| field | value | date |
|---|---|---|
| author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2011-09-04 21:12:54 +0200 |
| committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2011-09-04 21:12:54 +0200 |
| commit | 7338144ab2abc1d1a6b63c163c2ebf17e8456e11 (patch) | |
| tree | f0e106455ff9735a6d09e4abb43b336255d9015e /html | |
| parent | Update FAQ, add entry regarding local policy (id=localpolicy) (diff) | |
| download | hardened-docs-7338144ab2abc1d1a6b63c163c2ebf17e8456e11.tar.gz, hardened-docs-7338144ab2abc1d1a6b63c163c2ebf17e8456e11.tar.bz2, hardened-docs-7338144ab2abc1d1a6b63c163c2ebf17e8456e11.zip | |
Update previews
Diffstat (limited to 'html')
-rw-r--r-- | html/selinux-faq.html | 107 |
1 files changed, 101 insertions, 6 deletions
diff --git a/html/selinux-faq.html b/html/selinux-faq.html index 5e2161a..611eaf5 100644 --- a/html/selinux-faq.html +++ b/html/selinux-faq.html @@ -59,6 +59,7 @@ as well. <li><a href="#matchcontext"> How do I know which file context rule is used for a particular file? </a></li> +<li><a href="#localpolicy">How do I make small changes (additions) to the policy?</a></li> </ul> <p class="secthead">SELinux Kernel Error Messages</p> <ul> @@ -140,10 +141,8 @@ like we will eventually support these file systems on SELinux fully as well. </p> <p class="secthead"><a name="nomultilib"></a><a name="doc_chap2_sect6">Can I use SELinux with AMD64 no-multilib?</a></p> <p> -Yes. However, for the time being, it is only supported through developer -profiles, meaning that the profiles should not be seen as very stable (their -content can still change swiftly). Try out -<span class="code" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span> and tell us what you get. +Yes, just use the <span class="path" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span> profile +and you're all set. </p> <p class="secthead"><a name="ubac"></a><a name="doc_chap2_sect7">What is UBAC exactly?</a></p> <p> 
@@ -257,7 +256,103 @@ The most specific means, in order of tests: <p> However, when you add your own file contexts (using <span class="code" dir="ltr">semanage</span>), this does not apply. Instead, tools like <span class="code" dir="ltr">restorecon</span> will take the <span class="emphasis">last</span> hit -within the locally added file contexts! +within the locally added file contexts! You can check the content of the +locally added rules in <span class="path" dir="ltr">/etc/selinux/strict/contexts/files/file_contexts.local</span> +(substitute <span class="path" dir="ltr">strict</span> with your SELinux type). +</p> +<p class="secthead"><a name="localpolicy"></a><a name="doc_chap3_sect5">How do I make small changes (additions) to the policy?</a></p> +<p> +If you are interested in the Gentoo Hardened SELinux development itself, please +have a look at the <a href="selinux-development.html">SELinux +Development Guide</a> and other documentation linked from the <a href="selinux/index.html">SELinux project page</a>. +</p> +<p> +However, you will eventually need to keep some changes on your policy, due to +how you have configured your system or when you need to allow something that is +not going to be accepted as a distribution-wide policy change. In that case, +read on. +</p> +<p> +Updates on the policy are only possible as long as you need to <span class="emphasis">allow</span> +additional privileges. It is not possible to remove rules from the policy, only +enhance it. To maintain your own set of additional rules, create a file in which +you will keep your changes. In the next example, I will use the term +<span class="path" dir="ltr">fixlocal</span>, substitute with whatever name you like - but keep it +consistent. 
In the file (<span class="path" dir="ltr">fixlocal.te</span>) put in the following text +(again, substitute <span class="path" dir="ltr">fixlocal</span> with your chosen name): +</p> +<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: fixlocal.te content</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +policy_module(fixlocal, 1.0) + +require { +<span class="code-comment"># Declarations of types, classes and permissions used</span> + +} + +<span class="code-comment"># Declaration of policy rules</span> +</pre></td></tr> +</table> +<p> +In this file, you can add rules as you like. In the next example, we add three +rules: +</p> +<ol> + <li> + Allow <span class="code" dir="ltr">mozilla_t</span> the <span class="code" dir="ltr">execmem</span> privilege (based on a denial that + occurs when mozilla fails to start) + </li> + <li> + Allow <span class="code" dir="ltr">ssh_t</span> to connect to any port rather than just the SSH port + </li> + <li> + Allows the <span class="code" dir="ltr">user_t</span> domain to send messages directly to the system + logger + </li> +</ol> +<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: fixlocal.te content</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +policy_module(fixlocal, 1.0) + +require { + type mozilla_t; + type ssh_t; + type user_t; + + class process { execmem }; +} + +<span class="code-comment"># Grant mozilla the execmem privilege</span> +allow mozilla_t self:process { execmem }; + +<span class="code-comment"># Allow SSH client to connect to any port (as provided by the user through the +# "ssh -p <portnum> ..." 
command)</span> +corenet_tcp_connect_all_ports(ssh_t) + +<span class="code-comment"># Allow the user_t domain to send messages to the system logger</span> +logging_send_syslog_msg(user_t) +</pre></td></tr> +</table> +<p> +If you need to provide raw allow statements (like the one above for the +<span class="code" dir="ltr">mozilla_t</span> domain), make sure that the type (<span class="code" dir="ltr">mozilla_t</span>), +class (<span class="code" dir="ltr">process</span>) and privilege (<span class="code" dir="ltr">execmem</span>) are mentioned in +the <span class="code" dir="ltr">require { ... }</span> paragraph. +</p> +<p> +When using interface names, make sure that the type (<span class="code" dir="ltr">ssh_t</span> and +<span class="code" dir="ltr">user_t</span>) is mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph. +</p> +<p> +To find the proper interface name (like <span class="code" dir="ltr">corenet_tcp_connect_all_ports</span> +above), you can either look for it in the <a href="http://oss.tresys.com/docs/refpolicy/api/">SELinux Reference Policy +API</a> online or, if <span class="code" dir="ltr">sec-policy/selinux-base-policy</span> is built with the +<span class="emphasis">doc</span> USE flag, in <span class="path" dir="ltr">/usr/share/doc/selinux-base-policy-.*/html</span>. +Of course, you can also ask for help in <span class="code" dir="ltr">#gentoo-hardened</span> on +irc.freenode.net, the mailinglist, forums, etc. to find the proper rules and +statements for your case. </p> <p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4. </span>SELinux Kernel Error Messages</p> 
@@ -565,7 +660,7 @@ version, or force set it to the higher version. </td> <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr> -<tr><td class="topsep" align="center"><p class="alttext">Updated September 3, 2011</p></td></tr> +<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr> <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> Frequently Asked Questions on SELinux integration with Gentoo Hardened. The FAQ is a collection of solutions found on IRC, mailinglist, forums or |
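Review bot: in the @@ -257 hunk, the comment `# "ssh -p <portnum> ..." command)` in Code Listing 3.3 contains an unescaped `<portnum>`; a browser parses that as a tag and the placeholder vanishes from the rendered listing, so it should be `&lt;portnum&gt;` (fixed in the XML source, since this file is a generated preview). The new section also stops at writing `fixlocal.te`: nothing tells the reader how the file becomes a loaded module, so someone following it ends up with a text file and no policy change; a short listing after Code Listing 3.3 showing the build of the `.pp` and the `semodule -i` step would complete the procedure. Two smaller points: the third list item reads "Allows the `user_t` domain" where the other two say "Allow", and the `mozilla_t` example grants `execmem` without saying that this lets the domain map memory both writable and executable, which deserves one sentence since the reader is told to base the rule on a denial rather than on what the permission allows.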