| 1 |
commit: aab31d17deaf254902e62a93d66bac29de72a1ce |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Thu Jun 2 11:54:09 2011 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Thu Jun 2 11:54:09 2011 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=aab31d17 |
| 7 |
|
| 8 |
Add admin account during setup, people tend to forget this |
| 9 |
|
| 10 |
--- |
| 11 |
xml/selinux/hb-using-install.xml | 48 ++++++++++++++++++++++++++++++++++---- |
| 12 |
1 files changed, 43 insertions(+), 5 deletions(-) |
| 13 |
|
| 14 |
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml |
| 15 |
index 6b96109..428ed10 100644 |
| 16 |
--- a/xml/selinux/hb-using-install.xml |
| 17 |
+++ b/xml/selinux/hb-using-install.xml |
| 18 |
@@ -7,8 +7,8 @@ |
| 19 |
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.2 2011/04/25 20:12:59 zorry Exp $ --> |
| 20 |
|
| 21 |
<sections> |
| 22 |
-<version>7</version> |
| 23 |
-<date>2011-05-31</date> |
| 24 |
+<version>8</version> |
| 25 |
+<date>2011-06-02</date> |
| 26 |
|
| 27 |
<section> |
| 28 |
<title>Installing Gentoo Hardened</title> |
| 29 |
@@ -643,7 +643,7 @@ correctly. For instance, if you have installed |
| 30 |
</body> |
| 31 |
</subsection> |
| 32 |
<subsection> |
| 33 |
-<title>Reboot</title> |
| 34 |
+<title>Reboot and Set SELinux Booleans</title> |
| 35 |
<body> |
| 36 |
|
| 37 |
<p> |
| 38 |
@@ -655,9 +655,47 @@ hardened sources (as we recommended), enable the SSP SELinux boolean: |
| 39 |
~# <i>setsebool -P global_ssp on</i> |
| 40 |
</pre> |
| 41 |
|
| 42 |
+</body> |
| 43 |
+</subsection> |
| 44 |
+<subsection> |
| 45 |
+<title>Define the Administrator Accounts</title> |
| 46 |
+<body> |
| 47 |
+ |
| 48 |
+<p> |
| 49 |
+Finally, we need to map the account(s) you use to manage your system (those |
| 50 |
+that need access to Portage) to the <c>staff_u</c> SELinux user. By default, |
| 51 |
+users are mapped to the <c>user_u</c> SELinux user who doesn't have the |
| 52 |
+appropriate rights (nor access to the appropriate roles) to manage a system. |
| 53 |
+Accounts that are mapped to <c>staff_u</c> can, but might need to switch roles |
| 54 |
+from <c>staff_r</c> to <c>sysadm_r</c> before they are granted the appropriate |
| 55 |
+privileges. |
| 56 |
+</p> |
| 57 |
+ |
| 58 |
+<p> |
| 59 |
+Assuming that your account name is <e>john</e>: |
| 60 |
+</p> |
| 61 |
+ |
| 62 |
+<pre caption="Mapping the Linux account john to the SELinux user staff_u"> |
| 63 |
+~# <i>semanage login -a -s staff_u john</i> |
| 64 |
+~# <i>restorecon -R -F /home/john</i> |
| 65 |
+</pre> |
| 66 |
+ |
| 67 |
+<p> |
| 68 |
+If you later log on as <e>john</e> and want to manage your system, you will |
| 69 |
+probably need to switch your role. You can use <c>newrole</c> for this: |
| 70 |
+</p> |
| 71 |
+ |
| 72 |
+<pre caption="Switching roles"> |
| 73 |
+~$ <i>id -Z</i> |
| 74 |
+staff_u:staff_r:staff_t |
| 75 |
+~$ <i>newrole -r sysadm_r</i> |
| 76 |
+Password: <comment>(Enter your password)</comment> |
| 77 |
+~$ <i>id -Z</i> |
| 78 |
+staff_u:sysadm_r:sysadm_t |
| 79 |
+</pre> |
| 80 |
+ |
| 81 |
<p> |
| 82 |
-With that done, enjoy - your first steps into the SELinux world are now |
| 83 |
-made. |
| 84 |
+With that done, enjoy - your first steps into the SELinux world are now made. |
| 85 |
</p> |
| 86 |
|
| 87 |
</body> |
Archives