public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-changes.xml
@ 2013-04-19 10:34 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-04-19 10:34 UTC
  To: gentoo-commits

swift       13/04/19 10:34:11

  Modified:             hb-using-changes.xml
  Log:
  Add in information on selocal

Revision  Changes    Path
1.11                 xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.11&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.11&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?r1=1.10&r2=1.11

Index: hb-using-changes.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- hb-using-changes.xml	16 Apr 2013 10:06:42 -0000	1.10
+++ hb-using-changes.xml	19 Apr 2013 10:34:11 -0000	1.11
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license -->
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.10 2013/04/16 10:06:42 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.11 2013/04/19 10:34:11 swift Exp $ -->
 
 <sections>
-<version>10</version>
-<date>2013-04-16</date>
+<version>11</version>
+<date>2013-04-19</date>
 
 
 <section>
@@ -228,10 +228,33 @@
 <section>
 <title>Overview of Changes for ~Arch Users</title>
 <subsection>
+<title>2013/04/19 - Introducing selocal command</title>
 <body>
 
 <p>
-No ~arch-specific changes yet.
+With policycoreutils-2.1.13-r11 onwards, a new command called <c>selocal</c> is
+available. This command allows users to easily add in additional SELinux policy
+rules to the local policy without having go through the hassle of building and
+maintaining their own <path>.te</path> files. Instead, this command does that
+for you.
+</p>
+
+<p>
+Rules that are added to the local policy (hence the name, <c>selocal</c>) can be
+accompanied with a small comment to allow users to describe why a change was
+added (or to refer to a bug id on Gentoo's bugzilla).
+</p>
+
+<pre caption="Adding a rule to the local policy">
+# <i>selocal -a "rpcbind_stream_connect(sysadm_t)" -c "Be able to call exportfs (NFS)"</i>
+# <i>selocal --build --load</i>
+</pre>
+
+<p>
+With <c>--list</c> you can view the currently added local policy rules, and with
+<c>--delete</c> they can be removed from the local policy. When you want to have
+the changes take effect, run <c>selocal --build --load</c> to build the new
+local policy and load it in memory.
 </p>
 
 </body>
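Review bot: The first added paragraph reads "without having go through the hassle", which is missing "to" ("without having to go through the hassle"). The closing paragraph names --list and --delete, but the example block only demonstrates -a, -c and --build --load, so a reader cannot tell from this text how a rule is picked for deletion; add one line for each to the example. Since every rule added this way widens the local policy, it is also worth saying outright that the -c comment is where the justification or bug id belongs, which the second paragraph only hints at.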





* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-changes.xml
@ 2013-07-07 19:52 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-07-07 19:52 UTC
  To: gentoo-commits

swift       13/07/07 19:52:16

  Modified:             hb-using-changes.xml
  Log:
  Changes on top, not bottom

Revision  Changes    Path
1.14                 xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.14&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.14&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?r1=1.13&r2=1.14

Index: hb-using-changes.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- hb-using-changes.xml	7 Jul 2013 17:53:16 -0000	1.13
+++ hb-using-changes.xml	7 Jul 2013 19:52:16 -0000	1.14
@@ -4,10 +4,10 @@
 <!-- The content of this document is licensed under the CC-BY-SA license -->
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.13 2013/07/07 17:53:16 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.14 2013/07/07 19:52:16 swift Exp $ -->
 
 <sections>
-<version>13</version>
+<version>14</version>
 <date>2013-07-07</date>
 
 
@@ -35,6 +35,38 @@
 <section>
 <title>Overview of Changes for Stable Users</title>
 <subsection>
+<title>2013/04/19 - Introducing selocal command</title>
+<body>
+
+<p>
+With policycoreutils-2.1.13-r11 onwards, a new command called <c>selocal</c> is
+available. This command allows users to easily add in additional SELinux policy
+rules to the local policy without having go through the hassle of building and
+maintaining their own <path>.te</path> files. Instead, this command does that
+for you.
+</p>
+
+<p>
+Rules that are added to the local policy (hence the name, <c>selocal</c>) can be
+accompanied with a small comment to allow users to describe why a change was
+added (or to refer to a bug id on Gentoo's bugzilla).
+</p>
+
+<pre caption="Adding a rule to the local policy">
+# <i>selocal -a "rpcbind_stream_connect(sysadm_t)" -c "Be able to call exportfs (NFS)"</i>
+# <i>selocal --build --load</i>
+</pre>
+
+<p>
+With <c>--list</c> you can view the currently added local policy rules, and with
+<c>--delete</c> they can be removed from the local policy. When you want to have
+the changes take effect, run <c>selocal --build --load</c> to build the new
+local policy and load it in memory.
+</p>
+
+</body>
+</subsection>
+<subsection>
 <title>2013/04/16 - Introduce selinux_gentoo init script</title>
 <body>
 
@@ -223,38 +255,6 @@
 
 </body>
 </subsection>
-<subsection>
-<title>2013/04/19 - Introducing selocal command</title>
-<body>
-
-<p>
-With policycoreutils-2.1.13-r11 onwards, a new command called <c>selocal</c> is
-available. This command allows users to easily add in additional SELinux policy
-rules to the local policy without having go through the hassle of building and
-maintaining their own <path>.te</path> files. Instead, this command does that
-for you.
-</p>
-
-<p>
-Rules that are added to the local policy (hence the name, <c>selocal</c>) can be
-accompanied with a small comment to allow users to describe why a change was
-added (or to refer to a bug id on Gentoo's bugzilla).
-</p>
-
-<pre caption="Adding a rule to the local policy">
-# <i>selocal -a "rpcbind_stream_connect(sysadm_t)" -c "Be able to call exportfs (NFS)"</i>
-# <i>selocal --build --load</i>
-</pre>
-
-<p>
-With <c>--list</c> you can view the currently added local policy rules, and with
-<c>--delete</c> they can be removed from the local policy. When you want to have
-the changes take effect, run <c>selocal --build --load</c> to build the new
-local policy and load it in memory.
-</p>
-
-</body>
-</subsection>
 </section>
 
 <section>
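Review bot: The subsection removed here is the same text that the previous hunk re-adds at the top of the Stable Users section, so the typo in its first paragraph travels with the move: "without having go through the hassle" should read "without having to go through the hassle". Fixing it in the same commit would save another revision bump. The log message could also state that this is a pure reordering with no content change, which makes the two 32-line blocks quicker to compare.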





* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-changes.xml
@ 2013-07-07 17:53 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-07-07 17:53 UTC
  To: gentoo-commits

swift       13/07/07 17:53:16

  Modified:             hb-using-changes.xml
  Log:
  Add information about mcstransd

Revision  Changes    Path
1.13                 xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.13&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.13&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?r1=1.12&r2=1.13

Index: hb-using-changes.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- hb-using-changes.xml	7 Jul 2013 16:14:25 -0000	1.12
+++ hb-using-changes.xml	7 Jul 2013 17:53:16 -0000	1.13
@@ -4,10 +4,10 @@
 <!-- The content of this document is licensed under the CC-BY-SA license -->
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.12 2013/07/07 16:14:25 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.13 2013/07/07 17:53:16 swift Exp $ -->
 
 <sections>
-<version>12</version>
+<version>13</version>
 <date>2013-07-07</date>
 
 
@@ -260,13 +260,61 @@
 <section>
 <title>Overview of Changes for ~Arch Users</title>
 <subsection>
-<title>None</title>
+<title>2013/07/07 - Introduced support for mcstrans</title>
 <body>
 
 <p>
-No differences for ~arch only for now
+When the SELinux policy is MLS-enabled (so it is MCS or MLS), then we have the
+option of managing categories. Categories allow us to "tag" resources and make
+sure that only processes that have the right category set assigned to them can
+read/manipulate the resources.
 </p>
 
+<p>
+For SELinux, categories are numbers, starting from <c>c0</c> (category zero) to
+whatever maximum is used in the policy:
+</p>
+
+<pre caption="Checking the maximum number of categories">
+$ <i>seinfo | grep Categories</i>
+  Sensitivities:      1   Categories:       1024
+</pre>
+
+<p>
+For most administrators/humans though, this is not that efficient. To support
+more human readable formats, SELinux supports category translations (and even
+sensitivity translations). Inside a configuration file
+(<path>setrans.conf</path> in the main configuration directory, like
+<path>/etc/selinux/mcs</path>) administrators can enter common sensitivity sets
+and ranges. The <c>chcat</c> tool can then be used to list those:
+</p>
+
+<pre caption="Listing translated sensitivity ranges">
+# <i>chcat -L</i>
+s0                             SystemLow
+s0-s0:c0.c1023                 SystemLow-SystemHigh
+s0:c0.c1023                    SystemHigh
+</pre>
+
+<p>
+To enable these translations, create the proper translation file (of which you
+can find numerous examples in <path>/usr/share/doc/policycoreutils-*/mcstrans</path>)
+and then start the <c>mcstransd</c> service.
+</p>
+
+<pre caption="Starting the mcstransd service">
+# <i>rc-service mcstransd start</i>
+</pre>
+
+<p>
+That's it - if we now look at contexts, we will see the translated ranges:
+</p>
+
+<pre caption="Listing contexts to see translated ranges">
+# <i>ls -lZ seusers</i>
+-rw-r--r--. root root system_u:object_r:selinux_config_t:SystemLow seusers
+</pre>
+
 </body>
 </subsection>
 </section>
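Review bot: The "Starting the mcstransd service" block only runs "rc-service mcstransd start", which lasts until the next reboot; the text should also tell readers to add the service to a runlevel with rc-update, otherwise the translated labels disappear after a restart without any error. In the last block, "ls -lZ seusers" uses a relative path and the text never says which directory to be in, so give the directory or a full path. The seinfo output shows 1024 categories, so the prose can say the range is c0 to c1023, which is what the chcat listing then shows. The title says "mcstrans" while the body only speaks of mcstransd; pick one or explain the relation.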





* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-changes.xml
@ 2013-04-05 18:14 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-04-05 18:14 UTC
  To: gentoo-commits

swift       13/04/05 18:14:12

  Modified:             hb-using-changes.xml
  Log:
  Make USE=unconfined usage a bit more clear in change history

Revision  Changes    Path
1.9                  xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.9&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.9&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?r1=1.8&r2=1.9

Index: hb-using-changes.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- hb-using-changes.xml	10 Mar 2013 16:01:33 -0000	1.8
+++ hb-using-changes.xml	5 Apr 2013 18:14:12 -0000	1.9
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license -->
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.8 2013/03/10 16:01:33 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.9 2013/04/05 18:14:12 swift Exp $ -->
 
 <sections>
-<version>8</version>
-<date>2013-03-10</date>
+<version>9</version>
+<date>2013-04-05</date>
 
 
 <section>
@@ -42,7 +42,9 @@
 From <path>selinux-base-2.20120725-r9</path> onwards, we will now also support
 a <c>USE=unconfined</c> setting. When enabled, it will configure your SELinux
 policy to support the unconfined domains. If your policy is <e>targeted</e>,
-this behavior will be implied.
+this behavior will be implied, whereas the <e>strict</e> policy will not
+consider this USE flag at all (it will not activate unconfined domains on
+strict).
 </p>
 
 <p>
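Review bot: The parenthetical on the added lines, "(it will not activate unconfined domains on strict)", repeats what "will not consider this USE flag at all" already says; keep one of the two. The sentence now covers targeted and strict but says nothing about the remaining policy types at this point, so a short pointer to the paragraph that follows would let this one be read on its own.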





* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-changes.xml
@ 2013-03-10 16:01 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-03-10 16:01 UTC
  To: gentoo-commits

swift       13/03/10 16:01:33

  Modified:             hb-using-changes.xml
  Log:
  Information on selinux_gentoo init script

Revision  Changes    Path
1.8                  xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.8&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.8&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?r1=1.7&r2=1.8

Index: hb-using-changes.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- hb-using-changes.xml	9 Mar 2013 13:59:13 -0000	1.7
+++ hb-using-changes.xml	10 Mar 2013 16:01:33 -0000	1.8
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license -->
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.7 2013/03/09 13:59:13 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.8 2013/03/10 16:01:33 swift Exp $ -->
 
 <sections>
-<version>7</version>
-<date>2013-03-09</date>
+<version>8</version>
+<date>2013-03-10</date>
 
 
 <section>
@@ -188,13 +188,34 @@
 
 <section>
 <title>Overview of Changes for ~Arch Users</title>
+<subsection>
+<title>2013/03/10 - Introduce selinux_gentoo init script</title>
 <body>
 
 <p>
-No specific ~arch changes.
+With policycoreutils-2.1.13-r8 and later, we now provide our own init script
+<path>selinux_gentoo</path>, which includes the necessary support for the
+initramfs users, but also resets the contexts of dynamically generated resources
+(on pseudo file systems) which are different from the default setting.
+</p>
+
+<p>
+The first user here is <path>/sys/devices/system/cpu/online</path> which gets
+labeled cpu_online_t (from revision 13 of the SELinux policy, or when using live
+ebuilds for the policy).
+</p>
+
+<p>
+This means that users are now encouraged to add this init script to the boot
+runlevel:
 </p>
 
+<pre caption="Adding selinux_gentoo to the boot runlevel">
+# <i>rc-update add selinux_gentoo boot</i>
+</pre>
+
 </body>
+</subsection>
 </section>
 
 </sections>
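Review bot: "from revision 13 of the SELinux policy" in the second added paragraph does not identify a package or version, while the first paragraph names policycoreutils-2.1.13-r8 exactly; name the policy package and revision the same way so readers can check what they have installed. In the same paragraph cpu_online_t is a type name and should carry <c> markup, and "The first user here" would read better as "The first such resource".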





* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-changes.xml
@ 2012-12-04 20:22 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-12-04 20:22 UTC
  To: gentoo-commits

swift       12/12/04 20:22:20

  Modified:             hb-using-changes.xml
  Log:
  Introduce information on USE=unconfined

Revision  Changes    Path
1.6                  xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.6&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.6&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?r1=1.5&r2=1.6

Index: hb-using-changes.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- hb-using-changes.xml	6 Nov 2012 20:00:34 -0000	1.5
+++ hb-using-changes.xml	4 Dec 2012 20:22:20 -0000	1.6
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license -->
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.5 2012/11/06 20:00:34 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.6 2012/12/04 20:22:20 swift Exp $ -->
 
 <sections>
-<version>5</version>
-<date>2012-11-06</date>
+<version>6</version>
+<date>2012-12-04</date>
 
 
 <section>
@@ -167,11 +167,23 @@
 <section>
 <title>Overview of Changes for ~Arch Users</title>
 <subsection>
-<title>None yet</title>
+<title>2012/12/04 - Introduce USE=unconfined</title>
 <body>
 
 <p>
-No specific changes that need to be documented at this level.
+From <path>selinux-base-2.20120725-r9</path> onwards, we will now also support
+a <c>USE=unconfined</c> setting. When enabled, it will configure your SELinux
+policy to support the unconfined domains. If your policy is <e>targeted</e>,
+this behavior will be implied.
+</p>
+
+<p>
+Supporting this USE flag allows us to differentiate unconfined domains versus
+regular ones when using the <e>mls</e> or <e>mcs</e> policy types. When set, the
+<path>selinux-unconfined</path> package will be built as well, and the module
+will be loaded, and the policy <path>seusers</path> file (which contains the
+default domain mappings for users) will be updated to use the
+<c>unconfined_u</c> SELinux user for root and other users.
 </p>
 
 </body>
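Review bot: The first added paragraph says the behaviour is implied for targeted and the second covers mls and mcs, but nothing states what USE=unconfined does on a strict policy; add a sentence so that case is accounted for. The second paragraph also reports that the seusers file will be updated to use unconfined_u for root and other users, which changes the confinement of those logins; that deserves its own sentence, with a hint on how administrators can review the resulting mappings, rather than sitting at the end of one long "and ... and ..." sentence.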





* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-changes.xml
@ 2012-11-06 20:00 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-11-06 20:00 UTC
  To: gentoo-commits

swift       12/11/06 20:00:34

  Modified:             hb-using-changes.xml
  Log:
  Change on system_r is now in stable

Revision  Changes    Path
1.5                  xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.5&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.5&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?r1=1.4&r2=1.5

Index: hb-using-changes.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- hb-using-changes.xml	16 Aug 2012 18:12:53 -0000	1.4
+++ hb-using-changes.xml	6 Nov 2012 20:00:34 -0000	1.5
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license -->
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.4 2012/08/16 18:12:53 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.5 2012/11/06 20:00:34 swift Exp $ -->
 
 <sections>
-<version>4</version>
-<date>2012-08-16</date>
+<version>5</version>
+<date>2012-11-06</date>
 
 
 <section>
@@ -35,6 +35,33 @@
 <section>
 <title>Overview of Changes for Stable Users</title>
 <subsection>
+<title>2012/08/16 - Adding system_r role to admins</title>
+<body>
+
+<p>
+Since <path>selinux-base-2.20120725-r3</path> and later, init scripts will now
+support the upstream "labeled" init script approach. This means that those
+services whose init script follows the <path>&lt;domain&gt;_initrc_exec_t</path>
+naming convention can now be assigned to specific users (allowing those to
+manage the services without the need to grant them system administration
+rights).
+</p>
+
+<p>
+The downside of this approach is that the system administrator itself (who uses
+the <c>sysadm_t</c> domain) now also needs to be granted the right to manage
+those services. And granting this right means that the SELinux user (be it
+<c>root</c> or <c>staff_u</c>) needs to be granted the <c>system_r</c> role:
+</p>
+
+<pre caption="Granting system_r role">
+# <i>semanage user -a -R "staff_r sysadm_r system_r" root</i>
+# <i>semanage user -a -R "staff_r sysadm_r system_r" staff_u</i>
+</pre>
+
+</body>
+</subsection>
+<subsection>
 <title>2012/06/24 - Definition of /run in fstab</title>
 <body>
 
@@ -140,30 +167,13 @@
 <section>
 <title>Overview of Changes for ~Arch Users</title>
 <subsection>
-<title>2012/08/16 - Adding system_r role to admins</title>
+<title>None yet</title>
 <body>
 
 <p>
-Since <path>selinux-base-2.20120725-r3</path> and later, init scripts will now
-support the upstream "labeled" init script approach. This means that those
-services whose init script follows the <path>&lt;domain&gt;_initrc_exec_t</path>
-naming convention can now be assigned to specific users (allowing those to
-manage the services without the need to grant them system administration
-rights).
+No specific changes that need to be documented at this level.
 </p>
 
-<p>
-The downside of this approach is that the system administrator itself (who uses
-the <c>sysadm_t</c> domain) now also needs to be granted the right to manage
-those services. And granting this right means that the SELinux user (be it
-<c>root</c> or <c>staff_u</c>) needs to be granted the <c>system_r</c> role:
-</p>
-
-<pre caption="Granting system_r role">
-# <i>semanage user -a -R "staff_r sysadm_r system_r" root</i>
-# <i>semanage user -a -R "staff_r sysadm_r system_r" staff_u</i>
-</pre>
-
 </body>
 </subsection>
 </section>
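Review bot: The two "semanage user -a -R ..." lines removed here are re-added unchanged under Stable Users, and they use -a (add a record) for root and staff_u; if those SELinux users are already defined, -m (modify) is the matching action, so please confirm which one works on a stock install before this reaches stable users. The moved text also says the role is needed by the SELinux user "be it root or staff_u", which reads as a choice, while the block runs both commands; say whether readers should run both or only the one their administrator account maps to. The "None yet" placeholder that replaces the entry is fine.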





* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-changes.xml
@ 2012-06-25 19:18 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-06-25 19:18 UTC
  To: gentoo-commits

swift       12/06/25 19:18:05

  Modified:             hb-using-changes.xml
  Log:
  Fix bug #423479 - Correct link to subsection, thanks to Chema "nimiux" Alonso for providing patch

Revision  Changes    Path
1.3                  xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml?r1=1.2&r2=1.3

Index: hb-using-changes.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- hb-using-changes.xml	24 Jun 2012 12:00:42 -0000	1.2
+++ hb-using-changes.xml	25 Jun 2012 19:18:05 -0000	1.3
@@ -4,11 +4,11 @@
 <!-- The content of this document is licensed under the CC-BY-SA license -->
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.2 2012/06/24 12:00:42 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-changes.xml,v 1.3 2012/06/25 19:18:05 swift Exp $ -->
 
 <sections>
-<version>2</version>
-<date>2012-06-24</date>
+<version>3</version>
+<date>2012-06-25</date>
 
 
 <section>
@@ -69,7 +69,7 @@
 Users who boot into a graphical environment (such as through GDM) will need to
 edit their PAM configuration files accordingly to support SELinux security
 context settings. This is documented at <uri
-link="/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap3">Users
+link="/proj/en/hardened/selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap5">Users
 of a graphical environment</uri>.
 </p>
 
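Review bot: The corrected link on the changed "link=" line still targets a numbered anchor, "#doc_chap5"; that it needed correcting from doc_chap3 shows how easily such a reference goes stale. Please confirm the new anchor against the rendered handbook page, and consider an XML comment next to the <uri> naming the section it is meant to reach ("Users of a graphical environment") so the next mismatch is easy to spot.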





