<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header$ -->
<guide lang="en">
<title>Gentoo Hardened SELinux Change Overview</title>
<author title="Author">
<mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
</author>
<abstract>
As Gentoo is a rolling-release distribution, changes are sometimes introduced
that are documented in the main installation instructions but should be known by
existing users as well. Not all of these changes are intrusive enough to warrant
a Gentoo news item. This document contains an overview of all such changes in
chronological order.
</abstract>
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>
<version>1</version>
<date>2012-05-26</date>
<chapter>
<title>Introduction</title>
<section>
<title>About this document</title>
<body>
<p>
This document gives an overview of all documented SELinux changes, listed by the
date they were made, that users may need to act upon.
</p>
<p>
Changes that only affect ~arch users are documented in the second chapter and are
moved up to the stable chapter when they are stabilized. It is possible, though,
that such a change is "fixed" automatically before stabilization and is then
removed from this page.
</p>
</body>
</section>
</chapter>
<chapter>
<title>Overview of Changes for Stable Users</title>
<section>
<title>2012/05/26 - Support of initramfs</title>
<body>
<p>
Users who boot with an initramfs will need to boot in permissive mode first, and
later on switch to enforcing mode. This can be done automatically using an
init script, as documented at <uri
link="/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap5">Initramfs
users</uri>.
</p>
</body>
</section>
<section>
<title>2012/05/26 - Support for graphical login managers</title>
<body>
<p>
Users who boot into a graphical environment (such as through GDM) will need to
edit their PAM configuration files accordingly to support SELinux security
context settings. This is documented at <uri
link="/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap3">Users
of a graphical environment</uri>.
</p>
</body>
</section>
<section>
<title>2012/05/18 - No more sandbox configuration needed</title>
<body>
<p>
The previously documented editing of <path>/etc/sandbox.conf</path> to open
write access to <path>/sys/fs/selinux/context</path> can be removed as the
SELinux profile does this now automatically.
</p>
</body>
</section>
<section>
<title>2012/04/29 - Edit of lvm-start/stop scripts no longer needed</title>
<body>
<p>
When users install the newly stabilized 2.20120215 policies, the documented
editing of <path>/lib/rcscripts/addons/lvm-st*.sh</path> is no longer needed.
</p>
</body>
</section>
<section>
<title>2012/02/21 - /dev mount line in fstab no longer needed</title>
<body>
<p>
The previously documented /dev mount line in <path>/etc/fstab</path> is no
longer needed as <path>util-linux-2.20.1-r1</path> has been marked stable (which
contains the correct bug fix).
</p>
</body>
</section>
<section>
<title>2011/12/10 - Deprecation of selinux/v2refpolicy/* profiles</title>
<body>
<p>
The old SELinux profiles (starting with <c>selinux/v2refpolicy</c>) are not
supported anymore. Users are strongly encouraged to switch to the new profiles
(those ending with <c>/selinux</c>).
</p>
</body>
</section>
<section>
<title>2011/07/22 - Introduction of MLS/MCS support</title>
<body>
<p>
We now support MLS and MCS, right next to targeted and strict SELinux policy
types. When using MLS or MCS, you will need to update the <path>/tmp</path>
entry in your <path>/etc/fstab</path> to use
<c>rootcontext=system_u:object_r:tmp_t:s0</c> (note the trailing <c>:s0</c>).
</p>
</body>
</section>
</chapter>
<chapter>
<title>Overview of Changes for ~Arch Users</title>
<section>
<title>2012/05/26 - Definition of /run in fstab</title>
<body>
<p>
Users who have a <path>/run</path> location will need to add an entry for it to
their <path>/etc/fstab</path> to make sure it gets mounted with the right SELinux
context.
</p>
<p>
For users of the <c>strict</c> and <c>targeted</c> SELinux policy types:
</p>
<pre caption="/etc/fstab setting for strict or targeted">
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
</pre>
<p>
For users of the other policy types (such as <c>mls</c> and <c>mcs</c>):
</p>
<pre caption="/etc/fstab setting for other policy type users">
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0
</pre>
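The two fstab requirements described in this guide, the <path>/run</path> entries above and the trailing <c>:s0</c> on the <path>/tmp</path> entry for MLS/MCS users (2011/07/22), can be verified with the following POSIX shell function. This is an added example, not part of this guide or of Gentoo's own tooling; the sample fstab content is constructed, and reading <c>SELINUXTYPE=</c> from <path>/etc/selinux/config</path> assumes the standard Gentoo SELinux configuration file.

```shell
#!/bin/sh
# Constructed sample /etc/fstab content (not taken from a real system).
# The commented /tmp line must be ignored by the check.
SAMPLE_FSTAB='/dev/sda2 / ext4 noatime 0 1
#tmpfs /tmp tmpfs nosuid,nodev,rootcontext=system_u:object_r:tmp_t 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
tmpfs /tmp tmpfs nosuid,nodev,rootcontext=system_u:object_r:tmp_t:s0 0 0'

# check_rootcontext MOUNTPOINT TYPE POLICY [FSTAB_TEXT]
# Returns 0 when the (non-commented) fstab entry for MOUNTPOINT carries exactly
# rootcontext=system_u:object_r:TYPE for strict/targeted, or
# rootcontext=system_u:object_r:TYPE:s0 for mls/mcs. Returns 1 when the entry
# is missing or carries a different context, 2 on an unknown policy type.
# FSTAB_TEXT defaults to the contents of /etc/fstab.
check_rootcontext() {
  mnt=$1; type=$2; policy=$3
  if [ $# -ge 4 ]; then fstab=$4; else fstab=$(cat /etc/fstab); fi
  case $policy in
    strict|targeted) want="rootcontext=system_u:object_r:${type}" ;;
    mls|mcs)         want="rootcontext=system_u:object_r:${type}:s0" ;;
    *) return 2 ;;
  esac
  # Field 2 is the mount point; skip comment lines and take the first match.
  line=$(printf '%s\n' "$fstab" | awk -v m="$mnt" '
    $2 == m { if ($1 !~ /^#/) { print; exit } }')
  [ -n "$line" ] || return 1
  # Field 4 holds the mount options; compare each option exactly, so that
  # tmp_t does not accidentally match tmp_t:s0 or vice versa.
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  for o in $(printf '%s\n' "$opts" | tr ',' ' '); do
    if [ "$o" = "$want" ]; then return 0; fi
  done
  return 1
}

# Policy type as configured in SELINUXTYPE= of /etc/selinux/config
# (assumed location; prints nothing if the file or the setting is absent).
current_policy_type() {
  awk -F= '/^SELINUXTYPE=/ { print $2; exit }' /etc/selinux/config 2>/dev/null
}
```

On a live system, `check_rootcontext /run var_run_t "$(current_policy_type)"` and `check_rootcontext /tmp tmp_t "$(current_policy_type)"` report whether both entries match the configured policy type.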
</body>
</section>
</chapter>
</guide>