From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1QS6bi-0006Hz-U3 for garchives@archives.gentoo.org; Thu, 02 Jun 2011 12:02:35 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 173701C0EB; Thu, 2 Jun 2011 12:02:22 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id CD6F41C0E4 for ; Thu, 2 Jun 2011 12:02:21 +0000 (UTC)
Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 348641B4018 for ; Thu, 2 Jun 2011 12:02:21 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id A23FF80506 for ; Thu, 2 Jun 2011 12:02:20 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <9ac37024484b464088dd7ad2dd29c66442f10a09.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/selinux/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: html/selinux/hb-intro-referencepolicy.html html/selinux/hb-using-install.html html/selinux/hb-using-permissive.html
X-VCS-Directories: html/selinux/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 9ac37024484b464088dd7ad2dd29c66442f10a09
Date: Thu, 2 Jun 2011 12:02:20 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt:
X-Archives-Hash: fbf3fa57f2444134dbcdf9116a8dfd6f

commit: 9ac37024484b464088dd7ad2dd29c66442f10a09
Author: Sven Vermeulen siphos be>
AuthorDate: Thu Jun 2 11:58:39 2011 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Thu Jun 2 11:58:39 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9ac37024

Updating previews

--- html/selinux/hb-intro-referencepolicy.html | 8 ++++- html/selinux/hb-using-install.html | 42 ++++++++++++++++++++++= +++-- html/selinux/hb-using-permissive.html | 5 ++- 3 files changed, 47 insertions(+), 8 deletions(-) diff --git a/html/selinux/hb-intro-referencepolicy.html b/html/selinux/hb= -intro-referencepolicy.html index 5ff648b..3adc3f9 100644 --- a/html/selinux/hb-intro-referencepolicy.html +++ b/html/selinux/hb-intro-referencepolicy.html @@ -216,11 +216,15 @@ following is an overview of the policy versions' hi= story.
Version 23
Per-domain permissive mode (2.6.26 - 2.6.27)
Version 24
-
Explicit hierarchy (type bounds) (2.6.28 - current)
+
Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)
+
Version 25
+
Filename based transition support (2.6.39)
+
Version 26
+
Role transition support for non-process classes (3.0)
- +

Updated D= ecember 1, 2010

Updated J= une 2, 2011

Donate to support our development efforts.
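Review bot: the new Version 26 row ("Role transition support for non-process classes (3.0)") names a kernel that is not released at the date of this commit (June 2011), while the Version 24 row just lost its "- current" wording; a reader on 2.6.39 could take 3.0 as something already available. Suggest marking the row as forward-looking, for instance "Role transition support for non-process classes (3.0, upcoming)", and revisiting it once 3.0 ships. The rest of the table reads consistently: Version 24 now closes at 2.6.38 and Version 25 (filename based transitions) is pinned to 2.6.39, so the three rows no longer overlap.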

diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-i= nstall.html index 2ce4dfe..dadbab8 100644 --- a/html/selinux/hb-using-install.html +++ b/html/selinux/hb-using-install.html @@ -562,7 +562,7 @@ correctly. For instance, if you have installed ~# rlpkg -t screen
-

Reboot

+

Reboot and Set SELinux= Booleans

Reboot your system. Log on and, if you have indeed installed Gentoo usin= g the hardened sources (as we recommended), enable the SSP SELinux boolean: @@ -573,13 +573,47 @@ hardened sources (as we recommended), enable the SS= P SELinux boolean: ~# setsebool -P global_ssp on +

Define the Administrat= or Accounts

+

+Finally, we need to map the account(s) you use to manage your system (th= ose +that need access to Portage) to the sta= ff_u SELinux user. By default, +users are mapped to the user_u S= ELinux user who doesn't have the +appropriate rights (nor access to the appropriate roles) to manage a sys= tem. +Accounts that are mapped to staff_u can, but might need to switch roles +from staff_r to sysadm_r before they are granted the appropriate +privileges. +

+

+Assuming that your account name is john: +

+ + + +

Code Listing1.1: Mapp= ing the Linux account john to the SELinux user staff_u

+~# semanage login -a -s staff_u john
+~# restorecon -R -F /home/john
+
+

+If you later log on as john and want to = manage your system, you will +probably need to switch your role. You can use newrole for this: +

+ + + +

Code Listing1.1: Swit= ching roles

+~$ id -Z
+staff_u:staff_r:staff_t
+~$ newrole -r sysadm_r
+Password: (Enter your password)
+~$ id -Z
+staff_u:sysadm_r:sysadm_t
+

-With that done, enjoy - your first steps into the SELinux world are now -made. +With that done, enjoy - your first steps into the SELinux world are now = made.

- +

Updated M= ay 31, 2011

Updated J= une 2, 2011

Donate to support our development efforts.
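Review bot: the sentence "Accounts that are mapped to staff_u can, but might need to switch roles from staff_r to sysadm_r before they are granted the appropriate privileges." in the "Define the Administrator Accounts" hunk is missing what the account "can" do; suggest "Accounts mapped to staff_u can manage the system, but must first switch from the staff_r role to sysadm_r to obtain the administrative privileges." Two further points in the same hunk. First, the listing runs `semanage login -a -s staff_u john` followed by `restorecon -R -F /home/john` without saying why: the new mapping applies only to new logins, and files john created earlier still carry the user_u identity, which plain restorecon leaves alone, so `-F` is what resets the user part of the context; a sentence to that effect, plus a hint that `semanage login -l` shows the resulting mapping and that john must log out and back in, would keep readers from skipping the second command. Second, both new listings are captioned "Code Listing1.1" (mapping the account and switching roles); unless the preview generator renumbers them, the second should be 1.2. The heading rename to "Reboot and Set SELinux Booleans" in the earlier hunk matches the content that follows it and needs no change.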

diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-usin= g-permissive.html index 0285dde..d5e77aa 100644 --- a/html/selinux/hb-using-permissive.html +++ b/html/selinux/hb-using-permissive.html @@ -292,7 +292,8 @@ accordingly. For instance, say you have your lvm.co /etc rather than /etc/lvm as the policy would expect, then you can still label the file correctly using semanage. With=20 semanage, you assign a correct s= ecurity context unrelated to any -module. It is a local setting - but which is persistent across reboots. +module. It is a local setting - but which is persistent across reboots a= nd +relabelling activities.
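Review bot: the added clause "persistent across reboots and relabelling activities" states the behaviour but not the reason, and "local setting" right before it can read as the opposite; suggest completing the sentence with where the setting lives, e.g. "It is a local setting, stored in the policy's file_contexts.local, and is therefore picked up by restorecon and by a full relabel just like the contexts provided by policy modules." That tells the reader why a relabel reapplies the custom context instead of resetting it.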

@@ -583,7 +584,7 @@ The same tool can be used to relabel the entire syste= m:

Code Listing1.1: Sett= ing a new file context using semanage

- +

Updated A= pril 22, 2011

Updated J= une 2, 2011

Donate to support our development efforts.