author    Chris St. Pierre <chris.a.st.pierre@gmail.com>  2012-07-03 08:56:47 -0400
committer Chris St. Pierre <chris.a.st.pierre@gmail.com>  2012-07-03 08:56:47 -0400
commit    09e934512dc053a96bd7b16c2c95563e055720f7 (patch)
tree      e1351268921fb0fc3b64df8d565044df25196930 /doc
parent    9fe65b2fe9323da6583625cde1b2494352207d51 (diff)
added selinux support
Diffstat (limited to 'doc')
-rw-r--r-- doc/server/configurationentries.txt            167
-rw-r--r-- doc/server/index.txt                             1
-rw-r--r-- doc/server/info.txt                             45
-rw-r--r-- doc/server/plugins/generators/rules.txt        241
-rw-r--r-- doc/server/plugins/generators/semodules.txt     66
-rw-r--r-- doc/server/selinux.txt                          97
6 files changed, 417 insertions, 200 deletions
diff --git a/doc/server/configurationentries.txt b/doc/server/configurationentries.txt
index 8e669b90a..fb1589926 100644
--- a/doc/server/configurationentries.txt
+++ b/doc/server/configurationentries.txt
@@ -1,138 +1,13 @@
.. -*- mode: rst -*-
-.. NOTE: these are relative links (change when directory structure
-.. changes)
-
-.. _Base: plugins/structures/base
-.. _Bundler: plugins/structures/bundler
-.. _Cfg: plugins/generators/cfg.html
-.. _TGenshi: plugins/generators/tgenshi
-.. _TCheetah: plugins/generators/tcheetah.html
-.. _Rules: plugins/generators/rules.html
-
.. _server-configurationentries:
=====================
Configuration Entries
=====================
-This page describes the names and semantics of each of the configuration
-entries used by Bcfg2.
-
-Non-POSIX entries
-=================
-
-+-------------+---------------------+--------------------------------------------+
-| TagName | Description | Attributes |
-+=============+=====================+============================================+
-| Action | Command | name, command, when, timing, status, build |
-+-------------+---------------------+--------------------------------------------+
-| Package | Software Packages | name, type, version, url |
-+-------------+---------------------+--------------------------------------------+
-| PostInstall | PostInstall command | name |
-+-------------+---------------------+--------------------------------------------+
-| Service | System Services | name, type, status, target |
-+-------------+---------------------+--------------------------------------------+
-
-.. note::
-
- PostInstall entries are deprecated in favor of Action entries. In
- fact, a PostInstall entry is simply a specific type of Action.
- Basically, the following are equivalent:
-
- .. code-block:: xml
-
- <PostInstall name='foo'/>
-
- and
-
- .. code-block:: xml
-
- <Action timing='post' when='modified' name='n' command='foo' status='ignore'/>
-
-POSIX entries
-=============
-
-.. versionadded:: 1.0.0
-
-The unified POSIX Path entries prevent inconsistent configuration
-specifications of multiple entries for a given path. The following table
-describes the various types available for new **Path** entries.
-
-The abstract specification of these entries (i.e. In `Bundler`_)
-will only contain a *name* attribute. The type will be added by the
-plugin that handles the entry in the case of `Cfg`_, `TGenshi`_, or
-`TCheetah`_. If the entry is handled by the `Rules`_ plugin (i.e. it is
-a device, directory, hardlink, symlink, etc), then you will specify both
-the *type* and any other necessary attributes in `Rules`_.
-
-Running ``bcfg2-lint`` will check your configuration specification for
-the presence of any mandatory attributes that are necessary for the
-Path type specified.
-
-.. note:: A tool for converting old POSIX entries is available in the
- Bcfg2 source directory at tools/posixunified.py
-
-+-------------+----------------------+-----------------+--------------------------+
-| Type | Replacement/New | Description | Attributes |
-+=============+======================+=================+==========================+
-| device | New | Create block, | name, owner, group, |
-| | | character, and | dev_type |
-| | | fifo devices | (block, char, fifo), |
-| | | | major/minor |
-| | | | (for block/char devices) |
-+-------------+----------------------+-----------------+--------------------------+
-| directory | Replaces Directory | Directories | name, owner, group, |
-| | entries | | perms, prune |
-+-------------+----------------------+-----------------+--------------------------+
-| file | Replaces ConfigFile | Configuration | name, owner, group, |
-| | entries | File | perms, encoding, empty |
-| | | | |
-| | | | **Note:** see below |
-+-------------+----------------------+-----------------+--------------------------+
-| hardlink | New | Create | name, to |
-| | | hardlinks | |
-+-------------+----------------------+-----------------+--------------------------+
-| symlink | Replaces SymLink | SymLinks | name, to |
-| | entries | | |
-+-------------+----------------------+-----------------+--------------------------+
-| ignore | New | Ignore files | name |
-| | | that cause | |
-| | | package | |
-| | | verification | |
-| | | failures | |
-| | | (currently | |
-| | | applies to only | |
-| | | APT and YUMng) | |
-+-------------+----------------------+-----------------+--------------------------+
-| nonexistent | New | Specify a path | name, recursive |
-| | | that should not | |
-| | | exist | |
-+-------------+----------------------+-----------------+--------------------------+
-| permissions | Replaces Permissions | Permissions of | name, owner, group, |
-| | entries | POSIX entities | perms, recursive |
-| | | | |
-+-------------+----------------------+-----------------+--------------------------+
-| vcs | New | Create version | vcstype (git), |
-| | | control | sourceurl, revision |
-| | | checkout | |
-+-------------+----------------------+-----------------+--------------------------+
-
-Keep in mind that permissions for files handled by Cfg/TGenshi/TCheetah
-are still handled via the traditional :ref:`server-info` mechanisms.
-
-Additional information
-----------------------
-
-This section describes some additional behavior relating to POSIX entry
-attributes.
-
-Recursive permissions
-^^^^^^^^^^^^^^^^^^^^^
-
-As per the request in ticket 871, Path type='permissions' entries allow you to
-set a recursive attribute which allows the owner/group to be set recursively
-for a directory.
+The full semantics of each configuration entry is documented with the
+:ref:`server-plugins-generators-rules` plugin.
.. _boundentries:
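Review bot: Replacing the whole body of this page with a pointer to the Rules plugin drops several items that nothing else in this patch re-adds: the PostInstall/Action equivalence note (`<PostInstall name='foo'/>` versus `<Action timing='post' when='modified' name='n' command='foo' status='ignore'/>`), the `tools/posixunified.py` conversion pointer, and the `recursive` attribute listed for the `permissions` and `nonexistent` Path types. Either confirm the Rules page already documents these (the rules.txt hunks in this patch only add `secontext` rows) or carry them over before deleting. Keeping a short list of entry types on this page would also leave `server-configurationentries` usable as a landing point instead of a bare redirect.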
@@ -178,13 +53,14 @@ Use Cases
Examples
--------
-* Consider the case of ``/etc/hosts`` on linux and ``/etc/inet/hosts`` on
- solaris. These files contain the same data in the same format,
+* Consider the case of ``/etc/hosts`` on linux and ``/etc/inet/hosts``
+ on solaris. These files contain the same data in the same format,
and should typically be synchronized, however, exist in different
locations. Classically, one would need to create one entry for each
- in `Cfg`_ or `TCheetah`_ and perform manual synchronization. Or,
- you could use symlinks and pray. Altsrc is driven from the bundle
- side. For example:
+ in :ref:`server-plugins-generators-cfg` or
+ :ref:`server-plugins-generators-tcheetah` and perform manual
+ synchronization. Or, you could use symlinks and pray. Altsrc is
+ driven from the bundle side. For example:
.. code-block:: xml
@@ -220,10 +96,12 @@ Examples
named "openssl" with different types.
* Finally, consider the case where there exist complicated, but
- completely independent specifications for the same configuration entry
- but different groups of clients. The following bundle will allow the use
- of two different `TCheetah`_ templates ``/etc/firewall-rules-external``
- and ``/etc/firewall-rules-internal`` for different clients based on
+ completely independent specifications for the same configuration
+ entry but different groups of clients. The following bundle will
+ allow the use of two different
+ :ref:`server-plugins-generators-tcheetah` templates
+ ``/etc/firewall-rules-external`` and
+ ``/etc/firewall-rules-internal`` for different clients based on
their group membership.
.. code-block:: xml
@@ -239,11 +117,13 @@ Examples
</Bundle>
* Consider the case where a variety of files can be constructed by a
- single template (`TCheetah`_ or `TGenshi`_). It would be possible to
- copy this template into the proper location for each file, but that
- requires proper synchronization upon modification and knowing up front
- what the files will all be called. Instead, the following bundle allows
- the use of a single template for all proper config file instances.
+ single template (:ref:`server-plugins-generators-tcheetah` or
+ :ref:`server-plugins-generators-tgenshi-index`). It would be
+ possible to copy this template into the proper location for each
+ file, but that requires proper synchronization upon modification and
+ knowing up front what the files will all be called. Instead, the
+ following bundle allows the use of a single template for all proper
+ config file instances.
.. code-block:: xml
@@ -253,5 +133,6 @@ Examples
<Path name='/etc/sysconfig/network-scripts/ifcfg-eth2' altsrc='/etc/ifcfg-template'/>
</Bundle>
- altsrc can be used as a parameter for any entry type, and can be used
- in any structure, including `Bundler`_ and `Base`_.
+ altsrc can be used as a parameter for any entry type, and can be
+ used in any structure, including
+ :ref:`server-plugins-structures-bundler-index`.
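Review bot: The rewritten sentence silently drops the `Base`_ reference, so "can be used in any structure, including Bundler" now names only one structure. If Base is still a supported structure plugin, keep a `:ref:` to it next to the Bundler one; if it has been removed or deprecated, say so rather than leaving "any structure" with a single example.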
diff --git a/doc/server/index.txt b/doc/server/index.txt
index 9c427a0f4..fb1c95444 100644
--- a/doc/server/index.txt
+++ b/doc/server/index.txt
@@ -28,3 +28,4 @@ clients.
info
snapshots/index
bcfg2-info
+ selinux
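Review bot: `selinux` is added to the server toctree here, but the new `doc/server/plugins/generators/semodules.txt` is not added to any toctree in this patch, so Sphinx will warn that it is not included in any toctree and the page will only be reachable through the `:ref:` links. Add `semodules` to the generators index in the same change.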
diff --git a/doc/server/info.txt b/doc/server/info.txt
index d949aab68..d6bcf67e2 100644
--- a/doc/server/info.txt
+++ b/doc/server/info.txt
@@ -1,8 +1,5 @@
.. -*- mode: rst -*-
-.. NOTE: these are relative links (change when directory structure
-.. changes)
-
.. _server-info:
====
@@ -26,24 +23,29 @@ possible fields in an info file are:
+------------+-------------------+----------------------------------+---------+
| Field | Possible values | Description | Default |
+============+===================+==================================+=========+
-| encoding: | ascii | base64 | Encoding of the file. Use | ascii |
+| encoding | ascii | base64 | Encoding of the file. Use | ascii |
| | | base64 for binary files | |
+------------+-------------------+----------------------------------+---------+
-| group: | Any valid group | Sets group of the file | root |
+| owner | Any valid user | Sets owner of the file | root |
+------------+-------------------+----------------------------------+---------+
-| important: | true | false | Important entries are | false |
-| | | installed first during client | |
-| | | execution | |
+| group | Any valid group | Sets group of the file | root |
+------------+-------------------+----------------------------------+---------+
-| owner: | Any valid user | Sets owner of the file | root |
+| perms | Numeric file mode | Sets the permissions of the file | 0644 |
+| | | 'inherit' | (or inherits from the files on | |
+| | | disk if set to 'inherit') | |
+------------+-------------------+----------------------------------+---------+
-| paranoid: | true | false | Backup file before replacement? | true |
+| secontext | A valid SELinux | Sets the SELinux context of the | default |
+| | context string or | file, or sets to the default | |
+| | '__default__' | context set by policy if set to | |
+| | | '__default__' | |
+------------+-------------------+----------------------------------+---------+
-| perms: | Numeric file mode | Sets the permissions of the file | 0644 |
-| | | 'inherit' | (or inherits from the files on | |
-| | | disk if set to inherit) | |
+| important | true | false | Important entries are | false |
+| | | installed first during client | |
+| | | execution | |
+------------+-------------------+----------------------------------+---------+
-| sensitive: | true | false | The contents of sensitive | false |
+| paranoid | true | false | Backup file before replacement? | true |
++------------+-------------------+----------------------------------+---------+
+| sensitive | true | false | The contents of sensitive | false |
| | | entries aren't included in | |
| | | reports | |
+------------+-------------------+----------------------------------+---------+
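Review bot: In the new `secontext` row the Default column reads `default`, which is ambiguous right next to the `'__default__'` value documented in the same row: it could mean the attribute defaults to `__default__` (the file's context is reset to the policy default on every run) or that an unset attribute leaves the existing context unmanaged. Say which, for example `(unset: context not managed)`, since the two behaviours differ for every existing Cfg entry after an upgrade.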
@@ -54,15 +56,26 @@ A sample info file for CGI script on a web server might look like::
group: www
perms: 0755
+The equivalent ``info.xml`` file would be:
+
+.. code-block:: xml
+
+ <FileInfo>
+ <Info owner="www" group="www" perms="0755"/>
+ </FileInfo>
+
Back to the fstab example again, our final ``Cfg/etc/fstab/`` directory
might look like::
- :info
+ info.xml
fstab
fstab.G50_server
fstab.G99_fileserver
fstab.H_host.example.com
+See :ref:`server-selinux` for more information on the ``secontext``
+attribute and managing SELinux in general.
+
Important attribute
===================
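Review bot: The new "See :ref:`server-selinux` for more information on the ``secontext`` attribute" paragraph is placed after the fstab directory listing rather than after the `info.xml` example it relates to, and the `<Info owner="www" group="www" perms="0755"/>` example does not show `secontext` at all. Move the paragraph directly under the `info.xml` block and add a `secontext` attribute to the `<Info>` element so the full-context syntax is shown once. Also, the listing now reads `info.xml` while the sample above it is still in the `:info` format; the two should agree on one form.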
@@ -76,7 +89,7 @@ specification.
+------------+-------------------+----------------------------------+---------+
| Field | Possible values | Description | Default |
+============+===================+==================================+=========+
-| important: | true | false | Important entries are | root |
+| important | true | false | Important entries are | root |
| | | installed first during client | |
| | | execution | |
+------------+-------------------+----------------------------------+---------+
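Review bot: The Default column for `important` in this table still reads `root`, a copy-paste leftover from the owner/group rows; the same field in the main table above defaults to `false`. Since this hunk already edits the row to drop the colon, correct the default to `false` here as well.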
diff --git a/doc/server/plugins/generators/rules.txt b/doc/server/plugins/generators/rules.txt
index 3b1d94480..f693f6e62 100644
--- a/doc/server/plugins/generators/rules.txt
+++ b/doc/server/plugins/generators/rules.txt
@@ -46,6 +46,10 @@ Group membership may be negated.
Tag Attributes in Rules
=======================
+Running ``bcfg2-lint`` will check your configuration specification for
+the presence of any mandatory attributes that are necessary for the
+entry specified.
+
Rules Tag
---------
@@ -217,6 +221,12 @@ The Path tag has different values depending on the *type* attribute of
the path specified in your configuration. Below is a set of tables which
describe the attributes available for various Path types.
+Note that ``secontext`` below expects a full context, not just the
+type. For instance, "``system_u:object_r:etc_t:s0``", not just
+``etc_t``. You can also specify "``__default__``", which will restore
+the context of the file to the default set by policy. See
+:ref:`server-selinux` for more information.
+
Attributes common to all Path tags:
+----------+---------------------------------------------------+-----------------+
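Review bot: The new `secontext` note explains the full-context form and the `__default__` value but not what happens when the attribute is omitted from a Path entry (is the existing context left alone, or checked against policy?). One sentence on the omitted case would close the gap, because it decides whether existing Rules entries change behaviour after this feature lands.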
@@ -229,46 +239,58 @@ Attributes common to all Path tags:
device
^^^^^^
-+----------+---------------------+-------------------+
-| Name | Description | Values |
-+==========+=====================+===================+
-| dev_type | Type of device | (block|char|fifo) |
-+----------+---------------------+-------------------+
-| owner | Device owner | String |
-+----------+---------------------+-------------------+
-| group | Device group | String |
-+----------+---------------------+-------------------+
-| major | Major number (block | integer |
-| | or char devices) | |
-+----------+---------------------+-------------------+
-| minor | Minor number (block | integer |
-| | or char devices) | |
-+----------+---------------------+-------------------+
++-----------+---------------------+-------------------+
+| Name | Description | Values |
++===========+=====================+===================+
+| dev_type | Type of device | (block|char|fifo) |
++-----------+---------------------+-------------------+
+| owner | Device owner | String |
++-----------+---------------------+-------------------+
+| group | Device group | String |
++-----------+---------------------+-------------------+
+| secontext | SELinux context | String |
++-----------+---------------------+-------------------+
+| major | Major number (block | integer |
+| | or char devices) | |
++-----------+---------------------+-------------------+
+| minor | Minor number (block | integer |
+| | or char devices) | |
++-----------+---------------------+-------------------+
directory
^^^^^^^^^
-+-------+------------------------------+------------+
-| Name | Description | Values |
-+=======+==============================+============+
-| perms | Permissions of the directory | String |
-+-------+------------------------------+------------+
-| owner | Owner of the directory | String |
-+-------+------------------------------+------------+
-| group | Group Owner of the directory | String |
-+-------+------------------------------+------------+
-| prune | prune unspecified entries | true|false |
-| | from the Directory | |
-+-------+------------------------------+------------+
++-----------+------------------------------+------------+
+| Name | Description | Values |
++===========+==============================+============+
+| perms | Permissions of the directory | String |
++-----------+------------------------------+------------+
+| owner | Owner of the directory | String |
++-----------+------------------------------+------------+
+| group | Group Owner of the directory | String |
++-----------+------------------------------+------------+
+| secontext | SELinux context | String |
++-----------+------------------------------+------------+
+| prune | prune unspecified entries | true|false |
+| | from the Directory | |
++-----------+------------------------------+------------+
hardlink
^^^^^^^^
-+------+----------------------+--------+
-| Name | Description | Values |
-+======+======================+========+
-| to | File to link to | String |
-+------+----------------------+--------+
++-----------+------------------------------+--------+
+| Name | Description | Values |
++===========+==============================+========+
+| to | File to link to | String |
++-----------+------------------------------+--------+
+| perms | Permissions of the directory | String |
++-----------+------------------------------+--------+
+| owner | Owner of the directory | String |
++-----------+------------------------------+--------+
+| group | Group Owner of the directory | String |
++-----------+------------------------------+--------+
+| secontext | SELinux context | String |
++-----------+------------------------------+--------+
nonexistent
^^^^^^^^^^^
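Review bot: The new hardlink table copies the directory table's descriptions verbatim ("Permissions of the directory", "Owner of the directory", "Group Owner of the directory") for a hardlink entry. Reword them to refer to the file, and note that because a hardlink shares its inode with the target, `perms`, `owner`, `group` and `secontext` set here apply to the target file too; that is worth stating since it is easy to assume the link can carry its own ownership.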
@@ -285,15 +307,17 @@ nonexistent
permissions
^^^^^^^^^^^
-+-------+--------------------------+--------+
-| Name | Description | Values |
-+=======+==========================+========+
-| perms | Permissions of the file. | String |
-+-------+--------------------------+--------+
-| owner | Owner of the file. | String |
-+-------+--------------------------+--------+
-| group | Group of the file. | String |
-+-------+--------------------------+--------+
++-----------+--------------------------+--------+
+| Name | Description | Values |
++===========+==========================+========+
+| perms | Permissions of the file. | String |
++-----------+--------------------------+--------+
+| owner | Owner of the file. | String |
++-----------+--------------------------+--------+
+| group | Group of the file. | String |
++-----------+--------------------------+--------+
+| secontext | SELinux context | String |
++-----------+--------------------------+--------+
symlink
^^^^^^^
@@ -304,6 +328,141 @@ symlink
| to | File to link to | String |
+------+----------------------+--------+
+SELinux Tag
+-----------
+
+The SELinux tag has different values depending on the *type* attribute
+of the SELinux entry specified in your configuration. Below is a set
+of tables which describe the attributes available for various SELinux
+types. The types (except for ``module``) correspond to ``semanage``
+subcommands.
+
+Note that the ``selinuxtype`` attribute takes only an SELinux type,
+not a full context; e.g., "``etc_t``", not
+"``system_u:object_r:etc_t:s0``".
+
+As it can be very tedious to create a baseline of all existing SELinux
+entries, you can use ``selinux_baseline.py`` located in the ``tools/``
+directory to do that for you.
+
+In certain cases, it may be necessary to create multiple SELinux
+entries with the same name. For instance, "root" is both an SELinux
+user and an SELinux login record; or a given fcontext may need two
+different SELinux types depending on whether it's a symlink or a plain
+file. In these (few) cases, it is necessary to create BoundSELinux
+entries directly in Bundler rather than using abstract SELinux entries
+in Bundler and binding them with Rules.
+
+See :ref:`server-selinux` for more information.
+
+boolean
+^^^^^^^
+
++-------+----------------------+---------+----------+
+| Name | Description | Values | Required |
++=======+======================+=========+==========+
+| name | Name of the boolean | String | Yes |
++-------+----------------------+---------+----------+
+| value | Value of the boolean | on|off | Yes |
++-------+----------------------+---------+----------+
+
+port
+^^^^
+
++-------------+------------------------+---------------------------+----------+
+| Name | Description | Values | Required |
++=============+========================+===========================+==========+
+| name | Port number or range | ``<port>/<proto>`` or | Yes |
+| | and protocol (tcp|udp) | ``<start>-<end>/<proto>`` | |
++-------------+------------------------+---------------------------+----------+
+| selinuxtype | SELinux type to apply | String | Yes |
+| | to this port | | |
++-------------+------------------------+---------------------------+----------+
+
+fcontext
+^^^^^^^^
+
++-------------+-------------------------+---------------------+----------+
+| Name | Description | Values | Required |
++=============+=========================+=====================+==========+
+| name | File specification | String | Yes |
++-------------+-------------------------+---------------------+----------+
+| selinuxtype | SELinux type to apply | String | Yes |
+| | to files matching this | | |
+| | specification | | |
++-------------+-------------------------+---------------------+----------+
+| filetype | File type to match. | (regular|directory| | No |
+| | Default: all | symlink|pipe|all| | |
+| | | socket|block|char) | |
++-------------+-------------------------+---------------------+----------+
+
+node
+^^^^
+
++-------------+------------------------------------+------------------+----------+
+| Name | Description | Values | Required |
++=============+====================================+==================+==========+
+| name | IP address and netmask of node. | <addr>/<netmask> | Yes |
+| | Netmask can be numeric (/16) or | | |
+| | dotted-quad (/255.255.0.0) | | |
++-------------+------------------------------------+------------------+----------+
+| selinuxtype | SELinux type to apply to this node | String | Yes |
++-------------+------------------------------------+------------------+----------+
+| proto | Protocol | (ipv4|ipv6) | Yes |
++-------------+------------------------------------+------------------+----------+
+| netmask | Netmask | String | Yes |
++-------------+------------------------------------+------------------+----------+
+
+login
+^^^^^
+
++-------------+-------------------------------+-----------+----------+
+| Name | Description | Values | Required |
++=============+===============================+===========+==========+
+| name | Unix username | String | Yes |
++-------------+-------------------------------+-----------+----------+
+| selinuxuser | SELinux username | String | Yes |
++-------------+-------------------------------+-----------+----------+
+
+user
+^^^^
+
++-------------+-------------------------------+-----------+----------+
+| Name | Description | Values | Required |
++=============+===============================+===========+==========+
+| name | SELinux username | String | Yes |
++-------------+-------------------------------+-----------+----------+
+| roles | Space-separated list of roles | String | No |
++-------------+-------------------------------+-----------+----------+
+| prefix | Home directory context prefix | String | No |
++-------------+-------------------------------+-----------+----------+
+
+interface
+^^^^^^^^^
+
++-------------+-------------------------+-------------+----------+
+| Name | Description | Values | Required |
++=============+=========================+=============+==========+
+| name | Interface name | String | Yes |
++-------------+-------------------------+-------------+----------+
+| selinuxtype | SELinux type to apply | String | Yes |
+| | to this interface | | |
++-------------+-------------------------+-------------+----------+
+
+permissive
+^^^^^^^^^^
+
++-------------+------------------------------------+-------------+----------+
+| Name | Description | Values | Required |
++=============+====================================+=============+==========+
+| name | SELinux type to make permissive | String | Yes |
++-------------+------------------------------------+-------------+----------+
+
+module
+^^^^^^
+
+See :ref:`server-plugins-generators-semodules`
+
Rules Directory
===============
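Review bot: In the `node` table the `name` attribute is documented as `<addr>/<netmask>` while a separate required `netmask` attribute is also listed, so a node entry would carry the netmask twice and the table does not say which one wins. Pick one form: either `name` is the bare address and `netmask` is required, or `name` carries the mask and the `netmask` row is dropped. Two smaller points: the `fcontext` `name` row says only "File specification", so state whether it is a literal path or a pattern as accepted by `semanage fcontext`; and the `permissive` row's "SELinux type to make permissive" would read better as "SELinux domain (type) to make permissive" to match `semanage permissive` terminology used elsewhere in the section.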
diff --git a/doc/server/plugins/generators/semodules.txt b/doc/server/plugins/generators/semodules.txt
new file mode 100644
index 000000000..0d725fc1a
--- /dev/null
+++ b/doc/server/plugins/generators/semodules.txt
@@ -0,0 +1,66 @@
+.. -*- mode: rst -*-
+
+.. _server-plugins-generators-semodules:
+
+=========
+SEModules
+=========
+
+.. versionadded:: 1.3.0
+
+The SEModules plugin handles SELinux module entries. It supports
+group- and host-specific module versions, and enabling/disabling
+modules.
+
+You can use ``selinux_baseline.py`` located in the tools/ directory to
+create a baseline of all of your installed modules.
+
+See :ref:`server-selinux` for more information.
+
+Usage
+=====
+
+To use the SEModules plugin, first do ``mkdir
+/var/lib/bcfg2/SEModules``. Add ``SEModules`` to your ``plugins``
+line in ``/etc/bcfg2.conf`` and restart bcfg2-server.
+
+The SEModules directory contains modules in a layout similar to the
+Cfg plugin: at the top level, SEModules should contain directories
+named after the modules you want to install, and each of those
+directories can contain a global module, plus any number of group- and
+host-specific modules. For instance:
+
+ $ ls -F SEModules
+ foo.pp/ bar.pp/
+ $ ls SEModules/foo.pp/
+ foo.pp
+ foo.pp.G50_server
+ foo.pp.H_baz.example.com
+
+For more information on this directory layout, see
+:ref:`server-plugins-generators-cfg`.
+
+Entries
+=======
+
+SEModules handles ``<SELinux>`` entries with the ``module`` type. For
+instance:
+
+.. code-block:: xml
+
+ <Bundle name="foo">
+ <SELinux type="module" name="foo.pp"/>
+ </Bundle>
+
+The ``.pp`` extension is optional.
+
+.. note::
+
+ If you use a ``BoundSELinux`` tag, you must *not* include the
+ ``.pp`` extension. This is not recommend, though.
+
+You can also install a disabled module:
+
+.. code-block:: xml
+
+ <SELinux type="module" name="foo" disabled="true"/>
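Review bot: The directory listing after "For instance:" (the `$ ls -F SEModules` block) is indented but not introduced with `::`, so reST renders it as a block quote rather than a literal block and the `$` lines lose their monospace formatting; change "For instance:" to "For instance::". Also "This is not recommend, though." should read "This is not recommended, though", and the note should say what is not recommended (using `BoundSELinux` for module entries) and why. Finally, "first do ``mkdir /var/lib/bcfg2/SEModules``" hard-codes the repository path; "create a ``SEModules`` directory in your Bcfg2 repository" avoids a mismatch for non-default layouts.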
diff --git a/doc/server/selinux.txt b/doc/server/selinux.txt
new file mode 100644
index 000000000..0cbf0985e
--- /dev/null
+++ b/doc/server/selinux.txt
@@ -0,0 +1,97 @@
+.. -*- mode: rst -*-
+
+.. _server-selinux:
+
+=======
+SELinux
+=======
+
+.. versionadded:: 1.3.0
+
+Bcfg2 has the ability to handle the majority of SELinux entries with
+the ``SELinux`` entry type, which handles modules (with the
+:ref:`server-plugins-generators-semodules` plugin), file contexts,
+users and user mappings, permissive domains, nodes, and interfaces.
+In addition, ``info.xml`` files and most types of the ``Path`` tag can
+accept an ``secontext`` attribute to set the context of that entry.
+The full semantics of each configuration entry is documented with the
+:ref:`server-plugins-generators-rules` plugin.
+
+.. note:: The ``secontext`` attribute takes a *full* context,
+ e.g., "``system_u:object_r:etc_t:s0``"; the ``selinuxtype``
+ attribute always takes *only* an SELinux type, e.g.,
+ "``etc_t``". ``secontext`` (but not ``selinuxtype``) can
+ also accept the special value "``__default__``", which will
+ restore the context on the Path entry in question to the
+ default supplied by the SELinux policy.
+
+In its current version, the SELinux support in Bcfg2 is not sufficient
+to manage MCS/MLS policies.
+
+Extra Entries
+=============
+
+As it can be very tedious to create a baseline of all existing SELinux
+entries, you can use ``selinux_baseline.py`` located in the ``tools/``
+directory to do that for you.
+
+The actual definition of an "extra" entry actually depends on the
+version of SELinux available; the SELinux APIs have been extremely
+fluid, so many features available in newer versions are not available
+in older versions. Newer SELinux versions (e.g., in recent versions
+of Fedora) can be queried for only entries that have been locally
+modified; on these versions of SELinux, only locally modified entries
+will be considered extra. On older SELinux versions (e.g., on RHEL
+5), however, that functionality is missing, so *all* SELinux entries
+will be considered extra, making ``selinux_baseline.py`` quite
+necessary.
+
+``selinux_baseline.py`` writes a bundle to stdout that contains
+``BoundSELinux`` entries for the appropriate SELinux entities. It
+does this rather than separate Bundle/Rules files because of the
+:ref:`server-selinux-duplicate-entries` problem.
+
+.. _server-selinux-duplicate-entries:
+
+Duplicate Entries
+=================
+
+In certain cases, it may be necessary to create multiple SELinux
+entries with the same name. For instance, "root" is both an SELinux
+user and an SELinux login record, so to manage both, you would have
+the following in Bundler:
+
+.. code-block:: xml
+
+ <SELinux name="root"/>
+ <SELinux name="root"/>
+
+And in Rules:
+
+.. code-block:: xml
+
+ <SELinux type="login" selinuxuser="root" name="root"/>
+ <SELinux type="user" prefix="user" name="root"
+ roles="system_r sysadm_r user_r"/>
+
+But Rules has no way to tell which "root" is which, and you will get
+errors. In these cases, it is necessary to use ``BoundSELinux`` tags
+directly in Bundler. (See :ref:`boundentries` for more details on
+bound entries.) For instance:
+
+.. code-block:: xml
+
+ <BoundSELinux type="login" selinuxuser="root" name="root"/>
+ <BoundSELinux type="user" prefix="user" name="root"
+ roles="system_r sysadm_r user_r"/>
+
+It may also be necessary to use ``BoundSELinux`` tags if a single
+fcontext needs two different SELinux types depending on whether it's a
+symlink or a plain file. For instance:
+
+.. code-block:: xml
+
+ <BoundSELinux type="fcontext" filetype="symlink"
+ name="/etc/localtime" selinuxtype="etc_t"/>
+ <BoundSELinux type="fcontext" filetype="regular"
+ name="/etc/localtime" selinuxtype="locale_t"/>
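Review bot: The opening paragraph lists what the `SELinux` entry type handles (modules, file contexts, users and user mappings, permissive domains, nodes, interfaces) but omits booleans and ports, both of which the new Rules tables in this patch define; add them so the summary matches the type list. In "Extra Entries", "The actual definition of an "extra" entry actually depends" doubles "actual"; drop one. In "Duplicate Entries", the Bundler block shows two identical `<SELinux name="root"/>` lines before the text explains that this is the broken approach; a lead-in such as "you might expect to write" before that block would keep readers who skim the code from copying it.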