<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="css/main.css" type="text/css">
<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>SELinux features</p>
<p class="secthead"><a name="doc_chap1_sect1">Does SELinux enforce resource limits?</a></p>
<p>
  No, resource limits are outside the scope of an access control system.  If you
  are looking for this type of support, GRSecurity and RSBAC are better choices.
</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>SELinux and other hardened projects</p>
<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux and GRSecurity (and PaX)?</a></p>
<p>
  Yes, SELinux can be used with GRSecurity and/or PaX with no problems; however,
  it is suggested that GRACL not be used, since its access control would be
  redundant with SELinux's.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux and the hardened compiler (PIE-SSP)?</a></p>
<p>
  Yes.  It is also suggested that PaX be used to take full advantage
  of the PIE features of the compiler.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux and RSBAC?</a></p>
<p>
  Unknown.  Please report your results if you try this combination.
</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>SELinux and filesystems</p>
<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux with my primary filesystems?</a></p>
<p>
  SELinux can be used with ext2, ext3, JFS, and XFS.  Reiserfs (Reiser3) has
  extended attributes, but the support was never complete, and has been broken
  since 2.6.14.  Reiser4 is not supported.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux with my ancillary filesystems?</a></p>
<p>
  Yes, SELinux can mount ancillary filesystems, such as vfat and iso9660
  filesystems, with an important caveat.  All files in each filesystem will
  have the same SELinux type, since the filesystems do not support extended
  attributes.  Tmpfs is the only ancillary filesystem with complete extended
  attribute support, which allows it to behave like a primary filesystem.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux with my network filesystems?</a></p>
<p>
  Yes, SELinux can mount network filesystems, such as NFS and CIFS
  filesystems, with an important caveat.  All files in each filesystem will
  have the same SELinux type, since the filesystems do not support extended
  attributes.  In the future, hopefully network filesystems will begin to
  support extended attributes, then they will work like a primary filesystem.
</p>
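<p>
  Added example, not part of the handbook: an fstab fragment showing how the
  single-type caveat above is handled in practice with the context= mount
  option, which assigns the one label every file on the mount will carry. The
  type names, device paths and server names are assumptions and should be
  checked against the installed policy.
</p>

```fstab
# Added example, not part of the handbook. vfat, iso9660, NFS and CIFS cannot
# store per-file extended attributes, so every file on each of these mounts
# gets the one label named by context=. The types removable_t, iso9660_t,
# nfs_t and cifs_t are assumed to exist in the installed policy; the devices
# and server names are constructed placeholders.
/dev/sdb1                /mnt/usb     vfat     noauto,user,context=system_u:object_r:removable_t     0 0
/dev/cdrom               /mnt/cdrom   iso9660  noauto,user,ro,context=system_u:object_r:iso9660_t    0 0
fileserver:/export/home  /home/net    nfs      rw,context=system_u:object_r:nfs_t                    0 0
//fileserver/share       /mnt/share   cifs     credentials=/etc/cifs.cred,context=system_u:object_r:cifs_t  0 0
# tmpfs needs no context= option: it supports extended attributes, so files
# on it are labelled individually, like a primary filesystem.
none                     /tmp         tmpfs    defaults                                              0 0
```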
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Portage error messages</p>
<p class="secthead"><a name="doc_chap1_sect1">I get a missing SELinux module error when using emerge:</a></p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.1: Portage message</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
!!! SELinux module not found. Please verify that it was installed.
</pre></td></tr>
</table>
<p>
  This indicates that the Portage SELinux module is missing or damaged.
  Python may also have been upgraded to a new version, which requires
  python-selinux to be recompiled.  Remerge dev-python/python-selinux.
  If packages have been merged while this condition existed, they must be
  relabeled after fixing it.  If the packages needing to be relabeled cannot
  be determined, a full relabel may be required.
</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>SELinux kernel error messages</p>
<p class="secthead"><a name="doc_chap1_sect1">I get a register_security error message when booting:</a></p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.1: Kernel message</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel
selinux_register_security:  Registering secondary module capability
Capability LSM initialized
</pre></td></tr>
</table>
<p>
  This means that the Capability LSM module couldn't register as the primary
  module, since SELinux is the primary module.  The third message means that it
  registers with SELinux as a secondary module.  This is normal.
</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Setfiles error messages</p>
<p class="secthead"><a name="doc_chap1_sect1">When I try to relabel, it fails with invalid contexts:</a></p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.1: Invalid contexts example</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# make relabel
/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
/usr/sbin/setfiles:  read 559 specifications
/usr/sbin/setfiles:  invalid context system_u:object_r:default_t on line number 39
/usr/sbin/setfiles:  invalid context system_u:object_r:urandom_device_t on line number 120
/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line number 377
/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line number 378
/usr/sbin/setfiles:  invalid context system_u:object_r:krb5_conf_t on line number 445
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 478
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 479
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 492
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 493
/usr/sbin/setfiles:  invalid context system_u:object_r:system_cron_spool_t on line number 494
Exiting after 10 errors.
make: *** [relabel] Error 1
</pre></td></tr>
</table>
<p>
  First ensure that /selinux is mounted.  If selinuxfs is not mounted, setfiles
  cannot validate any contexts, causing it to believe all contexts are
  invalid.  If /selinux is mounted, then most likely there is new policy that
  has not yet been loaded; therefore, the contexts have not yet become valid.
</p>
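<p>
  The two causes described above, as an added triage script that is not part
  of the handbook: it takes a copy of /proc/mounts and the setfiles output as
  strings (constructed samples, modelled on the listing, are embedded so it
  runs offline), reports whether selinuxfs is mounted, and lists the distinct
  types the running policy rejected. The /selinux mount point and the sample
  lines are assumptions.
</p>

```shell
#!/bin/sh
# Added example, not from the Gentoo handbook: triage a failed "make relabel".
# Inputs are passed as strings so the functions can be run on constructed data.

# Constructed /proc/mounts from a box where selinuxfs is NOT mounted.
MOUNTS_NO_SELINUXFS='/dev/sda3 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/sda1 /boot ext2 rw 0 0'

# Same table with selinuxfs mounted on /selinux (assumed 2.6-era mount point).
MOUNTS_WITH_SELINUXFS="$MOUNTS_NO_SELINUXFS
none /selinux selinuxfs rw 0 0"

# Constructed setfiles output, modelled on the listing above.
SETFILES_LOG='/usr/sbin/setfiles:  read 559 specifications
/usr/sbin/setfiles:  invalid context system_u:object_r:default_t on line number 39
/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line number 377
/usr/sbin/setfiles:  invalid context system_u:object_r:fonts_t on line number 378
/usr/sbin/setfiles:  invalid context system_u:object_r:krb5_conf_t on line number 445
Exiting after 10 errors.'

# Print the selinuxfs mount point, or nothing if it is not mounted.
# Real use: selinuxfs_mountpoint "$(cat /proc/mounts)"
selinuxfs_mountpoint() {
    printf '%s\n' "$1" | awk '$3 == "selinuxfs" { print $2; exit }'
}

# Print each distinct type that setfiles rejected, one per line, sorted.
# The context is field 4 of each "invalid context" line; the type is its
# third colon-separated component.
invalid_types() {
    printf '%s\n' "$1" | awk '/invalid context/ { split($4, c, ":"); print c[3] }' | sort -u
}

# Decide which of the two causes from the FAQ applies.
diagnose() {
    if [ -z "$(selinuxfs_mountpoint "$1")" ]; then
        echo "selinuxfs not mounted: setfiles cannot validate any context"
    elif [ -n "$(invalid_types "$2")" ]; then
        echo "policy not loaded: running policy lacks $(invalid_types "$2" | xargs)"
    else
        echo "no invalid contexts"
    fi
}
```

Run it on a live system with `diagnose "$(cat /proc/mounts)" "$(make relabel 2>&1)"`; the listed types are the ones to look for in the policy that has not yet been loaded.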
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2006</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>