public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-09 17:09 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-09 17:09 UTC
  To: gentoo-commits

commit:     be0d11a228feb80ebea1d47bd95f6ad6a2a5dfee
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul  9 17:07:28 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jul  9 17:07:28 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=be0d11a2

Link to bind/ldap descriptions

---
 xml/selinux/modules/index.xml |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/xml/selinux/modules/index.xml b/xml/selinux/modules/index.xml
index 067f104..1210604 100644
--- a/xml/selinux/modules/index.xml
+++ b/xml/selinux/modules/index.xml
@@ -19,7 +19,7 @@ modules and how to work with them.
 <license/>
 
 <version>1</version>
-<date>2011-06-02</date>
+<date>2011-07-09</date>
 
 <chapter>
 <title>Modules</title>
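Review bot: the `<date>` is bumped to 2011-07-09 but `<version>1</version>` on the line above it is left untouched; since the page content changes in the same commit (new list entries below), consider bumping the version together with the date so readers and mirrors can tell the page was revised.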
@@ -57,6 +57,8 @@ detail.
 <body>
 
 <ul>
+  <li><uri link="bind.xml">BIND server</uri> (bind)</li>
+  <li><uri link="ldap.xml">LDAP servers</uri> (openldap)</li>
   <li><uri link="apache.xml">Web servers</uri> (apache, lighttpd)</li>
 </ul>
 
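Review bot: the two new `<uri link="bind.xml">` and `<uri link="ldap.xml">` entries point at files this commit does not add (the stat shows only `index.xml` changed); confirm both pages are already in the tree, otherwise the index now carries two dead links. Note also that the list is ordered by display name (BIND, LDAP, Web servers) rather than by link file name, which is fine as long as later entries follow the same rule.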



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-12-22 12:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-12-22 12:58 UTC
  To: gentoo-commits

commit:     e4f04e14465866f91e580ce149eb8c9b9fc05cbf
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Dec 22 12:57:44 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Dec 22 12:57:44 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e4f04e14

Drop module information, is now over at wiki.g.o

---
 xml/selinux/modules/apache.xml  |  586 ---------------------------------------
 xml/selinux/modules/bind.xml    |  132 ---------
 xml/selinux/modules/cron.xml    |  389 --------------------------
 xml/selinux/modules/index.xml   |   69 -----
 xml/selinux/modules/ldap.xml    |  105 -------
 xml/selinux/modules/portage.xml |  325 ----------------------
 xml/selinux/modules/ssh.xml     |  102 -------
 7 files changed, 0 insertions(+), 1708 deletions(-)

diff --git a/xml/selinux/modules/apache.xml b/xml/selinux/modules/apache.xml
deleted file mode 100644
index 4d6350e..0000000
--- a/xml/selinux/modules/apache.xml
+++ /dev/null
@@ -1,586 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/apache.xml" lang="en">
-<title>SELinux Apache Module</title>
-<author title="Author">
-  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the apache module is responsible for defining the
-web server related domains and privileges. It is not tied to Apache, despite
-its name.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-06-02</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/apachedomain.png" short="General Apache domain overview"
-caption="General Apache domain overview" />
-
-<p>
-The <c>apache</c> module provides the following domains:
-</p>
-
-<table>
-<tr>
-  <th>Domain</th>
-  <th>Process(es)</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>httpd_t</ti>
-  <ti>apache<br />lighttpd</ti>
-  <ti>Webserver processes</ti>
-</tr>
-<tr>
-  <ti>httpd_helper_t</ti>
-  <ti>htsslpass</ti>
-  <ti>Domain for the htsslpass process</ti>
-</tr>
-<tr>
-  <ti>httpd_php_t</ti>
-  <ti>php-cgi</ti>
-  <ti>Domain for PHP support through CGI (php-cgi process)</ti>
-</tr>
-<tr>
-  <ti>httpd_rotatelogs_t</ti>
-  <ti>rotatelogs</ti>
-  <ti>Domain for the rotatelogs process</ti>
-</tr>
-<tr>
-  <ti>httpd_suexec_t</ti>
-  <ti>suexec</ti>
-  <ti>
-    Domain used by the webserver suexec process to switch to another user
-    before calling and executing a script
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_sys_script_t</ti>
-  <ti></ti>
-  <ti>Domain used by the system/package-provided CGI scripts</ti>
-</tr>
-<tr>
-  <ti>httpd_user_script_t</ti>
-  <ti></ti>
-  <ti>Domain used by the user-provided CGI scripts</ti>
-</tr>
-</table>
-
-<impo>
-The <c>apache</c> module allows other modules to define their own domains and
-types for use by the webservers. This is done through templates. The reference
-policy by default enabled two of such templated sets for <e>user</e> and
-<e>sys</e>, which you can see in domains like <c>httpd_sys_script_t</c> and
-<c>httpd_user_script_t</c>. It is very well possible that on your system, more
-of these template-instantiated domains exist.
-</impo>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>apache</c>
-module.
-</p>
-
-<ul>
-  <li>
-    If the function mentions <e>(templated)</e> then it means that the types
-    are generated by the <c>apache</c> module, but that similar others might
-    exist on your system (called through other modules).
-  </li>
-  <li>
-    When talking about <e>scripts</e>, we mean CGI scripts or other scripts that
-    are triggered from the webserver, not from an interactive shell session.
-  </li>
-</ul>
-
-
-
-<table>
-<tr>
-  <th>Type</th>
-  <th>Function</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>httpd_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the webserver processes</ti>
-</tr>
-<tr>
-  <ti>httpd_initrc_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the webserver init scripts</ti>
-</tr>
-<tr>
-  <ti>httpd_helper_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the webserver helper processes</ti>
-</tr>
-<tr>
-  <ti>httpd_php_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the PHP scripts</ti>
-</tr>
-<tr>
-  <ti>httpd_rotatelogs_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the rotatelog helper</ti>
-</tr>
-<tr>
-  <ti>httpd_suexec_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the suexec wrapper</ti>
-</tr>
-<tr>
-  <ti>httpd_sys_script_exec_t</ti>
-  <ti>Entrypoint (templated)</ti>
-  <ti>
-    Entrypoint for system CGI scripts (or other callable scripts) that need
-    access to the system content files (httpd_sys_content_t)
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_user_script_exec_t</ti>
-  <ti>Entrypoint (templated)</ti>
-  <ti>
-    Entrypoint for the user-provided scripts callable from the webserver instances
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_squirrelmail_t</ti>
-  <ti>Content</ti>
-  <ti>Squirrelmail files</ti>
-</tr>
-<tr>
-  <ti>squirrelmail_spool_t</ti>
-  <ti>Content</ti>
-  <ti>Squirrelmail attachment location</ti>
-</tr>
-<tr>
-  <ti>httpd_sys_content_t</ti>
-  <ti>Content (templated)</ti>
-  <ti>
-    Readable content for the webservers and system scripts, offered through 
-    the system / packages.
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_sys_htaccess_t</ti>
-  <ti>Content (templated)</ti>
-  <ti>
-    Label for the htaccess files, readable by the webserver but not from scripts
-    or other webserver related domains.
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_sys_rw_content_t</ti>
-  <ti>Content (templated)</ti>
-  <ti>
-    Read and writeable content for the webservers and system scripts (not user
-    scripts). 
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_sys_ra_content_t</ti>
-  <ti>Content (templated)</ti>
-  <ti>
-    Read and appendable content for the webservers and system scripts (not user
-    scripts).
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_user_content_t</ti>
-  <ti>Content (templated)</ti>
-  <ti>
-    Readable content for the webservers and user scripts, offered by (and
-    writeable by) users.
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_user_htaccess_t</ti>
-  <ti>Content (templated)</ti>
-  <ti>
-    Label for the htaccess files, readable by the webserver but not from scripts
-    or other webserver related domains.
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_user_rw_content_t</ti>
-  <ti>Content (templated)</ti>
-  <ti>
-    Read and writeable content for the webservers and user scripts (not system 
-    scripts).
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_user_ra_content_t</ti>
-  <ti>Content (templated)</ti>
-  <ti>
-    Read and appendable content for the webservers and user scripts (not system
-    scripts).
-  </ti>
-</tr>
-<tr>
-  <ti>httpd_php_tmp_t</ti>
-  <ti>Temporary Files</ti>
-  <ti>Temporary files from the PHP scripts</ti>
-</tr>
-<tr>
-  <ti>httpd_suexec_tmp_t</ti>
-  <ti>Temporary Files</ti>
-  <ti>Temporery files for the suexec domain</ti>
-</tr>
-<tr>
-  <ti>httpd_tmp_t<br />httpd_tmpfs_t</ti>
-  <ti>Temporary Files</ti>
-  <ti>Temporary files from the httpd domain</ti>
-</tr>
-
-<tr>
-  <ti>httpd_cache_t</ti>
-  <ti></ti>
-  <ti>Web server cache</ti>
-</tr>
-<tr>
-  <ti>httpd_config_t</ti>
-  <ti></ti>
-  <ti>Configuration files</ti>
-</tr>
-<tr>
-  <ti>httpd_lock_t</ti>
-  <ti></ti>
-  <ti>Lock files</ti>
-</tr>
-<tr>
-  <ti>httpd_log_t</ti>
-  <ti></ti>
-  <ti>Web server log files</ti>
-</tr>
-<tr>
-  <ti>httpd_modules_t</ti>
-  <ti></ti>
-  <ti>Webserver modules</ti>
-</tr>
-<tr>
-  <ti>httpd_var_lib_t</ti>
-  <ti></ti>
-  <ti>Webserver libraries</ti>
-</tr>
-<tr>
-  <ti>httpd_var_run_t</ti>
-  <ti></ti>
-  <ti>Runtime files for httpd</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-<chapter>
-<title>Using Apache</title>
-<section>
-<title>File Locations</title>
-<body>
-
-<p>
-The policy offered only contains the right file context rules for the default
-locations. If you deviate from these locations, you'll need to update the
-contexts accordingly.
-</p>
-
-<p>
-The following table provides an overview of common Apache settings (variables in
-<path>httpd.conf</path>) that are often changed by end users, and the file 
-context that it should have. If you use a different webserver you'll need to
-base it on the description instead.
-</p>
-
-<table>
-<tr>
-  <th>Setting in httpd.conf</th>
-  <th>Description</th>
-  <th>Default Location</th>
-  <th>File Context(s)</th>
-</tr>
-<tr>
-  <ti>DocumentRoot</ti>
-  <ti>Location where web content is stored (html pages and such)</ti>
-  <ti>/srv/localhost/www</ti>
-  <ti>system_u:object_r:httpd_sys_content_t</ti>
-</tr>
-<tr>
-  <ti>Document</ti>
-  <ti>Location where CGI scripts are stored</ti>
-  <ti>/srv/localhost/cgi-bin</ti>
-  <ti>system_u:object_r:httpd_sys_script_exec_t</ti>
-</tr>
-<tr>
-  <ti>Directory</ti>
-  <ti>User home directory location where user-provided content is stored</ti>
-  <ti>/home/*/public_html</ti>
-  <ti>system_u:object_r:httpd_user_content_t</ti>
-</tr>
-<tr>
-  <ti>Directory</ti>
-  <ti>User home directory location where user-provided CGI scripts are stored</ti>
-  <ti>/home/*/public_html/cgi-bin</ti>
-  <ti>system_u:object_r:httpd_user_script_exec_t</ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>Sharing Files</title>
-<body>
-
-<p>
-The SELinux policy (as part of the <c>miscfiles</c> module) supports two
-additional types: <c>public_content_t</c> and <c>public_content_rw_t</c>. These
-are used for what is called <e>anonymous files</e> which are readable by all
-file-serving services. If all services only need to read from it, then
-<c>public_content_t</c> is used. If at least one services needs to write to it,
-use <c>public_content_rw_t</c> and toggle the right SELinux boolean for the
-domain that needs write access to it (<c>allow_DOMAIN_anon_write</c>).
-</p>
-
-<p>
-For instance, if you have files that are shared by Apache, NFS, Samba, ... you
-label these <c>public_content_t</c> (read-only) or <c>public_content_rw_t</c>
-(read-write for some) and then toggle the appropriate booleans:
-</p>
-
-<pre caption="Enable write access for the httpd_sys_script_t domain to the public_content_rw_t domain">
-~# <i>setsebool -P allow_httpd_sys_script_anon_write on</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Booleans</title>
-<body>
-
-<p>
-The <c>apache</c> module has several booleans which manipulate the allowed
-permissions within your installation. The table below gives an overview of the
-booleans, but also mentions which USE flags you <e>could</e> associate with it.
-Note that the booleans are <e>not</e> linked to USE flags. However, if you have
-set a particular USE flag for the webserver environment, then you might want to
-toggle these booleans as well.
-</p>
-
-<table>
-<tr>
-  <th>Boolean</th>
-  <th>Description</th>
-  <th>Gentoo USE flag suggestion</th>
-</tr>
-<tr>
-  <ti>allow_httpd_anon_write</ti>
-  <ti>
-    Allow the webserver to modify public files (labeled
-    <c>public_content_rw_t</c>)
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>allow_httpd_sys_script_anon_write</ti>
-  <ti>
-    Allow the system scripts to modify public files
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>allow_httpd_user_script_anon_wriet</ti>
-  <ti>
-    Allow the user scripts to modify public files
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>allow_httpd_mod_auth_pam</ti>
-  <ti>
-    Allow the webserver to use the auth_pam module
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_builtin_scripting</ti>
-  <ti>
-    Needed when your webservers use internal scripting languages like PHP
-    (languages that are read and interpreted by the webserver directly rather than
-    called through separate processes like with CGI)
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_can_network_connect</ti>
-  <ti>
-    Allow the webserver scripts and modules to connect to the network
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_can_network_connect_db</ti>
-  <ti>
-    Allow the webserver scripts and modules to connect to databases over the
-    network
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_can_network_relay</ti>
-  <ti>
-    Allow webservers to act as a relay
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_can_sendmail</ti>
-  <ti>
-    Allow webservers to send e-mails
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_dbus_avahi</ti>
-  <ti>
-    Allow webservers to communicate with avahi service via dbus
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_enable_cgi</ti>
-  <ti>
-    Allow webservers to call CGI scripts (labeled <c>httpd_sys_script_exec_t</c>
-    or <c>httpd_user_script_exec_t</c>)
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_enable_ftp_server</ti>
-  <ti>
-    Allow webservers to act as an FTP server by listening on the FTP ports
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_enable_homedirs</ti>
-  <ti>
-    Allow webservers to read home directories (<c>user_home_t</c>). Not to be
-    mistaken with <c>httpd_user_content_t</c>, which resides in the users' home
-    directory but is labeled, well, <c>httpd_user_content_t</c> ;-)
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_ssi_exec</ti>
-  <ti>
-    Allow webservers to run SSI executables in the same domain as the CGI
-    scripts
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_tty_com</ti>
-  <ti>
-    Unify webservers to communicate with the terminal. This is needed when you
-    need to enter a passphraze for certificates at the terminal.
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_unified</ti>
-  <ti>
-    When enabled, the various webserver content types (all types with attribute
-    <c>httpdcontent</c> set) are not differentiated anymore, but all considered
-    to be readable, writeable and executable by the webserver.
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_use_cifs</ti>
-  <ti>
-    Allow webservers to access CIFS file systems
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_use_gpg</ti>
-  <ti>
-    Allow webservers to run gpg
-  </ti>
-  <ti />
-</tr>
-<tr>
-  <ti>httpd_use_nfs</ti>
-  <ti>
-    Allow webservers to access NFS file systems
-  </ti>
-  <ti />
-</tr>
-</table>
-
-<p>
-If you want to toggle booleans, you can do so through <c>setsebool</c>:
-</p>
-
-<pre caption="Enabling the gentoo_try_dontaudit boolean">
-<comment>( With the -P flag, the boolean state is persisted across reboots)</comment>
-~# <i>setsebool -P httpd_enable_homedirs on</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Ports</title>
-<body>
-
-<p>
-If you need to run the webserver on a non-default port, you can either mark this
-port as an HTTP port (<c>http_port_t</c>) or create the appropriate rule to allow
-it to bind to the specified port.
-</p>
-
-<p>
-To mark a particular port (say 81) as an HTTP port, use <c>semanage</c>:
-</p>
-
-<pre caption="Labeling port 81 as http_port_t">
-~# <i>semanage port -a -t http_port_t -p tcp 81</i>
-</pre>
-
-<p>
-If you need to allow the webserver to bind on a port but are not allowed to
-modify that ports' type, you'll need to create a policy that allows the
-<c>httpd_t</c> domain to bind to the particular port. For instance, to allow it
-to bind on the SMTP port:
-</p>
-
-<pre caption="Allow rules to allow httpd_t to bind on SMTP ports">
-allow httpd_t smtp_port_t:tcp_socket name_bind;
-</pre>
-
-</body>
-</section>
-</chapter>
-</guide>
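Review bot: several defects in the text being dropped here should not be carried over into the wiki copy the commit message points to: the boolean row `<ti>allow_httpd_user_script_anon_wriet</ti>` misspells the boolean (the `allow_DOMAIN_anon_write` pattern given in the Sharing Files section yields `allow_httpd_user_script_anon_write`), the `<pre caption="Enabling the gentoo_try_dontaudit boolean">` caption does not match the `setsebool -P httpd_enable_homedirs on` command it wraps, and the `httpd.conf` table has a setting name `Document` in the CGI-script row that looks truncated. Worth checking that the migrated page has these fixed rather than copied verbatim.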

diff --git a/xml/selinux/modules/bind.xml b/xml/selinux/modules/bind.xml
deleted file mode 100644
index 25c2a11..0000000
--- a/xml/selinux/modules/bind.xml
+++ /dev/null
@@ -1,132 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/bind.xml" lang="en">
-<title>SELinux Bind Module</title>
-<author title="Author">
-  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the bind module is responsible for defining the BIND
-domains and interactions.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/binddomain.png" short="General Bind domain overview"
-caption="General Bind domain overview" />
-
-<p>
-The <c>named_t</c> domain can only be transitioned towards through the
-<c>initrc_t</c> domain (i.e. through init scripts). The <c>ndc_t</c> domain
-(for the named domain controller) can be transitioned towards through the
-<c>initrc_t</c> and <c>sysadm_t</c> (general system administration) domains.
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>bind</c>
-module.
-</p>
-
-<table>
-<tr>
-  <th>Type</th>
-  <th>Function</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>named_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint domain for the named binaries</ti>
-</tr>
-<tr>
-  <ti>named_initrc_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint domain for non-Gentoo init scripts</ti>
-</tr>
-<tr>
-  <ti>named_checkconf_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the checkconf binary</ti>
-</tr>
-<tr>
-  <ti>ndc_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the ndc binaries</ti>
-</tr>
-<tr>
-  <ti>dnssec_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for the key files used by the named daemon</ti>
-</tr>
-<tr>
-  <ti>named_zone_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for the primary zone files</ti>
-</tr>
-<tr>
-  <ti>named_cache_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for the cached zone files</ti>
-</tr>
-<tr>
-  <ti>named_conf_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for the named configuration files</ti>
-</tr>
-<tr>
-  <ti>named_log_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for the named log files</ti>
-</tr>
-<tr>
-  <ti>named_tmp_t</ti>
-  <ti></ti>
-  <ti>Label for the named temporary files</ti>
-</tr>
-<tr>
-  <ti>named_var_run_t</ti>
-  <ti></ti>
-  <ti>Label for the named runtime variable data</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-<chapter>
-<title>Using Bind</title>
-<section>
-<title>SELinux boolean: named_write_master_zones</title>
-<body>
-
-<p>
-The <c>named</c> policy offers one boolean called
-<c>named_write_master_zones</c> which, when enabled, allows the named daemon to
-write to its master zone files (i.e. <c>named_zone_t</c>). This is used in
-master/slave setups.
-</p>
-
-</body>
-</section>
-</chapter>
-</guide>
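Review bot: the `named_log_t` row is filed under Function `Configuration` together with the zone and config types, whereas the tmp and var_run rows leave the cell empty like the other module pages do, and the Using Bind section speaks of "the `<c>named</c>` policy" while the rest of the page calls it the `bind` module. Minor, but both are worth normalising in the wiki version instead of preserving the inconsistency.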

diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml
deleted file mode 100644
index e909ff8..0000000
--- a/xml/selinux/modules/cron.xml
+++ /dev/null
@@ -1,389 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/cron.xml" lang="en">
-<title>SELinux cron Module</title>
-<author title="Author">
-  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the cron module is responsible for defining the scheduling
-domains and interactions.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
-<license version="3.0"/>
-
-<version>3</version>
-<date>2011-12-14</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/crondomain.png" short="General cron domain overview"
-caption="General cron domain overview" />
-
-<p>
-The cron daemon itself (like <c>vixie-cron</c>) runs in the <e>crond_t</e>
-domain. Depending on the cron daemon used, this daemon either immediately
-executes the jobs (hence its ability to transition to various other domains) or
-does this through an intermediate domain (<e>system_cronjob_t</e> for system
-cronjobs and <e>cronjob_t</e> for user cronjobs).
-</p>
-
-<p>
-The <e>crontab_t</e> and <e>admin_crontab_t</e> domains are used by the users
-(and administrators) for maintaining their crontab files. These files are read
-in by the cron daemon.
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>cron</c>
-module (part of the base policy).
-</p>
-
-<table>
-<tr>
-  <th>Type</th>
-  <th>Function</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>cronjob_t</ti>
-  <ti>Domain</ti>
-  <ti>Domain for end user cronjobs</ti>
-</tr>
-<tr>
-  <ti>system_cronjob_t</ti>
-  <ti>Domain</ti>
-  <ti>Domain for system cronjobs</ti>
-</tr>
-<tr>
-  <ti>crond_t</ti>
-  <ti>Domain</ti>
-  <ti>Domain for the cron daemon</ti>
-</tr>
-<tr>
-  <ti>admin_crontab_t</ti>
-  <ti>Domain</ti>
-  <ti>Domain for administrator-started crontab commands</ti>
-</tr>
-<tr>
-  <ti>crontab_t</ti>
-  <ti>Domain</ti>
-  <ti>Domain for user-started crontab commands</ti>
-</tr>
-<tr>
-  <ti>crond_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the cron daemon binaries</ti>
-</tr>
-<tr>
-  <ti>crontab_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Entrypoint for the crontab commands</ti>
-</tr>
-<tr>
-  <ti>cron_spool_t</ti>
-  <ti>Configuration</ti>
-  <ti>Spool files (where the user crontab files are in)</ti>
-</tr>
-<tr>
-  <ti>user_cron_spool_t</ti>
-  <ti>Configuration</ti>
-  <ti>Spool files (for the user crontab files)</ti>
-</tr>
-<tr>
-  <ti>system_cron_spool_t</ti>
-  <ti>Configuration</ti>
-  <ti>Spool files (where the system crontab files are in)</ti>
-</tr>
-<tr>
-  <ti>cron_var_lib_t</ti>
-  <ti></ti>
-  <ti>Label for cron's /var/lib items</ti>
-</tr>
-<tr>
-  <ti>cron_var_run_t</ti>
-  <ti></ti>
-  <ti>Label for cron's /var/run items</ti>
-</tr>
-<tr>
-  <ti>cron_log_t</ti>
-  <ti></ti>
-  <ti>Label for cron's logfiles (/var/log/cron)</ti>
-</tr>
-<tr>
-  <ti>crond_tmp_t</ti>
-  <ti></ti>
-  <ti>Label for the cron daemon's temporary files</ti>
-</tr>
-<tr>
-  <ti>crond_var_run_t</ti>
-  <ti></ti>
-  <ti>Label for the cron daemon's /var/run items</ti>
-</tr>
-<tr>
-  <ti>system_cronjob_lock_t</ti>
-  <ti></ti>
-  <ti>Label for the system cronjobs' lock files</ti>
-</tr>
-<tr>
-  <ti>system_cronjob_tmp_t</ti>
-  <ti></ti>
-  <ti>Label for the system cronjobs' temporary files</ti>
-</tr>
-<tr>
-  <ti>admin_crontab_tmp_t</ti>
-  <ti></ti>
-  <ti>
-    Label for temporary files created by a system administrators' crontab
-    command
-  </ti>
-</tr>
-<tr>
-  <ti>crontab_tmp_t</ti>
-  <ti></ti>
-  <ti>Label for temporary files created by a users' crontab command</ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>Booleans</title>
-<body>
-
-<p>
-The <c>cron</c> domain supports the following SELinux booleans, which can be set
-/ unset using the standard <c>setsebool</c> statements.
-</p>
-
-<table>
-<tr>
-  <th>Boolean</th>
-  <th>Default</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>cron_can_relabel</ti>
-  <ti>false</ti>
-  <ti>
-    Allow jobs running in the <e>system_cronjob_t</e> domain to relabel files
-    and directories. When set, these jobs can also call the <c>setfiles</c> and 
-    <c>restorecon</c> commands.
-  </ti>
-</tr>
-<tr>
-  <ti>fcron_crond</ti>
-  <ti>false</ti>
-  <ti>
-    Needed to set more privileges for the cron domains in case <c>fcron</c> is
-    used as a cron daemon. These privileges are not necessary for other cron
-    daemons and as such are "behind" this boolean.
-  </ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-<chapter>
-<title>Using Cron</title>
-<section>
-<title>System Administration</title>
-<body>
-
-<p>
-If you want to perform system administrative tasks using cronjobs, you will need
-to take special care that the domain in which the job runs has sufficient
-privileges.
-</p>
-
-<p>
-First, make sure that your cronjobs run in the <e>system_cronjob_t</e> domains.
-This means that the cronjobs must be defined as either
-</p>
-
-<ul>
-  <li>
-    scripts in the <path>/etc/cron.hourly</path>, <path>/etc/cron.daily</path>,
-    ... directories
-  </li>
-  <li>
-    crontab entries in the <path>/etc/cron.d</path> directory
-  </li>
-  <li>
-    crontab entries in the <path>/etc/crontab</path> file
-  </li>
-</ul>
-
-<p>
-Second, make sure that your <path>/etc/crontab</path> uses <c>HOME=/</c>.
-Setting this to another <c>HOME</c> directory might confuse some applications.
-With SELinux enabled, this could cause those applications to try and read the
-root users' home directory, which isn't allowed by policy.
-</p>
-
-<p>
-Next, verify that the commands you want to run (and thus their target domain in
-which they will run) are allowed for the <e>system_cronjob_t</e> domain.
-</p>
-
-<pre caption="Validationg the system_cronjob_t privileges">
-<comment># Example to verify if we can call emerge</comment>
-~# <i>sesearch -s system_cronjob_t -t portage_t -A</i>
-Found 1 semantic av rules:
-  allow system_cronjob_t portage_t : process transition;
-</pre>
-
-<p>
-If the domain does not have the necessary privileges, you need to update the
-policy. More information on maintaining the SELinux policy can be found in the
-<uri link="http://hardened.gentoo.org/selinux/selinux-handbook.xml">Gentoo
-Hardened SELinux Handbook</uri>. 
-</p>
-
-<p>
-An example policy file to allow executing <c>dmesg</c>:
-</p>
-
-<pre caption="Allowing system_cronjob_t to execute dmesg">
-policy_module(fixcron, 1.0)
-
-require {
-  type dmesg_t;
-}
-
-cron_system_entry(dmesg_t)
-</pre>
-
-<p>
-For more information or help with managing your policies, do not hesitate to
-drop by on <c>#gentoo-hardened</c> in <c>irc.freenode.net</c>.
-</p>
-
-</body>
-</section>
-<section>
-<title>User (incl. root) Cronjobs</title>
-<body>
-
-<impo>
-Part of this is for vixie-cron users with USE="ubac" set, but even if this is
-not the case it is still pertinent (cfr. the default_contexts issue).
-</impo>
-
-<p>
-When working with end user crontabs (those triggered / managed through the
-<c>crontab</c> command), you must take care that you do this as the <e>SELinux
-user</e> which is associated with the file (this is a result of the SELinux User
-Based Access Control, aka <e>UBAC</e>). In other words, if you want to edit the
-root users' <path>crontab</path> file, you need to be the <c>root</c> SELinux
-user (and not a staff user that <c>su</c>/<c>sudo</c>'ed into root).
-</p>
-
-<p>
-If this was not done correctly, you will get the following error:
-</p>
-
-<pre caption="Error due to mismatch on SELinux user">
-cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
-</pre>
-
-<p>
-Verify that the file's user and SELinux user match:
-</p>
-
-<pre caption="Verify that the SELinux user and file user ownership matches">
-~# <i>ls -Z /var/spool/cron/crontabs/root</i>
-staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
-
-~# <i>semanage login -l | grep root</i>
-root              root
-</pre>
-
-<p>
-In the above case, the root Unix account (cfr filename of the crontab file) is
-mapped to the root SELinux user (cfr second "root" in the <c>semanage login
--l</c> output). However, the SELinux user of the crontab file is <e>staff_u</e>
-instead of <e>root</e>, which is why the failure occurred.
-</p>
-
-<p>
-To fix this, use <c>chcon</c>:
-</p>
-
-<pre caption="Fix the crontab SELinux user ownership">
-~# <i>chcon -u root /var/spool/cron/crontabs/root</i>
-</pre>
-
-<p>
-Another problem that you might see is immediately at startup:
-</p>
-
-<pre caption="Entrypoint failure on crontab">
-cron[26653]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
-</pre>
-
-<p>
-In this case, even if the user of the file is correct, it is most likely due to
-the <path>/etc/selinux/*/contexts/default_context</path> file containing an
-incorrect definition. Look at the cron-related line and verify that each
-mentioned context is valid. For instance:
-</p>
-
-<pre caption="Verify if contexts are valid">
-<comment># Verify the context "system_r:cronjob_t:s0"</comment>
-~# <i>seinfo -rsystem_r -x | grep cronjob</i>
-  system_cronjob_t
-</pre>
-
-<p>
-In the above case, <e>cronjob_t</e> is not valid, but <e>system_cronjob_t</e> is.
-</p>
-
-</body>
-</section>
-<section>
-<title>Reporting Cron and SELinux Issues</title>
-<body>
-
-<p>
-If you have an issue with cron and believe that it is related to SELinux, please
-also give the output of the following command:
-</p>
-
-<pre caption="Getting the initial context from crond_t">
-<comment># Get the domain under which system-level jobs will run</comment>
-~# <i>getseuser system_u system_u:system_r:crond_t</i>
-seuser:  system_u, level (null)
-Context 0        system_u:system_r:system_cronjob_t
-
-<comment># Get the domain under which user-level jobs will run</comment>
-~# <i>getseuser john system_u:system_r:crond_t</i>
-seuser:  user_u, level (null)
-Context 0        user_u:user_r:cronjob_t
-</pre>
-
-<note>
-The <c>getseuser</c> command usually takes a Unix account name for the first
-argument, but treats <c>system_u</c> as a special case.
-</note>
-
-</body>
-</section>
-</chapter>
-</guide>
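Review bot: the rows for `cron_spool_t` ("where the user crontab files are in") and `user_cron_spool_t` ("for the user crontab files") describe the same thing, so a reader cannot tell which label applies where; the `ls -Z` listing later on the page shows the root crontab carrying `user_cron_spool_t`, so the `cron_spool_t` description needs to say what distinguishes it. The caption `Validationg the system_cronjob_t privileges` also has a typo. Both should be fixed when this text lands on the wiki.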

diff --git a/xml/selinux/modules/index.xml b/xml/selinux/modules/index.xml
deleted file mode 100644
index d93bf05..0000000
--- a/xml/selinux/modules/index.xml
+++ /dev/null
@@ -1,69 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/index.xml" lang="en">
-<title>SELinux Modules</title>
-<author title="Author">
-  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-SELinux aggregates its permissions in modules to make the entire policy more
-manageable. To help users work with these modules, we document the common
-modules and how to work with them.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Modules</title>
-<section>
-<body>
-
-<p>
-If you use Gentoo Hardened with SELinux, then you'll eventually need to
-configure your system to work with the policies (or update the policies to work
-with your system). To help you tune the policy, insight in how the modules are
-structured and what they contain is necessary.
-</p>
-
-<p>
-Gentoo Hardened tries to document the common modules as well as how they are
-structured. Also, we document what configuration changes are often requested and
-how to deal with them. If a module contains booleans, we explain them in more
-detail.
-</p>
-
-</body>
-</section>
-<section>
-<title>Administrative Modules</title>
-<body>
-
-<ul>
-  <li><uri link="portage.xml">Portage</uri></li>
-</ul>
-
-</body>
-</section>
-<section>
-<title>Services (Daemons)</title>
-<body>
-
-<ul>
-  <li><uri link="bind.xml">BIND server</uri> (bind)</li>
-  <li><uri link="cron.xml">Cron service</uri> (vixie-cron)</li>
-  <li><uri link="ldap.xml">LDAP servers</uri> (openldap)</li>
-  <li><uri link="apache.xml">Web servers</uri> (apache, lighttpd)</li>
-</ul>
-
-</body>
-</section>
-</chapter>
-</guide>
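Review bot: removing index.xml takes down the page published as /proj/en/hardened/selinux/modules/index.xml and with it the only listing of bind.xml, cron.xml, ldap.xml, apache.xml and portage.xml; the hunk gives no pointer to where the module documentation now lives. Leave a stub or redirect at the old location so inbound links to the individual module guides keep working, and name the new home in the commit message.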

diff --git a/xml/selinux/modules/ldap.xml b/xml/selinux/modules/ldap.xml
deleted file mode 100644
index 4da1c55..0000000
--- a/xml/selinux/modules/ldap.xml
+++ /dev/null
@@ -1,105 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/ldap.xml" lang="en">
-<title>SELinux LDAP Module</title>
-<author title="Author">
-  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the ldap module is responsible for defining the openldap
-domains and interactions.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/ldapdomain.png" short="General LDAP domain overview"
-caption="General LDAP domain overview" />
-
-<p>
-The <c>slapd</c> daemon runs within the <c>slapd_t</c> domain and can only be
-transitioned towards through the <c>sysadm_t</c> (general system administrative
-domain) or <c>initrc_t</c> (init script launched) domains.
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>ldap</c>
-module.
-</p>
-
-<table>
-<tr>
-  <th>Type</th>
-  <th>Function</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>slapd_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Executable entry point for the slapd daemon binaries</ti>
-</tr>
-<tr>
-  <ti>slapd_etc_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for OpenLDAP configuration files</ti>
-</tr>
-<tr>
-  <ti>slapd_cert_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for certificate keystores used by OpenLDAP</ti>
-</tr>
-<tr>
-  <ti>slapd_db_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for the OpenLDAP database files (backend content)</ti>
-</tr>
-<tr>
-  <ti>slapd_replog_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for the slurpd replication log location</ti>
-</tr>
-<tr>
-  <ti>slapd_lock_t</ti>
-  <ti></ti>
-  <ti>Label for the lock files (runtime)</ti>
-</tr>
-<tr>
-  <ti>slapd_tmp_t</ti>
-  <ti></ti>
-  <ti>Label for the temporary files</ti>
-</tr>
-<tr>
-  <ti>slapd_var_run_t</ti>
-  <ti></ti>
-  <ti>Label for the runtime variable data</ti>
-</tr>
-<tr>
-  <ti>slapd_initrc_exec_t</ti>
-  <ti></ti>
-  <ti>Label for non-Gentoo init script</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-</guide>
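Review bot: if the ldap page is relocated rather than abandoned, carry two table fixes with it. The Function column marks slapd_db_t and slapd_replog_t as "Configuration" although their own descriptions call them database content and a replication log, i.e. runtime data the daemon writes, and slapd_lock_t, slapd_tmp_t, slapd_var_run_t and slapd_initrc_exec_t have empty Function cells. The slurpd replication log description is also historical: slurpd was removed from OpenLDAP in the 2.4 series, so the label exists for compatibility rather than for anything a current deployment will create.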

diff --git a/xml/selinux/modules/portage.xml b/xml/selinux/modules/portage.xml
deleted file mode 100644
index 293b8b0..0000000
--- a/xml/selinux/modules/portage.xml
+++ /dev/null
@@ -1,325 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/portage.xml" lang="en">
-<title>SELinux Portage Module</title>
-<author title="Author">
-  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the portage module is responsible for defining the
-Gentoo-related domains and privileges, including those for the Portage package
-manager, Gentoo-specific file system locations and the command-line wrappers.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>4</version>
-<date>2011-07-21</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/portagedomain.png" short="General Portage domain overview"
-caption="General Portage domain overview" />
-
-<p>
-The <c>portage</c> module provides the following domains:
-</p>
-
-<table>
-<tr>
-  <th>Domain</th>
-  <th>Process(es)</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>portage_t</ti>
-  <ti>emerge, ebuild, quickpkg, ebuild.sh, regenworld, sandbox</ti>
-  <ti>Gentoo's package manager domain</ti>
-</tr>
-<tr>
-  <ti>portage_sandbox_t</ti>
-  <ti>sandbox</ti>
-  <ti>Portage compile sandbox domain</ti>
-</tr>
-<tr>
-  <ti>portage_fetch_t</ti>
-  <ti>rsync</ti>
-  <ti>
-    Domain responsible for fetching ebuilds and sources and storing them on
-    the system
-  </ti>
-</tr>
-<tr>
-  <ti>gcc_config_t</ti>
-  <ti>gcc-config</ti>
-  <ti>Domain for the gcc-config wrapper</ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>portage</c>
-module.
-</p>
-
-<table>
-<tr>
-  <th>Type</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>portage_exec_t</ti>
-  <ti>
-    Entrypoints for the portage and protage-related domains. Used for binaries
-    or scripts such as sandbox, emerge, ...
-  </ti>
-</tr>
-<tr>
-  <ti>gcc_config_exec_t</ti>
-  <ti>
-    Entrypoints for the gcc-config wrapper domain
-  </ti>
-</tr>
-<tr>
-  <ti>portage_ebuild_t</ti>
-  <ti>
-    Type assigned to the ebuild files and directories
-  </ti>
-</tr>
-<tr>
-  <ti>portage_srcrepo_t</ti>
-  <ti>
-    Type assigned to the live repository pulls (git, svn, cvs, ...) used by live
-    ebuilds
-  </ti>
-</tr>
-<tr>
-  <ti>portage_fetch_tmp_t</ti>
-  <ti>
-    Type used by the portage_fetch_t domain when storing files in a temporary
-    location
-  </ti>
-</tr>
-<tr>
-  <ti>portage_db_t</ti>
-  <ti>
-    Type used by Portage' data files
-  </ti>
-</tr>
-<tr>
-  <ti>portage_conf_t</ti>
-  <ti>
-    Type used by Portage' configuration files
-  </ti>
-</tr>
-<tr>
-  <ti>portage_cache_t</ti>
-  <ti>
-    Type used for the Portage cache
-  </ti>
-</tr>
-<tr>
-  <ti>portage_log_t</ti>
-  <ti>
-    Type used by Portage for its log files
-  </ti>
-</tr>
-<tr>
-  <ti>portage_tmp_t<br />portage_tmpfs_t</ti>
-  <ti>
-    Type used by Portage for temporary files
-  </ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>Other Types</title>
-<body>
-
-<p>
-Besides the file and file location types, the following types are also defined:
-</p>
-
-<table>
-<tr>
-  <th>Type</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>portage_devpts_t</ti>
-  <ti>
-    Type used for the terminal output device/location
-  </ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-<chapter>
-<title>Using Portage</title>
-<section>
-<title>File Locations</title>
-<body>
-
-<p>
-The policy offered only contains the right file context rules for the default
-locations. If you deviate from these locations, you'll need to update the
-contexts accordingly.
-</p>
-
-<p>
-The following table provides an overview of the Portage settings (variables in
-<path>make.conf</path>) that are commonly changed by end users, and the file 
-context that it should have.
-</p>
-
-<table>
-<tr>
-  <th>Variable in make.conf</th>
-  <th>Default Location</th>
-  <th>File Context(s)</th>
-</tr>
-<tr>
-  <ti>
-    ${PORTDIR}
-  </ti>
-  <ti>
-    <path>/usr/portage</path>
-  </ti>
-  <ti>
-    system_u:object_r:portage_ebuild_t
-  </ti>
-</tr>
-<tr>
-  <ti>
-    ${DISTDIR}/svn-src<br />
-    ${DISTDIR}/git-src<br />
-    ${DISTDIR}/cvs-src
-  </ti>
-  <ti>
-    <path>/usr/portage/distfiles/svn-src</path><br />
-    <path>/usr/portage/distfiles/git-src</path><br />
-    <path>/usr/portage/distfiles/cvs-src</path>
-  </ti>
-  <ti>
-    system_u:object_r:portage_srcrepo_t
-  </ti>
-</tr>
-<tr>
-  <ti>${PKGDIR}</ti>
-  <ti>
-    <path>/usr/portage/packages</path>
-  </ti>
-  <ti>
-    system_u:object_r:portage_ebuild_t
-  </ti>
-</tr>
-<tr>
-  <ti>${PORT_LOGDIR}</ti>
-  <ti>
-    <path>/var/log/portage</path>
-  </ti>
-  <ti>
-    system_u:object_r:portage_log_t
-  </ti>
-</tr>
-<tr>
-  <ti>${PORTAGE_TMPDIR}</ti>
-  <ti>
-    <path>/var/tmp/portage</path>
-  </ti>
-  <ti>
-    system_u:object_r:portage_tmp_t
-  </ti>
-</tr>
-</table>
-
-<p>
-If you use different locations, use the following commands to update the file
-contexts accordingly:
-</p>
-
-<pre caption="Updating file contexts">
-<comment>( Example for a different PORTDIR location, say /var/repo/portage )</comment>
-~# <i>semanage -a -t portage_ebuild_t /var/repo/portage</i>
-~# <i>restorecon -R /var/repo/portage</i>
-</pre>
-
-<p>
-Don't forget that Portage uses subdirectories with different labels (think
-distfiles or the repositories for the live ebuilds) so take care when
-relabelling locations!
-</p>
-
-<p>
-If you are using different mounts, you might need to use the 
-<c>rootcontext=</c> mount option to set the initial context. If the file system
-does not suppor SELinux contexts (like NFS), you can use the <c>context=</c>
-mount option to force the context of all files on the mounted location.
-</p>
-
-</body>
-</section>
-<section>
-<title>Booleans</title>
-<body>
-
-<p>
-The Portage module within Gentoo defines three booleans, called
-<c>gentoo_try_dontaudit</c>, <c>gentoo_portage_use_nfs</c> and
-<c>gentoo_wait_requests</c>. 
-</p>
-
-<p>
-When <c>gentoo_try_dontaudit</c> is enabled, the policy will hide the AVC
-denials of which the Gentoo developers believe they are harmless (cosmetic).
-If this boolean is enabled and you are experiencing permission problems, it
-is wise to first disable the boolean and see if you now get any denials that
-could explain the problem.
-</p>
-
-<p>
-When <c>gentoo_portage_use_nfs</c> is enabled, then the Portage-related
-domains will be able to manage the <c>nfs_t</c> and as such, allow for the 
-Portage tree and other locations to be NFS-mounted without correcting their
-label (which is still supported when using the <c>context=</c> mount option).
-</p>
-
-<p>
-When <c>gentoo_wait_requests</c> is enabled, then policy rules that are
-introduced to get things working, but which are temporary until the upstream
-project enhances its application (and a bug report is opened for it), are
-active. Disabling this boolean is only recommended if you are running the
-system with the proper patches and is more used for development traceability.
-</p>
-
-<p>
-To switch booleans, use <c>setsebool</c> or <c>togglesebool</c>.
-</p>
-
-<pre caption="Enabling the gentoo_try_dontaudit boolean">
-<comment>( With the -P flag, the boolean state is persisted across reboots)</comment>
-~# <i>setsebool -P gentoo_try_dontaudit on</i>
-</pre>
-
-</body>
-</section>
-</chapter>
-</guide>
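Review bot: the "semanage -a -t portage_ebuild_t /var/repo/portage" example in the removed File Locations section is not a valid invocation: semanage needs the fcontext object, and the path should be a regular expression covering the subtree, i.e. semanage fcontext -a -t portage_ebuild_t "/var/repo/portage(/.*)?" followed by restorecon -R /var/repo/portage. Wherever this content is re-homed, correct that together with the typos "protage-related", "suppor" and "Portage' data files", and make the subdirectory warning concrete: any live-ebuild checkouts (svn-src, git-src, cvs-src) under the relocated tree need their own, more specific portage_srcrepo_t rule, otherwise the subtree rule above relabels them to portage_ebuild_t on the next restorecon.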

diff --git a/xml/selinux/modules/ssh.xml b/xml/selinux/modules/ssh.xml
deleted file mode 100644
index 20edf7a..0000000
--- a/xml/selinux/modules/ssh.xml
+++ /dev/null
@@ -1,102 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/ssh.xml" disclaimer="draft" lang="en">
-<title>SELinux SSH Module</title>
-<author title="Author">
-  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the SSH module is responsible for defining what openssh can do
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/sshdomain.png" short="General SSH domain overview"
-caption="General SSH domain overview" />
-
-<p>
-The...
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>ldap</c>
-module.
-</p>
-
-<table>
-<tr>
-  <th>Type</th>
-  <th>Function</th>
-  <th>Description</th>
-</tr>
-<tr>
-  <ti>slapd_exec_t</ti>
-  <ti>Entrypoint</ti>
-  <ti>Executable entry point for the slapd daemon binaries</ti>
-</tr>
-<tr>
-  <ti>slapd_etc_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for OpenLDAP configuration files</ti>
-</tr>
-<tr>
-  <ti>slapd_cert_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for certificate keystores used by OpenLDAP</ti>
-</tr>
-<tr>
-  <ti>slapd_db_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for the OpenLDAP database files (backend content)</ti>
-</tr>
-<tr>
-  <ti>slapd_replog_t</ti>
-  <ti>Configuration</ti>
-  <ti>Label for the slurpd replication log location</ti>
-</tr>
-<tr>
-  <ti>slapd_lock_t</ti>
-  <ti></ti>
-  <ti>Label for the lock files (runtime)</ti>
-</tr>
-<tr>
-  <ti>slapd_tmp_t</ti>
-  <ti></ti>
-  <ti>Label for the temporary files</ti>
-</tr>
-<tr>
-  <ti>slapd_var_run_t</ti>
-  <ti></ti>
-  <ti>Label for the runtime variable data</ti>
-</tr>
-<tr>
-  <ti>slapd_initrc_exec_t</ti>
-  <ti></ti>
-  <ti>Label for non-Gentoo init script</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-</guide>
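Review bot: dropping this draft loses nothing. Its Domains section reads only "The..." and its File Types/Labels table is a verbatim copy of the ldap page (it still says "defined in the ldap module" and lists only slapd_* types), so there was no ssh-specific content to preserve. Should an ssh page be written later, it needs to start from the ssh module's own types (sshd_t and related) rather than from this copy.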



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-12-14 20:12 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-12-14 20:12 UTC
  To: gentoo-commits

commit:     8e2bfebca6699d43df0ab162e2a133e1da4da4d3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 14 20:12:05 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Dec 14 20:12:05 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=8e2bfebc

Add information on HOME=/, cfr bug #392699

---
 xml/selinux/modules/cron.xml |   44 ++++++++++++-----------------------------
 1 files changed, 13 insertions(+), 31 deletions(-)

diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml
index 4683c18..e909ff8 100644
--- a/xml/selinux/modules/cron.xml
+++ b/xml/selinux/modules/cron.xml
@@ -14,11 +14,11 @@ domains and interactions.
 </abstract>
 
 <!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
+<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
+<license version="3.0"/>
 
-<version>2</version>
-<date>2011-08-13</date>
+<version>3</version>
+<date>2011-12-14</date>
 
 <chapter>
 <title>Structure</title>
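Review bot: this hunk relicenses the page from the bare <license/> (CC-BY-SA 2.5) to <license version="3.0"/> in the same commit as a content change, while the commit message only mentions HOME=/ and bug #392699. Relicensing existing text is a separate decision from adding a paragraph; give it its own commit, or at least state it in the message.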
@@ -231,6 +231,13 @@ This means that the cronjobs must be defined as either
 </ul>
 
 <p>
+Second, make sure that your <path>/etc/crontab</path> uses <c>HOME=/</c>.
+Setting this to another <c>HOME</c> directory might confuse some applications.
+With SELinux enabled, this could cause those applications to try and read the
+root users' home directory, which isn't allowed by policy.
+</p>
+
+<p>
 Next, verify that the commands you want to run (and thus their target domain in
 which they will run) are allowed for the <e>system_cronjob_t</e> domain.
 </p>
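Review bot: "root users' home directory" should read "root user's home directory", and the paragraph would help more if it named the failure it prevents: jobs from /etc/crontab run as system_cronjob_t (the sentence that follows already says so), and with HOME pointing at /root a program that reads its dotfiles will be denied on root's home directory, which that domain may not read. Quote the exact line, HOME=/, so readers can grep their crontab for it.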
@@ -257,38 +264,13 @@ An example policy file to allow executing <c>dmesg</c>:
 policy_module(fixcron, 1.0)
 
 require {
-  type system_cronjob_t;
+  type dmesg_t;
 }
 
-dmesg_domtrans(system_cronjob_t)
+cron_system_entry(dmesg_t)
 </pre>
 
 <p>
-In order to find out which specific calls are necessary, it can come in handy to
-use the privileges assigned to the <e>sysadm_t</e> domain. Take a look at this
-<uri
-link="http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/sysadm.te">sysadm.te</uri>
-file. If you search for "dmesg" you will notice the following in the file:
-</p>
-
-<pre caption="Snippet in sysadm.te related to dmesg">
-128 	')
-129 	
-130 	optional_policy(`
-131 	        dmesg_domtrans(sysadm_t)
-132 	')
-133 	
-134 	optional_policy(`
-</pre>
-
-<p>
-It is this call - <c>dmesg_domtrans</c> - that we are interested in (and which you
-can notice in the sample policy mentioned above. It is possible that you notice
-a <c>_run</c> or <c>_exec</c> instead. Try this one first, but most of the time
-you'll need a <c>_domtrans</c> method.
-</p>
-
-<p>
 For more information or help with managing your policies, do not hesitate to
 drop by on <c>#gentoo-hardened</c> in <c>irc.freenode.net</c>.
 </p>
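Review bot: cron_system_entry(dmesg_t) is called with one argument, but the refpolicy interface is cron_system_entry(domain, entrypoint): it needs both the target domain and the entry point file type to set up the automatic transition from system_cronjob_t. The example should read cron_system_entry(dmesg_t, dmesg_exec_t) and the require block should declare "type dmesg_t, dmesg_exec_t;". Since the hunk also removes the sysadm.te walkthrough that told readers how to find a suitable interface, add one sentence pointing at the interface documentation in the module's cron.if, otherwise the sample is a recipe with no way to adapt it to another program.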



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-08-22 19:20 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-08-22 19:20 UTC
  To: gentoo-commits

commit:     38c0512b16f6f2d67e950394347837753736bd3e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 14 13:30:16 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Aug 14 13:30:16 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=38c0512b

Improve information on getseuser

---
 xml/selinux/modules/cron.xml |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml
index 92cf836..4683c18 100644
--- a/xml/selinux/modules/cron.xml
+++ b/xml/selinux/modules/cron.xml
@@ -17,8 +17,8 @@ domains and interactions.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>1</version>
-<date>2011-07-23</date>
+<version>2</version>
+<date>2011-08-13</date>
 
 <chapter>
 <title>Structure</title>
@@ -391,11 +391,16 @@ seuser:  system_u, level (null)
 Context 0        system_u:system_r:system_cronjob_t
 
 <comment># Get the domain under which user-level jobs will run</comment>
-~# <i>getseuser user_u system_u:system_r:crond_t</i>
+~# <i>getseuser john system_u:system_r:crond_t</i>
 seuser:  user_u, level (null)
 Context 0        user_u:user_r:cronjob_t
 </pre>
 
+<note>
+The <c>getseuser</c> command usually takes a Unix account name for the first
+argument, but treats <c>system_u</c> as a special case.
+</note>
+
 </body>
 </section>
 </chapter>
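Review bot: the note asserts that getseuser "treats system_u as a special case" without saying where that happens. getseuser resolves its first argument through the seusers mapping, so what readers see depends on whether their /etc/selinux/*/seusers carries a system_u entry; state the mechanism and give the check (semanage login -l lists the mapping). Also say that "john" is an example account and that a name not listed in seusers falls back to the __default__ mapping, so the user_u result shown is the default mapping, not something specific to john.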



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-23 19:03 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-07-23 19:03 UTC
  To: gentoo-commits

commit:     50861d1e0e0c7a988fbfb0437a776340bc570c88
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 23 19:03:40 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jul 23 19:03:40 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=50861d1e

Update cron definition with default_context issue

---
 xml/selinux/modules/cron.xml |   28 +++++++++++++++++++++++++++-
 1 files changed, 27 insertions(+), 1 deletions(-)

diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml
index 516e3b8..92cf836 100644
--- a/xml/selinux/modules/cron.xml
+++ b/xml/selinux/modules/cron.xml
@@ -300,7 +300,8 @@ drop by on <c>#gentoo-hardened</c> in <c>irc.freenode.net</c>.
 <body>
 
 <impo>
-This is applicable to vixie-cron users with USE="ubac" set.
+Part of this is for vixie-cron users with USE="ubac" set, but even if this is
+not the case it is still pertinent (cfr. the default_contexts issue).
 </impo>
 
 <p>
@@ -347,6 +348,31 @@ To fix this, use <c>chcon</c>:
 ~# <i>chcon -u root /var/spool/cron/crontabs/root</i>
 </pre>
 
+<p>
+Another problem that you might see is immediately at startup:
+</p>
+
+<pre caption="Entrypoint failure on crontab">
+cron[26653]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
+</pre>
+
+<p>
+In this case, even if the user of the file is correct, it is most likely due to
+the <path>/etc/selinux/*/contexts/default_context</path> file containing an
+incorrect definition. Look at the cron-related line and verify that each
+mentioned context is valid. For instance:
+</p>
+
+<pre caption="Verify if contexts are valid">
+<comment># Verify the context "system_r:cronjob_t:s0"</comment>
+~# <i>seinfo -rsystem_r -x | grep cronjob</i>
+  system_cronjob_t
+</pre>
+
+<p>
+In the above case, <e>cronjob_t</e> is not valid, but <e>system_cronjob_t</e> is.
+</p>
+
 </body>
 </section>
 <section>
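Review bot: the path is misspelled: the file is /etc/selinux/*/contexts/default_contexts (plural), matching "the default_contexts issue" wording in the <impo> block above. The diagnostic could also be made self-explanatory: seinfo -rsystem_r -x lists the types the system_r role is authorised for, so a type named on the crond_t line of default_contexts that does not appear in that output (here cronjob_t) is the one to replace with system_cronjob_t. Note as well that grepping for "cronjob" only proves the type part of the entry is wrong; it says nothing about the user or level fields of the same line.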



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-23 13:44 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-07-23 13:44 UTC
  To: gentoo-commits

commit:     406d7c2a5043bd674f444eba43afd6595bee05d4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 23 13:43:54 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jul 23 13:43:54 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=406d7c2a

update

---
 xml/selinux/modules/cron.xml |   32 +++++++++++++++++++++++++++++++-
 1 files changed, 31 insertions(+), 1 deletions(-)

diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml
index 55c7009..516e3b8 100644
--- a/xml/selinux/modules/cron.xml
+++ b/xml/selinux/modules/cron.xml
@@ -246,7 +246,7 @@ Found 1 semantic av rules:
 If the domain does not have the necessary privileges, you need to update the
 policy. More information on maintaining the SELinux policy can be found in the
 <uri link="http://hardened.gentoo.org/selinux/selinux-handbook.xml">Gentoo
-Hardened SELinux Handbook</uri>.
+Hardened SELinux Handbook</uri>. 
 </p>
 
 <p>
@@ -263,6 +263,36 @@ require {
 dmesg_domtrans(system_cronjob_t)
 </pre>
 
+<p>
+In order to find out which specific calls are necessary, it can come in handy to
+use the privileges assigned to the <e>sysadm_t</e> domain. Take a look at this
+<uri
+link="http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/sysadm.te">sysadm.te</uri>
+file. If you search for "dmesg" you will notice the following in the file:
+</p>
+
+<pre caption="Snippet in sysadm.te related to dmesg">
+128 	')
+129 	
+130 	optional_policy(`
+131 	        dmesg_domtrans(sysadm_t)
+132 	')
+133 	
+134 	optional_policy(`
+</pre>
+
+<p>
+It is this call - <c>dmesg_domtrans</c> - that we are interested in (and which you
+can notice in the sample policy mentioned above. It is possible that you notice
+a <c>_run</c> or <c>_exec</c> instead. Try this one first, but most of the time
+you'll need a <c>_domtrans</c> method.
+</p>
+
+<p>
+For more information or help with managing your policies, do not hesitate to
+drop by on <c>#gentoo-hardened</c> in <c>irc.freenode.net</c>.
+</p>
+
 </body>
 </section>
 <section>
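Review bot: the quoted sysadm.te snippet carries line numbers 128 to 134 lifted from the Tresys web view, which will drift with the next refpolicy release; quote only the optional_policy(` ... dmesg_domtrans(sysadm_t) ... ') block, or point at the interface documentation in dmesg.if, where the _domtrans, _run and _exec variants are defined. The sentence "It is this call - dmesg_domtrans - that we are interested in (and which you can notice in the sample policy mentioned above." never closes its parenthesis. "Try this one first" is also misleading: _exec only lets the caller execute the binary in its own domain with no transition, so a cron job that needs dmesg's own privileges requires _domtrans (or _run, which adds the role authorisation on top).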



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-21  9:20 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-07-21  9:20 UTC
  To: gentoo-commits

commit:     dd727043c74e46def4e423341fa5657b7217a5b3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 21 09:20:08 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 21 09:20:08 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=dd727043

Use gentoo_portage_use_nfs instead of allow_nfs

---
 xml/selinux/modules/portage.xml |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/xml/selinux/modules/portage.xml b/xml/selinux/modules/portage.xml
index cb55696..293b8b0 100644
--- a/xml/selinux/modules/portage.xml
+++ b/xml/selinux/modules/portage.xml
@@ -18,7 +18,7 @@ manager, Gentoo-specific file system locations and the command-line wrappers.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>3</version>
+<version>4</version>
 <date>2011-07-21</date>
 
 <chapter>
@@ -283,7 +283,7 @@ mount option to force the context of all files on the mounted location.
 
 <p>
 The Portage module within Gentoo defines three booleans, called
-<c>gentoo_try_dontaudit</c>, <c>gentoo_portage_allow_nfs</c> and
+<c>gentoo_try_dontaudit</c>, <c>gentoo_portage_use_nfs</c> and
 <c>gentoo_wait_requests</c>. 
 </p>
 
@@ -296,7 +296,7 @@ could explain the problem.
 </p>
 
 <p>
-When <c>gentoo_portage_allow_nfs</c> is enabled, then the Portage-related
+When <c>gentoo_portage_use_nfs</c> is enabled, then the Portage-related
 domains will be able to manage the <c>nfs_t</c> and as such, allow for the 
 Portage tree and other locations to be NFS-mounted without correcting their
 label (which is still supported when using the <c>context=</c> mount option).



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-21  8:32 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-07-21  8:32 UTC
  To: gentoo-commits

commit:     4e825c1c786dfc960eadcf3ba30386c95d9f4e31
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 21 08:31:51 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 21 08:31:51 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=4e825c1c

Add information on gentoo_wait_requests boolean, introduced with r20 of base policy

---
 xml/selinux/modules/portage.xml |   17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/xml/selinux/modules/portage.xml b/xml/selinux/modules/portage.xml
index 6353a60..cb55696 100644
--- a/xml/selinux/modules/portage.xml
+++ b/xml/selinux/modules/portage.xml
@@ -18,8 +18,8 @@ manager, Gentoo-specific file system locations and the command-line wrappers.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>2</version>
-<date>2011-07-07</date>
+<version>3</version>
+<date>2011-07-21</date>
 
 <chapter>
 <title>Structure</title>
@@ -282,8 +282,9 @@ mount option to force the context of all files on the mounted location.
 <body>
 
 <p>
-The Portage module within Gentoo defines two booleans, called
-<c>gentoo_try_dontaudit</c> and <c>gentoo_portage_allow_nfs</c>. 
+The Portage module within Gentoo defines three booleans, called
+<c>gentoo_try_dontaudit</c>, <c>gentoo_portage_allow_nfs</c> and
+<c>gentoo_wait_requests</c>. 
 </p>
 
 <p>
@@ -302,6 +303,14 @@ label (which is still supported when using the <c>context=</c> mount option).
 </p>
 
 <p>
+When <c>gentoo_wait_requests</c> is enabled, then policy rules that are
+introduced to get things working, but which are temporary until the upstream
+project enhances its application (and a bug report is opened for it), are
+active. Disabling this boolean is only recommended if you are running the
+system with the proper patches and is more used for development traceability.
+</p>
+
+<p>
 To switch booleans, use <c>setsebool</c> or <c>togglesebool</c>.
 </p>
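Review bot: the gentoo_wait_requests paragraph does not say what the boolean's default is, and it should, because the boolean widens the policy: enabled means the temporary workaround rules are live. "Disabling this boolean is only recommended if you are running the system with the proper patches" is the wrong way round for a hardening reader; say that disabling tightens the policy and will break the affected applications until their upstream fixes land, and name or link the bug reports the paragraph mentions, otherwise "development traceability" is not traceable from the page. Finally, "the upstream project enhances its application (and a bug report is opened for it)" reads as if the report is opened after the fix; reorder.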
 



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-13 21:39 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-07-13 21:39 UTC
  To: gentoo-commits

commit:     5f6349c4c3ce1a6e2e81b4bd768ddaa52d2d13c4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 13 20:06:07 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 13 20:06:07 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=5f6349c4

mark ssh as draft for now

---
 xml/selinux/modules/ssh.xml |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xml/selinux/modules/ssh.xml b/xml/selinux/modules/ssh.xml
index fa45739..20edf7a 100644
--- a/xml/selinux/modules/ssh.xml
+++ b/xml/selinux/modules/ssh.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
 
-<guide link="/proj/en/hardened/selinux/modules/ssh.xml" lang="en">
+<guide link="/proj/en/hardened/selinux/modules/ssh.xml" disclaimer="draft" lang="en">
 <title>SELinux SSH Module</title>
 <author title="Author">
   <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-09 18:56 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-07-09 18:56 UTC
  To: gentoo-commits

commit:     b37fb9cd0c951d425f27153694c2fcd78b9c286d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul  9 18:53:45 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jul  9 18:53:45 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=b37fb9cd

Correct references

---
 xml/selinux/modules/bind.xml |    2 +-
 xml/selinux/modules/ldap.xml |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xml/selinux/modules/bind.xml b/xml/selinux/modules/bind.xml
index 3ef655c..25c2a11 100644
--- a/xml/selinux/modules/bind.xml
+++ b/xml/selinux/modules/bind.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
 
-<guide link="/proj/en/hardened/selinux/modules/apache.xml" lang="en">
+<guide link="/proj/en/hardened/selinux/modules/bind.xml" lang="en">
 <title>SELinux Bind Module</title>
 <author title="Author">
   <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>

diff --git a/xml/selinux/modules/ldap.xml b/xml/selinux/modules/ldap.xml
index 2aa16f2..4da1c55 100644
--- a/xml/selinux/modules/ldap.xml
+++ b/xml/selinux/modules/ldap.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
 
-<guide link="/proj/en/hardened/selinux/modules/apache.xml" lang="en">
+<guide link="/proj/en/hardened/selinux/modules/ldap.xml" lang="en">
 <title>SELinux LDAP Module</title>
 <author title="Author">
   <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-09 18:56 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-07-09 18:56 UTC
  To: gentoo-commits

commit:     a766238cca7223f38713bfaf9bfd1be616fee3a2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul  9 18:54:24 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jul  9 18:54:24 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=a766238c

Initial start for SSH domain information (but still WIP)

---
 xml/selinux/modules/ssh.xml |  102 +++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 102 insertions(+), 0 deletions(-)

diff --git a/xml/selinux/modules/ssh.xml b/xml/selinux/modules/ssh.xml
new file mode 100644
index 0000000..fa45739
--- /dev/null
+++ b/xml/selinux/modules/ssh.xml
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
+
+<guide link="/proj/en/hardened/selinux/modules/ssh.xml" lang="en">
+<title>SELinux SSH Module</title>
+<author title="Author">
+  <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
+</author>
+
+<abstract>
+Within SELinux, the SSH module is responsible for defining what openssh can do
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
+<license/>
+
+<version>1</version>
+<date>2011-07-09</date>
+
+<chapter>
+<title>Structure</title>
+<section>
+<title>Domains</title>
+<body>
+
+<figure link="./images/sshdomain.png" short="General SSH domain overview"
+caption="General SSH domain overview" />
+
+<p>
+The...
+</p>
+
+</body>
+</section>
+<section>
+<title>File Types/Labels</title>
+<body>
+
+<p>
+The following table lists the file type/labels defined in the <c>ldap</c>
+module.
+</p>
+
+<table>
+<tr>
+  <th>Type</th>
+  <th>Function</th>
+  <th>Description</th>
+</tr>
+<tr>
+  <ti>slapd_exec_t</ti>
+  <ti>Entrypoint</ti>
+  <ti>Executable entry point for the slapd daemon binaries</ti>
+</tr>
+<tr>
+  <ti>slapd_etc_t</ti>
+  <ti>Configuration</ti>
+  <ti>Label for OpenLDAP configuration files</ti>
+</tr>
+<tr>
+  <ti>slapd_cert_t</ti>
+  <ti>Configuration</ti>
+  <ti>Label for certificate keystores used by OpenLDAP</ti>
+</tr>
+<tr>
+  <ti>slapd_db_t</ti>
+  <ti>Configuration</ti>
+  <ti>Label for the OpenLDAP database files (backend content)</ti>
+</tr>
+<tr>
+  <ti>slapd_replog_t</ti>
+  <ti>Configuration</ti>
+  <ti>Label for the slurpd replication log location</ti>
+</tr>
+<tr>
+  <ti>slapd_lock_t</ti>
+  <ti></ti>
+  <ti>Label for the lock files (runtime)</ti>
+</tr>
+<tr>
+  <ti>slapd_tmp_t</ti>
+  <ti></ti>
+  <ti>Label for the temporary files</ti>
+</tr>
+<tr>
+  <ti>slapd_var_run_t</ti>
+  <ti></ti>
+  <ti>Label for the runtime variable data</ti>
+</tr>
+<tr>
+  <ti>slapd_initrc_exec_t</ti>
+  <ti></ti>
+  <ti>Label for non-Gentoo init script</ti>
+</tr>
+</table>
+
+</body>
+</section>
+</chapter>
+</guide>
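Review bot: the File Types/Labels section is copied from the LDAP page rather than written for SSH: the intro sentence says the labels are "defined in the <c>ldap</c> module" and every row is a slapd_* type, none of which belongs to the SSH module. Because the `<guide>` element carries no `disclaimer="draft"` attribute, a reader who lands on this page will take the slapd_* table as the SSH labels; replace the rows with the ssh module's own types, or at least add the draft disclaimer on the `<guide>` element until they are filled in. Smaller points in the same file: the "Function" column is empty for the last four rows, the abstract line "+Within SELinux, the SSH module is responsible for defining what openssh can do" is missing its closing full stop, and the Domains section body is still the placeholder "The...".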



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-09 17:09 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-07-09 17:09 UTC
  To: gentoo-commits

commit:     bf0f25aee5101e5b5b58ec37caf90f180fe5319b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul  7 19:04:23 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul  7 19:04:23 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=bf0f25ae

Update portage module information with latest commit

---
 xml/selinux/modules/portage.xml |   38 ++++++++++++++++++++++++++++++--------
 1 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/xml/selinux/modules/portage.xml b/xml/selinux/modules/portage.xml
index e9dc226..6353a60 100644
--- a/xml/selinux/modules/portage.xml
+++ b/xml/selinux/modules/portage.xml
@@ -18,8 +18,8 @@ manager, Gentoo-specific file system locations and the command-line wrappers.
 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
 <license/>
 
-<version>1</version>
-<date>2011-06-02</date>
+<version>2</version>
+<date>2011-07-07</date>
 
 <chapter>
 <title>Structure</title>
@@ -268,6 +268,13 @@ distfiles or the repositories for the live ebuilds) so take care when
 relabelling locations!
 </p>
 
+<p>
+If you are using different mounts, you might need to use the 
+<c>rootcontext=</c> mount option to set the initial context. If the file system
+does not suppor SELinux contexts (like NFS), you can use the <c>context=</c>
+mount option to force the context of all files on the mounted location.
+</p>
+
 </body>
 </section>
 <section>
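Review bot: typo in the new paragraph, "does not suppor SELinux contexts" should read "does not support SELinux contexts". The two mount options also do different things and the text should say which: `rootcontext=` only labels the root inode of the mount at mount time, so existing files keep their on-disk labels and new files are labelled by the policy's normal rules, whereas `context=` assigns one fixed label to every file on the mount and overrides whatever is stored on disk. Given the warning just above that Portage subdirectories carry different labels (distfiles, live-ebuild repositories), it is worth adding that a single `context=` label cannot reproduce those distinctions; suggested wording: "Note that context= gives every file on the mount the same label, so the per-subdirectory labels listed above cannot be applied to such a mount." The trailing space after "use the " on the first added line should also go.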
@@ -275,12 +282,27 @@ relabelling locations!
 <body>
 
 <p>
-The Portage module within Gentoo defines one boolean, called
-<c>gentoo_try_dontaudit</c>. When enabled, the policy will hide the AVC denials
-of which the Gentoo developers believe they are harmless (cosmetic). If this
-boolean is enabled and you are experiencing permission problems, it is wise to
-first disable the boolean and see if you now get any denials that could explain
-the problem.
+The Portage module within Gentoo defines two booleans, called
+<c>gentoo_try_dontaudit</c> and <c>gentoo_portage_allow_nfs</c>. 
+</p>
+
+<p>
+When <c>gentoo_try_dontaudit</c> is enabled, the policy will hide the AVC
+denials of which the Gentoo developers believe they are harmless (cosmetic).
+If this boolean is enabled and you are experiencing permission problems, it
+is wise to first disable the boolean and see if you now get any denials that
+could explain the problem.
+</p>
+
+<p>
+When <c>gentoo_portage_allow_nfs</c> is enabled, then the Portage-related
+domains will be able to manage the <c>nfs_t</c> and as such, allow for the 
+Portage tree and other locations to be NFS-mounted without correcting their
+label (which is still supported when using the <c>context=</c> mount option).
+</p>
+
+<p>
+To switch booleans, use <c>setsebool</c> or <c>togglesebool</c>.
 </p>
 
 <pre caption="Enabling the gentoo_try_dontaudit boolean">
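Review bot: "the Portage-related domains will be able to manage the <c>nfs_t</c> and as such" is missing its noun; it should read "manage files and directories of type <c>nfs_t</c>". More importantly, the paragraph understates what the boolean grants: nfs_t is the type given to every NFS mount that is not mounted with an explicit `context=`, not just the Portage tree, so enabling gentoo_portage_allow_nfs lets the Portage domains create, modify and delete anything on any NFS share mounted on the host. That widens the blast radius of a malicious or compromised ebuild well beyond the tree; suggest stating this and recommending the `context=` mount option (which the same paragraph says remains supported) as the preferred route, with the boolean as the fallback for setups that cannot relabel. Also strip the trailing spaces after "gentoo_portage_allow_nfs</c>. " and "allow for the ".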



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-07-09 17:09 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-07-09 17:09 UTC
  To: gentoo-commits

commit:     553af17654ebe94180c0080b4cb1d989ba4a692f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul  9 17:07:16 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jul  9 17:07:16 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=553af176

Update apache description, had some wrong references to the portage description

---
 xml/selinux/modules/apache.xml |   17 -----------------
 1 files changed, 0 insertions(+), 17 deletions(-)

diff --git a/xml/selinux/modules/apache.xml b/xml/selinux/modules/apache.xml
index 6572e7e..4d6350e 100644
--- a/xml/selinux/modules/apache.xml
+++ b/xml/selinux/modules/apache.xml
@@ -347,23 +347,6 @@ base it on the description instead.
 </tr>
 </table>
 
-<p>
-If you use different locations, use the following commands to update the file
-contexts accordingly:
-</p>
-
-<pre caption="Updating file contexts">
-<comment>( Example for a different PORTDIR location, say /var/repo/portage )</comment>
-~# <i>semanage -a -t portage_ebuild_t /var/repo/portage</i>
-~# <i>restorecon -R /var/repo/portage</i>
-</pre>
-
-<p>
-Don't forget that Portage uses subdirectories with different labels (think
-distfiles or the repositories for the live ebuilds) so take care when
-relabeling locations!
-</p>
-
 </body>
 </section>
 <section>
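Review bot: removing these paragraphs is right, they describe Portage labels and belong in portage.xml, but note that the deleted example was also broken as written: `semanage -a -t portage_ebuild_t /var/repo/portage` names no object subcommand and would not run. If the text is reinstated on the Portage page it should use the fcontext subcommand with a path regex so the subdirectories are covered, i.e. `semanage fcontext -a -t portage_ebuild_t "/var/repo/portage(/.*)?"`, followed by the `restorecon -R /var/repo/portage` call the old block already had.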



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-06-02 17:10 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-06-02 17:10 UTC
  To: gentoo-commits

commit:     cbc15e7645ec5aa3e14ff5ac8c674afb284d011f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun  2 17:09:20 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun  2 17:09:20 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=cbc15e76

More apache locations

---
 xml/selinux/modules/apache.xml |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/xml/selinux/modules/apache.xml b/xml/selinux/modules/apache.xml
index 553beeb..6572e7e 100644
--- a/xml/selinux/modules/apache.xml
+++ b/xml/selinux/modules/apache.xml
@@ -327,6 +327,24 @@ base it on the description instead.
   <ti>/srv/localhost/www</ti>
   <ti>system_u:object_r:httpd_sys_content_t</ti>
 </tr>
+<tr>
+  <ti>Document</ti>
+  <ti>Location where CGI scripts are stored</ti>
+  <ti>/srv/localhost/cgi-bin</ti>
+  <ti>system_u:object_r:httpd_sys_script_exec_t</ti>
+</tr>
+<tr>
+  <ti>Directory</ti>
+  <ti>User home directory location where user-provided content is stored</ti>
+  <ti>/home/*/public_html</ti>
+  <ti>system_u:object_r:httpd_user_content_t</ti>
+</tr>
+<tr>
+  <ti>Directory</ti>
+  <ti>User home directory location where user-provided CGI scripts are stored</ti>
+  <ti>/home/*/public_html/cgi-bin</ti>
+  <ti>system_u:object_r:httpd_user_script_exec_t</ti>
+</tr>
 </table>
 
 <p>
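Review bot: the first new row uses "Document" in the kind column while the two home-directory rows use "Directory"; /srv/localhost/cgi-bin is a directory like the others, so the three added rows should use one word, matching whatever the existing /srv/localhost/www row above them uses. It would also help to flag the two script rows as the ones that grant execution: httpd_sys_script_exec_t and httpd_user_script_exec_t are the labels under which content is executed by the web server rather than served, so an upload or content directory mislabelled with one of them turns a file download into code execution. A one-line warning in the description column ("only label directories that must contain executable CGI") would make that clear.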



* [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/
@ 2011-06-02 16:42 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2011-06-02 16:42 UTC
  To: gentoo-commits

commit:     2a7643b038b9a37fc76b72b6eeb2af8f80abe7d0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun  2 16:41:35 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun  2 16:41:35 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=2a7643b0

Correcting image location

---
 xml/selinux/modules/apache.xml  |    2 +-
 xml/selinux/modules/portage.xml |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xml/selinux/modules/apache.xml b/xml/selinux/modules/apache.xml
index 7e25e2b..553beeb 100644
--- a/xml/selinux/modules/apache.xml
+++ b/xml/selinux/modules/apache.xml
@@ -27,7 +27,7 @@ its name.
 <title>Domains</title>
 <body>
 
-<figure link="images/apachedomain.png" short="General Apache domain overview"
+<figure link="./images/apachedomain.png" short="General Apache domain overview"
 caption="General Apache domain overview" />
 
 <p>

diff --git a/xml/selinux/modules/portage.xml b/xml/selinux/modules/portage.xml
index fb9e4ae..e9dc226 100644
--- a/xml/selinux/modules/portage.xml
+++ b/xml/selinux/modules/portage.xml
@@ -27,7 +27,7 @@ manager, Gentoo-specific file system locations and the command-line wrappers.
 <title>Domains</title>
 <body>
 
-<figure link="images/portagedomain.png" short="General Portage domain overview"
+<figure link="./images/portagedomain.png" short="General Portage domain overview"
 caption="General Portage domain overview" />
 
 <p>




Thread overview: 15+ messages
2011-07-09 17:09 [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/modules/ Sven Vermeulen
  -- strict thread matches above, loose matches on Subject: below --
2011-12-22 12:58 Sven Vermeulen
2011-12-14 20:12 Sven Vermeulen
2011-08-22 19:20 Sven Vermeulen
2011-07-23 19:03 Sven Vermeulen
2011-07-23 13:44 Sven Vermeulen
2011-07-21  9:20 Sven Vermeulen
2011-07-21  8:32 Sven Vermeulen
2011-07-13 21:39 Sven Vermeulen
2011-07-09 18:56 Sven Vermeulen
2011-07-09 18:56 Sven Vermeulen
2011-07-09 17:09 Sven Vermeulen
2011-07-09 17:09 Sven Vermeulen
2011-06-02 17:10 Sven Vermeulen
2011-06-02 16:42 Sven Vermeulen
