@@ -1,5 +1,12 @@
# Polyinstantiation Support
+- [Polyinstantiated Objects](#polyinstantiated-objects)
+- [Polyinstantiation support in PAM](#polyinstantiation-support-in-pam)
+ - [*namespace.conf* Configuration File](#namespace.conf-configuration-file)
+ - [Example Configurations](#example-configurations)
+- [Polyinstantiation support in X-Windows](#polyinstantiation-support-in-x-windows)
+- [Polyinstantiation support in the Reference Policy](#polyinstantiation-support-in-the-reference-policy)
+
GNU / Linux supports the polyinstantiation of directories that can be
utilised by SELinux via the Pluggable Authentication Module (PAM) as explained
in the next section. The
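Review bot: The nested TOC entries `+ - [*namespace.conf* ...]` and `+ - [Example Configurations]` appear to be indented by a single space; CommonMark only treats them as sub-items when they are indented to the parent's content column (two spaces for a `- ` marker), otherwise they render as top-level siblings, so check the indent survived. Separately, the anchor `#namespace.conf-configuration-file` keeps the period, which matches the existing in-body link and pandoc-style identifiers, but GitHub-flavoured renderers strip punctuation and would generate `#namespaceconf-configuration-file`; confirm which renderer the book targets before relying on it.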
@@ -12,16 +19,16 @@ sockets are not yet supported.
To clarify polyinstantiation support:
-1. SELinux has *libselinux* functions and a policy rule to support
- polyinstantiation.
-2. The polyinstantiation of directories is a function of GNU / Linux
- not SELinux (as more correctly, the GNU / Linux services such as PAM
- have been modified to support polyinstantiation of directories and
- have also been made SELinux-aware. Therefore their services can be
- controlled via policy).
-3. The polyinstantiation of X-windows selections and properties is a
- function of the XSELinux Object Manager and the supporting XACE
- service.
+1. SELinux has *libselinux* functions and a policy rule to support
+ polyinstantiation.
+2. The polyinstantiation of directories is a function of GNU / Linux
+ not SELinux (as more correctly, the GNU / Linux services such as PAM
+ have been modified to support polyinstantiation of directories and
+ have also been made SELinux-aware. Therefore their services can be
+ controlled via policy).
+3. The polyinstantiation of X-windows selections and properties is a
+ function of the XSELinux Object Manager and the supporting XACE
+ service.
## Polyinstantiated Objects
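Review bot: This rewrap of items 1 to 3 changes only leading whitespace, so the continuation lines need to sit under the item text (three spaces for a `1. ` marker) or the second line of each item becomes a separate paragraph; that is worth a render check since the diff does not show the indent width. While these lines are being touched, the parenthetical in item 2, `(as more correctly, the GNU / Linux services such as PAM ... controlled via policy)`, would read better as a clause of its own: "or, more correctly, the GNU / Linux services such as PAM have been modified to support polyinstantiation of directories and made SELinux-aware, so they can be controlled via policy".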
@@ -46,10 +53,11 @@ to enable the feature and some [**examples**](#example-configurations).
To implement polyinstantiated directories PAM requires the following
files to be configured:
-1. A **pam_namespace** module entry added to the appropriate */etc/pam.d/*
- login configuration file (e.g. login, sshd, gdm etc.). Fedora
- already has these entries configured, with an example
- */etc/pam.d/gdm-password* file being:
+- A **pam_namespace** module entry added to the appropriate */etc/pam.d/*
+ login configuration file (e.g. login, sshd, gdm etc.). Fedora
+ already has these entries configured, with an example
+ */etc/pam.d/gdm-password* file being:
+
```
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
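Review bot: Replacing the `1.`/`2.` numbering with bullets drops the ordering implied by "requires the following files to be configured"; that is fine if the two files can be set up in either order, but the ` ``` ` fence that follows at column 0 also ends the list item, so the `/etc/pam.d/gdm-password` example renders outside the bullet rather than as part of it. Indent the fence and its contents by two spaces if the block should stay attached to "with an example */etc/pam.d/gdm-password* file being:".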
@@ -73,13 +81,13 @@ session optional pam_gnome_keyring.so auto_start
session include postlogin
```
-2. Entries added to the */etc/security/namespace.conf* file that defines
- the directories to be polyinstantiated by PAM (and other services
- that may need to use the namespace service). The entries are
- explained in the
- [*namespace.conf*](#namespace.conf-configuration-file) section,
- with the default entries in Fedora being (note that the entries are
- commented out in the distribution):
+- Entries added to the */etc/security/namespace.conf* file that defines
+ the directories to be polyinstantiated by PAM (and other services
+ that may need to use the namespace service). The entries are
+ explained in the
+ [*namespace.conf*](#namespace.conf-configuration-file) section,
+ with the default entries in Fedora being (note that the entries are
+ commented out in the distribution):
```
# polydir instance-prefix method list_of_uids
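Review bot: No blank line is added between `commented out in the distribution):` and the ` ``` ` fence, whereas the previous hunk inserts one (`+` blank line) before the `gdm-password` block; add it here as well so both code blocks are separated from their list items the same way. Minor grammar on the first changed line: "Entries added to the */etc/security/namespace.conf* file that defines the directories" should read "that define", since it is the entries, not the file, that define the directories.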
@@ -108,33 +116,37 @@ Each line in the namespace.conf file is formatted as follows:
polydir instance_prefix method list_of_uids
```
-Where:
-
-<table>
-<tbody>
-<tr>
-<td>polydir</td>
-<td>The absolute path name of the directory to polyinstantiate. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.</td>
-</tr>
-<tr>
-<td>instance_prefix</td>
-<td>A string prefix used to build the pathname for the polyinstantiated directory. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.</td>
-</tr>
-<tr>
-<td>method</td>
-<td><p>This is used to determine the method of polyinstantiation with valid entries being:</p>
-<p>user - Polyinstantiation is based on user name.</p>
-<p>level - Polyinstantiation is based on the user name and MLS level.</p>
-<p>context - Polyinstantiation is based on the user name and security context.</p>
-<p>Note that level and context are only valid for SELinux enabled systems.</p></td>
-</tr>
-<tr>
-<td>list_of_uids</td>
-<td><p>A comma separated list of user names that will not have polyinstantiated directories. If blank, then all users are polyinstantiated. If the list is preceded with an '~' character, then only the users in the list will have polyinstantiated directories.</p>
-<p>There are a number of optional flags available that are described in the <strong>namespace.conf</strong>(5) man page.</p></td>
-</tr>
-</tbody>
-</table>
+**Where:**
+
+*polydir*
+
+- The absolute path name of the directory to polyinstantiate. The optional
+ strings *\$USER* and *\$HOME* will be replaced by the user name and home
+ directory respectively.
+
+*instance_prefix*
+
+- A string prefix used to build the pathname for the polyinstantiated
+ directory. The optional strings *\$USER* and *\$HOME* will be replaced by
+ the user name and home directory respectively.
+
+*method*
+
+- This is used to determine the method of polyinstantiation with valid
+ entries being:
+ - *user* - Polyinstantiation is based on user name.
+ - *level* - Polyinstantiation is based on user name and MLS level.
+ - *context* - Polyinstantiation is based on user name and security context.
+- Note that *level* and *context* are only valid for SELinux enabled systems.
+
+*list_of_uids*
+
+- A comma separated list of user names that will not have polyinstantiated
+ directories. If blank, then all users are polyinstantiated. If the list is
+ preceded with an '~' character, then only the users in the list will have
+ polyinstantiated directories.
+ There are a number of optional flags available that are described in the
+ ***namespace.conf**(5)* man page.
### Example Configurations
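Review bot: The sentence `There are a number of optional flags available that are described in the ...` is a lazy continuation line inside the *list_of_uids* bullet, so it renders as part of that field's description even though it applies to the whole `namespace.conf` line format; the HTML table had the same placement in the last cell, but now that the table is a list, a blank line before it and dedenting it to a standalone paragraph would fix that. The nested emphasis `***namespace.conf**(5)*` parses as bold inside italic, while the replaced HTML was plain `<strong>namespace.conf</strong>(5)`, so `**namespace.conf**(5)` is the matching markdown. The rest of the conversion (the `*\$USER*`/`*\$HOME*` escapes, the *user*/*level*/*context* sub-list, and the SELinux-only note for *level* and *context*) carries the table content over unchanged.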
Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/polyinstantiation.md | 108 ++++++++++++++++++++++-----------------
 1 file changed, 60 insertions(+), 48 deletions(-)