public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/modules/, html/selinux/
@ 2011-07-13 21:40 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-13 21:40 UTC
  To: gentoo-commits

commit:     9cc8a753e2194f68abb8215821979cb440126a5e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 13 21:38:27 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 13 21:38:27 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9cc8a753

update previews

---
 html/pic-guide.html                          |    2 +-
 html/roadmap.html                            |    8 +++---
 html/selinux-faq.html                        |   11 ++++++--
 html/selinux/hb-using-commands.html          |   32 +++++++++++++++++++++++++-
 html/selinux/modules/bind.html               |    2 +-
 html/selinux/modules/ldap.html               |    2 +-
 html/selinux/modules/{ldap.html => ssh.html} |   20 ++++++++--------
 7 files changed, 56 insertions(+), 21 deletions(-)

diff --git a/html/pic-guide.html b/html/pic-guide.html
index 843cb84..0b5fde9 100644
--- a/html/pic-guide.html
+++ b/html/pic-guide.html
@@ -68,7 +68,7 @@ or not. There are occasional architectures which don't make the
 distinction, usually because all object code is position independent by
 virtue of the Application Binary Interface (ABI), or less often because
 the load address of the object is fixed at compile time, which implies
-that shared libraries are not supported by such a platform).
+that shared libraries are not supported by such a platform.
 
 If an object is compiled as position independent code (PIC),
 then the operating system can load the object at any address
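Review bot: Dropping the stray `)` at the end of "not supported by such a platform" is the right fix as far as the visible lines show, since no opening parenthesis appears in this context; worth confirming that the paragraph above line 68 does not open one that this was meant to close, in which case the fix would be a missing `(` rather than a surplus `)`.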

diff --git a/html/roadmap.html b/html/roadmap.html
index 25e8f71..ae59a97 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -287,15 +287,15 @@ of the packages.
 </tr>
 <tr>
   <td class="tableinfo">Improve QA on SELinux packages (f.i. migrate patchbundles away from filesdir)</td>
-  <td class="tableinfo">2011-07-01</td>
-  <td class="tableinfo"><span class="code-keyword">On track</span></td>
+  <td class="tableinfo">2011-07-15</td>
+  <td class="tableinfo"><span class="code-variable">In progress</span></td>
   <td class="tableinfo">blueness, SwifT</td>
   <td class="tableinfo"><a href="https://bugs.gentoo.org/370927">#370927</a></td>
 </tr>
 <tr>
   <td class="tableinfo">Stabilize the new SELinux profile structure</td>
   <td class="tableinfo">2011-07-15</td>
-  <td class="tableinfo"><span class="code-keyword">On track</span></td>
+  <td class="tableinfo"><span class="code-variable">In progress</span></td>
   <td class="tableinfo">blueness, SwifT</td>
   <td class="tableinfo"><a href="https://bugs.gentoo.org/365483">#365483</a></td>
 </tr>
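Review bot: Two different things change in the first row of this hunk: the target date slips from 2011-07-01 to 2011-07-15, and the status moves from "On track" to "In progress", with the styling class switching from `code-keyword` to `code-variable`. The date slip deserves a word in the commit message (it currently only says "update previews"), and since both rows now use the new status vocabulary, check that the roadmap's legend, if it has one, describes `In progress` and the colour that `code-variable` gives it.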
@@ -311,7 +311,7 @@ of the packages.
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated June 13, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated July 10, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 A roadmap that plots current needs and goals of the
 Hardened Gentoo project.
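Review bot: The "Updated" stamp here becomes July 10, 2011 while the other pages regenerated in this commit (selinux-faq.html, hb-using-commands.html) get July 13, 2011. If the date is taken from the roadmap.xml source that is fine, but if it was edited by hand it should match the others.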

diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index f202d8b..f3c097c 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -97,8 +97,13 @@ features of the compiler.
 </p>
 <p class="secthead"><a name="rsbac"></a><a name="doc_chap2_sect4">Can I use SELinux and RSBAC?</a></p>
 <p>
-We don't know. If you try this combination, we would be very interested
-in its results.
+Yes, SELinux and RSBAC can be used together, but it is not recommended. The
+RSBAC framework that is added to the Linux Security Modules framework (which
+is used by SELinux) impacts performance for little added value. 
+</p>
+<p>
+In most cases, it makes more sense to use RSBAC without SELinux, or SELinux
+without RSBAC.
 </p>
 <p class="secthead"><a name="filesystem"></a><a name="doc_chap2_sect5">Can I use SELinux with any file system?</a></p>
 <p>
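Review bot: The claim in the new text that RSBAC "is added to the Linux Security Modules framework (which is used by SELinux)" should be checked before publishing: RSBAC ships as a standalone kernel patch set and its own documentation describes it as not being built on LSM, so the performance argument may need a different explanation. The answer also changes from "we don't know" to a definite recommendation, so a pointer to where the performance impact was observed would help readers judge it. Minor: the line ending in `little added value. ` carries trailing whitespace.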
@@ -471,7 +476,7 @@ Another fix would be to disable UBAC completely. This is accomplished with
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
 <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated June 1, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated July 13, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Frequently Asked Questions on SELinux integration with Gentoo Hardened.
 The FAQ is a collection of solutions found on IRC, mailinglist, forums or 

diff --git a/html/selinux/hb-using-commands.html b/html/selinux/hb-using-commands.html
index d9b6904..6d6f21a 100644
--- a/html/selinux/hb-using-commands.html
+++ b/html/selinux/hb-using-commands.html
@@ -162,6 +162,36 @@ the last command example, dropping <span class="code" dir="ltr">-d</span> would
 rules: for each domain that has file_type set, the search tries to find rules
 that allow file-write access to that particular domain.
 </p>
+<p>
+Another interesting functionality of the <span class="code" dir="ltr">sesearch</span> command is to show you
+the rules that are applicable depending on the state of a boolean. If you want
+to query on a particular boolean, use <span class="code" dir="ltr">-b</span>. If you want to see the logic
+that the policy uses, use <span class="code" dir="ltr">-C</span> (and yes, both can be combined).
+</p>
+<p>
+As an example, we'll check what we allow (or deny) when the <span class="code" dir="ltr">global_ssp</span>
+boolean is set:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking the policy regarding the global_ssp boolean</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">sesearch -b global_ssp -A -C -d</span>
+Found 2 semantic av rules:
+ET allow domain device_t : dir { getattr search open } ; [ global_ssp ]
+ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]
+</pre></td></tr>
+</table>
+<p>
+The prefix you see shows two letters, relating to two important definitions:
+</p>
+<ul>
+  <li>
+    Is the rule currently <b>E</b>nabled or <b>D</b>isabled?
+  </li>
+  <li>
+    Does the boolean need to be set to <b>T</b>rue or <b>F</b>alse to enable the rule?
+  </li>
+</ul>
 <p class="secthead"><a name="doc_chap1_sect1">Getting Security Context Information</a></p>
 <p>
 During administrative tasks, and especially when you are checking if a SELinux
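Review bot: The E/D letter in the listing only tells the reader whether the rule is currently enabled, not why, so the paragraph explaining the prefix should point to `getsebool global_ssp` (and `setsebool`) as the way to see and change the boolean state that the T/F letter refers to; otherwise an `ET` rule next to a boolean that happens to be off will confuse readers. Two smaller points: with `-C`, `sesearch` also prints rules from the boolean's else branch, which appear with the `F` flag, and "depending on the state of a boolean" could say so explicitly; and "Another interesting functionality of the sesearch command is to show you" reads better as "sesearch can also show you". The missing space in "Code Listing1.1" (and "Figure1.1" in the ssh page below) comes from the stylesheet rather than this page.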
@@ -352,7 +382,7 @@ require you to enter the regular users' password.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated July 13, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>

diff --git a/html/selinux/modules/bind.html b/html/selinux/modules/bind.html
index 522f2a4..d801cbe 100644
--- a/html/selinux/modules/bind.html
+++ b/html/selinux/modules/bind.html
@@ -130,7 +130,7 @@ master/slave setups.
 --><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux/modules/apache.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux/modules/bind.xml?style=printable">Print</a></p></td></tr>
 <tr><td class="topsep" align="center"><p class="alttext">Updated July 9, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Within SELinux, the bind module is responsible for defining the BIND
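Review bot: Good catch on the Print link pointing at `apache.xml` in a page about bind; the same stale `href` is fixed in ldap.html in this commit and was carried into the new ssh.html (fixed there too), which suggests the module pages are being created by copying apache.html, so the remaining pages under html/selinux/modules/ should be checked for the same copied link.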

diff --git a/html/selinux/modules/ldap.html b/html/selinux/modules/ldap.html
index 64dda6e..597a8f7 100644
--- a/html/selinux/modules/ldap.html
+++ b/html/selinux/modules/ldap.html
@@ -105,7 +105,7 @@ module.
 --><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux/modules/apache.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux/modules/ldap.xml?style=printable">Print</a></p></td></tr>
 <tr><td class="topsep" align="center"><p class="alttext">Updated July 9, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
 Within SELinux, the ldap module is responsible for defining the openldap

diff --git a/html/selinux/modules/ldap.html b/html/selinux/modules/ssh.html
similarity index 90%
copy from html/selinux/modules/ldap.html
copy to html/selinux/modules/ssh.html
index 64dda6e..ebe3ec4 100644
--- a/html/selinux/modules/ldap.html
+++ b/html/selinux/modules/ssh.html
@@ -11,24 +11,25 @@
 <link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
 <title>Gentoo Linux Documentation
 --
-  SELinux LDAP Module</title>
+  SELinux SSH Module</title>
 </head>
 <body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
 <tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
 <tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
 <td width="99%" class="content" valign="top" align="left">
-<br><h1>SELinux LDAP Module</h1>
+<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
+    This document is a work in progress and should not be considered official yet.
+  </p></td></tr></table>
+<br><h1>SELinux SSH Module</h1>
 <p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
             </span>Structure</p>
 <p class="secthead"><a name="doc_chap1_sect1">Domains</a></p>
 <br><a name="doc_chap1_fig1"></a><table cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Figure1.1: General LDAP domain overview</p></td></tr>
-<tr><td align="center" bgcolor="#ddddff"><img src="./images/ldapdomain.png" alt="Fig. 1: General LDAP domain overview"></td></tr>
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Figure1.1: General SSH domain overview</p></td></tr>
+<tr><td align="center" bgcolor="#ddddff"><img src="./images/sshdomain.png" alt="Fig. 1: General SSH domain overview"></td></tr>
 </table>
 <br><p>
-The <span class="code" dir="ltr">slapd</span> daemon runs within the <span class="code" dir="ltr">slapd_t</span> domain and can only be
-transitioned towards through the <span class="code" dir="ltr">sysadm_t</span> (general system administrative
-domain) or <span class="code" dir="ltr">initrc_t</span> (init script launched) domains.
+The...
 </p>
 <p class="secthead"><a name="doc_chap1_sect2">File Types/Labels</a></p>
 <p>
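Review bot: The paragraph body is replaced by the placeholder `The...`, so the page will be published with an unfinished sentence; the disclaimer table added above the title covers the work-in-progress state, but the stub should at least say which domain sshd runs in, as the ldap original did for slapd, or be dropped until written. The figure also now references `./images/sshdomain.png`, which is not among the 7 files in this commit; confirm the image exists or the figure will render broken.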
@@ -105,11 +106,10 @@ module.
 --><br>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux/modules/apache.xml?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux/modules/ssh.xml?style=printable">Print</a></p></td></tr>
 <tr><td class="topsep" align="center"><p class="alttext">Updated July 9, 2011</p></td></tr>
 <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
-Within SELinux, the ldap module is responsible for defining the openldap
-domains and interactions.
+Within SELinux, the SSH module is responsible for defining what openssh can do
 </p></td></tr>
 <tr><td align="left" class="topsep"><p class="alttext">
   <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
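Review bot: The new summary line `Within SELinux, the SSH module is responsible for defining what openssh can do` lacks a full stop, and the `Updated July 9, 2011` stamp is inherited from the ldap page it was copied from; a page created on July 13 should carry its own date. Since the file is a 90% copy of ldap.html, a grep for remaining "ldap" and "slapd" strings in ssh.html before publishing is worthwhile.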
