From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/selinux/
Date: Tue, 31 May 2011 20:28:29 +0000 (UTC)
Message-ID: <b53fa7fbcbed84ecd3eacba62a2b009f5fda7216.SwifT@gentoo>

commit:     b53fa7fbcbed84ecd3eacba62a2b009f5fda7216
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 31 20:26:03 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 31 20:26:03 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=b53fa7fb

Updating previews

---
 html/selinux/hb-appendix-reference.html |   22 +++++++++++++++++++++-
 html/selinux/hb-using-commands.html     |   20 ++++++++++++++++----
 html/selinux/hb-using-install.html      |    9 +--------
 3 files changed, 38 insertions(+), 13 deletions(-)

diff --git a/html/selinux/hb-appendix-reference.html b/html/selinux/hb-appendix-reference.html
index 9743573..986c98f 100644
--- a/html/selinux/hb-appendix-reference.html
+++ b/html/selinux/hb-appendix-reference.html
@@ -63,9 +63,29 @@
     O'Reilly Media, 2004; ISBN 0596007167
   </li>
 </ul>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+            </span>Gentoo Specific Resources</p>
+<p class="secthead"><a name="doc_chap1_sect1">Gentoo Hardened</a></p>
+<p>
+The following resources are specific towards Gentoo Hardened's SELinux
+implementation. 
+</p>
+<ul>
+  <li>
+    <a href="selinux-faq.html">SELinux Frequently Asked
+    Questions</a>
+  </li>
+  <li>
+    <a href="selinux-development.html">SELinux Development
+    Guidelines</a>
+  </li>
+  <li>
+    <a href="selinux-policy.html">SELinux Policy</a>
+  </li>
+</ul>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated January 7, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>
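Review bot: the new paragraph under "Gentoo Hardened" has trailing whitespace after "implementation." and "specific towards" should read "specific to"; since this commit only refreshes generated previews, the fix belongs in the source document that produced this HTML, otherwise the next regeneration brings it back. The three new links (selinux-faq.html, selinux-development.html, selinux-policy.html) are relative to html/selinux/, so please confirm those files exist in that directory before the appendix ships with dead links.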

diff --git a/html/selinux/hb-using-commands.html b/html/selinux/hb-using-commands.html
index 50642a5..d9b6904 100644
--- a/html/selinux/hb-using-commands.html
+++ b/html/selinux/hb-using-commands.html
@@ -262,8 +262,14 @@ system_u            system_u
 </table>
 <p>
 The default behavior is that users are logged on as the <span class="emphasis">user_u</span> SELinux
-user. If you want to allow another user (say <span class="code" dir="ltr">anna</span>) to log on as
-<span class="code" dir="ltr">staff_u</span>:
+user. This SELinux user is a non-administrator user: it has no specific
+privileges and should be used for every account that never requires elevated
+privileges (so no <span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span> rights for anything).
+</p>
+<p>
+The account you use to administer your system should be mapped to the
+<span class="code" dir="ltr">staff_u</span> SELinux user (or its own user with the appropriate roles). This
+can be accomplished as follows (example with the Unix account <span class="emphasis">anna</span>):
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Letting 'anna' log on as 'staff_u'</p></td></tr>
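Review bot: in the second new paragraph, "(or its own user with the appropriate roles)" is ambiguous, since it reads as if the Unix account itself is the SELinux user; suggest "(or to a dedicated SELinux user that has the appropriate roles)". The paragraph also tells readers to map their administrative account to staff_u without mentioning here that staff_u must still switch to sysadm_r to administer anything, which the Important note added further down states; a short forward reference would keep readers from expecting staff_u alone to suffice. Minor: the generated title "Code Listing1.1" lacks the space before the number, which is worth checking in the generator rather than patching in the HTML.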
@@ -271,8 +277,14 @@ user. If you want to allow another user (say <span class="code" dir="ltr">anna</
 ~# <span class="code-input">semanage login -a -s staff_u anna</span>
 </pre></td></tr>
 </table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
+Make sure that whatever account you use to administer your system is mapped to
+the <span class="code" dir="ltr">staff_u</span> user, or has the ability to switch to the <span class="code" dir="ltr">sysadm_r</span>
+role. Portage only works from within the <span class="code" dir="ltr">sysadm_r</span> role.
+</p></td></tr></table>
 <p>
-SELinux users then can be configured to belong to one or more roles.
+As mentioned, SELinux users are configured to be able to join in on one or more
+roles. To list the available roles, you can use <span class="code" dir="ltr">semanage user -l</span>:
 </p>
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing login / role mappings</p></td></tr>
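Review bot: the new sentence "To list the available roles, you can use semanage user -l" sits above a listing still titled "Listing login / role mappings"; `semanage user -l` shows SELinux users and the roles they may take, while login-to-SELinux-user mappings come from `semanage login -l`, so either retitle the listing or state which command its output shows. "join in on one or more roles" is awkward; suggest "be assigned one or more roles". Also, both listings in this section carry the same anchor name="doc_chap1_pre1" and the same number "Code Listing1.1", so the second anchor is unreachable and the numbering is wrong; that looks like a generator issue to fix at the source.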
@@ -340,7 +352,7 @@ require you to enter the regular users' password.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 22, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>

diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index 6b41e61..2ce4dfe 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -119,13 +119,6 @@ the following settings to the right file (for instance
 <a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
 <tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux ~arch packages</p></td></tr>
 <tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-sys-libs/libselinux
-sys-apps/policycoreutils
-sys-libs/libsemanage
-sys-libs/libsepol
-app-admin/setools
-dev-python/sepolgen
-sys-apps/checkpolicy
 sec-policy/*
 =sys-process/vixie-cron-4.1-r11
 </pre></td></tr>
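Review bot: this hunk drops seven of the nine entries from the "SELinux ~arch packages" listing, but the commit message ("Updating previews") does not say why; if these packages have gone stable, say so in the commit, and check that the surrounding prose, which introduces "the following settings", still reads correctly against a listing that now contains only sec-policy/* and a single cron atom. The remaining `=sys-process/vixie-cron-4.1-r11` pins an exact revision, so that keyword entry stops matching as soon as the ebuild is revision-bumped; consider whether a less specific atom or a note telling readers to update it serves them better.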
@@ -586,7 +579,7 @@ made.
 </p>
 </td>
 <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 14, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr>
 <tr lang="en"><td align="center" class="topsep">
 <p class="alttext"><b>Donate</b> to support our development efforts.
         </p>