From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-commits+bounces-351611-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1QU2Wi-0004N9-H6
	for garchives@archives.gentoo.org; Tue, 07 Jun 2011 20:05:24 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 7B4461C174;
	Tue,  7 Jun 2011 20:05:07 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	by pigeon.gentoo.org (Postfix) with ESMTP id F12671C175
	for <gentoo-commits@lists.gentoo.org>; Tue,  7 Jun 2011 20:05:06 +0000 (UTC)
Received: from flycatcher.gentoo.org (flycatcher.gentoo.org [81.93.255.6])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 7A5951B403F
	for <gentoo-commits@lists.gentoo.org>; Tue,  7 Jun 2011 19:46:53 +0000 (UTC)
Received: by flycatcher.gentoo.org (Postfix, from userid 2296)
	id 34F9420036; Tue,  7 Jun 2011 19:46:52 +0000 (UTC)
From: "Francisco Blas Izquierdo Riera (klondike)" <klondike@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, klondike@gentoo.org
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-appendix-reference.xml hb-intro-concepts.xml hb-intro-enhancingsecurity.xml hb-intro-referencepolicy.xml hb-using-commands.xml hb-using-install.xml hb-using-permissive.xml hb-using-policymodules.xml
X-VCS-Repository: gentoo
X-VCS-Files: hb-appendix-reference.xml hb-intro-concepts.xml hb-intro-enhancingsecurity.xml hb-intro-referencepolicy.xml hb-using-commands.xml hb-using-install.xml hb-using-permissive.xml hb-using-policymodules.xml
X-VCS-Directories: xml/htdocs/proj/en/hardened/selinux
X-VCS-Committer: klondike
X-VCS-Committer-Name: Francisco Blas Izquierdo Riera
Content-Type: text/plain; charset=utf8
Message-Id: <20110607194652.34F9420036@flycatcher.gentoo.org>
Date: Tue,  7 Jun 2011 19:46:52 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt: 
X-Archives-Hash: 2ffc08b608c95b7c4b0074b7a97019c3

klondike    11/06/07 19:46:52

  Modified:             hb-appendix-reference.xml hb-intro-concepts.xml
                        hb-intro-enhancingsecurity.xml
                        hb-intro-referencepolicy.xml hb-using-commands.xm=
l
                        hb-using-install.xml hb-using-permissive.xml
                        hb-using-policymodules.xml
  Log:
  Pushing the manual as requested by swift 2nd attempt

Revision  Changes    Path
1.3                  xml/htdocs/proj/en/hardened/selinux/hb-appendix-refe=
rence.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-appendix-reference.xml?rev=3D1.3&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-appendix-reference.xml?rev=3D1.3&content-type=3Dtext/pla=
in
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-appendix-reference.xml?r1=3D1.2&r2=3D1.3

Index: hb-appendix-reference.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-appe=
ndix-reference.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- hb-appendix-reference.xml	25 Apr 2011 20:12:59 -0000	1.2
+++ hb-appendix-reference.xml	7 Jun 2011 19:46:52 -0000	1.3
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license=
 -->
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
=20
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-appendix-reference.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-appendix-reference.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
=20
 <sections>
-<version>1.3</version>
-<date>2011-01-07</date>
+<version>2</version>
+<date>2011-05-31</date>
=20
 <section>
 <title>Background</title>
@@ -78,4 +78,32 @@
 </subsection>
 </section>
=20
+<section>
+<title>Gentoo Specific Resources</title>
+<subsection>
+<title>Gentoo Hardened</title>
+<body>
+
+<p>
+The following resources are specific towards Gentoo Hardened's SELinux
+implementation.=20
+</p>
+
+<ul>
+  <li>
+    <uri link=3D"/proj/en/hardened/selinux-faq.xml">SELinux Frequently A=
sked
+    Questions</uri>
+  </li>
+  <li>
+    <uri link=3D"/proj/en/hardened/selinux-development.xml">SELinux Deve=
lopment
+    Guidelines</uri>
+  </li>
+  <li>
+    <uri link=3D"/proj/en/hardened/selinux-policy.xml">SELinux Policy</u=
ri>
+  </li>
+</ul>
+
+</body>
+</subsection>
+</section>
 </sections>



