From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1QHLxB-0006Ab-Om for garchives@archives.gentoo.org; Tue, 03 May 2011 20:12:18 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A82101C001; Tue, 3 May 2011 20:12:10 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 689431C001 for ; Tue, 3 May 2011 20:12:10 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 793C51B4053 for ; Tue, 3 May 2011 20:12:09 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id DD94980505 for ; Tue, 3 May 2011 20:12:08 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <37823f895ec2add96e802cedcf0d13d909bfa08e.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/hb-intro-concepts.xml xml/selinux/hb-using-install.xml X-VCS-Directories: xml/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 37823f895ec2add96e802cedcf0d13d909bfa08e Date: Tue, 3 May 2011 20:12:08 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: b730b6293322a2c03065c5e3999f82a1 commit: 37823f895ec2add96e802cedcf0d13d909bfa08e Author: Sven Vermeulen siphos be> AuthorDate: Tue May 3 20:09:22 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue May 3 20:09:22 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D37823f89 Add information on ubac USE flag as well as other SELinux-related USE fla= gs --- xml/selinux/hb-intro-concepts.xml | 9 ++++- xml/selinux/hb-using-install.xml | 56 +++++++++++++++++++++++++++++++= ++++- 2 files changed, 61 insertions(+), 4 deletions(-) diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-con= cepts.xml index f1cbc71..4a3ea90 100644 --- a/xml/selinux/hb-intro-concepts.xml +++ b/xml/selinux/hb-intro-concepts.xml @@ -7,8 +7,8 @@ =20 -3 -2011-04-15 +4 +2011-05-03 =20
Introduction @@ -510,6 +510,11 @@ which has write access to the domain of the file, bu= t can still not write to the file because the SELinux users' differ.

=20 +

+At this moment, Gentoo Hardened SELinux' supports both policies with and +without UBAC. This is controlled through the ubac USE flag. +

+
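Review bot: The added paragraph has a stray apostrophe in "Gentoo Hardened SELinux' supports" and the sentence reads awkwardly; suggest "Gentoo Hardened's SELinux policies are available both with and without UBAC; this is controlled through the ubac USE flag." It would also help a reader of the concepts chapter to say which of the two is the default here, since the install chapter's table in this same commit lists ubac as Disabled by default while this text only says both are supported.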
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-inst= all.xml index 30dc495..a6a61a3 100644 --- a/xml/selinux/hb-using-install.xml +++ b/xml/selinux/hb-using-install.xml @@ -197,14 +197,66 @@ installation is completed. =20

+Don't update your system yet - we will need to install a couple of packa= ges in a +particular order which Portage isn't aware of in the next couple of sect= ions.=20 +

+ + + + +Update make.conf + + +

Edit your /etc/make.conf file and set FEATURES=3D"-loadpolicy". The current SELinux profile enables the loadpolicy feature, but this isn't supported anymore so can be safely ig= nored.

=20

-Don't update your system yet - we will need to install a couple of packa= ges in a -particular order which Portage isn't aware of in the next couple of sect= ions.=20 +Next, take a look at the following USE flags and decide if you want to e= nable +or disable them. +

+ + + + + + + + + peer_perms + Enabled + + The peer_perms capability controls the SELinux policy network peer c= ontrols. + If set, the access control mechanisms that SELinux uses for network = based + labelling are consolidated. This setting is recommended as the polic= y is + also updated to reflect this. If not set, the old mechanisms (NetLab= el and + Labeled IPsec) are used side by side. + + + + open_perms + Disabled + + The open_perms capability enables the SELinux permission "open" for = files + and file-related classes.=20 + + + + ubac + Disabled + + When enabled, the SELinux policy is built with user-based access con= trol + enabled. This is optional as it introduces constraints that might be + difficult to notice at first when you hit them. + + +
USE flagDefault ValueDescription
+ +

+Make your choice and update the USE variable in +/etc/make.conf.

=20
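Review bot: The open_perms row is thinner than the other two: it says what the capability enables but gives no guidance on why its default is Disabled or when a user would want to turn it on, whereas the peer_perms row carries a recommendation; suggest one sentence of guidance in the same style. In the peer_perms description, "the access control mechanisms ... are consolidated" does not say what they are consolidated into; since the next sentence names the old mechanisms (NetLabel and Labeled IPsec), naming the consolidated control as well would let the reader tell which state the flag selects. Finally, the closing "Make your choice and update the USE variable in /etc/make.conf" comes right after the block that already has the reader edit /etc/make.conf for FEATURES="-loadpolicy"; it would be less error-prone to present both make.conf edits as one step, given that the moved "Don't update your system yet" paragraph warns that package order matters in the following sections.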