| Field | Value | Date |
|---|---|---|
| author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-05-26 21:26:06 +0200 |
| committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-05-26 21:26:06 +0200 |
| commit | de478754690a9ed707d8bc557b29b79c0efa242b (patch) | |
| tree | 9f418ea7e7752f652b39dd25907ee75c09e5d76c | |
| parent | Attempt to document changes since installation for SELinux users (diff) | |
| download | hardened-docs-de478754690a9ed707d8bc557b29b79c0efa242b.tar.gz hardened-docs-de478754690a9ed707d8bc557b29b79c0efa242b.tar.bz2 hardened-docs-de478754690a9ed707d8bc557b29b79c0efa242b.zip | |
Update previews
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | html/roadmap.html | 9 |
| -rw-r--r-- | html/selinux-changes.html | 157 |
| -rw-r--r-- | html/selinux-faq.html | 785 |
| -rw-r--r-- | html/selinux/hb-intro-concepts.html | 784 |
| -rw-r--r-- | html/selinux/hb-intro-enhancingsecurity.html | 219 |
| -rw-r--r-- | html/selinux/hb-intro-referencepolicy.html | 242 |
| -rw-r--r-- | html/selinux/hb-intro-resources.html | 97 |
| -rw-r--r-- | html/selinux/hb-intro-virtualization.html | 42 |
| -rw-r--r-- | html/selinux/hb-using-commands.html | 452 |
| -rw-r--r-- | html/selinux/hb-using-configuring.html | 919 |
| -rw-r--r-- | html/selinux/hb-using-install.html | 632 |
| -rw-r--r-- | html/selinux/hb-using-policies.html | 359 |
| -rw-r--r-- | html/selinux/hb-using-states.html | 299 |
| -rw-r--r-- | html/selinux/hb-using-troubleshoot.html | 310 |
| -rw-r--r-- | html/selinux/index.html | 216 |
| -rw-r--r-- | html/selinux/selinux-handbook.html | 168 |
| -rw-r--r-- | pdf/selinux-handbook.pdf | bin, 302235 -> 0 bytes |

17 files changed, 158 insertions, 5532 deletions
diff --git a/html/roadmap.html b/html/roadmap.html index e35467e..c912578 100644 --- a/html/roadmap.html +++ b/html/roadmap.html @@ -270,13 +270,6 @@ of the packages and standard policies. <td class="infohead"><b>Related Bugs</b></td> </tr> <tr> - <td class="tableinfo">Stabilize 20120215 policies</td> - <td class="tableinfo">2012-04-30</td> - <td class="tableinfo"></td> - <td class="tableinfo">SwifT</td> - <td class="tableinfo"></td> -</tr> -<tr> <td class="tableinfo">Have SELinux-enabled stage3 available on the mirrors</td> <td class="tableinfo">2012-06-31</td> <td class="tableinfo"></td> @@ -288,7 +281,7 @@ of the packages and standard policies. </td> <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr> -<tr><td class="topsep" align="center"><p class="alttext">Page updated April 5, 2012</p></td></tr> +<tr><td class="topsep" align="center"><p class="alttext">Page updated May 26, 2012</p></td></tr> <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> A roadmap that plots current needs and goals of the Hardened Gentoo project. diff --git a/html/selinux-changes.html b/html/selinux-changes.html new file mode 100644 index 0000000..bcd9f9b --- /dev/null +++ b/html/selinux-changes.html 
@@ -0,0 +1,157 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html lang="en"> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> +<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> +<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> +<title>Gentoo Linux Documentation +-- + Gentoo Hardened SELinux Change Overview</title> +</head> +<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> +<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> +<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> +<td width="99%" class="content" valign="top" align="left"> +<br><h1>Gentoo Hardened SELinux Change Overview</h1> +<form name="contents" action="http://www.gentoo.org"> +<b>Content</b>: + <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" 
style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option> +<option value="#doc_chap2">2. Overview of Changes for Stable Users</option> +<option value="#doc_chap3">3. Overview of Changes for ~Arch Users</option></select> +</form> +<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. + </span>Introduction</p> +<p class="secthead"><a name="doc_chap1_sect1">About this document</a></p> +<p> +This document will give an overview of all SELinux documented changes made +on particular dates and that might be important for users to follow up through. +</p> +<p> +Changes that only affect ~arch users will be documented below and moved up when +they are stabilized. It is possible though that these changes will be "fixed" +automatically and as such removed from this page. +</p> +<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. + </span>Overview of Changes for Stable Users</p> +<p class="secthead"><a name="doc_chap2_sect1">2012/05/26 - Support of initramfs</a></p> +<p> +Users who boot with an initramfs will need to boot in permissive mode first, and +later on switch to enforcing mode. This can be done automatically using an +init script, as documented at <a href="selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5">Initramfs +users</a>. +</p> +<p class="secthead"><a name="doc_chap2_sect2">2012/05/26 - Support for graphical login managers</a></p> +<p> +Users who boot into a graphical environment (such as through GDM) will need to +edit their PAM configuration files accordingly to support SELinux security +context settings. This is documented at <a href="selinux/selinux-handbook.xml?part=2&chap=2#doc_chap3">Users +of a graphical environment</a>. 
+</p> +<p class="secthead"><a name="doc_chap2_sect3">2012/05/18 - No more sandbox configuration needed</a></p> +<p> +The previously documented editing of <span class="path" dir="ltr">/etc/sandbox.conf</span> to open +write access to <span class="path" dir="ltr">/sys/fs/selinux/context</span> can be removed as the +SELinux profile does this now automatically. +</p> +<p class="secthead"><a name="doc_chap2_sect4">2012/04/29 - Edit of lvm-start/stop scripts no longer needed</a></p> +<p> +When users install the newly stabilized 2.20120215 policies, the documented +editing of <span class="path" dir="ltr">/lib/rcscripts/addons/lvm-st*.sh</span> is no longer needed. +</p> +<p class="secthead"><a name="doc_chap2_sect5">2012/02/21 - /dev mount line in fstab no longer needed</a></p> +<p> +The previously documented /dev mount line in <span class="path" dir="ltr">/etc/fstab</span> is no +longer needed as <span class="path" dir="ltr">util-linux-2.20.1-r1</span> has been marked stable (which +contains the correct bug fix). +</p> +<p class="secthead"><a name="doc_chap2_sect6">2011/12/10 - Deprecation of selinux/v2refpolicy/* profiles</a></p> +<p> +The old SELinux profiles (starting with <span class="code" dir="ltr">selinux/v2refpolicy</span>) are not +supported anymore. Users are strongly encouraged to switch to the new profiles +(those ending with <span class="code" dir="ltr">/selinux</span>). +</p> +<p class="secthead"><a name="doc_chap2_sect7">2011/07/22 - Introduction of MLS/MCS support</a></p> +<p> +We now support MLS and MCS, right next to targeted and strict SELinux policy +types. When using MLS or MCS, you will need to update the <span class="path" dir="ltr">/tmp</span> +entry in your <span class="path" dir="ltr">/etc/fstab</span> to use +<span class="code" dir="ltr">rootcontext=system_u:object_r:tmp_t:s0</span> (note the trailing <span class="code" dir="ltr">:s0</span>). +</p> +<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3. 
+ </span>Overview of Changes for ~Arch Users</p> +<p class="secthead"><a name="doc_chap3_sect1">2012/05/26 - Definition of /run in fstab</a></p> +<p> +Users that have a <span class="path" dir="ltr">/run</span> location will need to mark this location in their +<span class="path" dir="ltr">/etc/fstab</span> to make sure it gets mounted with the right SELinux +context. +</p> +<p> +For users of the <span class="code" dir="ltr">strict</span> and <span class="code" dir="ltr">targeted</span> SELinux policy types: +</p> +<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: /etc/fstab setting for strict or targeted</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0 +</pre></td></tr> +</table> +<p> +For other policy types users: +</p> +<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: /etc/fstab setting for other policy type users</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0 +</pre></td></tr> +</table> +<br><p class="copyright"> + The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply. 
+ </p> +<!-- + <rdf:RDF xmlns="http://web.resource.org/cc/" + xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> + + <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/"> + + <permits rdf:resource="http://web.resource.org/cc/Reproduction" /> + <permits rdf:resource="http://web.resource.org/cc/Distribution" /> + <requires rdf:resource="http://web.resource.org/cc/Notice" /> + <requires rdf:resource="http://web.resource.org/cc/Attribution" /> + <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" /> + <requires rdf:resource="http://web.resource.org/cc/ShareAlike" /> + </License> + </rdf:RDF> +--><br> +</td> +<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> +<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="sven.vermeulen@siphos.be?style=printable">Print</a></p></td></tr> +<tr><td class="topsep" align="center"><p class="alttext">Page updated May 26, 2012</p></td></tr> +<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> +As Gentoo is a rolling-release distribution, sometimes changes are being +introduced which are documented in the main installation instructions but should +be known by regular users as well. Not all of these changes are sufficiently +intrusive to be set in a Gentoo news item. This document will contain an +overview of all changes made in chronological order. +</p></td></tr> +<tr><td align="left" class="topsep"><p class="alttext"> + <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a> +<br><i>Author</i><br></p></td></tr> +<tr lang="en"><td align="center" class="topsep"> +<p class="alttext"><b>Donate</b> to support our development efforts. 
+ </p> +<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> +<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> +</form> +</td></tr> +<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> +</table></td> +</tr></table></td></tr> +<tr><td colspan="2" align="right" class="infohead"> +Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +</td></tr> +</table></body> +</html> diff --git a/html/selinux-faq.html b/html/selinux-faq.html deleted file mode 100644 index 29c7826..0000000 --- a/html/selinux-faq.html +++ /dev/null 
@@ -1,785 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Documentation --- - Gentoo Hardened SELinux Frequently Asked Questions</title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<br><h1>Gentoo Hardened SELinux Frequently Asked Questions</h1> -<form name="contents" action="http://www.gentoo.org"> -<b>Content</b>: - <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" 
style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Questions</option> -<option value="#doc_chap2">2. General SELinux Support Questions</option> -<option value="#doc_chap3">3. Using SELinux</option> -<option value="#doc_chap4">4. SELinux Kernel Error Messages</option> -<option value="#doc_chap5">5. SELinux and Gentoo</option></select> -</form> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Questions</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -Using SELinux requires administrators a more thorough knowledge of their -system and a good idea on how processes should behave. Next to the <a href="selinux/selinux-handbook.html">Gentoo Hardened SELinux -handbook</a>, a proper FAQ allows us to inform and help users in their -day-to-day SELinux experience. -</p> -<p> -The FAQ is an aggregation of solutions found on IRC, mailinglists, forums -and elsewhere. It focuses on SELinux integration on Gentoo Hardened, but -general SELinux questions that are popping up regularly will be incorporated -as well. 
-</p> -<p class="secthead">General SELinux Support Questions</p> -<ul> -<li><a href="#features">Does SELinux enforce resource limits?</a></li> -<li><a href="#grsecurity">Can I use SELinux with grsecurity (and PaX)?</a></li> -<li><a href="#pie-ssp">Can I use SELinux and the hardened compiler (with PIE-SSP)?</a></li> -<li><a href="#rsbac">Can I use SELinux and RSBAC?</a></li> -<li><a href="#filesystem">Can I use SELinux with any file system?</a></li> -<li><a href="#nomultilib">Can I use SELinux with AMD64 no-multilib?</a></li> -<li><a href="#ubac">What is UBAC exactly?</a></li> -</ul> -<p class="secthead">Using SELinux</p> -<ul> -<li><a href="#enable_selinux">How do I enable SELinux?</a></li> -<li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li> -<li><a href="#disable_selinux">How do I disable SELinux completely?</a></li> -<li><a href="#matchcontext">How do I know which file context rule is used for a particular file?</a></li> -<li><a href="#localpolicy">How do I make small changes (additions) to the policy?</a></li> -</ul> -<p class="secthead">SELinux Kernel Error Messages</p> -<ul> -<li><a href="#register_security">I get a register_security error message when booting</a></li> -<li><a href="#permission_not_defined">I get a 'Permission ... in class ... not defined' message during booting</a></li> -</ul> -<p class="secthead">SELinux and Gentoo</p> -<ul> -<li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li> -<li><a href="#loadpolicy">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></li> -<li><a href="#conflicting_types">During rlpkg I get 'conflicting specifications for ... 
and ..., using ...'</a></li> -<li><a href="#portage_libsandbox">During package installation, ld.so complains 'object 'libsandbox.so' -from LD_PRELOAD cannot be preloaded: ignored'</a></li> -<li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li> -<li><a href="#cronfails">Cron fails to load in root's crontab with message '(root) ENTRYPOINT -FAILED (crontabs/root)'</a></li> -<li><a href="#missingdatum">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></li> -<li><a href="#recoverportage">Portage fails to label files because "setfiles" does not work anymore</a></li> -<li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li> -<li><a href="#auth-run_init">Why do I always need to re-authenticate when operating init scripts?</a></li> -<li><a href="#initramfs">How do I use SELinux with initramfs?</a></li> -<li><a href="#xdm">Logons through xdm (or similar) fail</a></li> -</ul> -<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. - </span>General SELinux Support Questions</p> -<p class="secthead"><a name="features"></a><a name="doc_chap2_sect1">Does SELinux enforce resource limits?</a></p> -<p> -No, resource limits are outside the scope of an access control system. If you -are looking for this type of support, take a look at technologies like -grsecurity, cgroups, pam and the like. -</p> -<p class="secthead"><a name="grsecurity"></a><a name="doc_chap2_sect2">Can I use SELinux with grsecurity (and PaX)?</a></p> -<p> -Definitely, we even recommend it. However, it is suggested that grsecurity's -ACL support is not used as it would be redundant to SELinux's access control. -</p> -<p class="secthead"><a name="pie-ssp"></a><a name="doc_chap2_sect3">Can I use SELinux and the hardened compiler (with PIE-SSP)?</a></p> -<p> -Definitely. We also suggest to use PaX to take full advantage of the PIE -features of the compiler. 
-</p> -<p class="secthead"><a name="rsbac"></a><a name="doc_chap2_sect4">Can I use SELinux and RSBAC?</a></p> -<p> -Yes, SELinux and RSBAC can be used together, but it is not recommended. -Both frameworks (RSBAC and the SELinux implementation on top of Linux' Linux -Security Modules framework) have a slight impact on system performance. -Enabling them both only hinders performance more, for little added value since -they both offer similar functionality. -</p> -<p> -In most cases, it makes more sense to use RSBAC without SELinux, or SELinux -without RSBAC. -</p> -<p class="secthead"><a name="filesystem"></a><a name="doc_chap2_sect5">Can I use SELinux with any file system?</a></p> -<p> -SELinux requires access to a file's security context to operate properly. -To do so, SELinux uses <span class="emphasis">extended file attributes</span> which needs to be -properly supported by the underlying file system. If the file system supports -extended file attributes and you have configured your kernel to enable this -support, then SELinux will work on those file systems. -</p> -<p> -General Linux file systems, such as ext2, ext3, ext4, jfs, xfs and btrfs -support extended attributes (but don't forget to enable it in the kernel -configuration) as well as tmpfs (for instance used by udev). If your file -system collection is limited to this set, then you should have no issues. -</p> -<p> -Ancillary file systems such as vfat and iso9660 are supported too, but with -an important caveat: all files in each file system will have the same SELinux -security context information since these file systems do not support extended -file attributes. -</p> -<p> -Network file systems can be supported in the same manner as ancillary file -systems (all files share the same security context). However, some development -has been made in supported extended file attributes on the more popular file -systems such as NFS. 
Although this is far from production-ready, it does look -like we will eventually support these file systems on SELinux fully as well. -</p> -<p class="secthead"><a name="nomultilib"></a><a name="doc_chap2_sect6">Can I use SELinux with AMD64 no-multilib?</a></p> -<p> -Yes, just use the <span class="path" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span> profile -and you're all set. -</p> -<p class="secthead"><a name="ubac"></a><a name="doc_chap2_sect7">What is UBAC exactly?</a></p> -<p> -UBAC, or <span class="emphasis">User Based Access Control</span>, introduces additional constraints -when using SELinux policy. Participating domains / types that are <span class="emphasis">both</span> -marked as a <span class="code" dir="ltr">ubac_constrained_type</span> (which is an attribute) will only -have the allowed privileges in effect if they both run with the same SELinux -user context. -</p> -<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Domains and their SELinux user context</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment"># The SELinux allow rule</span> -allow foo_t bar_t:file { read }; - -<span class="code-comment"># This will succeed:</span> -staff_u:staff_r:foo_t reads file with type staff_u:object_r:bar_t - -<span class="code-comment"># This will be prohibited:</span> -user_u:user_r:foo_t reads file with type staff_u:object_r:bar_t -</pre></td></tr> -</table> -<p> -Of course, this is not always the case. Besides the earlier mentioned -requirement that both types are <span class="code" dir="ltr">ubac_constrained_type</span>, if the source -domain is <span class="code" dir="ltr">sysadm_t</span>, then the constraint will not be in effect (the -<span class="code" dir="ltr">sysadm_t</span> domain is exempt from UBAC constraints). 
Also, if the source -or destination SELinux user is <span class="code" dir="ltr">system_u</span> then the constraint will also -not be in effect. -</p> -<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3. - </span>Using SELinux</p> -<p class="secthead"><a name="enable_selinux"></a><a name="doc_chap3_sect1">How do I enable SELinux?</a></p> -<p> -This is explained in the <a href="selinux/selinux-handbook.html">SELinux Handbook</a> -in the chapter on <span class="emphasis">Using Gentoo/Hardened SELinux</span>. -</p> -<p class="secthead"><a name="switch_status"></a><a name="doc_chap3_sect2">How do I switch between permissive and enforcing?</a></p> -<p> -The easiest way is to use the <span class="code" dir="ltr">setenforce</span> command. With <span class="code" dir="ltr">setenforce -0</span> you tell SELinux to run in permissive mode. Similarly, with -<span class="code" dir="ltr">setenforce 1</span> you tell SELinux to run in enforcing mode. -</p> -<p> -You can also add a kernel option <span class="code" dir="ltr">enforcing=0</span> or <span class="code" dir="ltr">enforcing=1</span> -in the bootloader configuration (or during the startup routine of the system). -This allows you to run SELinux in permissive or enforcing mode from the start -of the system. -</p> -<p> -The default state of the system is kept in <span class="path" dir="ltr">/etc/selinux/config</span>. -</p> -<p class="secthead"><a name="disable_selinux"></a><a name="doc_chap3_sect3">How do I disable SELinux completely?</a></p> -<p> -It might be possible that running SELinux in permissive mode is not sufficient -to properly fix any issue you have. To disable SELinux completely, you need to -edit <span class="path" dir="ltr">/etc/selinux/config</span> and set <span class="code" dir="ltr">SELINUX=disabled</span>. Next, -reboot your system. 
-</p> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> -When you have been running your system with SELinux disabled, you must boot -in permissive mode first and relabel your entire file system. Activities ran -while SELinux was disabled might have created new files or removed the labels -from existing files, causing these files to be available without security -context. -</p></td></tr></table> -<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">How do I know which file context rule is used for a particular file?</a></p> -<p> -If you use the <span class="code" dir="ltr">matchpathcon</span> command, it will tell you what the security -context for the given path (file or directory) should be, but it doesn't tell -you which rule it used to deduce this. To do that, you can use <span class="code" dir="ltr">findcon</span>: -</p> -<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Using findcon</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">findcon /etc/selinux/strict/contexts/files/file_contexts -p /lib64/rc/init.d</span> -/.* system_u:object_r:default_t -/lib64/rc/init\.d(/.*)? system_u:object_r:initrc_state_t -/lib64/.* system_u:object_r:lib_t -</pre></td></tr> -</table> -<p> -When the SELinux utilities try to apply a context, they try to match the rule -that is the most specific, so in the above case, it is the one that leads to the -initrc_state_t context. -</p> -<p> -The most specific means, in order of tests: -</p> -<ol> - <li> - If line A has a regular expression, and line B doesn't, then line B is more - specific. 
- </li> - <li> - If the number of characters before the first regular expression in line A is - less than the number of characters before the first regular expression in - line B, then line B is more specific - </li> - <li> - If the number of characters in line A is less than in line B, then line B is - more specific - </li> - <li> - If line A does not map to a specific SELinux type, and line B does, then - line B is more specific - </li> -</ol> -<p> -However, when you add your own file contexts (using <span class="code" dir="ltr">semanage</span>), this does -not apply. Instead, tools like <span class="code" dir="ltr">restorecon</span> will take the <span class="emphasis">last</span> hit -within the locally added file contexts! You can check the content of the -locally added rules in <span class="path" dir="ltr">/etc/selinux/strict/contexts/files/file_contexts.local</span> -(substitute <span class="path" dir="ltr">strict</span> with your SELinux type). -</p> -<p class="secthead"><a name="localpolicy"></a><a name="doc_chap3_sect5">How do I make small changes (additions) to the policy?</a></p> -<p> -If you are interested in the Gentoo Hardened SELinux development itself, please -have a look at the <a href="selinux-development.html">SELinux -Development Guide</a> and other documentation linked from the <a href="selinux/index.html">SELinux project page</a>. -</p> -<p> -However, you will eventually need to keep some changes on your policy, due to -how you have configured your system or when you need to allow something that is -not going to be accepted as a distribution-wide policy change. In that case, -read on. -</p> -<p> -Updates on the policy are only possible as long as you need to <span class="emphasis">allow</span> -additional privileges. It is not possible to remove rules from the policy, only -enhance it. To maintain your own set of additional rules, create a file in which -you will keep your changes. 
In the next example, I will use the term -<span class="path" dir="ltr">fixlocal</span>, substitute with whatever name you like - but keep it -consistent. In the file (<span class="path" dir="ltr">fixlocal.te</span>) put in the following text -(again, substitute <span class="path" dir="ltr">fixlocal</span> with your chosen name): -</p> -<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: fixlocal.te content</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -policy_module(fixlocal, 1.0) - -require { -<span class="code-comment"># Declarations of types, classes and permissions used</span> - -} - -<span class="code-comment"># Declaration of policy rules</span> -</pre></td></tr> -</table> -<p> -In this file, you can add rules as you like. In the next example, we add three -rules: -</p> -<ol> - <li> - Allow <span class="code" dir="ltr">mozilla_t</span> the <span class="code" dir="ltr">execmem</span> privilege (based on a denial that - occurs when mozilla fails to start) - </li> - <li> - Allow <span class="code" dir="ltr">ssh_t</span> to connect to any port rather than just the SSH port - </li> - <li> - Allows the <span class="code" dir="ltr">user_t</span> domain to send messages directly to the system - logger - </li> -</ol> -<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: fixlocal.te content</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -policy_module(fixlocal, 1.0) - -require { - type mozilla_t; - type ssh_t; - type user_t; - - class process { execmem }; -} - -<span class="code-comment"># Grant mozilla the execmem privilege</span> -allow mozilla_t self:process { execmem }; - -<span class="code-comment"># Allow SSH client to connect to any port (as provided by the user through the -# 
"ssh -p <portnum> ..." command)</span> -corenet_tcp_connect_all_ports(ssh_t) - -<span class="code-comment"># Allow the user_t domain to send messages to the system logger</span> -logging_send_syslog_msg(user_t) -</pre></td></tr> -</table> -<p> -If you need to provide raw allow statements (like the one above for the -<span class="code" dir="ltr">mozilla_t</span> domain), make sure that the type (<span class="code" dir="ltr">mozilla_t</span>), -class (<span class="code" dir="ltr">process</span>) and privilege (<span class="code" dir="ltr">execmem</span>) are mentioned in -the <span class="code" dir="ltr">require { ... }</span> paragraph. -</p> -<p> -When using interface names, make sure that the types (<span class="code" dir="ltr">ssh_t</span> and -<span class="code" dir="ltr">user_t</span>) are mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph. -</p> -<p> -To find the proper interface name (like <span class="code" dir="ltr">corenet_tcp_connect_all_ports</span> -above), you can either look for it in the <a href="http://oss.tresys.com/docs/refpolicy/api/">SELinux Reference Policy -API</a> online or, if <span class="code" dir="ltr">sec-policy/selinux-base-policy</span> is built with the -<span class="emphasis">doc</span> USE flag, in <span class="path" dir="ltr">/usr/share/doc/selinux-base-policy-.*/html</span>. -Of course, you can also ask for help in <span class="code" dir="ltr">#gentoo-hardened</span> on -irc.freenode.net, the mailinglist, forums, etc. to find the proper rules and -statements for your case. -</p> -<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4. 
- </span>SELinux Kernel Error Messages</p> -<p class="secthead"><a name="register_security"></a><a name="doc_chap4_sect1">I get a register_security error message when booting</a></p> -<p> -During boot-up, the following message pops up: -</p> -<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Kernel message on register_security</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -There is already a security framework initialized, register_security failed. -Failure registering capabilities with the kernel -selinux_register_security: Registering secondary module capability -Capability LSM initialized -</pre></td></tr> -</table> -<p> -This is nothing to worry about (and perfectly normal). -</p> -<p> -This means that the Capability LSM module couldn't register as the primary -module, since SELinux is the primary module. The third message means that it -registers with SELinux as a secondary module. -</p> -<p class="secthead"><a name="permission_not_defined"></a><a name="doc_chap4_sect2">I get a 'Permission ... in class ... not defined' message during booting</a></p> -<p> -During boot-up, the following message is shown: -</p> -<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Kernel message on undefined permission(s)</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -SELinux: 2048 avtab hash slots, 16926 rules. -SELinux: 2048 avtab hash slots, 16926 rules. -SELinux: 6 users, 6 roles, 1083 types, 34 bools -SELinux: 77 classes, 16926 rules -SELinux: Permission read_policy in class security not defined in policy. -SELinux: Permission audit_access in class file not defined in policy. -SELinux: Permission audit_access in class dir not defined in policy. 
-SELinux: Permission execmod in class dir not defined in policy. -... -SELinux: the above unknown classes and permissions will be denied -SELinux: Completing initialization. -</pre></td></tr> -</table> -<p> -This means that the Linux kernel that you are booting supports permissions that -are not defined in the policy (as offered through the -<span class="code" dir="ltr">sec-policy/selinux-base-policy</span> package). If you do not notice any errors -during regular operations, then this can be ignored (the permissions will be -made part of upcoming policy definitions). -</p> -<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5. - </span>SELinux and Gentoo</p> -<p class="secthead"><a name="no_module"></a><a name="doc_chap5_sect1">I get a missing SELinux module error when using emerge</a></p> -<p> -When trying to use <span class="code" dir="ltr">emerge</span>, the following error message is displayed: -</p> -<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Error message from emerge on the SELinux module</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -!!! SELinux module not found. Please verify that it was installed. -</pre></td></tr> -</table> -<p> -This indicates that the portage SELinux module is missing or damaged. Recent -Portage versions provide this module out-of-the-box, but the security contexts -of the necessary files might be wrong on your system. 
Try relabelling the files -of the portage package: -</p> -<a name="doc_chap5_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.2: Relabel all portage files</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">rlpkg portage</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="loadpolicy"></a><a name="doc_chap5_sect2">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></p> -<p> -When running emerge, the following error is shown: -</p> -<a name="doc_chap5_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.3: Emerge error on loadpolicy</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -FEATURES variable contains unknown value(s): loadpolicy -</pre></td></tr> -</table> -<p> -This is a remnant of the older SELinux policy module set where policy packages -might require this FEATURE to be available. This has however since long been -removed from the tree. -</p> -<p> -Please update your profile to a recent SELinux profile (one ending with -<span class="path" dir="ltr">/selinux</span>) and make sure that <span class="path" dir="ltr">/etc/make.conf</span> does not -have <span class="code" dir="ltr">FEATURES="loadpolicy"</span> set. -</p> -<p class="secthead"><a name="conflicting_types"></a><a name="doc_chap5_sect3">During rlpkg I get 'conflicting specifications for ... 
and ..., using ...'</a></p> -<p> -When trying to relabel a package (<span class="code" dir="ltr">rlpkg packagename</span>) or system (<span class="code" dir="ltr">rlpkg --a -r</span>) you get a message similar to the following: -</p> -<a name="doc_chap5_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.4: rlpkg complaining about conflicting specifications</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -filespec_add: conflicting specifications for /usr/bin/getconf and -/usr/lib64/misc/glibc/getconf/XBS5_LP64_OFF64, using -system_u:object_r:lib_t -</pre></td></tr> -</table> -<p> -This is most likely caused by hard linked files. Remember, SELinux uses the -extended attributes in the file system to store the security context of a file. -If two separate paths point to the same file using hard links (i.e. the files -share the same inode) then both files will have the same security context. -</p> -<p> -The solution depends on the particular case; in order of most likely to happen -and resolve: -</p> -<ol> - <li> - Although both files are the same, they are not used in the same context. - In such cases, it is recommended to remove one of the files and then copy - the other file back to the first (<span class="code" dir="ltr">rm B; cp A B</span>). This way, both - files have different inodes and can be labelled accordingly. 
- </li> - <li> - Both files are used for the same purpose; in this case, it might be better - to label the file which would not be labelled correctly (say a binary - somewhere in a <span class="path" dir="ltr">/usr/lib64</span> location) using <span class="code" dir="ltr">semanage</span> - (<span class="code" dir="ltr">semanage fcontext -a -t correct_domain_t /usr/lib64/path/to/file</span>) - </li> -</ol> -<p> -It is also not a bad idea to report (after verifying if it hasn't been reported -first) this on <a href="https://bugs.gentoo.org">Gentoo's bugzilla</a> so -that the default policies are updated accordingly. -</p> -<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">During package installation, ld.so complains 'object 'libsandbox.so' -from LD_PRELOAD cannot be preloaded: ignored'</a></p> -<p> -During installation of a package, you might see the following error message: -</p> -<a name="doc_chap5_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.5: Error message during package installation</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> ->> Installing (1 of 1) net-dns/host-991529 ->>> Setting SELinux security labels -ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. -</pre></td></tr> -</table> -<p> -This message should <span class="emphasis">only</span> occur after the <span class="emphasis">Setting SELinux security -labels</span> message. It happens because SELinux tells glibc to disable -<span class="code" dir="ltr">LD_PRELOAD</span> (and other environment variables that are considered -potentially harmful) during domain transitions. Here, portage calls the -<span class="code" dir="ltr">setfiles</span> command (part of a SELinux installation) and as such -transitions from portage_t to setfiles_t, which clears the environment -variable. 
-</p> -<p> -We believe that it is safer to trust the SELinux policy here (as setfiles runs -in its own confined domain anyhow) rather than updating the policy to allow -transitioning between portage_t to setfiles_t without clearing these -environment variables. Note that <span class="emphasis">libsandbox.so is not disabled during builds -and merges</span>, only during the activity where Portage labels the files it -just merged. -</p> -<p> -So the error is in our opinion cosmetic and can be ignored (but sadly not -hidden). -</p> -<p class="secthead"><a name="emergefails"></a><a name="doc_chap5_sect5">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></p> -<p> -This is to be expected if you are not using the <span class="code" dir="ltr">sysadm_r</span> role. Any -Portage related activity requires that you are in the <span class="code" dir="ltr">sysadm_r</span> role. To -transition to the role, first validate if you are currently known as -<span class="code" dir="ltr">staff_u</span> (or, if you added your own SELinux identities, a user that has -the permission to transition to the <span class="code" dir="ltr">sysadm_r</span> role). Then run <span class="code" dir="ltr">newrole --r sysadm_r</span> to transition. -</p> -<a name="doc_chap5_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.6: Transitioning to sysadm_r</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">emerge --info</span> -Permission denied: '/etc/make.conf' -~$ <span class="code-input">id -Z</span> -staff_u:staff_r:staff_t -~$ <span class="code-input">newrole -r sysadm_r</span> -Password: <span class="code-comment"># Enter your users' password</span> -</pre></td></tr> -</table> -<p> -This is also necessary if you logged on to your system as root but through SSH. 
-The default behavior is that SSH sets the lowest role for the particular user -when logged on. And you shouldn't allow remote root logins anyhow. -</p> -<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">Cron fails to load in root's crontab with message '(root) ENTRYPOINT -FAILED (crontabs/root)'</a></p> -<p> -When you hit the mentioned error with a root crontab or an administrative -users' crontab, but not with a regular users' crontab, then check the context of -the crontab file: -</p> -<a name="doc_chap5_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.7: Check context of the crontab file</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">ls -Z /var/spool/cron/crontabs/root</span> -staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root -</pre></td></tr> -</table> -<p> -Next, check what the default context is for the given user (in this case, root) -when originating from the <span class="code" dir="ltr">crond_t</span> domain: -</p> -<a name="doc_chap5_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.8: Check default context for user root</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">getseuser root system_u:system_r:crond_t</span> -seuser: root, level (null) -Context 0 root:sysadm_r:cronjob_t -Context 1 root:staff_r:cronjob_t -</pre></td></tr> -</table> -<p> -As you can see, the default context is always for the <span class="code" dir="ltr">root</span> SELinux user. -However, the <span class="path" dir="ltr">/var/spool/cron/crontabs/root</span> file context in the -above example is for the SELinux user staff_u. 
Hence, cron will not be able to -read this file (the <span class="code" dir="ltr">user_cron_spool_t</span> type is a UBAC constrained one). -</p> -<p> -To fix this, change the user of the file to root: -</p> -<a name="doc_chap5_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.9: Change the SELinux user of the root crontab file</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span> -</pre></td></tr> -</table> -<p> -Another fix would be to disable UBAC completely. This is accomplished with -<span class="code" dir="ltr">USE="-ubac"</span>. -</p> -<p class="secthead"><a name="missingdatum"></a><a name="doc_chap5_sect7">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></p> -<p> -When using <span class="code" dir="ltr">seinfo</span> or <span class="code" dir="ltr">sesearch</span> to query the policy on the system, -you get errors similar to: -</p> -<a name="doc_chap5_pre10"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.10: Triggering the 'could not find datum' error</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">seinfo -tasterisk_t</span> -ERROR: could not find datum for type asterisk_t -</pre></td></tr> -</table> -<p> -This is most likely because your tools are using a newer binary policy to -enforce policy, but an older binary for querying. 
You can verify if this is the -case by listing the last modification time on the files: -</p> -<a name="doc_chap5_pre11"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.11: Checking last modification time of the policy files</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">ls -ltr /etc/selinux/strict/policy/policy.*</span> -</pre></td></tr> -</table> -<p> -The file modified last should be the same one as returned by checking -<span class="path" dir="ltr">/selinux/policyvers</span>: -</p> -<a name="doc_chap5_pre12"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.12: Checking the runtime policy version</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">cat /selinux/policyvers; echo</span> -24 -</pre></td></tr> -</table> -<p> -If this is not the case (which is very likely since you are reading this FAQ -entry) then try forcing the utilities policy version to the correct version: -</p> -<a name="doc_chap5_pre13"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.13: Editing semanage.conf</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">vim /etc/selinux/semanage.conf</span> -<span class="code-comment"># Look for and uncomment the policy-version line and set it to the right version</span> -policy-version = <span class="code-input">24</span> -</pre></td></tr> -</table> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> -If your system is upgrading its kernel, higher version(s) can be supported. 
In -this case, either unset the value again to automatically "jump" to a higher -version, or force set it to the higher version. -</p></td></tr></table> -<p class="secthead"><a name="recoverportage"></a><a name="doc_chap5_sect8">Portage fails to label files because "setfiles" does not work anymore</a></p> -<p> -Portage uses the <span class="code" dir="ltr">setfiles</span> command to set the labels of the files it -installs. However, that command is a dynamically linked executable, so any -update in its depending libraries (<span class="path" dir="ltr">libselinux.so</span>, -<span class="path" dir="ltr">libsepol.so</span>, <span class="path" dir="ltr">libaudit.so</span> and of course -<span class="path" dir="ltr">libc.so</span>) might cause for the application to fail. Gentoo's standard -solution (<span class="code" dir="ltr">revdep-rebuild</span>) will not work, since the tool will try to -rebuild policycoreutils, which will fail to install because Portage cannot set -the file labels. -</p> -<p> -The solution is to rebuild policycoreutils while disabling Portage's selinux -support, then label the installed files manually using <span class="code" dir="ltr">chcon</span>, based on -the feedback received from <span class="code" dir="ltr">matchpathcon</span>. -</p> -<a name="doc_chap5_pre14"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.14: Recovering from Portage installation failures</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">FEATURES="-selinux" emerge --oneshot policycoreutils</span> -# <span class="code-input">for FILE in $(qlist policycoreutils); do \ -CONTEXT=$(matchpathcon -n ${FILE}); chcon ${CONTEXT} ${FILE}; done</span> -</pre></td></tr> -</table> -<p> -Now Portage will function properly again, labeling files as they should. 
-</p> -<p class="secthead"><a name="nosuid"></a><a name="doc_chap5_sect9">Applications do not transition on a nosuid-mounted partition</a></p> -<p> -If you have file systems mounted with the <span class="code" dir="ltr">nosuid</span> option, then -applications started from these file systems will not transition into their -appropriate domain. This is intentional. -</p> -<p> -So, a <span class="code" dir="ltr">passwd</span> binary, although correctly labeled <span class="emphasis">passwd_exec_t</span>, -will not transition into the <span class="emphasis">passwd_t</span> domain if the binary is stored on a -file system mounted with <span class="code" dir="ltr">nosuid</span>. -</p> -<p class="secthead"><a name="auth-run_init"></a><a name="doc_chap5_sect10">Why do I always need to re-authenticate when operating init scripts?</a></p> -<p> -When you, as an administrator, wants to launch or stop daemons, these activities -need to be done as <span class="code" dir="ltr">system_u:system_r</span>. Switching to this context set is a -highly privileged operation (since you are effectively leaving the user context -and entering a system context) and hence the default setup requires the user to -re-authenticate. 
-</p> -<p> -You can ask not to re-authenticate if you use PAM by editing -<span class="path" dir="ltr">/etc/pam.d/run_init</span> and adding the following line on top: -</p> -<a name="doc_chap5_pre15"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.15: Setup run_init pam configuration to allow root not to re-authenticate</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -auth sufficient pam_rootok.so -</pre></td></tr> -</table> -<p> -With this in place, you can now prepend your init script activities with -<span class="code" dir="ltr">run_init</span> and it will not ask for your password anymore: -</p> -<a name="doc_chap5_pre16"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.16: Using run_init</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">run_init rc-service local status</span> -Authenticating swift. - * status: started -</pre></td></tr> -</table> -<p class="secthead"><a name="initramfs"></a><a name="doc_chap5_sect11">How do I use SELinux with initramfs?</a></p> -<p> -We currently do not support booting in enforcing mode with an initramfs image -(but we are working on it). For the time being, boot in permissive mode. Once -booted, switch to enforcing mode (<span class="code" dir="ltr">setenforce 1</span>). -</p> -<p> -If you run SELinux on a production system and would not like to have attackers -be able to switch back to permissive mode (even when they would have the -necessary privileges otherwise), set the <span class="code" dir="ltr">secure_mode_policyload</span> boolean. -When enabled, enforcing mode cannot be disabled anymore (until you reboot). 
-</p> -<a name="doc_chap5_pre17"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.17: Toggling secure_mode_policyload</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">setsebool secure_mode_policyload on</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="xdm"></a><a name="doc_chap5_sect12">Logons through xdm (or similar) fail</a></p> -<p> -If you log on through xdm, gdm, kdm, slim or any other graphical logon manager, -you might notice in permissive mode that your context is off, and in enforcing -mode that you just cannot log on. -</p> -<p> -The reason of this is that PAM needs to be configured to include SELinux -awareness in your session handling: -</p> -<a name="doc_chap5_pre18"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.18: Updating pam setting for gdm</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -... -session required pam_loginuid.so -session optional pam_console.so -<span class="code-input">session optional pam_selinux.so</span> -</pre></td></tr> -</table> -<p> -Replicate the calls towards <span class="path" dir="ltr">pam_selinux.so</span> in the various -<span class="path" dir="ltr">/etc/pam.d/gdm*</span> files (or similar depending on your graphical -logon manager). 
-</p> -<br><br> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr> -<tr><td class="topsep" align="center"><p class="alttext">Page updated April 5, 2012</p></td></tr> -<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> -Frequently Asked Questions on SELinux integration with Gentoo Hardened. -The FAQ is a collection of solutions found on IRC, mailinglist, forums or -elsewhere -</p></td></tr> -<tr><td align="left" class="topsep"><p class="alttext"> - <a href="mailto:pebenito@gentoo.org" class="altlink"><b>Chris PeBenito</b></a> -<br><i>Author</i><br><br> - <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a> -<br><i>Author</i><br></p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/hb-intro-concepts.html b/html/selinux/hb-intro-concepts.html deleted file mode 100644 index 51626aa..0000000 --- a/html/selinux/hb-intro-concepts.html +++ /dev/null 
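Review bot: the commit message "Update previews" does not say why html/selinux-faq.html is removed outright (785 deletions, no replacement for it anywhere in this diff) rather than regenerated; the deleted text carries security guidance that readers may still reach by anchor (for example the `secure_mode_policyload` boolean under doc_chap5_sect11, the UBAC crontab fix under doc_chap5_sect6, and the nosuid transition note under doc_chap5_sect9), so the message or a README should state where the FAQ now lives, or a stub page pointing to the new location should be kept at the old path. Also note that the deleted preview's print link reads `href="pebenito@gentoo.org?style=printable"` rather than a document path, so if the FAQ preview is regenerated elsewhere from the same XML source, check that the printable link is fixed there too.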
@@ -1,784 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. 
- </span>Introduction</p> -<p class="secthead"><a name="doc_chap1_sect1">SELinux Concepts</a></p> -<p> -Since SELinux is a MAC system, you should already figure out that managing -SELinux-based permissions and rights might be a bit more challenging than -managing the discretionary access control rights generally used on a Linux -system. What is more is that SELinux works <b>on top of</b> the DAC system -everybody is used from Linux. As a system administrator, you will need to be -acquainted with some of the concepts and structures that SELinux has put in -place in order to manage the access on the SELinux system. -</p> -<p> -Describing those concepts is the purpose of this particular chapter. We will -give examples on the various concepts from a SELinux enabled Gentoo Hardened -system. However, do not fear if the use of particular commands is not explained -sufficiently. They are currently meant as examples (their output is more -important) and will be discussed further in this document. -</p> -<p class="secthead"><a name="doc_chap1_sect1">SELinux Policies</a></p> -<p> -Within Gentoo (and other distributions as well), SELinux is supported through -several policy levels. These are, in climbing order of complexity (meaning they -can offer more security, but are harder to manage): -</p> -<ol> - <li> - <b>targeted</b> is a policy where network-facing services (daemons) are - confined (the processes can only execute those actions that are defined - in the policy), but other applications are running what is called - <span class="emphasis">unconfined</span>, meaning that there are little to no restrictions for - those processes. - </li> - <li> - <b>strict</b> is a policy where all processes are confined. There are no - unconfined domains. In other distributions, this is still considered the - <span class="emphasis">targeted</span> policy but without the unconfined domain definition. 
- </li> - <li> - <b>multi-category security</b> is a policy where the (confined) domains can - be categorized (split up), allowing for multiple processes running in - different instances of a confined domain - </li> - <li> - <b>multi-level security</b> is a policy where rules exist regarding the - sensitivity of domains and resources. This allows for a "proper" - information flow policy (make sure that sensitive data isn't leaked - to less privileged domains). Conceptually, one can understand this best - if one considers sensitivity levels of Public, Internal, Confidential, - Strictly Confidential, etc. - </li> -</ol> -<p> -When using Gentoo Hardened, all these policies are available. However, -development focuses mainly on <span class="emphasis">strict</span> and <span class="emphasis">mcs</span>. The -<span class="emphasis">targeted</span> policy is assumed to work if strict works whereas we know -that the <span class="emphasis">mls</span> policy is currently not fit yet for production use. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Security Contexts</p> -<p class="secthead"><a name="doc_chap1_sect1">Users, Roles, Domains, Sensitivities and Categories</a></p> -<p> -One of the first concepts you will need to be acquainted with is the concept of -a <span class="emphasis">security context</span>. This is a state given to a resource that uniquely -identifies which grants (permissions) are applicable to the resource. This -context is extremely important for SELinux as it is the definition on which it -bases its permissions (grants or denials). When a resource has no security -context assigned, SELinux will try to give it a default security context which - -in the spirit of lowest privilege - has little permissions to perform any actions. 
-</p> -<p> -Within SELinux, such a security context is displayed using three to five -definitions, depending on the type of policy you are running: -</p> -<dl> - <dt>user</dt> - <dd> - This is the <span class="emphasis">SELinux user</span> (which is not the same as the Linux/Unix - technical user) assigned to the resource - </dd> - <dt>role</dt> - <dd> - This is the SELinux role in which the resource currently works - </dd> - <dt>type</dt> - <dd> - This is the type assigned to the resource and is the key to SELinux' - enforcement rules - </dd> - <dt>sensitivity</dt> - <dd> - This is a level given to a resource informing the system about the - sensitivity of this resource. A sensitivity is something akin to - Public, Internal, Restricted, Confidential, Strictly Confidential, ... - Sensitivity levels are only supported in MLS policies. - </dd> - <dt>category</dt> - <dd> - This is a specific instantiation of a resource. It allows segregation of - resources even if they are of the same type. More about categories later - - categories are supported in MLS and MCS policies. - </dd> -</dl> -<p> -More information on these particular definitions is given throughout the -remainder of this chapter. -</p> -<p> -As an example let's take a look at the security context of a logged on user: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the security context of a logged on user</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">id -Z</span> -staff_u:staff_r:staff_t -</pre></td></tr> -</table> -<p> -In this case, the user is identified as the SELinux user <span class="emphasis">staff_u</span>, -currently in the <span class="emphasis">staff_r</span> role and assigned to the <span class="emphasis">staff_t</span> -type. The actions the user is allowed to do are based upon this security -context. 
Also, you notice that only three identifiers are shown. This is -because the example is taken on a <span class="emphasis">strict</span> (or <span class="emphasis">targeted</span>) policy -system. The next example gives the same result, but on an <span class="emphasis">MCS</span> policy -system. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the security context of a logged on user on an MCS policy system</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">id -Z</span> -staff_u:staff_r:staff_t:s0-s0:c0.c1023 -</pre></td></tr> -</table> -<p> -Here, the user is running with sensitivity level of s0 (which, in an MCS policy -system, is the only available sensitivity) and with a category set of c0 up to -and including c1023. However, note that in an MCS policy system categories are -optional, so you might just see an output of <span class="emphasis">staff_u:staff_r:staff_t:s0</span>. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Access Control Policy</a></p> -<p> -As mentioned before, these security contexts are used as the base for the -permission rules. What SELinux does is check the security context of the source -(for instance a process) and the destination (for instance a file that that -process wants to read). It then checks if the requested operation (read) is -allowed between those two contexts. Keep in mind though that SELinux works on -top of the standard permission system used by Linux. If a process is not able to -read a file to begin with, SELinux is not even consulted. -</p> -<p> -Now, where the security context defines the state of a resource, we have not -spoken about the resources themselves. Within SELinux, the resource types are -defined as <span class="emphasis">object classes</span>. 
Common examples are <span class="emphasis">file</span> or <span class="emphasis">dir</span>, -but SELinux also manages classes such as <span class="emphasis">filesystem</span>, <span class="emphasis">tcp_socket</span>, -<span class="emphasis">process</span>, <span class="emphasis">sem</span> (semaphores) and more. -</p> -<p> -On each object class, a set of <span class="emphasis">permissions</span> is declared which are possible -against a resource within this object class. For instance, the <span class="emphasis">process</span> -object class supports at least the following permissions: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Supported permissions against a 'process' resource</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">ls /selinux/class/process/perms</span> -dyntransition getcap rlimitinh setpgid siginh -execheap getpgid setcap setrlimit sigkill -execmem getsched setcurrent setsched signal -execstack getsession setexec setsockcreate signull -fork noatsecure setfscreate share sigstop -getattr ptrace setkeycreate sigchld transition -</pre></td></tr> -</table> -<p> -The most common SELinux access control rule (<span class="emphasis">allow</span>) is described as -follows: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux allow statement</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -allow ACTOR TARGET:CLASS PRIVILEGE; - +-+-+ +-+--+ +-+-+ +---+---+ - | | | `- Permission to be granted (like "write") - | | `- Class on which permission is given (like "file") - | `- Resource (label) on which permission is valid (like "portage_conf_t") - `- Actor (domain) which gets the privilege (like "sysadm_t") -</pre></td></tr> 
-</table> -<p> -Let's take a look at a small example to explain the permission rules and how -SELinux uses them. The example user is in the <span class="emphasis">staff_u:staff_r:staff_t</span> -context and wants to write to its own home directory. As we can expect, this -should be allowed. Don't worry about the commands here, we'll discuss them more -properly further in this document. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Seeing if a user can write to its own home directory</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">(Show the security context for the users' home directory)</span> -~$ <span class="code-input">ls -dZ ${HOME}</span> -staff_u:object_r:user_home_dir_t /home/swift - -<span class="code-comment">(Find the allow-rule which allows the staff_t type to write into a - directory with the user_home_dir_t type)</span> -~$ <span class="code-input">sesearch -s staff_t -t user_home_dir_t -c dir -p write -A</span> -Found 1 semantic av rules: - allow staff_t user_home_dir_t : dir { ioctl read write create ... }; -</pre></td></tr> -</table> -<p> -As expected, the security context of the user (to be more specific, the domain -in which it resides) has write access to the domain of the target's directories. -The notion of <span class="emphasis">domain</span> is frequently used in SELinux documentation and -refers to the type assigned to a process. BTW, as files do not have roles, -they are given the default <span class="emphasis">object_r</span> role by SELinux. -</p> -<p> -Now take a look at the following example. 
Our user, who is inside the portage -group, wants to write to the <span class="path" dir="ltr">/var/tmp/portage</span> directory: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Seeing if a user can write to the /var/tmp/portage directory</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">id -a</span> -uid=1001(swift) gid=100(users) groups=100(users),...,250(portage),... -~$ <span class="code-input">ls -ldZ /var/tmp/portage</span> -drwxrwxr-x. 3 portage portage system_u:object_r:portage_tmp_t 4096 Dec 6 21:08 /var/tmp/portage -</pre></td></tr> -</table> -<p> -From the standard Linux permissions, the user has write access. But does SELinux -also grant it? -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Trying to write into /var/tmp/portage</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">sesearch -s staff_t -t portage_tmp_t -c dir -p write -A</span> -~$ -<span class="code-comment">(Notice that there is no output given here)</span> -~$ <span class="code-input">touch /var/tmp/portage/foo</span> -touch: cannot touch '/var/tmp/portage/foo': Permission denied -</pre></td></tr> -</table> -<p> -As SELinux could not find a rule that allows the staff_t domain to write to any -directory labeled with the portage_tmp_t type, the permission was denied. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. 
- </span>Type Enforcements / Domain Types</p> -<p class="secthead"><a name="doc_chap1_sect1">Types and Domains</a></p> -<p> -To explain how the permission rules work and how this is enforced through the -security contexts, let's start from the last definition in the context (the -<span class="emphasis">type</span>) and work our way forward through the roles and users. -</p> -<ul> - <li> - A <span class="emphasis">SELinux type</span> is a particular label assigned to a resource. The - <span class="code" dir="ltr">passwd</span> command for instance is labeled with the passwd_exec_t type. - </li> - <li> - A <span class="emphasis">SELinux domain</span> is the security state of a process and identifies the rights - and permissions it has. It is most often referred to by its type declaration. - For instance, for a running <span class="code" dir="ltr">passwd</span> command, its domain is passwd_t. - </li> -</ul> -<p> -The rules that identify the allowed actions for a domain have been described earlier. Again: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Standard SELinux policy rules</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -allow <src_domain> <dst_type> : <class> { permission [ permission [ ... ] ] } ; -</pre></td></tr> -</table> -<p> -An example for the <span class="emphasis">passwd_t</span> domain would be the permissions granted -between the <span class="emphasis">passwd_t</span> domain and the <span class="emphasis">shadow_t</span> type (used by the -<span class="path" dir="ltr">/etc/shadow</span> file). 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Grants between passwd_t and shadow_t</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -allow passwd_t shadow_t : file { ioctl read write create ... } ; -</pre></td></tr> -</table> -<p> -This permission syntax is very powerful, but also difficult. To have a secure -system where normal behavior is allowed, you need to seriously fine-tune these -rules for each and every application (and thus domain) that your system wants to -host. Giving too broad permissions to a domain on a particular type might result -in unauthorized activity being granted. Giving too few permissions might result -in loss of efficiency or even effectiveness. -</p> -<p> -To support easier grant rules, SELinux allows grouping of types using type -attributes. For instance, the attribute <span class="emphasis">exec_type</span> bundles all types -that are assigned to executable files (such as <span class="emphasis">bin_t</span>, <span class="emphasis">ssh_exec_t</span>, -...), whereas the <span class="emphasis">file_type</span> attribute bundles all types that are -assigned to regular files. Although this can simplify rule management, it makes -it easier to grant too many permissions. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Domain Transitions</a></p> -<p> -So far for types, domain definitions and their permissions. We have stated before -that permissions are based on the domain in which a process resides. But how -does a process become part of the domain? 
You might think that this happens by -default (starting the <span class="code" dir="ltr">passwd</span> command would automatically bring the -process in the <span class="emphasis">passwd_t</span> domain), but this is in fact a combination of -three specific privileges that need to be granted: -</p> -<ol> - <li> - The current domain must be allowed to transition to a domain - </li> - <li> - The target domain should have an <span class="emphasis">entry point</span>, which is an executable - that is allowed to start in the domain - </li> - <li> - The source domain should have <span class="emphasis">execute</span> rights on (the domain of) that - executable - </li> -</ol> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> -Not being allowed to transition does not mean that you cannot -execute the binary. The binary can still be executed, but will not run inside -the target domain. Instead, it will inherit the domain of the executor and hence -the rights and permissions of this domain. -</p></td></tr></table> -<p> -Through these rules, the security administrator of a system can more -specifically control who and under which conditions particular actions can be -taken. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Roles and Rights</p> -<p class="secthead"><a name="doc_chap1_sect1">The Role of a Role</a></p> -<p> -The previously discussed domains and domain rules is quite powerful. However, -this is not where SELinux stops. After all, you want to be able to deny access -towards particular domains from unauthorized users. One requirement is of course -not to allow transitions from the user domain to that restricted domain, but how -can you enforce one set of users to be allowed and another to be denied? -</p> -<p> -Enter the roles. By using roles, you can tell SELinux which domains are allowed -for a role and which aren't. 
An example would be the <span class="emphasis">ifconfig_t</span> domain. -This domain has the rights to change the networking interface definitions - not -something you want to allow your users. And in fact, if you would verify, -SELinux does not allow the user role <span class="emphasis">user_r</span> to be assigned with the -<span class="emphasis">ifconfig_t</span> domain. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: ifconfig_t domain and user_r versus sysadm_r</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">seinfo -ruser_r -x</span> - user_r - Dominated Roles: - user_r - Types: - ... -~$ <span class="code-input">seinfo -rsysadm_r -x</span> - sysadm_r - Dominated Roles: - sysadm_r - Types: - ... - ifconfig_t - ... -</pre></td></tr> -</table> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> -Again, not being able to be associated with a domain does not mean that the -<span class="emphasis">user_r</span> role cannot <span class="emphasis">execute</span> the <span class="code" dir="ltr">ifconfig</span> binary. It can, but -it will execute the binary within its own domain (<span class="emphasis">user_t</span>) and as such -will not have the rights to manipulate the networking interface (but will still -be able to read the interface information albeit with limited output). -</p></td></tr></table> -<p> -Roles are often used in access control systems to group permissions to a single -functional set (the role) which can then be assigned to individuals (accounts). -For instance, such access control systems create roles for accountants, -operators, managers, ... and grant the appropriate privileges to these roles. 
-Then, their users are assigned one (or sometimes multiple) roles and the users -inherit the permissions assigned to these roles. -</p> -<p> -With SELinux, the idea remains the same (use roles to functionally differentiate -privileges) but is implemented differently: roles are assigned target domains -in which a role is allowed to "be in". The permissions remain assigned to the -domains. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Role Transitions</a></p> -<p> -Users (and processes) have the ability to switch roles. This is allowed by -SELinux, but of course only when the switch itself is granted. By default, -the SELinux policy used by Gentoo Hardened offers five roles on a SELinux -system: -</p> -<dl> - <dt>object_r</dt> - <dd> - The <span class="emphasis">object_r</span> role is the only role by default available through - SELinux. It is usually only assigned to resources where roles have no - benefit or value (such as files and directories). - </dd> - <dt>system_r</dt> - <dd> - The <span class="emphasis">system_r</span> role is used for highly privileged system services. - The <span class="emphasis">system_r</span> role is allowed to switch to any other "default" role. - No role exception <span class="emphasis">sysadm_r</span> can switch to the <span class="emphasis">system_r</span> role. - </dd> - <dt>sysadm_r</dt> - <dd> - The <span class="emphasis">sysadm_r</span> role is used for system administration activities. The - <span class="emphasis">sysadm_r</span> role is allowed to switch to any other "default" role. Only - the <span class="emphasis">system_r</span> and <span class="emphasis">staff_r</span> roles are allowed to switch to the - <span class="emphasis">sysadm_r</span> role. - </dd> - <dt>staff_r</dt> - <dd> - The <span class="emphasis">staff_r</span> role is used for system operators who might have the - rights to perform system administration tasks. 
The <span class="emphasis">staff_r</span> role is - only allowed to switch to the <span class="emphasis">sysadm_r</span> role. Only <span class="emphasis">sysadm_r</span> and - <span class="emphasis">system_r</span> can switch to the <span class="emphasis">staff_r</span> role. - </dd> - <dt>user_r</dt> - <dd> - The <span class="emphasis">user_r</span> role is used for standard, unprivileged users. It is not - allowed to transition towards any other role; only <span class="emphasis">sysadm_r</span> and - <span class="emphasis">system_r</span> roles are allowed to switch to the <span class="emphasis">user_r</span> role. - </dd> -</dl> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> -A "default" role is any of <span class="emphasis">user_r</span>, <span class="emphasis">staff_r</span>, <span class="emphasis">sysadm_r</span> or -<span class="emphasis">system_r</span>. If you create additional roles yourself, they are not part of -the "default" roles. -</p></td></tr></table> -<p> -Using these definitions, a user inside the <span class="emphasis">user_r</span> role will never be able -to execute <span class="code" dir="ltr">ifconfig</span> within the <span class="emphasis">ifconfig_t</span> domain. The use of the -word <span class="emphasis">never</span> here is important: not even if the user is able to become -root using <span class="code" dir="ltr">sudo</span> or any other command will he be able to run the -<span class="code" dir="ltr">ifconfig</span> command in the <span class="emphasis">ifconfig_t</span> domain because, even after -running <span class="code" dir="ltr">sudo</span>, he is still inside the <span class="emphasis">user_r</span> role. -</p> -<p class="secthead"><a name="doc_chap1_sect1">SELinux Users</a></p> -<p> -A SELinux user is not the same as the Linux user. 
Whereas standard Linux user -accounts can be switched using commands such as <span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span>, a -SELinux user can not be changed. Even when you successfully execute <span class="code" dir="ltr">sudo</span>, -your SELinux user will remain the same. -</p> -<p> -When you look at a SELinux powered system, you might notice that that system -doesn't use many SELinux users. For instance, Gentoo Hardened's default setup -defines the users <span class="emphasis">root</span>, <span class="emphasis">user_u</span>, <span class="emphasis">staff_u</span>, <span class="emphasis">sysadm_u</span> and -<span class="emphasis">system_u</span> and some systems never introduce any other SELinux user. But if -that is the case, is the above advantage of SELinux users (once a user is logged -on, he cannot change his SELinux user) the only one? -</p> -<p> -Well, no. SELinux users are also used to categorize accounts which have the -permission to use a particular role. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux users and their associated roles</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">semanage user -l</span> -SELinux User SELinux Roles - -root staff_r sysadm_r -staff_u staff_r sysadm_r -sysadm_u sysadm_r -system_u system_r -user_u user_r -</pre></td></tr> -</table> -<p> -Standard Linux users are mapped to these SELinux users: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Linux users and their SELinux user mappings</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">semanage login -l</span> -Login Name SELinux User - -__default__ user_u -root root -swift staff_u -</pre></td></tr> -</table> -<p> -In this example, only logins of the Linux user <span class="emphasis">swift</span> (through -<span class="emphasis">staff_u</span>) and <span class="emphasis">root</span> (through the <span class="emphasis">root</span> SELinux user) -will be able to eventually run inside the <span class="emphasis">sysadm_r</span> role. All other -Linux accounts will be by default mapped to the <span class="emphasis">user_u</span> user (and -this <span class="emphasis">user_r</span> role). -</p> -<p> -This is <span class="emphasis">only</span> applicable for interactive logins. Processes that are -launched through an init script or otherwise do not automatically become part of -the SELinux user <span class="emphasis">user_u</span>: depending on the security context of whatever -process is starting them, they can become anything. 
Of course, if the security -context of the process that is starting them is <span class="emphasis">user_u:user_r:user_t</span> then -they will not be able to transform into anything other than -<span class="emphasis">user_u:user_r:*</span> with <span class="emphasis">*</span> a domain supported by the <span class="emphasis">user_r</span> -role. -</p> -<p> -SELinux users are also used to implement <span class="emphasis">User Based Access Control</span> or -<span class="emphasis">UBAC</span>. This SELinux functionality allows for domains to be SELinux user -aware: a process running in the context of a particular SELinux user can then - -for instance - only work with files of the same SELinux user. This offers a -finer grained access method, because that process might run within a domain -which has write access to the domain of the file, but can still not write to the -file because the SELinux users' differ. -</p> -<p> -At this moment, Gentoo Hardened SELinux' supports both policies with and -without UBAC, although we strongly recommend to use UBAC. This is controlled -through the <span class="code" dir="ltr">ubac</span> USE flag. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Multi Level Security / Multi Category Security</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -Next to the type enforcement feature, SELinux also offers MLS and MCS support. -This allows administrators to define a hierarchical confidentiality policy. -For instance, you can ensure that a user or process within a certain -security domain and level can write to files with the same level (or higher), or -read files with the same level (or lower), but not write files to a lower level. -This allows administrators to implement some sort of -public/internal/confidential/strictly confidential hierarchical security level -for files. 
-</p> -<p> -Although implementation of MLS is possible with the type enforcement rules we -have previously explained, it would lead to an unmanageable collection of types -and permissions. The MLS implementation simplifies this. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Multi-Level Security</a></p> -<p> -The most flexible - but also most challenging to manage - method offered by -SELinux is MLS, or <span class="emphasis">Multi-Level Security</span>. When using this policy type, -security administrators can assign sensitivity labels to resources and define -which domains (and which sensitivity levels) are able to read/write to which -level. A level is always given as a range, showing the lowest and highest level -that a particular domain is running in. -</p> -<p> -Next to the sensitivity level, MLS supports categories on a per-level basis. -These categories allow the security administrator to make different, possibly -independent "containers" for sensitive resources. To give an example, the -administrator can support the levels Public up to Strictly Confidential, and -categories of "Finance", "Risk Analysis", "Acquisitions", "IT Systems", ... -</p> -<p> -With such categories, one can then allow one role to have access to all -sensitivity levels for a particular category (say "IT Systems") but still only -have access to the Public and Internal documents of all other categories. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Multi-Category Security</a></p> -<p> -The MCS or <span class="emphasis">Multi-Category Security</span> policy is a subset of the MLS policy. -It supports the various categories, but without using the multiple security -levels for the resources. -</p> -<p> -The use of MCS has become popular because it is far less difficult to manage -while still retaining some of the flexibilities offered by the MLS policy. 
-Where MLS is more chosen for business purposes (and as such has some influence -on the organization of the business), MCS is often used for <span class="emphasis">multitenancy</span> -architectures. In a multi-tenant architecture, systems are running processes for -various clients simultaneously. Categorisation allows for separation of -privileges across these processes without introducing multiple domains (which -would require the development of new policies for each new client that a system -wants to serve). -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Reference Policy</p> -<p class="secthead"><a name="doc_chap1_sect1">About refpolicy</a></p> -<p> -As described previously, SELinux uses type enforcement to describe the state of -your system. This is done by giving each resource on your system (be it a -process, a network port, a file or directory) a specific type and describe the -rules how types can work with each other. -</p> -<p> -Managing such a policy is not easy. Unlike some other MAC systems, which rely -on a learning mode and do not use domain definitions (they rather keep track of -which commands a process is allowed to execute), a proper SELinux definition -requires lots (thousands and thousands) of permission lines. -</p> -<p> -To ensure that no duplicate effort is made, and to help distributions like -Gentoo, Fedora, RedHat, Debian, ... with their SELinux integration efforts, a -project is launched called <span class="emphasis">The Reference Policy</span>. -</p> -<p> -This project, managed by <a href="http://oss.tresys.com/projects/refpolicy">Tresys</a>, is used by almost -all SELinux supporting distributions, including Gentoo Hardened, Fedora, RedHat -Enterprise Linux, Debian, Ubuntu and more. 
This implementation not only offers -the modular policies that users are looking for, but also enhances the SELinux -experience with additional development tools that make it easier to work with -the SELinux policies on your system. Updates in the reference policy eventually -make it in all supported distributions. The same goes for Gentoo Hardened, which -aims to use a policy as close as possible to the reference policy, and submits -its own patches to the reference policy as well, which benefits the entire -community. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Reference Policy API</a></p> -<p> -One major advantage of the reference policy is its API. To help policy writers, -the reference policy uses a macro language which generates the necessary allow -(and other) rules. This macro language makes it a lot easier to add rights to -particular domains. You can find the API documented <a href="http://oss.tresys.com/docs/refpolicy/api/">online</a>, but if you have -USE="doc" set, it will be stored on your system as well the moment you install -and configure SELinux. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Modular Approach</a></p> -<p> -Another feature of the reference policy is its use of <span class="emphasis">modules</span>. If you -would build all rules in a single policy (a binary file readable by the Linux -kernel, allowing it to interpret and enforce SELinux rules), the file would -quickly become too huge and inefficient. -</p> -<p> -Instead, the reference policy defines the rules in what it calls modules, which -define one domain (like <span class="code" dir="ltr">portage_t</span>) or more (if they are all tightly -related) and the rights and privileges that that domain would need in order to -function properly. Any right that the domain needs with respect to another -domain needs to be defined through that domains' interfaces (see earlier), -forcing the modules to be specific and manageable. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example overview of installed SELinux modules</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semodule -l</span> -alsa 1.11.0 -apache 2.3.0 -audioentropy 1.6.0 -dbus 1.15.0 -dmidecode 1.4.0 -<span class="code-comment">(...)</span> -</pre></td></tr> -</table> -<p> -By using a modular approach, one only needs to load the base policy (kernel -layer as well as other, core definitions) and the modules related to his system. -You can then safely ignore the other modules. This improves performance (smaller -policy, which also causes rebuilds to be a lot less painful) and manageability -(properly defined boundaries for policy rules). -</p> -<p class="secthead"><a name="doc_chap1_sect1">Tunables and Conditionals</a></p> -<p> -But wait, there's more. The reference policy also supports <span class="emphasis">booleans</span>. -Those are flags that a security administrator can enable or disable to change -the active policy. Properly defined booleans allow security administrators to -fine-tune the policy for their system. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Overview of available booleans</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">getsebool -a</span> -allow_execheap --> off -allow_execmem --> off -allow_execmod --> off -allow_execstack --> off -allow_gssd_read_tmp --> on -allow_httpd_anon_write --> off -</pre></td></tr> -</table> -<p> -Booleans are an important part to make a generic reference policy which is still -usable for the majority of SELinux users. 
Although they have specific -requirements (such as allowing ptrace, or disallowing execmem) they can still -use the same reference policy and only need to toggle the booleans they need. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Policy Files and Versions</a></p> -<p> -The SELinux policy infrastructure that is used (i.e. the capabilities and -functionalities that it offers) isn't in its first version. Currently, SELinux -deployments use a binary version of 24 or 26 (depending on the kernel version -used). -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the binary policy version</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">sestatus</span> -SELinux status: enabled -SELinuxfs mount: /selinux -Current mode: enforcing -Mode from config file: enforcing -Policy version: 24 -Policy from config file: strict -</pre></td></tr> -</table> -<p> -Every time functionalities or capabilities are added which require -changes to the internal structure of the compiled policy, this version is -incremented. The following is an overview of the policy versions' history. 
-</p> -<dl> - <dt>Version 12</dt> - <dd>"Old API" for SELinux, which is now deprecated</dd> - <dt>Version 15</dt> - <dd>"New API" for SELinux, merged in Linux kernel 2.6.0 (until 2.6.5)</dd> - <dt>Version 16</dt> - <dd>Conditional policy extensions added (2.6.5)</dd> - <dt>Version 17</dt> - <dd>IPV6 support added (2.6.6 - 2.6.7)</dd> - <dt>Version 18</dt> - <dd>Fine-grained netlink socket support added (2.6.8 - 2.6.11)</dd> - <dt>Version 19</dt> - <dd>Enhanced multi-level security (2.6.12 - 2.6.13)</dd> - <dt>Version 20</dt> - <dd>Access vector table size optimizations (2.6.14 - 2.6.18)</dd> - <dt>Version 21</dt> - <dd>Object classes in range transitions (2.6.19 - 2.6.24)</dd> - <dt>Version 22</dt> - <dd>Policy capabilities (features) (2.6.25)</dd> - <dt>Version 23</dt> - <dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd> - <dt>Version 24</dt> - <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd> - <dt>Version 25</dt> - <dd>Filename based transition support (2.6.39)</dd> - <dt>Version 26</dt> - <dd>Role transition support for non-process classes (3.0)</dd> -</dl> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Next Steps</p> -<p class="secthead"><a name="doc_chap1_sect1">What Next</a></p> -<p> -It might be difficult to understand now, but the concepts are important because, -if something fails on your system when SELinux is enabled, but it doesn't fail -when SELinux is disabled, then you will need to dive into the security contexts, -rules, types and domain transitions to find out why. -</p> -<p> -The next chapter in line will give you some background resource information -(online resources, books, FAQs, etc.) After that, we'll dive into the -installation and configuration of SELinux on your Gentoo Hardened system. Then, -we'll configure and tune the SELinux policy to our needs. 
-</p> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated July 21, 2011</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. - </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/hb-intro-enhancingsecurity.html b/html/selinux/hb-intro-enhancingsecurity.html deleted file mode 100644 index 09b8c12..0000000 --- a/html/selinux/hb-intro-enhancingsecurity.html +++ /dev/null 
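Review bot: this tail of the hb-intro-concepts.html removal drops the "Policy Files and Versions" section (the sestatus listing showing "Policy version: 24", the version 12 to 26 history list and the "Next Steps" pointer to the resources and installation chapters) with nothing in the diff saying where that material now lives, and the identical version-history list is deleted again from hb-intro-referencepolicy.html further down in this same commit, so both copies of the only policy-version explanation vanish at once; please name the replacement location in the commit message or leave a short redirect page. If the text is migrated rather than discarded, note that the removed prose says deployments "use a binary version of 24 or 26 (depending on the kernel version used)" while its own listing hard-codes 24; the durable form is to tell the reader to run sestatus and read the "Policy version" line rather than quoting a number.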
@@ -1,219 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Introduction</p> -<p class="secthead"><a name="doc_chap1_sect1">A Warm Welcome</a></p> -<p> -Welcome to the Gentoo SELinux handbook. 
In this resource, we will bring you up -to speed with Gentoo Hardened's implementation of SELinux and the policies -involved. Part of this exercise is to help you understand why SELinux was -brought to life and which concept is behind the development of the SELinux -patches. We will cover the SELinux concepts, the reference policy that Gentoo -Hardened uses and elaborate on how to work with the various SELinux tools. -</p> -<p> -The purpose of this book is not to explain SELinux itself in great detail. There -are many references available on the Internet and in the better bookstores that -help you with the SELinux topic. Instead, we will focus on SELinux integration -within Gentoo Hardened. Of course, we will give a quick introduction to SELinux -to allow you to understand how it works, what it is and help you identify which -actions you will need to take in order to properly secure your system using the -SELinux tools. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Securing Linux</p> -<p class="secthead"><a name="doc_chap1_sect1">Security In General</a></p> -<p> -Security is often seen as a vague concept. What is security in general? How do -you measure security? What is the benefit and how do you make sure you do not -put too much effort in securing your system? -</p> -<p> -Well, security zealots will tell you that there is no such thing as too much -security. If properly implemented, security does not restrict functionality or -performance. It does not give you too much overhead in order to do your tasks. -But implementing security properly is a different and time-consuming task. That -is also why you often hear that security is as good as its administrator. -</p> -<p> -So, how can you look at security? A good practice on security is to define your -security goals. List what you want to achieve and why. 
By tracking the threats -that you want to minimize, you build up a security model that is appropriate for -your environment. Such threats can be very broad, such as "Ensure no-one is able -to work around our security measures". -</p> -<p> -In case of a Linux system powered with SELinux, this would at least mean that -you want to protect critical system files, such as kernel image(s) and boot -loader configuration, passwords and the SELinux policy binary itself from being -written by anyone or anything except trusted processes. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Access Control</a></p> -<p> -A decent access control system (or group of systems) ensures that only -authorized individuals or processes are granted access to the resources they are -tring to work with. -</p> -<p> -Before one can implement an access control system, you first need to have proper -authentication in place. If your authentication schemes are flawed, your access -control system might not be able to differentiate legitimate users from -malicious ones. -</p> -<p> -Authenticating users within Linux is often done through PAM (<span class="emphasis">Pluggable -Authentication Modules</span>), a powerful mechanism to integrate multiple -low-level authentication schemes into a high-level interface. -</p> -<p> -Authorizing access to resources however is often done through a simple -permission scheme. Most resources are not hidden by default, although -patches and updates exist (such as those offered by Gentoo Hardened's -kernel sources with grSecurity patches which includes support for this -kind of measures). File-system wise, you can hide the existence of files -by ensuring the directory in which the file resides is not readable nor -"executable" by unauthorized accounts. -</p> -<p> -This default permission scheme has major drawbacks. 
It does not allow you to -define very flexible authorizations (it only allows permissions on three levels: -owner, group-owner and everybody else) and is limited to read/write/execute -rights (although a few additional attributes are supported nowadays as well). -</p> -<p> -Another drawback is that the permission scheme is <span class="emphasis">discretionary</span>, meaning -that users and processes are able to change the security policy in place. -</p> -<p> -For the majority of uses, this permission scheme is sufficient and has proven to -offer a decent method for managing access authorizations. But the drawbacks have -shown to be a major hole in the Linux' offering. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Mandatory Access Control</p> -<p class="secthead"><a name="doc_chap1_sect1">Enter SELinux</a></p> -<p> -If the above mentioned discretionary access control, abbreviated to <span class="emphasis">DAC</span>, -is not sufficient (and if you are keen on security, you will not find it -sufficient), you need a <span class="emphasis">Mandatory</span> Access Control, or <span class="emphasis">MAC</span> system. -</p> -<p> -When using a MAC system, activities that a process wants to perform on another -resource need to be explicitly allowed. It offers a higher granularity on -permissions as well as resources. They often support not only files, but also -sockets, ports, memory segments, queues, processes, kernel services, system -calls, devices, file systems and more. The granularity of activities supported -is also quite large. For files, this can be append, create, execute, write, -link, ioctl, get- and setattr, read, rename, lock, ... whereas for sockets this -might be append, bind, connect, create, write, sendto, accept, ... Also, when -using a MAC system, no user or process can manipulate the security policy -itself: what the security administrator has defined cannot be overturned. 
-</p> -<p> -This is where SELinux comes to play. SELinux is a Linux kernel feature which -implements, amongst other things, a MAC system for controlling and governing -access to various resources. It uses a deny-by-default permission scheme, so any -access that a process wants to perform needs to be explicitly granted. -</p> -<p> -SELinux also allows you to put a finer-grained permission model <b>on top -of</b> the traditional DAC system (which is still in use when using SELinux -- in other words, if the traditional system does not allow certain activities, -it will not be allowed even if there are SELinux policies granting the -permission). -</p> -<p class="secthead"><a name="doc_chap1_sect1">What is SELinux</a></p> -<p> -To support this finer-grained permission model, you would think that changes -are needed to the Linux kernel. Yet thanks to the Linux kernel <span class="emphasis">LSM</span> -interface (<span class="emphasis">Linux Security Modules</span>), support for SELinux was easily added -and since the 2.6 kernel series, SELinux has been integrated in the mainstream -kernel release. But supporting SELinux and using SELinux are very different topics. -</p> -<p> -In order to properly identify resources, SELinux needs to assign labels to these -resources. When the resources are in-memory, this is mostly supported by the -Linux kernel itself, but for persistent resources such as files, these labels -need to be placed somewhere. SELinux has chosen to use a file's extended -attributes (which is stored on the file system itself). The advantage here is -that a label remains on the file even if the file is renamed. A disadvantage of -this approach is that the file system must support <span class="emphasis">extended attributes</span>, -which not all file systems do (or have activated). -</p> -<p> -SELinux also uses roles to govern resource access. 
A user that does not have -access to the system administration role should never be allowed to execute any -system administration activities even if he is able to escalate its privileges -(say through a set-uid application). To support roles, SELinux requires changes -to the authentication services (PAM) and needs to store role definitions and -authorizations somewhere. -</p> -<p> -Next to the kernel support and labels assigned to the resources and support -within the authorization system, SELinux also requires particular tools to -support the SELinux features. Examples are administrative tools to view and -manipulate labels, privilege management tools (like <span class="code" dir="ltr">sudo</span>), system -services (like SysVInit) etc. This is reflected in a set of patches -against these (and more) tools which are not always part of the applications' -main source code. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Gentoo Hardened and SELinux</a></p> -<p> -What Gentoo Hardened offers is SELinux integrated in the distribution. When you -select SELinux support, Gentoo Hardened will apply the necessary patches against -the applications and help you (re)label your files and other resources to become -SELinux-manageable. Gentoo Hardened also integrates SELinux support inside -Portage, allowing for newly installed files to be automatically labeled and to -use a SELinux-supporting sandbox environment for -safe package building. -</p> -<p> -Next to the pure technological support, we hope that you will also find the -necessary supporting documents, guides, experience and on-line support for using -SELinux within Gentoo. Never hesitate to come and say hi on the -<span class="code" dir="ltr">#gentoo-hardened</span> chat channel in the Freenode IRC network or on our -mailing lists. -</p> -<p> -If you believe that SELinux is the right thing for you and you want to try it -out using Gentoo Hardened, please read on. 
The next chapter will inform you how -SELinux security is "designed" and how it is conceptually structured. Further -chapters will then help you with the authorization language and the "base" -policies that most distributions start from, and finally help you install, -run and manage a SELinux hardened Gentoo system. -</p> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated May 25, 2011</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. - </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> 
diff --git a/html/selinux/hb-intro-referencepolicy.html b/html/selinux/hb-intro-referencepolicy.html deleted file mode 100644 index acfd4b9..0000000 --- a/html/selinux/hb-intro-referencepolicy.html +++ /dev/null 
@@ -1,242 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>About SELinux Policies</p> -<p class="secthead"><a name="doc_chap1_sect1">SELinux Policy Language</a></p> -<p> -As described previously, SELinux uses type enforcement to describe the state of -your system. 
This is done by giving each resource on your system (be it a -process, a network port, a file or directory) a specific type and describe the -rules how types can work with each other. -</p> -<p> -For instance, the allow-rule to allow all regular users (which are in the -user_t domain) to execute files with the bin_t label: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Allow rule to execute bin_t files</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -allow user_t bin_t:file { read execute open }; -</pre></td></tr> -</table> -<p> -Other supported rules are -</p> -<ul> - <li> - <span class="emphasis">dontaudit</span> will disable the logging of the denial message(s) - </li> - <li> - <span class="emphasis">auditallow</span> will allow the access but will also log it (by default, - allowances are not logged) - </li> - <li> - <span class="emphasis">neverallow</span> forces that a certain allow rule cannot be granted. Even - though SELinux is a positive security model (white listing), sometimes - neverallow rules might be needed. But generally you will not often see them. - </li> -</ul> -<p> -As you can imagine, defining the rules for an entire system is very -resource-intensive if you want to do it right. It not only requires a deep -insight in how the system works, but also a lot of rule writing and testing. But -even more time consuming is that you will write the same rules over and over -again for different domains. 
To help developers with policy writing, a -<span class="emphasis">reference policy</span> has been brought to life with the following required -functionalities: -</p> -<ul> - <li> - development of SELinux policy rules should be centralized even for different - distributions - </li> - <li> - a macro language should be supported that makes it easier to write new - policies - </li> - <li> - the policies should be modular, allowing for additional rules to be added or - removed - </li> -</ul> -<p> -By centralizing the SELinux policy rule development, SELinux users will have the -same domain naming conventions as on other distributions. This makes debugging a -lot easier, documenting a lot less distribution-specific and makes it a bit -easier for end users to get acquainted with SELinux. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Tresys Reference Policy</a></p> -<p> -The reference policy by choice is the <a href="http://oss.tresys.com/projects/refpolicy">Tresys SELinux Reference -Policy</a>. This reference policy - currently at major version 2 - is used by -almost all SELinux supporting distributions, including Gentoo Hardened, Fedora, -RedHat Enterprise Linux, Debian, Ubuntu and more. This implementation not only -offers the modular policies that users are looking for, but also enhances the -SELinux experience with additional development tools that make it easier to -work with the SELinux policies on your system. -</p> -<p> -The reference policy starts off with a <span class="emphasis">base</span> policy called -<span class="path" dir="ltr">base.pp</span>. This is a collection of policies needed to get a system up -and running and also offers the necessary functions towards the policy modules. -In Gentoo Hardened, this base policy is offered by <span class="code" dir="ltr">selinux-base-policy</span>. -</p> -<p> -The policy modules themselves also use the <span class="path" dir="ltr">.pp</span> extension, but are -named more appropriately towards their content. 
For instance, the policy module -that contains all policy rules for the <span class="code" dir="ltr">screen</span> application is called -<span class="path" dir="ltr">screen.pp</span>. However, don't count on all policy modules to be named -after the tool: the policy module that contains the <span class="code" dir="ltr">wpa_supplicant</span> -specific rules is called <span class="path" dir="ltr">networkmanager.pp</span>. In Gentoo Hardened, the -modular policies are available in the <span class="path" dir="ltr">sec-policy</span> category and are -named <span class="path" dir="ltr">selinux-<module></span>. -</p> -<p> -To get a list of running modules, run <span class="code" dir="ltr">semodule</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the running SELinux policy modules</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">semodule -l</span> -dbus 1.14.0 -dnsmasq 1.9.0 -hal 1.13.0 -[...] -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Toggle Policy States</a></p> -<p> -As policies are built off from a "deny all" perspective, you can imagine that -there are thousands of rules already available in the reference policy. -Sometimes the developers know that particular rules will be active on one system -and inactive on another. Although this can be accomplished by developing two -different modules, SELinux development has opted to support <span class="emphasis">SELinux -booleans</span>. -</p> -<p> -SELinux booleans allow for rules to be conditionally applied, based on the -administrator's requirements. 
You can get a list of supported booleans through -<span class="code" dir="ltr">getsebool</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a list of supported booleans and their current state</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">getsebool -a</span> -allow_execheap --> off -allow_execmem --> off -[...] -fcron_crond --> off -global_ssp --> on -[...] -</pre></td></tr> -</table> -<p> -If you need to change a boolean, you can use <span class="code" dir="ltr">togglesebool</span> to switch its -value, or <span class="code" dir="ltr">setsebool</span> so explicitly set its state: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Toggling boolean states</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">getsebool user_dmesg</span> -user_dmesg --> off -~# <span class="code-input">togglesebool user_dmesg</span> -user_dmesg: active -<span class="code-comment">(Now, the state is set to 'on')</span> -~# <span class="code-input">getsebool user_dmesg</span> -user_dmesg --> on -<span class="code-comment">(Explicitly set the value to 'off')</span> -~# <span class="code-input">setsebool user_dmesg off</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Policy Files and Locations</a></p> -<p> -On Gentoo Hardened, the SELinux policy files are stored in -<span class="path" dir="ltr">/usr/share/selinux/strict</span> or -<span class="path" dir="ltr">/usr/share/selinux/targeted</span> (depending on your SELinux -configuration). 
Within this location, you will find: -</p> -<ul> - <li> - a file called <span class="path" dir="ltr">base.pp</span>, which is the SELinux base policy, - </li> - <li> - one or more files with extension <span class="path" dir="ltr">.pp</span>, which are the SELinux - policy modules, and - </li> - <li> - an <span class="path" dir="ltr">include/</span> folder which contains the necessary files for - SELinux module developers to build additional modules for this system - </li> -</ul> -<p class="secthead"><a name="doc_chap1_sect1">Policy Versions</a></p> -<p> -The SELinux policy infrastructure that is used (i.e. the capabilities and -functionalities that it offers) isn't in its first version. If you would run -<span class="code" dir="ltr">sestatus</span> now, you'll notice that we are using policy version 24. Every -time functionalities or capabilities are added which require changes to the -internal structure of the compiled policy, this version is incremented. The -following is an overview of the policy versions' history. 
-</p> -<dl> - <dt>Version 12</dt> - <dd>"Old API" for SELinux, which is now deprecated</dd> - <dt>Version 15</dt> - <dd>"New API" for SELinux, merged in Linux kernel 2.6.0 (until 2.6.5)</dd> - <dt>Version 16</dt> - <dd>Conditional policy extensions added (2.6.5)</dd> - <dt>Version 17</dt> - <dd>IPV6 support added (2.6.6 - 2.6.7)</dd> - <dt>Version 18</dt> - <dd>Fine-grained netlink socket support added (2.6.8 - 2.6.11)</dd> - <dt>Version 19</dt> - <dd>Enhanced multi-level security (2.6.12 - 2.6.13)</dd> - <dt>Version 20</dt> - <dd>Access vector table size optimizations (2.6.14 - 2.6.18)</dd> - <dt>Version 21</dt> - <dd>Object classes in range transitions (2.6.19 - 2.6.24)</dd> - <dt>Version 22</dt> - <dd>Policy capabilities (features) (2.6.25)</dd> - <dt>Version 23</dt> - <dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd> - <dt>Version 24</dt> - <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd> - <dt>Version 25</dt> - <dd>Filename based transition support (2.6.39)</dd> - <dt>Version 26</dt> - <dd>Role transition support for non-process classes (3.0)</dd> -</dl> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated June 2, 2011</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/hb-intro-resources.html b/html/selinux/hb-intro-resources.html deleted file mode 100644 index ff88fae..0000000 --- a/html/selinux/hb-intro-resources.html +++ /dev/null 
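Review bot: hb-intro-referencepolicy.html is deleted whole, taking with it the only worked command sequence in these previews (semodule -l, getsebool -a, togglesebool and setsebool on user_dmesg) and the warning that module names do not track tool names ("the policy module that contains the wpa_supplicant specific rules is called networkmanager.pp"); the diff gives no forwarding target, so please record where this moved. Two defects in the removed text should not be copied across if it is migrated: "If you would run sestatus now, you'll notice that we are using policy version 24" hard-codes a number that the sibling hb-intro-concepts.html removal in this same commit already contradicts with "24 or 26", and "or setsebool so explicitly set its state" should read "to explicitly set its state". The generated markup also labels every listing "Code Listing1.1" and every chapter "1." with a duplicate name="doc_chap1" anchor, so regenerating previews from the same toolchain will reproduce the broken anchors; worth fixing in the generator before new previews are published.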
@@ -1,97 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/../../../css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/../../../favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. 
- </span>Background</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction to SELinux</a></p> -<ul> - <li> - <a href="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure: - The Flawed Assumption of Security in Modern Computing Environments</a> - explains the need for mandatory access controls. - </li> - <li> - <a href="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture: - System Support for Diverse Security Policies</a> - explains the security architecture of Flask, the architecture used by SELinux. - </li> - <li> - <a href="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</a> - has specifics about SELinux access checks in the kernel. - </li> -</ul> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>SELinux Policy</p> -<p class="secthead"><a name="doc_chap1_sect1">Policy Related References</a></p> -<ul> - <li> - <a href="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</a> - </li> - <li> - <a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a> - </li> - <li> - SELinux <a href="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</a> Overview - </li> -</ul> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Books</p> -<p class="secthead"><a name="doc_chap1_sect1">Paper Books</a></p> -<ul> - <li> - <span class="code" dir="ltr">SELinux by Example: Using Security Enhanced Linux</span>, Frank Mayer, - Karl MacMillan, and David Caplan, Prentice Hall, 2006; ISBN 0131963694 - </li> - <li> - <span class="code" dir="ltr">SELinux: NSA's Open Source Security Enhanced Linux</span>, Bill McCarty, - O'Reilly Media, 2004; ISBN 0596007167 - </li> -</ul> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. 
- </span>Gentoo Specific Resources</p> -<p class="secthead"><a name="doc_chap1_sect1">Gentoo Hardened</a></p> -<p> -The following resources are specific towards Gentoo Hardened's SELinux -implementation. -</p> -<ul> - <li> - <a href="selinux-faq.html">SELinux Frequently Asked - Questions</a> - </li> - -</ul> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated May 31, 2011</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. - </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> 
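Review bot: the removed preview hb-intro-resources.html was generated with broken asset paths (`href="http://www.gentoo.org/../../../css/main.css"`, and the same `../../../` pattern in the favicon and logo URLs), so if the SELinux previews are to be regenerated rather than dropped for good, the generator's base path needs fixing first. Since this hunk deletes the whole file with no replacement in the patch, the commit message should also say where the reference list (the NSA papers, the reference policy links, the two books) and the `selinux-faq.html` link now live.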
diff --git a/html/selinux/hb-intro-virtualization.html b/html/selinux/hb-intro-virtualization.html deleted file mode 100644 index 46ffa48..0000000 --- a/html/selinux/hb-intro-virtualization.html +++ /dev/null 
@@ -1,42 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>TODO</p> -<p> -This is a place-holder for future expansion. 
-</p> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated December 1, 2010</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. - </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/hb-using-commands.html b/html/selinux/hb-using-commands.html deleted file mode 100644 index 468df7a..0000000 --- a/html/selinux/hb-using-commands.html +++ /dev/null 
@@ -1,452 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>SELinux Information Commands</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -You should currently have a SELinux enabled system (but running in permissive -mode, so it will not enforce its policy rules). 
So before we introduce you to -the world of SELinux and how you can add more rules to make sure your system -remains functional when you switch to enforcing mode, we first give a quick -overview of the various SELinux related commands. -</p> -<p> -We start off with state commands where you can get global information on SELinux -state (is it running in enforcing mode or not, versions etc.) -</p> -<p class="secthead"><a name="doc_chap1_sect1">Getting SELinux Status</a></p> -<p> -The first command we will talk about is <span class="code" dir="ltr">sestatus</span>. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running sestatus</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">sestatus</span> -SELinux status: enabled -SELinuxfs mount: /selinux -Current mode: permissive -Mode from config file: permissive -Policy version: 24 -Policy from config file: strict -</pre></td></tr> -</table> -<p> -The output of this command shows you that SELinux is enabled and is currently in -the <span class="emphasis">permissive</span> mode. It also tells you that the system is configured to -run in <span class="emphasis">strict</span> mode - so no unconfined_t domain here. -</p> -<p> -The <span class="code" dir="ltr">sestatus</span> command also has an extended output if you run it with the -<span class="code" dir="ltr">-v</span> option. 
When this is done, the command returns the contexts of -important processes and files: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running sestatus -v</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">sestatus -v</span> -SELinux status: enabled -SELinuxfs mount: /selinux -Current mode: enforcing -Mode from config file: enforcing -Policy version: 24 -Policy from config file: strict - -Process contexts: -Current context: staff_u:sysadm_r:sysadm_t -Init context: system_u:system_r:init_t -/sbin/agetty system_u:system_r:getty_t -/usr/sbin/sshd system_u:system_r:sshd_t - -File contexts: -Controlling term: staff_u:object_r:user_devpts_t -/sbin/init system_u:object_r:init_exec_t -/sbin/agetty system_u:object_r:getty_exec_t -/bin/login system_u:object_r:login_exec_t -/sbin/rc system_u:object_r:rc_exec_t -/usr/sbin/sshd system_u:object_r:sshd_exec_t -/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t -/etc/passwd system_u:object_r:etc_t -/etc/shadow system_u:object_r:shadow_t -/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t -/bin/bash system_u:object_r:shell_exec_t -/usr/bin/newrole system_u:object_r:newrole_exec_t -/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t -/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t -</pre></td></tr> -</table> -<p> -Another general SELinux status command is <span class="code" dir="ltr">getenforce</span>, which allows you to -quickly see if your SELinux is running in enforcing mode (SELinux policies are -enforced), permissive (SELinux policies are checked and logged, but not -enforced) or disabled (SELinux policy is not loaded and thus not checked). 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using the getenforce command</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">getenforce</span> -Enforcing -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Getting SELinux Object Information</a></p> -<p> -Next on the table is the <span class="code" dir="ltr">seinfo</span> command. This command allows you to query -the running policy for all objects (types, roles, attributes, users, booleans -...) defined. -</p> -<p> -Common usages are: -</p> -<ul> - <li> - checking if a specific domain is defined on your system (in case you're - wondering if you need to load an additional SELinux policy module or not) - </li> - <li> - checking which domains a particular role can be in (in case you're wondering - if your regular users are allowed by SELinux policies to even be - transitioned towards a specific domain) - </li> - <li> - checking which attributes are assigned to a specific domain (or vice versa, - which domains have a specific attribute set) as some SELinux policy rules - work on attributes rather than domains - </li> -</ul> -<p> -As an example, we query if the crontab_t domain is known, if the user_r role can -use the contab_t domain and finally which domains have the cron_spool_type -attribute set. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using seinfo</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">seinfo -tcrontab_t</span> - crontab_t -# <span class="code-input">seinfo -ruser_r -x</span> - user_r - Dominated Roles: - user_r - Types: - [...] - crontab_t - [...] 
-# <span class="code-input">seinfo -acron_spool_type -x</span> - cron_spool_type - user_cron_spool_t - system_cron_spool_t -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Querying SELinux Policy Rules</a></p> -<p> -A command which you will often use is <span class="code" dir="ltr">sesearch</span>. This command allows you -to query the current policy allow rules and is a huge help when trying to find -out if something is allowed (or why something isn't allowed). -</p> -<p> -The <span class="code" dir="ltr">sesearch</span> command is most often used with a source domain (<span class="code" dir="ltr">-s</span>), -target domain (<span class="code" dir="ltr">-t</span>) or both, the class for which you want to query allow -rules for (file, dir, socket, process ...) and the privilege you want to query -for (read, write, open, transition, execute ...). -</p> -<p> -For instance, to find out which domains can write the files that have the -shadow_t domain: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Querying allow rules with sesearch</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">sesearch -t shadow_t -c file -p write -A</span> -Found 8 semantic av rules: - [...] - allow portage_t shadow_t : file { ioctl read write ... }; - allow useradd_t shadow_t : file { ioctl read write ... }; - ... -</pre></td></tr> -</table> -<p> -You will notice that there are sometimes results based on attributes rather than -domains: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Allow rule based on attribute</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> - allow portage_t file_type : file { ioctl read write ... 
}; -</pre></td></tr> -</table> -<p> -In this case, the source domain (portage_t) is allowed to write to files whose -domain have the file_type attribute set. If you get the feeling of these things, -you'll wonder if the above rule is not a flagrant security issue as almost all -domains for files have the file_type set. Yes and no - if we take a look at -which domains have file write privileges to file_type domains, you'll notice -that this is only portage: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Querying domains with file-write privileges to file_type domains</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">sesearch -t file_type -c file -p write -A -d</span> -Found 1 semantic av rules: - allow portage_t file_type : file { ioctl read write ... }; -</pre></td></tr> -</table> -<p> -Note that we had one command without the <span class="code" dir="ltr">-d</span> option and one with. When -<span class="code" dir="ltr">-d</span> is given, the search will perform an exact search without resolving -the attributes. When <span class="code" dir="ltr">-d</span> is not given, it will resolve the attribute. In -the last command example, dropping <span class="code" dir="ltr">-d</span> would result in hundreds of allow -rules: for each domain that has file_type set, the search tries to find rules -that allow file-write access to that particular domain. -</p> -<p> -Another interesting functionality of the <span class="code" dir="ltr">sesearch</span> command is to show you -the rules that are applicable depending on the state of a boolean. If you want -to query on a particular boolean, use <span class="code" dir="ltr">-b</span>. If you want to see the logic -that the policy uses, use <span class="code" dir="ltr">-C</span> (and yes, both can be combined). 
-</p> -<p> -As an example, we'll check what we allow (or deny) when the <span class="code" dir="ltr">global_ssp</span> -boolean is set: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking the policy regarding the global_ssp boolean</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">sesearch -b global_ssp -A -C -d</span> -Found 2 semantic av rules: -ET allow domain device_t : dir { getattr search open } ; [ global_ssp ] -ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ] -</pre></td></tr> -</table> -<p> -The prefix you see shows two letters, relating to two important definitions: -</p> -<ul> - <li> - Is the rule currently <b>E</b>nabled or <b>D</b>isabled? - </li> - <li> - Does the boolean need to be set to <b>T</b>rue or <b>F</b>alse to enable the rule? - </li> -</ul> -<p class="secthead"><a name="doc_chap1_sect1">Getting Security Context Information</a></p> -<p> -During administrative tasks, and especially when you are checking if a SELinux -denial could be made, it is important to find out what the security context is -for a particular resource. Luckily, Gentoo Hardened - if properly installed - -has already patched some tools to allow you to get this information using your -standard tools. 
-</p> -<p> -To get the security context of a file, use <span class="code" dir="ltr">ls -Z</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a file security context</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">ls -Z /etc/make.conf</span> -system_u:object_r:portage_conf_t /etc/make.conf -</pre></td></tr> -</table> -<p> -To get the security context of a process, use <span class="code" dir="ltr">ps -Z</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a process security context</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">ps -Z $(pidof init)</span> -LABEL PID TTY STAT TIME COMMAND -system_u:system_r:init_t 1 ? Ss 0:00 init [3] -</pre></td></tr> -</table> -<p> -To get the security context of the current user, use <span class="code" dir="ltr">id -Z</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a user security context</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">id -Z</span> -staff_u:staff_r:staff_t -</pre></td></tr> -</table> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Managing SELinux</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -Managing SELinux objects (booleans, users, ports, contexts ...) is most often -done using <span class="code" dir="ltr">semanage</span>. 
As this application offers the interface towards -various SELinux configurations, we dedicate an entire section on it, but will -also cover the commands that offer similar functionality (and are sometimes -easier to remember). -</p> -<p class="secthead"><a name="doc_chap1_sect1">Booleans</a></p> -<p> -We have already covered SELinux booleans earlier in this book as well as the -<span class="code" dir="ltr">getsebool</span> and <span class="code" dir="ltr">setsebool</span> commands. With <span class="code" dir="ltr">semanage</span> you can too -manage the booleans and, as an added bonus, listing the booleans will also show -the description of the boolean (even though there is still work to be done in -this area). -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the available SELinux booleans</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage boolean -l</span> -SELinux boolean Description - -allow_ptrace -> off allow_ptrace -rsync_export_all_ro -> off rsync_export_all_ro -</pre></td></tr> -</table> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> -As you will notice, most descriptions are just the boolean name, but you will -find more and more booleans with a better description as you get acquainted with -- and install more - SELinux policy modules. 
-</p></td></tr></table> -<p> -You can set a boolean with both <span class="code" dir="ltr">setsebool</span> and <span class="code" dir="ltr">semanage</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting SELinux boolean values</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage boolean -m --on -F user_dmesg</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="users"></a><a name="doc_chap1_sect1">SELinux Users and Logins</a></p> -<p> -SELinux users and logins are different from Unix accounts. SELinux logins allow -you to map a Unix account to a SELinux user: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the SELinux logins</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage login -l</span> -Login Name SELinux User - -__default__ user_u -root root -swift staff_u -system_u system_u -</pre></td></tr> -</table> -<p> -The default behavior is that users are logged on as the <span class="emphasis">user_u</span> SELinux -user. This SELinux user is a non-administrator user: it has no specific -privileges and should be used for every account that never requires elevated -privileges (so no <span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span> rights for anything). -</p> -<p> -The account you use to administer your system should be mapped to the -<span class="code" dir="ltr">staff_u</span> SELinux user (or its own user with the appropriate roles). 
This -can be accomplished as follows (example with the Unix account <span class="emphasis">anna</span>): -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Letting 'anna' log on as 'staff_u'</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage login -a -s staff_u anna</span> -</pre></td></tr> -</table> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> -Make sure that whatever account you use to administer your system is mapped to -the <span class="code" dir="ltr">staff_u</span> user, or has the ability to switch to the <span class="code" dir="ltr">sysadm_r</span> -role. Portage only works from within the <span class="code" dir="ltr">sysadm_r</span> role. -</p></td></tr></table> -<p> -As mentioned, SELinux users are configured to be able to join in on one or more -roles. To list the available roles, you can use <span class="code" dir="ltr">semanage user -l</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing login / role mappings</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage user -l</span> -SELinux User SELinux Roles - -root staff_r sysadm_r -staff_u staff_r sysadm_r -[...] -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Managing Ports</a></p> -<p> -Even network ports (like port 22 for SSH) are 'protected' by SELinux. To get an -overview of which domains are assigned to which ports (or port ranges) use -<span class="code" dir="ltr">semanage port -l</span>. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing SELinux managed ports</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage port -l | grep '22$'</span> -ssh_port_t tcp 22 -</pre></td></tr> -</table> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Using SELinux</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -Up until now we've covered getting SELinux related information as well as -managing SELinux settings. However, users on a SELinux hardened system will also -need to know a few things about working with SELinux, including (but not limited -to) roles and role transitions. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Switching Roles</a></p> -<p> -As a type enforcement access control system, SELinux allows particular roles to -be within a set of domains. If you are using a role which is not allowed within -a particular domain, you will not be successful in using that domain and will be -denied the actions assigned to that domain. -</p> -<p> -If your standard users are all SELinux user_u users (with the only supported -role being user_r) then those users will never need to switch roles (nor are -they allowed to). But users that are staff_u (or other users that have multiple -roles) those users should be made clear how they switch between roles. We have -already covered how to map such users to the correct SELinux user (see <a href="#users">SELinux Users and Logins</a>). -</p> -<p> -The command that accomplishes switching roles is called <span class="code" dir="ltr">newrole</span>. It's -use is pretty straight forward. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using newrole</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">newrole -r sysadm_r</span> -Password: <span class="code-comment">(Enter the users' password - not root's!)</span> -</pre></td></tr> -</table> -<p> -When performing a role transition, SELinux will ask the user to re-authenticate -through its users' password. If you are logged on as a regular user and used -<span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span> to become the root user, then <span class="code" dir="ltr">newrole</span> will still -require you to enter the regular users' password. -</p> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/hb-using-configuring.html b/html/selinux/hb-using-configuring.html deleted file mode 100644 index d583184..0000000 --- a/html/selinux/hb-using-configuring.html +++ /dev/null 
@@ -1,919 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Administering Users</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -During the installation, we already covered how to map a Linux user to a SELinux -user. 
In the example, we used a hypothetical user "john" and mapped him to the -SELinux user "staff_u". If you are running a multi-user system, managing the -right mappings is important. A user that is mapped to the SELinux user "user_u" -will not get any additional rights. Even if you would give that user additional -rights through commands such as <span class="code" dir="ltr">sudo</span>, the SELinux policy will not allow -this user to do anything that is administration related. -</p> -<p> -For this reason, it is important to go over the SELinux user mappings and the -Linux users on your system. -</p> -<p class="secthead"><a name="doc_chap1_sect1">User Mappings</a></p> -<p> -Run <span class="code" dir="ltr">semanage login -l</span> to show the current mappings between Linux logins -and SELinux users. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running semanage login -l</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage login -l</span> - -Login Name SELinux User - -__default__ user_u -root root -john staff_u -system_u system_u -</pre></td></tr> -</table> -<p> -The "user_u" SELinux user is for regular accounts. As such, the special -<span class="emphasis">__default__</span> mapping is defined by SELinux to denote every login that is -not defined otherwise. This makes sure that a newly defined account does not get -elevated privileges by default. -</p> -<p> -The next table gives an overview of the standard SELinux users available after -an installation. 
-</p> -<table class="ntable"> -<tr> - <td class="infohead"><b>SELinux User</b></td> - <td class="infohead"><b>Description</b></td> -</tr> -<tr> - <td class="tableinfo">user_u</td> - <td class="tableinfo"> - Default regular SELinux user, which should be used by end-user accounts that - are not going to administer any service(s) on the system - </td> -</tr> -<tr> - <td class="tableinfo">staff_u</td> - <td class="tableinfo"> - SELinux user for administrators. This user has the right to switch roles and - as such gain elevated privileges - </td> -</tr> -<tr> - <td class="tableinfo">root</td> - <td class="tableinfo"> - SELinux user for the root account. It differs little from the staff_u - account beyond being a different ID. This ensures that files protected by - the user based access control for root cannot be handled by the staff_u - (and other) users - </td> -</tr> -<tr> - <td class="tableinfo">sysadm_u</td> - <td class="tableinfo"> - SELinux user for system administration. By default, this account is not - immediately used as this user immediately gets the administrative role - (whereas staff_u and root still need to switch roles). - </td> -</tr> -<tr> - <td class="tableinfo">system_u</td> - <td class="tableinfo"> - SELinux user for system services. It should never be used for end users or - administrators as it provides direct access to the system role (and - privileges) - </td> -</tr> -<tr> - <td class="tableinfo">unconfined_u</td> - <td class="tableinfo"> - Used when the policy is <span class="emphasis">targeted</span>, this SELinux user has many - privileges (it is essentially not limited in its actions, although it is - still handled through SELinux - just through a "wide open" policy). 
- </td> -</tr> -</table> -<p> -To map a user to a specific SELinux user, use <span class="code" dir="ltr">semanage login -a</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping a user 'sophie' to the staff_u user</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage login -a -s staff_u sophie</span> -</pre></td></tr> -</table> -<p> -However, when you update such mapping, the files in that users' home directory -will be owned by a wrong SELinux user. It is therefor important to relabel the -files of that user: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling sophie's files</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">restorecon -R -F /home/sophie</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Additional SELinux Accounts</a></p> -<p> -It is perfectly possible to create additional SELinux accounts, and then map the -Linux logins to these new accounts. This can be necessary when you want a more -thorough auditing (on end user level) or when you will be enhancing the policy -with additional roles. Also, if you want to use the User Based Access Control -feature, using different SELinux users is important to enforce the control on -different users (if they all use the same SELinux user, then UBAC has little to -no effect). 
-</p> -<p> -Managing the SELinux accounts is done through <span class="code" dir="ltr">semanage user</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating a SELinux user</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage user -a -R "staff_r sysadm_r" sophie</span> -</pre></td></tr> -</table> -<p> -Let's verify how the SELinux users are currently configured: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking the SELinux user identities</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage user -l</span> -SELinux User SELinux Roles - -root staff_r sysadm_r -sophie staff_r sysadm_r -staff_u staff_r sysadm_r -sysadm_u sysadm_r -system_u system_r -unconfined_u unconfined_r -user_u user_r - -# <span class="code-input">semanage login -l</span> -Login Name SELinux User - -__default__ user_u -root root -sophie staff_u -swift staff_u -system_u system_u -</pre></td></tr> -</table> -<p> -Now that a new SELinux user called "sophie" exists, we can now update the Linux -user mapping for "sophie" towards the new SELinux user "sophie": -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Updating the Linux user mapping</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage login -m -s sophie sophie</span> -# <span class="code-input">semanage login -l</span> -Login Name SELinux User - -__default__ user_u -root root -sophie sophie -swift staff_u -system_u system_u -</pre></td></tr> -</table> -<p> -Again, do not forget to 
relabel this users' files. -</p> -<p> -As you can see, managing SELinux users means defining the roles to which the -user has access to. We already gave a high-level introduction to the default -roles in <span title="Link to other book part not available"><font color="#404080">(SELinux Concepts)</font></span>, but as roles are -important when using a Mandatory Access Control system, let's refresh our memory -again: -</p> -<table class="ntable"> -<tr> - <td class="infohead"><b>SELinux Role</b></td> - <td class="infohead"><b>Description</b></td> -</tr> -<tr> - <td class="tableinfo">user_r</td> - <td class="tableinfo"> - Default end-user role. This role provides access to regular applications and - activities, but does not allow any system or service administration beyond - what is expected for a regular user. - </td> -</tr> -<tr> - <td class="tableinfo">staff_r</td> - <td class="tableinfo"> - Default administration role for day-to-day activities. This role has some - additional privileges beyond what is offered through user_r, but is not a - full system administrative role. It is meant for the non-administrative - activities done by operators and administrators - </td> -</tr> -<tr> - <td class="tableinfo">sysadm_r</td> - <td class="tableinfo"> - System administration role. This role is highly privileged (since it also - contains the privileges to update the policy) and should only be given to - fully trusted administrators. It is almost never immediately granted to - users (they first need to switch roles) except for direct root access (for - instance through the console) - </td> -</tr> -<tr> - <td class="tableinfo">system_r</td> - <td class="tableinfo"> - System service role, which is used for the runtime services (processes). It - is never granted to users directly. - </td> -</tr> -<tr> - <td class="tableinfo">unconfined_r</td> - <td class="tableinfo"> - The unconfined role is used when the <span class="emphasis">targeted</span> policy is supported. 
- This role is given to unconfined users (such as the SELinux unconfined_u - user) which have very wide privileges (they almost run without constraints). - </td> -</tr> -</table> -<p> -It should be noted that these roles are the default ones, but the security -administrator - yes, that means you - can create additional roles and add -particular privileges to it. We will discuss this later in this book as it means -you'll need to update the Gentoo Hardened SELinux policy. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Reading Audit Logs</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -When working with a SELinux-enabled system, you will eventually notice that -things behave differently, but without giving any meaningful error message. -Usually, when SELinux "denies" a particular access, it logs it into the audit -log of the system, but for the application itself, it is perfectly possible that -it just silently dies. If not, you're most likely to get a <span class="emphasis">permission -denied</span> error message. -</p> -<p> -Initially, SELinux is running in <span class="code" dir="ltr">permissive</span> mode, which means that -SELinux will log what it <span class="emphasis">would</span> deny, but still let it through. -This mode is perfect for getting the system in shape without having too -much problems keeping it running. Once you think your security settings are -in order, then this mode can be switched from <span class="code" dir="ltr">permissive</span> to -<span class="code" dir="ltr">enforcing</span>. We'll talk about these modes later. -</p> -<p> -First, let's take a look at the audit log and see what it is saying... -</p> -<p class="secthead"><a name="doc_chap1_sect1">Audit Log Location(s)</a></p> -<p> -The SELinux kernel code writes its denials (and sometimes even allowed but -audited activities) into the audit log. 
If you are running on a Gentoo Hardened -installation with the <span class="code" dir="ltr">syslog-ng</span> system logger, then the logger is already -configured to place these audit lines in <span class="path" dir="ltr">/var/log/avc.log</span>. However, -different system loggers or system logger configurations might put the entries -in a different log location (such as <span class="path" dir="ltr">/var/log/audit.log</span>). -</p> -<p> -Below, you'll find the appropriate lines for the syslog-ng system logger -configuration for writing the events in <span class="path" dir="ltr">/var/log/avc.log</span>. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: syslog-ng.conf excerpt for SELinux AVC entries</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment"># The following lines are only /part/ of the configuration file!</span> -source kernsrc { file("http://www.gentoo.org/proc/kmsg"); }; -destination avc { file("http://www.gentoo.org/var/log/avc.log"); }; -filter f_avc { message(".*avc: .*"); }; - -log { - source(kernsrc); - filter(f_avc); - destination(avc); -}; -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">What is AVC?</a></p> -<p> -As we mentioned, SELinux writes its entries in the audit log. These entries are -called <span class="emphasis">avc messages</span> or <span class="emphasis">avc log entries</span>. The abbreviation AVC -stands for <span class="emphasis">Access Vector Cache</span> and, like the name sais, is a caching -system. -</p> -<p> -Using an access vector cache improves performance on dealing with (and -enforcing) activities and privileges. 
Since SELinux offers a very detailed -approach on privileges and permissions, it would become quite painful -(performance-wise) if each call means that the SELinux code needs to look up the -domain, the target resource label, the privilege and if it is allowed or not -over and over again. Instead, SELinux uses the Access Vector Cache to store past -requests/responses. It is the AVC subsystem that is responsible for checking -accesses and (if necessary) logging it. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Reading an AVC Denial Message</a></p> -<p> -Below you'll find a typical AVC denial message. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC denial message</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): - avc: denied { module_request } for pid=14561 comm="firefox" kmod="net-pf-10" - scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system -</pre></td></tr> -</table> -<p> -Let's analyze each part of this message one by one. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: Timestamp and location information</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-input">Oct 15 13:04:54 hpl kernel: [963185.177043]</span> type=1400 audit(1318676694.660:2472): - avc: denied { module_request } for pid=14561 comm="firefox" kmod="net-pf-10" - scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system -</pre></td></tr> -</table> -<p> -This first part of the message informs you when the message was written (Oct 15 -13:04:54), on which host (hpl) and how many seconds since the system was booted -(963185.177043). -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: source information</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): - avc: denied { module_request } for <span class="code-input">pid=14561 comm="firefox"</span> kmod="net-pf-10" - <span class="code-input">scontext=staff_u:staff_r:mozilla_t</span> tcontext=system_u:system_r:kernel_t tclass=system -</pre></td></tr> -</table> -<p> -Next is the source of the denial, i.e. what process is trying to do something. -In this case, the process is firefox, with PID 14561, which is running in the -source domain staff_u:staff_r:mozilla_t. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: target resource</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): - avc: denied { module_request } for pid=14561 comm="firefox" <span class="code-input">kmod="net-pf-10"</span> - scontext=staff_u:staff_r:mozilla_t <span class="code-input">tcontext=system_u:system_r:kernel_t</span> tclass=system -</pre></td></tr> -</table> -<p> -The target of the activity is a kernel module (net-pf-10, which is the internal -name given for IPv6), labeled system_u:system_r:kernel_t -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: denied action</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): - avc: denied { <span class="code-input">module_request</span> } for pid=14561 comm="firefox" kmod="net-pf-10" - scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t <span class="code-input">tclass=system</span> -</pre></td></tr> -</table> -<p> -Finally, the action that is denied (module_request) and its class (system). -These classes help you to identify what is denied, because a read on a file is -different from a read on a directory. 
-</p> -<p> -For instance, in the following case, a process <span class="code" dir="ltr">gorg</span> with PID 13935 is -trying to read a file called <span class="path" dir="ltr">localtime</span> with inode 130867 which -resides on the device <span class="path" dir="ltr">/dev/md3</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial example</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -Oct 15 14:40:30 hpl kernel: [968909.807802] type=1400 audit(1318682430.323:2614): - avc: denied { read } for pid=13935 comm="gorg" name="localtime" dev=md3 ino=130867 - scontext=staff_u:sysadm_r:gorg_t tcontext=system_u:object_r:locale_t tclass=file -</pre></td></tr> -</table> -<p> -In this case, it might be obvious that the file is <span class="path" dir="ltr">/etc/localtime</span>, -but when that isn't the case, then you can find the following two commands -useful: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Finding out the target resource based on inode and device</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">(Find out which device /dev/md3 is)</span> -# <span class="code-input">mount | grep /dev/md3</span> -/dev/md3 on / type ext4 (rw,seclabel,noatime,barrier=1,nodelalloc,data=journal) - -<span class="code-comment">(Find out what file has inode 130867)</span> -# <span class="code-input">find / -xdev -inum 130867</span> -/etc/localtime -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Handling AVC denials</a></p> -<p> -The major part of configuring SELinux is reading the denials, finding out what -needs to be fixed (or ignored), fix it, and repeat the steps. 
Hopefully, the -rest of this handbook will help you figure out what is causing a denial. -</p> -<p> -Denials can be cosmetic (an activity that is denied, but has no effect on the -application's functional behaviour). If that is the case, the denial can be -marked as <span class="emphasis">dontaudit</span>, meaning that the denial is not logged by default -anymore. If you think that a denial is occurring but you do not see it in the -logs, try disabling the <span class="emphasis">dontaudit</span> rules: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Disabling dontaudit</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">(The command can also be abbreviated to "semodule -DB")</span> -# <span class="code-input">semodule --build --disable_dontaudit</span> -</pre></td></tr> -</table> -<p> -In most cases though, denials need to be acted upon. Actions that might need to -happen are: -</p> -<ul> - <li> - relabeling the target resource (wrong labels might cause legitimate actions - to be denied) - </li> - <li> - relabeling the source (process' binary file) as a wrong label might cause - the application to run in the wrong domain - </li> - <li> - loading a necessary SELinux module, since the modules contain the rules to - allow (and label) resources. Without the appropriate module loaded, you will - notice denials since no other module gives the necessary grants (allow - statements) - </li> - <li> - granting the right role to the user executing the application. We have - covered users and their roles initially but we will go deeper into this - subject later in the handbook. 
- </li> - <li> - adding your own SELinux policy statements, most likely because no SELinux - policy module exists for the application you are trying to run - </li> -</ul> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Using (File) Labels</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -Within SELinux, access privileges are based on the label given on the -originating part (called the <span class="emphasis">domain</span>) and its target resource. For -instance, a process running in the passwd_t domain wants to read (= privilege) -the file <span class="path" dir="ltr">/etc/shadow</span> which is labeled shadow_t (= the target -resource). It comes to no surprise then that the majority of SELinux -administration is (re)labeling the resources correctly (and ensuring their label -stays correct). -</p> -<p class="secthead"><a name="doc_chap1_sect1">Getting File Label(s)</a></p> -<p> -There are many ways to relabel commands, and none of them are equal to another. -But before we explain this in more detail, let's first take a look at a few file -labels (and how you can query them). -</p> -<p> -In SELinux, labels are given on a file level through the file systems' ability -to keep <span class="emphasis">extended attributes</span>. 
For SELinux, the attribute is called -<span class="code" dir="ltr">security.selinux</span> and can be obtained through <span class="code" dir="ltr">getfattr</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a file's extended attribute for SELinux</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -$ <span class="code-input">getfattr -n security.selinux /etc/hosts</span> -# file: etc/hosts -security.selinux="system_u:object_r:net_conf_t" -</pre></td></tr> -</table> -<p> -Of course, getting the file attribute this way is time consuming and not that -flexible. For this purpose, most important applications (including -<span class="code" dir="ltr">coreutils</span>) are made SELinux-aware. These applications mostly use the -<span class="code" dir="ltr">-Z</span> option to display the SELinux context information. In case of files, -this means the extended attribute content: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the context of a file</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -$ <span class="code-input">ls -Z /etc/hosts</span> -system_u:object_r:net_conf_t /etc/hosts -</pre></td></tr> -</table> -<p> -Other commands exist that display the context as it should be, like -<span class="code" dir="ltr">matchpathcon</span>. 
However, their purpose is to query the SELinux policy on -your system to find out what the policy ought to be, not what it is: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Difference between context and matchpathcon result</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -$ <span class="code-input">ls -Z /etc/make.conf</span> -staff_u:object_r:etc_t /etc/make.conf -$ <span class="code-input">matchpathcon /etc/make.conf</span> -/etc/make.conf system_u:object_r:portage_conf_t -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Setting File Label(s)</a></p> -<p> -Now how can you manipulate file labels? Well, first of all: you will not be -allowed to change the file labels of any possible file (not even if you are the -owner of that file) unless the SELinux policy allows you to. These allow rules -are made on two privilege types: which labels are you allowed to change -(<span class="code" dir="ltr">relabelfrom</span>) and to which labels are you allowed to change -(<span class="code" dir="ltr">relabelto</span>). 
You can query these rules through <span class="code" dir="ltr">sesearch</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Querying the relabelto/relabelfrom types</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment"># From which label on files (-c) is user_t (-s) allowed (-A) to relabel from (-p)?</span> -$ <span class="code-input">sesearch -s user_t -c file -p relabelfrom -A</span> -<span class="code-comment">[...]</span> -allow user_t mozilla_home_t : file { <span class="code-comment">...</span> relabelfrom relabelto } ; -</pre></td></tr> -</table> -<p> -If you have the permission, then you can use <span class="code" dir="ltr">chcon</span> to <span class="emphasis">ch</span>ange the -<span class="emphasis">con</span>text of a file: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Changing a file context</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -$ <span class="code-input">ls -Z strace.log</span> -staff_u:object_r:user_home_t strace.log -$ <span class="code-input">chcon -t mutt_home_t strace.log</span> -$ <span class="code-input">ls -Z strace.log</span> -staff_u:object_r:mutt_home_t strace.log -</pre></td></tr> -</table> -<p> -If you do not hold the right privileges, you will get a descriptive error -message: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Trying to change file context</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -$ <span class="code-input">chcon -t shadow_t strace.log</span> -chcon: failed to change context of `strace.log' to `staff_u:object_r:shadow_t': 
Permission denied -</pre></td></tr> -</table> -<p> -Now, if you now think that <span class="code" dir="ltr">chcon</span> is all you need, you're wrong. The -<span class="code" dir="ltr">chcon</span> command does nothing more than what it sais - change context. But -when the system relabels files, these changes are gone. Relabeling files is -often done to ensure that the file labels are correct (as in: the labels match -what the SELinux policy sais they ought to be). The SELinux policy contains, for -each policy module, the list of files, directories, sockets, ... and their -appropriate file context (label). -</p> -<p> -We will look at SELinux policy modules later, but below you'll find an excerpt -from such a definition, for the <span class="code" dir="ltr">mozilla</span> module: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Excerpt of the mozilla module file contexts</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/lib64/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -</pre></td></tr> -</table> -<p> -To put the right label on a file, you can use the <span class="code" dir="ltr">setfiles</span> or -<span class="code" dir="ltr">restorecon</span> 
commands. Since they are both the same command (but with a -slightly different way of using) we'll only talk about <span class="code" dir="ltr">restorecon</span> for now -- more information on the <span class="code" dir="ltr">setfiles</span> command can be found in its man page. -</p> -<p> -When you use <span class="code" dir="ltr">restorecon</span>, the application will query the SELinux policy to -find out what the right label of the file should be. If it differs, it will -change the label to the right setting. That means that you do not need to -provide the label for a file in order for the command to work. Also, -<span class="code" dir="ltr">restorecon</span> supports recursivity, so you do not need to relabel files one -by one. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using restorecon</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -$ <span class="code-input">ls -Z /etc/make.conf</span> -staff_u:object_r:etc_t /etc/make.conf -$ <span class="code-input">restorecon /etc/make.conf</span> -$ <span class="code-input">ls -Z /etc/make.conf</span> -system_u:object_r:portage_conf_t /etc/make.conf -</pre></td></tr> -</table> -<p> -Finally, Gentoo also provides a useful application: <span class="code" dir="ltr">rlpkg</span>. 
This script -relabels the files of a Gentoo package (<span class="code" dir="ltr">rlpkg <packagename></span>) or, -given the right arguments, all files on the file system: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using rlpkg</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment"># Relabel the files of the firefox-bin package:</span> -# <span class="code-input">rlpkg firefox</span> - -<span class="code-comment"># Relabel all files on the file system:</span> -# <span class="code-input">rlpkg -a -r</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Overriding the SELinux Policy File Labels</a></p> -<p> -You might not always agree with the label that the SELinux policy enforces on -the files: you might have your files located elsewhere (a different location for -your Portage tree is a nice example) or you need to label them differently in -order for other applications to work. To not have to <span class="code" dir="ltr">chcon</span> these files -over and over again, you can enhance the SELinux policy on your system with -additional file context rules. These rules are used when you call -<span class="code" dir="ltr">restorecon</span> as well and override the rules provided by the SELinux policy. -</p> -<p> -To add additional file context rules, you need to use the <span class="code" dir="ltr">semanage</span> -command. This command is used to manage, manipulate and update the local SELinux -policy on your system. 
In this particular case, we will use the <span class="code" dir="ltr">semanage -fcontext</span> command: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using semanage to add a file context rule</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment"># Mark /mnt/gentoo/etc/make.conf as a portage_conf_t type</span> -# <span class="code-input">semanage fcontext -a -t portage_conf_t /mnt/gentoo/etc/make.conf</span> - -<span class="code-comment"># Mark /mnt/gentoo/usr/portage as portage_ebuild_t</span> -# <span class="code-input">semanage fcontext -a -t portage_ebuild_t "http://www.gentoo.org/mnt/gentoo/usr/portage(/.*)?"</span> -</pre></td></tr> -</table> -<p> -As you can see from the example, you can use wildcards. But beware about using -wildcards: when a rule holds a wildcard, it has a lower priority than a rule -without a wildcard. And the priority on rules with a wildcard is based on how -"down" the string the first occurance of a wildcard is. 
For more information, -please check out our <a href="../selinux-faq.xml#matchcontext">FAQ on "How do -I know which file context rule is used for a particular file?."</a> -</p> -<p> -If you want to delete a file context definition, you use <span class="code" dir="ltr">semanage fcontext --d</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Deleting a file context definition</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage fcontext -d -t portage_ebuild_t /mnt/gentoo/etc/make.conf</span> -</pre></td></tr> -</table> -<p> -Finally, to view all file context definitions (both user-set and SELinux policy -provided), you can use <span class="code" dir="ltr">semanage fcontext -l</span>. To only see the locally set, -add <span class="code" dir="ltr">-C</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Viewing user-set file context enhancements</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semanage fcontext -C -l</span> -SELinux fcontext type Context -/opt/xxe/bin/.*\.jar all files system_u:object_r:lib_t -/srv/virt/gentoo(/.*)? all files system_u:object_r:qemu_image_t -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Customizable types</a></p> -<p> -Labels on files are not that hard to understand, but you might come into some -surprises if you do not know that there are also customizable types. -</p> -<p> -A <span class="emphasis">customizable type</span> is a specific type which is not touched by the -SELinux administration tools by default. 
If you want to relabel a file that -currently holds a customizable type, you will need to force this through the -commands (such as <span class="code" dir="ltr">restorecon -F</span>). -</p> -<p> -There are not that many customizable types by default. The list of types that -SELinux considers as customizable are mentioned in the -<span class="path" dir="ltr">customizable_types</span> file within the -<span class="path" dir="ltr">/etc/selinux/*/contexts</span> location: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the customizable types</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">cat /etc/selinux/strict/contexts/customizable_types</span> -mount_loopback_t -public_content_rw_t -public_content_t -swapfile_t -textrel_shlib_t -</pre></td></tr> -</table> -<p> -Such types exist because these types are used for files whose location is known -not to be fixed (and as such, the SELinux policy cannot without a doubt know if -the label on the files is correct or not). The <span class="code" dir="ltr">public_content_t</span> one, -which is used for files that are readable by several services (like FTP, web -server, ...), might give you a nice example for such a case. -</p> -<p> -If you look at the <span class="code" dir="ltr">restorecon</span> man page, it mentions both customizable -types as well as the user section. 
The latter is for rules that are identified -in the SELinux policy as being files for an end user, like the following -definitions in the <span class="code" dir="ltr">mozilla</span> policy module: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: User section definition within mozilla module</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -</pre></td></tr> -</table> -<p> -Although in the above example, forcing <span class="code" dir="ltr">restorecon</span> on the files is -probably correct, there are examples where you do not want this. For instance, -the firefox policy by default only allows the application to write to -directories labeled <span class="code" dir="ltr">mozilla_home_t</span>. If you want to download something, -this isn't possible (unless you download it into <span class="path" dir="ltr">~/.mozilla</span>). The -solution there is to label a directory (say <span class="path" dir="ltr">~/Downloads</span>) as -<span class="code" dir="ltr">mozilla_home_t</span>. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>SELinux Policy and Booleans</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -We have dealt with users and labels now, but there is still a third aspect that -we haven't touched: the SELinux policy itself. -</p> -<p> -The SELinux policy as offered by Gentoo Hardened is a carefully tuned SELinux -policy, based on the reference policy (a distribution-agnostic SELinux policy) -with minor changes. 
Hopefully, you will not need to rewrite the policy to suit -it for your needs, but changes are very likely to occur here and there. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Changing the SELinux Policy Behavior: Booleans</a></p> -<p> -A common and user friendly way of tweaking the SELinux policy is through -booleans. A <span class="emphasis">SELinux boolean</span>, also known as a conditional, changes how the -SELinux policy behaves based on the setting that the user provides. To make this -a bit more clear, let's look at a few booleans available: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting SELinux booleans</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">getsebool -a | grep ^user</span> -user_direct_mouse --> off -user_dmesg --> off -user_ping --> on -user_rw_noexattrfile --> off -user_tcp_server --> off -user_ttyfile_stat --> off -</pre></td></tr> -</table> -<p> -Although they might not say much on first sight, these booleans alter how the -SELinux policy enforces user activity (hence the booleans starting with -<span class="path" dir="ltr">user_</span>). For instance, <span class="code" dir="ltr">user_ping</span> is set to <span class="code" dir="ltr">on</span>, so a -user is allowed to use <span class="code" dir="ltr">ping</span>. If it was set to <span class="code" dir="ltr">off</span>, the SELinux -policy would not allow a user to execute <span class="code" dir="ltr">ping</span>. -</p> -<p> -Booleans can be toggled on or off using <span class="code" dir="ltr">setsebool</span> or <span class="code" dir="ltr">togglesebool</span>. -With <span class="code" dir="ltr">setsebool</span> you need to give the value (on or off) whereas -<span class="code" dir="ltr">togglesebool</span> switches the value. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Disallowing the use of ping by users</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">setsebool user_ping off</span> -</pre></td></tr> -</table> -<p> -By default, <span class="code" dir="ltr">setsebool</span> does not store the boolean values - after a reboot, -the old values are used again. To persist such changes, you need to add the -<span class="code" dir="ltr">-P</span> option: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Persistedly allow users to run dmesg</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">setsebool -P user_dmesg on</span> -</pre></td></tr> -</table> -<p> -Booleans allow administrators to tune the policy, and allow security -administrators to write policies that are flexible enough for a more widespread -use. In terms of Gentoo flexibility, these booleans might not be used enough (it -would be nice to couple these booleans on USE flags, so that a server build with -USE="ldap" gets the SELinux policy to use ldap, whereas USE="-ldap" disallows -it). But still, the use of booleans is a popular method for making a more -flexible SELinux policy. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Managing SELinux Policy Modules</a></p> -<p> -In this last part, we'll cover SELinux policy modules. We mentioned before that -the SELinux policy used by Gentoo Hardened is based on the reference policy, -which offers a modular approach to SELinux policies. There is one base policy, -which is mandatory on every system and is kept as small as possible. 
The rest -are SELinux policy modules, usually providing the declarations, rules and file -contexts for a single application (or type of applications). -</p> -<p> -With <span class="code" dir="ltr">semodule -l</span> you can see the list of SELinux policy modules loaded: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the loaded SELinux modules</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semodule -l</span> -alsa 1.11.0 -apache 2.3.0 -entropyd 1.6.0 -dbus 1.15.0 -dnsmasq 1.9.0 -<span class="code-comment">(...)</span> -</pre></td></tr> -</table> -<p> -Within Gentoo Hardened, each module is provided by the package -<span class="path" dir="ltr">sec-policy/selinux-<modulename></span>. For instance, the first -module encountered in the above example is provided by -<span class="path" dir="ltr">selinux-alsa</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: The SELinux policy module package in Gentoo</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -$ <span class="code-input">emerge --search selinux-alsa</span> -Searching... -[ Results for search key : selinux-alsa ] -[ Applications found : 1] - -* sec-policy/selinux-alsa - Latest version available: 2.20110726 - Latest version installed: 2.20110726 - Size of files: 574 kB - Homepage: http://www.gentoo.org/proj/en/hardened/selinux/ - Description: SELinux policy for alsa - License: GPL-2 -</pre></td></tr> -</table> -<p> -If you need a module that isn't installed on your system, this is considered a -bug (packages that need it should depend on the SELinux policy package if the -selinux USE flag is set). 
But once you install the package yourself, the module -will be loaded automatically: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing a SELinux policy package</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">emerge selinux-screen</span> -</pre></td></tr> -</table> -<p> -If you want to remove a module from your system though, uninstalling the package -will not suffice: the SELinux policy module itself is copied to the policy store -earlier (as part of the installation process) and is not removed from this store -by Portage. Instead, you will need to remove the module manually: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Uninstalling a SELinux policy module</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">emerge -C selinux-screen</span> -# <span class="code-input">semodule -r screen</span> -</pre></td></tr> -</table> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated September 30, 2011</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html deleted file mode 100644 index 9e97553..0000000 --- a/html/selinux/hb-using-install.html +++ /dev/null 
@@ -1,632 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="../../favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Installing Gentoo (Hardened)</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -Getting a SELinux-powered Gentoo installation doesn't require weird actions. 
-What you need to do is install Gentoo Linux with the correct profile, correct -kernel configuration and some file system relabelling. We seriously recommend to -use SELinux together with other hardening improvements (such as PaX / -grSecurity). -</p> -<p> -This chapter will describe the steps to install Gentoo with SELinux. We -assume that you have an existing Gentoo Linux system which you want to convert -to Gentoo with SELinux. If this is not the case, you should still read -on: you can install Gentoo with SELinux immediately if you make the -correct decisions during the installation process, based on the information in -this chapter. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Performing a Standard Installation</a></p> -<p> -Install Gentoo Linux according to the <a href="http://www.gentoo.org/doc/en/handbook">Gentoo -Handbook</a> installation instructions. We recommend the use of the hardened -stage 3 tarballs and <span class="code" dir="ltr">hardened-sources</span> kernel instead of the standard -ones, but standard stage installations are also supported for SELinux. -Perform a full installation to the point that you have booted your system -into a (primitive) Gentoo base installation. -</p> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> -If you are an XFS user, make sure that the inode sizes of the XFS file -system is 512 byte. Since the default is 256, you will need to run the -<span class="code" dir="ltr">mkfs.xfs</span> command with the <span class="code" dir="ltr">-i size=512</span> arguments, like so: -<span class="code" dir="ltr">mkfs.xfs -i size=512 /dev/sda3</span> -</p></td></tr></table> -<p class="secthead"><a name="doc_chap1_sect1">Switching to Python 2</a></p> -<p> -For now, the SELinux management utilities are not compatible with Python 3 so -we recommend to switch to Python 2 until the packages are updated and fixed. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching to python 2</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">emerge '<=dev-lang/python-3.0'</span> -~# <span class="code-input">eselect python list</span> -Available Python interpreters: - [1] python2.7 - [2] python3.1 * - -~# <span class="code-input">eselect python set 1</span> -~# <span class="code-input">source /etc/profile</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Optional: Setting the filesystem contexts</a></p> -<p> -If your <span class="path" dir="ltr">/tmp</span> location is a tmpfs-mounted file system, then you need -to tell the kernel that the root context of this location is <span class="code" dir="ltr">tmp_t</span> -instead of <span class="code" dir="ltr">tmpfs_t</span>. Many SELinux policy objects (including various -server-level policies) assume that <span class="path" dir="ltr">/tmp</span> is <span class="code" dir="ltr">tmp_t</span>. 
-</p> -<p> -To configure the <span class="path" dir="ltr">/tmp</span> mount, edit your <span class="path" dir="ltr">/etc/fstab</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update /etc/fstab for /tmp</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment"># For a "targeted" or "strict" policy type:</span> -tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t</span> 0 0 - -<span class="code-comment"># For an "mls" or "mcs" policy type:</span> -tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t:s0</span> 0 0 -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Change the Gentoo Profile</a></p> -<p> -Now that you have a running Gentoo Linux installation, switch the Gentoo profile -to the right SELinux profile (for instance, -<span class="path" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span>). Note that the older -profiles (like <span class="path" dir="ltr">selinux/v2refpolicy/amd64/hardened</span>) are not -supported anymore. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching the Gentoo profile</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">eselect profile list</span> -Available profile symlink targets: - [1] default/linux/amd64/10.0 - [2] default/linux/amd64/10.0/selinux - [3] default/linux/amd64/10.0/desktop - [4] default/linux/amd64/10.0/desktop/gnome - [5] default/linux/amd64/10.0/desktop/kde - [6] default/linux/amd64/10.0/developer - [7] default/linux/amd64/10.0/no-multilib - [8] default/linux/amd64/10.0/server - [9] hardened/linux/amd64 - [10] hardened/linux/amd64/selinux - [11] hardened/linux/amd64/no-multilib * - [12] hardened/linux/amd64/no-multilib/selinux - -~# <span class="code-input">eselect profile set 12</span> -</pre></td></tr> -</table> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> -Starting from the profile change, Portage will warn you after every installation -that it was "Unable to set SELinux security labels". This is to be expected, -because the tools and capabilities that Portage requires to set the security -labels aren't available yet. This warning will vanish the moment the SELinux -installation is completed. -</p></td></tr></table> -<p> -Don't update your system yet - we will need to install a couple of packages in a -particular order which Portage isn't aware of in the next couple of sections. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Update make.conf</a></p> -<p> -Next, take a look at the following USE flags and decide if you want to enable -or disable them. 
-</p> -<table class="ntable"> -<tr> - <td class="infohead"><b>USE flag</b></td> - <td class="infohead"><b>Default Value</b></td> - <td class="infohead"><b>Description</b></td> -</tr> -<tr> - <td class="tableinfo">peer_perms</td> - <td class="tableinfo">Enabled</td> - <td class="tableinfo"> - The peer_perms capability controls the SELinux policy network peer controls. - If set, the access control mechanisms that SELinux uses for network based - labelling are consolidated. This setting is recommended as the policy is - also updated to reflect this. If not set, the old mechanisms (NetLabel and - Labeled IPsec) are used side by side. - </td> -</tr> -<tr> - <td class="tableinfo">open_perms</td> - <td class="tableinfo">Enabled</td> - <td class="tableinfo"> - The open_perms capability enables the SELinux permission "open" for files - and file-related classes. Support for the "open" call was added a bit later - than others so support was first made optional. However, the policies have - matured sufficiently to have the open permission set. - </td> -</tr> -<tr> - <td class="tableinfo">ubac</td> - <td class="tableinfo">Enabled</td> - <td class="tableinfo"> - When disabled, the SELinux policy is built without user-based access control. - </td> -</tr> -</table> -<p> -Make your choice and update the <span class="code" dir="ltr">USE</span> variable in -<span class="path" dir="ltr">/etc/make.conf</span>. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Manual System Changes</a></p> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b> -Most, if not all of the next few changes will be resolved through regular -packages as soon as possible. However, these fixes have impact beyond the Gentoo -Hardened installations. As such, these changes will be incorporated a bit slower -than the SELinux-specific updates. 
For the time being, manually correcting these -situations is sufficient (and a one-time operation). -</p></td></tr></table> -<p> -The following changes <span class="emphasis">might</span> be necessary on your system, depending on the -tools or configurations that apply. -</p> -<ul> - - <li> - If you use LVM for one or more file systems, you need to edit - <span class="path" dir="ltr">/lib/rcscripts/addons/lvm-start.sh</span> (or <span class="path" dir="ltr">/lib64/..</span>) - and <span class="path" dir="ltr">lvm-stop.sh</span> and set the config location from - <span class="path" dir="ltr">/dev/.lvm</span> to <span class="path" dir="ltr">/etc/lvm/lock</span>. Next, create the - <span class="path" dir="ltr">/etc/lvm/lock</span> directory. Finally, add - <span class="path" dir="ltr">/lib(64)/rcscripts/addons</span> to <span class="code" dir="ltr">CONFIG_PROTECT</span> in your - <span class="path" dir="ltr">make.conf</span> file. - </li> - <li> - Check if you have <span class="path" dir="ltr">*.old</span> files in <span class="path" dir="ltr">/bin</span>. If you do, - either remove those or make them a copy of their counterpart so that they - get their own security context. The <span class="path" dir="ltr">.old</span> files are hard links - which mess up the file labelling. For instance, <span class="code" dir="ltr">cp /bin/hostname - /bin/hostname.old</span>. - </li> - - <li> - Edit <span class="path" dir="ltr">/etc/sandbox.conf</span> and add in - <span class="path" dir="ltr">/sys/fs/selinux/context</span> to the <span class="code" dir="ltr">SANDBOX_WRITE</span> parameter. - This is currently needed to work around bug <a href="https://bugs.gentoo.org/410687">410687</a>. - </li> -</ul> -<p class="secthead"><a name="doc_chap1_sect1">Installing a SELinux Kernel</a></p> -<p> -Although the default Linux kernels offer SELinux support, we recommend the use -of the <span class="path" dir="ltr">sys-kernel/hardened-sources</span> package. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing hardened-sources</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">(Only if you have not installed it previously of course)</span> -~# <span class="code-input">emerge hardened-sources</span> -</pre></td></tr> -</table> -<p> -Next, reconfigure the kernel with the appropriate security settings. This -includes, but is not limited to -</p> -<ul> - <li>Support for extended attributes in the various file systems</li> - <li>Support system-call auditing</li> - <li>Support for SELinux</li> -</ul> -<p> -Below you can find a quick overview of the recommended settings. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Recommended settings for the Linux kernel configuration</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">Under "General setup"</span> -[*] Prompt for development and/or incomplete code/drivers -[*] Auditing support -[*] Enable system-call auditing support - -<span class="code-comment">Under "File systems"</span> -<span class="code-comment">(For each file system you use, make sure extended attribute support is enabled)</span> -<*> Second extended fs support -[*] Ext2 extended attributes -[ ] Ext2 POSIX Access Control Lists -[*] Ext2 Security Labels -[ ] Ext2 execute in place support - -<*> Ext3 journalling file system support -[ ] Default to 'data=ordered' in ext3 -[*] Ext3 extended attributes -[ ] Ext3 POSIX Access Control Lists -[*] Ext3 Security Labels - -<*> The Extended 4 (ext4) filesystem -[*] Ext4 extended attributes -[ ] Ext4 POSIX Access Control Lists -[*] Ext4 Security Labels - -<*> JFS filesystem support -[ ] JFS POSIX Access Control Lists 
-[*] JFS Security Labels -[ ] JFS debugging -[ ] JFS statistics - -<*> XFS filesystem support -[ ] XFS Quota support -[ ] XFS POSIX ACL support -[ ] XFS Realtime subvolume support (EXPERIMENTAL) -[ ] XFS Debugging Support - -<*> Btrfs filesystem (EXPERIMENTAL) -[ ] Btrfs POSIX Access Control Lists - -<span class="code-comment">Under "Security options"</span> -[*] Enable different security models -[*] Socket and Networking Security Hooks -[*] NSA SELinux Support -[ ] NSA SELinux boot parameter -[ ] NSA SELinux runtime disable -[*] NSA SELinux Development Support -[ ] NSA SELinux AVC Statistics -(1) NSA SELinux checkreqprot default value -[ ] NSA SELinux maximum supported policy format version - Default security module (SELinux) ---> -</pre></td></tr> -</table> -<p> -We recommend to use PaX as well. More information on PaX within Gentoo Hardened -can be found in the <a href="pax-quickstart.html">Hardened -Gentoo PaX Quickstart Guide</a>. -</p> -<p> -Build and install the new Linux kernel and its modules. 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">Update fstab</a></p> -<p> -Next, edit <span class="path" dir="ltr">/etc/fstab</span> and add the following two lines: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling selinux-specific file system options</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment"># The udev mount is due to bug #373381</span> -udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0 -none /selinux selinuxfs defaults 0 0 -</pre></td></tr> -</table> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b> -In case of an MLS/MCS policy, you need to have the context with sensitivity -level, so <span class="code" dir="ltr">...:device_t:s0</span>. -</p></td></tr></table> -<p> -Make the <span class="path" dir="ltr">/selinux</span> mountpoint as well: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating the /selinux mountpoint</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">mkdir /selinux</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Reboot</a></p> -<p> -With the above changes made, reboot your system. Assert yourself that you are -now running a Linux kernel with SELinux enabled (the <span class="path" dir="ltr">/selinux</span> file -system should be mounted). Don't worry - SELinux is at this point not activated. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. 
- </span>Configure SELinux</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -Next we will need to configure SELinux by installing the appropriate -utilities, label our file system and configure the policy. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Install Policies and Utilities</a></p> -<p> -First, install the <span class="path" dir="ltr">sys-apps/checkpolicy</span> and -<span class="path" dir="ltr">sys-apps/policycoreutils</span> packages. Although these will be pulled in -as dependencies of the SELinux policy packages themselves, we need to install -these one time first - hence the <span class="code" dir="ltr">-1</span> option. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing SELinux policy core utilities</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">emerge -1 checkpolicy policycoreutils</span> -</pre></td></tr> -</table> -<p> -Next, install the SELinux policy package -(<span class="path" dir="ltr">sec-policy/selinux-base-policy</span>). This package contains the base -SELinux policy needed to get your system up and running using SELinux. -As Portage will try to label and reload policies (since the installation of -<span class="path" dir="ltr">sys-apps/policycoreutils</span>) we need to temporarily disable SELinux -support (as Portage wouldn't be able to label anything as it doesn't understand -it yet). 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing the SELinux policy packages</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">FEATURES="-selinux" emerge selinux-base-policy</span> -</pre></td></tr> -</table> -<p> -Next, rebuild those packages affected by the profile change we did previously -through a standard world update, taking into account USE-flag changes (as the -new profile will change many default USE flags, including enabling the -<span class="code" dir="ltr">selinux</span> USE flag). Don't forget to use <span class="code" dir="ltr">etc-update</span> or -<span class="code" dir="ltr">dispatch-conf</span> afterwards as some changes to configuration files need to -be made. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update your Gentoo Linux system</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">emerge -uDN world</span> -</pre></td></tr> -</table> -<p> -Next, install the additional SELinux tools that you might need in the future to -debug or help with your SELinux installation. These packages are optional, but -recommended. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing additional SELinux packages</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">emerge setools sepolgen checkpolicy</span> -</pre></td></tr> -</table> -<p> -Finally, install the policy modules for those utilities you think you need -policies for. 
In the near future, this will be done automatically for you (the -packages will have an optional dependency on it, triggered by the selinux USE -flag), but until that time, you will need to install them yourself. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing SELinux modules</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">emerge --search selinux-</span> -[...] -<span class="code-comment">(Select the modules you want to install)</span> -~# <span class="code-input">emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Configure the SELinux Policy</a></p> -<p> -Inside <span class="path" dir="ltr">/etc/selinux/config</span> you can configure how SELinux is -configured at boot time. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Editing the /etc/selinux/config file</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# This file controls the state of SELinux on the system on boot. - -# SELINUX can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -SELINUX=<span class="code-input">permissive</span> - -# SELINUXTYPE can take one of these four values: -# targeted - Only targeted network daemons are protected. -# strict - Full SELinux protection. 
-# mls - Full SELinux protection with Multi-Level Security -# mcs - Full SELinux protection with Multi-Category Security -# (mls, but only one sensitivity level) -SELINUXTYPE=<span class="code-input">strict</span> -</pre></td></tr> -</table> -<p> -Within this configuration file, two variables can be set: -</p> -<ul> - <li> - <span class="code" dir="ltr">SELINUX</span> sets how SELinux should behave: - <ul> - <li> - <span class="code" dir="ltr">enforcing</span> will enable and enforce policies. This is where we want - to go for, but you should probably start with <span class="code" dir="ltr">permissive</span>. - </li> - <li> - <span class="code" dir="ltr">permissive</span> will enable policies, but not enforce them. Any - violation is reported but not denied. This is where you should start - from as it will not impact your system yet allow you to get acquainted - with SELinux - and validate the warnings to see if you can switch - towards <span class="code" dir="ltr">enforcing</span> or not. - </li> - <li> - <span class="code" dir="ltr">disabled</span> will completely disable the policies. As this will not - show any violations as well, it is not recommended. - </li> - </ul> - </li> - <li> - <span class="code" dir="ltr">SELINUXTYPE</span> selects the SELinux policy type to load. - Gentoo Hardened recommends the use of <span class="code" dir="ltr">strict</span> for servers, and - <span class="code" dir="ltr">targeted</span> for desktops. The <span class="code" dir="ltr">mcs</span> type is supported, <span class="code" dir="ltr">mls</span> - is currently still considered experimental. - </li> -</ul> -<p> -The differentiation between <span class="code" dir="ltr">strict</span> and <span class="code" dir="ltr">targeted</span> is based upon the -<span class="emphasis">unconfined</span> domain. 
When loaded, the processes on your system that are not -specifically confined within a particular policy module will be part of the -unconfined_t domain whose purpose is to allow most activities by default (rather -than deny by default). As a result, processes that run inside the unconfined_t -domain have no restrictions apart from those already enforced by standard Linux -security. Although running without the unconfined_t domain is considered more -secure, it will also be more challenging for the administrator to make sure the -system still functions properly as there are no policy modules for each and -every application "out there". -</p> -<p> -Next to <span class="code" dir="ltr">targeted</span> and <span class="code" dir="ltr">strict</span>, you can opt for <span class="code" dir="ltr">mcs</span> to allow -categorization of the process domains. This is useful on multi-tenant systems -such as web servers, virtualization hosts, ... where multiple processes will be -running, most of them in the same security domain, but in different categories. -</p> -<p> -Finally, you can also select <span class="code" dir="ltr">mls</span> to differentiate security domains on -a sensitivity level. However, MLS is currently still considered experimental -in Gentoo and as such not recommended. -</p> -<p> -When you have made your choice between the SELinux policy types, save -this in your <span class="path" dir="ltr">/etc/make.conf</span> file as well. That way, Portage will -only install the policy modules for that SELinux type. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting the policy type in make.conf</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">nano /etc/make.conf</span> -POLICY_TYPES="<span class="code-input">strict</span>" -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Reboot, and Label the File System</a></p> -<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> -Repeat these steps every time you have rebooted from a non-SELinux enabled -kernel into a SELinux enabled kernel, as running with a non-SELinux enabled -kernel will not update the security attributes of the files you create or -manipulate during your day-to-day activities on your system. -</p></td></tr></table> -<p> -First reboot your system so that the installed policies are loaded. Now we -need to relabel your devices and openrc related files. This will apply the -correct security contexts (labels) onto the necessary files. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel /dev structure</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">mkdir /mnt/gentoo</span> -~# <span class="code-input">mount -o bind / /mnt/gentoo</span> - -<span class="code-comment">(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</span> -~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</span> -~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</span> -~# <span class="code-input">umount /mnt/gentoo</span> -</pre></td></tr> -</table> -<p> -Next, if you have a swapfile rather than a swap partition, label it accordingly: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Labelling the swap file</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">semanage fcontext -a -t swapfile_t "http://www.gentoo.org/swapfile"</span> -~# <span class="code-input">restorecon /swapfile</span> -</pre></td></tr> -</table> -<p> -Now relabel your entire file system. The next command will apply the correct -security context onto the files on your file system, based on the security -context information provided by the SELinux policy modules installed. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel the entire file system</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">rlpkg -a -r</span> -</pre></td></tr> -</table> -<p> -If you ever have to install a SELinux policy module for a package after that -that particular package is installed, you need to run <span class="code" dir="ltr">rlpkg</span> for that -package to make sure that the security contexts for these files are set -correctly. For instance, if you have installed -<span class="path" dir="ltr">sec-policy/selinux-screen</span> after discovering that you have -<span class="code" dir="ltr">screen</span> on your system: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling the files for a single package</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">(Make sure no screen sessions are running as their security contexts will not be adapted)</span> -~# <span class="code-input">rlpkg -t screen</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Reboot and Set SELinux Booleans</a></p> -<p> -Reboot your system so that the newly applied file contexts are used. 
Log on -and, if you have indeed installed Gentoo using the hardened sources (as we -recommended), enable the SSP SELinux boolean, allowing every domain read -access to the <span class="path" dir="ltr">/dev/urandom</span> device: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling the global_ssp boolean</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">setsebool -P global_ssp on</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p> -<p> -If the <span class="code" dir="ltr">SELINUXTYPE</span> is set to <span class="code" dir="ltr">strict</span>, then we -need to map the account(s) you use to manage your system (those -that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. If not, none -of your accounts will be able to succesfully manage the system (except for -<span class="code" dir="ltr">root</span>, but then you will need to login as <span class="code" dir="ltr">root</span> directly and not -through <span class="code" dir="ltr">sudo</span> or <span class="code" dir="ltr">su</span>.) By default, users are mapped to the -<span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the appropriate rights (nor access -to the appropriate roles) to manage a system. Accounts that are mapped to -<span class="code" dir="ltr">staff_u</span> can, but might need to switch roles from <span class="code" dir="ltr">staff_r</span> to -<span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate privileges. 
-</p> -<p> -Assuming that your account name is <span class="emphasis">john</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping the Linux account john to the SELinux user staff_u</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">semanage login -a -s staff_u john</span> -~# <span class="code-input">restorecon -R -F /home/john</span> -</pre></td></tr> -</table> -<p> -If you later log on as <span class="emphasis">john</span> and want to manage your system, you will -probably need to switch your role. You can use <span class="code" dir="ltr">newrole</span> for this: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching roles</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~$ <span class="code-input">id -Z</span> -staff_u:staff_r:staff_t -~$ <span class="code-input">newrole -r sysadm_r</span> -Password: <span class="code-comment">(Enter your password)</span> -~$ <span class="code-input">id -Z</span> -staff_u:sysadm_r:sysadm_t -</pre></td></tr> -</table> -<p> -If you however use a <span class="code" dir="ltr">targeted</span> policy, then the user you work with will be -of type <span class="emphasis">unconfined_t</span> and will already have the necessary privileges to -perform system administrative tasks. -</p> -<p> -With that done, enjoy - your first steps into the SELinux world are now made. -</p> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated April 10, 2012</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/hb-using-policies.html b/html/selinux/hb-using-policies.html deleted file mode 100644 index 0163b42..0000000 --- a/html/selinux/hb-using-policies.html +++ /dev/null 
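Review bot: the path argument in the deleted "Labelling the swap file" listing is wrong: `semanage fcontext -a -t swapfile_t "http://www.gentoo.org/swapfile"` passes a URL where a file-context regex is expected, and the `restorecon /swapfile` line directly below it shows the intended argument is `/swapfile`. Since this page is a generated preview, the same defect is probably present in the handbook source it was built from; it should be corrected there before the previews are regenerated. Two smaller points in the same hunk: every listing is anchored as `doc_chap1_pre1` and titled "Code Listing1.1", and every section anchor is `doc_chap1_sect1`, so the in-page anchors are all duplicates (the numbering pass is evidently not running for these previews); and "succesfully" in the "Define the Administrator Accounts" paragraph is a spelling error in the source text.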
@@ -1,359 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/../css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/../favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. 
- </span>SELinux Policy Language</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -By default, Gentoo provides a generic, yet tightly controlled policy which is -deemed a good start policy for the majority of users. However, the purpose -behind a Mandatory Access Control system is to put the security administrator in -control. As such, a handbook on SELinux without information on how to write -policies wouldn't be complete. -</p> -<p> -In this chapter, we'll talk a bit about the language behind SELinux policies and -give some pointers on how to create your own policies, roles, etc. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Building a SELinux Module</a></p> -<p> -First, before we go into the art of SELinux policy writing, let's first make a -small SELinux module with a rule we can test, build the module and see if things -work. Although these steps are fairly easy, they are important nonetheless. -Modifying the SELinux policy as offered by Gentoo is best done through -additional SELinux policy modules. Only when the core policy (the base policy) -is not to your liking should you see on using a totally different policy. -</p> -<p> -Let's start with a skeleton for a policy module we'll call <span class="emphasis">testmod</span>. You -should use simple names for the modules as the build infrastructure is quite -sensitive to special constructs. Use only letters a-z and numbers, and never -start a module name with a number. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Policy module skeleton</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -policy_module(testmod, 1.0.0) -</pre></td></tr> -</table> -<p> -Yes, that's it. But as you can see, it is fairly empty. So let's add a rule that -allows a regular user (in the user_t domain) to read ebuild files (of type -portage_ebuild_t). 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Policy module testmod</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -policy_module(testmod, 1.0.0) - -require { - type user_t; - type portage_ebuild_t; - class file { read open getattr }; - class dir { read search open getattr }; -} - -allow user_t portage_ebuild_t:file { read open getattr }; -allow user_t portage_ebuild_t:dir { read search open getattr }; -</pre></td></tr> -</table> -<p> -As you can see, something as simple as allowing a user to read a file requires -quite a few privileges. The directory privileges are needed to allow a user to -navigate through the Portage tree structure whereas the file privileges are -needed for a user to be able to access and open the ebuilds. Save this file as -<span class="path" dir="ltr">testmod.te</span>. -</p> -<p> -To build the policy and convert it into the binary module that we can load into -the SELinux policy store, we can use the <span class="path" dir="ltr">Makefile</span> available in -<span class="path" dir="ltr">/usr/share/selinux/strict/include</span> (substitute strict with the -SELinux policy type you are using). -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Building a binary policy module</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -$ <span class="code-input">make -f /usr/share/selinux/struct/include/Makefile testmod.pp</span> -</pre></td></tr> -</table> -<p> -The filename (<span class="path" dir="ltr">testmod.pp</span>) is the destination binary SELinux module -name. The <span class="path" dir="ltr">Makefile</span> will automatically look for the -<span class="path" dir="ltr">testmod.te</span> file you have in the working directory. 
-</p> -<p> -As a result, you should now have a file called <span class="path" dir="ltr">testmod.pp</span>. This -module file can now be loaded in the SELinux policy store as follows: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Loading a binary module</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">semodule -i /path/to/testmod.pp</span> -</pre></td></tr> -</table> -<p> -Congratulations! You have now build your first SELinux policy module. If you -want to disable it, remove it through <span class="code" dir="ltr">semodule -r testmod</span>. -</p> -<p> -This method of building a policy (using the <span class="path" dir="ltr">Makefile</span> and -<span class="code" dir="ltr">semodule</span>) is something that you will need to do every time you want to -update the SELinux policy on your system. The contents of the policy however -does change as we will see in the rest of this document. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Getting the SELinux Policy Interfaces</a></p> -<p> -To streamline policy development, the SELinux policy based on the reference -policy uses interfaces to access privileges within a module. If you have built -<span class="path" dir="ltr">selinux-base-policy</span> with <span class="code" dir="ltr">USE="doc"</span> then this information is -available at -<span class="path" dir="ltr">/usr/share/doc/selinux-base-policy-<version>/html</span>. It is -recommended to have this information at hand, since most policy -development/updates will be done through the interfaces offered by the policy. -</p> -<p> -If you are just interested, you can also find these interface definitions <a href="http://oss.tresys.com/docs/refpolicy/api/">online</a>. 
Mind you though, -the online resource is only the reference policy and might differ a bit from the -policy available within Gentoo. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Using Policy Interfaces</a></p> -<p> -Using the policy interfaces allows you to update the policy with more readable -functions. For instance, to allow the user_t domain to call and use Portage -applications, the module could look like so: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example policy to allow user_t to use portage</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -policy_module(testmod, 1.0.0) - -require { - type user_t; - role user_r; -} - -portage_run(user_t, user_r) -</pre></td></tr> -</table> -<p> -Of course, this makes the user_t domain much more privileged than the previously -defined rules to read ebuild files: it allows the user to call portage, update -the system, etc. Of course, the user still requires the proper regular Linux -permissions (so he needs to be part of the portage group or become root). -Needless to say, we do not recommend to grant this to a regular user ;-) -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Full SELinux Policy Modules</p> -<p class="secthead"><a name="doc_chap1_sect1">Checking Out an Isolated Module</a></p> -<p> -With the above in mind, we can now go one step further and investigate a full -policy module, with both the type enforcement rules (<span class="path" dir="ltr">.te</span> file), -file contexts (<span class="path" dir="ltr">.fc</span>) and interfaces (<span class="path" dir="ltr">.if</span>). -</p> -<p> -You should know that writing a module requires you to get intimate with the -application. 
It isn't a matter of just hoping for the best: as a security -administrator, you will be responsible for defining what accesses are allowed -and which not. If you forget one, the application might break under the users' -hands. But if you add too much, you might grant privileges that can be abused -later on. And it will be a lot more difficult to track and remove privileges -later as you will be hesitating if the privilege is needed or not. -</p> -<p> -In this section, we will not divulge in how to write one. We have an excellent -<a href="selinux-development.html">Gentoo Hardened SELinux -Development</a> resource that guides you in that. However, we will look into -such a full module to explain the other aspects of policy development. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Type Enforcement File</a></p> -<p> -The <span class="path" dir="ltr">.te</span> file we wrote earlier is a <span class="emphasis">type enforcement file</span>. -Its purpose is to define the access rules related to the module that you are -building, but also - and more importantly - define new types (or even roles). -</p> -<p> -The example below is a snippet from a module for the skype application. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Snippet from skype.te</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -policy_module(skype, 1.0.0) - -type skype_t; -type skype_exec_t; -application_domain(skype_t, skype_exec_t) - -type skype_home_t; -userdom_user_home_content(skype_home_t) - -manage_dirs_pattern(skype_t, skype_home_t, skype_home_t) -manage_files_pattern(skype_t, skype_home_t, skype_home_t) -</pre></td></tr> -</table> -<p> -In the above example, three new types are declared: <span class="code" dir="ltr">skype_t</span> (which will -be used for the application), <span class="code" dir="ltr">skype_exec_t</span> (which is the label given to -the application binary) and <span class="code" dir="ltr">skype_home_t</span> (which will be used for the -users' <span class="path" dir="ltr">~/.Skype</span> location). Also, the <span class="code" dir="ltr">skype_t</span> domain is given -some privileges with respect to the <span class="code" dir="ltr">skype_home_t</span> label (manage -directories and files). -</p> -<p class="secthead"><a name="doc_chap1_sect1">File Context File</a></p> -<p> -In the <span class="path" dir="ltr">.fc</span> file (which stands for <span class="emphasis">file context file</span>) the -module's resources (files, directories, sockets, ...) are defined. Once the -module is loaded, these rules are added so that file system relabeling will put -the correct context on the files. -</p> -<p> -The example below is a snippet from the skype modules' file context file. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Snippet from skype.fc</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -HOME_DIR/\.Skype(/.*)? 
gen_context(system_u:object_r:skype_home_t,s0) -/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0) -/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0) -</pre></td></tr> -</table> -<p> -The format of the file context file has the following syntax: -</p> -<ol> - <li> - The regular expression that matches the file(s) and directorie(s) affected - by that line - </li> - <li> - An optional identifier to differentiate the type of files (file, directory, - socket, symbolic link, ...) - </li> - <li> - A <span class="code" dir="ltr">gen_context</span> line that contains the context to assign to the file(s) - and directorie(s) - </li> -</ol> -<p class="secthead"><a name="doc_chap1_sect1">Interface File</a></p> -<p> -In the <span class="path" dir="ltr">.if</span> file (for <span class="emphasis">interface file</span>) interfaces are declared -which can be used by other modules. It is through interfaces that a nicely -defined policy can be built on top of other, existing policy modules. -</p> -<p> -One interface could be to allow users to call and execute an application. For -instance, the following interface can be found in the skype module. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Snippet from skype.if</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -interface(`skype_role',` - gen_require(` - type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t; - ') - - role $1 types skype_t; - - domtrans_pattern($2, skype_exec_t, skype_t) - - allow $2 skype_t:process { ptrace signal_perms }; - - manage_dirs_pattern($2, skype_home_t, skype_home_t) - manage_files_pattern($2, skype_home_t, skype_home_t) - manage_lnk_files_pattern($2, skype_home_t, skype_home_t) - - relabel_dirs_pattern($2, skype_home_t, skype_home_t) - relabel_files_pattern($2, skype_home_t, skype_home_t) - relabel_lnk_files_pattern($2, skype_home_t, skype_home_t) - - ps_process_pattern($2, skype_t) -') -</pre></td></tr> -</table> -<p> -Through this <span class="code" dir="ltr">skype_role</span>, we can then allow users to call skype, as can be -found in the <span class="path" dir="ltr">unprivuser.te</span> file (which defines the user_t domain): -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Snippet from unprivuser.te to call skype</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -optional_policy(` - skype_role(user_r, user_t) -') -</pre></td></tr> -</table> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Using audit2allow</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -When reading online resources on SELinux, you will notice that there are many -references to a tool called <span class="code" dir="ltr">audit2allow</span>. This tools' purpose is to read -AVC denial messages from the audit log file and transform them into a policy -module that you can load. 
The advantage is that it makes it a lot easier to -write policies. The downside is that the output (unless you use the <span class="code" dir="ltr">-R</span> -option) is not usable for the <span class="path" dir="ltr">Makefile</span> we used earlier to build -modules. -</p> -<p> -Another disadvantage is that the tool does not intelligently cope with changes. -It blindly accepts denials and treats them as if they need to be allowed, rather -than investigate if no other context should be given to the file, etc. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Using audit2allow</a></p> -<p> -Using <span class="code" dir="ltr">audit2allow</span> is pretty straightforward. You send it the denials you -want to fix and store the result in a <span class="path" dir="ltr">.te</span> file. You then convert it -into an intermediary format which can then be translated into a <span class="path" dir="ltr">.pp</span> -file for final loading by <span class="code" dir="ltr">semodule</span>. -</p> -<p> -For instance, to catch all denials and transform them into allowed statements -from firefox-related denials: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Generate a new policy using audit2allow</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">grep firefox /var/log/avc.log | audit2allow -m firefoxmod > firefoxmod.te</span> -# <span class="code-input">checkmodule -m -o firefoxmod.mod firefoxmod.te</span> -# <span class="code-input">semodule_package -o firefoxmod.pp -m firefoxmod.mod</span> -# <span class="code-input">semodule -i firefoxmod.pp</span> -</pre></td></tr> -</table> -<p> -Keep the module name (given through the <span class="code" dir="ltr">-m</span> option) simple: only use -characters (<span class="code" dir="ltr">[a-z]</span>) and numbers (<span class="code" dir="ltr">[0-9]</span>), and 
start the module name -with a character. -</p> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated March 1, 2012</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. - </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/hb-using-states.html b/html/selinux/hb-using-states.html deleted file mode 100644 index bd2398f..0000000 --- a/html/selinux/hb-using-states.html +++ /dev/null 
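Review bot: The commit message "Update previews" does not say why html/selinux/hb-using-policies.html and the other handbook previews are deleted outright rather than regenerated, and the removed audit2allow section in this hunk (the `grep firefox /var/log/avc.log | audit2allow -m firefoxmod > firefoxmod.te` listing and the warning that audit2allow blindly turns every denial into an allow rule instead of asking whether the file should carry a different context) leaves no pointer to where that text now lives. Please state in the commit message whether the handbook moved elsewhere or the previews are simply no longer generated, so the audit2allow caveat is not lost with the page.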
@@ -1,299 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>SELinux States</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -When SELinux is available, it will generally be in one of three states on your -system: disabled, permissive or enforcing. 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">Disabled</a></p> -<p> -When <span class="code" dir="ltr">getenforce</span> returns "Disabled", then SELinux is not running on your -system. Even though it might be built in your kernel, it is definitely disabled. -Your system will still run with regular discretionary access controls (the usual -permission rules for standard Linux environments) but the mandatory access -controls are not active. -</p> -<p> -When SELinux is disabled, it also means that files, directories, etc that are -modified or created will not get the proper SELinux context assigned to them. -When you later start your system with SELinux enabled (permissive or enforcing), -issues will arise since the SELinux subsystem will not know which label the -files have (it will default the label to one that is not accessible by most -domains). -</p> -<p> -The best way to go forward in such case is to boot in permissive mode and then -relabel the entire file system: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling the entire file system</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">rlpkg -a -r</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Permissive</a></p> -<p> -When SELinux is enabled in permissive mode (<span class="code" dir="ltr">getenforce</span> returns -"Permissive"), then SELinux is enabled and it has a policy loaded. Every access -a process makes is checked against the policy rules and, if an access is not -allowed, it will be logged (unless the denial is marked as dontaudit) but it -will <span class="emphasis">not</span> be prohibited. -</p> -<p> -The permissive mode is perfect to get acquainted with SELinux and have the -system made ready for future "enforcing" mode. 
While running in permissive mode, -applications <span class="emphasis">that are not SELinux aware</span> will behave as if SELinux is not -running. This is perfect to validate if a problem is caused by SELinux or not: -if in permissive mode the problem still persists, then it is not caused by -SELinux. -</p> -<p> -There is one caveat though: if the application is <span class="emphasis">SELinux-aware</span> (it knows -that it can run in a SELinux environment and is able to make SELinux-specific -calls) it might still react differently. Although this is often (but not always) -a bad programming practice, some applications check if SELinux is enabled and -base their functional flow on the results, regardless of the state being -permissive or enforcing. -</p> -<p> -To find out if an application is SELinux aware, simply check if it is linked -against libselinux (with <span class="code" dir="ltr">ldd</span> or <span class="code" dir="ltr">scanelf</span> - part of -<span class="path" dir="ltr">app-misc/pax-utils</span>): -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking if /bin/ls is SELinux-aware</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">scanelf -n /bin/ls</span> - TYPE NEEDED FILE -ET_DYN libselinux.so.1,librt.so.1,libc.so.6 /bin/ls -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Enforcing</a></p> -<p> -If <span class="code" dir="ltr">getenforce</span> returns "Enforcing", then SELinux is loaded and will act -based on the policy. When a process tries some activity that is not allowed by -the policy, it will be logged (unless a dontaudit is set) and the activity will -not go through. This is the only mode where you can truely say that SELinux is -active, because it is only now that the policy is acted upon. 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">Switching States</a></p> -<p> -Depending on your Linux kernel configuration, you can switch between states -using one of the following methods. The kernel configuration however can be made -so that some of these options are disabled (for instance, a fully hardened -system will not allow disabling SELinux in any way). -</p> -<p> -Using the command <span class="code" dir="ltr">setenforce</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching between enforcing and permissive</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">(Switching to permissive mode)</span> -# <span class="code-input">setenforce 0</span> - -<span class="code-comment">(Switching to enforcing mode)</span> -# <span class="code-input">setenforce 1</span> -</pre></td></tr> -</table> -<p> -Using the kernel boot option <span class="code" dir="ltr">enforcing</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching between enforcing and permissive through boot options</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment">(The following GRUB kernel line would boot in permissive mode)</span> -kernel /kernel-2.6.39-hardened-r8 root=/dev/md3 rootflags=data=journal <span class="code-input">enforcing=0</span> -</pre></td></tr> -</table> -<p> -Using the <span class="path" dir="ltr">/etc/selinux/config</span> <span class="code" dir="ltr">SELINUX</span> variable: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config SELINUX setting</p></td></tr> 
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">cat /etc/selinux/config</span> -# This file controls the state of SELinux on the system on boot. - -# SELINUX can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -<span class="code-input">SELINUX=enforcing</span> - -# SELINUXTYPE can take one of these four values: -# targeted - Only targeted network daemons are protected. -# strict - Full SELinux protection. -# mls - Full SELinux protection with Multi-Level Security -# mcs - Full SELinux protection with Multi-Category Security -# (mls, but only one sensitivity level) -SELINUXTYPE=strict -</pre></td></tr> -</table> -<p> -When you want to switch from permissive to enforcing, it is recommended to do so -in the order given above: -</p> -<ol> - <li> - First boot up in permissive mode, log on, verify that your context is - correct (<span class="code" dir="ltr">id -Z</span>) and then switch to enforcing (<span class="code" dir="ltr">setenforce 1</span>). - You can now test if your system is still working properly. - </li> - <li> - Next, boot with <span class="code" dir="ltr">enforcing=1</span> as kernel parameter. This way, your - system will boot in enforcing mode, but if things go haywire, you can just - reboot, leave out the option and be back in permissive mode - </li> - <li> - Finally, edit <span class="path" dir="ltr">/etc/selinux/config</span> to persist this change. - </li> -</ol> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>SELinux Policy Types</p> -<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> -<p> -Next to the SELinux state, SELinux also offers different policy types. These -types differentiate themselves in specific SELinux features that are enabled or -disabled. 
Within Gentoo, three are supported (and a fourth is available): -<span class="code" dir="ltr">targeted</span>, <span class="code" dir="ltr">strict</span>, <span class="code" dir="ltr">mcs</span> (and <span class="code" dir="ltr">mls</span>). -</p> -<p> -The type used on a system is declared in <span class="path" dir="ltr">/etc/selinux/config</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: The SELINUXTYPE information in /etc/selinux/config</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -# <span class="code-input">cat /etc/selinux/config</span> -# This file controls the state of SELinux on the system on boot. - -# SELINUX can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -SELINUX=enforcing - -# SELINUXTYPE can take one of these four values: -# targeted - Only targeted network daemons are protected. -# strict - Full SELinux protection. -# mls - Full SELinux protection with Multi-Level Security -# mcs - Full SELinux protection with Multi-Category Security -# (mls, but only one sensitivity level) -<span class="code-input">SELINUXTYPE=strict</span> -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">strict (without unconfined domains)</a></p> -<p> -The <span class="code" dir="ltr">strict</span> policy type is the policy type that was described in the -earlier chapters, and coincidentally the type that is the easiest to understand. -With the strict policy type, each and every application runs in a domain that -has limited privileges. Although there are highly privileged domains, they are -never truely unlimited in their privileges. 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">targeted (using unconfined domains)</a></p> -<p> -The <span class="code" dir="ltr">targeted</span> policy type is similar to the strict one, with one major -addition: support for unconfined domains. Applications (or users) that run in an -unconfined domain are almost unlimited in their privileges. The unconfined -domains are usually used for users and user applications, but also the init -system and other domains are marked as "unconfined" domains. -</p> -<p> -The idea behind the targeted policy is that network-facing services are running -in (confined) regular domains whereas the rest uses the standard discretionary -access controls offered by Linux. These other domains are running as -"unconfined". -</p> -<p class="secthead"><a name="doc_chap1_sect1">mcs (using multiple categories)</a></p> -<p> -The introduction of <span class="code" dir="ltr">mls</span> and <span class="code" dir="ltr">mcs</span> offers the ability for -<span class="emphasis">multi-tenancy</span>: multiple instances of the same application should be able -to run, but each instance should be confined with respect to the others (instead -of all these processes running in the same domain and, hence, the same -privileges). -</p> -<p> -A simple example is virtualization: a virtual guest which runs in the -<span class="code" dir="ltr">qemu_t</span> domain needs write privileges on the image file that contains the -guest operating system. However, if you run two guests, you do not want each -guest to write to the other guests' file. With regular domains, you will need to -provide this. With <span class="code" dir="ltr">mcs</span>, you can give each running instance a specific -category (number) and only grant it write privileges to the guest file with the -correct category (number). 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">mls (using multiple security levels)</a></p> -<p> -The <span class="code" dir="ltr">mls</span> policy type is available but not yet supported by Gentoo -Hardened. With this policy type, it is possible to give sensitivity levels on -files and resources as well as domains. Sensitivity levels can best be expressed -in terms of <span class="emphasis">public</span>, <span class="emphasis">private</span>, <span class="emphasis">confidential</span> or <span class="emphasis">strictly -confidential</span>. With MLS, you can mark a file as one (or a set of) -sensitivity level(s) and ensure that only domains with the right sensitivity -level can access it. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Switching Types</a></p> -<p> -It is not recommended to switch between types often. At best, you choose your -policy type at install time and stick with it. But it is not impossible (nor -that hard) to switch between types. -</p> -<p> -First, you need to edit <span class="path" dir="ltr">/etc/selinux/config</span> so that it both -switches the policy type as well as put the mode in <span class="emphasis">permissive</span>. This is -necessary, since at your next reboot, many labels might (or will) be incorrect. -</p> -<p> -Next, edit <span class="path" dir="ltr">/etc/fstab</span> and make sure that the domains you use there -are updated accordingly. 
For instance, the line for <span class="path" dir="ltr">/tmp</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Changing /etc/fstab</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -<span class="code-comment"># Example when switching from strict to mcs</span> -tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t<span class="code-input">:c0</span> 0 0 -</pre></td></tr> -</table> -<p> -When this is done, reboot your system. Log on as root, and relabel your entire -file system using <span class="code" dir="ltr">rlpkg -a -r</span>. Finally, reboot again and then validate if -your context (such as when logged on as a user) is correct again. Once you are -confident that the domains and contexts are correct, switch the SELinux policy -mode back to "enforcing". -</p> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/hb-using-troubleshoot.html b/html/selinux/hb-using-troubleshoot.html deleted file mode 100644 index c18afc1..0000000 --- a/html/selinux/hb-using-troubleshoot.html +++ /dev/null 
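Review bot: The removed `/etc/fstab` example in this hunk, `rootcontext=system_u:object_r:tmp_t:c0`, is not a valid MCS context: a level always carries a sensitivity, so the mcs form is `tmp_t:s0` or `tmp_t:s0:c0`. If hb-using-states.html is being moved rather than dropped, carry that fix along, together with the "Switching Types" ordering (set SELINUX to permissive in `/etc/selinux/config` before changing SELINUXTYPE, reboot, then `rlpkg -a -r`), which is the part readers most need. The page's own "Page updated October 15, 2011" line shows the preview was stale; a sentence in the commit message saying the previews are retired on purpose would make the deletion easier to audit later.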
@@ -1,310 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Handbook Page --- - </title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. 
- </span>Unable To Load SELinux Policy</p> -<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p> -<p> -If you notice that SELinux is not functioning at all, a quick run of -<span class="code" dir="ltr">sestatus</span> should give you closure if SELinux is enabled and loaded or not. -If you get the following output, no SELinux policy is loaded: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: sestatus output</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -SELinux status: disabled -</pre></td></tr> -</table> -<p> -If this is the case, read on in this section to find out how to troubleshoot and -resolve this. -</p> -<p class="secthead"><a name="doc_chap1_sect1">No Policy Installed</a></p> -<p> -One potential reason would be that there is no policy to load to begin with. -Take a look inside <span class="path" dir="ltr">/usr/share/selinux/strict</span> or -<span class="path" dir="ltr">/usr/share/selinux/targeted</span> (depending on your configuration) and -look for a file called <span class="path" dir="ltr">base.pp</span>. If no such file exists, you will -need to install the base policy. This policy is offered by the -<span class="path" dir="ltr">sec-policy/selinux-base-policy</span> package, but it is better to read up -on the chapter regarding <span title="Link to other book part not available"><font color="#404080">(Gentoo SELinux -Installation / Conversion)</font></span> as more important changes might be missing. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Policy Not Loaded</a></p> -<p> -If the <span class="path" dir="ltr">base.pp</span> file exists in -<span class="path" dir="ltr">/usr/share/selinux/strict</span> (or <span class="path" dir="ltr">targeted/</span>), take a look -inside <span class="path" dir="ltr">/etc/selinux/strict/policy</span>. 
This location too should contain -a <span class="path" dir="ltr">base.pp</span> policy module (when a SELinux policy is loaded, it is -copied from the first location to the second). -</p> -<p> -If no <span class="path" dir="ltr">base.pp</span> file exists, install and load the policy: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing the base policy</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">semodule -n -B</span> -</pre></td></tr> -</table> -<p> -This is a one-time operation - once installed and loaded, it will be reloaded -upon every reboot. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Init Can Not Load the SELinux Policy</a></p> -<p> -During system boot, the <span class="code" dir="ltr">init</span> process is responsible for loading and -interacting with the SELinux policy in memory. If <span class="code" dir="ltr">init</span> does not support -SELinux, you will get no SELinux support in your environment. 
-</p> -<p> -To verify if <span class="code" dir="ltr">init</span> supports SELinux, we need to check if it uses the -<span class="path" dir="ltr">libselinux.so</span> shared object: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking if init supports SELinux</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">ldd /sbin/init</span> - linux-vdso.so.1 => (0x00006ace30e84000) - <span class="code-comment">( You should see something similar to the following line: )</span> - libselinux.so.1 => /lib/libselinux.so.1 (0x00006ace30a46000) - libc.so.6 => /lib/libc.so.6 (0x00006ace306e9000) - libdl.so.2 => /lib/libdl.so.2 (0x00006ace304e5000) - /lib64/ld-linux-x86-64.so.2 (0x00006ace30c68000) -</pre></td></tr> -</table> -<p> -If this is not the case, make sure that <span class="code" dir="ltr">emerge --info</span> shows that the -selinux USE flag is in place, and reinstall <span class="path" dir="ltr">sys-apps/sysvinit</span>. If -the selinux USE flag is not in place, check your Gentoo profile and make sure it -points to a <span class="path" dir="ltr">selinux/v2refpolicy/...</span> profile. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Policy Store is Corrupt</a></p> -<p> -If you encounter problems during boot-up or <span class="code" dir="ltr">semodule</span> operations which -fail with loading problems, but cannot be resolved with the above solution, then -you might need to reinstall the policies after eliminating the corrupt store. 
-</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Recovering from store corruption</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">semodule -n -B</span> -libsemanage.semanage_load_module: Error while reading from module file -/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory) - -~# <span class="code-input">setenforce 0</span> -~# <span class="code-input">mv /etc/selinux/targeted /etc/selinux/targeted.old</span> -~# <span class="code-input">FEATURES="-selinux" emerge -1av $(qlist -IC sec-policy)</span> -~# <span class="code-input">restorecon -R /etc/selinux</span> -</pre></td></tr> -</table> -<p> -This will effectively disable the current, corrupted SELinux policy store and -then use Portage to reinstall all SELinux policy packages that are installed on -the system. When done, the file contexts of <span class="path" dir="ltr">/etc/selinux</span> are -restored, after which you should be able to continue. -</p> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Unable to Log On</p> -<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p> -<p> -If you are unable to log on in a particular situation (remote, local, as root, -as regular user, ...) there are a few possible problems which you might have -hit. However, to resolve them you'll need to be able to log on to the system as -<span class="emphasis">sysadm_r</span> in one way or the other. -</p> -<p> -If you can not log in as a <span class="emphasis">sysadm_r</span> user, disable SELinux (boot with -<span class="code" dir="ltr">enforcing=0</span>) so that no SELinux enforcements are made. Changes that you -make in permissive mode are equally effective as in enforcing mode. 
-</p> -<p class="secthead"><a name="doc_chap1_sect1">Incorrect Context</a></p> -<p> -In the majority of cases will you find that a security context is incorrect. Run -<span class="code" dir="ltr">sestatus -v</span> and compare the <span class="emphasis">Process contexts</span> or <span class="emphasis">File -contexts</span> that you see in the output with the next table. -</p> -<table class="ntable"> -<tr> - <td class="infohead"><b>Process</b></td> - <td class="infohead"><b>Context</b></td> - <td class="infohead"><b>If wrong context...</b></td> -</tr> -<tr> - <td class="tableinfo">Init context</td> - <td class="tableinfo">system_u:system_r:init_t</td> - <td class="tableinfo"> - First, verify that init itself is correclty labeled. Check the output of - the previously run <span class="code" dir="ltr">sestatus -v</span> command for the - <span class="path" dir="ltr">/sbin/init</span> file and make sure that it is set to - system_u:object_r:init_exec_t. If that is not the case, relabel - <span class="path" dir="ltr">sys-apps/sysvinit</span> using <span class="code" dir="ltr">rlpkg sysvinit</span>. Also make the - same checks as in the <a href="#doc_chap1">Unable To Load SELinux - Policy</a> section. Reboot your system and retry. - </td> -</tr> -<tr> - <td class="tableinfo">agetty context</td> - <td class="tableinfo">system_u:system_r:getty_t</td> - <td class="tableinfo"> - Make sure that the <span class="path" dir="ltr">/sbin/agetty</span> binary is labeled - system_u:object_r:getty_exec_t. If not, relabel the - <span class="path" dir="ltr">sys-apps/util-linux</span> package using <span class="code" dir="ltr">rlpkg util-linux</span>. Then - restart all the agetty processes using <span class="code" dir="ltr">pkill agetty</span> (they will - automatically respawn). 
- </td> -</tr> -<tr> - <td class="infohead"><b>File</b></td> - <td class="infohead"><b>Context</b></td> - <td class="infohead"><b>If wrong context...</b></td> -</tr> -<tr> - <td class="tableinfo">/bin/login</td> - <td class="tableinfo">system_u:object_r:login_exec_t</td> - <td class="tableinfo"> - The login binary is part of <span class="path" dir="ltr">sys-apps/shadow</span>. Run <span class="code" dir="ltr">rlpkg - shadow</span> to relabel the files of that package and retry logging in. - </td> -</tr> -<tr> - <td class="tableinfo">/sbin/unix_chkpwd</td> - <td class="tableinfo">system_u:object_r:chkpwd_exec_t</td> - <td class="tableinfo"> - This binary is part of the <span class="path" dir="ltr">sys-libs/pam</span> package and is used by - SSH when it is configured to use PAM for user authentication. Relabel the - package using <span class="code" dir="ltr">rlpkg pam</span> and retry logging in. - </td> -</tr> -<tr> - <td class="tableinfo">/etc/passwd</td> - <td class="tableinfo">system_u:object_r:etc_t</td> - <td class="tableinfo" rowspan="2"> - The <span class="path" dir="ltr">/etc/passwd</span> and <span class="path" dir="ltr">/etc/shadow</span> must be labeled - correctly, otherwise PAM will not be able to authenticate any user. Relabel - the files through <span class="code" dir="ltr">restorecon /etc/passwd /etc/shadow</span> and retry - logging in. - </td> -</tr> -<tr> - <td class="tableinfo">/etc/shadow</td> - <td class="tableinfo">system_u:object_r:shadow_t</td> -</tr> -<tr> - <td class="tableinfo">/bin/bash</td> - <td class="tableinfo">system_u:object_r:shell_exec_t</td> - <td class="tableinfo"> - The users' shell (in this case, <span class="code" dir="ltr">bash</span>) must be labeled correctly so - the user can transition into the user domain when logging in. To do so, - relabel the <span class="path" dir="ltr">app-shells/bash</span> package using <span class="code" dir="ltr">rlpkg bash</span>. - Then, try logging in again. 
- </td> -</tr> -</table> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Unable to Emerge Anything (OSError: [Errno 22] Invalid argument)</p> -<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p> -<p> -When trying to install software with Portage, you get a huge python stacktrace -and finally the error message <span class="emphasis">OSError: [Errno 22] Invalid argument</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Stacktrace dump when portage fails to install software</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -Traceback (most recent call last): - File "http://www.gentoo.org/usr/bin/emerge", line 43, in <module> - retval = emerge_main() - File "http://www.gentoo.org/usr/lib64/portage/pym/_emerge/main.py", line 1906, in emerge_main - myopts, myaction, myfiles, spinner) - File "http://www.gentoo.org/usr/lib64/portage/pym/_emerge/actions.py", line 437, in action_build - retval = mergetask.merge() -... 
- File "http://www.gentoo.org/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 104, in _doebuild_spawn - return spawn(cmd, settings, **kwargs) - File "http://www.gentoo.org/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 1255, in spawn - return spawn_func(mystring, env=mysettings.environ(), **keywords) - File "http://www.gentoo.org/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func - setexec(con) - File "http://www.gentoo.org/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec - if selinux.setexeccon(ctx) < 0: -OSError: [Errno 22] Invalid argument -</pre></td></tr> -</table> -<p class="secthead"><a name="doc_chap1_sect1">Wrong Context</a></p> -<p> -The above error comes when you launch portage (through <span class="code" dir="ltr">emerge</span>) while you -are not in <span class="code" dir="ltr">sysadm_t</span> context. You can verify this with <span class="code" dir="ltr">id -Z</span>: -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking current context</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">id -Z</span> -system_u:system_r:local_login_t -</pre></td></tr> -</table> -<p> -As long as the context isn't <span class="code" dir="ltr">sysadm_t</span>, then Portage will break. This is -because Portage wants to switch its execution context from <span class="code" dir="ltr">portage_t</span> to -<span class="code" dir="ltr">portage_sandbox_t</span> but fails (it isn't in <span class="code" dir="ltr">portage_t</span> to begin with -because the user who launched Portage isn't in <span class="code" dir="ltr">sysadm_t</span>). -</p> -<p> -Please check <a href="#doc_chap2">Unable to Log On</a> above first. 
Also -make sure that you can <span class="code" dir="ltr">dispatch-conf</span> or <span class="code" dir="ltr">etc-update</span> after -installing SELinux so that <span class="path" dir="ltr">/etc/pam.d/system-login</span> is updated with -the right <span class="path" dir="ltr">pam_selinux.so</span> calls. -</p> -<p class="secthead"><a name="doc_chap1_sect1">Forcing Installation</a></p> -<p> -If you need to force Portage to continue regardless (for instance, you were in -the middle of a SELinux installation so cannot properly resolve such issues -now), run the <span class="code" dir="ltr">emerge</span> command but with <span class="code" dir="ltr">FEATURES="-selinux"</span>. This -will effectively disable Portage' SELinux integration, but allows you to -continue installing software. -</p> -<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> -<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running emerge without selinux support</p></td></tr> -<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> -~# <span class="code-input">FEATURES="-selinux" emerge -u world</span> -</pre></td></tr> -</table> -<p> -Make sure that you relabel the entire file system after using this approach! -Portage will not label the files installed on the system correctly if you -disable its SELinux support. To relabel the entire file system, use <span class="code" dir="ltr">rlpkg -a --r</span>. -</p> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Page updated April 10, 2012</p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/index.html b/html/selinux/index.html deleted file mode 100644 index 60e3ac5..0000000 --- a/html/selinux/index.html +++ /dev/null 
@@ -1,216 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Projects --- - SELinux</title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<br><h1>SELinux</h1> -<form name="contents" action="http://www.gentoo.org"> -<b>Content</b>: - <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. 
Project Description</option> -<option value="#doc_chap2">2. Project Goals</option> -<option value="#doc_chap3">3. Developers</option> -<option value="#doc_chap4">4. Contributors</option> -<option value="#doc_chap5">5. Resources</option> -<option value="#doc_chap6">6. I Want to Participate</option></select> -</form> -<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>Project Description</p> -<p> -This project manages SELinux support in Gentoo. This includes providing -kernels with SELinux support, providing patches to userland utilities, writing -strong Gentoo-specific default profiles, and maintaining a good default set of -policies. -</p> -<p> -<a href="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced -Linux</a> (SELinux) is a Mandatory Access Control system using type -enforcement and role-based access control. It is integrated within Linux as a -<a href="http://lsm.immunix.org/">Linux Security Module</a> (LSM) -implementation. In addition to the kernel portion, SELinux consists of a library -(libselinux) and userland utilities for compiling policy (checkpolicy), and loading -policy (policycoreutils), in addition to other user programs. -</p> -<p> -One common misconception is that SELinux is a complete security solution. It is -not. SELinux only provides access control on system objects. It can work well -with other Hardened projects, such as PaX, for a more complete solution. -</p> -<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. - </span>Project Goals</p> -<p> -Our goal is to make SELinux (with Gentoo Hardened) available to more users. 
-As a result, we -</p> -<ul> - <li> - develop, improve and maintain the proper documentation and learning - material for end users to master SELinux - </li> - <li> - maintain a stable yet progressive set of userland tools that are needed - to interoperate with SELinux on a Linux system (such as the core utilities, - libselinux and more) - </li> - <li> - focus on the integration of SELinux and SELinux-awareness within the Gentoo - distribution, offering the necessary feedback on Portage and other utilities - </li> - <li> - develop, improve and maintain a good and secure default policy, based on the - reference policy, so that end users have no difficulties working with and - enhancing SELinux within their environment - </li> -</ul> -<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3. - </span>Developers</p> -<table class="ntable"> - <tr> - <td class="infohead"><b>Developer</b></td> - <td class="infohead"><b>Nickname</b></td> - <td class="infohead"><b>Role</b></td> - </tr> - <tr> - <td class="tableinfo">Sven Vermeulen</td> - <td class="tableinfo">swift</td> - <td class="tableinfo">Lead ( Documentation, Userspace tools, Policy development )</td> - </tr> - <tr> - <td class="tableinfo">Anthony G. Basile</td> - <td class="tableinfo">blueness</td> - <td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td> - </tr> - <tr> - <td class="tableinfo">Chris PeBenito</td> - <td class="tableinfo">pebenito</td> - <td class="tableinfo">Developer ( Policy development, Userspace tools )</td> - </tr> - <tr> - <td class="tableinfo">Matt Thode</td> - <td class="tableinfo">prometheanfire</td> - <td class="tableinfo">Developer ( Policy development, Support )</td> - </tr> - </table> -<p> - All developers can be reached by e-mail using <span class="code" dir="ltr">nickname@gentoo.org</span>. - </p> -<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4. 
- </span>Contributors</p> -<p> -The following people, although non-developer, are actively contributing to the project: -</p> -<table class="ntable"> -<tr> -<td class="infohead"><b>Contributor</b></td> -<td class="infohead"><b>Nickname</b></td> -<td class="infohead"><b>Role</b></td> -</tr> -<tr> -<td class="tableinfo">Chris Richards</td> -<td class="tableinfo">gizmo</td> -<td class="tableinfo">Policy development, support</td> -</tr> -</table> -<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5. - </span>Resources</p> -<p>Resources offered by the - SELinux - project are:</p> -<ul> - <li> - <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (concepts, installation, maintenance)</a> - </li> - <li> - <a href="selinux-faq.html">Gentoo SELinux FAQ</a> - </li> - <li> - <a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a> - </li> - <li> - <a href="selinux-bugreporting.html">Reporting SELinux (policy) bugs</a> - </li> - <li> - <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a> - </li> - <li> - <a href="roadmap.html">Gentoo Hardened Roadmap (includes SELinux development)</a> - </li> - <li> - <a href="support-state.html">Gentoo Hardened Support Matrices (includes SELinux)</a> - </li> - </ul> -<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6. - </span>I Want to Participate</p> -<p> -To participate in the SELinux project first join the mailing list at -<span class="code" dir="ltr">gentoo-hardened@gentoo.org</span>. Then ask if there are plans to support -something that you are interested in, propose a new subproject that you are -interested in or choose one of the planned subprojects to work on. You may talk -to the developers and users in the IRC channel <span class="code" dir="ltr">#gentoo-hardened</span> on -<span class="code" dir="ltr">irc.freenode.net</span> for more information or just to chat about the project -or any subprojects. 
If you don't have the ability to actively help by -contributing work we will always need testers to use and audit the SELinux -policies. All development, testing, feedback, and productive comments will -be greatly appreciated. -</p> -<p class="secthead"><a name="doc_chap6_sect2">Policy Submissions</a></p> -<p> -The critical component of a SELinux system is having a strong policy. The -team does its best to support as many daemons as possible. However, we cannot -create policies for daemons with which we are unfamiliar. But we are happy -to receive policy submissions for consideration. There are a few requirements: -</p> -<ul> - <li> - Make comments (in the policy and/or bug), so we can understand changes - from the Reference Policy example policy. - </li> - <li> - The policy should cover common installations. Please do not submit policies - for odd or nonstandard daemon configurations. - </li> - <li> - We need to know if the policy is dependent on another policy (for example - rpcd is dependent on portmap) other than base-policy. - </li> -</ul> -<p> -The policy should be submitted on <a href="http://bugs.gentoo.org/">bugzilla</a>. -Please attach the .te and .fc files separately to the bug, not as a tarball. -The bug should be Cc'ed to <span class="code" dir="ltr">selinux@gentoo.org</span> and will be properly -reassigned by the team. -</p> -<br><br> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="index.xml?style=printable">Print</a></p></td></tr> -<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>SELinux is a system of mandatory access controls. 
SELinux can enforce the security policy over all processes and objects in the system.</p></td></tr> -<tr><td align="left" class="topsep"><p class="alttext">Gentoo Project<br><i>script generated</i><br></p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. - </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html deleted file mode 100644 index 038daf2..0000000 --- a/html/selinux/selinux-handbook.html +++ /dev/null 
@@ -1,168 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html lang="en"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> -<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css"> -<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> -<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> -<title>Gentoo Linux Documentation --- - Gentoo SELinux Handbook</title> -</head> -<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> -<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> -<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> -<td width="99%" class="content" valign="top" align="left"> -<hr> -<p> - [ << ] - - [ < ] - - [ <a href="pebenito@gentoo.org">Home</a> ] - - [ <a href="pebenito@gentoo.org?part=1">></a> ] - - [ <a href="pebenito@gentoo.org?part=1">>></a> ] - </p> -<hr> -<h1>Gentoo SELinux Handbook</h1> -<p>Content:</p> -<ul> -<li> -<b><a 
href="?part=1">Introduction to Gentoo/Hardened SELinux</a></b><br> -In this part we cover what SELinux is and how it is positioned within the -Gentoo/Hardened project. -<ol> -<li> -<b><a href="?part=1&chap=1">Enhancing Linux Security</a></b><br> -Security is more than enabling a certain framework or installing a different -Linux kernel. It is a way of working / administrating your Gentoo Linux system. -We cover a few (generic) best practices, and then elaborate on what Mandatory -Access Control is and how SELinux fills in this gap. -</li> -<li> -<b><a href="?part=1&chap=2">SELinux Concepts</a></b><br> -To be able to properly work with SELinux, it is vital that you understand a few -of its concepts like domains, domain transitions and file contexts. Without -a basic understanding of these aspects, it will be difficult to understand -how SELinux policies work and how to troubleshoot if things go wrong. -</li> -<li> -<b><a href="?part=1&chap=3">SELinux Resources</a></b><br> -To get more acquainted with SELinux, many resources exist on the Internet. -In this chapter we give a quick overview of the various resources as well -as places where you can get more help when you are fighting with SELinux. -</li> -</ol> -</li> -<li> -<b><a href="?part=2">Using Gentoo/Hardened SELinux</a></b><br> -With the theoretic stuff behind us, let us start by installing Gentoo/Hardened -with a SELinux kernel as well as the SELinux tools. -<ol> -<li> -<b><a href="?part=2&chap=1">Gentoo SELinux Installation / Conversion</a></b><br> -To set up SELinux within Gentoo/Hardened, you first need to install Gentoo with -the correct Hardened profile (or convert to the Hardened profile) and then -update your system to become a SELinux-managed system. This chapter will guide -you through this process. 
-</li> -<li> -<b><a href="?part=2&chap=2">Configuring SELinux For Your Needs</a></b><br> -With SELinux now "installed" and enabled (although in permissive mode), we now -configure it to suit your particular needs. After all, SELinux is a Mandatory -Access Control system where you, as security administrator, define what is -allowed and what not. -</li> -<li> -<b><a href="?part=2&chap=3">SELinux Commands</a></b><br> -Let's take a step back and get to know a few more commands. We covered most of -them in the previous section, but we will now dive a bit deeper in its -syntax, features and potential pitfalls. -</li> -<li> -<b><a href="?part=2&chap=4">Permissive, Unconfined, Disabled or What Not...</a></b><br> -Your system can be in many SELinux states. In this chapter, we help you switch -between the various states / policies. -</li> -<li> -<b><a href="?part=2&chap=5">Modifying the Gentoo Hardened SELinux Policy</a></b><br> -Gentoo Hardened offers a default policy, but this might not allow what you want -(or allows too much). In this chapter we tell you how you can tweak Gentoo's -policy, or even run your own. -</li> -<li> -<b><a href="?part=2&chap=6">Troubleshooting SELinux</a></b><br> -Everything made by a human can and will fail. In this chapter we will try to -keep track of all potential issues you might come across and how to resolve -them. -</li> -</ol> -</li> -</ul> -<hr> -<p> - [ << ] - - [ < ] - - [ <a href="pebenito@gentoo.org">Home</a> ] - - [ <a href="pebenito@gentoo.org?part=1">></a> ] - - [ <a href="pebenito@gentoo.org?part=1">>></a> ] - </p> -<hr> -<p class="copyright"> - The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply. 
- </p> -<!-- - <rdf:RDF xmlns="http://web.resource.org/cc/" - xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> - - <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/"> - - <permits rdf:resource="http://web.resource.org/cc/Reproduction" /> - <permits rdf:resource="http://web.resource.org/cc/Distribution" /> - <requires rdf:resource="http://web.resource.org/cc/Notice" /> - <requires rdf:resource="http://web.resource.org/cc/Attribution" /> - <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" /> - <requires rdf:resource="http://web.resource.org/cc/ShareAlike" /> - </License> - </rdf:RDF> ---> -</td> -<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr> -<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="pebenito@gentoo.org?full=1">View all</a></p></td></tr> -<tr><td class="topsep" align="center"><p class="alttext">Page updated September 18, 2011</p></td></tr> -<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> -This is the Gentoo SELinux Handbook. -</p></td></tr> -<tr><td align="left" class="topsep"><p class="alttext"> - <a href="mailto:pebenito@gentoo.org" class="altlink"><b>Chris PeBenito</b></a> -<br><i>Author</i><br><br> - <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a> -<br><i>Author</i><br><br> - Chris Richards -<br><i>Author</i><br></p></td></tr> -<tr lang="en"><td align="center" class="topsep"> -<p class="alttext"><b>Donate</b> to support our development efforts. 
- </p> -<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> -<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> -</form> -</td></tr> -<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> -</table></td> -</tr></table></td></tr> -<tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. -</td></tr> -</table></body> -</html> diff --git a/pdf/selinux-handbook.pdf b/pdf/selinux-handbook.pdf Binary files differdeleted file mode 100644 index cdb8c9b..0000000 --- a/pdf/selinux-handbook.pdf +++ /dev/null |