1.4                  xml/htdocs/proj/en/hardened/selinux/hb-intro-concept=
s.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-intro-concepts.xml?rev=3D1.4&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-intro-concepts.xml?rev=3D1.4&content-type=3Dtext/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-intro-concepts.xml?r1=3D1.3&r2=3D1.4

Index: hb-intro-concepts.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intr=
o-concepts.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- hb-intro-concepts.xml	7 Jun 2011 19:40:20 -0000	1.3
+++ hb-intro-concepts.xml	7 Jun 2011 19:46:52 -0000	1.4
@@ -4,7 +4,7 @@
 <!-- The content of this document is licensed under the CC-BY-SA license=
 -->
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
=20
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-intro-concepts.xml,v 1.3 2011/06/07 19:40:20 klondike Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-intro-concepts.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
=20
 <sections>
 <version>4</version>
@@ -512,7 +512,8 @@
=20
 <p>
 At this moment, Gentoo Hardened SELinux' supports both policies with and
-without UBAC. This is controlled through the <c>ubac</c> USE flag.
+without UBAC, although we strongly recommend to use UBAC. This is contro=
lled
+through the <c>ubac</c> USE flag.
 </p>
=20
 </body>



1.3                  xml/htdocs/proj/en/hardened/selinux/hb-intro-enhanci=
ngsecurity.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-intro-enhancingsecurity.xml?rev=3D1.3&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-intro-enhancingsecurity.xml?rev=3D1.3&content-type=3Dtex=
t/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-intro-enhancingsecurity.xml?r1=3D1.2&r2=3D1.3

Index: hb-intro-enhancingsecurity.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intr=
o-enhancingsecurity.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- hb-intro-enhancingsecurity.xml	25 Apr 2011 20:12:59 -0000	1.2
+++ hb-intro-enhancingsecurity.xml	7 Jun 2011 19:46:52 -0000	1.3
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license=
 -->
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
=20
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-intro-enhancingsecurity.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-intro-enhancingsecurity.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
=20
 <sections>
-<version>1</version>
-<date>2011-01-10</date>
+<version>2</version>
+<date>2011-05-25</date>
=20
 <section>
 <title>Introduction</title>
@@ -343,7 +343,7 @@
 within the authorization system, SELinux also requires particular tools =
to
 support the SELinux features. Examples are administrative tools to view =
and
 manipulate labels, privilege management tools (like <c>sudo</c>), system
-services (like HAL or SysVInit) etc. This is reflected in a set of patch=
es
+services (like SysVInit) etc. This is reflected in a set of patches
 against these (and more) tools which are not always part of the applicat=
ions'
 main source code.
 </p>



1.3                  xml/htdocs/proj/en/hardened/selinux/hb-intro-referen=
cepolicy.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-intro-referencepolicy.xml?rev=3D1.3&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-intro-referencepolicy.xml?rev=3D1.3&content-type=3Dtext/=
plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-intro-referencepolicy.xml?r1=3D1.2&r2=3D1.3

Index: hb-intro-referencepolicy.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intr=
o-referencepolicy.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- hb-intro-referencepolicy.xml	25 Apr 2011 20:12:59 -0000	1.2
+++ hb-intro-referencepolicy.xml	7 Jun 2011 19:46:52 -0000	1.3
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license=
 -->
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
=20
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-intro-referencepolicy.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-intro-referencepolicy.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
=20
 <sections>
-<version>0</version>
-<date>2010-12-01</date>
+<version>1</version>
+<date>2011-06-02</date>
=20
 <section>
 <title>About SELinux Policies</title>
@@ -242,7 +242,11 @@
   <dt>Version 23</dt>
   <dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd>
   <dt>Version 24</dt>
-  <dd>Explicit hierarchy (type bounds) (2.6.28 - current)</dd>
+  <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd>
+  <dt>Version 25</dt>
+  <dd>Filename based transition support (2.6.39)</dd>
+  <dt>Version 26</dt>
+  <dd>Role transition support for non-process classes (3.0)</dd>
 </dl>
=20
 </body>



