commit: b53fa7fbcbed84ecd3eacba62a2b009f5fda7216
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 31 20:26:03 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 31 20:26:03 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=b53fa7fb

Updating previews

---
html/selinux/hb-appendix-reference.html | 22 +++++++++++++++++++++-
html/selinux/hb-using-commands.html | 20 ++++++++++++++++----
html/selinux/hb-using-install.html | 9 +--------
3 files changed, 38 insertions(+), 13 deletions(-)

diff --git a/html/selinux/hb-appendix-reference.html b/html/selinux/hb-appendix-reference.html |
index 9743573..986c98f 100644 |
--- a/html/selinux/hb-appendix-reference.html |
+++ b/html/selinux/hb-appendix-reference.html |
@@ -63,9 +63,29 @@ |
O'Reilly Media, 2004; ISBN 0596007167 |
</li> |
</ul> |
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. |
+ </span>Gentoo Specific Resources</p> |
+<p class="secthead"><a name="doc_chap1_sect1">Gentoo Hardened</a></p> |
+<p> |
+The following resources are specific towards Gentoo Hardened's SELinux |
+implementation. |
+</p> |
+<ul> |
+ <li> |
+ <a href="selinux-faq.html">SELinux Frequently Asked |
+ Questions</a> |
+ </li> |
+ <li> |
+ <a href="selinux-development.html">SELinux Development |
+ Guidelines</a> |
+ </li> |
+ <li> |
+ <a href="selinux-policy.html">SELinux Policy</a> |
+ </li> |
+</ul> |
</td> |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
-<tr><td class="topsep" align="center"><p class="alttext">Updated January 7, 2011</p></td></tr> |
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr> |
<tr lang="en"><td align="center" class="topsep"> |
<p class="alttext"><b>Donate</b> to support our development efforts. |
</p> |
|
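Review bot: the new section is numbered `1.` and anchored as `doc_chap1` / `doc_chap1_sect1`, yet it is inserted at line 63 after an existing resource list (the O'Reilly entry ends just above it), so the page very likely already carries a chapter 1 with the same anchor names; duplicate `name` attributes make in-page links such as `#doc_chap1` ambiguous. Since this is a generated preview (commit message "Updating previews"), fix the chapter numbering in the GuideXML source and regenerate rather than patching the HTML, and confirm that the three new relative links (`selinux-faq.html`, `selinux-development.html`, `selinux-policy.html`) resolve within `html/selinux/`.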
diff --git a/html/selinux/hb-using-commands.html b/html/selinux/hb-using-commands.html |
index 50642a5..d9b6904 100644 |
--- a/html/selinux/hb-using-commands.html |
+++ b/html/selinux/hb-using-commands.html |
@@ -262,8 +262,14 @@ system_u system_u |
</table> |
<p> |
The default behavior is that users are logged on as the <span class="emphasis">user_u</span> SELinux |
-user. If you want to allow another user (say <span class="code" dir="ltr">anna</span>) to log on as |
-<span class="code" dir="ltr">staff_u</span>: |
+user. This SELinux user is a non-administrator user: it has no specific |
+privileges and should be used for every account that never requires elevated |
+privileges (so no <span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span> rights for anything). |
+</p> |
+<p> |
+The account you use to administer your system should be mapped to the |
+<span class="code" dir="ltr">staff_u</span> SELinux user (or its own user with the appropriate roles). This |
+can be accomplished as follows (example with the Unix account <span class="emphasis">anna</span>): |
</p> |
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Letting 'anna' log on as 'staff_u'</p></td></tr> |
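Review bot: markup in the added paragraph is inconsistent: the account name is wrapped as `<span class="emphasis">anna</span>`, while the wording it replaces and the `su`, `sudo` and `staff_u` mentions in the same paragraph use `<span class="code" dir="ltr">…</span>`; the listing title "Letting 'anna' log on as 'staff_u'" refers to the same account, so use the code span for `anna` too. The sentence "should be used for every account that never requires elevated privileges" also reads as if `user_u` had to be assigned explicitly, although the preceding sentence says it is the default mapping; "is the right mapping for every account that never requires elevated privileges" keeps both statements consistent. Unrelated to this change but visible in the context: both listings in this file are titled "Code Listing1.1" (missing space, duplicate number), which looks like a generator issue to fix at the source.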
@@ -271,8 +277,14 @@ user. If you want to allow another user (say <span class="code" dir="ltr">anna</ |
~# <span class="code-input">semanage login -a -s staff_u anna</span> |
</pre></td></tr> |
</table> |
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> |
+Make sure that whatever account you use to administer your system is mapped to |
+the <span class="code" dir="ltr">staff_u</span> user, or has the ability to switch to the <span class="code" dir="ltr">sysadm_r</span> |
+role. Portage only works from within the <span class="code" dir="ltr">sysadm_r</span> role. |
+</p></td></tr></table> |
<p> |
-SELinux users then can be configured to belong to one or more roles. |
+As mentioned, SELinux users are configured to be able to join in on one or more |
+roles. To list the available roles, you can use <span class="code" dir="ltr">semanage user -l</span>: |
</p> |
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing login / role mappings</p></td></tr> |
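Review bot: the added sentence "To list the available roles, you can use `semanage user -l`" does not match either the command or the title of the listing that follows ("Listing login / role mappings"): `semanage user -l` shows the SELinux users together with the roles each of them may assume, not the roles available on the system, and login-to-SELinux-user mappings come from `semanage login -l`. Suggest "To see which roles each SELinux user can take, use `semanage user -l`", and align the listing title with whichever commands the listing actually contains. The new "Important" note would also be more useful if it pointed the reader at that listing as the way to verify that the administrative account really ended up mapped to `staff_u` (or to a user that holds `sysadm_r`), since the `semanage login -a -s staff_u anna` line above only performs the mapping.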
@@ -340,7 +352,7 @@ require you to enter the regular users' password. |
</p> |
</td> |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 22, 2011</p></td></tr> |
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr> |
<tr lang="en"><td align="center" class="topsep"> |
<p class="alttext"><b>Donate</b> to support our development efforts. |
</p> |
|
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html |
index 6b41e61..2ce4dfe 100644 |
--- a/html/selinux/hb-using-install.html |
+++ b/html/selinux/hb-using-install.html |
@@ -119,13 +119,6 @@ the following settings to the right file (for instance |
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux ~arch packages</p></td></tr> |
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
-sys-libs/libselinux |
-sys-apps/policycoreutils |
-sys-libs/libsemanage |
-sys-libs/libsepol |
-app-admin/setools |
-dev-python/sepolgen |
-sys-apps/checkpolicy |
sec-policy/* |
=sys-process/vixie-cron-4.1-r11 |
</pre></td></tr> |
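Review bot: seven of the nine entries in the "SELinux ~arch packages" listing are dropped here (`sys-libs/libselinux`, `sys-apps/policycoreutils`, `sys-libs/libsemanage`, `sys-libs/libsepol`, `app-admin/setools`, `dev-python/sepolgen`, `sys-apps/checkpolicy`), leaving only `sec-policy/*` and `=sys-process/vixie-cron-4.1-r11`, but the commit message "Updating previews" gives no reason and the listing title and its introduction ("the following settings to the right file") are unchanged. If these packages no longer need keywording, the surrounding text should say so and tell readers who already have the entries in their keyword file whether they can be removed; if the removal has another cause, record it in the commit message. As with the other files, this is generated HTML, so the same change needs to land in the GuideXML source.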
@@ -586,7 +579,7 @@ made. |
</p> |
</td> |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 14, 2011</p></td></tr> |
+<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr> |
<tr lang="en"><td align="center" class="topsep"> |
<p class="alttext"><b>Donate</b> to support our development efforts. |
</p> |