalties. |
62 |
+XFS users should use 512 byte inodes (the default is 256). SELinux keeps |
63 |
+file security lables in the extended attributes, which XFS stores in |
64 |
+the inode. If the inode is too small an extra block has to be used, which |
65 |
+wastes a lot of space and incurs performace penalties. |
66 |
</p> |
67 |
<pre caption="Example XFS filesystem creation command"> |
68 |
# <i>mkfs.xfs -i size=512 /dev/hda3</i> |
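Review bot: the rewritten XFS paragraph keeps two misspellings, "lables" and "performace" (the latter is carried over verbatim from the removed lines), and the continuation line "+ does not provide" begins with a stray space that the rest of the paragraph does not use. The bigger issue is consistency: the new list presents ext4 as supported alongside ext2/ext3, but hb-selinux-conv-reboot1.xml in this same commit says ext4 "is NOT well tested", and the hb-selinux-conv-profile.xml warning still omits ext4 entirely; use the same qualifier in all three places, e.g. "ext4 and Btrfs are supported but not yet well tested."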
69 |
|
70 |
|
71 |
|
72 |
1.10 xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml |
73 |
|
74 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml?rev=1.10&view=markup |
75 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml?rev=1.10&content-type=text/plain |
76 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml?r1=1.9&r2=1.10 |
77 |
|
78 |
Index: hb-selinux-conv-profile.xml |
79 |
=================================================================== |
80 |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v |
81 |
retrieving revision 1.9 |
82 |
retrieving revision 1.10 |
83 |
diff -u -r1.9 -r1.10 |
84 |
--- hb-selinux-conv-profile.xml 22 Jul 2009 13:38:18 -0000 1.9 |
85 |
+++ hb-selinux-conv-profile.xml 25 Jun 2010 16:07:19 -0000 1.10 |
86 |
@@ -4,16 +4,16 @@ |
87 |
<!-- The content of this document is licensed under the CC-BY-SA license --> |
88 |
<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
89 |
|
90 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v 1.9 2009/07/22 13:38:18 pebenito Exp $ --> |
91 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-profile.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ --> |
92 |
|
93 |
<sections> |
94 |
-<version>2.0</version> |
95 |
-<date>2007-07-22</date> |
96 |
+<version>2.1</version> |
97 |
+<date>2010-06-15</date> |
98 |
|
99 |
<section><title>Change Profile</title> |
100 |
<subsection><body> |
101 |
|
102 |
-<warn>SELinux is only supported on ext2/3, XFS, and JFS. Other filesystems |
103 |
+<warn>SELinux is only supported on ext2/3, XFS, JFS, and Btrfs. Other filesystems |
104 |
lack the complete extended attribute support.</warn> |
105 |
|
106 |
<warn>Users should convert from a 2006.1 or newer profile otherwise |
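Review bot: the updated <warn> now lists Btrfs but still omits ext4, which hb-install.xml in this same commit lists as supported; if ext4 is meant to be usable write "ext2/3/4, XFS, JFS, and Btrfs" here, otherwise the install chapter should not list it. The version and date bump look fine.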
107 |
@@ -26,16 +26,22 @@ |
108 |
<pre caption="Switch profiles"> |
109 |
# <i>rm -f /etc/make.profile</i> |
110 |
|
111 |
-<comment>x86:</comment> |
112 |
-# <i>ln -sf /usr/portage/profiles/selinux/2007.0/x86 /etc/make.profile</i> |
113 |
+ |
114 |
+<comment>x86 (server):</comment> |
115 |
+# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/server /etc/make.profile</i> |
116 |
<comment>x86 (hardened):</comment> |
117 |
-# <i>ln -sf /usr/portage/profiles/selinux/2007.0/x86/hardened /etc/make.profile</i> |
118 |
+# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/hardened /etc/make.profile</i> |
119 |
<comment>AMD64:</comment> |
120 |
-# <i>ln -sf /usr/portage/profiles/selinux/2007.0/amd64 /etc/make.profile</i> |
121 |
+# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/server /etc/make.profile</i> |
122 |
<comment>AMD64 (hardened):</comment> |
123 |
-# <i>ln -sf /usr/portage/profiles/selinux/2007.0/amd64/hardened /etc/make.profile</i> |
124 |
+# <i>ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/hardened /etc/make.profile</i> |
125 |
</pre> |
126 |
|
127 |
+<note>You can also switch profiles with eselect if you have the gentoolkit |
128 |
+ package installed. That method is not shown here because the specific options |
129 |
+ available and their numbering will vary according to your system |
130 |
+ configuration.</note> |
131 |
+ |
132 |
<impo>Do not use any profiles other than the ones listed above, even |
133 |
if they seem to be out of date. SELinux profiles are not necessarily |
134 |
created as often as default Gentoo profiles.</impo> |
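Review bot: the comment labels are now inconsistent: the x86 entry was relabeled "x86 (server):" to match the new .../x86/server profile path, but the AMD64 entry still reads "AMD64:" while pointing at .../amd64/server; relabel it "AMD64 (server):". The added empty "+" line after the rm command also leaves a blank line inside the <pre>. In the new <note>, the profile module is part of app-admin/eselect itself rather than gentoolkit as far as I know (gentoolkit provides equery and friends), so please verify that before publishing; naming the commands, "eselect profile list" and "eselect profile set", would make the note useful even without listing the numbers.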
135 |
|
136 |
|
137 |
|
138 |
1.10 xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml |
139 |
|
140 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml?rev=1.10&view=markup |
141 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml?rev=1.10&content-type=text/plain |
142 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml?r1=1.9&r2=1.10 |
143 |
|
144 |
Index: hb-selinux-conv-reboot1.xml |
145 |
=================================================================== |
146 |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v |
147 |
retrieving revision 1.9 |
148 |
retrieving revision 1.10 |
149 |
diff -u -r1.9 -r1.10 |
150 |
--- hb-selinux-conv-reboot1.xml 23 Jul 2007 02:34:30 -0000 1.9 |
151 |
+++ hb-selinux-conv-reboot1.xml 25 Jun 2010 16:07:19 -0000 1.10 |
152 |
@@ -4,7 +4,7 @@ |
153 |
<!-- The content of this document is licensed under the CC-BY-SA license --> |
154 |
<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
155 |
|
156 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v 1.9 2007/07/23 02:34:30 pebenito Exp $ --> |
157 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot1.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ --> |
158 |
|
159 |
<sections> |
160 |
<version>2.0</version> |
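Review bot: only the $Header line changes here and <version> stays at 2.0, yet the rest of this diff adds substantial content to the file (kernel baseline note, Btrfs and ext4 options, PaX note, udev link); bump <version> and <date> as hb-install.xml and hb-selinux-conv-profile.xml do in this commit so readers can tell the page was revised.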
161 |
@@ -16,8 +16,11 @@ |
162 |
suggested kernel is hardened-sources. |
163 |
</p> |
164 |
|
165 |
+<note>2.6.28-r9 is the current hardened release version at the time of this writing, |
166 |
+ and all instructions in this document assume at least this version.</note> |
167 |
+ |
168 |
<warn>Kernels 2.6.14 and 2.6.15 should not be used by XFS users as they |
169 |
-have bugs in the SELinux XFS support.</warn> |
170 |
+ have bugs in the SELinux XFS support.</warn> |
171 |
|
172 |
<pre caption="Merge an appropriate kernel"> |
173 |
<comment>Any 2.6 kernel</comment> |
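Review bot: the new note pins the baseline at hardened-sources 2.6.28-r9, which makes the retained <warn> about 2.6.14 and 2.6.15 XFS bugs moot; drop that warning rather than reindenting it (the "+ have bugs" line is a whitespace-only change that adds diff noise). Also, since a later note in this file says Btrfs first appeared in 2.6.29, the baseline note should say that Btrfs users need a newer kernel than the stated minimum.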
174 |
@@ -32,11 +35,26 @@ |
175 |
devpts, and extended attribute security labels. Refer to the main installation |
176 |
guide for futher kernel options.</p> |
177 |
|
178 |
-<pre caption="Location and required options under menuconfig"> |
179 |
-<comment>Under "Code maturity level options"</comment> |
180 |
-[*] Prompt for development and/or incomplete code/drivers |
181 |
+<note> |
182 |
+The available options may vary slightly depending on the kernel version |
183 |
+being used. In particular, Btrfs first became available with the 2.6.29 |
184 |
+kernel, and the /dev/pts and tmpfs Extended Attributs and Security Labels |
185 |
+options were obsoleted in kernel 2.6.13 (they are now enabled by default). |
186 |
+"Default Linux Capabilies" under "Security options" was obsoleted in the |
187 |
+2.6.26 kernel (it is now enabled by default). |
188 |
+ |
189 |
+XFS always enables security labeling, so there is no additional option |
190 |
+to set for this file system |
191 |
+ |
192 |
+Ext4 should work, but is NOT well tested at the time of this writing! |
193 |
+ |
194 |
+Any extended attribute options not specifically enabled below should be turned |
195 |
+off. |
196 |
+</note> |
197 |
|
198 |
+<pre caption="Location and required options under menuconfig"> |
199 |
<comment>Under "General setup"</comment> |
200 |
+[*] Prompt for development and/or incomplete code/drivers |
201 |
[*] Auditing support |
202 |
[*] Enable system-call auditing support |
203 |
|
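Review bot: the new <note> has the typos "Attributs" and "Capabilies", and the sentence ending "to set for this file system" lacks a period. More importantly, it states that the /dev/pts and tmpfs extended attribute and security label options were obsoleted in 2.6.13 and are now on by default, but the menuconfig listing that follows in this file still shows "[*] /dev/pts Extended Attributes", "[*] /dev/pts Security Labels" and the tmpfs equivalents as options to enable; with the 2.6.28 baseline either remove those entries from the <pre> or drop the claim from the note. I do not think GuideXML turns the blank lines inside <note> into paragraph breaks either, so consider splitting this into separate <note> elements.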
204 |
@@ -45,25 +63,33 @@ |
205 |
[*] Ext2 extended attributes |
206 |
[ ] Ext2 POSIX Access Control Lists |
207 |
[*] Ext2 Security Labels |
208 |
+[ ] Ext2 Execute in place support |
209 |
<*> Ext3 journalling file system support <comment>(If using ext3)</comment> |
210 |
[*] Ext3 extended attributes |
211 |
[ ] Ext3 POSIX Access Control Lists |
212 |
[*] Ext3 Security labels |
213 |
+<*> The Extended 4 (ext4) filesystem <comment>(If using ext4)</comment> |
214 |
+[ ] Enable ext4dev compatibility |
215 |
+[*] Ext4 extended attrributes |
216 |
+[ ] Ext4 POSIX Access Control Lists |
217 |
+[*] Ext4 Security Labels |
218 |
<*> JFS filesystem support <comment>(If using JFS)</comment> |
219 |
[ ] JFS POSIX Access Control Lists |
220 |
[*] JFS Security Labels |
221 |
[ ] JFS debugging |
222 |
[ ] JFS statistics |
223 |
<*> XFS filesystem support <comment>(If using XFS)</comment> |
224 |
-[ ] Realtime support (EXPERIMENTAL) |
225 |
-[ ] Quota support |
226 |
-[ ] ACL support |
227 |
-[*] Security Labels |
228 |
- |
229 |
+[ ] XFS Quota support |
230 |
+[ ] XFS POSIX ACL support |
231 |
+[ ] XFS Realtime subvolume support (EXPERIMENTAL) |
232 |
+[ ] XFS Debugging Support |
233 |
+<*> Btrfs filesystem (EXPERIMENTAL) Unstable disk format <comment>(if |
234 |
+using Btrfs)</comment> |
235 |
+[ ] Btrfs POSIX Access Control Lists (NEW) |
236 |
<comment>Under "Pseudo filesystems (via "File systems")</comment> |
237 |
[ ] /dev file system support (EXPERIMENTAL) |
238 |
[*] /dev/pts Extended Attributes |
239 |
-[*] /dev/pts Security Labels |
240 |
+[*] /dev/pts Security Labels |
241 |
[*] Virtual memory file system support (former shm fs) |
242 |
[*] tmpfs Extended Attributes |
243 |
[*] tmpfs Security Labels |
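Review bot: "Ext4 extended attrributes" is misspelled, and "(NEW)" on the Btrfs ACL line is menuconfig's marker for a newly seen option rather than part of the option text, so drop it. The "-[*] /dev/pts Security Labels" / "+[*] /dev/pts Security Labels" pair differs only in trailing whitespace and adds noise. The retained context entry "[ ] /dev file system support (EXPERIMENTAL)" is devfs, which was removed from the kernel long before the 2.6.28 baseline stated above, so it should go as well. Dropping the XFS "Security Labels" entry is consistent with the note that XFS always enables labeling.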
244 |
@@ -82,11 +108,6 @@ |
245 |
[ ] NSA SELinux maximum supported policy format version |
246 |
</pre> |
247 |
|
248 |
-<note> |
249 |
- The available options may vary slightly depending on the kernel version |
250 |
- being used. The other extended attribute options should be turned off. |
251 |
-</note> |
252 |
- |
253 |
<p> |
254 |
The extended attribute security labels must be turned on for devpts and |
255 |
your filesystem(s). Devfs is not usable in SELinux, and should be |
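Review bot: removing the old note is fine since its content moved above, but the retained paragraph that follows ("The extended attribute security labels must be turned on for devpts and your filesystem(s). Devfs is not usable in SELinux...") now contradicts the new note, which says the devpts labeling option no longer exists, and devfs is absent from any kernel meeting the 2.6.28 baseline; update this paragraph in the same change.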
256 |
@@ -96,6 +117,11 @@ |
257 |
are enabled by default; thus, no options will appear in menuconfig. |
258 |
</p> |
259 |
|
260 |
+<note>It is recommended to configure PaX if you are using harded-sources (also |
261 |
+recommended). More information about Pax can be found in the <uri link="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml">Hardened Gentoo |
262 |
+PaX Quickstart Guide</uri>. |
263 |
+</note> |
264 |
+ |
265 |
<warn> |
266 |
Do not enable the SELinux MLS policy option if its available, as it is |
267 |
not supported, and will cause your machine to not start. |
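Review bot: "harded-sources" is a typo for "hardened-sources", and "Pax" should be "PaX" as in the link text. The link uses an absolute http://www.gentoo.org/... URL whereas the udev link added later in this file uses a site-relative path ("/doc/en/udev-guide.xml"); use "/proj/en/hardened/pax-quickstart.xml" for consistency. While here, the context line "if its available" should read "if it's available".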
268 |
@@ -127,7 +153,8 @@ |
269 |
device tarball must be disabled. Edit the /etc/conf.d/rc file. |
270 |
Set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no. |
271 |
If you have several custom device nodes, static is suggested, |
272 |
-otherwise udev is suggested. |
273 |
+otherwise udev is suggested (udev is the default at the time of this writing). |
274 |
+For more information on udev, consult the <uri link="/doc/en/udev-guide.xml">Gentoo UDEV Guide</uri>. |
275 |
</p> |
276 |
<pre caption="Init script configuration"> |
277 |
# Use this variable to control the /dev management behavior. |
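Review bot: the new <uri> line runs well past the 80-column wrap used by the rest of the paragraph; wrap it. "Gentoo UDEV Guide" should be "Gentoo udev Guide" to match the guide's own title, and "(udev is the default at the time of this writing)" reads better as a plain statement, since "at the time of this writing" already appears twice elsewhere in this file.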
278 |
|
279 |
|
280 |
|
281 |
1.11 xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml |
282 |
|
283 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml?rev=1.11&view=markup |
284 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml?rev=1.11&content-type=text/plain |
285 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml?r1=1.10&r2=1.11 |
286 |
|
287 |
Index: hb-selinux-conv-reboot2.xml |
288 |
=================================================================== |
289 |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v |
290 |
retrieving revision 1.10 |
291 |
retrieving revision 1.11 |
292 |
diff -u -r1.10 -r1.11 |
293 |
--- hb-selinux-conv-reboot2.xml 16 Dec 2009 01:14:42 -0000 1.10 |
294 |
+++ hb-selinux-conv-reboot2.xml 25 Jun 2010 16:07:19 -0000 1.11 |
295 |
@@ -4,7 +4,7 @@ |
296 |
<!-- The content of this document is licensed under the CC-BY-SA license --> |
297 |
<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
298 |
|
299 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v 1.10 2009/12/16 01:14:42 pebenito Exp $ --> |
300 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-conv-reboot2.xml,v 1.11 2010/06/25 16:07:19 pebenito Exp $ --> |
301 |
|
302 |
<sections> |
303 |
<version>2.2</version> |
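Review bot: <version> stays at 2.2 and <date> is untouched, although this diff adds the relabel-/dev procedure and the global_ssp step to the file; bump both as hb-install.xml does in this commit.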
304 |
@@ -98,6 +98,17 @@ |
305 |
<note> |
306 |
Fcron and Vixie-cron are the only crons with SELinux support. |
307 |
</note> |
308 |
+<note>The above packages are NOT an exhaustive list; they are only the most |
309 |
+common ones. In general, any package installed on the system which has the |
310 |
+selinux USE flag should be remerged. To see which packages may need to be |
311 |
+merged, you can: |
312 |
+emerge -upDN world |
313 |
+ |
314 |
+Since changing to the selinux profile has changed your USE flags, the above |
315 |
+will get everything that is listening to the selinux USE flag. It will |
316 |
+probably also get some other stuff as well. To actually remerge everything, |
317 |
+simply remove the 'p', or manually specify the packages you want to remerge. |
318 |
+</note> |
319 |
</body></subsection> |
320 |
</section> |
321 |
|
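Review bot: "emerge -upDN world" is dropped into the <note> as bare text; put it in a <pre caption="..."> with the "# " prompt like the other commands in this handbook, and spell out the second form ("emerge -uDN world") instead of "simply remove the 'p'". Wording such as "listening to the selinux USE flag" and "some other stuff" is looser than the surrounding text; "packages that have the selinux USE flag" and "other packages whose USE flags changed" say the same thing.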
322 |
@@ -129,6 +140,23 @@ |
323 |
<section><title>Label Filesystems</title> |
324 |
<subsection><body> |
325 |
<p> |
326 |
+ Before you can relabel the rest of the filesystems, you need to first relabel |
327 |
+ /dev. Strictly speaking, this is only necessary if you aren't using a static |
328 |
+ /dev. However, as the vast majority of current and new systems are going to |
329 |
+ be built with udev, this probably means you are using udev as well. There |
330 |
+ are a lot of different ways to get at this problem, but the steps below are |
331 |
+ easy to do and work. |
332 |
+</p> |
333 |
+ <pre caption="Relabel /dev"> |
334 |
+<i># mkdir /mnt/gentoo |
335 |
+# mount -o bind / /mnt/gentoo |
336 |
+# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev |
337 |
+# umount /mnt/gentoo |
338 |
+</i> |
339 |
+ </pre> |
340 |
+ <note>Remember to select one of {strict,targeted} above based on your |
341 |
+ enforcement mode.</note> |
342 |
+<p> |
343 |
Now label the filesystems. This gives each of the files in the filesystems |
344 |
a security label. Keeping these labels consistent is important. |
345 |
</p> |
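Review bot: the setfiles line will misbehave if copied literally: the shell expands /etc/selinux/{strict,targeted}/contexts/files/file_contexts into two arguments, so setfiles would take the strict file_contexts as its spec file and treat the targeted one as a path to relabel, which is not what is intended. Show one concrete policy type (e.g. strict) in the <pre> and let the note say to substitute targeted, rather than relying on the reader to edit a brace expression. The prose also never says why the bind mount is needed; one sentence that a non-recursive bind mount of / exposes the on-disk /dev underneath udev's tmpfs, which is what gets labeled here, would make the step understandable. Finally, the whole block including the "# " prompts is wrapped in a single <i>, whereas the rest of the handbook keeps prompts outside <i> (e.g. "# <i>rm -f /etc/make.profile</i>"), and the <pre> and <note> lines carry a leading space that the surrounding markup does not.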
346 |
@@ -149,6 +177,17 @@ |
347 |
grub> root (hd0,0) <comment>(Your boot partition)</comment> |
348 |
grub> setup (hd0) <comment>(Where the boot record is installed; here, it is the MBR)</comment> |
349 |
</pre> |
350 |
+<p> |
351 |
+ If you've installed Gentoo using the hardened sources, then you'll need to |
352 |
+ tell SELinux that you are using the hardened tool-chain with ssp. You do |
353 |
+ this by setting an SELinux global boolean |
354 |
+</p> |
355 |
+<pre caption="SELinux global_ssp"> |
356 |
+<i>setsebool -P global_ssp on</i> |
357 |
+</pre> |
358 |
+<note>Make sure you use the -P flag, or the setting won't survive the reboot, |
359 |
+and you'll likely see a lot of errors relating to /dev/null and /dev/random |
360 |
+</note> |
361 |
</body></subsection> |
362 |
</section> |
363 |
|
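Review bot: the sentence "You do this by setting an SELinux global boolean" is missing its period, and "tool-chain" should be "toolchain". The <pre> omits the "# " prompt before <i>setsebool -P global_ssp on</i> that every other command block in this handbook uses. The note would be more helpful if it said what the boolean grants (as I recall the reference policy description, global_ssp lets every domain read the urandom device, which SSP-built binaries need at startup); that explains why the /dev/random errors appear when it is not set, instead of leaving them as an unexplained symptom.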
364 |
|
365 |
|
366 |
|
367 |
1.10 xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml |
368 |
|
369 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml?rev=1.10&view=markup |
370 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml?rev=1.10&content-type=text/plain |
371 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml?r1=1.9&r2=1.10 |
372 |
|
373 |
Index: hb-selinux-overview.xml |
374 |
=================================================================== |
375 |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v |
376 |
retrieving revision 1.9 |
377 |
retrieving revision 1.10 |
378 |
diff -u -r1.9 -r1.10 |
379 |
--- hb-selinux-overview.xml 13 Jul 2009 14:40:28 -0000 1.9 |
380 |
+++ hb-selinux-overview.xml 25 Jun 2010 16:07:19 -0000 1.10 |
381 |
@@ -4,7 +4,7 @@ |
382 |
<!-- The content of this document is licensed under the CC-BY-SA license --> |
383 |
<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
384 |
|
385 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v 1.9 2009/07/13 14:40:28 pebenito Exp $ --> |
386 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-overview.xml,v 1.10 2010/06/25 16:07:19 pebenito Exp $ --> |
387 |
|
388 |
<sections> |
389 |
<version>1.5</version> |
390 |
@@ -281,7 +281,7 @@ |
391 |
<tr><ti>23</ti> |
392 |
<ti>Per-domain permissive mode.</ti> |
393 |
<ti>2.6.26 - 2.6.27</ti></tr> |
394 |
-<tr><ti>23</ti> |
395 |
+<tr><ti>24</ti> |
396 |
<ti>Explicit hierarchy (type bounds).</ti> |
397 |
<ti>2.6.28 - current</ti></tr> |
398 |
</table> |
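Review bot: the renumbering of the duplicated "23" row to "24" is correct and the only change needed here; note that "2.6.28 - current" in the kernel column will go stale silently when a newer policy version lands, so it may be worth recording the last kernel release checked.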
399 |
|
400 |
|
401 |
|
402 |
1.5 xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml |
403 |
|
404 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml?rev=1.5&view=markup |
405 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml?rev=1.5&content-type=text/plain |
406 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml?r1=1.4&r2=1.5 |
407 |
|
408 |
Index: hb-selinux-references.xml |
409 |
=================================================================== |
410 |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v |
411 |
retrieving revision 1.4 |
412 |
retrieving revision 1.5 |
413 |
diff -u -r1.4 -r1.5 |
414 |
--- hb-selinux-references.xml 11 Oct 2006 04:48:51 -0000 1.4 |
415 |
+++ hb-selinux-references.xml 25 Jun 2010 16:07:19 -0000 1.5 |
416 |
@@ -4,7 +4,7 @@ |
417 |
<!-- The content of this document is licensed under the CC-BY-SA license --> |
418 |
<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
419 |
|
420 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v 1.4 2006/10/11 04:48:51 pebenito Exp $ --> |
421 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-selinux-references.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ --> |
422 |
|
423 |
<sections> |
424 |
<version>1.2</version> |
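Review bot: <version> stays at 1.2 although five links change in this file; bump <version> and <date> as the other handbook chapters in this commit do.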
425 |
@@ -15,15 +15,15 @@ |
426 |
<subsection><body> |
427 |
<ul> |
428 |
<li> |
429 |
- <uri link="http://www.nsa.gov/selinux/papers/inevit-abs.cfm">The Inevitability of Failure: |
430 |
+ <uri link="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure: |
431 |
The Flawed Assumption of Security in Modern Computing Environments</uri> |
432 |
explains the need for mandatory access controls.</li> |
433 |
<li> |
434 |
- <uri link="http://www.nsa.gov/selinux/papers/flask-abs.cfm">The Flask Security Architecture: |
435 |
+ <uri link="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture: |
436 |
System Support for Diverse Security Policies</uri> |
437 |
explains the security architecture of Flask, the architecture used by SELinux.</li> |
438 |
<li> |
439 |
- <uri link="http://www.nsa.gov/selinux/papers/module-abs.cfm">Implementing SELinux as a Linux Security Module</uri> |
440 |
+ <uri link="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</uri> |
441 |
has specifics about SELinux access checks in the kernel.</li> |
442 |
</ul> |
443 |
</body> |
444 |
@@ -34,14 +34,11 @@ |
445 |
<subsection><body> |
446 |
<ul> |
447 |
<li> |
448 |
- <uri link="http://www.nsa.gov/selinux/papers/policy2-abs.cfm">Configuring the SELinux Policy</uri></li> |
449 |
+ <uri link="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</uri></li> |
450 |
<li> |
451 |
<uri link="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</uri></li> |
452 |
<li> |
453 |
- <uri link="http://www.tresys.com/selinux/selinux-course-outline.shtml">SELinux Policy Development Course</uri> |
454 |
- (slides available at the bottom of the page)</li> |
455 |
-<li> |
456 |
- SELinux <uri link="http://www.tresys.com/selinux/obj_perms_help.shtml">Object Classes and Permissions</uri> |
457 |
+ SELinux <uri link="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</uri> |
458 |
Overview</li> |
459 |
</ul> |
460 |
</body> |
461 |
@@ -89,8 +86,8 @@ |
462 |
<subsection><title>2005 SELinux Symposium</title><body> |
463 |
<ul> |
464 |
<li> |
465 |
- <uri link="http://www.nsa.gov/selinux/papers/selsymp2005-abs.cfm">SELinux Overview</uri>, |
466 |
- Stephen Smalley, National Security Agency</li> |
467 |
+ <uri link="http://www.nsa.gov/research/selinux/index.shtml">SELinux Overview</uri>, |
468 |
+ NSA</li> |
469 |
<li> |
470 |
<uri link="http://www.selinux-symposium.org/2005/presentations/session3/3-2-macmillan.pdf">Core Policy Management Infrastructure for SELinux</uri>, |
471 |
Karl MacMillan, Tresys Technology</li> |
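Review bot: replacing the 2005 symposium "SELinux Overview" link with the general NSA SELinux index page and dropping the "Stephen Smalley" attribution changes what this entry refers to: it still sits under the "2005 SELinux Symposium" heading, where every other item is a specific talk with its author. If the original abstract is gone, either remove the entry or move the index-page link to the general references section above, rather than leaving a symposium item that points at a landing page.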
472 |
|
473 |
|
474 |
|
475 |
1.9 xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml |
476 |
|
477 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml?rev=1.9&view=markup |
478 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml?rev=1.9&content-type=text/plain |
479 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml?r1=1.8&r2=1.9 |
480 |
|
481 |
Index: selinux-handbook.xml |
482 |
=================================================================== |
483 |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v |
484 |
retrieving revision 1.8 |
485 |
retrieving revision 1.9 |
486 |
diff -u -r1.8 -r1.9 |
487 |
--- selinux-handbook.xml 15 Oct 2006 20:32:39 -0000 1.8 |
488 |
+++ selinux-handbook.xml 25 Jun 2010 16:07:19 -0000 1.9 |
489 |
@@ -1,7 +1,7 @@ |
490 |
<?xml version='1.0' encoding='UTF-8'?> |
491 |
<!DOCTYPE book SYSTEM "/dtd/book.dtd"> |
492 |
|
493 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v 1.8 2006/10/15 20:32:39 pebenito Exp $ --> |
494 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/selinux-handbook.xml,v 1.9 2010/06/25 16:07:19 pebenito Exp $ --> |
495 |
|
496 |
<book link="selinux-handbook.xml"> |
497 |
<title>Gentoo SELinux Handbook</title> |
498 |
@@ -10,6 +10,10 @@ |
499 |
<mail link="pebenito@g.o">Chris PeBenito</mail> |
500 |
</author> |
501 |
|
502 |
+<author title="Author"> |
503 |
+ Chris Richards |
504 |
+</author> |
505 |
+ |
506 |
<abstract> |
507 |
This is the Gentoo SELinux Handbook. |
508 |
</abstract> |
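Review bot: the new author entry is bare text while the existing one uses <mail link="pebenito@g.o">; if Chris Richards has no address to publish that is fine, but the log message identifies him as "gizmo", so a consistent form such as a <mail> link or the nick in parentheses would help readers match the credit to the commit history.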