From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <52787589c4ca2f84f57c933566cf27936f0961e2.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: xml/selinux/hb-using-commands.xml
X-VCS-Directories: xml/selinux/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 52787589c4ca2f84f57c933566cf27936f0961e2
Date: Tue, 31 May 2011 20:16:17 +0000 (UTC)
List-Id: Gentoo Linux mail
X-Archives-Hash: 07870761cfceac783af7bcfda49d6251

commit: 52787589c4ca2f84f57c933566cf27936f0961e2
Author: Sven Vermeulen siphos be>
AuthorDate: Tue May 31 20:16:07 2011 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Tue May 31 20:16:07 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=52787589

Put more focus on the staff_u user, inform users that this is necessary to work with portage

---
 xml/selinux/hb-using-commands.xml | 24 +++++++++++++++++++-----
 1 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-com= mands.xml index b9342f0..a0e8ea4 100644 --- a/xml/selinux/hb-using-commands.xml +++ b/xml/selinux/hb-using-commands.xml @@ -7,8 +7,8 @@ =20 -2 -2011-04-22 +3 +2011-05-31 =20
SELinux Information Commands @@ -295,16 +295,30 @@ system_u system_u =20

The default behavior is that users are logged on as the user_u SE= Linux -user. If you want to allow another user (say anna) to log on as -staff_u: +user. This SELinux user is a non-administrator user: it has no specific +privileges and should be used for every account that never requires elev= ated +privileges (so no su or sudo rights for anything). +

+ +

+The account you use to administer your system should be mapped to the +staff_u SELinux user (or its own user with the appropriate roles)= . This +can be accomplished as follows (example with the Unix account anna):

=20
 ~# semanage login -a -s staff_u anna
 
=20 + +Make sure that whatever account you use to administer your system is map= ped to +the staff_u user, or has the ability to switch to the sysadm_r= +role. Portage only works from within the sysadm_r role. + +

-SELinux users then can be configured to belong to one or more roles. +As mentioned, SELinux users are configured to be able to join in on one = or more +roles. To list the available roles, you can use semanage user -l:

=20
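Review bot: the second hunk states the same requirement twice: "The account you use to administer your system should be mapped to the staff_u SELinux user" and, a few lines later, "Make sure that whatever account you use to administer your system is mapped to the staff_u user"; suggest keeping the second one, which carries the reason (Portage only works from within the sysadm_r role), and trimming the first to a single introductory sentence. The `semanage login -a -s staff_u anna` example is also left without a way to confirm the result; a `semanage login -l` call after it would let readers verify the new mapping before they log in with that account. Finally, "join in on one or more roles" reads awkwardly; "be assigned one or more roles" is clearer.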