commit: 9ac37024484b464088dd7ad2dd29c66442f10a09
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 2 11:58:39 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jun 2 11:58:39 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9ac37024

Updating previews

---
html/selinux/hb-intro-referencepolicy.html | 8 ++++-
html/selinux/hb-using-install.html | 42 +++++++++++++++++++++++++--
html/selinux/hb-using-permissive.html | 5 ++-
3 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/html/selinux/hb-intro-referencepolicy.html b/html/selinux/hb-intro-referencepolicy.html |
index 5ff648b..3adc3f9 100644 |
--- a/html/selinux/hb-intro-referencepolicy.html |
+++ b/html/selinux/hb-intro-referencepolicy.html |
@@ -216,11 +216,15 @@ following is an overview of the policy versions' history. |
<dt>Version 23</dt> |
<dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd> |
<dt>Version 24</dt> |
- <dd>Explicit hierarchy (type bounds) (2.6.28 - current)</dd> |
+ <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd> |
+ <dt>Version 25</dt> |
+ <dd>Filename based transition support (2.6.39)</dd> |
+ <dt>Version 26</dt> |
+ <dd>Role transition support for non-process classes (3.0)</dd> |
</dl> |
</td> |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
-<tr><td class="topsep" align="center"><p class="alttext">Updated December 1, 2010</p></td></tr> |
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr> |
<tr lang="en"><td align="center" class="topsep"> |
<p class="alttext"><b>Donate</b> to support our development efforts. |
</p> |
|
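Review bot: with the "current" marker dropped from the Version 24 entry, no entry in this list now says which policy version is the latest; the list's own convention was an open-ended range on the last entry ("2.6.28 - current"), so the new Version 26 entry should read "(3.0 - current)" rather than "(3.0)" if it is meant as the current version, otherwise a reader cannot tell whether the history stops at 26 or the list is simply incomplete.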
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html |
index 2ce4dfe..dadbab8 100644 |
--- a/html/selinux/hb-using-install.html |
+++ b/html/selinux/hb-using-install.html |
@@ -562,7 +562,7 @@ correctly. For instance, if you have installed |
~# <span class="code-input">rlpkg -t screen</span> |
</pre></td></tr> |
</table> |
-<p class="secthead"><a name="doc_chap1_sect1">Reboot</a></p> |
+<p class="secthead"><a name="doc_chap1_sect1">Reboot and Set SELinux Booleans</a></p> |
<p> |
Reboot your system. Log on and, if you have indeed installed Gentoo using the |
hardened sources (as we recommended), enable the SSP SELinux boolean: |
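Review bot: the renamed heading promises "Set SELinux Booleans" (plural) while the section body that follows enables exactly one boolean, global_ssp; either make the heading singular or add a sentence naming which other booleans a fresh install is expected to review, so the heading and the instructions match. The anchor name doc_chap1_sect1 is left unchanged by the rename, which is fine only if nothing else on the page reuses it.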
@@ -573,13 +573,47 @@ hardened sources (as we recommended), enable the SSP SELinux boolean: |
~# <span class="code-input">setsebool -P global_ssp on</span> |
</pre></td></tr> |
</table> |
+<p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p> |
+<p> |
+Finally, we need to map the account(s) you use to manage your system (those |
+that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. By default, |
+users are mapped to the <span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the |
+appropriate rights (nor access to the appropriate roles) to manage a system. |
+Accounts that are mapped to <span class="code" dir="ltr">staff_u</span> can, but might need to switch roles |
+from <span class="code" dir="ltr">staff_r</span> to <span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate |
+privileges. |
+</p> |
+<p> |
+Assuming that your account name is <span class="emphasis">john</span>: |
+</p> |
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping the Linux account john to the SELinux user staff_u</p></td></tr> |
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
+~# <span class="code-input">semanage login -a -s staff_u john</span> |
+~# <span class="code-input">restorecon -R -F /home/john</span> |
+</pre></td></tr> |
+</table> |
+<p> |
+If you later log on as <span class="emphasis">john</span> and want to manage your system, you will |
+probably need to switch your role. You can use <span class="code" dir="ltr">newrole</span> for this: |
+</p> |
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching roles</p></td></tr> |
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
+~$ <span class="code-input">id -Z</span> |
+staff_u:staff_r:staff_t |
+~$ <span class="code-input">newrole -r sysadm_r</span> |
+Password: <span class="code-comment">(Enter your password)</span> |
+~$ <span class="code-input">id -Z</span> |
+staff_u:sysadm_r:sysadm_t |
+</pre></td></tr> |
+</table> |
<p> |
-With that done, enjoy - your first steps into the SELinux world are now |
-made. |
+With that done, enjoy - your first steps into the SELinux world are now made. |
</p> |
</td> |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr> |
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr> |
<tr lang="en"><td align="center" class="topsep"> |
<p class="alttext"><b>Donate</b> to support our development efforts. |
</p> |
|
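Review bot: both new code listings reuse the anchor doc_chap1_pre1 and the title "Code Listing1.1", and the new "Define the Administrator Accounts" heading reuses doc_chap1_sect1 from the "Reboot" section directly above it, so any in-page link resolves only to the first occurrence; the listings should carry distinct numbers (1.2, 1.3) and anchors, or the preview should be regenerated from the source document rather than patched by hand ("Code Listing1.1" is also missing the space before the number). In the first added paragraph, "Accounts that are mapped to staff_u can, but might need to switch roles from staff_r to sysadm_r before they are granted the appropriate privileges." has lost its verb; suggest "Accounts that are mapped to staff_u can manage the system, but might need to switch roles from staff_r to sysadm_r first." The pairing of semanage login -a -s staff_u john with restorecon -R -F /home/john is the right order, since the home directory's file contexts depend on the SELinux user the login is mapped to, and that is worth stating in one sentence so readers do not drop the second command.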
diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html |
index 0285dde..d5e77aa 100644 |
--- a/html/selinux/hb-using-permissive.html |
+++ b/html/selinux/hb-using-permissive.html |
@@ -292,7 +292,8 @@ accordingly. For instance, say you have your <span class="path" dir="ltr">lvm.co |
<span class="path" dir="ltr">/etc</span> rather than <span class="path" dir="ltr">/etc/lvm</span> as the policy would expect, |
then you can still label the file correctly using <span class="code" dir="ltr">semanage</span>. With |
<span class="code" dir="ltr">semanage</span>, you assign a correct security context unrelated to any |
-module. It is a local setting - but which is persistent across reboots. |
+module. It is a local setting - but which is persistent across reboots and |
+relabelling activities. |
</p> |
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting a new file context using semanage</p></td></tr> |
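Review bot: the amended sentence "It is a local setting - but which is persistent across reboots and relabelling activities." does not parse as written; suggest "It is a local setting, but one that persists across reboots and relabelling operations." Since persistence across a relabel is the property a reader will rely on (the later section of this same file, "The same tool can be used to relabel the entire system", shows exactly such a relabel), one clause saying that the context added with semanage is applied again by a relabel rather than being reverted to the module's default would make the claim concrete.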
@@ -583,7 +584,7 @@ The same tool can be used to relabel the entire system: |
</table> |
</td> |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 22, 2011</p></td></tr> |
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr> |
<tr lang="en"><td align="center" class="topsep"> |
<p class="alttext"><b>Donate</b> to support our development efforts. |
</p> |