Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
Date: Sun, 29 Apr 2012 14:23:01
Message-Id: 1335709217.15b6b45542f2faee92ba7168ec7df8e8098b71b2.SwifT@gentoo
1 commit: 15b6b45542f2faee92ba7168ec7df8e8098b71b2
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Sun Apr 29 14:20:17 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Sun Apr 29 14:20:17 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=15b6b455
7
8 Update with 20120217 related material
9
10 ---
11 xml/selinux/hb-intro-concepts.xml | 11 +++-
12 xml/selinux/hb-using-install.xml | 35 +++--------
13 xml/selinux/hb-using-policies.xml | 119 ++++++++++++++++++++++++++++++++++++-
14 xml/selinux/hb-using-states.xml | 24 +++++++-
15 4 files changed, 157 insertions(+), 32 deletions(-)
16
17 diff --git a/xml/selinux/hb-intro-concepts.xml b/xml/selinux/hb-intro-concepts.xml
18 index 5d4470e..bc6f4c1 100644
19 --- a/xml/selinux/hb-intro-concepts.xml
20 +++ b/xml/selinux/hb-intro-concepts.xml
21 @@ -7,8 +7,8 @@
22 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-intro-concepts.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
23
24 <sections>
25 -<version>5</version>
26 -<date>2011-07-21</date>
27 +<version>6</version>
28 +<date>2012-04-29</date>
29
30 <section>
31 <title>Introduction</title>
32 @@ -81,6 +81,13 @@ development focuses mainly on <e>strict</e> and <e>mcs</e>. The
33 that the <e>mls</e> policy is currently not fit yet for production use.
34 </p>
35
36 +<note>
37 +To clear up some confusion, especially when trying to seek support outside
38 +Gentoo: our "strict" implementation is not what was "strict" up to the year
39 +2008. The old meaning of strict involved a different implementation of the
40 +policy.
41 +</note>
42 +
43 </body>
44 </subsection>
45 </section>
46
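Review bot: the new <note> says the pre-2008 "strict" was "a different implementation of the policy" but never states what Gentoo's current strict is, so a reader asking for support elsewhere still cannot explain the difference. Suggest one more sentence after "policy." that says what today's strict is built from relative to the mcs and mls types described just above (for instance, if that is the intended distinction, that it is the same reference policy as the other types, only without the unconfined domains).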
47 diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml
48 index a806009..037877e 100644
49 --- a/xml/selinux/hb-using-install.xml
50 +++ b/xml/selinux/hb-using-install.xml
51 @@ -7,8 +7,8 @@
52 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.4 2011/06/07 19:46:52 klondike Exp $ -->
53
54 <sections>
55 -<version>20</version>
56 -<date>2012-04-10</date>
57 +<version>21</version>
58 +<date>2012-04-29</date>
59
60 <section>
61 <title>Installing Gentoo (Hardened)</title>
62 @@ -91,6 +91,10 @@ Make sure to include layman's <path>make.conf</path> in your
63 </body>
64 </subsection>
65 -->
66 +<!--
67 +TODO Validate after 2.20120215-r8 is stable that this is no longer
68 +necessary? Not sure about it though : check userspace ebuilds as well.
69 +-->
70 <subsection>
71 <title>Switching to Python 2</title>
72 <body>
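Review bot: the TODO comment gives a bare version "2.20120215-r8" without naming the package it belongs to, and "this is no longer necessary" has no clear referent since the comment sits between a commented-out block and the "Switching to Python 2" subsection. Suggest spelling both out, e.g. "TODO: once <package> 2.20120215-r8 is stable, validate whether the Python 2 switch below is still needed; check the userspace ebuilds as well", and drop the space before the colon in "though :".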
73 @@ -273,19 +277,6 @@ tools or configurations that apply.
74 </p>
75
76 <ul>
77 - <!--
78 - TODO When 2.20120215-r5 or higher is stabilized, the LVM change is not needed
79 - anymore
80 - -->
81 - <li>
82 - If you use LVM for one or more file systems, you need to edit
83 - <path>/lib/rcscripts/addons/lvm-start.sh</path> (or <path>/lib64/..</path>)
84 - and <path>lvm-stop.sh</path> and set the config location from
85 - <path>/dev/.lvm</path> to <path>/etc/lvm/lock</path>. Next, create the
86 - <path>/etc/lvm/lock</path> directory. Finally, add
87 - <path>/lib(64)/rcscripts/addons</path> to <c>CONFIG_PROTECT</c> in your
88 - <path>make.conf</path> file.
89 - </li>
90 <li>
91 Check if you have <path>*.old</path> files in <path>/bin</path>. If you do,
92 either remove those or make them a copy of their counterpart so that they
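Review bot: dropping the LVM item removes the instruction but not its effects on existing installs: users who followed it still have an edited lvm-start.sh/lvm-stop.sh and a CONFIG_PROTECT entry for /lib(64)/rcscripts/addons, which will keep the package's own versions of those scripts from being installed on the next update. Suggest a short note (here or in an upgrade section) telling them to remove the CONFIG_PROTECT entry and accept the packaged scripts. The removed TODO conditioned this on 2.20120215-r5 being stabilized; the commit message only says "Update with 20120217 related material", so it would help to record that condition as the reason for the removal.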
93 @@ -411,8 +402,8 @@ Next, edit <path>/etc/fstab</path> and add the following two lines:
94
95 <pre caption="Enabling selinux-specific file system options">
96 <comment># The udev mount is due to bug #373381</comment>
97 -udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
98 -none /selinux selinuxfs defaults 0 0
99 +udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
100 +none /sys/fs/selinux selinuxfs defaults 0 0
101 </pre>
102
103 <note>
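Review bot: the udev line is removed and re-added with identical visible content (only the selinuxfs line actually changes from /selinux to /sys/fs/selinux), so this hunk carries either a whitespace-only change or a stray edit; if it is trailing whitespace, drop it to keep the diff minimal, otherwise say what changed. The <comment> explains the udev line via bug #373381, but nothing explains the move of the selinuxfs mountpoint; a one-line comment on that entry naming what introduced the new path would help readers upgrading older installs that still use /selinux.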
104 @@ -420,14 +411,6 @@ In case of an MLS/MCS policy, you need to have the context with sensitivity
105 level, so <c>...:device_t:s0</c>.
106 </note>
107
108 -<p>
109 -Make the <path>/selinux</path> mountpoint as well:
110 -</p>
111 -
112 -<pre caption="Creating the /selinux mountpoint">
113 -~# <i>mkdir /selinux</i>
114 -</pre>
115 -
116 </body>
117 </subsection>
118 <subsection>
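Review bot: with the "mkdir /selinux" paragraph removed, the text no longer says where the /sys/fs/selinux mountpoint comes from, so a reader used to the old instructions may still create a directory by hand. Suggest replacing the removed paragraph with a sentence stating that the mountpoint is provided under /sys and needs no manual creation, rather than deleting the step silently.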
119 @@ -436,7 +419,7 @@ Make the <path>/selinux</path> mountpoint as well:
120
121 <p>
122 With the above changes made, reboot your system. Assert yourself that you are
123 -now running a Linux kernel with SELinux enabled (the <path>/selinux</path> file
124 +now running a Linux kernel with SELinux enabled (the <path>/sys/fs/selinux</path> file
125 system should be mounted). Don't worry - SELinux is at this point not activated.
126 </p>
127
128
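Review bot: "Assert yourself that you are now running" is unidiomatic; "Make sure you are now running" reads better. The parenthetical "should be mounted" is not something the reader can act on: since the mount now depends on the /etc/fstab entry added in the previous hunk, give a concrete check (for example, that the mount listing shows selinuxfs on /sys/fs/selinux) so a missing or mistyped fstab line is caught before the reader continues to the activation steps.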
129 diff --git a/xml/selinux/hb-using-policies.xml b/xml/selinux/hb-using-policies.xml
130 index 4f76052..a67f20b 100644
131 --- a/xml/selinux/hb-using-policies.xml
132 +++ b/xml/selinux/hb-using-policies.xml
133 @@ -7,8 +7,8 @@
134 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
135
136 <sections>
137 -<version>3</version>
138 -<date>2012-03-01</date>
139 +<version>4</version>
140 +<date>2012-04-29</date>
141
142 <section>
143 <title>SELinux Policy Language</title>
144 @@ -341,6 +341,121 @@ optional_policy(`
145 ')
146 </pre>
147
148 +<p>
149 +The following table shows a few common interfaces that could be in use. We
150 +seriously recommend to look at the available interfaces when enhancing or
151 +creating your own modules - and be sure to pick the interface that adds just
152 +what you need, nothing more.
153 +</p>
154 +
155 +<table>
156 +<tr>
157 + <th colspan="3">Templates</th>
158 +</tr>
159 +<tr>
160 + <th>Suffix</th>
161 + <th>Example</th>
162 + <th>Description</th>
163 +</tr>
164 +<tr>
165 + <ti>_template</ti>
166 + <ti>virt_domain_template(prefix)</ti>
167 + <ti>
168 + Not really an interface, templates create additional domains based on the
169 + information given to them. This is usually done for fine-grained policy
170 + templates with a common (sub)set of privileges.
171 + </ti>
172 +</tr>
173 +<tr>
174 + <th colspan="3">Transformations</th>
175 +</tr>
176 +<tr>
177 + <th>Suffix</th>
178 + <th>Example</th>
179 + <th>Description</th>
180 +</tr>
181 +<tr>
182 + <ti></ti>
183 + <ti>miscfiles_cert_type(resource)</ti>
184 + <ti>
185 + Transformation interfaces generally add specific attributes to resources or
186 + domains. Attributes "transform" the given resource into something more. In
187 + the given example, the miscfiles_cert_type(resource) assigns the cert_type
188 + attribute to the resource (and also marks it as a file). Interfaces, like
189 + miscfiles_read_all_certs work on these attributes.
190 + </ti>
191 +</tr>
192 +<tr>
193 + <th colspan="3">Access interfaces</th>
194 +</tr>
195 +<tr>
196 + <th>Suffix</th>
197 + <th>Example</th>
198 + <th>Description</th>
199 +</tr>
200 +<tr>
201 + <ti>_&lt;access&gt;_&lt;resource&gt;</ti>
202 + <ti>mta_getattr_spool(domain)</ti>
203 + <ti>
204 + Grant the specified domain access towards the shown resource. The resource
205 + usually defines the type too (like kudzu_getattr_exec_files: grant getattr
206 + on the kudzu_exec_t files) unless it is obvious from the name, or when the
207 + resource is a more specific term towards the domain. It can also include
208 + dontaudit (like mta_dontaudit_getattr_spool).
209 + </ti>
210 +</tr>
211 +<tr>
212 + <ti>_exec</ti>
213 + <ti>dmesg_exec(domain)</ti>
214 + <ti>
215 + Grant one domain the right to execute the given domains' executable file (in
216 + the example, allow "domain" to execute dmesg_exec_t files), but without
217 + implying that the domains transition. In other words, dmesg gets executed
218 + but still confined by the privileges of the source domain.
219 + </ti>
220 +</tr>
221 +<tr>
222 + <ti>_domtrans</ti>
223 + <ti>dmesg_domtrans(domain)</ti>
224 + <ti>
225 + Grant one domain execute and transition privileges towards the new domain.
226 + This interface is most commonly used to allow application domains to
227 + transition to another. In the given example, dmesg is ran with the
228 + privileges of the dmesg_t domain.
229 + </ti>
230 +</tr>
231 +<tr>
232 + <ti>_run</ti>
233 + <ti>netutils_run(domain, role)</ti>
234 + <ti>
235 + Grant a given role and domain the rights to execute and transition towards
236 + the given domain. This is usually granted to (existing) user roles and
237 + domains and gives them the set of privileges needed to interact safely with
238 + the new (interactive) domain (such as terminal access).
239 + </ti>
240 +</tr>
241 +<tr>
242 + <ti>_role</ti>
243 + <ti>xserver_role(role, domain)</ti>
244 + <ti>
245 + Allow the given role and domain the necessary permissions to transition and
246 + interact with the given domain. This interface is enhanced with the
247 + privileges to interact with the domain (and its underlying files) more
248 + thoroughly, and is usually assigned to newly created users or roles within
249 + the policy (rather than enhance existing user domains and roles).
250 + </ti>
251 +</tr>
252 +<tr>
253 + <ti>_admin</ti>
254 + <ti>aide_admin(domain)</ti>
255 + <ti>
256 + Grant the given domain the rights to administer the target domains'
257 + environment. This usually involves privileges to manage and relabel all
258 + affiliated files, directories, sockets, etc.
259 + </ti>
260 +</tr>
261 +</table>
262 +
263 </body>
264 </subsection>
265 </section>
266
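Review bot: several wording fixes in the new table and its intro: "We seriously recommend to look at" should be "We strongly recommend looking at"; "dmesg is ran" should be "is run"; "the given domains' executable file" and "the target domains' environment" should be the singular possessive "domain's". The Transformations row has an empty Suffix cell although its example miscfiles_cert_type(resource) follows the same pattern as the other rows, so fill it in (e.g. "_type"). The _exec row is the table's one security-relevant distinction and deserves to be explicit: state that _exec grants none of the target domain's privileges, so that a reader choosing between dmesg_exec and dmesg_domtrans sees which one adds less, which is the "nothing more" advice the intro paragraph gives.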
267 diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-states.xml
268 index 9e99d9c..ee7f8e1 100644
269 --- a/xml/selinux/hb-using-states.xml
270 +++ b/xml/selinux/hb-using-states.xml
271 @@ -7,8 +7,8 @@
272 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-commands.xml,v 1.3 2011/06/07 19:46:52 klondike Exp $ -->
273
274 <sections>
275 -<version>1</version>
276 -<date>2011-10-15</date>
277 +<version>2</version>
278 +<date>2012-04-29</date>
279
280 <section>
281 <title>SELinux States</title>
282 @@ -191,6 +191,26 @@ in the order given above:
283
284 </body>
285 </subsection>
286 +<subsection>
287 +<title>Domain-permissive Mode</title>
288 +<body>
289 +
290 +<p>
291 +You can also opt to mark a single domain permissive while running the rest of
292 +the system in an enforcing state. For instance, to mark mplayer_t as a
293 +permissive domain (which means that SELinux does not enforce anything):
294 +</p>
295 +
296 +<pre caption="Marking mplayer_t as permissive">
297 +# <i>semanage permissive -a mplayer_t</i>
298 +</pre>
299 +
300 +<p>
301 +With the <c>-d</c> option, you can remove the permissive mark again.
302 +</p>
303 +
304 +</body>
305 +</subsection>
306 </section>
307
308 <section>
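Review bot: "which means that SELinux does not enforce anything" is too broad: the preceding sentence says the rest of the system stays enforcing, and for the permissive domain itself denials are still logged, only not blocked; suggest "(SELinux logs but does not block denials for that domain)". The -d sentence would be clearer as a full command line in its own <pre> ("semanage permissive -d mplayer_t") mirroring the -a example, and the prompt here is a bare "#" while the <pre> blocks in hb-using-install.xml use "~#"; pick one convention.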