1.3                  xml/htdocs/proj/en/hardened/selinux/hb-using-command=
s.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-commands.xml?rev=3D1.3&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-commands.xml?rev=3D1.3&content-type=3Dtext/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-commands.xml?r1=3D1.2&r2=3D1.3

Index: hb-using-commands.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-usin=
g-commands.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- hb-using-commands.xml	25 Apr 2011 20:12:59 -0000	1.2
+++ hb-using-commands.xml	7 Jun 2011 19:46:52 -0000	1.3
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license=
 -->
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
=20
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-using-commands.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
=20
 <sections>
-<version>2</version>
-<date>2011-04-22</date>
+<version>3</version>
+<date>2011-05-31</date>
=20
 <section>
 <title>SELinux Information Commands</title>
@@ -295,16 +295,30 @@
=20
 <p>
 The default behavior is that users are logged on as the <e>user_u</e> SE=
Linux
-user. If you want to allow another user (say <c>anna</c>) to log on as
-<c>staff_u</c>:
+user. This SELinux user is a non-administrator user: it has no specific
+privileges and should be used for every account that never requires elev=
ated
+privileges (so no <c>su</c> or <c>sudo</c> rights for anything).
+</p>
+
+<p>
+The account you use to administer your system should be mapped to the
+<c>staff_u</c> SELinux user (or its own user with the appropriate roles)=
. This
+can be accomplished as follows (example with the Unix account <e>anna</e=
>):
 </p>
=20
 <pre caption=3D"Letting 'anna' log on as 'staff_u'">
 ~# <i>semanage login -a -s staff_u anna</i>
 </pre>
=20
+<impo>
+Make sure that whatever account you use to administer your system is map=
ped to
+the <c>staff_u</c> user, or has the ability to switch to the <c>sysadm_r=
</c>
+role. Portage only works from within the <c>sysadm_r</c> role.
+</impo>
+
 <p>
-SELinux users then can be configured to belong to one or more roles.
+As mentioned, SELinux users are configured to be able to join in on one =
or more
+roles. To list the available roles, you can use <c>semanage user -l</c>:
 </p>
=20
 <pre caption=3D"Listing login / role mappings">



1.4                  xml/htdocs/proj/en/hardened/selinux/hb-using-install=
.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-install.xml?rev=3D1.4&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-install.xml?rev=3D1.4&content-type=3Dtext/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-install.xml?r1=3D1.3&r2=3D1.4

