| 1 |
Hi all, |
| 2 |
|
| 3 |
One of the "difficulties" of working with SELinux is that the policy that is |
| 4 |
pushed by default is tailored towards a default installation using |
| 5 |
unmodified locations and such. |
| 6 |
|
| 7 |
The moment users start configuring their system (different PORTDIR for |
| 8 |
Portage, other DocumentRoot for Apache, etc.) which, with Gentoo, is |
| 9 |
considered common practice, people need to start configuring and tweaking |
| 10 |
SELinux as well. |
| 11 |
|
| 12 |
I've been thinking about how to proceed on this and came up with the idea of |
| 13 |
having module information. An example for Apache can be found at |
| 14 |
http://xrl.us/bkqkkp (image at http://xrl.us/bkqkk5 since g.o.g.o doesn't |
| 15 |
use the regular location syntax for embedded files), another one is |
| 16 |
available for Portage too (http://xrl.us/bkqkk7). Images are created through |
| 17 |
docs.google.com and created to SVG (also in git), but converted to PNG for |
| 18 |
rendering purposes (only <img .../> tag is supported). |
| 19 |
|
| 20 |
Such a module information gives a general overview of the module structure |
| 21 |
(picture with allowed domain transitions plus overview of the domains and |
| 22 |
files) and then talks about hwo to use the module to suit your needs (file |
| 23 |
contexts, booleans, semanage commands where needed, ...) |
| 24 |
|
| 25 |
I have chosen separate guides for each module due to the large amount of |
| 26 |
information. Another option was to create a huge book, but I think this is |
| 27 |
easier as it will provide a simple URL syntax |
| 28 |
(http://www.gentoo.org/proj/en/selinux/modules/MODULENAME.xml) instead of |
| 29 |
the handbook one. |
| 30 |
|
| 31 |
Comments, feedback, ... always appreciated. |
| 32 |
|
| 33 |
Wkr, |
| 34 |
Sven Vermeulen |
Archives