* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: José María Alonso (nimiux) @ 2011-06-09 18:56 UTC
To: gentoo-commits
nimiux 11/06/09 18:56:37
Modified: hb-using-install.xml
Log:
Fixed small typo. No version bump
Revision Changes Path
1.5 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.5&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.5&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.4&r2=1.5
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- hb-using-install.xml 7 Jun 2011 19:46:52 -0000 1.4
+++ hb-using-install.xml 9 Jun 2011 18:56:37 -0000 1.5
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.5 2011/06/09 18:56:37 nimiux Exp $ -->
<sections>
<version>10</version>
@@ -207,7 +207,7 @@
<body>
<p>
-Edit your <path>/etc/make.conf</path> file. If you ues the older SELinux
+Edit your <path>/etc/make.conf</path> file. If you use the older SELinux
profiles (like <path>selinux/v2refpolicy/amd64/hardened</path>), set
<c>FEATURES="-loadpolicy"</c>. These SELinux profiles enable the
loadpolicy feature, but this isn't supported anymore so can be safely ignored.
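Review bot: In the unchanged context that closes this hunk, "this isn't supported anymore so can be safely ignored" does not say what is being ignored, and it follows a sentence that tells the reader to set <c>FEATURES="-loadpolicy"</c>. While the paragraph is open for the typo fix, consider stating outright that the loadpolicy feature enabled by the old profiles is unsupported and that the setting switches it off.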

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: José María Alonso (nimiux) @ 2011-08-16 17:00 UTC
To: gentoo-commits
nimiux 11/08/16 17:00:56
Modified: hb-using-install.xml
Log:
Updated selinux docs
Revision Changes Path
1.8 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.8&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.8&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.7&r2=1.8
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- hb-using-install.xml 11 Aug 2011 21:38:44 -0000 1.7
+++ hb-using-install.xml 16 Aug 2011 17:00:56 -0000 1.8
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.7 2011/08/11 21:38:44 blueness Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.8 2011/08/16 17:00:56 nimiux Exp $ -->
<sections>
<version>12</version>
@@ -599,7 +599,7 @@
<p>
When you have made your choice between the SELinux policy types, save
this in your <path>/etc/make.conf</path> file as well. That way, Portage will
-only install the policy modules for that SELinux type rather than both.
+only install the policy modules for that SELinux type.
</p>
<pre caption="Setting the policy type in make.conf">

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2012-04-05 20:39 UTC
To: gentoo-commits
swift 12/04/05 20:39:13
Modified: hb-using-install.xml
Log:
Add in reference to sandbox write requirement on /sys/fs/selinux/context until fix in upstream is stabilized
Revision Changes Path
1.13 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.13&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.13&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.12&r2=1.13
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- hb-using-install.xml 28 Mar 2012 18:54:56 -0000 1.12
+++ hb-using-install.xml 5 Apr 2012 20:39:13 -0000 1.13
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.12 2012/03/28 18:54:56 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.13 2012/04/05 20:39:13 swift Exp $ -->
<sections>
-<version>17</version>
-<date>2012-01-29</date>
+<version>18</version>
+<date>2012-04-05</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -272,6 +272,10 @@
</p>
<ul>
+ <!--
+ TODO When 2.20120215-r5 or higher is stabilized, the LVM change is not needed
+ anymore
+ -->
<li>
If you use LVM for one or more file systems, you need to edit
<path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>)
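Review bot: The added TODO comment gives a version, "2.20120215-r5 or higher", without naming the package it belongs to, so a later maintainer cannot tell which stabilization to watch for. Put the full package atom in the comment, and say which list item is meant by "the LVM change" in case more items are added between the comment and that <li>.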
@@ -288,6 +292,16 @@
which mess up the file labelling. For instance, <c>cp /bin/hostname
/bin/hostname.old</c>.
</li>
+ <!--
+ TODO When the fix is accepted in the portage code and that portage version is
+ stabilized, the change is not needed anymore.
+ -->
+ <li>
+ Edit <path>/etc/sandbox.conf</path> and add in
+ <path>/sys/fs/selinux/context</path> to the <c>SANDBOX_WRITE</c> parameter.
+ This is currently needed to work around bug <uri
+ link="https://bugs.gentoo.org/410687">410687</uri>.
+ </li>
</ul>
</body>
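Review bot: The new <li> widens the build sandbox by adding /sys/fs/selinux/context to SANDBOX_WRITE, but only the XML comment above it says the change is temporary; the text a reader sees says "currently needed" and gives no condition for removing the entry again. State in the <li> itself that the entry should be dropped once the fix for bug 410687 is stable, so the exemption does not linger in /etc/sandbox.conf. It would also help to show the resulting line in a <pre> block, since "add in ... to the SANDBOX_WRITE parameter" does not make clear that the existing value is to be extended rather than replaced.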

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2012-05-05 19:01 UTC
To: gentoo-commits
swift 12/05/05 19:01:39
Modified: hb-using-install.xml
Log:
Update on SELinux docs (mainly /selinux versus /sys/fs/selinux state of affairs)
Revision Changes Path
1.16 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.16&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.16&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.15&r2=1.16
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- hb-using-install.xml 29 Apr 2012 14:26:40 -0000 1.15
+++ hb-using-install.xml 5 May 2012 19:01:39 -0000 1.16
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.15 2012/04/29 14:26:40 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.16 2012/05/05 19:01:39 swift Exp $ -->
<sections>
-<version>21</version>
-<date>2012-04-29</date>
+<version>23</version>
+<date>2012-05-06</date>
<section>
<title>Installing Gentoo (Hardened)</title>
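Review bot: In the <sections> header, <version> goes from 21 to 23 and <date> is set to 2012-05-06, while the $Header stamp of this same revision reads 2012/05/05 19:01:39. If the skipped version number and the one-day difference are not intended, set them to 22 and 2012-05-05 so the reader-visible metadata matches the commit.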
@@ -296,6 +296,15 @@
</li>
</ul>
+<p>
+Previously (before <path>sys-libs/libselinux-2.1.9</path> was stabilized) the
+location of the SELinux file system was <path>/selinux</path>. This location can
+still be used (the recent libselinux implementations are currently backwards
+compatible with it) and, due to <uri link="https://bugs.gentoo.org/14779">bug
+14779</uri>, is still the location to use if you do not boot with an initramfs
+that premounts <path>/sys</path>.
+</p>
+
</body>
</subsection>
<subsection>
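Review bot: The second sentence of the added <p> packs two separate statements into one (that /selinux still works because libselinux is backwards compatible, and that /selinux is required when no initramfs premounts /sys), and it never tells the reader which mount point to put in their own configuration. Split it into two sentences and end with an explicit rule, for example "use /selinux unless you boot with an initramfs that premounts /sys". The paragraph also sits after the closing </ul> of a list of required edits, so it reads as background rather than as something the reader must act on.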

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2012-05-07 20:08 UTC
To: gentoo-commits
swift 12/05/07 20:08:14
Modified: hb-using-install.xml
Log:
Reverting change from /sys/fs/selinux to /selinux until portage is stable
Revision Changes Path
1.17 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.17&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.17&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.16&r2=1.17
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- hb-using-install.xml 5 May 2012 19:01:39 -0000 1.16
+++ hb-using-install.xml 7 May 2012 20:08:14 -0000 1.17
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.16 2012/05/05 19:01:39 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.17 2012/05/07 20:08:14 swift Exp $ -->
<sections>
-<version>23</version>
-<date>2012-05-06</date>
+<version>24</version>
+<date>2012-05-07</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -285,26 +285,10 @@
/bin/hostname.old</c>.
</li>
<!--
- TODO When the fix is accepted in the portage code and that portage version is
- stabilized, the change is not needed anymore.
+ TODO When portage fix is stabilized, convert docs to /sys/fs/selinux
-->
- <li>
- Edit <path>/etc/sandbox.conf</path> and add in
- <path>/sys/fs/selinux/context</path> to the <c>SANDBOX_WRITE</c> parameter.
- This is currently needed to work around bug <uri
- link="https://bugs.gentoo.org/410687">410687</uri>.
- </li>
</ul>
-<p>
-Previously (before <path>sys-libs/libselinux-2.1.9</path> was stabilized) the
-location of the SELinux file system was <path>/selinux</path>. This location can
-still be used (the recent libselinux implementations are currently backwards
-compatible with it) and, due to <uri link="https://bugs.gentoo.org/14779">bug
-14779</uri>, is still the location to use if you do not boot with an initramfs
-that premounts <path>/sys</path>.
-</p>
-
</body>
</subsection>
<subsection>
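Review bot: The replacement TODO, "When portage fix is stabilized, convert docs to /sys/fs/selinux", no longer says which fix is meant, because the lines removed below it carried the only reference to bug 410687. Keep the bug number in the comment so the condition can be checked later. The comment is now also the last child of the <ul> with no <li> after it, so it is not clear what it annotates; moving it next to the fstab entry it concerns would make that obvious.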
@@ -412,7 +396,7 @@
<pre caption="Enabling selinux-specific file system options">
<comment># The udev mount is due to bug #373381</comment>
udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
-none /sys/fs/selinux selinuxfs defaults 0 0
+none /selinux selinuxfs defaults 0 0
</pre>
<note>
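Review bot: The changed fstab line now mounts selinuxfs on /selinux, and nothing visible in this hunk tells the reader to create that directory first. Unless the document covers it elsewhere, add a step such as <c>mkdir /selinux</c> next to this <pre> block, otherwise the mount fails at boot on a system that does not have the directory yet.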
@@ -428,7 +412,7 @@
<p>
With the above changes made, reboot your system. Assert yourself that you are
-now running a Linux kernel with SELinux enabled (the <path>/sys/fs/selinux</path> file
+now running a Linux kernel with SELinux enabled (the <path>/selinux</path> file
system should be mounted). Don't worry - SELinux is at this point not activated.
</p>
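Review bot: The changed sentence asks the reader to confirm that the /selinux file system is mounted but gives no way to check it. Add a short <pre> block with a command and the output to expect, for example <c>mount | grep selinuxfs</c>. "Assert yourself" in the unchanged line above could be corrected to "Verify" in the same edit.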

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2012-05-07 20:20 UTC
To: gentoo-commits
swift 12/05/07 20:20:42
Modified: hb-using-install.xml
Log:
Adding back in sandbox fix, still needed, even with /selinux
Revision Changes Path
1.18 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.18&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.18&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.17&r2=1.18
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- hb-using-install.xml 7 May 2012 20:08:14 -0000 1.17
+++ hb-using-install.xml 7 May 2012 20:20:42 -0000 1.18
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.17 2012/05/07 20:08:14 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.18 2012/05/07 20:20:42 swift Exp $ -->
<sections>
<version>24</version>
@@ -287,6 +287,12 @@
<!--
TODO When portage fix is stabilized, convert docs to /sys/fs/selinux
-->
+ <li>
+ Edit <path>/etc/sandbox.conf</path> and add in
+ <c>SANDBOX_WRITE="/sys/fs/selinux/context"</c>. This is temporarily needed
+ until the necessary fix (included in Portage but not stable yet) is
+ available.
+ </li>
</ul>
</body>
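Review bot: The added <li> exempts /sys/fs/selinux/context from the sandbox, while the TODO comment directly above it says the document has not yet been converted to /sys/fs/selinux, so a reader following the guide mounts the file system at one location and is told to whitelist a path under another. Add a sentence explaining why the sandbox entry uses the /sys/fs/selinux path regardless. The step is also written as a full assignment, <c>SANDBOX_WRITE="/sys/fs/selinux/context"</c>, which reads as replacing the parameter rather than adding to it, and "the necessary fix" has no bug link. The <version> in the first hunk stays at 24 although this is a reader-visible change.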

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2012-05-26 15:57 UTC
To: gentoo-commits
swift 12/05/26 15:57:41
Modified: hb-using-install.xml
Log:
Fix bug #412421 - Using SELinux with recent udev and/or with /run location
Revision Changes Path
1.19 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.19&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.19&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.18&r2=1.19
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- hb-using-install.xml 7 May 2012 20:20:42 -0000 1.18
+++ hb-using-install.xml 26 May 2012 15:57:41 -0000 1.19
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.18 2012/05/07 20:20:42 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.19 2012/05/26 15:57:41 swift Exp $ -->
<sections>
-<version>24</version>
-<date>2012-05-07</date>
+<version>25</version>
+<date>2012-05-26</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -140,6 +140,15 @@
tmpfs /tmp tmpfs defaults,noexec,nosuid<i>,rootcontext=system_u:object_r:tmp_t:s0</i> 0 0
</pre>
+<p>
+If (and only if) your system is using the <path>/run</path> location, then have
+the next line in your <path>/etc/fstab</path>:
+</p>
+
+<pre caption="Update /etc/fstab for /run">
+tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
+</pre>
+
</body>
</subsection>
<!--
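Review bot: The added /run line uses <c>rootcontext=system_u:object_r:var_run_t</c> with no sensitivity level, while the /tmp line in the context just above it shows the context as <c>tmp_t:s0</c>. Make the two consistent, or add a note that MCS/MLS users need <c>var_run_t:s0</c>, so the new line is not copied verbatim onto a system where the context needs the level. "If (and only if) your system is using the /run location" would also benefit from one clause on how the reader can tell, such as checking whether /run exists as a tmpfs mount.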

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2012-05-26 15:59 UTC
To: gentoo-commits
swift 12/05/26 15:59:36
Modified: hb-using-install.xml
Log:
Update internal comment on Python 3 support (no content change for readers)
Revision Changes Path
1.20 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.20&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.20&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.19&r2=1.20
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- hb-using-install.xml 26 May 2012 15:57:41 -0000 1.19
+++ hb-using-install.xml 26 May 2012 15:59:36 -0000 1.20
@@ -4,7 +4,7 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.19 2012/05/26 15:57:41 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.20 2012/05/26 15:59:36 swift Exp $ -->
<sections>
<version>25</version>
@@ -92,8 +92,8 @@
</subsection>
-->
<!--
-TODO Validate after 2.20120215-r8 is stable that this is no longer
-necessary? Not sure about it though : check userspace ebuilds as well.
+TODO Python 3 support seems to be in with policycoreutils-2.1.10-r3,
+libsemanage-2.1.6-r1 and sepolgen-1.1.5-r2
-->
<subsection>
<title>Switching to Python 2</title>
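Review bot: The rewritten TODO records an observation ("Python 3 support seems to be in with ...") but no longer says what has to be done or when, while the subsection it precedes is still titled "Switching to Python 2". Phrase it as an action with a condition, for example that the subsection can be dropped once the three listed package versions are stable, so the comment stays useful to whoever picks it up.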

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2012-05-26 19:24 UTC
To: gentoo-commits
swift 12/05/26 19:24:22
Modified: hb-using-install.xml
Log:
/dev mount line no longer needed (util-linux stable), sandbox fix no longer needed (now handled by profile)
Revision Changes Path
1.21 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.21&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.21&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.20&r2=1.21
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- hb-using-install.xml 26 May 2012 15:59:36 -0000 1.20
+++ hb-using-install.xml 26 May 2012 19:24:22 -0000 1.21
@@ -4,10 +4,10 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.20 2012/05/26 15:59:36 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.21 2012/05/26 19:24:22 swift Exp $ -->
<sections>
-<version>25</version>
+<version>26</version>
<date>2012-05-26</date>
<section>
@@ -293,15 +293,6 @@
which mess up the file labelling. For instance, <c>cp /bin/hostname
/bin/hostname.old</c>.
</li>
- <!--
- TODO When portage fix is stabilized, convert docs to /sys/fs/selinux
- -->
- <li>
- Edit <path>/etc/sandbox.conf</path> and add in
- <c>SANDBOX_WRITE="/sys/fs/selinux/context"</c>. This is temporarily needed
- until the necessary fix (included in Portage but not stable yet) is
- available.
- </li>
</ul>
</body>
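Review bot: Along with the sandbox <li>, this hunk deletes the comment "TODO When portage fix is stabilized, convert docs to /sys/fs/selinux", yet the next hunk of the same patch still keeps <c>none /selinux selinuxfs defaults 0 0</c>. The conversion has therefore not happened and the reminder is lost. Keep the TODO, reworded if its condition has changed, or move it next to the fstab entry.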
@@ -405,20 +396,13 @@
<body>
<p>
-Next, edit <path>/etc/fstab</path> and add the following two lines:
+Next, edit <path>/etc/fstab</path> and add the following line:
</p>
<pre caption="Enabling selinux-specific file system options">
-<comment># The udev mount is due to bug #373381</comment>
-udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
none /selinux selinuxfs defaults 0 0
</pre>
-<note>
-In case of an MLS/MCS policy, you need to have the context with sensitivity
-level, so <c>...:device_t:s0</c>.
-</note>
-
</body>
</subsection>
<subsection>

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2012-06-14 18:20 UTC
To: gentoo-commits
swift 12/06/14 18:20:06
Modified: hb-using-install.xml
Log:
Ask users to create the mount point as well
Revision Changes Path
1.22 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.22&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.22&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.21&r2=1.22
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- hb-using-install.xml 26 May 2012 19:24:22 -0000 1.21
+++ hb-using-install.xml 14 Jun 2012 18:20:05 -0000 1.22
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.21 2012/05/26 19:24:22 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.22 2012/06/14 18:20:05 swift Exp $ -->
<sections>
-<version>26</version>
-<date>2012-05-26</date>
+<version>27</version>
+<date>2012-06-14</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -403,6 +403,14 @@
none /selinux selinuxfs defaults 0 0
</pre>
+<p>
+Also create this mount point
+</p>
+
+<pre caption="Creating the /selinux mountpoint">
+# <i>mkdir /selinux</i>
+</pre>
+
</body>
</subsection>
<subsection>
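Review bot: The added sentence "Also create this mount point" has no closing punctuation and does not name the directory, and it is placed after the fstab <pre> block, so "this" has to be inferred from the block above. Write it as "Also create the <path>/selinux</path> mount point:" to match the colon-terminated lead-ins used before the other <pre> blocks.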

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2012-12-03 14:54 UTC
To: gentoo-commits
swift 12/12/03 14:54:37
Modified: hb-using-install.xml
Log:
The provided USE flags are local use flags, so might be better off in a package.use file
Revision Changes Path
1.25 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.25&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.25&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.24&r2=1.25
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- hb-using-install.xml 16 Aug 2012 18:12:53 -0000 1.24
+++ hb-using-install.xml 3 Dec 2012 14:54:37 -0000 1.25
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.24 2012/08/16 18:12:53 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.25 2012/12/03 14:54:37 swift Exp $ -->
<sections>
-<version>29</version>
-<date>2012-08-16</date>
+<version>30</version>
+<date>2012-12-03</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -267,7 +267,9 @@
<p>
Make your choice and update the <c>USE</c> variable in
-<path>/etc/make.conf</path>.
+<path>/etc/make.conf</path> or in an appropriate
+<path>/etc/portage/package.use</path> location for the
+<path>sec-policy/selinux-base</path> package.
</p>
</body>
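Review bot: The added wording "an appropriate <path>/etc/portage/package.use</path> location" leaves the reader to work out both the file and the line format. Since the commit log gives the reason (the flags are local USE flags), say so in the text and follow the paragraph with a <pre> example showing a <path>sec-policy/selinux-base</path> entry with the chosen flags.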

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
From: Sven Vermeulen (swift) @ 2013-04-16 9:38 UTC
To: gentoo-commits
swift 13/04/16 09:38:44
Modified: hb-using-install.xml
Log:
Move policy definition on top so that users do not need to rebuild the system afterwards
Revision Changes Path
1.28 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.28&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.28&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.27&r2=1.28
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- hb-using-install.xml 9 Mar 2013 13:59:13 -0000 1.27
+++ hb-using-install.xml 16 Apr 2013 09:38:44 -0000 1.28
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.27 2013/03/09 13:59:13 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.28 2013/04/16 09:38:44 swift Exp $ -->
<sections>
-<version>32</version>
-<date>2013-03-09</date>
+<version>33</version>
+<date>2013-04-16</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -100,7 +100,7 @@
<body>
<p>
-For now, the SELinux management utilities are not compatible with Python 3 so
+For now, the SELinux management utilities are not all compatible with Python 3 so
we recommend to switch to Python 2 until the packages are updated and fixed.
</p>
@@ -118,6 +118,70 @@
</body>
</subsection>
<subsection>
+<title>Choosing a SELinux policy type</title>
+<body>
+
+<p>
+Gentoo supports four policy types within SELinux: <c>strict</c>,
+<c>targeted</c>, <c>mcs</c> and <c>mls</c>.
+</p>
+
+<p>
+The differentiation between <c>strict</c> and <c>targeted</c> is based upon the
+<e>unconfined</e> domain. When loaded, the processes on your system that are not
+specifically confined within a particular policy module will be part of the
+unconfined domains whose purpose is to allow most activities by default (rather
+than deny by default). As a result, processes that run inside unconfined
+domains have no restrictions apart from those already enforced by standard Linux
+security. Although running without the unconfined domains is considered more
+secure, it will also be more challenging for the administrator to make sure the
+system still functions properly as there are no policy modules for each and
+every application "out there".
+</p>
+
+<p>
+Next to <c>targeted</c> and <c>strict</c>, you can opt for <c>mcs</c> to allow
+categorization of the process domains. This is useful on multi-tenant systems
+such as web servers, virtualization hosts, ... where multiple processes will be
+running, most of them in the same security domain, but in different categories.
+Note though that to take advantage of the additional category support, either
+the applications themselves (such as the web server or hypervisor tools) need to
+configure the SELinux categories (so they need to support SELinux) or you will
+need to script around to start the individual instances with separate
+categories. Otherwise, <c>mcs</c> is just the same as <c>targeted</c> or
+<c>strict</c>.
+</p>
+
+<p>
+Finally, you can also select <c>mls</c> to differentiate security domains on
+a sensitivity level. However, MLS is currently still considered experimental
+in Gentoo and as such not recommended.
+</p>
+
+<p>
+In case of <c>mcs</c> or <c>mls</c>, you will need to use the <c>unconfined</c>
+USE flag to enable or disable unconfined domains in these policy types. The
+<c>strict</c> (no unconfined domains) type does not honor the USE flag, and the
+<c>targeted</c> (unconfined domains) type requires the USE flag set.
+</p>
+
+<p>
+When you have made your choice between the SELinux policy types, save
+this in your <path>/etc/make.conf</path> file as well. That way, Portage will
+only install the policy modules for that SELinux type. By default, the SELinux
+profiles enable <c>strict</c> and <c>targeted</c> (with <c>strict</c> being the
+default active type).
+</p>
+
+<pre caption="Setting the policy type in make.conf">
+~# <i>nano /etc/make.conf</i>
+POLICY_TYPES="<i>strict</i>"
+</pre>
+
+
+</body>
+</subsection>
+<subsection>
<title>Setting the filesystem contexts</title>
<body>
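Review bot: In the last added <p>, "save this in your <path>/etc/make.conf</path> file as well" keeps the "as well" from the section's old position near the end of the guide; now that the subsection has moved to the top, the reader has not yet been told to save anything else there, so the phrase should go. The paragraph on the <c>unconfined</c> USE flag explains when the flag matters for <c>mcs</c> and <c>mls</c> but the only example sets <c>POLICY_TYPES="strict"</c>; add a second example that shows the flag set together with one of those types. There are also two consecutive blank lines before the closing </body>.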
@@ -575,50 +639,12 @@
</ul>
</li>
<li>
- <c>SELINUXTYPE</c> selects the SELinux policy type to load.
- Gentoo Hardened recommends the use of <c>strict</c> for servers, and
- <c>targeted</c> for desktops. The <c>mcs</c> type is supported, <c>mls</c>
- is currently still considered experimental.
+ <c>SELINUXTYPE</c> selects the SELinux policy type to load. Most development
+ is done using the <c>strict</c> (as it provides full confinement) type,
+ although the others are supported as well.
</li>
</ul>
-<p>
-The differentiation between <c>strict</c> and <c>targeted</c> is based upon the
-<e>unconfined</e> domain. When loaded, the processes on your system that are not
-specifically confined within a particular policy module will be part of the
-unconfined_t domain whose purpose is to allow most activities by default (rather
-than deny by default). As a result, processes that run inside the unconfined_t
-domain have no restrictions apart from those already enforced by standard Linux
-security. Although running without the unconfined_t domain is considered more
-secure, it will also be more challenging for the administrator to make sure the
-system still functions properly as there are no policy modules for each and
-every application "out there".
-</p>
-
-<p>
-Next to <c>targeted</c> and <c>strict</c>, you can opt for <c>mcs</c> to allow
-categorization of the process domains. This is useful on multi-tenant systems
-such as web servers, virtualization hosts, ... where multiple processes will be
-running, most of them in the same security domain, but in different categories.
-</p>
-
-<p>
-Finally, you can also select <c>mls</c> to differentiate security domains on
-a sensitivity level. However, MLS is currently still considered experimental
-in Gentoo and as such not recommended.
-</p>
-
-<p>
-When you have made your choice between the SELinux policy types, save
-this in your <path>/etc/make.conf</path> file as well. That way, Portage will
-only install the policy modules for that SELinux type.
-</p>
-
-<pre caption="Setting the policy type in make.conf">
-~# <i>nano /etc/make.conf</i>
-POLICY_TYPES="<i>strict</i>"
-</pre>
-
</body>
</subsection>
<subsection>
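Review bot: the rewritten <c>SELINUXTYPE</c> list item no longer carries the "strict for servers, targeted for desktops" recommendation that the removed lines had at this spot, and I do not see it among the added lines shown for the earlier subsection, so please confirm it was dropped on purpose. Since the moved text says Portage only installs policy modules for the types in POLICY_TYPES, it is also worth stating here that <c>SELINUXTYPE</c> should be one of those types. Wording: "the <c>strict</c> (as it provides full confinement) type" reads more easily as "the <c>strict</c> type, as it provides full confinement".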
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
@ 2013-10-24 19:47 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-10-24 19:47 UTC
To: gentoo-commits
swift 13/10/24 19:47:38
Modified: hb-using-install.xml
Log:
Add warning about not rebuilding system after changing profile
Revision Changes Path
1.32 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.32&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.32&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.31&r2=1.32
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- hb-using-install.xml 16 Aug 2013 11:49:42 -0000 1.31
+++ hb-using-install.xml 24 Oct 2013 19:47:38 -0000 1.32
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.31 2013/08/16 11:49:42 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.32 2013/10/24 19:47:38 swift Exp $ -->
<sections>
-<version>36</version>
-<date>2013-08-16</date>
+<version>37</version>
+<date>2013-10-24</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -269,6 +269,12 @@
~# <i>eselect profile set 12</i>
</pre>
+<warn>
+Do not rebuild your system right now - wait until this is instructed by this
+document later. Rebuilding the system will pull in SELinux policies which could
+make your system unreachable if you reboot after it.
+</warn>
+
<note>
Starting from the profile change, Portage will warn you after every installation
that it was "Unable to set SELinux security labels". This is to be expected,
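Review bot: the new <warn> says to wait "until this is instructed by this document later" without naming the step, so the reader cannot tell which later instruction lifts the warning. Suggest referring by title or link to the subsection that runs the world update (emerge -uDN world), and adding one clause on why a reboot at this point is risky and whether "unreachable" means the system fails to boot or only that logins fail.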
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
@ 2013-12-20 12:43 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-12-20 12:43 UTC
To: gentoo-commits
swift 13/12/20 12:43:55
Modified: hb-using-install.xml
Log:
xfs inode size change for SELinux is no longer necessary
Revision Changes Path
1.33 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.33&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.33&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.32&r2=1.33
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- hb-using-install.xml 24 Oct 2013 19:47:38 -0000 1.32
+++ hb-using-install.xml 20 Dec 2013 12:43:55 -0000 1.33
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.32 2013/10/24 19:47:38 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.33 2013/12/20 12:43:55 swift Exp $ -->
<sections>
-<version>37</version>
-<date>2013-10-24</date>
+<version>38</version>
+<date>2013-12-20</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -48,13 +48,6 @@
into a (primitive) Gentoo base installation.
</p>
-<note>
-If you are an XFS user, make sure that the inode sizes of the XFS file
-system is 512 byte. Since the default is 256, you will need to run the
-<c>mkfs.xfs</c> command with the <c>-i size=512</c> arguments, like so:
-<c>mkfs.xfs -i size=512 /dev/sda3</c>
-</note>
-
</body>
</subsection>
<!--
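Review bot: the XFS <note> is removed outright, and neither this hunk nor the log message says under what condition the 512-byte inode size stopped being necessary. A reader on an older installation loses the guidance with no way to tell whether it still applies. Suggest recording the condition in the commit log, or replacing the note with a single sentence stating from when the default is sufficient, instead of deleting it without trace.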
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml
@ 2014-03-06 15:07 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2014-03-06 15:07 UTC
To: gentoo-commits
swift 14/03/06 15:07:50
Modified: hb-using-install.xml
Log:
Configure SELINUXTYPE before building world as per gentoo-hardened@g.o discussion
Revision Changes Path
1.34 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.34&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.34&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.33&r2=1.34
Index: hb-using-install.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- hb-using-install.xml 20 Dec 2013 12:43:55 -0000 1.33
+++ hb-using-install.xml 6 Mar 2014 15:07:50 -0000 1.34
@@ -4,11 +4,11 @@
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.33 2013/12/20 12:43:55 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.34 2014/03/06 15:07:50 swift Exp $ -->
<sections>
-<version>38</version>
-<date>2013-12-20</date>
+<version>39</version>
+<date>2014-03-06</date>
<section>
<title>Installing Gentoo (Hardened)</title>
@@ -518,7 +518,7 @@
</body>
</subsection>
<subsection>
-<title>Install Policies and Utilities</title>
+<title>Install Policies and Utilities, Part One</title>
<body>
<p>
@@ -533,54 +533,13 @@
</pre>
<p>
-Next, install the SELinux policy package
-(<path>sec-policy/selinux-base-policy</path>). This package contains the base
-SELinux policy needed to get your system up and running using SELinux.
-As Portage will try to label and reload policies (since the installation of
-<path>sys-apps/policycoreutils</path>) we need to temporarily disable SELinux
-support (as Portage wouldn't be able to label anything as it doesn't understand
-it yet).
+Next, we install the <e>base</e> SELinux policy package. This package provides
+the SELinux configuration file which we need to adjust prior to building all
+other SELinux packages.
</p>
-<pre caption="Installing the SELinux policy packages">
-~# <i>FEATURES="-selinux" emerge selinux-base-policy</i>
-</pre>
-
-<p>
-Next, rebuild those packages affected by the profile change we did previously
-through a standard world update, taking into account USE-flag changes (as the
-new profile will change many default USE flags, including enabling the
-<c>selinux</c> USE flag). Don't forget to use <c>etc-update</c> or
-<c>dispatch-conf</c> afterwards as some changes to configuration files need to
-be made.
-</p>
-
-<pre caption="Update your Gentoo Linux system">
-~# <i>emerge -uDN world</i>
-</pre>
-
-<p>
-Next, install the additional SELinux tools that you might need in the future to
-debug or help with your SELinux installation. These packages are optional, but
-recommended.
-</p>
-
-<pre caption="Installing additional SELinux packages">
-~# <i>emerge setools sepolgen checkpolicy</i>
-</pre>
-
-<p>
-Finally, install the policy modules for those utilities you think you need
-policies for. In the near future, this will be done automatically for you (the
-packages will have an optional dependency on it, triggered by the selinux USE
-flag), but until that time, you will need to install them yourself.
-</p>
-
-<pre caption="Installing SELinux modules">
-~# <i>emerge --search selinux-</i>
-[...]
-<comment>(Select the modules you want to install)</comment>
-~# <i>emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</i>
+<pre caption="Installing the SELinux base policy package">
+~# <i>FEATURES="-selinux" emerge -1 selinux-base</i>
</pre>
</body>
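Review bot: the new command under "Installing the SELinux base policy package" still passes FEATURES="-selinux", but the sentence explaining that override was removed from this paragraph and now appears only in Part Two (with "again"), so at its first use the reader meets an unexplained setting. Move or repeat the one-sentence reason here, and say what -1 is for (a oneshot merge that keeps selinux-base out of the world file), if that is the intent. The paragraph also calls it "the <e>base</e> SELinux policy package" without the <path> name that the removed text gave for selinux-base-policy; adding the <path> for selinux-base would avoid confusing the two packages.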
@@ -590,7 +549,7 @@
<body>
<p>
-Inside <path>/etc/selinux/config</path> you can configure how SELinux is
+Inside <path>/etc/selinux/config</path> you can now configure how SELinux is
configured at boot time.
</p>
@@ -644,6 +603,71 @@
</li>
</ul>
+<p>
+Make sure that the <c>SELINUX</c> variable is set to <c>permissive</c> right now.
+We will switch to enforcing later.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Install Policies and Utilities, Part Two</title>
+<body>
+
+<p>
+We can now continue with the installation of the SELinux policies. Rebuild the
+<path>selinux-base</path> package if you changed <c>SELINUXTYPE</c> to something
+else than <c>strict</c>, and then install the core SELinux policies through the
+<path>sec-policy/selinux-base-policy</path> package. This package contains the core
+SELinux policies needed to get your system up and running using SELinux.
+As Portage will try to label and reload policies (since the installation of
+<path>sys-apps/policycoreutils</path>) we need to temporarily disable SELinux
+support again (as Portage wouldn't be able to label anything as it doesn't understand
+it yet).
+</p>
+
+<pre caption="Installing the SELinux policy packages">
+~# <i>FEATURES="-selinux" emerge -1 selinux-base</i>
+~# <i>FEATURES="-selinux" emerge selinux-base-policy</i>
+</pre>
+
+<p>
+Next, rebuild those packages affected by the profile change we did previously
+through a standard world update, taking into account USE-flag changes (as the
+new profile will change many default USE flags, including enabling the
+<c>selinux</c> USE flag). Don't forget to use <c>etc-update</c> or
+<c>dispatch-conf</c> afterwards as some changes to configuration files need to
+be made.
+</p>
+
+<pre caption="Update your Gentoo Linux system">
+~# <i>emerge -uDN world</i>
+</pre>
+
+<p>
+Next, install the additional SELinux tools that you might need in the future to
+debug or help with your SELinux installation. These packages are optional, but
+recommended.
+</p>
+
+<pre caption="Installing additional SELinux packages">
+~# <i>emerge setools sepolgen checkpolicy</i>
+</pre>
+
+<p>
+Finally, install the policy modules for those utilities you think you need
+policies for. In the near future, this will be done automatically for you (the
+packages will have an optional dependency on it, triggered by the selinux USE
+flag), but until that time, you will need to install them yourself.
+</p>
+
+<pre caption="Installing SELinux modules">
+~# <i>emerge --search selinux-</i>
+[...]
+<comment>(Select the modules you want to install)</comment>
+~# <i>emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</i>
+</pre>
+
</body>
</subsection>
<subsection>
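Review bot: in the added "Installing the SELinux policy packages" block the first command re-emerges selinux-base unconditionally, while the paragraph above it says to rebuild only "if you changed <c>SELINUXTYPE</c> to something else than <c>strict</c>". Mark the first command as conditional with a <comment> line (this file already uses <comment> inside <pre>) or move it into its own block, so a reader who kept strict does not rebuild needlessly. Wording: "something else than" should be "something other than". The permissive paragraph would also be stronger if "We will switch to enforcing later" named the section where that happens.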