| 1 |
commit: 52787589c4ca2f84f57c933566cf27936f0961e2 |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Tue May 31 20:16:07 2011 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Tue May 31 20:16:07 2011 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=52787589 |
| 7 |
|
| 8 |
Put more focus on the staff_u user, inform users that this is necessary to work with portage |
| 9 |
|
| 10 |
--- |
| 11 |
xml/selinux/hb-using-commands.xml | 24 +++++++++++++++++++----- |
| 12 |
1 files changed, 19 insertions(+), 5 deletions(-) |
| 13 |
|
| 14 |
diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-commands.xml |
| 15 |
index b9342f0..a0e8ea4 100644 |
| 16 |
--- a/xml/selinux/hb-using-commands.xml |
| 17 |
+++ b/xml/selinux/hb-using-commands.xml |
| 18 |
@@ -7,8 +7,8 @@ |
| 19 |
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ --> |
| 20 |
|
| 21 |
<sections> |
| 22 |
-<version>2</version> |
| 23 |
-<date>2011-04-22</date> |
| 24 |
+<version>3</version> |
| 25 |
+<date>2011-05-31</date> |
| 26 |
|
| 27 |
<section> |
| 28 |
<title>SELinux Information Commands</title> |
| 29 |
@@ -295,16 +295,30 @@ system_u system_u |
| 30 |
|
| 31 |
<p> |
| 32 |
The default behavior is that users are logged on as the <e>user_u</e> SELinux |
| 33 |
-user. If you want to allow another user (say <c>anna</c>) to log on as |
| 34 |
-<c>staff_u</c>: |
| 35 |
+user. This SELinux user is a non-administrator user: it has no specific |
| 36 |
+privileges and should be used for every account that never requires elevated |
| 37 |
+privileges (so no <c>su</c> or <c>sudo</c> rights for anything). |
| 38 |
+</p> |
| 39 |
+ |
| 40 |
+<p> |
| 41 |
+The account you use to administer your system should be mapped to the |
| 42 |
+<c>staff_u</c> SELinux user (or its own user with the appropriate roles). This |
| 43 |
+can be accomplished as follows (example with the Unix account <e>anna</e>): |
| 44 |
</p> |
| 45 |
|
| 46 |
<pre caption="Letting 'anna' log on as 'staff_u'"> |
| 47 |
~# <i>semanage login -a -s staff_u anna</i> |
| 48 |
</pre> |
| 49 |
|
| 50 |
+<impo> |
| 51 |
+Make sure that whatever account you use to administer your system is mapped to |
| 52 |
+the <c>staff_u</c> user, or has the ability to switch to the <c>sysadm_r</c> |
| 53 |
+role. Portage only works from within the <c>sysadm_r</c> role. |
| 54 |
+</impo> |
| 55 |
+ |
| 56 |
<p> |
| 57 |
-SELinux users then can be configured to belong to one or more roles. |
| 58 |
+As mentioned, SELinux users are configured to be able to join in on one or more |
| 59 |
+roles. To list the available roles, you can use <c>semanage user -l</c>: |
| 60 |
</p> |
| 61 |
|
| 62 |
<pre caption="Listing login / role mappings"> |
Archives