|
[ << ] [ < ] [ Home ] [ > ] [ >> ] 7. Change HistoryContent:This document will give an overview of all SELinux documented changes made on particular dates and that might be important for users to follow up through. Changes that only affect ~arch users will be documented below and moved up when they are stabilized. It is possible though that these changes will be "fixed" automatically and as such removed from this page. 7.b. Overview of Changes for Stable Users 2013/04/16 - Introduce selinux_gentoo init script With policycoreutils-2.1.13-r8 and later, we now provide our own init script selinux_gentoo, which includes the necessary support for the initramfs users, but also resets the contexts of dynamically generated resources (on pseudo file systems) which are different from the default setting. The first user here is /sys/devices/system/cpu/online which gets labeled cpu_online_t (from revision 13 of the SELinux policy, or when using live ebuilds for the policy). The init script will by default also restore the contexts of all /dev devices (unless you boot with the norestorecon option) and will switch to enforcing mode if /etc/selinux/config has SELINUX=enforcing set but the user booted with enforcing=0 (unless you boot with nosetenforce option). This means that users are now encouraged to add this init script to the boot runlevel:
2012/12/04 - Introduce USE=unconfined From selinux-base-2.20120725-r9 onwards, we will now also support a USE=unconfined setting. When enabled, it will configure your SELinux policy to support the unconfined domains. If your policy is targeted, this behavior will be implied, whereas the strict policy will not consider this USE flag at all (it will not activate unconfined domains on strict). Supporting this USE flag allows us to differentiate unconfined domains versus regular ones when using the mls or mcs policy types. When set, the selinux-unconfined package will be built as well, and the module will be loaded, and the policy seusers file (which contains the default domain mappings for users) will be updated to use the unconfined_u SELinux user for root and other users. 2012/08/16 - Adding system_r role to admins Since selinux-base-2.20120725-r3 and later, init scripts will now support the upstream "labeled" init script approach. This means that those services whose init script follows the <domain>_initrc_exec_t naming convention can now be assigned to specific users (allowing those to manage the services without the need to grant them system administration rights). The downside of this approach is that the system administrator itself (who uses the sysadm_t domain) now also needs to be granted the right to manage those services. And granting this right means that the SELinux user (be it root or staff_u) needs to be granted the system_r role:
2012/06/24 - Definition of /run in fstab The /run location needs to be mounted with the var_run_t context. To do so, /etc/fstab needs to be modified as per the instructions in Setting the filesystem contexts. 2012/05/26 - Support of initramfs Users who boot with an initramfs will need to boot in permissive mode first, and later on switch to enforcing mode. This can be done automatically using an init script, as documented at Initramfs users. 2012/05/26 - Support for graphical login managers Users who boot into a graphical environment (such as through GDM) will need to edit their PAM configuration files accordingly to support SELinux security context settings. This is documented at Users of a graphical environment. 2012/05/18 - No more sandbox configuration needed The previously documented editing of /etc/sandbox.conf to open write access to /sys/fs/selinux/context can be removed as the SELinux profile does this now automatically. 2012/04/29 - Edit of lvm-start/stop scripts no longer needed When users install the newly stabilized 2.20120215 policies, the documented editing of /lib/rcscripts/addons/lvm-st*.sh is no longer needed. 2012/02/21 - /dev mount line in fstab no longer needed The previously documented /dev mount line in /etc/fstab is no longer needed as util-linux-2.20.1-r1 has been marked stable (which contains the correct bug fix). 2011/12/10 - Deprecation of selinux/v2refpolicy/* profiles The old SELinux profiles (starting with selinux/v2refpolicy) are not supported anymore. Users are strongly encouraged to switch to the new profiles (those ending with /selinux). 2011/07/22 - Introduction of MLS/MCS support We now support MLS and MCS, right next to targeted and strict SELinux policy types. When using MLS or MCS, you will need to update the /tmp entry in your /etc/fstab to use rootcontext=system_u:object_r:tmp_t:s0 (note the trailing :s0). 7.c. Overview of Changes for ~Arch Users 2013/04/19 - Introducing selocal command With policycoreutils-2.1.13-r11 onwards, a new command called selocal is available. This command allows users to easily add in additional SELinux policy rules to the local policy without having go through the hassle of building and maintaining their own .te files. Instead, this command does that for you. Rules that are added to the local policy (hence the name, selocal) can be accompanied with a small comment to allow users to describe why a change was added (or to refer to a bug id on Gentoo's bugzilla).
With --list you can view the currently added local policy rules, and with --delete they can be removed from the local policy. When you want to have the changes take effect, run selocal --build --load to build the new local policy and load it in memory. [ << ] [ < ] [ Home ] [ > ] [ >> ] The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply. |
|