56 files changed, 440 insertions, 60 deletions
diff --git a/html/capabilities.html b/html/capabilities.html index 228f38a..796046d 100644 --- a/html/capabilities.html +++ b/html/capabilities.html @@ -422,7 +422,7 @@ set of distinct privileges </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/docs/devel-chroots-intro.html b/html/docs/devel-chroots-intro.html index 06b2a82..130c11d 100644 --- a/html/docs/devel-chroots-intro.html +++ b/html/docs/devel-chroots-intro.html @@ -459,7 +459,7 @@ of chroots using a tool developed for the Gentoo dev machines. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/docs/glossary.html b/html/docs/glossary.html index 7c44e65..5e60a81 100644 --- a/html/docs/glossary.html +++ b/html/docs/glossary.html @@ -160,7 +160,7 @@ each of its subprojects in simple terms. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> 
diff --git a/html/docs/index.html b/html/docs/index.html index ee625a2..06df3e1 100644 --- a/html/docs/index.html +++ b/html/docs/index.html @@ -154,7 +154,7 @@ up and running with a PaX kernel and PIE/SSP userland. </table></td> </tr> <tr lang="en"><td align="right" class="infohead" colspan="3"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/docs/pax-howto.html b/html/docs/pax-howto.html index 305adc6..e2009d8 100644 --- a/html/docs/pax-howto.html +++ b/html/docs/pax-howto.html @@ -267,7 +267,7 @@ A quickstart covering PaX and Hardened Gentoo. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/etdyn.html b/html/etdyn.html index b1adb2d..99ea501 100644 --- a/html/etdyn.html +++ b/html/etdyn.html @@ -207,7 +207,7 @@ These guidelines are required to achieve full Address Space Layout Randomization </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> 
diff --git a/html/gnu-stack.html b/html/gnu-stack.html index 7153e5d..fd6caf0 100644 --- a/html/gnu-stack.html +++ b/html/gnu-stack.html @@ -419,7 +419,7 @@ If no one can seem to answer your question, give me a poke either on irc </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/grsecurity.html b/html/grsecurity.html index ae6137e..919e458 100644 --- a/html/grsecurity.html +++ b/html/grsecurity.html @@ -820,7 +820,7 @@ system's security to higher standards. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/hardened-debugging.html b/html/hardened-debugging.html index bc8309e..ee89ada 100644 --- a/html/hardened-debugging.html +++ b/html/hardened-debugging.html @@ -209,7 +209,7 @@ hardened kernel and toolcahin with PaX/Grsec, PIE and SSP. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> 
diff --git a/html/hardened-toolchain.html b/html/hardened-toolchain.html index f3090c7..7fefc3c 100644 --- a/html/hardened-toolchain.html +++ b/html/hardened-toolchain.html @@ -351,7 +351,7 @@ Technical description of, and rationale for, the Gentoo Hardened Toolchain modif </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/hardened-virtualization.html b/html/hardened-virtualization.html index 0c57c68..3b8d6c9 100644 --- a/html/hardened-virtualization.html +++ b/html/hardened-virtualization.html @@ -144,7 +144,7 @@ insight on how to harden the host using Gentoo Hardened. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/hardenedfaq.html b/html/hardenedfaq.html index b0c304f..bcbeaa8 100644 --- a/html/hardenedfaq.html +++ b/html/hardenedfaq.html 
@@ -511,7 +511,7 @@ the gentoo-hardened mailing list. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/hardenedxorg.html b/html/hardenedxorg.html index 935fe09..3480e67 100644 --- a/html/hardenedxorg.html +++ b/html/hardenedxorg.html @@ -144,7 +144,7 @@ How to install and use Xorg on Hardened Gentoo </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/index.html b/html/index.html index 564ac48..7b48110 100644 --- a/html/index.html +++ b/html/index.html @@ -301,7 +301,7 @@ greatly appreciated. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/index2.html b/html/index2.html index dfebfe8..62a72d1 100644 --- a/html/index2.html +++ b/html/index2.html 
@@ -298,7 +298,7 @@ greatly appreciated. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/pax-quickstart.html b/html/pax-quickstart.html index fd434ff..ad3fc1b 100644 --- a/html/pax-quickstart.html +++ b/html/pax-quickstart.html @@ -274,7 +274,7 @@ A quickstart covering PaX and Hardened Gentoo. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/pax-utils.html b/html/pax-utils.html index 52d430c..2fda7fd 100644 --- a/html/pax-utils.html +++ b/html/pax-utils.html @@ -687,7 +687,7 @@ package to find and identify problematic binaries. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/pic-fix-guide.html b/html/pic-fix-guide.html index d602735..c27137d 100644 --- a/html/pic-fix-guide.html +++ b/html/pic-fix-guide.html 
@@ -871,7 +871,7 @@ mmx32_rgb888_mask dd 00ffffffh,00ffffffh </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/pic-guide.html b/html/pic-guide.html index e1c4922..00b2ff7 100644 --- a/html/pic-guide.html +++ b/html/pic-guide.html @@ -169,7 +169,7 @@ References: </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/pic-internals.html b/html/pic-internals.html index 0756374..aeded3e 100644 --- a/html/pic-internals.html +++ b/html/pic-internals.html @@ -243,7 +243,7 @@ These executables simply do not need the PIC addressing mode for their functions </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/pie-ssp.html b/html/pie-ssp.html index 53669a1..4009ff2 100644 --- a/html/pie-ssp.html +++ b/html/pie-ssp.html 
@@ -252,7 +252,7 @@ glibc-based SSP setup for userland in GNU/Linux for Gentoo-Linux at all! </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/prelude-ids.html b/html/prelude-ids.html index e77616d..65bd9ba 100644 --- a/html/prelude-ids.html +++ b/html/prelude-ids.html @@ -618,7 +618,7 @@ $conf{'dbpasswd'}='dbpass'; </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/primer.html b/html/primer.html index 16301b4..3d48453 100644 --- a/html/primer.html +++ b/html/primer.html @@ -268,7 +268,7 @@ </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/roadmap.html b/html/roadmap.html index 7f943ab..274a8bc 100644 --- a/html/roadmap.html +++ b/html/roadmap.html 
@@ -298,7 +298,7 @@ Hardened Gentoo project. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/rsbac/index.html b/html/rsbac/index.html index 0b7175f..d0c4886 100644 --- a/html/rsbac/index.html +++ b/html/rsbac/index.html @@ -158,7 +158,7 @@ The required tool for the policies is still being developped. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/rsbac/intro.html b/html/rsbac/intro.html index 27d4114..8c6dc2b 100644 --- a/html/rsbac/intro.html +++ b/html/rsbac/intro.html @@ -107,7 +107,7 @@ access control system. </p></td></tr> </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/rsbac/overview.html b/html/rsbac/overview.html index d8b17bf..3922ec8 100644 --- a/html/rsbac/overview.html +++ b/html/rsbac/overview.html 
@@ -219,7 +219,7 @@ This document should give you an overview of RSBAC access control system. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/rsbac/quickstart.html b/html/rsbac/quickstart.html index 17d4a19..6045dcb 100644 --- a/html/rsbac/quickstart.html +++ b/html/rsbac/quickstart.html @@ -347,7 +347,7 @@ RSBAC on Gentoo Linux</p></td></tr> </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/rsbac/transition.html b/html/rsbac/transition.html index 71b2e6e..725616c 100644 --- a/html/rsbac/transition.html +++ b/html/rsbac/transition.html @@ -84,7 +84,7 @@ rsbac-sources to hardened-sources </p></td></tr> </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-intro-concepts.html b/html/selinux/hb-intro-concepts.html index 6a0d54d..91f1871 100644 --- a/html/selinux/hb-intro-concepts.html 
+++ b/html/selinux/hb-intro-concepts.html @@ -19,6 +19,7 @@ <td width="99%" class="content" valign="top" align="left"> <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. </span>Introduction</p> +<p class="secthead"><a name="doc_chap1_sect1">SELinux Concepts</a></p> <p> Since SELinux is a MAC system, you should already figure out that managing SELinux-based permissions and rights might be a bit more challenging than @@ -459,6 +460,7 @@ role. </p> <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. </span>Next Steps</p> +<p class="secthead"><a name="doc_chap1_sect1">What Next</a></p> <p> It might be difficult to understand now, but the concepts are important because, if something fails on your system when SELinux is enabled, but it doesn't fail @@ -515,7 +517,7 @@ generate the permissions instead of creating the allow-rules one by one. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-intro-enhancingsecurity.html b/html/selinux/hb-intro-enhancingsecurity.html index 433add6..9e7cdbe 100644 --- a/html/selinux/hb-intro-enhancingsecurity.html +++ b/html/selinux/hb-intro-enhancingsecurity.html @@ -19,6 +19,7 @@ <td width="99%" class="content" valign="top" align="left"> <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. </span>Introduction</p> +<p class="secthead"><a name="doc_chap1_sect1">A Warm Welcome</a></p> <p> Welcome to the Gentoo SELinux handbook. In this resource, we will bring you up to speed with Gentoo Hardened's implementation of SELinux and the policies 
@@ -340,7 +341,7 @@ run and manage a SELinux hardened Gentoo system. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-intro-referencepolicy.html b/html/selinux/hb-intro-referencepolicy.html index 3881dec..89d650f 100644 --- a/html/selinux/hb-intro-referencepolicy.html +++ b/html/selinux/hb-intro-referencepolicy.html @@ -163,7 +163,7 @@ user_dmesg --> on </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-intro-virtualization.html b/html/selinux/hb-intro-virtualization.html index 8a9e272..345ac88 100644 --- a/html/selinux/hb-intro-virtualization.html +++ b/html/selinux/hb-intro-virtualization.html @@ -36,7 +36,7 @@ This is a place-holder for future expansion. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> 
diff --git a/html/selinux/hb-selinux-conv-profile.html b/html/selinux/hb-selinux-conv-profile.html index fc6ff15..09ac7a2 100644 --- a/html/selinux/hb-selinux-conv-profile.html +++ b/html/selinux/hb-selinux-conv-profile.html @@ -112,7 +112,7 @@ The SELinux profile already does this for you. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-conv-reboot1.html b/html/selinux/hb-selinux-conv-reboot1.html index 89c2f57..2157c17 100644 --- a/html/selinux/hb-selinux-conv-reboot1.html +++ b/html/selinux/hb-selinux-conv-reboot1.html @@ -203,7 +203,7 @@ RC_DEVICE_TARBALL="<span class="code-comment">no</span>" </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-conv-reboot2.html b/html/selinux/hb-selinux-conv-reboot2.html index dfe4e67..a5b6108 100644 --- a/html/selinux/hb-selinux-conv-reboot2.html +++ b/html/selinux/hb-selinux-conv-reboot2.html 
@@ -238,7 +238,7 @@ reboot)</p> </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-faq.html b/html/selinux/hb-selinux-faq.html index 668610f..3b4036f 100644 --- a/html/selinux/hb-selinux-faq.html +++ b/html/selinux/hb-selinux-faq.html @@ -142,7 +142,7 @@ make: *** [relabel] Error 1 </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-howto.html b/html/selinux/hb-selinux-howto.html index 83d25aa..bd8304f 100644 --- a/html/selinux/hb-selinux-howto.html +++ b/html/selinux/hb-selinux-howto.html @@ -281,7 +281,7 @@ Controlling term: pebenito:object_r:sysadm_devpts_t </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-initpol.html b/html/selinux/hb-selinux-initpol.html index cd4f3d0..276ff62 100644 --- a/html/selinux/hb-selinux-initpol.html 
+++ b/html/selinux/hb-selinux-initpol.html @@ -66,7 +66,7 @@ </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-libsemanage.html b/html/selinux/hb-selinux-libsemanage.html index 5e6c05b..afc93e4 100644 --- a/html/selinux/hb-selinux-libsemanage.html +++ b/html/selinux/hb-selinux-libsemanage.html @@ -269,7 +269,7 @@ user_u user_r </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-localmod.html b/html/selinux/hb-selinux-localmod.html index 9246a43..81ed4ba 100644 --- a/html/selinux/hb-selinux-localmod.html +++ b/html/selinux/hb-selinux-localmod.html @@ -152,7 +152,7 @@ For more information on building a complete Reference Policy module, see the </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> 
diff --git a/html/selinux/hb-selinux-loglocal.html b/html/selinux/hb-selinux-loglocal.html index b74dc3b..20ece4a 100644 --- a/html/selinux/hb-selinux-loglocal.html +++ b/html/selinux/hb-selinux-loglocal.html @@ -206,7 +206,7 @@ </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-logremote.html b/html/selinux/hb-selinux-logremote.html index a99b408..a05fc26 100644 --- a/html/selinux/hb-selinux-logremote.html +++ b/html/selinux/hb-selinux-logremote.html @@ -222,7 +222,7 @@ UsePAM yes </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-overview.html b/html/selinux/hb-selinux-overview.html index 038b0ad..a8dd3b9 100644 --- a/html/selinux/hb-selinux-overview.html +++ b/html/selinux/hb-selinux-overview.html 
@@ -546,7 +546,7 @@ scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capab </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-selinux-references.html b/html/selinux/hb-selinux-references.html index f32c791..d629135 100644 --- a/html/selinux/hb-selinux-references.html +++ b/html/selinux/hb-selinux-references.html @@ -111,7 +111,7 @@ </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-using-commands.html b/html/selinux/hb-using-commands.html index fa73096..9db1430 100644 --- a/html/selinux/hb-using-commands.html +++ b/html/selinux/hb-using-commands.html @@ -305,7 +305,7 @@ ssh_port_t tcp 22 </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-using-enforcing.html b/html/selinux/hb-using-enforcing.html index 8a9e272..345ac88 100644 
--- a/html/selinux/hb-using-enforcing.html +++ b/html/selinux/hb-using-enforcing.html @@ -36,7 +36,7 @@ This is a place-holder for future expansion. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html index 6e0a27d..b9e742c 100644 --- a/html/selinux/hb-using-install.html +++ b/html/selinux/hb-using-install.html @@ -431,7 +431,7 @@ made. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html index 8a9e272..3223941 100644 --- a/html/selinux/hb-using-permissive.html +++ b/html/selinux/hb-using-permissive.html 
@@ -18,13 +18,187 @@ <tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> <td width="99%" class="content" valign="top" align="left"> <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. - </span>TODO</p> + </span>Keeping Track of Denials</p> +<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p> <p> -This is a place-holder for future expansion. +The moment you start using SELinux in permissive mode, SELinux will start +logging all of its denials through your system logger. Based on this +information, you can and will: </p> +<ul> + <li> + see if certain domains are missing (for instance, commands are being ran + inside a more standard domain whereas you would expect it to run within a + more specific one) in which case you'll probably look for a SELinux policy + module to introduce the specific domain, + </li> + <li> + see if some files have wrong security contexts in which case you'll either + restore their context or set it yourself, + </li> + <li> + see if soem denials are made which you don't expect in which case you'll + find out why the denial is made and what the original policy writer intended + (a prime example would be a website hosted in the wrong location in the file + system) + </li> +</ul> +<p> +Of course, several other aspects can be performed the moment you analyze the +denial messages, but the above ones are the most common. +</p> +<p class="secthead"><a name="doc_chap1_sect1">Configuring System Logger</a></p> +<p> +Before we start investigating denials, let's first configure the system logger +to log the denials in its own log file. 
If you are running syslog-ng with a +Gentoo Hardened profile, it will already be configured to log these denials in +/var/log/avc.log: +</p> +<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: syslog-ng configuration</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +destination avc { file("http://www.gentoo.org/var/log/avc.log"); }; +[...] +filter f_avc { message(".*avc: .*"); }; +filter f_audit { message("^(\\[.*\..*] |)audit.*") and not message(".*avc: .*"); }; +[...] +log { source(kernsrc); filter(f_avc); destination(avc); }; +</pre></td></tr> +</table> +<p> +If you use a different logger, look for the configuration of the kernel audit +events. Throughout the rest of this document, we assume that the log where the +denials are logged in is /var/log/avc.log. +</p> +<p class="secthead"><a name="doc_chap1_sect1">What is AVC?</a></p> +<p> +When we previously showed a few of SELinux' policy allow rules, what you were +actually looking at was an <span class="emphasis">access vector</span> rule. For instance: +</p> +<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example access vector rule</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +allow sysadm_t portage_t : process transition ; +</pre></td></tr> +</table> +<p> +Up until now we have seen only the <span class="emphasis">allow</span> permission, but SELinux supports +others as well: +</p> +<ul> + <li> + <span class="emphasis">auditallow</span> will allow an activity to occur, but will still log it + (but then with a "granted" message instead of "denied") + </li> + <li> + <span class="emphasis">dontaudit</span> will not allow an activity to occur but will also not log + this. 
This is particularly useful where the activity is not needed and would + otherwise fill the avc.log file. + </li> +</ul> +<p> +To improve efficiency of the policy enforcement, SELinux uses a cache for its +access vectors - the <span class="emphasis">access vector cache</span> or <span class="emphasis">AVC</span>. Whenever some +access is requested which isn't in the cache yet, it is first loaded in the +cache from which the allow/deny is triggered. Hence the "avc" messages and the +avc.log log file. +</p> +<p class="secthead"><a name="doc_chap1_sect1">Looking at the AVC Log</a></p> +<p> +During regular system operations, you can keep track of the denials through a +simple <span class="code" dir="ltr">tail</span> session: +</p> +<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Looking at the avc logs</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +~# <span class="code-input">tail -f /var/log/avc.log</span> +Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400 audit(1293872219.247:156): + avc: denied { setattr } for pid=7419 comm="gorg" name="selinux-handbook.xml" dev=dm-3 ino=159061 + scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file +Jan 1 10:08:52 hpl kernel: [ 2944.664577] type=1400 audit(1293872932.907:157): + avc: denied { use } for pid=9917 comm="ifconfig" path="http://www.gentoo.org/dev/null" dev=tmpfs ino=1546 + scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:wpa_cli_t tclass=fd +Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158): + avc: denied { create } for pid=10016 comm="logger" + scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket +</pre></td></tr> +</table> +<p> +But how do you interprete such messages? Well, let's take a closer look at the +first denial from the example. 
+</p> +<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample denial message</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +<span class="code-comment">[ Standard data within log message, such as date, time, hostname, ... ]</span> +Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400 +<span class="code-comment">[ The message is an AVC audit message, telling a deny for the setattr system call ]</span> + audit(1293872219.247:156): avc: denied { setattr } +<span class="code-comment">[ The offending process has PID 7419 and is named "gorg" ]</span> + for pid=7419 comm="gorg" +<span class="code-comment">[ The target for the system call is a file named "selinux-handbook.xml" + on the dm-3 device; the file has inode 159061 ]</span> + name="selinux-handbook.xml" dev=dm-3 ino=159061 +<span class="code-comment">[ The source and target security contexts and the class of the target (in this case, a file) ]</span> + scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file +</pre></td></tr> +</table> +<p> +A similar one can be found of the last line in the example. 
+</p> +<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Another sample denial message</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158): + avc: denied { create } for pid=10016 comm="logger" + scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket +</pre></td></tr> +</table> +<p> +In this particular case, the offending process is <span class="code" dir="ltr">logger</span> (with PID 10016) +which is trying to create a Unix stream socket (see the <span class="emphasis">tclass</span> +information). +</p> +<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. + </span>Analyzing Denials</p> +<p class="secthead"><a name="doc_chap1_sect1">A Standard Setup Will Not Work</a></p> +<p> +If you have taken a look at your denials, you'll probably think "If I'm going to +go to enforcing mode, my system will not function properly" and you're right. At +this point, Gentoo Hardened is constantly updating the SELinux policies to get +you a working system - but we're not there yet. For this reason, being able to +analyze the denials (and take corrective actions) is very important. +</p> +<p> +It is not easy to describe what the best option is when you see a denial which +shouldn't be. But a few ground-rules do apply. +</p> +<ul> + <li> + Verify if the denial is cosmetic or not. Try focusing on denials of which + you are <span class="emphasis">sure</span> that they are not cosmetic and will result in a + malfunction of your system (or that particular command) if no corrective + action is taken. 
+ </li> + <li> + If you see a denial where the source context is a generic one (such as + <span class="emphasis">sysadm_t</span> or <span class="emphasis">staff_t</span> or <span class="emphasis">user_t</span>), try to find out if + there are specific SELinux policy modules for the offending resource. In the + previous example of the <span class="code" dir="ltr">gorg</span> process, we definitely need to check if + there is no selinux-gorg SELinux policy. Note that, even if there is none, + it doesn't mean there shouldn't be ;-) + </li> + <li> + If the target for the denial is a file, verify if its security context is + correct or if no different context should be given. It is also possible that + the process is trying to work on the wrong path. Sometimes a simple + configuration change of that process is sufficient to make it work properly + under its SELinux policy. + </li> +</ul> </td> <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> -<tr><td class="topsep" align="center"><p class="alttext">Updated December 1, 2010</p></td></tr> +<tr><td class="topsep" align="center"><p class="alttext">Updated December 31, 2010</p></td></tr> <tr lang="en"><td align="center" class="topsep"> <p class="alttext"><b>Donate</b> to support our development efforts. </p> @@ -36,7 +210,7 @@ This is a place-holder for future expansion. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/hb-using-policymodules.html b/html/selinux/hb-using-policymodules.html index 8a9e272..345ac88 100644 --- a/html/selinux/hb-using-policymodules.html 
+++ b/html/selinux/hb-using-policymodules.html @@ -36,7 +36,7 @@ This is a place-holder for future expansion. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/index.html b/html/selinux/index.html index 6835449..1f3b937 100644 --- a/html/selinux/index.html +++ b/html/selinux/index.html @@ -223,7 +223,7 @@ </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html index 53f92a5..6817b9a 100644 --- a/html/selinux/selinux-handbook.html +++ b/html/selinux/selinux-handbook.html @@ -173,7 +173,7 @@ This is the Gentoo SELinux Handbook. </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/html/toolchain-upgrade-guide.html b/html/toolchain-upgrade-guide.html index 0c663ee..4229402 100644 --- a/html/toolchain-upgrade-guide.html 
+++ b/html/toolchain-upgrade-guide.html @@ -274,7 +274,7 @@ Guide for upgrading from hardened gcc-3/glibc-2.3/binutils-2.16 to gcc-4/glibc-2 </table></td> </tr></table></td></tr> <tr><td colspan="2" align="right" class="infohead"> -Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. +Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>. </td></tr> </table></body> </html> diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml index 45062e3..2579c1a 100644 --- a/xml/selinux/hb-intro-concepts.xml +++ b/xml/selinux/hb-intro-concepts.xml @@ -13,6 +13,7 @@ <section> <title>Introduction</title> <subsection> +<title>SELinux Concepts</title> <body> <p> @@ -514,6 +515,7 @@ role. <section> <title>Next Steps</title> <subsection> +<title>What Next</title> <body> <p> diff --git a/xml/selinux/hb-intro-enhancingsecurity.xml b/xml/selinux/hb-intro-enhancingsecurity.xml index a6f2db0..d79c40a 100644 --- a/xml/selinux/hb-intro-enhancingsecurity.xml +++ b/xml/selinux/hb-intro-enhancingsecurity.xml @@ -13,6 +13,7 @@ <section> <title>Introduction</title> <subsection> +<title>A Warm Welcome</title> <body> <p> diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-permissive.xml index 37e02ac..499d650 100644 --- a/xml/selinux/hb-using-permissive.xml +++ b/xml/selinux/hb-using-permissive.xml 
@@ -7,18 +7,218 @@ <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ --> <sections> -<version>0</version> -<date>2010-12-01</date> +<version>1</version> +<date>2010-12-31</date> <section> -<title>TODO</title> +<title>Keeping Track of Denials</title> <subsection> +<title>Introduction</title> <body> <p> -This is a place-holder for future expansion. +The moment you start using SELinux in permissive mode, SELinux will start +logging all of its denials through your system logger. Based on this +information, you can and will: </p> +<ul> + <li> + see if certain domains are missing (for instance, commands are being ran + inside a more standard domain whereas you would expect it to run within a + more specific one) in which case you'll probably look for a SELinux policy + module to introduce the specific domain, + </li> + <li> + see if some files have wrong security contexts in which case you'll either + restore their context or set it yourself, + </li> + <li> + see if soem denials are made which you don't expect in which case you'll + find out why the denial is made and what the original policy writer intended + (a prime example would be a website hosted in the wrong location in the file + system) + </li> +</ul> + +<p> +Of course, several other aspects can be performed the moment you analyze the +denial messages, but the above ones are the most common. +</p> + +</body> +</subsection> +<subsection> +<title>Configuring System Logger</title> +<body> + +<p> +Before we start investigating denials, let's first configure the system logger +to log the denials in its own log file. If you are running syslog-ng with a +Gentoo Hardened profile, it will already be configured to log these denials in +<file>/var/log/avc.log</file>: +</p> + +<pre caption="syslog-ng configuration"> +destination avc { file("/var/log/avc.log"); }; +[...] 
+filter f_avc { message(".*avc: .*"); }; +filter f_audit { message("^(\\[.*\..*] |)audit.*") and not message(".*avc: .*"); }; +[...] +log { source(kernsrc); filter(f_avc); destination(avc); }; +</pre> + +<p> +If you use a different logger, look for the configuration of the kernel audit +events. Throughout the rest of this document, we assume that the log where the +denials are logged in is <file>/var/log/avc.log</file>. +</p> + +</body> +</subsection> +<subsection> +<title>What is AVC?</title> +<body> + +<p> +When we previously showed a few of SELinux' policy allow rules, what you were +actually looking at was an <e>access vector</e> rule. For instance: +</p> + +<pre caption="Example access vector rule"> +allow sysadm_t portage_t : process transition ; +</pre> + +<p> +Up until now we have seen only the <e>allow</e> permission, but SELinux supports +others as well: +</p> + +<ul> + <li> + <e>auditallow</e> will allow an activity to occur, but will still log it + (but then with a "granted" message instead of "denied") + </li> + <li> + <e>dontaudit</e> will not allow an activity to occur but will also not log + this. This is particularly useful where the activity is not needed and would + otherwise fill the <file>avc.log</file> file. + </li> +</ul> + +<p> +To improve efficiency of the policy enforcement, SELinux uses a cache for its +access vectors - the <e>access vector cache</e> or <e>AVC</e>. Whenever some +access is requested which isn't in the cache yet, it is first loaded in the +cache from which the allow/deny is triggered. Hence the "avc" messages and the +<file>avc.log</file> log file. 
+</p> + +</body> +</subsection> +<subsection> +<title>Looking at the AVC Log</title> +<body> + +<p> +During regular system operations, you can keep track of the denials through a +simple <c>tail</c> session: +</p> + +<pre caption="Looking at the avc logs"> +~# <i>tail -f /var/log/avc.log</i> +Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400 audit(1293872219.247:156): + avc: denied { setattr } for pid=7419 comm="gorg" name="selinux-handbook.xml" dev=dm-3 ino=159061 + scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file +Jan 1 10:08:52 hpl kernel: [ 2944.664577] type=1400 audit(1293872932.907:157): + avc: denied { use } for pid=9917 comm="ifconfig" path="/dev/null" dev=tmpfs ino=1546 + scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:wpa_cli_t tclass=fd +Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158): + avc: denied { create } for pid=10016 comm="logger" + scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket +</pre> + +<p> +But how do you interprete such messages? Well, let's take a closer look at the +first denial from the example. +</p> + +<pre caption="Sample denial message"> +<comment>[ Standard data within log message, such as date, time, hostname, ... 
]</comment> +Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400 +<comment>[ The message is an AVC audit message, telling a deny for the setattr system call ]</comment> + audit(1293872219.247:156): avc: denied { setattr } +<comment>[ The offending process has PID 7419 and is named "gorg" ]</comment> + for pid=7419 comm="gorg" +<comment>[ The target for the system call is a file named "selinux-handbook.xml" + on the dm-3 device; the file has inode 159061 ]</comment> + name="selinux-handbook.xml" dev=dm-3 ino=159061 +<comment>[ The source and target security contexts and the class of the target (in this case, a file) ]</comment> + scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file +</pre> + +<p> +A similar one can be found of the last line in the example. +</p> + +<pre caption="Another sample denial message"> +Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158): + avc: denied { create } for pid=10016 comm="logger" + scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket +</pre> + +<p> +In this particular case, the offending process is <c>logger</c> (with PID 10016) +which is trying to create a Unix stream socket (see the <e>tclass</e> +information). +</p> + +</body> +</subsection> +</section> +<section> +<title>Analyzing Denials</title> +<subsection> +<title>A Standard Setup Will Not Work</title> +<body> + +<p> +If you have taken a look at your denials, you'll probably think "If I'm going to +go to enforcing mode, my system will not function properly" and you're right. At +this point, Gentoo Hardened is constantly updating the SELinux policies to get +you a working system - but we're not there yet. For this reason, being able to +analyze the denials (and take corrective actions) is very important. +</p> + +<p> +It is not easy to describe what the best option is when you see a denial which +shouldn't be. But a few ground-rules do apply. 
+</p> + +<ul> + <li> + Verify if the denial is cosmetic or not. Try focusing on denials of which + you are <e>sure</e> that they are not cosmetic and will result in a + malfunction of your system (or that particular command) if no corrective + action is taken. + </li> + <li> + If you see a denial where the source context is a generic one (such as + <e>sysadm_t</e> or <e>staff_t</e> or <e>user_t</e>), try to find out if + there are specific SELinux policy modules for the offending resource. In the + previous example of the <c>gorg</c> process, we definitely need to check if + there is no selinux-gorg SELinux policy. Note that, even if there is none, + it doesn't mean there shouldn't be ;-) + </li> + <li> + If the target for the denial is a file, verify if its security context is + correct or if no different context should be given. It is also possible that + the process is trying to work on the wrong path. Sometimes a simple + configuration change of that process is sufficient to make it work properly + under its SELinux policy. + </li> +</ul> + </body> </subsection> </section> |
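Review bot: In the html/selinux/hb-using-permissive.html hunk the generated HTML has rewritten absolute paths into links: the syslog-ng listing reads `destination avc { file("http://www.gentoo.org/var/log/avc.log"); };` and the second AVC line reads `path="http://www.gentoo.org/dev/null"`, while the XML source for the same listings has `/var/log/avc.log` and `/dev/null`. Anyone copying the configuration from the rendered page gets a destination that does not exist, so the HTML should be regenerated (or the `<file>` rendering fixed) so that paths appear verbatim. The same hunk also gives every section the anchor `doc_chap1_sect1`, gives every listing the anchor `doc_chap1_pre1` with the title `Code Listing1.1`, and numbers the second chapter "Analyzing Denials" as chapter 1 with the anchor `doc_chap1` again; duplicate anchors make in-page links ambiguous and indicate the chapter and listing counters were not applied when this output was built.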
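Review bot: In the xml/selinux/hb-using-permissive.xml hunk the description of `auditallow` ("will allow an activity to occur, but will still log it") is inaccurate: an auditallow rule grants nothing by itself, it only causes an access that a separate allow rule already permits to be audited with a "granted" message, so suggest "logs an activity that is permitted by another allow rule". The "Sample denial message" comment calls setattr a system call; it is the `setattr` permission on the `file` class, which several system calls exercise, so "a deny for the setattr permission" is the accurate wording. The `dontaudit` entry would also read more clearly as "does not grant the access and suppresses logging of the denial", since the rule only affects auditing. Smaller fixes in the same hunk: "soem denials" should be "some denials", "commands are being ran" should be "commands are being run", "interprete" should be "interpret", and "can be found of the last line" should be "can be found on the last line".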