public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/selinux/
Date: Thu,  2 Jun 2011 12:02:20 +0000 (UTC)	[thread overview]
Message-ID: <9ac37024484b464088dd7ad2dd29c66442f10a09.SwifT@gentoo> (raw)

commit:     9ac37024484b464088dd7ad2dd29c66442f10a09
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun  2 11:58:39 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun  2 11:58:39 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9ac37024

Updating previews

---
 html/selinux/hb-intro-referencepolicy.html |    8 ++++-
 html/selinux/hb-using-install.html         |   42 +++++++++++++++++++++++++--
 html/selinux/hb-using-permissive.html      |    5 ++-
 3 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/html/selinux/hb-intro-referencepolicy.html b/html/selinux/hb-intro-referencepolicy.html
index 5ff648b..3adc3f9 100644
--- a/html/selinux/hb-intro-referencepolicy.html
+++ b/html/selinux/hb-intro-referencepolicy.html
@@ -216,11 +216,15 @@ following is an overview of the policy versions' history.
   <dt>Version 23</dt>
   <dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd>
   <dt>Version 24</dt>
-  <dd>Explicit hierarchy (type bounds) (2.6.28 - current)</dd>
+  <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd>
+  <dt>Version 25</dt>
+  <dd>Filename based transition support (2.6.39)</dd>
+  <dt>Version 26</dt>
+  <dd>Role transition support for non-process classes (3.0)</dd>
 </dl>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated December 1, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>
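Review bot: the new Version 26 entry gives only "(3.0)", whereas the Version 24 line it closes off used an open range ("2.6.28 - current"); if policy version 26 is the one current kernels ship, "(3.0 - current)" keeps the list's convention and makes clear that later kernels are covered too. The kernel ranges otherwise chain correctly across the three entries (2.6.38 ends Version 24, 2.6.39 is Version 25, 3.0 is Version 26).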

diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index 2ce4dfe..dadbab8 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -562,7 +562,7 @@ correctly. For instance, if you have installed
 ~# <span class="code-input">rlpkg -t screen</span>
 </pre></td></tr>
 </table>
-<p class="secthead"><a name="doc_chap1_sect1">Reboot</a></p>
+<p class="secthead"><a name="doc_chap1_sect1">Reboot and Set SELinux Booleans</a></p>
 <p>
 Reboot your system. Log on and, if you have indeed installed Gentoo using the
 hardened sources (as we recommended), enable the SSP SELinux boolean:
@@ -573,13 +573,47 @@ hardened sources (as we recommended), enable the SSP SELinux boolean:
 ~# <span class="code-input">setsebool -P global_ssp on</span>
 </pre></td></tr>
 </table>
+<p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p>
+<p>
+Finally, we need to map the account(s) you use to manage your system (those
+that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. By default,
+users are mapped to the <span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the
+appropriate rights (nor access to the appropriate roles) to manage a system.
+Accounts that are mapped to <span class="code" dir="ltr">staff_u</span> can, but might need to switch roles
+from <span class="code" dir="ltr">staff_r</span> to <span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate
+privileges.
+</p>
+<p>
+Assuming that your account name is <span class="emphasis">john</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping the Linux account john to the SELinux user staff_u</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">semanage login -a -s staff_u john</span>
+~# <span class="code-input">restorecon -R -F /home/john</span>
+</pre></td></tr>
+</table>
+<p>
+If you later log on as <span class="emphasis">john</span> and want to manage your system, you will
+probably need to switch your role. You can use <span class="code" dir="ltr">newrole</span> for this:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching roles</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~$ <span class="code-input">id -Z</span>
+staff_u:staff_r:staff_t
+~$ <span class="code-input">newrole -r sysadm_r</span>
+Password: <span class="code-comment">(Enter your password)</span>
+~$ <span class="code-input">id -Z</span>
+staff_u:sysadm_r:sysadm_t
+</pre></td></tr>
+</table>
 <p>
-With that done, enjoy - your first steps into the SELinux world are now
-made.
+With that done, enjoy - your first steps into the SELinux world are now made.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>
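Review bot: the new "Define the Administrator Accounts" heading reuses `<a name="doc_chap1_sect1">` (already used by the "Reboot and Set SELinux Booleans" heading in this file), both new listing tables reuse `<a name="doc_chap1_pre1">`, and both listings are titled "Code Listing1.1", so any in-page link to these anchors resolves to the first occurrence; since these are generated previews, the section and listing numbering in the source should be checked so the published page gets distinct anchors (and the missing space in "Listing1.1" fixed). The procedure itself reads well: the mapping listing pairs `semanage login -a -s staff_u john` with the `restorecon -R -F /home/john` relabel, and the second listing shows `id -Z` before and after `newrole -r sysadm_r` so the reader can verify the role switch. One wording nit in the prose: "Accounts that are mapped to staff_u can, but might need to switch roles from staff_r to sysadm_r before they are granted the appropriate privileges" is hard to parse; "Accounts mapped to staff_u can manage the system, but might first need to switch roles from staff_r to sysadm_r before they are granted the appropriate privileges" says the same more clearly.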

diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html
index 0285dde..d5e77aa 100644
--- a/html/selinux/hb-using-permissive.html
+++ b/html/selinux/hb-using-permissive.html
@@ -292,7 +292,8 @@ accordingly. For instance, say you have your <span class="path" dir="ltr">lvm.co
 <span class="path" dir="ltr">/etc</span> rather than <span class="path" dir="ltr">/etc/lvm</span> as the policy would expect,
 then you can still label the file correctly using <span class="code" dir="ltr">semanage</span>. With 
 <span class="code" dir="ltr">semanage</span>, you assign a correct security context unrelated to any
-module. It is a local setting - but which is persistent across reboots.
+module. It is a local setting - but which is persistent across reboots and
+relabelling activities.
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting a new file context using semanage</p></td></tr>
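Review bot: the extended sentence "It is a local setting - but which is persistent across reboots and relabelling activities." is grammatically off (the "but which" clause has nothing to attach to); suggest "It is a local setting, but one that persists across reboots and relabelling." The clarification itself is a good addition, since surviving a relabel is the property a reader of this section most needs to know about a `semanage` file context.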
@@ -583,7 +584,7 @@ The same tool can be used to relabel the entire system:
 </table>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 22, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>


