[gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/

public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed

From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
Date: Thu,  2 Jun 2011 11:55:00 +0000 (UTC)	[thread overview]
Message-ID: <aab31d17deaf254902e62a93d66bac29de72a1ce.SwifT@gentoo> (raw)

commit:     aab31d17deaf254902e62a93d66bac29de72a1ce
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun  2 11:54:09 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun  2 11:54:09 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=aab31d17

Add admin account during setup, people tend to forget this

---
 xml/selinux/hb-using-install.xml |   48 ++++++++++++++++++++++++++++++++++----
 1 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
index 6b96109..428ed10 100644
--- a/xml/selinux/hb-using-install.xml
+++ b/xml/selinux/hb-using-install.xml
@@ -7,8 +7,8 @@
 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ -->
 
 <sections>
-<version>7</version>
-<date>2011-05-31</date>
+<version>8</version>
+<date>2011-06-02</date>
 
 <section>
 <title>Installing Gentoo Hardened</title>
@@ -643,7 +643,7 @@ correctly. For instance, if you have installed
 </body>
 </subsection>
 <subsection>
-<title>Reboot</title>
+<title>Reboot and Set SELinux Booleans</title>
 <body>
 
 <p>
@@ -655,9 +655,47 @@ hardened sources (as we recommended), enable the SSP SELinux boolean:
 ~# <i>setsebool -P global_ssp on</i>
 </pre>
 
+</body>
+</subsection>
+<subsection>
+<title>Define the Administrator Accounts</title>
+<body>
+
+<p>
+Finally, we need to map the account(s) you use to manage your system (those
+that need access to Portage) to the <c>staff_u</c> SELinux user. By default,
+users are mapped to the <c>user_u</c> SELinux user who doesn't have the
+appropriate rights (nor access to the appropriate roles) to manage a system.
+Accounts that are mapped to <c>staff_u</c> can, but might need to switch roles
+from <c>staff_r</c> to <c>sysadm_r</c> before they are granted the appropriate
+privileges.
+</p>
+
+<p>
+Assuming that your account name is <e>john</e>:
+</p>
+
+<pre caption="Mapping the Linux account john to the SELinux user staff_u">
+~# <i>semanage login -a -s staff_u john</i>
+~# <i>restorecon -R -F /home/john</i>
+</pre>
+
+<p>
+If you later log on as <e>john</e> and want to manage your system, you will
+probably need to switch your role. You can use <c>newrole</c> for this:
+</p>
+
+<pre caption="Switching roles">
+~$ <i>id -Z</i>
+staff_u:staff_r:staff_t
+~$ <i>newrole -r sysadm_r</i>
+Password: <comment>(Enter your password)</comment>
+~$ <i>id -Z</i>
+staff_u:sysadm_r:sysadm_t
+</pre>
+
 <p>
-With that done, enjoy - your first steps into the SELinux world are now
-made.
+With that done, enjoy - your first steps into the SELinux world are now made.
 </p>
 
 </body>

next             reply	other threads:[~2011-06-02 11:55 UTC|newest]

