<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
  Gentoo Hardened SELinux Change Overview</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Gentoo Hardened SELinux Change Overview</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
<option value="#doc_chap2">2. Overview of Changes for Stable Users</option>
<option value="#doc_chap3">3. Overview of Changes for ~Arch Users</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Introduction</p>
<p class="secthead"><a name="doc_chap1_sect1">About this document</a></p>
<p>
This document gives an overview of all documented SELinux changes, with the
dates on which they were made, that users may need to act on.
</p>
<p>
Changes that only affect ~arch users are documented below and moved up when
they are stabilized. It is possible, though, that such a change is "fixed"
automatically before stabilization and is then removed from this page.
</p>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>Overview of Changes for Stable Users</p>
<p class="secthead"><a name="doc_chap2_sect1">2012/05/26 - Support of initramfs</a></p>
<p>
Users who boot with an initramfs will need to boot in permissive mode first, and
later on switch to enforcing mode. This can be done automatically using an
init script, as documented at <a href="selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap5">Initramfs
users</a>.
</p>
<p class="secthead"><a name="doc_chap2_sect2">2012/05/26 - Support for graphical login managers</a></p>
<p>
Users who boot into a graphical environment (such as through GDM) will need to
edit their PAM configuration files accordingly to support SELinux security
context settings. This is documented at <a href="selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap3">Users
of a graphical environment</a>.
</p>
<p class="secthead"><a name="doc_chap2_sect3">2012/05/18 - No more sandbox configuration needed</a></p>
<p>
The previously documented editing of <span class="path" dir="ltr">/etc/sandbox.conf</span> to open
write access to <span class="path" dir="ltr">/sys/fs/selinux/context</span> can be removed as the
SELinux profile does this now automatically.
</p>
<p class="secthead"><a name="doc_chap2_sect4">2012/04/29 - Edit of lvm-start/stop scripts no longer needed</a></p>
<p>
When users install the newly stabilized 2.20120215 policies, the documented
editing of <span class="path" dir="ltr">/lib/rcscripts/addons/lvm-st*.sh</span> is no longer needed.
</p>
<p class="secthead"><a name="doc_chap2_sect5">2012/02/21 - /dev mount line in fstab no longer needed</a></p>
<p>
The previously documented /dev mount line in <span class="path" dir="ltr">/etc/fstab</span> is no
longer needed as <span class="path" dir="ltr">util-linux-2.20.1-r1</span> has been marked stable (which
contains the correct bug fix).
</p>
<p class="secthead"><a name="doc_chap2_sect6">2011/12/10 - Deprecation of selinux/v2refpolicy/* profiles</a></p>
<p>
The old SELinux profiles (starting with <span class="code" dir="ltr">selinux/v2refpolicy</span>) are not
supported anymore. Users are strongly encouraged to switch to the new profiles
(those ending with <span class="code" dir="ltr">/selinux</span>).
</p>
<p class="secthead"><a name="doc_chap2_sect7">2011/07/22 - Introduction of MLS/MCS support</a></p>
<p>
We now support MLS and MCS alongside the targeted and strict SELinux policy
types. When using MLS or MCS, you will need to update the <span class="path" dir="ltr">/tmp</span>
entry in your <span class="path" dir="ltr">/etc/fstab</span> to use
<span class="code" dir="ltr">rootcontext=system_u:object_r:tmp_t:s0</span> (note the trailing <span class="code" dir="ltr">:s0</span>, the sensitivity level).
</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
            </span>Overview of Changes for ~Arch Users</p>
<p class="secthead"><a name="doc_chap3_sect1">2012/05/26 - Definition of /run in fstab</a></p>
<p>
Users who have a <span class="path" dir="ltr">/run</span> location will need to mark this location in their
<span class="path" dir="ltr">/etc/fstab</span> to make sure it gets mounted with the right SELinux
context.
</p>
<p>
For users of the <span class="code" dir="ltr">strict</span> and <span class="code" dir="ltr">targeted</span> SELinux policy types:
</p>
<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.1: /etc/fstab setting for strict or targeted</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
tmpfs  /run  tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0
</pre></td></tr>
</table>
<p>
For users of other policy types (such as MLS or MCS):
</p>
<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.2: /etc/fstab setting for other policy type users</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
tmpfs  /run  tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0
</pre></td></tr>
</table>
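<p>
The two listings above, together with the <span class="path" dir="ltr">/tmp</span> entry
required for MLS/MCS in chapter 2, share one rule: the rootcontext carries a trailing
<span class="code" dir="ltr">:s0</span> level only for policy types other than strict and
targeted. The following script is an added example, not part of this document or of
Gentoo's own tooling. It parses fstab lines and reports which monitored mount points
have a missing or mismatched rootcontext for a given policy type. The sample fstab is
constructed; the expected types (<span class="code" dir="ltr">var_run_t</span> for
<span class="path" dir="ltr">/run</span>, <span class="code" dir="ltr">tmp_t</span> for
<span class="path" dir="ltr">/tmp</span>) are taken from this page.
</p>

```python
"""Check fstab rootcontext= options against the SELinux policy type.

Added example, not taken from the Gentoo handbook: it parses fstab text
and verifies that the tmpfs mounts /run and /tmp carry the rootcontext
the change overview asks for. Mount point to type mapping comes from the
page; the sample fstab below is constructed.
"""

# Constructed sample fstab: /run is written for an MLS/MCS policy (has :s0),
# /tmp is written for strict/targeted (no level). Only one of the two can be
# right for any given policy type.
SAMPLE_FSTAB = """\
# fs  mountpoint  type  opts  dump  pass
/dev/sda1  /boot  ext2  noauto,noatime  1 2
tmpfs  /run  tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0
tmpfs  /tmp  tmpfs nodev,nosuid,rootcontext=system_u:object_r:tmp_t  0 0
"""

# Expected SELinux type per mount point, from the change overview.
EXPECTED_TYPES = {"/run": "var_run_t", "/tmp": "tmp_t"}

# Policy types whose contexts carry no sensitivity level; every other
# policy type (MLS, MCS) needs the trailing :s0.
NO_LEVEL_POLICIES = {"strict", "targeted"}


def parse_fstab(text):
    """Return a list of (mountpoint, options-dict) for non-comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) > 3:  # need at least fs, mountpoint, type, opts
            opts = {}
            for opt in fields[3].split(","):
                key, _, value = opt.partition("=")
                opts[key] = value
            entries.append((fields[1], opts))
    return entries


def expected_rootcontext(mountpoint, policy_type):
    """Build the rootcontext this page prescribes for the mount point."""
    ctx = "system_u:object_r:" + EXPECTED_TYPES[mountpoint]
    if policy_type not in NO_LEVEL_POLICIES:
        ctx += ":s0"
    return ctx


def check_fstab(text, policy_type):
    """Return {mountpoint: problem} for monitored mount points that are
    absent, lack a rootcontext, or carry the wrong one. An empty dict
    means the fstab matches the policy type."""
    seen = {}
    for mountpoint, opts in parse_fstab(text):
        if mountpoint in EXPECTED_TYPES:
            seen[mountpoint] = opts.get("rootcontext")
    problems = {}
    for mountpoint in EXPECTED_TYPES:
        want = expected_rootcontext(mountpoint, policy_type)
        if mountpoint not in seen:
            problems[mountpoint] = "no fstab entry (want " + want + ")"
        elif seen[mountpoint] is None:
            problems[mountpoint] = "missing rootcontext (want " + want + ")"
        elif seen[mountpoint] != want:
            problems[mountpoint] = "rootcontext " + seen[mountpoint] + " (want " + want + ")"
    return problems


if __name__ == "__main__":
    import sys
    policy = sys.argv[1] if len(sys.argv) > 1 else "strict"
    for mp, problem in sorted(check_fstab(SAMPLE_FSTAB, policy).items()):
        print(mp + ": " + problem)
```

<p>
Run against the constructed sample with a strict or targeted policy, only the
<span class="path" dir="ltr">/run</span> line is flagged (its context carries a level
it should not have); with MLS or MCS, only <span class="path" dir="ltr">/tmp</span> is
flagged for lacking <span class="code" dir="ltr">:s0</span>. To check a real system,
pass the contents of <span class="path" dir="ltr">/etc/fstab</span> instead of the sample.
</p>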
<br><p class="copyright">
	The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
  </p>
<!--
  <rdf:RDF xmlns="http://web.resource.org/cc/"
      xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  
  <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
    
     <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
     <permits rdf:resource="http://web.resource.org/cc/Distribution" />
     <requires rdf:resource="http://web.resource.org/cc/Notice" />
     <requires rdf:resource="http://web.resource.org/cc/Attribution" />
     <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
     <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
  </License>
  </rdf:RDF>
--><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="sven.vermeulen@siphos.be?style=printable">Print</a></p></td></tr>
<tr><td class="topsep" align="center"><p class="alttext">Page updated May 26, 2012</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
As Gentoo is a rolling-release distribution, sometimes changes are being
introduced which are documented in the main installation instructions but should
be known by regular users as well. Not all of these changes are sufficiently
intrusive to be set in a Gentoo news item. This document will contain an
overview of all changes made in chronological order.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
  <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
<br><i>Author</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>