[gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/

["Sven Vermeulen" <sven.vermeulen@siphos.be>]

commit:     37823f895ec2add96e802cedcf0d13d909bfa08e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May  3 20:09:22 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May  3 20:09:22 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=37823f89

Add information on ubac USE flag as well as other SELinux-related USE flags

---
 xml/selinux/hb-intro-concepts.xml |    9 ++++-
 xml/selinux/hb-using-install.xml  |   56 +++++++++++++++++++++++++++++++++++-
 2 files changed, 61 insertions(+), 4 deletions(-)

diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
index f1cbc71..4a3ea90 100644
--- a/xml/selinux/hb-intro-concepts.xml
+++ b/xml/selinux/hb-intro-concepts.xml
@@ -7,8 +7,8 @@
 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-install.xml,v 1.5 2010/06/25 16:07:19 pebenito Exp $ -->
 
 <sections>
-<version>3</version>
-<date>2011-04-15</date>
+<version>4</version>
+<date>2011-05-03</date>
 
 <section>
 <title>Introduction</title>
@@ -510,6 +510,11 @@ which has write access to the domain of the file, but can still not write to the
 file because the SELinux users' differ.
 </p>
 
+<p>
+At this moment, Gentoo Hardened SELinux' supports both policies with and
+without UBAC. This is controlled through the <c>ubac</c> USE flag.
+</p>
+
 </body>
 </subsection>
 </section>

diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 30dc495..a6a61a3 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -197,14 +197,66 @@ installation is completed.
 </note>
 
 <p>
+Don't update your system yet - we will need to install a couple of packages in a
+particular order which Portage isn't aware of in the next couple of sections. 
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Update make.conf</title>
+<body>
+
+<p>
 Edit your <path>/etc/make.conf</path> file and set
 <c>FEATURES="-loadpolicy"</c>. The current SELinux profile enables the
 loadpolicy feature, but this isn't supported anymore so can be safely ignored.
 </p>
 
 <p>
-Don't update your system yet - we will need to install a couple of packages in a
-particular order which Portage isn't aware of in the next couple of sections. 
+Next, take a look at the following USE flags and decide if you want to enable
+or disable them.
+</p>
+
+<table>
+<tr>
+  <th>USE flag</th>
+  <th>Default Value</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>peer_perms</ti>
+  <ti>Enabled</ti>
+  <ti>
+    The peer_perms capability controls the SELinux policy network peer controls.
+    If set, the access control mechanisms that SELinux uses for network based
+    labelling are consolidated. This setting is recommended as the policy is
+    also updated to reflect this. If not set, the old mechanisms (NetLabel and
+    Labeled IPsec) are used side by side.
+  </ti>
+</tr>
+<tr>
+  <ti>open_perms</ti>
+  <ti>Disabled</ti>
+  <ti>
+    The open_perms capability enables the SELinux permission "open" for files
+    and file-related classes. 
+  </ti>
+</tr>
+<tr>
+  <ti>ubac</ti>
+  <ti>Disabled</ti>
+  <ti>
+    When enabled, the SELinux policy is built with user-based access control
+    enabled. This is optional as it introduces constraints that might be
+    difficult to notice at first when you hit them.
+  </ti>
+</tr>
+</table>
+
+<p>
+Make your choice and update the <c>USE</c> variable in
+<path>/etc/make.conf</path>.
 </p>
 
 </body>