Thread overview: 95+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-06-02 11:55 Sven Vermeulen [this message]
  -- strict thread matches above, loose matches on Subject: below --
2012-05-07 20:20 [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ Sven Vermeulen
2012-05-07 20:07 Sven Vermeulen
2012-05-05 18:56 Sven Vermeulen
2012-04-29 14:22 Sven Vermeulen
2012-04-10 18:22 Sven Vermeulen
2012-04-10 18:22 Sven Vermeulen
2012-04-10 18:22 Sven Vermeulen
2012-04-05 16:24 Sven Vermeulen
2012-03-01 20:09 Sven Vermeulen
2012-01-29 12:42 Sven Vermeulen
2012-01-21 13:20 Sven Vermeulen
2011-12-17 10:52 Sven Vermeulen
2011-12-11 14:39 Sven Vermeulen
2011-12-11 14:36 Sven Vermeulen
2011-12-10 14:00 Sven Vermeulen
2011-11-22 20:08 Sven Vermeulen
2011-11-11 19:59 Sven Vermeulen
2011-10-27 19:18 José María Alonso
2011-10-26 22:05 José María Alonso
2011-10-23 13:01 Sven Vermeulen
2011-10-19 12:55 Sven Vermeulen
2011-10-15 18:24 Sven Vermeulen
2011-10-15 17:43 Sven Vermeulen
2011-10-15 17:12 Sven Vermeulen
2011-10-15 15:54 Sven Vermeulen
2011-10-15 15:18 Sven Vermeulen
2011-10-15 13:04 Sven Vermeulen
2011-10-15 13:04 Sven Vermeulen
2011-09-30 17:36 Sven Vermeulen
2011-09-18 13:49 Sven Vermeulen
2011-09-11  9:51 Sven Vermeulen
2011-09-04 19:22 Sven Vermeulen
2011-08-16 16:58 José María Alonso
2011-08-12 21:00 Sven Vermeulen
2011-07-22 16:03 Sven Vermeulen
2011-07-21 19:11 Sven Vermeulen
2011-07-13 21:39 Sven Vermeulen
2011-07-09 18:56 Sven Vermeulen
2011-06-09 18:54 José María Alonso
2011-06-09 17:49 Sven Vermeulen
2011-06-09 17:40 Francisco Blas Izquierdo Riera
2011-06-09 17:24 Sven Vermeulen
2011-06-07 19:38 Sven Vermeulen
2011-06-07 19:26 Sven Vermeulen
2011-06-02 19:50 Sven Vermeulen
2011-06-02 11:57 Sven Vermeulen
2011-06-02 11:03 Sven Vermeulen
2011-06-02 11:03 Sven Vermeulen
2011-05-31 20:22 Sven Vermeulen
2011-05-31 20:16 Sven Vermeulen
2011-05-31 20:16 Sven Vermeulen
2011-05-24 20:39 Sven Vermeulen
2011-05-24 19:56 Sven Vermeulen
2011-05-20 19:32 Sven Vermeulen
2011-05-14 12:51 Sven Vermeulen
2011-05-13 19:43 Sven Vermeulen
2011-05-03 20:47 Sven Vermeulen
2011-05-03 20:12 Sven Vermeulen
2011-04-22 21:43 Sven Vermeulen
2011-04-22 19:30 Sven Vermeulen
2011-04-22 19:28 Sven Vermeulen
2011-04-22 19:05 Sven Vermeulen
2011-04-22 19:05 Sven Vermeulen
2011-04-22 10:32 Sven Vermeulen
2011-04-22 10:32 Sven Vermeulen
2011-04-16  9:06 Sven Vermeulen
2011-04-15 19:10 Sven Vermeulen
2011-04-15 17:52 Sven Vermeulen
2011-04-15 17:52 Sven Vermeulen
2011-04-10  7:49 Sven Vermeulen
2011-04-01 17:45 Sven Vermeulen
2011-03-09 16:54 Sven Vermeulen
2011-03-02 20:48 Sven Vermeulen
2011-03-02 20:38 Sven Vermeulen
2011-03-02 20:38 Sven Vermeulen
2011-03-02 20:13 Sven Vermeulen
2011-03-02 20:13 Sven Vermeulen
2011-03-02 20:13 Sven Vermeulen
2011-03-02 15:53 Sven Vermeulen
2011-02-24 21:19 Sven Vermeulen
2011-02-20 13:26 Sven Vermeulen
2011-02-19 17:00 Francisco Blas Izquierdo Riera
2011-02-19  3:21 Francisco Blas Izquierdo Riera
2011-02-19  3:12 Francisco Blas Izquierdo Riera
2011-02-13 18:20 Sven Vermeulen
2011-02-12 23:44 Sven Vermeulen
2011-02-12 23:44 Sven Vermeulen
2011-02-12 20:50 Sven Vermeulen
2011-02-12 20:49 Sven Vermeulen
2011-02-12 20:47 Sven Vermeulen
2011-02-12 20:47 Sven Vermeulen
2011-02-12 20:47 Sven Vermeulen
2011-02-12 17:33 Sven Vermeulen
2011-02-06 19:53 Sven Vermeulen

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:6b96109 dfblob:428ed10 )
 OR (
bs:"[gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aab31d17deaf254902e62a93d66bac29de72a1ce.SwifT@gentoo \
    --to=sven.vermeulen@siphos.be \
    --cc=gentoo-commits@lists.gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox