* [gentoo-commits] proj/hardened-docs:master commit in: html/, xml/, html/selinux/
@ 2011-04-06 18:18 Matthew Thode
From: Matthew Thode @ 2011-04-06 18:18 UTC
To: gentoo-commits
commit: f3d78ad276f953bb4305f700d7ba4f15c422275b
Author: Matthew Thode <mthode <AT> mthode <DOT> org>
AuthorDate: Wed Apr 6 18:13:34 2011 +0000
Commit: Matthew Thode <mthode <AT> mthode <DOT> org>
CommitDate: Wed Apr 6 18:13:34 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=f3d78ad2
html and update of intel uderef situation for virt
---
html/grsec-tpe.html | 2 +-
html/hardened-virtualization.html | 36 ++-
html/hardenedfaq.html | 12 +-
html/selinux/hb-selinux-conv-profile.html | 118 ------
html/selinux/hb-selinux-conv-reboot1.html | 209 -----------
html/selinux/hb-selinux-conv-reboot2.html | 244 -------------
html/selinux/hb-selinux-faq.html | 148 --------
html/selinux/hb-selinux-howto.html | 287 ---------------
html/selinux/hb-selinux-initpol.html | 72 ----
html/selinux/hb-selinux-libsemanage.html | 275 --------------
html/selinux/hb-selinux-localmod.html | 158 --------
html/selinux/hb-selinux-loglocal.html | 212 -----------
html/selinux/hb-selinux-logremote.html | 228 ------------
html/selinux/hb-selinux-overview.html | 552 -----------------------------
html/selinux/hb-selinux-references.html | 117 ------
xml/hardened-virtualization.xml | 16 +-
16 files changed, 47 insertions(+), 2639 deletions(-)
diff --git a/html/grsec-tpe.html b/html/grsec-tpe.html
index b1925a6..8a91b45 100644
--- a/html/grsec-tpe.html
+++ b/html/grsec-tpe.html
@@ -2662,7 +2662,7 @@ still be modified by that user.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="grsec-tpe.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated 2011-1-19</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 2011-3-27</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
TPE tends to be one of the harder to understand parts of GRSecurity as options
like invert GID can be confusing at times. In this documents we explain how each
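Review bot: The only change to grsec-tpe.html in this commit is the "Updated" stamp (2011-1-19 to 2011-3-27); the diffstat (`html/grsec-tpe.html | 2 +-`) shows no other line touched. If the HTML is regenerated from an unchanged grsec-tpe.xml, this date bump is noise for readers who use the stamp to spot new content; either regenerate only when the source changed or say in the commit message that the footer dates were deliberately synced.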
diff --git a/html/hardened-virtualization.html b/html/hardened-virtualization.html
index 3b8d6c9..2c3eed8 100644
--- a/html/hardened-virtualization.html
+++ b/html/hardened-virtualization.html
@@ -63,10 +63,34 @@ of this guide.
</p>
<p>
As of this writing, there are no known restrictions on hardening for the
-guest. Test of both x86 and x86_64 guests using either emulated hardware or
-virtio, with all hardening features, including CONFIG_PAX_KERNEXEC and
-CONFIG_PAX_MEMORY_UDEREF, have been successfull.
+guest on amd64 hosts. Test of both x86 and x86_64 guests using either emulated
+hardware or virtio, with all hardening features, including CONFIG_PAX_KERNEXEC
+and CONFIG_PAX_MEMORY_UDEREF, have been successfull on amd64 guests. For Intel
+hosts there have been reports going both ways on whether or not
+CONFIG_PAX_MEMORY_UDEREF being enabled in the guests causes the guest to run
+slowly. Currently it is recomended to not enable CONFIG_PAX_MEMORY_UDEREF on
+Intel guests.
</p>
+<table class="ntable">
+ <tr>
+ <td class="infohead" colspan="3" style="text-align:center"><b>guest kerel config breakout</b></td>
+ </tr>
+ <tr>
+ <td class="infohead"><b></b></td>
+ <td class="infohead"><b>AMD</b></td>
+ <td class="infohead"><b>INTEL</b></td>
+ </tr>
+ <tr>
+ <td class="infohead"><b>CONFIG_PAX_KERNEXEC</b></td>
+ <td class="tableinfo">Y</td>
+ <td class="tableinfo">Y</td>
+ </tr>
+ <tr>
+ <td class="infohead"><b>CONFIG_PAX_MEMORY_UDEREF</b></td>
+ <td class="tableinfo">Y</td>
+ <td class="tableinfo">N</td>
+ </tr>
+</table>
<p>
For the host, however, one must disable both CONFIG_PAX_KERNEXEC and
CONFIG_PAX_MEMORY_UDEREF. Either of these will set an invisible kernel
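Review bot: The new paragraph mixes architecture with CPU vendor: it says hardening is unrestricted "on amd64 hosts" and tested "on amd64 guests", then switches to "Intel hosts" and "Intel guests", while the added table is keyed AMD/INTEL. Since x86 and x86_64 guests run on both vendors, use one consistent phrasing ("guests on AMD hosts" versus "guests on Intel hosts"), and make explicit that the UDEREF recommendation for Intel is about guest performance (the text says "run slowly"), not a functional break. Also fix the typos "successfull", "recomended" and "kerel" (table caption), the agreement error "Test of ... have been" ("Tests of ... have been"), and the empty header cell `<td class="infohead"><b></b></td>`, which should at least carry a label such as "Option".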
@@ -90,7 +114,11 @@ regards. It employs a hypervisor which boots a specialize host's kernel
</p>
<p class="secthead"><a name="doc_chap1_sect5">VMWare Workstation</a></p>
<p>
-TODO
+VMWare Workstation needs to link precompiled binaries against system
+libraries in order to function. Because Gentoo Hardened uses more secure
+functions of GCC, VMWare Workstation cannot link against it. Because
+VMWare Workstation cannot link, it does not function. In fact, using
+VMWare Workstation at all on Hardened Gentoo led to a hard system reset.
</p>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
</span>Resources</p>
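Review bot: The VMWare Workstation text replaces a TODO with a causal chain the reader cannot check: "more secure functions of GCC" does not name the toolchain behaviour that prevents linking, and "link against it" leaves "it" ambiguous (GCC, or the system libraries?). Name the hardened toolchain feature meant and the actual failure seen. The last sentence presents a hard system reset as a general fact but reads like one observation; give the Workstation and hardened-sources versions tried, or phrase it as a reported result. Minor: the product writes its own name as "VMware".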
diff --git a/html/hardenedfaq.html b/html/hardenedfaq.html
index af801c7..5658af4 100644
--- a/html/hardenedfaq.html
+++ b/html/hardenedfaq.html
@@ -354,8 +354,7 @@ That is <a href="http://pax.grsecurity.net">the homepage for PaX</a>.
</p>
<p class="secthead"><a name="paxgentoodoc"></a><a name="doc_chap3_sect2">What Gentoo documentation exists about PaX?</a></p>
<p>
-Currently the only Gentoo documentation that exists about PaX is a <a href="pax-quickstart.html"> PaX quickstart
-guide</a>.
+Currently the only Gentoo documentation that exists about PaX is a <a href="pax-quickstart.html"> PaX quickstart guide</a>.
</p>
<p class="secthead"><a name="paxmarkings"></a><a name="doc_chap3_sect3">How do PaX markings work?</a></p>
<p>
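Review bot: Joining the link onto one line keeps a leading space inside the anchor text (`<a href="pax-quickstart.html"> PaX quickstart guide</a>`), which renders as an underlined space in front of the link; move the space before the `<a>`.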
@@ -512,8 +511,7 @@ That is the <a href="http://www.grsecurity.net">homepage for Grsecurity</a>.
</p>
<p class="secthead"><a name="grsecgentoodoc"></a><a name="doc_chap4_sect2">What Gentoo documentation exists about Grsecurity?</a></p>
<p>
-The most current documentation for Grsecurity is a <a href="grsecurity.html">Grsecurity2
-quickstart guide</a>.
+The most current documentation for Grsecurity is a <a href="grsecurity.html">Grsecurity2 quickstart guide</a>.
</p>
<p class="secthead"><a name="grsectpe"></a><a name="doc_chap4_sect3">How does TPE work?</a></p>
<p>
@@ -532,14 +530,14 @@ support kernel sources not coming from the portage tree.
</span>SELinux Questions</p>
<p class="secthead"><a name="selinuxfaq"></a><a name="doc_chap5_sect1">Where can I find SELinux related frequently asked questions?</a></p>
<p>
-There is a <a href="selinux/selinux-handbook.xml?part=3&chap=3">
-SELinux specific FAQ</a>.
+There is a <a href="selinux-faq.html"> SELinux specific FAQ
+</a>.
</p>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="hardenedfaq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated 2011-2-19</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated 2011-3-27</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
the gentoo-hardened mailing list.
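Review bot: The new href `selinux-faq.html` points at a file this commit does not add: the diffstat lists 16 files and none is `selinux-faq.html`, while the FAQ page that did exist, `html/selinux/hb-selinux-faq.html`, is deleted further down. Verify the target is already in the tree (or add it in the same commit) so the FAQ link is not left dangling. The rewritten link text also carries a leading space and a stray line break before `</a>`; write it as `There is a <a href="selinux-faq.html">SELinux specific FAQ</a>.`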
diff --git a/html/selinux/hb-selinux-conv-profile.html b/html/selinux/hb-selinux-conv-profile.html
deleted file mode 100644
index 783a2af..0000000
--- a/html/selinux/hb-selinux-conv-profile.html
+++ /dev/null
@@ -1,118 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Change Profile</p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>SELinux is only supported on ext2/3, XFS, JFS, and Btrfs. Other filesystems
-lack the complete extended attribute support.</p></td></tr></table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>Users should convert from a 2006.1 or newer profile otherwise
-there may be unpredictable results.</p></td></tr></table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>As always, keep a LiveCD at hand in case things go wrong.</p></td></tr></table>
-<p>First switch your profile to the SELinux profile for your architecture:</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switch profiles</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rm -f /etc/make.profile</span>
-
-
-<span class="code-comment">x86 (server):</span>
-# <span class="code-input">ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/server /etc/make.profile</span>
-<span class="code-comment">x86 (hardened):</span>
-# <span class="code-input">ln -sf /usr/portage/profiles/selinux/v2refpolicy/x86/hardened /etc/make.profile</span>
-<span class="code-comment">AMD64:</span>
-# <span class="code-input">ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/server /etc/make.profile</span>
-<span class="code-comment">AMD64 (hardened):</span>
-# <span class="code-input">ln -sf /usr/portage/profiles/selinux/v2refpolicy/amd64/hardened /etc/make.profile</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>You can also switch profiles with eselect if you have the gentoolkit
- package installed. That method is not shown here because the specific options
- available and their numbering will vary according to your system
- configuration.</p></td></tr></table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>Do not use any profiles other than the ones listed above, even
-if they seem to be out of date. SELinux profiles are not necessarily
-created as often as default Gentoo profiles.</p></td></tr></table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>The SELinux profile has significanly fewer USE flags asserted than
-the default profile. Use <span class="code" dir="ltr">emerge info</span> to see if any use flags
-need to be reenabled in make.conf.</p></td></tr></table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>It is not necessary to add selinux to your USE flags in make.conf.
-The SELinux profile already does this for you.
-</p></td></tr></table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
- You may encounter this message from portage: "!!! SELinux module not found.
- Please verify that it was installed." This is normal, and will be fixed
- later in the conversion process.
-</p></td></tr></table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Update Kernel Headers</p>
-<p>
- We will start by updating essential packages. First check which version
- of linux-headers is installed.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Check linux-headers version</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">emerge -s linux-headers</span>
-<span class="code-comment">or if you have gentoolkit installed:</span>
-# <span class="code-input">equery list -i linux-headers</span>
-</pre></td></tr>
-</table>
-<p>
- If the linux-headers version is older than 2.4.20, newer headers must be merged.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Merge newer headers</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">emerge \>=sys-kernel/linux-headers-2.4.20</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Update Glibc</p>
-<p>
- If you have merged new headers, or you are unsure if your glibc was
- compiled with newer headers, you must recompile glibc.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Recompile glibc</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">emerge glibc</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
- This is a critical operation. Glibc must be compiled with newer linux-headers,
- otherwise some operations will malfunction.
-</p></td></tr></table>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated June 15, 2010</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
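Review bot: This and the following deletion hunks remove the rendered SELinux handbook (twelve hb-selinux-*.html files, about 2,600 lines), but the commit message only mentions "html and update of intel udref situation for virt"; state the removal and the reason. The content does look like a stale render (every chapter is numbered "1.", every listing is "Code Listing1.1", and the anchor `doc_chap1` repeats within one page), which justifies dropping it, but the old pages also carried guidance not obviously preserved elsewhere, such as the supported-filesystem warning and the 2006.1 profile requirement. Check that nothing else under html/ still links to hb-selinux-*.html before this lands.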
diff --git a/html/selinux/hb-selinux-conv-reboot1.html b/html/selinux/hb-selinux-conv-reboot1.html
deleted file mode 100644
index 2157c17..0000000
--- a/html/selinux/hb-selinux-conv-reboot1.html
+++ /dev/null
@@ -1,209 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Merge a SELinux Kernel</p>
-<p>Merge an appropriate kernel. A 2.6 kernel is required. The
- suggested kernel is hardened-sources.
-</p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>2.6.28-r9 is the current hardened release version at the time of this writing,
- and all instructions in this document assume at least this version.</p></td></tr></table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>Kernels 2.6.14 and 2.6.15 should not be used by XFS users as they
- have bugs in the SELinux XFS support.</p></td></tr></table>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Merge an appropriate kernel</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">Any 2.6 kernel</span>
-# <span class="code-input">emerge hardened-sources</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Compile the Kernel with SELinux Options</p>
-<p>The kernel must be compiled with security module support, SELinux support,
-devpts, and extended attribute security labels. Refer to the main installation
-guide for futher kernel options.</p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-The available options may vary slightly depending on the kernel version
-being used. In particular, Btrfs first became available with the 2.6.29
-kernel, and the /dev/pts and tmpfs Extended Attributs and Security Labels
-options were obsoleted in kernel 2.6.13 (they are now enabled by default).
-"Default Linux Capabilies" under "Security options" was obsoleted in the
-2.6.26 kernel (it is now enabled by default).
-
-XFS always enables security labeling, so there is no additional option
-to set for this file system
-
-Ext4 should work, but is NOT well tested at the time of this writing!
-
-Any extended attribute options not specifically enabled below should be turned
-off.
-</p></td></tr></table>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Location and required options under menuconfig</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">Under "General setup"</span>
-[*] Prompt for development and/or incomplete code/drivers
-[*] Auditing support
-[*] Enable system-call auditing support
-
-<span class="code-comment">Under "File systems"</span>
-<*> Second extended fs support <span class="code-comment">(If using ext2)</span>
-[*] Ext2 extended attributes
-[ ] Ext2 POSIX Access Control Lists
-[*] Ext2 Security Labels
-[ ] Ext2 Execute in place support
-<*> Ext3 journalling file system support <span class="code-comment">(If using ext3)</span>
-[*] Ext3 extended attributes
-[ ] Ext3 POSIX Access Control Lists
-[*] Ext3 Security labels
-<*> The Extended 4 (ext4) filesystem <span class="code-comment">(If using ext4)</span>
-[ ] Enable ext4dev compatibility
-[*] Ext4 extended attrributes
-[ ] Ext4 POSIX Access Control Lists
-[*] Ext4 Security Labels
-<*> JFS filesystem support <span class="code-comment">(If using JFS)</span>
-[ ] JFS POSIX Access Control Lists
-[*] JFS Security Labels
-[ ] JFS debugging
-[ ] JFS statistics
-<*> XFS filesystem support <span class="code-comment">(If using XFS)</span>
-[ ] XFS Quota support
-[ ] XFS POSIX ACL support
-[ ] XFS Realtime subvolume support (EXPERIMENTAL)
-[ ] XFS Debugging Support
-<*> Btrfs filesystem (EXPERIMENTAL) Unstable disk format <span class="code-comment">(if
-using Btrfs)</span>
-[ ] Btrfs POSIX Access Control Lists (NEW)
-<span class="code-comment">Under "Pseudo filesystems (via "File systems")</span>
-[ ] /dev file system support (EXPERIMENTAL)
-[*] /dev/pts Extended Attributes
-[*] /dev/pts Security Labels
-[*] Virtual memory file system support (former shm fs)
-[*] tmpfs Extended Attributes
-[*] tmpfs Security Labels
-
-<span class="code-comment">Under "Security options"</span>
-[*] Enable different security models
-[*] Socket and Networking Security Hooks
-<*> Default Linux Capabilities
-[*] NSA SELinux Support
-[ ] NSA SELinux boot parameter
-[ ] NSA SELinux runtime disable
-[*] NSA SELinux Development Support
-[ ] NSA SELinux AVC Statistics
-(1) NSA SELinux checkreqprot default value
-[ ] NSA SELinux enable new secmark network controls by default
-[ ] NSA SELinux maximum supported policy format version
- Default security module (SELinux) --->
-</pre></td></tr>
-</table>
-<p>
- The extended attribute security labels must be turned on for devpts and
- your filesystem(s). Devfs is not usable in SELinux, and should be
- turned off. Not all options exist on older 2.6 kernels,
- such as Auditing support, and runtime disable. In newer kernels,
- the extended attributes support for proc and the virtual memory fs (tmpfs)
- are enabled by default; thus, no options will appear in menuconfig.
-</p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>It is recommended to configure PaX if you are using harded-sources (also
-recommended). More information about Pax can be found in the <a href="pax-quickstart.html">Hardened Gentoo
-PaX Quickstart Guide</a>.
-</p></td></tr></table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
- Do not enable the SELinux MLS policy option if its available, as it is
- not supported, and will cause your machine to not start.
-</p></td></tr></table>
-<p>
- Now compile and install the kernel and modules, but do not reboot.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Update fstab</p>
-<p>
- SElinuxfs must also be enabled to mount at boot.
- Add this to /etc/fstab:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fstab settings for selinuxfs</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-none /selinux selinuxfs defaults 0 0
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Configure Baselayout</p>
-<p>
-SELinux does not support devfs. You must configure baselayout to
-use either static device nodes or udev. If using udev, the
-device tarball must be disabled. Edit the /etc/conf.d/rc file.
-Set RC_DEVICES to static or udev, and RC_DEVICE_TARBALL to no.
-If you have several custom device nodes, static is suggested,
-otherwise udev is suggested (udev is the default at the time of this writing).
-For more information on udev, consult the <a href="http://www.gentoo.org/doc/en/udev-guide.xml">Gentoo UDEV Guide</a>.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Init script configuration</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# Use this variable to control the /dev management behavior.
-# auto - let the scripts figure out what's best at boot
-# devfs - use devfs (requires sys-fs/devfsd)
-# udev - use udev (requires sys-fs/udev)
-# static - let the user manage /dev
-
-RC_DEVICES="<span class="code-comment">udev</span>"
-
-# UDEV OPTION:
-# Set to "yes" if you want to save /dev to a tarball on shutdown
-# and restore it on startup. This is useful if you have a lot of
-# custom device nodes that udev does not handle/know about.
-
-RC_DEVICE_TARBALL="<span class="code-comment">no</span>"
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Reboot</p>
-<p>
- We need to make some directories before we reboot.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Making Required Directories</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">mkdir /selinux</span>
-# <span class="code-input">mkdir /sys</span>
-</pre></td></tr>
-</table>
-<p>
- Now reboot.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 27, 2010</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
diff --git a/html/selinux/hb-selinux-conv-reboot2.html b/html/selinux/hb-selinux-conv-reboot2.html
deleted file mode 100644
index 265bf6c..0000000
--- a/html/selinux/hb-selinux-conv-reboot2.html
+++ /dev/null
@@ -1,244 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="../../favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Merge SELinux Packages</p>
-<p>Merge the libraries, utilities and base-policy. The policy version may need
- be adjusted, refer to the SELinux Overview
- for more information on policy versions. Then load the policy.</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Merge base SELinux packages and policy</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">emerge -1 checkpolicy policycoreutils</span>
-# <span class="code-input">FEATURES=-selinux emerge -1 selinux-base-policy</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-The "FEATURES=-selinux" part of the emerge command should only be used on the above command.
-It is required to merge selinux-base-policy (only for the first time) as the portage SELinux features require both policycoreutils and selinux-base-policy otherwise portage will fail.
-</p></td></tr></table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Choose the policy type</p>
-<p>
-New in 2006.1, users now have the choice between the strict policy and the
-targeted policy.
-</p>
-<p>
-In the strict policy, all processes are confined.
-If you are familiar with pre 2006.1 Gentoo SELinux policy, that policy was a strict policy.
-Strict policy is suggested for servers.
-Gentoo does not support the strict policy on desktops.
-</p>
-<p>
-The targeted policy differs with strict, as only network-facing services are
-confined and local users are unconfined. Gentoo only supports desktops with
-the targeted policy. This policy can also be used on servers.
-</p>
-<p>
-Edit the /etc/selinux/config file to set the policy type.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config contents</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=permissive <span class="code-comment">(This should be set permissive for the remainder of the install)</span>
-
-# SELINUXTYPE can take one of these two values:
-# targeted - Only targeted network daemons are protected.
-# strict - Full SELinux protection.
-SELINUXTYPE=strict <span class="code-comment">(Set this as strict or targeted)</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Merge SELinux-patched packages</p>
-<p>
- There are several system packages that have SELinux patches. These patches
- provide a variety of additional SELinux functionality, such as displaying
- file contexts.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Remerge Packages</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">emerge -1 sysvinit pam coreutils findutils openssh procps psmisc shadow util-linux python-selinux</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
- If you find that you can't use portage due to a errors like these:
- !!! 'module' object has no attribute 'secure_rename' or
- AttributeError: 'module' object has no attribute 'getcontext', this is
- a portage bug, where it can't handle a missing python-selinux. Merge it
- with "FEATURES=-selinux emerge python-selinux" to fix the problem. See
- bug <a href="http://bugs.gentoo.org/show_bug.cgi?id=122517">#122517</a>
- for more information.
-</p></td></tr></table>
-<p>There are other packages that have SELinux patches, but are optional. These
-should be remerged if they are already installed, so the SELinux patches are
-applied:</p>
-<ul>
-<li>app-admin/logrotate</li>
-<li>sys-apps/fcron</li>
-<li>sys-apps/vixie-cron</li>
-<li>sys-fs/device-mapper</li>
-<li>sys-fs/udev</li>
-<li>sys-libs/pwdb</li>
-</ul>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
- Fcron and Vixie-cron are the only crons with SELinux support.
-</p></td></tr></table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>The above packages are NOT an exhaustive list; they are only the most
-common ones. In general, any package installed on the system which has the
-selinux USE flag should be remerged. To see which packages may need to be
-merged, you can:
-emerge -upDN world
-
-Since changing to the selinux profile has changed your USE flags, the above
-will get everything that is listening to the selinux USE flag. It will
-probably also get some other stuff as well. To actually remerge everything,
-simply remove the 'p', or manually specify the packages you want to remerge.
-</p></td></tr></table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Merge Application Policies</p>
-<p>
- In future, when merging a package, the policy will be set as a dependency so
- that it is merged first; however, since the system is being converted, policy
- for currently installed packages must be merged. The selinux-base-policy
- already covers most packages in the system profile.
-</p>
-<p>
- Look in the <span class="code" dir="ltr">/usr/portage/sec-policy</span>, it has several entries, each which
- represent a policy. The naming scheme is selinux-PKGNAME, where PKGNAME is
- the name of the package that the policy is associated. For example, the
- selinux-apache package is the SELinux policy package for net-www/apache.
- Merge each of the needed policy packages and then load the policy.
- If you are converting a desktop, make sure to include the selinux-desktop policy package.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example Merge of Apache and BIND policies</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">ls /usr/portage/sec-policy</span>
-<span class="code-comment">(many directories listed)</span>
-
-# <span class="code-input">emerge -1 selinux-apache selinux-bind</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Label Filesystems</p>
-<p>
- Before you can relabel the rest of the filesystems, you need to first relabel
- /dev. Strictly speaking, this is only necessary if you aren't using a static
- /dev. However, as the vast majority of current and new systems are going to
- be built with udev, this probably means you are using udev as well. There
- are a lot of different ways to get at this problem, but the steps below are
- easy to do and work.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel /dev</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-input"># mkdir /mnt/gentoo
-# mount -o bind / /mnt/gentoo
-# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev
-# umount /mnt/gentoo
-</span>
- </pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>Remember to select one of {strict,targeted} above based on your
- enforcement mode.</p></td></tr></table>
-<p>
- Now label the filesystems. This gives each of the files in the filesystems
- a security label. Keeping these labels consistent is important.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Label filesystems</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg -a -r</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
- There is a known issue with older versions of GRUB
- not being able to read symlinks that have been labeled.
- Please make sure you have at least GRUB 0.94 installed.
- Also rerun GRUB and reinstall it into the MBR to ensure
- the updated code is in use.
- You do have a LiveCD handy, right?
-</p></td></tr></table>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Reinstall GRUB on the MBR (GRUB users only)</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">grub</span>
-
-grub> root (hd0,0) <span class="code-comment">(Your boot partition)</span>
-grub> setup (hd0) <span class="code-comment">(Where the boot record is installed; here, it is the MBR)</span>
-</pre></td></tr>
-</table>
-<p>
- If you've installed Gentoo using the hardened sources, then you'll need to
- tell SELinux that you are using the hardened tool-chain with ssp. You do
- this by setting an SELinux global boolean
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux global_ssp</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-input">setsebool -P global_ssp on</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>Make sure you use the -P flag, or the setting won't survive the reboot,
-and you'll likely see a lot of errors relating to /dev/null and /dev/random
-</p></td></tr></table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Final reboot</p>
-<p>Reboot. Log in, then relabel again to ensure all files
-are labeled correctly (some files may have been created during shutdown and
-reboot)</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg -a -r</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
- It is strongly suggested to <a href="http://www.gentoo.org/main/en/lists.xml">subscribe</a>
- to the gentoo-hardened mail list. It is generally a low traffic list, and
- SELinux announcements are made there.
-</p></td></tr></table>
-<p>
- SELinux is now installed!
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 27, 2010</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
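Review bot: this hunk removes the tail of the SELinux conversion walkthrough (policy merge, /etc/selinux/config, relabelling, GRUB reinstall, global_ssp, final reboot) with no replacement page or redirect visible in the diff, and the change description does not mention retiring the SELinux handbook pages; say in the commit message whether the page is obsolete or regenerated from XML elsewhere. If the content is migrated, keep the operational caveats that are easy to lose: FEATURES=-selinux only for the first selinux-base-policy merge, SELINUX=permissive for the rest of the install, setsebool -P so global_ssp survives the reboot, and a second `rlpkg -a -r` after the final reboot. The `setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/...` line relies on the reader picking one policy type; a brace expansion in a shell would pass two arguments, so a migrated version should spell out the two variants rather than rely on the note below it.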
diff --git a/html/selinux/hb-selinux-faq.html b/html/selinux/hb-selinux-faq.html
deleted file mode 100644
index 2c1f29d..0000000
--- a/html/selinux/hb-selinux-faq.html
+++ /dev/null
@@ -1,148 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux features</p>
-<p class="secthead"><a name="doc_chap1_sect1">Does SELinux enforce resource limits?</a></p>
-<p>
- No, resource limits are outside the scope of an access control system. If you
- are looking for this type of support, GRSecurity and RSBAC are better choices.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux and other hardened projects</p>
-<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux and GRSecurity (and PaX)?</a></p>
-<p>
- Yes, SELinux can be used with GRSecurity and/or PaX with no problems; however,
- it is suggested that GRACL should not be used, since it would be redundant
- to SELinux's access control.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux and the hardened compiler (PIE-SSP)?</a></p>
-<p>
- Yes. It is also suggested that PaX be used to take full advantage
- of the PIE features of the compiler.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux and RSBAC?</a></p>
-<p>
- Unknown. Please report your results if you try this combination.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux and filesystems</p>
-<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux with my primary filesystems?</a></p>
-<p>
- SELinux can be used with ext2, ext3, JFS, and XFS. Reiserfs (Reiser3) has
- extended attributes, but the support was never complete, and has been broken
- since 2.6.14. Reiser4 is not supported.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux with my ancillary filesystems?</a></p>
-<p>
- Yes, SELinux can mount ancillary filesystems, such as vfat and iso9660
- filesystems, with an important caveat. All files in each filesystem will
- have the same SELinux type, since the filesystems do not support extended
- attributes. Tmpfs is the only ancillary filesystem with complete extended
- attribute support, which allows it to behave like a primary filesystem.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Can I use SELinux with my network filesystems?</a></p>
-<p>
- Yes, SELinux can mount network filesystems, such as NFS and CIFS
- filesystems, with an important caveat. All files in each filesystem will
- have the same SELinux type, since the filesystems do not support extended
- attributes. In the future, hopefully network filesystems will begin to
- support extended attributes, then they will work like a primary filesystem.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Portage error messages</p>
-<p class="secthead"><a name="doc_chap1_sect1">I get a missing SELinux module error when using emerge:</a></p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Portage message</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-!!! SELinux module not found. Please verify that it was installed.
-</pre></td></tr>
-</table>
-<p>
- This indicates that the portage SELinux module is missing or damaged.
- Also python may have been upgraded to a new version which requires
- python-selinux to be recompiled. Remerge dev-python/python-selinux.
- If packages have been merged under this condition, they must be relabed
- after fixing this condition. If the packages needing to be remerged cannot
- be determined, a full relabel may be required.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux kernel error messages</p>
-<p class="secthead"><a name="doc_chap1_sect1">I get a register_security error message when booting:</a></p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Kernel message</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-There is already a security framework initialized, register_security failed.
-Failure registering capabilities with the kernel
-selinux_register_security: Registering secondary module capability
-Capability LSM initialized
-</pre></td></tr>
-</table>
-<p>
- This means that the Capability LSM module couldn't register as the primary
- module, since SELinux is the primary module. The third message means that it
- registers with SELinux as a secondary module. This is normal.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Setfiles error messages</p>
-<p class="secthead"><a name="doc_chap1_sect1">When I try to relabel, it fails with invalid contexts:</a></p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Invalid contexts example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# make relabel
-/usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
-/usr/sbin/setfiles: read 559 specifications
-/usr/sbin/setfiles: invalid context system_u:object_r:default_t on line number 39
-/usr/sbin/setfiles: invalid context system_u:object_r:urandom_device_t on line number 120
-/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 377
-/usr/sbin/setfiles: invalid context system_u:object_r:fonts_t on line number 378
-/usr/sbin/setfiles: invalid context system_u:object_r:krb5_conf_t on line number 445
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 478
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 479
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 492
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 493
-/usr/sbin/setfiles: invalid context system_u:object_r:system_cron_spool_t on line number 494
-Exiting after 10 errors.
-make: *** [relabel] Error 1
-</pre></td></tr>
-</table>
-<p>
- First ensure that /selinux is mounted. If selinuxfs is not mounted, setfiles
- cannot validate any contexts, causing it to believe all contexts are
- invalid. If /selinux is mounted, then most likely there is new policy that
- has not yet been loaded; therefore, the contexts have not yet become valid.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 1, 2006</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
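Review bot: the FAQ deleted here is stamped "Updated May 1, 2006" and much of it is tied to old kernels and tools (selinuxfs at /selinux, the register_security boot message, remerging dev-python/python-selinux), so dropping it is reasonable, but the diff shows no successor page and the commit description does not say where these answers now live. Two answers are still correct and worth carrying over rather than losing: the xattr caveat that vfat, iso9660, NFS and CIFS mounts give every file a single SELinux type, and the note that GRACL should not be combined with SELinux because the access controls overlap. The deleted `<title>` also contains a stray "--" line, a pre-existing generator defect that should be checked in whatever page replaces this one.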
diff --git a/html/selinux/hb-selinux-howto.html b/html/selinux/hb-selinux-howto.html
deleted file mode 100644
index 4b431f0..0000000
--- a/html/selinux/hb-selinux-howto.html
+++ /dev/null
@@ -1,287 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Load policy into a running SELinux kernel</p>
-<p>
- This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Semodule command</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -B</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Change roles</p>
-<p>
- This requires your user have access to the target role. This example
- is for changing to the <span class="code" dir="ltr">sysadm_r</span> role.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Newrole</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">newrole -r sysadm_r</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Specify available roles for a user</p>
-<p>
- There is a mapping of linux users to SELinux identities. The policy has
- generic SELinux users for relevant configurations of roles. For example, to
- map the user <span class="code" dir="ltr">pebenito</span> to the SELinux identity <span class="code" dir="ltr">staff_u</span>, run:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Map pebenito to staff_u</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage login -a -s staff_u pebenito</span>
-</pre></td></tr>
-</table>
-<p>
- The policy does not need to be reloaded. If the user is logged in, it
- must log out and log in again to take effect.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Relabel filesystems</p>
-<p>
- This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg -a</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Relabel an individual package</p>
-<p>
- In addition to relabeling entire filesystems, individual portage packages
- can be relabeled. This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: rlpkg example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg shadow sash</span>
-</pre></td></tr>
-</table>
-<p>
- The script rlpkg is used, and any number of packages can be specified
- on the command line.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Scan for libraries with text relocations</p>
-<p>
- SELinux has improved memory protections. One feature supported is
- the permission for ELF text relocations. The libraries with text relocations
- have a special label, and the <span class="code" dir="ltr">rlpkg</span> tool has an option to scan for
- these libraries.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: TEXTREL Scan</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg -t</span>
-</pre></td></tr>
-</table>
-<p>
- This will also be done by automatically after a full relabel.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Start daemons in the correct domain</p>
-<p>
- Controlling daemons that have init scripts in /etc/init.d is slightly
- different in SELinux. The <span class="code" dir="ltr">run_init</span> command must be used to run
- the scripts, to ensure they are ran in the correct domain. The command
- can be ran normally, except the command is prefixed with <span class="code" dir="ltr">run_init</span>.
- This requires you to be in the <span class="code" dir="ltr">sysadm_r</span> role.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: run_init examples</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">run_init /etc/init.d/ntpd start</span>
-# <span class="code-input">run_init /etc/init.d/apache2 restart</span>
-# <span class="code-input">run_init /etc/init.d/named stop</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Gentoo run_init integration</a></p>
-<p>
- <span class="code" dir="ltr">run_init</span> has been integrated into Gentoo's init script system. With
- SELinux installed, services can be started and stopped as usual, but will
- now authenticate the user.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Integrated run_init example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">/etc/init.d/sshd restart</span>
-Authenticating root.
-Password:
- * Stopping sshd... [ ok ]
- * Starting sshd... [ ok ]
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Switch between enforcing and permissive modes</p>
-<p>
- Switching between modes in SELinux is very simple. Write a 1 for
- enforcing, or 0 for permissive to /selinux/enforce to set the mode.
- The current mode can be queried by reading /selinux/enforce; 0 means
- permissive mode, and 1 means enforcing mode. If the kernel option
- "NSA SELinux Development Support" is turned off, the system will always
- be in enforcing mode, and cannot be switched to permissive mode.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">Query current mode</span>
-# <span class="code-input">cat /selinux/enforce</span>
-<span class="code-comment">Switch to enforcing mode</span>
-# <span class="code-input">echo 1 > /selinux/enforce</span>
-<span class="code-comment">Switch to permissive mode</span>
-# <span class="code-input">echo 0 > /selinux/enforce</span>
-</pre></td></tr>
-</table>
-<p>
- A machine with development support turned on can be started in enforcing
- mode by adding <span class="code" dir="ltr">enforcing=1</span> to the kernel command line, in the
- bootloader (GRUB, lilo, etc).
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Managed policy</a></p>
-<p>
- In addition to the above kernel options, the mode at boot can be
- set by the <span class="code" dir="ltr">/etc/selinux/config</span> file.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=<span class="code-comment">permissive</span>
-</pre></td></tr>
-</table>
-<p>
- The setting in this file will be overridden by the kernel command line
- options described above.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Understand sestatus output</p>
-<p>
- The <span class="code" dir="ltr">sestatus</span> tool can be used to determine detailed SELinux-specific
- status information about the system. The <span class="code" dir="ltr">-v</span> option provides extra
- detail about the context of processes and files. The output will be
- divided into four sections. Sestatus only provides complete information
- for a user logged in as root (or su/sudo), in the <span class="code" dir="ltr">sysadm_r</span> role.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Status example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: enforcing
-Policy version: 18
-</pre></td></tr>
-</table>
-<p>
- The main status information is provided in the first section. The first
- line shows if SELinux kernel functions exists and are enabled. If the
- status is disabled, either the kernel does not have SELinux support, or
- the policy is not loaded. The second line shows the mount point for
- the SELinux filesystem. During the normal use, the filesystem should be
- mounted at the default location of <span class="code" dir="ltr">/selinux</span>. The third line
- shows the current SELinux mode, either enforcing or permissive. The fourth
- line shows the policy database version supported by the currently running
- kernel.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Booleans example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Policy booleans:
-secure_mode inactive
-ssh_sysadm_login inactive
-user_ping inactive
-</pre></td></tr>
-</table>
-<p>
- The second section displays the status of the conditional policy booleans. The
- left column is the name of boolean. The right column is the status of the
- boolean, either active, or inactive. This section will not be shown on
- policy version 15 kernels, as they do not support conditional policy.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Process context example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Process contexts:
-Current context: pebenito:sysadm_r:sysadm_t
-Init context: system_u:system_r:init_t
-/sbin/agetty system_u:system_r:getty_t
-/usr/sbin/sshd system_u:system_r:sshd_t
-</pre></td></tr>
-</table>
-<p>
- The third section displays the context of the current process, and of several
- key processes. If a process is running in the incorrect context, it will not
- function correctly.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: File context example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-File contexts:
-Controlling term: pebenito:object_r:sysadm_devpts_t
-/sbin/init system_u:object_r:init_exec_t
-/sbin/agetty system_u:object_r:getty_exec_t
-/bin/login system_u:object_r:login_exec_t
-/sbin/rc system_u:object_r:initrc_exec_t
-/sbin/runscript.sh system_u:object_r:initrc_exec_t
-/usr/sbin/sshd system_u:object_r:sshd_exec_t
-/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
-/etc/passwd system_u:object_r:etc_t
-/etc/shadow system_u:object_r:shadow_t
-/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
-/bin/bash system_u:object_r:shell_exec_t
-/bin/sash system_u:object_r:shell_exec_t
-/usr/bin/newrole system_u:object_r:newrole_exec_t
-/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
-/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:shlib_t
-</pre></td></tr>
-</table>
-<p>
- The fourth section displays the context of the current process's controlling
- terminal, and of several key files. For symbolic links, the context of
- the link and then the context of the link target is displayed. If a file has
- an incorrect context, the file may be inaccessable or have incorrect
- permissions for a particular process.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 14, 2006</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
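Review bot: this hunk removes the howto page wholesale, and with it the only text in this change that documents switching modes at runtime (`echo 1 > /selinux/enforce`), the `enforcing=1` boot parameter, and the rule that the kernel command line overrides `SELINUX=` in /etc/selinux/config; nothing in the hunk shows a replacement page or a redirect for hb-selinux-howto.html. If html/ is a rendered copy of xml sources that are being kept, the commit description should say so; if the page is really gone, that mode-switching guidance needs a home elsewhere before this lands. Whoever regenerates it should also note that the deleted text still describes the legacy `/selinux` mount point and policy versions 15 and 18 under "Updated October 14, 2006", so a straight regeneration would bring back content that was already stale.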
diff --git a/html/selinux/hb-selinux-initpol.html b/html/selinux/hb-selinux-initpol.html
deleted file mode 100644
index ad29136..0000000
--- a/html/selinux/hb-selinux-initpol.html
+++ /dev/null
@@ -1,72 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Verify Available Policy</p>
-<p>
- You must be in <span class="code" dir="ltr">sysadm_r</span> to perform this action.
-</p>
-<p>
- A binary policy must be available in
- /etc/selinux/{strict,targeted}/policy. If it is missing, then install
- the policy.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install policy</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -n -B</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Verify Init Can Load the Policy</p>
-<p>
- The final check is to ensure init can load the policy. Run <span class="code" dir="ltr">ldd</span> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">ldd /sbin/init</span>
- linux-gate.so.1 => (0xffffe000)
- <span class="code-comment">libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</span>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre></td></tr>
-</table>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 16, 2004</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
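Review bot: the page deleted here is the pre-reboot safety check of the conversion procedure (confirm a binary policy exists, then `ldd /sbin/init` and remerge sysvinit if libselinux is missing, and only then reboot), and it is dropped with no pointer to where that check now lives. The failure mode it guards against is a machine that reboots with SELinux enabled but an init that cannot load any policy. If the xml source survives and the html is regenerated from it, one line in the commit description saying so would settle it; if the page is really going away, fold the `ldd /sbin/init` check into whichever conversion page remains.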
diff --git a/html/selinux/hb-selinux-libsemanage.html b/html/selinux/hb-selinux-libsemanage.html
deleted file mode 100644
index afc93e4..0000000
--- a/html/selinux/hb-selinux-libsemanage.html
+++ /dev/null
@@ -1,275 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Management Infrastructure</p>
-<p>
- The SElinux management infrastructure manages several aspects of SELinux
- policy. These management tools are based on the core library libsemanage.
- There are several management programs to to various tasks, including
- <span class="code" dir="ltr">semanage</span> and <span class="code" dir="ltr">semodule</span>. They allow you to configure aspects
- of the policy without requiring the policy sources.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Policy Module Management</p>
-<p class="secthead"><a name="doc_chap1_sect1">What is a policy module?</a></p>
-<p>
- SELinux supports a modular policy. This means several pieces of policy
- are brought together to form one complete policy to be loaded in the
- kernel. This is a similar structure as the kernel itself and kernel modules.
- There is a main kernel image that is loaded, and various kernel modules can
- be added (assuming their dependencies are met) and removed on a running
- system without restarting. Similarly each policy has a base module and
- zero or more policy modules, all used to create a policy.
- Modules are built by compiling a piece of policy, and creating a policy
- package (*.pp) with that compiled policy, and optionally file contexts.
-</p>
-<p>
- The base module policy package (base.pp) contains the basic requirements of
- the policy. All modular policies must have a base module at minimum.
- In Gentoo we have these plus policies for all parts of the system profile.
- This is contained in the selinux-base-policy ebuild. The other policy ebuilds
- in portage have one or more policy modules.
-</p>
-<p>
- For more information on writing a policy module, in particular for managing
- your local customizations to the policy, please see the
- <a href="selinux-handbook.xml?part=3&chap=5">policy module guide</a>.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">The SELinux module store</a></p>
-<p>
- When a policy module is inserted or removed, modules are copied into or
- removed from the module store. This repository has a copy of the
- modules that were used to create the current policy, in addition to several
- auxilliary files. This repository is stored in the
- /etc/selinux/{strict,targeted}/modules. You should never need to directly
- access the contents of the module store. A libsemanage-based tool should be
- used instead.
-</p>
-<p>
- Libsemanage handles the module store transactionally. This means that if
- a set of operations (a transaction) is performed on the store and one part
- fails, the entire transaction is aborted. This keeps the store in a
- consistent state.
-</p>
-<p>
- Managing the module store is accomplished with the <span class="code" dir="ltr">semodule</span> command.
- Listing the contents of the module store is done with the <span class="code" dir="ltr">-l</span> option.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# semodule -l
-distcc 1.1.1
-</pre></td></tr>
-</table>
-<p>
- Since the base module is required in all cases, and is not versioned, it will
- not be shown in the list. All other modules will be listed, along with their
- versions.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Inserting a policy module</a></p>
-<p>
- The module should be referenced by its file name.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -i module.pp</span>
-</pre></td></tr>
-</table>
-<p>
- This will insert the module into module store for the currently configured
- policy as specified in /etc/selinux/config. If the insert succeeds, the
- policy will be loaded, unless the <span class="code" dir="ltr">-n</span> option is used. To insert the
- module into an alternate module store, the <span class="code" dir="ltr">-s</span> option.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -s targeted -i module.pp</span>
-</pre></td></tr>
-</table>
-<p>
- Since this refers to an alternate module store, the policy will not be loaded.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Removing a policy module</a></p>
-<p>
- The module is referenced by its name in the module store.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -r module</span>
-</pre></td></tr>
-</table>
-<p>
- This will remove the module into module store for the currently configured
- policy as specified in /etc/selinux/config. If the remove succeeds, the
- policy will be loaded, unless the <span class="code" dir="ltr">-n</span> option is used. The remove
- command also respects the <span class="code" dir="ltr">-s</span> option.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Configuring User Login Mappings</p>
-<p>
- The current method of assigning sets of roles to a user is by setting
- up a mapping between linux users and SELinux identities. When a user
- logs in, the login program will set the SELinux identity based on the
- this map. If there is no explicit map, the <span class="code" dir="ltr">__default__</span> map is
- used.
-</p>
-<p>
- Managing the SELinux user login map is accomplished with the <span class="code" dir="ltr">semanage</span>
- tool.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux login user map</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage login -l</span>
-Login Name SELinux User
-
-__default__ user_u
-root root
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Add a user login mapping</a></p>
-<p>
- To map the linux user <span class="code" dir="ltr">pebenito</span> to the SELinux identity <span class="code" dir="ltr">staff_u</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage login -a -s staff_u pebenito</span>
-</pre></td></tr>
-</table>
-<p>
- For descriptions on the available SELinux identities, see the
- <a href="selinux-handbook.xml?part=3&chap=1#doc_chap3">SELinux Overview</a>.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Remove a user login mapping</a></p>
-<p>
- To remove a login map for the linux user <span class="code" dir="ltr">pebenito</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage login -d pebenito</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
- User login maps specified by the policy (not by the management infrastructure)
- cannot be removed.
-</p></td></tr></table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Configuring Initial Boolean States</p>
-<p>
- The <span class="code" dir="ltr">setsebool</span> program is now a libsemanage tool. This tool's basic
- function is to set the state of a Boolean. However, if the machine is
- restarted, the Booelans will be set using the initial state as specified in
- the policy. To set the Boolean state, and make that the new initial state
- in the policy, the <span class="code" dir="ltr">-P</span> option of <span class="code" dir="ltr">setsebool</span> is used.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Set Boolean default state</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">setsebool -P fcron_crond 1</span>
-</pre></td></tr>
-</table>
-<p>
- This will set the fcron_crond Boolean to true and also make the initial state
- for the Boolean true.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Configuring SELinux Identities</p>
-<p>
- Generally SELinux identities need not be added to the policy, as user
- login mappings are sufficient. However, one reason to add them is for
- improved auditing, since the SELinux identity is part of the scontext of a
- denial message.
-</p>
-<p>
- Managing the SELinux identities is accomplished with the <span class="code" dir="ltr">semanage</span> tool.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux identity list</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage user -l</span>
-SELinux User SELinux Roles
-
-root sysadm_r staff_r
-staff_u sysadm_r staff_r
-sysadm_u sysadm_r
-system_u system_r
-user_u user_r
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Add a SELinux identity</a></p>
-<p>
- In addition to specifying the roles for an identity, a prefix must
- also be specified. This prefix should match a role, for example
- <span class="code" dir="ltr">staff</span> or <span class="code" dir="ltr">sysadm</span>, and it is used for home directory
- entries. So if <span class="code" dir="ltr">staff</span> is used for the prefix, linux users that
- are mapped to this identity will have their home directory labeled
- <span class="code" dir="ltr">staff_home_dir_t</span>.
-</p>
-<p>
- To add the <span class="code" dir="ltr">test_u</span> identity with the roles <span class="code" dir="ltr">staff_r</span> and
- <span class="code" dir="ltr">sysadm_r</span> with the prefix <span class="code" dir="ltr">staff</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage user -a -R 'staff_r sysadm_r' -P staff test_u</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
- To use the SELinux identity, a user login map still must be added.
-</p></td></tr></table>
-<p class="secthead"><a name="doc_chap1_sect1">Remove a SELinux user identity</a></p>
-<p>
- To remove the test_u SELinux identity:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage user -d test_u</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
- SELinux identities specified by the policy (not by the management
- infrastructure) cannot be removed.
-</p></td></tr></table>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 15, 2006</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
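Review bot: the removed libsemanage page is the only text in this change that documents the `semodule -i/-r/-s`, `semanage login`/`semanage user`, and `setsebool -P` workflow and the module store at /etc/selinux/{strict,targeted}/modules, and the hunk gives no hint whether that material is being dropped or regenerated elsewhere; please state which in the commit description. If it is regenerated, carry one fix back to the source rather than the rendered html: the "Removing a policy module" paragraph reads "This will remove the module into module store", a copy of the insert paragraph, and should say "from the module store".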
diff --git a/html/selinux/hb-selinux-localmod.html b/html/selinux/hb-selinux-localmod.html
deleted file mode 100644
index 81ed4ba..0000000
--- a/html/selinux/hb-selinux-localmod.html
+++ /dev/null
@@ -1,158 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Introduction</p>
-<p>
- This guide discusses how to set up a policy module for local additions
- of rules to the policy.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Preparation</p>
-<p>
- Copy the example Makefile from the selinux-base-policy doc directory to the
- directory that will be used for building the policy. It is suggested that
- /root be used. The places that the <span class="code" dir="ltr">semodule</span> tool can read policy
- modules includes sysadm home directories.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">zcat /usr/share/doc/selinux-base-policy-20061008/Makefile.example.gz > /root/Makefile</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Write a TE file</p>
-<p>
- In a policy module, most policy statements are usable in modules.
- There are a few extra statements that must be added for proper operation.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example local.te</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-policy_module(local,1.0)
-
-require {
- type sysadm_su_t, newrole_t;
-}
-allow sysadm_su_t newrole_t:process sigchld;
-</pre></td></tr>
-</table>
-<p>
- In addition to the basic allow rule, it has a couple statements required
- by policy modules. The first is a policy_module() macro that has the
- name of the module, and the module's version. It also has a require
- block. This block specifies all types that are required for this module
- to function. All types used in the module must either be declared in the
- module or required by this module.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Write a FC File (optional)</p>
-<p>
- The file contexts file is optional and has the same syntax as as always.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example local.fc</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-/opt/myprogs/mybin -- system_u:object_r:bin_t
-</pre></td></tr>
-</table>
-<p>
- Types used in the file context file should be required or declared in
- the TE file.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Compile Policy Modules</p>
-<p>
- Simply run <span class="code" dir="ltr">make</span> to build all modules in the directory. The module
- will be compiled for the current policy as specified by /etc/selinux/config.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">make</span>
-Compiling strict local module
-/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule: policy configuration loaded
-/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
-Creating strict local.pp policy package
-</pre></td></tr>
-</table>
-<p>
- To build the module for a policy other than the configured policy, use the
- <span class="code" dir="ltr">NAME=</span> option.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">make NAME=targeted</span>
-Compiling targeted local module
-/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
-/usr/bin/checkmodule: policy configuration loaded
-/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
-Creating targeted local.pp policy package
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Load the Modules</p>
-<p>
- The modules can be loaded into the currently configured policy simply
- by using the load target of the Makefile.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">make load</span>
-</pre></td></tr>
-</table>
-<p>
- The load target also respects the <span class="code" dir="ltr">NAME=</span> option. Alternatively,
- the <span class="code" dir="ltr">semodule</span> command can be used to load individual modules.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -i local.pp</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Building Reference Policy Modules</p>
-<p>
-The new Gentoo policy is based on the <a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a>.
-For more information on building a complete Reference Policy module, see the
-<a href="http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted">Reference Policy Wiki</a>.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 15, 2006</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
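Review bot: this hunk removes the whole local-module build walkthrough (`make`, `make NAME=targeted`, `make load`, `semodule -i local.pp`) with no replacement elsewhere in the diff, and the footer shows the page was last updated October 15, 2006, so the deletion should state whether the material is superseded by the XML handbook or simply stale. If any of it is carried over, note that every chapter anchor in the deleted file is `<a name="doc_chap1">` and every listing anchor is `doc_chap1_pre1`, so in-page links cannot target the individual "Write a FC File", "Compile Policy Modules" and "Load the Modules" sections, and the Tresys refpolicy wiki links should be re-checked before they are reused.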
diff --git a/html/selinux/hb-selinux-loglocal.html b/html/selinux/hb-selinux-loglocal.html
deleted file mode 100644
index 20ece4a..0000000
--- a/html/selinux/hb-selinux-loglocal.html
+++ /dev/null
@@ -1,212 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Begin Here</p>
-<p>
- You must be in <span class="code" dir="ltr">sysadm_r</span> to perform these actions.
-</p>
-<p>
- Run <span class="code" dir="ltr">sestatus -v</span>. Click the first context that doesn't match:
-</p>
-<table class="ntable">
-<tr>
-<td class="infohead"><b>Process</b></td>
-<td class="infohead"><b>Context</b></td>
-</tr>
-<tr>
-<td class="tableinfo">Init context</td>
-<td class="tableinfo"><a href="#doc_chap2">system_u:system_r:init_t</a></td>
-</tr>
-<tr>
-<td class="tableinfo">/sbin/agetty</td>
-<td class="tableinfo"><a href="#doc_chap3">system_u:system_r:getty_t</a></td>
-</tr>
-<tr>
-<td class="infohead"><b>File</b></td>
-<td class="infohead"><b>Context</b></td>
-</tr>
-<tr>
-<td class="tableinfo">/bin/login</td>
-<td class="tableinfo"><a href="#doc_chap4">system_u:object_r:login_exec_t</a></td>
-</tr>
-<tr>
-<td class="tableinfo">/sbin/unix_chkpwd</td>
-<td class="tableinfo"><a href="#doc_chap5">system_u:object_r:chkpwd_exec_t</a></td>
-</tr>
-<tr>
-<td class="tableinfo">/etc/passwd</td>
-<td class="tableinfo"><a href="#doc_chap6">system_u:object_r:etc_t</a></td>
-</tr>
-<tr>
-<td class="tableinfo">/etc/shadow</td>
-<td class="tableinfo"><a href="#doc_chap6">system_u:object_r:shadow_t</a></td>
-</tr>
-<tr>
-<td class="tableinfo">/bin/bash</td>
-<td class="tableinfo"><a href="#doc_chap7">system_u:object_r:shell_exec_t</a></td>
-</tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect Init Context</p>
-<p class="secthead"><a name="doc_chap1_sect1">Verify Init Label</a></p>
-<p>
- There are several possible reasons why init may have the wrong context.
- First, verify that init is labeled correctly, refer to the sestatus's output
- for /sbin/init. If it is not <span class="code" dir="ltr">system_u:object_r:init_exec_t</span>, relabel sysvinit.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix init context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg sysvinit</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Verify Available Policy</a></p>
-<p>
- You must be in <span class="code" dir="ltr">sysadm_r</span> to perform this action.
-</p>
-<p>
- A binary policy must be available in /etc/selinux/{strict,targeted}/policy.
- If it is missing, then install the policy.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install binary policy</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -n -B</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Verify Init Can Load the Policy</a></p>
-<p>
- The final check is to ensure init can load the policy. Run <span class="code" dir="ltr">ldd</span> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Check init linking</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">ldd /sbin/init</span>
- linux-gate.so.1 => (0xffffe000)
- <span class="code-comment">libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</span>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre></td></tr>
-</table>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect agetty Context</p>
-<p>
- Verify that agetty is labeled correctly. Refer to the sestatus's output
- for /sbin/agetty. If it is not <span class="code" dir="ltr">system_u:object_r:getty_exec_t</span>, relabel
- util-linux. Then restart all gettys.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix agetty context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg util-linux</span>
-# <span class="code-input">killall agetty</span> <span class="code-comment">(they will respawn)</span>
-</pre></td></tr>
-</table>
-<p>
- All of the agettys should now be in the correct <span class="code" dir="ltr">system_u:object_r:getty_exec_t</span>
- context. Try logging in again.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect Login Context</p>
-<p>
- The login program (/bin/login) is not labeled correctly. Relabel shadow.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel shadow</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg shadow</span>
-</pre></td></tr>
-</table>
-<p>
- /bin/login should now be <span class="code" dir="ltr">system_u:object_r:login_exec_t</span>.
- Try logging in again.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect PAM Context</p>
-<p>
- Sshd must be able to use PAM for authenticating the user. The PAM password
- checking program (/sbin/unix_chkpwd) must be labeled correctly so
- sshd can transition to the password checking context. Relabel PAM.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix unix_chkpwd context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg pam</span>
-</pre></td></tr>
-</table>
-<p>
- The password checking program should now be <span class="code" dir="ltr">system_u:object_r:chkpwd_exec_t</span>.
- Try loggin in again.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect Password File Contexts</p>
-<p>
- The password file (/etc/passwd), and the shadow file (/etc/shadow) must
- be labeled correctly, otherwise PAM will not be able to
- authenticate your user. Relabel the files.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix shadow context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">restorecon /etc/passwd /etc/shadow</span>
-</pre></td></tr>
-</table>
-<p>
- The password and shadow files should now be <span class="code" dir="ltr">system_u:object_r:etc_t</span>
- and <span class="code" dir="ltr">system_u:object_r:shadow_t</span>, respectively. Try logging in again.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect Bash File Context</p>
-<p>
- Bash must be labeled correctly so the user can transition into the user
- domain when logging in. Relabel bash.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Fix bash context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg bash</span>
-</pre></td></tr>
-</table>
-<p>
- Bash (/bin/bash) should now be <span class="code" dir="ltr">system_u:object_r:shell_exec_t</span>.
- Try logging in again.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 16, 2004</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
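Review bot: if this local-login troubleshooting page is being replaced rather than dropped, three defects visible in the deleted text should not be carried over. The "Begin Here" table links to `#doc_chap2` through `#doc_chap7` while every chapter anchor in the file is `doc_chap1`, so none of the links resolve. The agetty section says the restarted gettys "should now be in the correct system_u:object_r:getty_exec_t context", but `object_r`/`getty_exec_t` is the file label of /sbin/agetty; the process context the table above it expects is `system_u:system_r:getty_t`. The PAM section is copied from the remote-login page and talks about sshd transitioning to unix_chkpwd, although this page covers console login through /bin/login. There is also the "Try loggin in again" typo, and the footer dates the page November 16, 2004.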
diff --git a/html/selinux/hb-selinux-logremote.html b/html/selinux/hb-selinux-logremote.html
deleted file mode 100644
index a05fc26..0000000
--- a/html/selinux/hb-selinux-logremote.html
+++ /dev/null
@@ -1,228 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Begin Here</p>
-<p>
- You must be in <span class="code" dir="ltr">sysadm_r</span> to perform these actions.
-</p>
-<p>
- Run <span class="code" dir="ltr">sestatus -v</span>. Click the first context that doesn't match:
-</p>
-<table class="ntable">
-<tr>
-<td class="infohead"><b>Process</b></td>
-<td class="infohead"><b>Context</b></td>
-</tr>
-<tr>
-<td class="tableinfo">Init context</td>
-<td class="tableinfo"><a href="#doc_chap2">system_u:system_r:init_t</a></td>
-</tr>
-<tr>
-<td class="tableinfo">/usr/sbin/sshd</td>
-<td class="tableinfo"><a href="#doc_chap3">system_u:system_r:sshd_t</a></td>
-</tr>
-<tr>
-<td class="infohead"><b>File</b></td>
-<td class="infohead"><b>Context</b></td>
-</tr>
-<tr>
-<td class="tableinfo">/sbin/unix_chkpwd</td>
-<td class="tableinfo"><a href="#doc_chap4">system_u:object_r:chkpwd_exec_t</a></td>
-</tr>
-<tr>
-<td class="tableinfo">/etc/passwd</td>
-<td class="tableinfo"><a href="#doc_chap5">system_u:object_r:etc_t</a></td>
-</tr>
-<tr>
-<td class="tableinfo">/etc/shadow</td>
-<td class="tableinfo"><a href="#doc_chap5">system_u:object_r:shadow_t</a></td>
-</tr>
-<tr>
-<td class="tableinfo">/bin/bash</td>
-<td class="tableinfo"><a href="#doc_chap6">system_u:object_r:shell_exec_t</a></td>
-</tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect Init Context</p>
-<p class="secthead"><a name="doc_chap1_sect1">Verify Init Label</a></p>
-<p>
- There are several possible reasons why init may have the wrong context.
- First, verify that init is labeled correctly, refer to the sestatus's output
- for /sbin/init. If it is not <span class="code" dir="ltr">system_u:object_r:init_exec_t</span>, relabel sysvinit.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg sysvinit</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Verify Available Policy</a></p>
-<p>
- You must be in <span class="code" dir="ltr">sysadm_r</span> to perform this action.
-</p>
-<p>
- A binary policy must be available in
- /etc/selinux/{strict,targeted}/policy. If it is missing, then install
- the policy.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Install policy</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -n -B</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Verify Init Can Load the Policy</a></p>
-<p>
- The final check is to ensure init can load the policy. Run <span class="code" dir="ltr">ldd</span> on
- init, and if libselinux is not in the output, remerge sysvinit.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">ldd /sbin/init</span>
- linux-gate.so.1 => (0xffffe000)
- <span class="code-comment">libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)</span>
- libc.so.6 => /lib/libc.so.6 (0x40035000)
- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
-</pre></td></tr>
-</table>
-<p>
- Now reboot so init gains the correct context, and loads the policy.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect sshd Context</p>
-<p>
- Another possibility is sshd is not labeled correctly, meaning it is not running
- in the right context. Relabel openssh, then restart sshd.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg openssh</span>
-# <span class="code-input">/etc/init.d/sshd restart</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect PAM Context</p>
-<p>
- Sshd must be able to use PAM for authenticating the user. The PAM password
- checking program (/sbin/unix_chkpwd) must be labeled correctly so
- sshd can transition to the password checking context. Relabel PAM.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg pam</span>
-</pre></td></tr>
-</table>
-<p>
- The password checking program should now be <span class="code" dir="ltr">system_u:object_r:chkpwd_exec_t</span>.
- Try loggin in again.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect Password File Contexts</p>
-<p>
- The password file (/etc/passwd), and the shadow file (/etc/shadow) must
- be labeled correctly, otherwise PAM will not be able to
- authenticate your user. Relabel the files.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">restorecon /etc/passwd /etc/shadow</span>
-</pre></td></tr>
-</table>
-<p>
- The password and shadow files should now be <span class="code" dir="ltr">system_u:object_r:etc_t</span>
- and <span class="code" dir="ltr">system_u:object_r:shadow_t</span>, respectively. Try logging in again.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Incorrect Bash File Context</p>
-<p>
- Bash must be labeled correctly so the user can transition into the user
- domain when logging in. Relabel bash.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg bash</span>
-</pre></td></tr>
-</table>
-<p>
- Bash (/bin/bash) should now be <span class="code" dir="ltr">system_u:object_r:shell_exec_t</span>.
- Try logging in again.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Other sshd Issues</p>
-<p class="secthead"><a name="doc_chap1_sect1">Valid Shell</a></p>
-<p>
- First, make sure the user has a valid shell.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">grep</span> <span class="code-comment">username</span> <span class="code-input">/etc/passwd | cut -d: -f7</span>
-/bin/bash <span class="code-comment">(or your shell of choice)</span>
-</pre></td></tr>
-</table>
-<p>
- If the above command does not return anything, or the shell is wrong,
- set the user's shell.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">usermod -s /bin/bash</span> <span class="code-comment">username</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">PAM enabled</a></p>
-<p>
- PAM also must be enabled in sshd. Make sure this line
- in <span class="code" dir="ltr">/etc/ssh/sshd_config</span> is uncommented:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: </p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-UsePAM yes
-</pre></td></tr>
-</table>
-<p>
- SELinux currently only allows PAM and a select few programs direct access
- to <span class="code" dir="ltr">/etc/shadow</span>; therefore, openssh must now
- use PAM for password authentication (public key still works).
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 16, 2004</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
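Review bot: same anchor problem as the local-login page: the table links `#doc_chap2` through `#doc_chap6` but every `<a name>` in the file is `doc_chap1`, so the links never resolve. The "Valid Shell" check `grep username /etc/passwd | cut -d: -f7` matches the username anywhere on a line (GECOS field, home directory, or a longer account name containing it), so it can print several shells or the wrong one; `getent passwd username | cut -d: -f7` or `grep '^username:' /etc/passwd` gives a single exact match. If the remote-login troubleshooting is kept elsewhere, those two fixes and the "Try loggin in again" typo should go with it; the footer dates the page November 16, 2004.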
diff --git a/html/selinux/hb-selinux-overview.html b/html/selinux/hb-selinux-overview.html
deleted file mode 100644
index a8dd3b9..0000000
--- a/html/selinux/hb-selinux-overview.html
+++ /dev/null
@@ -1,552 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Types</p>
-<p>
- A type is a security attribute given to objects such as files, and network
- ports, etc. The type of a process is commonly referred to as its domain.
- The SELinux policy is primarily composed of type enforcement rules, which
- describe how domains are allowed to interact with objects, and how domains
- are allowed to interact with other domains. A type is generally suffixed
- with a '_t', such as <span class="code" dir="ltr">sysadm_t</span>. This is the most important
- attribute for a process or object, as most policy decisions are based on
- the source and target types.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Roles</p>
-<p>
- SELinux is type enforcement, so the SELinux role is not the same as those
- in a role-based access control system. Permissions are not given to roles.
- A role describes the set of types a user can use. For example, a system
- administrator that is using the system for regular user tasks should be
- in the <span class="code" dir="ltr">staff_r</span> role. If they need to administrate the system, then
- a role change to <span class="code" dir="ltr">sysadm_r</span> is required. In SELinux terms, the
- domains that a user can be in is determined by their role. If a role is not
- allowed to have a certain domain, a transition to that domain will be denied,
- even if the type enforcement rules allow the domain transition. A role is
- generally suffixed with a '_r', such as <span class="code" dir="ltr">system_r</span>.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Identities</p>
-<p class="secthead"><a name="doc_chap1_sect1">What is a SELinux Identity?</a></p>
-<p>
- The SELinux identity is similar to a Linux username. The change of identity
- should be limited to very specific cases, since the role-based access control
- relies on the SELinux identity. Therfore, in general, a user’s SELinux
- identity will not change during a session. The user ID in Linux can be
- changed by set(e)uid, making it inappropriate for a SELinux identity.
- If a user is given a SELinux identity, it must match the Linux username. Each
- SELinux identity is allowed a set of roles.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Configure SELinux Identity Mapping</a></p>
-<p>
- The SELinux policy has several generic SELinux identities that should
- be sufficient for all users. This mapping only needs to be configured
- on the strict policy. The identity mapping for the targeted policy
- need not be configured, as the default identity (user_u) is sufficient
- in all cases.
-</p>
-<p>
- When a user logs in, the SELinux identity used is determined by this mapping.
-</p>
-<table class="ntable">
-<tr>
-<td class="infohead"><b>SELinux Identity</b></td>
- <td class="infohead"><b>Roles</b></td>
- <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
-<td class="tableinfo">system_u</td>
- <td class="tableinfo">system_r</td>
- <td class="tableinfo">System (non-interactive) processes. Should not be used on users.</td>
-</tr>
-<tr>
-<td class="tableinfo">user_u</td>
- <td class="tableinfo">user_r</td>
- <td class="tableinfo">Generic unprivileged users. The default identity mapping.</td>
-</tr>
-<tr>
-<td class="tableinfo">staff_u</td>
- <td class="tableinfo">staff_r, sysadm_r</td>
- <td class="tableinfo">System administrators that also log in to do regular user activties.</td>
-</tr>
-<tr>
-<td class="tableinfo">sysadm_u</td>
- <td class="tableinfo">sysadm_r</td>
- <td class="tableinfo">System administrators that only log in to do administrative tasks. It is not suggested that this identity is used.</td>
-</tr>
-<tr>
-<td class="tableinfo">root</td>
- <td class="tableinfo">staff_r, sysadm_r</td>
- <td class="tableinfo">Special identity for root. Other users should use staff_u instead.</td>
-</tr>
-</table>
-<p>
- See the <a href="selinux-handbook.xml?part=3&chap=2#doc_chap3">SELinux HOWTO</a>
- for semanage syntax for configuring SELinux identity mappings.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Contexts</p>
-<p>
- Using the above three security models together is called a SELinux
- context. A context takes the form <span class="code" dir="ltr">identity</span>:<span class="code" dir="ltr">role</span>:<span class="code" dir="ltr">type</span>.
- The SELinux context is the most important value for determining access.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Object Contexts</a></p>
-<p>
- A typical <span class="code" dir="ltr">ls -Z</span> may have an output similar to this:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example ls -Z output</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-drwxr-xr-x root root system_u:object_r:bin_t bin
-drwxr-xr-x root root system_u:object_r:boot_t boot
-drwxr-xr-x root root system_u:object_r:device_t dev
-drwxr-xr-x root root system_u:object_r:etc_t etc
-</pre></td></tr>
-</table>
-<p>
- The first three columns are the typical linux permissions, user and group.
- The fourth column is the file or directory's security context. Objects
- are given the generic <span class="code" dir="ltr">object_r</span> role. From the other two fields of
- the context, it can be seen that the files are in the system identity,
- and have four different types, <span class="code" dir="ltr">bin_t</span>, <span class="code" dir="ltr">boot_t</span>, <span class="code" dir="ltr">device_t</span>,
- and <span class="code" dir="ltr">etc_t</span>.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Process Contexts</a></p>
-<p>
- A typical <span class="code" dir="ltr">ps ax -Z</span> may have an output similar to this:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example ps ax -Z output</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
- PID CONTEXT COMMAND
- 1 system_u:system_r:init_t [init]
- 2 system_u:system_r:kernel_t [keventd]
- 3 system_u:system_r:kernel_t [ksoftirqd_CPU0]
- 4 system_u:system_r:kernel_t [kswapd]
- 5 system_u:system_r:kernel_t [bdflush]
- 6 system_u:system_r:kernel_t [kupdated]
- 706 system_u:system_r:syslogd_t [syslog-ng]
- 712 system_u:system_r:httpd_t [apache]
- 791 system_u:system_r:sshd_t [sshd]
- 814 system_u:system_r:crond_t [cron]
- 826 system_u:system_r:getty_t [agetty]
- 827 system_u:system_r:getty_t [agetty]
- 828 system_u:system_r:getty_t [agetty]
- 829 system_u:system_r:getty_t [agetty]
- 830 system_u:system_r:getty_t [agetty]
- 831 system_u:system_r:httpd_t [apache]
- 832 system_u:system_r:httpd_t [apache]
- 833 system_u:system_r:httpd_t [apache]
-23093 system_u:system_r:sshd_t [sshd]
-23095 user_u:user_r:user_t [bash]
-23124 system_u:system_r:sshd_t [sshd]
-23126 user_u:user_r:user_t [bash]
-23198 system_u:system_r:sshd_t [sshd]
-23204 user_u:user_r:user_t [bash]
-23274 system_u:system_r:sshd_t [sshd]
-23275 pebenito:staff_r:staff_t [bash]
-23290 pebenito:staff_r:staff_t ps ax -Z
-</pre></td></tr>
-</table>
-<p>
- In this example, the typical process information is displayed, in addition
- to the process's context. By inspection, all of the system's kernel
- processes and daemons run under the <span class="code" dir="ltr">system_u</span> identity, and
- <span class="code" dir="ltr">system_r</span> role. The individual domains depend on the program.
- There are a few users logged in over ssh, using the generic <span class="code" dir="ltr">user_u</span>
- identity. Finally there is a user with the identity <span class="code" dir="ltr">pebenito</span> logged in
- with the <span class="code" dir="ltr">staff_r</span> role, running in the <span class="code" dir="ltr">staff_t</span> domain.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Policy Files</p>
-<p>
- The SELinux policy source files are no longer installed onto the system.
- In the <span class="code" dir="ltr">/usr/share/selinux/{strict,targeted}</span> directory there are a
- collection of policy packages and headers for building local modules.
- The policy files are processed by m4, and then the policy compiler <span class="code" dir="ltr">checkmodule</span>
- verifies that there are no syntactic errors, and a policy module is created.
- Then a policy package is created with with the <span class="code" dir="ltr">semodule_package</span>
- program, using the policy module and the module file contexts.
- The policy packaged then can be loaded into a running SELinux kernel
- by inserting it into the module store.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">*.pp</a></p>
-<p>
- Policy packages for this policy. These must be inserted into the module
- store so they can be loaded into the policy. Inside the package
- there is a loadable policy module, and optionally a file context file.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">include/</a></p>
-<p>
- Policy headers for this policy.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Binary Policy Versions</p>
-<p>
- When compiling the policy, the resultant binary policy is versioned.
- The first version that was merged into 2.6 was version 15.
- The version number is only incremented generally when new features are added that require changes to the structure of the compiled policy.
- For example, in 2.6.5, conditional policy extensions were added.
- This required the policy version to be incremented to version 16.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">What Policy Version Does My Kernel Use?</a></p>
-<p>
- The policy version of a running kernel can be determined by executing
- <span class="code" dir="ltr">sestatus</span> or <span class="code" dir="ltr">policyvers</span>. Current kernels can load
- the previous version policy for compatibility. For example a version 17
- kernel can also load a version 16 policy. However, this compatibility
- code may be removed in the future.
-</p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
- The policy management infrastructure (libsemanage) will automatically
- create and use the correct version policies. No extra steps need be taken.
-</p></td></tr></table>
-<p class="secthead"><a name="doc_chap1_sect1">Policy Versions</a></p>
-<p>
- The following table contains the policy versions in 2.6 kernels.
-</p>
-<table class="ntable">
-<tr>
-<td class="infohead"><b>Version</b></td>
- <td class="infohead"><b>Description</b></td>
- <td class="infohead"><b>Kernel Versions</b></td>
-</tr>
-<tr>
-<td class="tableinfo">12</td>
- <td class="tableinfo">"Old API" SELinux (deprecated).</td>
-</tr>
-<tr>
-<td class="tableinfo">15</td>
- <td class="tableinfo">"New API" SELinux merged into 2.6.</td>
- <td class="tableinfo">2.6.0 - 2.6.4</td>
-</tr>
-<tr>
-<td class="tableinfo">16</td>
- <td class="tableinfo">Conditional policy extensions added.</td>
- <td class="tableinfo">2.6.5</td>
-</tr>
-<tr>
-<td class="tableinfo">17</td>
- <td class="tableinfo">IPV6 support added.</td>
- <td class="tableinfo">2.6.6 - 2.6.7</td>
-</tr>
-<tr>
-<td class="tableinfo">18</td>
- <td class="tableinfo">Fine-grained netlink socket support added.</td>
- <td class="tableinfo">2.6.8 - 2.6.11</td>
-</tr>
-<tr>
-<td class="tableinfo">19</td>
- <td class="tableinfo">Enhanced multi-level security.</td>
- <td class="tableinfo">2.6.12 - 2.6.13</td>
-</tr>
-<tr>
-<td class="tableinfo">20</td>
- <td class="tableinfo">Access vector table size optimizations.</td>
- <td class="tableinfo">2.6.14 - 2.6.18</td>
-</tr>
-<tr>
-<td class="tableinfo">21</td>
- <td class="tableinfo">Object classes in range transitions.</td>
- <td class="tableinfo">2.6.19 - 2.6.24</td>
-</tr>
-<tr>
-<td class="tableinfo">22</td>
- <td class="tableinfo">Policy capabilities (features).</td>
- <td class="tableinfo">2.6.25</td>
-</tr>
-<tr>
-<td class="tableinfo">23</td>
- <td class="tableinfo">Per-domain permissive mode.</td>
- <td class="tableinfo">2.6.26 - 2.6.27</td>
-</tr>
-<tr>
-<td class="tableinfo">24</td>
- <td class="tableinfo">Explicit hierarchy (type bounds).</td>
- <td class="tableinfo">2.6.28 - current</td>
-</tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Conditional Policy Extensions</p>
-<p>
- The conditional policy extensions allow the enabling and disabling of policy
- rules at runtime, without loading a modified policy. Using policy booleans
- and expressions, policy rules can be conditionally applied.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Determine Boolean Values</a></p>
-<p>
- The status of policy booleans in the current running policy can be determined
- two ways. The first is by using <span class="code" dir="ltr">sestatus</span>.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example sestatus output</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# sestatus
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: enforcing
-Policy version: 17
-
-Policy booleans:
-user_ping inactive
-</pre></td></tr>
-</table>
-<p>
- The second is <span class="code" dir="ltr">getsebool</span> which is a simple tool that displays
- the status of policy booleans, and if a value change is pending.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example getsebool command</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# getsebool -a
-user_ping --> active: 0 pending: 0
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Changing Boolean Values</a></p>
-<p>
- The value of a boolean can be toggled by using the <span class="code" dir="ltr">togglesebool</span>
- command. Multiple booleans can be specified on the command line. The
- new value of the boolean will be displayed.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example togglesebool command</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# togglesebool user_ping
-user_ping: active
-</pre></td></tr>
-</table>
-<p>
- The value of a boolean can be set specifically by using the <span class="code" dir="ltr">setsebool</span>
- command.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example setsebool command</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# setsebool user_ping 0
-</pre></td></tr>
-</table>
-<p>
- To set the value of a boolean, and make it the devault value, use the <span class="code" dir="ltr">-P</span> option.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Change default value</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# setsebool -P user_ping 1
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Policy Kernel Messages</p>
-<p>
- While a system is running, a program or user may attempt to do something
- that violates the security policy. If the system is enforcing the policy,
- the access will be denied, and there will be a message in the kernel log.
- If the system is not enforcing (permissive mode), the access will be allowed,
- but there will still be a kernel message.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">AVC Messages</a></p>
-<p>
- Most kernel messages from SELinux come from the access vector cache (AVC).
- Understanding denials is important to understand if an attack is happening,
- or if the program is requiring unexpected accesses. An example denial
- may look like this:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC Message</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-avc: denied { read write } for pid=3392 exe=/bin/mount dev=03:03 ino=65554
-scontext=pebenito:sysadm_r:mount_t tcontext=system_u:object_r:tmp_t tclass=file
-</pre></td></tr>
-</table>
-<p>
- While most AVC messages are denials, occasionally there might be an audit
- message for an access that was granted:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC Message 2</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-avc: granted { load_policy } for pid=3385 exe=/usr/sbin/load_policy
-scontext=pebenito:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
-</pre></td></tr>
-</table>
-<p>
- In this case, the ability to load the policy was granted. This is a critical
- security event, and thus is always audited. Another event that is always
- audited is switching between enforcing and permissive modes.
-</p>
-<p>
- SELinux will supress logging of denials if many are received in a short
- amount of time. However, This does not always imply there is an attack
- in progress. A program may be doing something that could cause
- many denials in a short time, such as doing a stat() on device nodes in
- /dev. To protect from filling up the system logs, SELinux has rate limiting
- for its messages:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC Message 3</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-AVC: 12 messages suppressed.
-</pre></td></tr>
-</table>
-<p>
- The policy would have to be modified to not audit these accesses if they
- are normal program behavior, but still need to be denied.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Other kernel messages</a></p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: inode_doinit_with_dentry</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-inode_doinit_with_dentry: context_to_sid(system_u:object_r:bar_t) returned 22 for dev=hda3 ino=517610
-</pre></td></tr>
-</table>
-<p>
- This means that the file on /dev/hda3 with inode number 517610 has the context
- system_u:object_r:bar_t, which is invalid. Objects with an invalid context
- are treated as if they had the system_u:object_r:unlabeled_t context.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Dissecting a Denial</p>
-<p>
- Denials contain varying amounts of information, depending on the access type.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example Denials</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-avc: denied { lock } for pid=28341 exe=/sbin/agetty path=/var/log/wtmp dev=03:03 ino=475406
-scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_log_t tclass=file
-
-avc: denied { create } for pid=20909 exe=/bin/ls scontext=pebenito:sysadm_r:mkinitrd_t
-tcontext=pebenito:sysadm_r:mkinitrd_t tclass=unix_stream_socket
-
-avc: denied { setuid } for pid=3170 exe=/usr/bin/ntpd capability=7
-scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=capability
-
-</pre></td></tr>
-</table>
-<p>
- The most common denial relates to access of files. For better understanding,
- the first denial message will be broken down:
-</p>
-<table class="ntable">
-<tr>
-<td class="infohead"><b>Component</b></td>
-<td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
-<td class="tableinfo">avc: denied</td>
- <td class="tableinfo">SELinux has denied this access.</td>
-</tr>
-<tr>
-<td class="tableinfo">{ lock }</td>
- <td class="tableinfo">The attempted access is a lock.</td>
-</tr>
-<tr>
-<td class="tableinfo">pid=28341</td>
- <td class="tableinfo">The process ID performing this access is 28341.</td>
-</tr>
-<tr>
-<td class="tableinfo">exec=/sbin/agetty</td>
- <td class="tableinfo">The full path and name of the process's executable is /sbin/agetty.</td>
-</tr>
-<tr>
-<td class="tableinfo">path=/var/log/wtmp</td>
- <td class="tableinfo">The path and name of the target object is /var/log/wtmp. Note: a complete
- path is not always available.</td>
-</tr>
-<tr>
-<td class="tableinfo">dev=03:03</td>
- <td class="tableinfo">The target object resides on device 03:03 (major:minor number).
- On 2.6 kernels this may resolve to a name, hda3 in this example.</td>
-</tr>
-<tr>
-<td class="tableinfo">ino=475406</td>
- <td class="tableinfo">The inode number of the target object is 475406.</td>
-</tr>
-<tr>
-<td class="tableinfo">scontext=system_u:system_r:getty_t</td>
- <td class="tableinfo">The context of the program is system_u:system_r:getty_t.</td>
-</tr>
-<tr>
-<td class="tableinfo">tcontext=system_u:object_r:var_log_t</td>
- <td class="tableinfo">The context of the target object is system_u:object_r:var_log_t.</td>
-</tr>
-<tr>
-<td class="tableinfo">tclass=file</td>
- <td class="tableinfo">The target object is a normal file.</td>
-</tr>
-</table>
-<p>
- Not all AVC messages will have all of these fields, as shown in the other
- two denials. The fields vary depending on the target object's class.
- However, the most important fields: access type, source and target contexts,
- and the target object's class will always be in an AVC message.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Understanding the Denial</a></p>
-<p>
- Denials can be very confusing since they can be triggered for several reasons.
- The key to understanding what is happening is to know the behavior of the
- program, and to correctly interpret the denial message. The target is not
- limited to files; it could also be related to network sockets,
- interprocess communications, or others.
-</p>
-<p>
- In the above example, the agetty is denied locking of a file. The file's type
- is var_log_t, therefore it is implied that the target file is in /var/log.
- With the extra information from the path= field in the denial message, it is
- confirmed to be the file /var/log/wtmp. If path information was unavailable,
- this could be further confirmed by searching for the inode. Wtmp is a file that has
- information about users currently logged in, and agetty handles logins on
- ttys. It can be concluded that this is an expected access of agetty, for
- updating wtmp. However, why is this access being denied? Is there a flaw
- in the policy by not allowing agetty to update wtmp? It turns out that wtmp
- has the incorrect context. It should be system_u:object_r:wtmp_t, rather
- than system_u:object_r:var_log_t.
-</p>
-<p>
- If this access was not understood, an administrator might mistakenly allow getty_t
- read/write access to var_log_t files, which would be incorrect, since agetty
- only needs to modify /var/log/wtmp. This underscores how critical keeping
- file contexts consistent is.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>References</p>
-<p>
- <a href="http://www.nsa.gov/selinux">U.S. National Security Agency</a>,
- SELinux Policy README
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated July 13, 2009</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
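Review bot: the commit message ("html and update of intel udref situation for virt") does not say why the rendered SELinux handbook pages under html/selinux/ are being deleted, and this hunk drops hb-selinux-overview.html down to its closing `</html>`; state whether these pages are superseded by the selinux-handbook.xml pages the file itself links to (`selinux-handbook.xml?part=3&chap=2#doc_chap3`) or are simply stale, and check the remaining html/ pages for links to html/selinux/hb-selinux-*.html so none are left dangling. If the text is being migrated rather than dropped, carry the fixes with it: the denial breakdown table labels the field `exec=/sbin/agetty` while the AVC message it dissects prints `exe=/sbin/agetty`; every heading reuses the anchors `doc_chap1` and `doc_chap1_sect1` and every listing is titled "Code Listing1.1", so the in-page links cannot resolve; the policy version table's row for version 12 has no "Kernel Versions" cell; and the prose carries "Therfore", "activties", "devault", "supress" and "with with".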
diff --git a/html/selinux/hb-selinux-references.html b/html/selinux/hb-selinux-references.html
deleted file mode 100644
index d629135..0000000
--- a/html/selinux/hb-selinux-references.html
+++ /dev/null
@@ -1,117 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/../../../css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/../../../favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Background</p>
-<ul>
-<li>
- <a href="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure:
- The Flawed Assumption of Security in Modern Computing Environments</a>
- explains the need for mandatory access controls.</li>
-<li>
- <a href="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture:
- System Support for Diverse Security Policies</a>
- explains the security architecture of Flask, the architecture used by SELinux.</li>
-<li>
- <a href="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</a>
- has specifics about SELinux access checks in the kernel.</li>
-</ul>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Policy</p>
-<ul>
-<li>
- <a href="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</a>
-</li>
-<li>
- <a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a>
-</li>
-<li>
- SELinux <a href="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</a>
- Overview</li>
-</ul>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Books</p>
-<ul>
-<li>
- <span class="code" dir="ltr">SELinux by Example: Using Security Enhanced Linux</span>, Frank Mayer,
- Karl MacMillan, and David Caplan, Prentice Hall, 2006; ISBN 0131963694</li>
-<li>
- <span class="code" dir="ltr">SELinux: NSA's Open Source Security Enhanced Linux</span>, Bill McCarty,
- O'Reilly Media, 2004; ISBN 0596007167</li>
-</ul>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Meeting Notes</p>
-<ul>
-<li>
- <a href="http://www.selinux-symposium.org/2006/summit.php">March 3rd, 2006 SELinux Developer Summit</a>
-</li>
-<li>
- <a href="http://www.selinux-symposium.org/meeting.php">May 6th, 2004 Informal Meeting</a>
-</li>
-</ul>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Presentations</p>
-<p class="secthead"><a name="doc_chap1_sect1">2006 SELinux Symposium</a></p>
-<ul>
-<li>
- <a href="http://www.nsa.gov/selinux/papers/selsymp2006-abs.cfm">SELinux Year in Review</a>,
- Stephen Smalley, National Security Agency</li>
-<li>
- <a href="http://www.selinux-symposium.org/2006/slides/03-refpolicy-slides.pdf">Reference Policy for Security Enhanced Linux</a>,
- Karl MacMillan, Tresys Technology (<a href="http://www.selinux-symposium.org/2006/papers/05-refpol.pdf">Paper</a>)</li>
-</ul>
-<p class="secthead"><a name="doc_chap1_sect1">2005 SELinux Symposium</a></p>
-<ul>
-<li>
- <a href="http://www.nsa.gov/research/selinux/index.shtml">SELinux Overview</a>,
- NSA</li>
-<li>
- <a href="http://www.selinux-symposium.org/2005/presentations/session3/3-2-macmillan.pdf">Core Policy Management Infrastructure for SELinux</a>,
- Karl MacMillan, Tresys Technology</li>
-<li>
- <a href="http://www.selinux-symposium.org/2005/presentations/session4/4-1-walsh.pdf">Targeted vs. Strict Policy History and Strategy</a>,
- Dan Walsh, Red Hat</li>
-<li>
- <a href="http://www.selinux-symposium.org/2005/presentations/session4/4-4-mayer.pdf">Tresys SETools: Tools and Libraries for Policy Analysis and Management</a>,
- Frank Mayer, Tresys Technology</li>
-<li>
- <a href="http://www.selinux-symposium.org/2005/presentations/session5/5-3-macmillan.pdf">Information Flow Analysis for Type Enforcement Policies</a>,
- Karl MacMillan, Tresys Technology</li>
-<li>
- <a href="http://www.selinux-symposium.org/2005/presentations/session6/6-2-mayer.pdf">SELinux Policy Analysis Concepts and Techniques</a>,
- David Caplan, Frank Mayer, Tresys Technology</li>
-</ul>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 7, 2006</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
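Review bot: this removes the only references page in html/selinux/ with no replacement in the commit; before dropping it, confirm that the background reading it carries (the NSA Flask and LSM papers, the Reference Policy project link, the Object Classes and Permissions overview) exists in whatever replaces these pages, since the overview page's own References chapter cites only the NSA SELinux Policy README. The deleted file also has a broken `<title>` (a stray `--` line inside it at the top of the hunk), which suggests the generator was already producing bad output for these pages; if they are being regenerated elsewhere, check the new output for the same defect.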
diff --git a/xml/hardened-virtualization.xml b/xml/hardened-virtualization.xml
index 84e18b1..6ed521b 100644
--- a/xml/hardened-virtualization.xml
+++ b/xml/hardened-virtualization.xml
@@ -78,18 +78,21 @@ of this guide.
<p>
As of this writing, there are no known restrictions on hardening for the
-guest. Test of both x86 and x86_64 guests using either emulated hardware or
-virtio, with all hardening features, including CONFIG_PAX_KERNEXEC and
-CONFIG_PAX_MEMORY_UDEREF, have been successfull.
+guest on amd64 hosts. Test of both x86 and x86_64 guests using either emulated
+hardware or virtio, with all hardening features, including CONFIG_PAX_KERNEXEC
+and CONFIG_PAX_MEMORY_UDEREF, have been successfull on amd64 guests. For Intel
+hosts there have been reports going both ways on whether or not
+CONFIG_PAX_MEMORY_UDEREF being enabled in the guests causes the guest to run
+slowly. Currently it is recomended to not enable CONFIG_PAX_MEMORY_UDEREF on
+Intel guests.
</p>
<table>
<tr>
- <th>guest kerel config breakout</th>
+ <th colspan='3'>guest kerel config breakout</th>
</tr>
<tr>
- <th rowspan=2></th>
- <th colspan=2>CPU</th>
+ <th></th>
<th>AMD</th>
<th>INTEL</th>
</tr>
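Review bot: the rewritten paragraph mixes hosts and guests in a way that leaves the recommendation ambiguous: it opens with "For Intel hosts", then refers to CONFIG_PAX_MEMORY_UDEREF "being enabled in the guests", and closes with "Intel guests". UDEREF is a guest kernel option and the slowdown reports concern the host CPU, so say "guests running on Intel hosts" in both places. The same sentence turns "reports going both ways" into a flat recommendation to leave UDEREF off; since UDEREF is the guest kernel's protection against dereferencing userland pointers, tell the reader this is a performance trade-off that removes that protection in the guest, and word it as a known issue rather than a requirement until the reports are settled. Spelling kept in the `+` lines: "successfull" (the removed line had it too), "recomended", and "kerel" in the table header that the `colspan='3'` line re-adds; "Test of ... have been" should read "Tests of ... have been". On the table, the new `<th colspan='3'>` uses single-quoted attribute values while the removed `rowspan=2`/`colspan=2` lines were unquoted; pick one style, and verify that the body rows below this hunk really have three cells now that the "CPU" group header and its rowspan are gone.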
@@ -105,7 +108,6 @@ CONFIG_PAX_MEMORY_UDEREF, have been successfull.
</tr>
</table>
-
<p>
For the host, however, one must disable both CONFIG_PAX_KERNEXEC and
CONFIG_PAX_MEMORY_UDEREF. Either of these will set an invisible kernel