Index: hb-using-install.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-usin=
g-install.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- hb-using-install.xml	7 Jun 2011 19:40:20 -0000	1.3
+++ hb-using-install.xml	7 Jun 2011 19:46:52 -0000	1.4
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license=
 -->
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
=20
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-using-install.xml,v 1.3 2011/06/07 19:40:20 klondike Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
=20
 <sections>
-<version>5</version>
-<date>2011-04-16</date>
+<version>10</version>
+<date>2011-06-07</date>
=20
 <section>
 <title>Installing Gentoo Hardened</title>
@@ -42,7 +42,8 @@
 <p>
 Install Gentoo Linux according to the <uri link=3D"/doc/en/handbook">Gen=
too
 Handbook</uri> installation instructions. We recommend the use of the ha=
rdened
-stage 3 tarballs instead of the standard ones. Perform a full installati=
on to
+stage 3 tarballs instead of the standard ones, but standard stage
+installations are also supported for SELinux. Perform a full installatio=
n to
 the point that you have booted your system into a (primitive) Gentoo bas=
e
 installation.
 </p>
@@ -56,6 +57,7 @@
=20
 </body>
 </subsection>
+<!--
 <subsection>
 <title>Installing the Hardened Development Overlay</title>
 <body>
@@ -88,6 +90,7 @@
=20
 </body>
 </subsection>
+-->
 <subsection>
 <title>Switching to Python 2</title>
 <body>
@@ -110,7 +113,7 @@
 </body>
 </subsection>
 <subsection>
-<title>Optional: Setting the /tmp context</title>
+<title>Optional: Setting the filesystem contexts</title>
 <body>
=20
 <p>
@@ -142,14 +145,6 @@
 </p>
=20
 <pre caption=3D"SELinux ~arch packages">
-sys-libs/libselinux
-sys-apps/policycoreutils
-sys-libs/libsemanage
-sys-libs/libsepol
-app-admin/setools
-dev-python/sepolgen
-sys-apps/checkpolicy
-sec-policy/*
 =3Dsys-process/vixie-cron-4.1-r11
 </pre>
=20
@@ -162,7 +157,9 @@
 <p>
 Now that you have a running Gentoo Linux installation, switch the Gentoo=
 profile
 to the right SELinux hardened profile (for instance,=20
-<path>selinux/v2refpolicy/amd64/hardened</path>).=20
+<path>hardened/linux/amd64/no-multilib/selinux</path>). Note that the ol=
der
+profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>) are stil=
l
+supported though.
 </p>
=20
 <pre caption=3D"Switching the Gentoo profile">
@@ -174,18 +171,20 @@
   [4]   default/linux/amd64/10.0/desktop/kde
   [5]   default/linux/amd64/10.0/developer
   [6]   default/linux/amd64/10.0/no-multilib
-  [7]   default/linux/amd64/10.0/server *
+  [7]   default/linux/amd64/10.0/server
   [8]   hardened/linux/amd64
-  [9]   hardened/linux/amd64/no-multilib
-  [10]  selinux/2007.0/amd64
-  [11]  selinux/2007.0/amd64/hardened
-  [12]  selinux/v2refpolicy/amd64
-  [13]  selinux/v2refpolicy/amd64/desktop
-  [14]  selinux/v2refpolicy/amd64/developer
-  [15]  selinux/v2refpolicy/amd64/hardened
-  [16]  selinux/v2refpolicy/amd64/server
+  [9]   hardened/linux/amd64/selinux
+  [10]  hardened/linux/amd64/no-multilib *
+  [11]  hardened/linux/amd64/no-multilib/selinux
+  [12]  selinux/2007.0/amd64
+  [13]  selinux/2007.0/amd64/hardened
+  [14]  selinux/v2refpolicy/amd64
+  [15]  selinux/v2refpolicy/amd64/desktop
+  [16]  selinux/v2refpolicy/amd64/developer
+  [17]  selinux/v2refpolicy/amd64/hardened
+  [18]  selinux/v2refpolicy/amd64/server
=20
-~# <i>eselect profile set 15</i>
+~# <i>eselect profile set 11</i>
 </pre>
=20
 <note>
@@ -208,9 +207,11 @@
 <body>
=20
 <p>
-Edit your <path>/etc/make.conf</path> file and set
-<c>FEATURES=3D"-loadpolicy"</c>. The current SELinux profile enables the
-loadpolicy feature, but this isn't supported anymore so can be safely ig=
nored.
+Edit your <path>/etc/make.conf</path> file. If you ues the older SELinux
+profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>), set
+<c>FEATURES=3D"-loadpolicy"</c>. These SELinux profiles enable the
+loadpolicy feature, but this isn't supported anymore so can be safely ig=
nored.=20
+More recent profiles do not set this anymore.
 </p>
=20
 <p>
@@ -247,11 +248,9 @@
 </tr>
 <tr>
   <ti>ubac</ti>
-  <ti>Disabled</ti>
+  <ti>Enabled</ti>
   <ti>
-    When enabled, the SELinux policy is built with user-based access con=
trol
-    enabled. This is optional as it introduces constraints that might be
-    difficult to notice at first when you hit them.
+    When disabled, the SELinux policy is built without user-based access=
 control.
   </ti>
 </tr>
 </table>
@@ -602,8 +601,8 @@
 </impo>
=20
 <p>
-First relabel your devices. This will apply the correct security context=
s
-(labels) onto the device files.
+First relabel your devices and openrc related files. This will apply the
+correct security contexts (labels) onto the necessary files.
 </p>
=20
 <pre caption=3D"Relabel /dev structure">
@@ -612,6 +611,7 @@
=20
 <comment>(Substitute the "strict" in the next command with "targeted" if=
 that is your SELINUXTYPE selection)</comment>
 ~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_co=
ntexts /mnt/gentoo/dev</i>
+~# <i>setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_co=
ntexts /mnt/gentoo/lib64</i>
 ~# <i>umount /mnt/gentoo</i>
 </pre>
=20
@@ -651,7 +651,7 @@
 </body>
 </subsection>
 <subsection>
-<title>Reboot</title>
+<title>Reboot and Set SELinux Booleans</title>
 <body>
=20
 <p>
@@ -663,9 +663,47 @@
 ~# <i>setsebool -P global_ssp on</i>
 </pre>
=20
+</body>
+</subsection>
+<subsection>
+<title>Define the Administrator Accounts</title>
+<body>
+
+<p>
+Finally, we need to map the account(s) you use to manage your system (th=
ose
+that need access to Portage) to the <c>staff_u</c> SELinux user. By defa=
ult,
+users are mapped to the <c>user_u</c> SELinux user who doesn't have the
+appropriate rights (nor access to the appropriate roles) to manage a sys=
tem.
+Accounts that are mapped to <c>staff_u</c> can, but might need to switch=
 roles
+from <c>staff_r</c> to <c>sysadm_r</c> before they are granted the appro=
priate
+privileges.
+</p>
+
+<p>
+Assuming that your account name is <e>john</e>:
+</p>
+
+<pre caption=3D"Mapping the Linux account john to the SELinux user staff=
_u">
+~# <i>semanage login -a -s staff_u john</i>
+~# <i>restorecon -R -F /home/john</i>
+</pre>
+
+<p>
+If you later log on as <e>john</e> and want to manage your system, you w=
ill
+probably need to switch your role. You can use <c>newrole</c> for this:
+</p>
+
+<pre caption=3D"Switching roles">
+~$ <i>id -Z</i>
+staff_u:staff_r:staff_t
+~$ <i>newrole -r sysadm_r</i>
+Password: <comment>(Enter your password)</comment>
+~$ <i>id -Z</i>
+staff_u:sysadm_r:sysadm_t
+</pre>
+
 <p>
-With that done, enjoy - your first steps into the SELinux world are now
-made.
+With that done, enjoy - your first steps into the SELinux world are now =
made.
 </p>
=20
 </body>



