commit: aab31d17deaf254902e62a93d66bac29de72a1ce
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 2 11:54:09 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun 2 11:54:09 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=aab31d17

Add admin account during setup, people tend to forget this

---
xml/selinux/hb-using-install.xml | 48 ++++++++++++++++++++++++++++++++++----
1 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml |
index 6b96109..428ed10 100644 |
--- a/xml/selinux/hb-using-install.xml |
+++ b/xml/selinux/hb-using-install.xml |
@@ -7,8 +7,8 @@ |
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ --> |
|
<sections> |
-<version>7</version> |
-<date>2011-05-31</date> |
+<version>8</version> |
+<date>2011-06-02</date> |
|
<section> |
<title>Installing Gentoo Hardened</title> |
@@ -643,7 +643,7 @@ correctly. For instance, if you have installed |
</body> |
</subsection> |
<subsection> |
-<title>Reboot</title> |
+<title>Reboot and Set SELinux Booleans</title> |
<body> |
|
<p> |
@@ -655,9 +655,47 @@ hardened sources (as we recommended), enable the SSP SELinux boolean: |
~# <i>setsebool -P global_ssp on</i> |
</pre> |
|
+</body> |
+</subsection> |
+<subsection> |
+<title>Define the Administrator Accounts</title> |
+<body> |
+ |
+<p> |
+Finally, we need to map the account(s) you use to manage your system (those |
+that need access to Portage) to the <c>staff_u</c> SELinux user. By default, |
+users are mapped to the <c>user_u</c> SELinux user who doesn't have the |
+appropriate rights (nor access to the appropriate roles) to manage a system. |
+Accounts that are mapped to <c>staff_u</c> can, but might need to switch roles |
+from <c>staff_r</c> to <c>sysadm_r</c> before they are granted the appropriate |
+privileges. |
+</p> |
+ |
+<p> |
+Assuming that your account name is <e>john</e>: |
+</p> |
+ |
+<pre caption="Mapping the Linux account john to the SELinux user staff_u"> |
+~# <i>semanage login -a -s staff_u john</i> |
+~# <i>restorecon -R -F /home/john</i> |
+</pre> |
+ |
+<p> |
+If you later log on as <e>john</e> and want to manage your system, you will |
+probably need to switch your role. You can use <c>newrole</c> for this: |
+</p> |
+ |
+<pre caption="Switching roles"> |
+~$ <i>id -Z</i> |
+staff_u:staff_r:staff_t |
+~$ <i>newrole -r sysadm_r</i> |
+Password: <comment>(Enter your password)</comment> |
+~$ <i>id -Z</i> |
+staff_u:sysadm_r:sysadm_t |
+</pre> |
+ |
<p> |
-With that done, enjoy - your first steps into the SELinux world are now |
-made. |
+With that done, enjoy - your first steps into the SELinux world are now made. |
</p> |
|
</body> |
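Review bot: the new "Define the Administrator Accounts" subsection should say what happens when a login mapping for the account already exists, since `semanage login -a -s staff_u john` refuses to add a duplicate record and the reader then needs `semanage login -m -s staff_u john` instead; it is also worth one sentence that the mapping only takes effect for sessions started after the change, so a john who is already logged in keeps the user_u context until logging in again. Two smaller points in the same hunk: the sentence "Accounts that are mapped to <c>staff_u</c> can, but might need to switch roles from <c>staff_r</c> to <c>sysadm_r</c>" is missing its verb phrase; suggest "Accounts that are mapped to <c>staff_u</c> can manage the system, but might need to switch roles from <c>staff_r</c> to <c>sysadm_r</c> first". And the <i>id -Z</i> output in the "Switching roles" pre shows contexts without an MLS/MCS level; if this chapter also covers a policy with MCS enabled, the contexts readers see end in a level component, so either note that or show the level.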