From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <8db9b0399314b72b932262256199102062fcf401.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/hb-using-enforcing.xml xml/selinux/hb-using-permissive.xml X-VCS-Directories: xml/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 8db9b0399314b72b932262256199102062fcf401 Date: Wed, 2 Mar 2011 20:38:31 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: 625ff3b4b7038be4e8e85f129e0df68d commit: 8db9b0399314b72b932262256199102062fcf401 Author: Sven Vermeulen siphos be> AuthorDate: Wed Mar 2 20:37:37 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Wed Mar 2 20:37:37 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D8db9b039 Add information on gentoo_try_dontaudit boolean --- xml/selinux/hb-using-enforcing.xml | 14 +++++++++++--- xml/selinux/hb-using-permissive.xml | 19 +++++++++++++++++++ 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/xml/selinux/hb-using-enforcing.xml b/xml/selinux/hb-using-en= forcing.xml index 01ef065..66e24a9 100644 --- a/xml/selinux/hb-using-enforcing.xml +++ b/xml/selinux/hb-using-enforcing.xml @@ -7,8 +7,8 @@ =20 -0 -2011-01-04 +1 +2011-03-02 =20
Switching to Enforcing Mode @@ -44,7 +44,8 @@ mode, run setenforce 1.

It is wise to ensure that you have booted the system but not logged in a= nywhere except as the root user. Also verify that the session you're currently i= n (as -root) uses the root:sysadm_r:sysadm_t context (otherwise trying t= o +root) uses the root:sysadm_r:sysadm_t or=20 +unconfined_u:unconfined_r:unconfined_t context (otherwise trying = to disable enforcing mode might not work).

=20 @@ -210,6 +211,13 @@ If you are confident to continue with the dontaudit = statements again, run the same command without the -D.

=20 +

+Gentoo Hardened uses a specific boolean called gentoo_try_dontaudit to=20 +show or hide the denials that the developers believe are cosmetic. Thank= s to=20 +this approach, you can first disable the Gentoo-selected dontaudit state= ments=20 +before showing all of them - which can be quite a lot more. +

+
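Review bot: the new paragraph in hb-using-enforcing.xml names gentoo_try_dontaudit and tells the reader to "first disable the Gentoo-selected dontaudit statements", but never shows how; the toggle command only appears in the hb-using-permissive.xml hunk of this same commit. Suggest either repeating the one-liner here, e.g. `~# setsebool -P gentoo_try_dontaudit off`, or adding a cross-reference to the permissive chapter, so the reader is not left with the -D approach from the preceding paragraph as the only documented way to surface hidden denials. Minor wording: "which can be quite a lot more" reads awkwardly; "which can be far more numerous" says the same thing.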
diff --git a/xml/selinux/hb-using-permissive.xml b/xml/selinux/hb-using-p= ermissive.xml index 83f3d73..3d9e1fb 100644 --- a/xml/selinux/hb-using-permissive.xml +++ b/xml/selinux/hb-using-permissive.xml @@ -225,6 +225,25 @@ shouldn't be. But a few ground-rules do apply. =20 +

+During development of the policies, Gentoo Hardened developers will try = to=20 +hide denials they believe are cosmetic. This hiding can be toggled using= the +SELinux gentoo_try_dontaudit boolean: +

+ +
+~# getsebool gentoo_try_dontaudit
+gentoo_try_dontaudit --> off
+~# setsebool -P gentoo_try_dontaudit on
+
+ +

+When set, the denials that are believed to be cosmetic are hidden from y= our +audit logs. But if your system is not functioning properly and you do no= t see +any denials, it is wise to toggle this boolean again to verify if the de= nial +is now shown or not. +

+
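Review bot: the example and the prose pull in opposite directions in this hunk: the listing turns gentoo_try_dontaudit on, while the troubleshooting advice ("if your system is not functioning properly and you do not see any denials ... toggle this boolean again") needs it turned off, and the text never states which setting reveals the hidden denials. Suggest saying that explicitly and showing the off direction as well, e.g. `~# setsebool -P gentoo_try_dontaudit off`, followed by re-checking the audit log. Also, this file's version/date header is not bumped in this commit, whereas hb-using-enforcing.xml has both bumped in its first hunk; the two should be kept consistent.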