author    Sven Vermeulen <sven.vermeulen@siphos.be>  2012-05-26 21:25:20 +0200
committer Sven Vermeulen <sven.vermeulen@siphos.be>  2012-05-26 21:25:20 +0200
commit    cd95497c6985db348bae718ee614f15caea2f2f3 (patch)
tree      9a1aa617c0876beddb8efa358e2aa375d950162f
parent    Hardened roadmap for SELinux updated (diff)
Attempt to document changes since installation for SELinux users
-rw-r--r--  xml/selinux-changes.xml  172
1 files changed, 172 insertions, 0 deletions
diff --git a/xml/selinux-changes.xml b/xml/selinux-changes.xml
new file mode 100644
index 0000000..3474a31
--- /dev/null
+++ b/xml/selinux-changes.xml
@@ -0,0 +1,172 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header$ -->
+
+<guide lang="en">
+<title>Gentoo Hardened SELinux Change Overview</title>
+
+<author title="Author">
+ <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
+</author>
+
+<abstract>
+As Gentoo is a rolling-release distribution, sometimes changes are being
+introduced which are documented in the main installation instructions but should
+be known by regular users as well. Not all of these changes are sufficiently
+intrusive to be set in a Gentoo news item. This document will contain an
+overview of all changes made in chronological order.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
+<license/>
+
+<version>1</version>
+<date>2012-05-26</date>
+
+<chapter>
+<title>Introduction</title>
+<section>
+<title>About this document</title>
+<body>
+
+<p>
+This document will give an overview of all SELinux documented changes made
+on particular dates and that might be important for users to follow up through.
+</p>
+
+<p>
+Changes that only affect ~arch users will be documented below and moved up when
+they are stabilized. It is possible though that these changes will be "fixed"
+automatically and as such removed from this page.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Overview of Changes for Stable Users</title>
+<section>
+<title>2012/05/26 - Support of initramfs</title>
+<body>
+
+<p>
+Users who boot with an initramfs will need to boot in permissive mode first, and
+later on switch to enforcing mode. This can be done automatically using an
+init script, as documented at <uri
+link="/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap5">Initramfs
+users</uri>.
+</p>
+
+</body>
+</section>
+<section>
+<title>2012/05/26 - Support for graphical login managers</title>
+<body>
+
+<p>
+Users who boot into a graphical environment (such as through GDM) will need to
+edit their PAM configuration files accordingly to support SELinux security
+context settings. This is documented at <uri
+link="/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap3">Users
+of a graphical environment</uri>.
+</p>
+
+</body>
+</section>
+<section>
+<title>2012/05/18 - No more sandbox configuration needed</title>
+<body>
+
+<p>
+The previously documented editing of <path>/etc/sandbox.conf</path> to open
+write access to <path>/sys/fs/selinux/context</path> can be removed as the
+SELinux profile does this now automatically.
+</p>
+
+</body>
+</section>
+<section>
+<title>2012/04/29 - Edit of lvm-start/stop scripts no longer needed</title>
+<body>
+
+<p>
+When users install the newly stabilized 2.20120215 policies, the documented
+editing of <path>/lib/rcscripts/addons/lvm-st*.sh</path> is no longer needed.
+</p>
+
+</body>
+</section>
+<section>
+<title>2012/02/21 - /dev mount line in fstab no longer needed</title>
+<body>
+
+<p>
+The previously documented /dev mount line in <path>/etc/fstab</path> is no
+longer needed as <path>util-linux-2.20.1-r1</path> has been marked stable (which
+contains the correct bug fix).
+</p>
+
+</body>
+</section>
+<section>
+<title>2011/12/10 - Deprecation of selinux/v2refpolicy/* profiles</title>
+<body>
+
+<p>
+The old SELinux profiles (starting with <c>selinux/v2refpolicy</c>) are not
+supported anymore. Users are strongly encouraged to switch to the new profiles
+(those ending with <c>/selinux</c>).
+</p>
+
+</body>
+</section>
+<section>
+<title>2011/07/22 - Introduction of MLS/MCS support</title>
+<body>
+
+<p>
+We now support MLS and MCS, right next to targeted and strict SELinux policy
+types. When using MLS or MCS, you will need to update the <path>/tmp</path>
+entry in your <path>/etc/fstab</path> to use
+<c>rootcontext=system_u:object_r:tmp_t:s0</c> (note the trailing <c>:s0</c>).
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Overview of Changes for ~Arch Users</title>
+<section>
+<title>2012/05/26 - Definition of /run in fstab</title>
+<body>
+
+<p>
+Users that have a <path>/run</path> location will need to mark this location in their
+<path>/etc/fstab</path> to make sure it gets mounted with the right SELinux
+context.
+</p>
+
+<p>
+For users of the <c>strict</c> and <c>targeted</c> SELinux policy types:
+</p>
+
+<pre caption="/etc/fstab setting for strict or targeted">
+tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
+</pre>
+
+<p>
+For other policy types users:
+</p>
+
+<pre caption="/etc/fstab setting for other policy type users">
+tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0
+</pre>
+
+</body>
+</section>
+</chapter>
+
+</guide>
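Review bot: in the "/run in fstab" section the second lead-in, "For other policy types users:", should name the policy types it means; the only difference between the two `<pre>` blocks is the trailing `:s0`, and the 2011/07/22 entry earlier in this file explains that suffix as an MLS/MCS requirement, so "For users of the MLS or MCS policy types:" would spare the reader the inference and also fixes the grammar. Two smaller points in the same hunk: `<path>util-linux-2.20.1-r1</path>` wraps a package version in `<path>`, which this guide otherwise uses for filesystem paths only, so `<c>` fits better there; and the introduction's "that might be important for users to follow up through" reads awkwardly, "that users should follow up on" says the same thing.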