author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-29 16:20:17 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-29 16:20:17 +0200 |
commit | 15b6b45542f2faee92ba7168ec7df8e8098b71b2 (patch) | |
tree | 1945a41b9752ad4f25968422edbae79d0865e6d3 | |
parent | Fix bug #411377 - Additional details on working out corrupted policy store (diff) | |
Update with 20120217 related material
-rw-r--r-- | xml/selinux/hb-intro-concepts.xml | 11 |
-rw-r--r-- | xml/selinux/hb-using-install.xml | 35 |
-rw-r--r-- | xml/selinux/hb-using-policies.xml | 119 |
-rw-r--r-- | xml/selinux/hb-using-states.xml | 24 |
4 files changed, 157 insertions, 32 deletions
diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml index 5d4470e..bc6f4c1 100644 --- a/xml/selinux/hb-intro-concepts.xml +++ b/xml/selinux/hb-intro-concepts.xml @@ -7,8 +7,8 @@ <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ --> <sections> -<version>5</version> -<date>2011-07-21</date> +<version>6</version> +<date>2012-04-29</date> <section> <title>Introduction</title> @@ -81,6 +81,13 @@ development focuses mainly on <e>strict</e> and <e>mcs</e>. The that the <e>mls</e> policy is currently not fit yet for production use. </p> +<note> +To clear up some confusion, especially when trying to seek support outside +Gentoo: our "strict" implementation is not what was "strict" up to the year +2008. The old meaning of strict involved a different implementation of the +policy. +</note> + </body> </subsection> </section> diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml index a806009..037877e 100644 --- a/xml/selinux/hb-using-install.xml +++ b/xml/selinux/hb-using-install.xml @@ -7,8 +7,8 @@ <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ --> <sections> -<version>20</version> -<date>2012-04-10</date> +<version>21</version> +<date>2012-04-29</date> <section> <title>Installing Gentoo (Hardened)</title> @@ -91,6 +91,10 @@ Make sure to include layman's <path>make.conf</path> in your </body> </subsection> --> +<!-- +TODO Validate after 2.20120215-r8 is stable that this is no longer +necessary? Not sure about it though : check userspace ebuilds as well. +--> <subsection> <title>Switching to Python 2</title> <body> 
@@ -273,19 +277,6 @@ tools or configurations that apply. </p> <ul> - <!-- - TODO When 2.20120215-r5 or higher is stabilized, the LVM change is not needed - anymore - --> - <li> - If you use LVM for one or more file systems, you need to edit - <path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>) - and <path>lvm-stop.sh</path> and set the config location from - <path>/dev/.lvm</path> to <path>/etc/lvm/lock</path>. Next, create the - <path>/etc/lvm/lock</path> directory. Finally, add - <path>/lib(64)/rcscripts/addons</path> to <c>CONFIG_PROTECT</c> in your - <path>make.conf</path> file. - </li> <li> Check if you have <path>*.old</path> files in <path>/bin</path>. If you do, either remove those or make them a copy of their counterpart so that they @@ -411,8 +402,8 @@ Next, edit <path>/etc/fstab</path> and add the following two lines: <pre caption="Enabling selinux-specific file system options"> <comment># The udev mount is due to bug #373381</comment> -udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0 -none /selinux selinuxfs defaults 0 0 +udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0 +none /sys/fs/selinux selinuxfs defaults 0 0 </pre> <note> @@ -420,14 +411,6 @@ In case of an MLS/MCS policy, you need to have the context with sensitivity level, so <c>...:device_t:s0</c>. </note> -<p> -Make the <path>/selinux</path> mountpoint as well: -</p> - -<pre caption="Creating the /selinux mountpoint"> -~# <i>mkdir /selinux</i> -</pre> - </body> </subsection> <subsection> 
@@ -436,7 +419,7 @@ Make the <path>/selinux</path> mountpoint as well: <p> With the above changes made, reboot your system. Assert yourself that you are -now running a Linux kernel with SELinux enabled (the <path>/selinux</path> file +now running a Linux kernel with SELinux enabled (the <path>/sys/fs/selinux</path> file system should be mounted). Don't worry - SELinux is at this point not activated. </p> diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml index 4f76052..a67f20b 100644 --- a/xml/selinux/hb-using-policies.xml +++ b/xml/selinux/hb-using-policies.xml @@ -7,8 +7,8 @@ <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ --> <sections> -<version>3</version> -<date>2012-03-01</date> +<version>4</version> +<date>2012-04-29</date> <section> <title>SELinux Policy Language</title> 
@@ -341,6 +341,121 @@ optional_policy(` ') </pre> +<p> +The following table shows a few common interfaces that could be in use. We +seriously recommend to look at the available interfaces when enhancing or +creating your own modules - and be sure to pick the interface that adds just +what you need, nothing more. +</p> + +<table> +<tr> + <th colspan="3">Templates</th> +</tr> +<tr> + <th>Suffix</th> + <th>Example</th> + <th>Description</th> +</tr> +<tr> + <ti>_template</ti> + <ti>virt_domain_template(prefix)</ti> + <ti> + Not really an interface, templates create additional domains based on the + information given to them. This is usually done for fine-grained policy + templates with a common (sub)set of privileges. + </ti> +</tr> +<tr> + <th colspan="3">Transformations</th> +</tr> +<tr> + <th>Suffix</th> + <th>Example</th> + <th>Description</th> +</tr> +<tr> + <ti></ti> + <ti>miscfiles_cert_type(resource)</ti> + <ti> + Transformation interfaces generally add specific attributes to resources or + domains. Attributes "transform" the given resource into something more. In + the given example, the miscfiles_cert_type(resource) assigns the cert_type + attribute to the resource (and also marks it as a file). Interfaces, like + miscfiles_read_all_certs work on these attributes. + </ti> +</tr> +<tr> + <th colspan="3">Access interfaces</th> +</tr> +<tr> + <th>Suffix</th> + <th>Example</th> + <th>Description</th> +</tr> +<tr> + <ti>_<access>_<resource></ti> + <ti>mta_getattr_spool(domain)</ti> + <ti> + Grant the specified domain access towards the shown resource. The resource + usually defines the type too (like kudzu_getattr_exec_files: grant getattr + on the kudzu_exec_t files) unless it is obvious from the name, or when the + resource is a more specific term towards the domain. It can also include + dontaudit (like mta_dontaudit_getattr_spool). 
+ </ti> +</tr> +<tr> + <ti>_exec</ti> + <ti>dmesg_exec(domain)</ti> + <ti> + Grant one domain the right to execute the given domains' executable file (in + the example, allow "domain" to execute dmesg_exec_t files), but without + implying that the domains transition. In other words, dmesg gets executed + but still confined by the privileges of the source domain. + </ti> +</tr> +<tr> + <ti>_domtrans</ti> + <ti>dmesg_domtrans(domain)</ti> + <ti> + Grant one domain execute and transition privileges towards the new domain. + This interface is most commonly used to allow application domains to + transition to another. In the given example, dmesg is ran with the + privileges of the dmesg_t domain. + </ti> +</tr> +<tr> + <ti>_run</ti> + <ti>netutils_run(domain, role)</ti> + <ti> + Grant a given role and domain the rights to execute and transition towards + the given domain. This is usually granted to (existing) user roles and + domains and gives them the set of privileges needed to interact safely with + the new (interactive) domain (such as terminal access). + </ti> +</tr> +<tr> + <ti>_role</ti> + <ti>xserver_role(role, domain)</ti> + <ti> + Allow the given role and domain the necessary permissions to transition and + interact with the given domain. This interface is enhanced with the + privileges to interact with the domain (and its underlying files) more + thoroughly, and is usually assigned to newly created users or roles within + the policy (rather than enhance existing user domains and roles). + </ti> +</tr> +<tr> + <ti>_admin</ti> + <ti>aide_admin(domain)</ti> + <ti> + Grant the given domain the rights to administer the target domains' + environment. This usually involves privileges to manage and relabel all + affiliated files, directories, sockets, etc. + </ti> +</tr> +</table> + </body> </subsection> </section> diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-states.xml index 9e99d9c..ee7f8e1 100644 --- a/xml/selinux/hb-using-states.xml 
+++ b/xml/selinux/hb-using-states.xml @@ -7,8 +7,8 @@ <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ --> <sections> -<version>1</version> -<date>2011-10-15</date> +<version>2</version> +<date>2012-04-29</date> <section> <title>SELinux States</title> @@ -191,6 +191,26 @@ in the order given above: </body> </subsection> +<subsection> +<title>Domain-permissive Mode</title> +<body> + +<p> +You can also opt to mark a single domain permissive while running the rest of +the system in an enforcing state. For instance, to mark mplayer_t as a +permissive domain (which means that SELinux does not enforce anything): +</p> + +<pre caption="Marking mplayer_t as permissive"> +# <i>semanage permissive -a mplayer_t</i> +</pre> + +<p> +With the <c>-d</c> option, you can remove the permissive mark again. +</p> + +</body> +</subsection> </section> <section> |
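
Review bot: In hb-intro-concepts.xml (hunk @@ -81,6 +81,13), the added <note> says the pre-2008 "strict" "involved a different implementation of the policy" but never says what differs, so a reader comparing against outside documentation still cannot tell which meaning applies. Suggest adding one sentence that states what "strict" means in Gentoo today, or a pointer to the section that defines it.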
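
Review bot: In hb-using-install.xml (hunk @@ -91,6 +91,10), the new TODO comment does not name what "this" refers to. It sits between the end of a commented-out block and the "Switching to Python 2" subsection, so the next editor has to guess which one it is about. Suggest naming the subsection in the comment and replacing "Not sure about it though" with the concrete check to perform (the comment already hints at it: the userspace ebuilds).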
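
Review bot: In hb-using-install.xml (hunk @@ -273,19 +277,6), the LVM list item is removed outright, although the TODO removed with it made that conditional on "2.20120215-r5 or higher" being stabilized, and nothing in the new text records that version. Readers on an older policy lose the instructions, and readers who already applied them (edited lvm-start.sh and lvm-stop.sh, created /etc/lvm/lock, extended CONFIG_PROTECT) get no hint about whether to revert. Suggest keeping a short note that states the policy version from which the step is unnecessary.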
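
Review bot: In hb-using-install.xml (hunks @@ -411,8 +402,8 and @@ -420,14 +411,6), the fstab entry moves from /selinux to /sys/fs/selinux and the "mkdir /selinux" step is dropped, but the text does not say why no mountpoint needs to be created any more, nor what a system installed with the previous version of this guide should do with its existing "none /selinux selinuxfs" line. Suggest one sentence after the <pre> block stating where the /sys/fs/selinux directory comes from, and a note for existing installations on updating /etc/fstab, since the later "reboot and verify the file system is mounted" check now depends on that path.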
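
Review bot: In hb-using-policies.xml (hunk @@ -341,6 +341,121), the cell "<ti>_<access>_<resource></ti>" in the "Access interfaces" group uses raw angle brackets, so <access> and <resource> are parsed as unclosed elements and the file is no longer well-formed XML. Escape them as "_&lt;access&gt;_&lt;resource&gt;". Smaller points in the same table: "dmesg is ran" should read "dmesg is run", and "the given domains' executable file" and "the target domains' environment" should use the singular possessive "domain's".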
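
Review bot: In hb-using-states.xml (hunk @@ -191,6 +191,26), the parenthetical "which means that SELinux does not enforce anything" can be read as applying to the whole system, which contradicts the sentence it is attached to ("while running the rest of the system in an enforcing state"). Suggest "which means that SELinux does not enforce the policy for that domain". The closing paragraph mentions the -d option without showing the command; adding it as a second line in the <pre> block (same form as the -a line) makes the undo step copyable, which matters because a domain left permissive stays unconfined. The prompt here is "# " while the <pre> block removed from hb-using-install.xml used "~# "; pick one style across the handbook.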