commit: 52787589c4ca2f84f57c933566cf27936f0961e2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 31 20:16:07 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 31 20:16:07 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=52787589

Put more focus on the staff_u user, inform users that this is necessary to work with portage

---
 xml/selinux/hb-using-commands.xml | 24 +++++++++++++++++++-----
 1 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-commands.xml |
index b9342f0..a0e8ea4 100644 |
--- a/xml/selinux/hb-using-commands.xml |
+++ b/xml/selinux/hb-using-commands.xml |
@@ -7,8 +7,8 @@ |
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ --> |
|
<sections> |
-<version>2</version> |
-<date>2011-04-22</date> |
+<version>3</version> |
+<date>2011-05-31</date> |
|
<section> |
<title>SELinux Information Commands</title> |
@@ -295,16 +295,30 @@ system_u system_u |
|
<p> |
The default behavior is that users are logged on as the <e>user_u</e> SELinux |
-user. If you want to allow another user (say <c>anna</c>) to log on as |
-<c>staff_u</c>: |
+user. This SELinux user is a non-administrator user: it has no specific |
+privileges and should be used for every account that never requires elevated |
+privileges (so no <c>su</c> or <c>sudo</c> rights for anything). |
+</p> |
+ |
+<p> |
+The account you use to administer your system should be mapped to the |
+<c>staff_u</c> SELinux user (or its own user with the appropriate roles). This |
+can be accomplished as follows (example with the Unix account <e>anna</e>): |
</p> |
|
<pre caption="Letting 'anna' log on as 'staff_u'"> |
~# <i>semanage login -a -s staff_u anna</i> |
</pre> |
|
+<impo> |
+Make sure that whatever account you use to administer your system is mapped to |
+the <c>staff_u</c> user, or has the ability to switch to the <c>sysadm_r</c> |
+role. Portage only works from within the <c>sysadm_r</c> role. |
+</impo> |
+ |
<p> |
-SELinux users then can be configured to belong to one or more roles. |
+As mentioned, SELinux users are configured to be able to join in on one or more |
+roles. To list the available roles, you can use <c>semanage user -l</c>: |
</p> |
|
<pre caption="Listing login / role mappings"> |
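Review bot: the new <impo> block in this hunk gives two alternative conditions ("mapped to the staff_u user, or has the ability to switch to the sysadm_r role"), but mapping a login to staff_u only satisfies the requirement if the staff_u SELinux user itself is allowed the sysadm_r role, and the hunk never tells the reader how to actually enter that role once logged in. Suggest collapsing the note to the one condition that matters (the SELinux user the account maps to must list sysadm_r among its roles, which is exactly what the "semanage user -l" listing introduced in the following paragraph lets the reader verify) and adding the role switch itself, for example "newrole -r sysadm_r" after the su/sudo step the earlier paragraph alludes to, so that "Portage only works from within the sysadm_r role" is followed by how to get there. Also, the caption "Listing login / role mappings" on the closing <pre> does not match the sentence before it, which points the reader at "semanage user -l": that command lists SELinux users and the roles they may assume, whereas login-to-SELinux-user mappings come from "semanage login -l"; either include that second command in the listing or retitle the caption to something like "Listing SELinux user / role mappings".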