From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/hb-using-install.xml X-VCS-Directories: xml/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: aab31d17deaf254902e62a93d66bac29de72a1ce Date: Thu, 2 Jun 2011 11:55:00 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: f59eb1d3b5ed0a36ad24324af747d17a commit: aab31d17deaf254902e62a93d66bac29de72a1ce Author: Sven Vermeulen siphos be> AuthorDate: Thu Jun 2 11:54:09 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Thu Jun 2 11:54:09 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3Daab31d17 Add admin account during setup, people tend to forget this --- xml/selinux/hb-using-install.xml | 48 ++++++++++++++++++++++++++++++++= ++---- 1 files changed, 43 insertions(+), 5 deletions(-) diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-inst= all.xml index 6b96109..428ed10 100644 --- a/xml/selinux/hb-using-install.xml +++ b/xml/selinux/hb-using-install.xml @@ -7,8 +7,8 @@ =20 -7 -2011-05-31 +8 +2011-06-02 =20
Installing Gentoo Hardened @@ -643,7 +643,7 @@ correctly. For instance, if you have installed -Reboot +Reboot and Set SELinux Booleans =20

@@ -655,9 +655,47 @@ hardened sources (as we recommended), enable the SSP= SELinux boolean: ~# setsebool -P global_ssp on =20 + + + +Define the Administrator Accounts + + +

+Finally, we need to map the account(s) you use to manage your system (th= ose +that need access to Portage) to the staff_u SELinux user. By defa= ult, +users are mapped to the user_u SELinux user who doesn't have the +appropriate rights (nor access to the appropriate roles) to manage a sys= tem. +Accounts that are mapped to staff_u can, but might need to switch= roles +from staff_r to sysadm_r before they are granted the appro= priate +privileges. +

+ +

+Assuming that your account name is john: +

+ +
+~# semanage login -a -s staff_u john
+~# restorecon -R -F /home/john
+
+ +

+If you later log on as john and want to manage your system, you w= ill +probably need to switch your role. You can use newrole for this: +

+ +
+~$ id -Z
+staff_u:staff_r:staff_t
+~$ newrole -r sysadm_r
+Password: (Enter your password)
+~$ id -Z
+staff_u:sysadm_r:sysadm_t
+
+

-With that done, enjoy - your first steps into the SELinux world are now -made. +With that done, enjoy - your first steps into the SELinux world are now = made.

=20
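Review bot: In the newrole example at the end of this hunk, the prompt is still "~$" after the switch to sysadm_r, yet the surrounding text says the account can now manage the system. newrole changes only the SELinux role, not the Linux user ID, so a reader following this literally ends up as john in sysadm_r without root privileges and still cannot run Portage. Suggest adding one sentence that the user also has to become root (su or sudo) and stating in which order that and the role switch should happen. It would also help to show a check that the mapping was stored, for example "semanage login -l", right after the "semanage login -a -s staff_u john" line, and to say that the mapping only applies to sessions started after it was added, since the text relies on "If you later log on as john" to imply that.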