Diffstat (limited to 'html/selinux-changes.html')
-rw-r--r-- html/selinux-changes.html 157
1 files changed, 157 insertions, 0 deletions
diff --git a/html/selinux-changes.html b/html/selinux-changes.html
new file mode 100644
index 0000000..bcd9f9b
--- /dev/null
+++ b/html/selinux-changes.html
@@ -0,0 +1,157 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo Hardened SELinux Change Overview</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo Hardened SELinux Change Overview</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Overview of Changes for Stable Users</option>
+<option value="#doc_chap3">3. Overview of Changes for ~Arch Users</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p class="secthead"><a name="doc_chap1_sect1">About this document</a></p>
+<p>
+This document will give an overview of all SELinux documented changes made
+on particular dates and that might be important for users to follow up through.
+</p>
+<p>
+Changes that only affect ~arch users will be documented below and moved up when
+they are stabilized. It is possible though that these changes will be "fixed"
+automatically and as such removed from this page.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Overview of Changes for Stable Users</p>
+<p class="secthead"><a name="doc_chap2_sect1">2012/05/26 - Support of initramfs</a></p>
+<p>
+Users who boot with an initramfs will need to boot in permissive mode first, and
+later on switch to enforcing mode. This can be done automatically using an
+init script, as documented at <a href="selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap5">Initramfs
+users</a>.
+</p>
+<p class="secthead"><a name="doc_chap2_sect2">2012/05/26 - Support for graphical login managers</a></p>
+<p>
+Users who boot into a graphical environment (such as through GDM) will need to
+edit their PAM configuration files accordingly to support SELinux security
+context settings. This is documented at <a href="selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap3">Users
+of a graphical environment</a>.
+</p>
+<p class="secthead"><a name="doc_chap2_sect3">2012/05/18 - No more sandbox configuration needed</a></p>
+<p>
+The previously documented editing of <span class="path" dir="ltr">/etc/sandbox.conf</span> to open
+write access to <span class="path" dir="ltr">/sys/fs/selinux/context</span> can be removed as the
+SELinux profile does this now automatically.
+</p>
+<p class="secthead"><a name="doc_chap2_sect4">2012/04/29 - Edit of lvm-start/stop scripts no longer needed</a></p>
+<p>
+When users install the newly stabilized 2.20120215 policies, the documented
+editing of <span class="path" dir="ltr">/lib/rcscripts/addons/lvm-st*.sh</span> is no longer needed.
+</p>
+<p class="secthead"><a name="doc_chap2_sect5">2012/02/21 - /dev mount line in fstab no longer needed</a></p>
+<p>
+The previously documented /dev mount line in <span class="path" dir="ltr">/etc/fstab</span> is no
+longer needed as <span class="path" dir="ltr">util-linux-2.20.1-r1</span> has been marked stable (which
+contains the correct bug fix).
+</p>
+<p class="secthead"><a name="doc_chap2_sect6">2011/12/10 - Deprecation of selinux/v2refpolicy/* profiles</a></p>
+<p>
+The old SELinux profiles (starting with <span class="code" dir="ltr">selinux/v2refpolicy</span>) are not
+supported anymore. Users are strongly encouraged to switch to the new profiles
+(those ending with <span class="code" dir="ltr">/selinux</span>).
+</p>
+<p class="secthead"><a name="doc_chap2_sect7">2011/07/22 - Introduction of MLS/MCS support</a></p>
+<p>
+We now support MLS and MCS, right next to targeted and strict SELinux policy
+types. When using MLS or MCS, you will need to update the <span class="path" dir="ltr">/tmp</span>
+entry in your <span class="path" dir="ltr">/etc/fstab</span> to use
+<span class="code" dir="ltr">rootcontext=system_u:object_r:tmp_t:s0</span> (note the trailing <span class="code" dir="ltr">:s0</span>).
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Overview of Changes for ~Arch Users</p>
+<p class="secthead"><a name="doc_chap3_sect1">2012/05/26 - Definition of /run in fstab</a></p>
+<p>
+Users that have a <span class="path" dir="ltr">/run</span> location will need to mark this location in their
+<span class="path" dir="ltr">/etc/fstab</span> to make sure it gets mounted with the right SELinux
+context.
+</p>
+<p>
+For users of the <span class="code" dir="ltr">strict</span> and <span class="code" dir="ltr">targeted</span> SELinux policy types:
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: /etc/fstab setting for strict or targeted</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
+</pre></td></tr>
+</table>
+<p>
+For other policy types users:
+</p>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: /etc/fstab setting for other policy type users</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0
+</pre></td></tr>
+</table>
+<br><p class="copyright">
+ The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="sven.vermeulen@siphos.be?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated May 26, 2012</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+As Gentoo is a rolling-release distribution, sometimes changes are being
+introduced which are documented in the main installation instructions but should
+be known by regular users as well. Not all of these changes are sufficiently
+intrusive to be set in a Gentoo news item. This document will contain an
+overview of all changes made in chronological order.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
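Review bot: The printer-friendly link in the sidebar (the `altlink` anchor titled "View a printer-friendly version") has `href="sven.vermeulen@siphos.be?style=printable"`, which puts the author's e-mail address where the document path belongs, so the Print link resolves to a relative URL that is not this page. Point it at this document's own path followed by `?style=printable`. Two smaller points in the same hunk: the commented RDF block opens with `<license rdf:about=...>` but closes with `</License>`, which is not well-formed for any consumer that parses the licence metadata as XML, and the iframe style reads `border:0px padding:0x`, which is missing the semicolon between declarations and has `0x` where `0px` is presumably meant.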