1.3                  xml/htdocs/proj/en/hardened/selinux/hb-using-permiss=
ive.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-permissive.xml?rev=3D1.3&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-permissive.xml?rev=3D1.3&content-type=3Dtext/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-permissive.xml?r1=3D1.2&r2=3D1.3

Index: hb-using-permissive.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-usin=
g-permissive.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- hb-using-permissive.xml	25 Apr 2011 20:12:59 -0000	1.2
+++ hb-using-permissive.xml	7 Jun 2011 19:46:52 -0000	1.3
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license=
 -->
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
=20
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-using-permissive.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-using-permissive.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
=20
 <sections>
-<version>4</version>
-<date>2011-04-22</date>
+<version>5</version>
+<date>2011-06-02</date>
=20
 <section>
 <title>Keeping Track of Denials</title>
@@ -326,7 +326,8 @@
 <path>/etc</path> rather than <path>/etc/lvm</path> as the policy would =
expect,
 then you can still label the file correctly using <c>semanage</c>. With=20
 <c>semanage</c>, you assign a correct security context unrelated to any
-module. It is a local setting - but which is persistent across reboots.
+module. It is a local setting - but which is persistent across reboots a=
nd
+relabelling activities.
 </p>
=20
 <pre caption=3D"Setting a new file context using semanage">



1.5                  xml/htdocs/proj/en/hardened/selinux/hb-using-policym=
odules.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-policymodules.xml?rev=3D1.5&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-policymodules.xml?rev=3D1.5&content-type=3Dtext/pl=
ain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har=
dened/selinux/hb-using-policymodules.xml?r1=3D1.4&r2=3D1.5

Index: hb-using-policymodules.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-usin=
g-policymodules.xml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- hb-using-policymodules.xml	7 Jun 2011 19:40:20 -0000	1.4
+++ hb-using-policymodules.xml	7 Jun 2011 19:46:52 -0000	1.5
@@ -4,7 +4,7 @@
 <!-- The content of this document is licensed under the CC-BY-SA license=
 -->
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
=20
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-using-policymodules.xml,v 1.4 2011/06/07 19:40:20 klondike Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb=
-using-policymodules.xml,v 1.5 2011/06/07 19:46:52 klondike Exp $ -->
=20
 <sections>
 <version>1</version>