| 1 |
commit: 9ac37024484b464088dd7ad2dd29c66442f10a09 |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Thu Jun 2 11:58:39 2011 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Thu Jun 2 11:58:39 2011 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=9ac37024 |
| 7 |
|
| 8 |
Updating previews |
| 9 |
|
| 10 |
--- |
| 11 |
html/selinux/hb-intro-referencepolicy.html | 8 ++++- |
| 12 |
html/selinux/hb-using-install.html | 42 +++++++++++++++++++++++++-- |
| 13 |
html/selinux/hb-using-permissive.html | 5 ++- |
| 14 |
3 files changed, 47 insertions(+), 8 deletions(-) |
| 15 |
|
| 16 |
diff --git a/html/selinux/hb-intro-referencepolicy.html b/html/selinux/hb-intro-referencepolicy.html |
| 17 |
index 5ff648b..3adc3f9 100644 |
| 18 |
--- a/html/selinux/hb-intro-referencepolicy.html |
| 19 |
+++ b/html/selinux/hb-intro-referencepolicy.html |
| 20 |
@@ -216,11 +216,15 @@ following is an overview of the policy versions' history. |
| 21 |
<dt>Version 23</dt> |
| 22 |
<dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd> |
| 23 |
<dt>Version 24</dt> |
| 24 |
- <dd>Explicit hierarchy (type bounds) (2.6.28 - current)</dd> |
| 25 |
+ <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd> |
| 26 |
+ <dt>Version 25</dt> |
| 27 |
+ <dd>Filename based transition support (2.6.39)</dd> |
| 28 |
+ <dt>Version 26</dt> |
| 29 |
+ <dd>Role transition support for non-process classes (3.0)</dd> |
| 30 |
</dl> |
| 31 |
</td> |
| 32 |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
| 33 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated December 1, 2010</p></td></tr> |
| 34 |
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr> |
| 35 |
<tr lang="en"><td align="center" class="topsep"> |
| 36 |
<p class="alttext"><b>Donate</b> to support our development efforts. |
| 37 |
</p> |
| 38 |
|
| 39 |
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html |
| 40 |
index 2ce4dfe..dadbab8 100644 |
| 41 |
--- a/html/selinux/hb-using-install.html |
| 42 |
+++ b/html/selinux/hb-using-install.html |
| 43 |
@@ -562,7 +562,7 @@ correctly. For instance, if you have installed |
| 44 |
~# <span class="code-input">rlpkg -t screen</span> |
| 45 |
</pre></td></tr> |
| 46 |
</table> |
| 47 |
-<p class="secthead"><a name="doc_chap1_sect1">Reboot</a></p> |
| 48 |
+<p class="secthead"><a name="doc_chap1_sect1">Reboot and Set SELinux Booleans</a></p> |
| 49 |
<p> |
| 50 |
Reboot your system. Log on and, if you have indeed installed Gentoo using the |
| 51 |
hardened sources (as we recommended), enable the SSP SELinux boolean: |
| 52 |
@@ -573,13 +573,47 @@ hardened sources (as we recommended), enable the SSP SELinux boolean: |
| 53 |
~# <span class="code-input">setsebool -P global_ssp on</span> |
| 54 |
</pre></td></tr> |
| 55 |
</table> |
| 56 |
+<p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p> |
| 57 |
+<p> |
| 58 |
+Finally, we need to map the account(s) you use to manage your system (those |
| 59 |
+that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. By default, |
| 60 |
+users are mapped to the <span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the |
| 61 |
+appropriate rights (nor access to the appropriate roles) to manage a system. |
| 62 |
+Accounts that are mapped to <span class="code" dir="ltr">staff_u</span> can, but might need to switch roles |
| 63 |
+from <span class="code" dir="ltr">staff_r</span> to <span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate |
| 64 |
+privileges. |
| 65 |
+</p> |
| 66 |
+<p> |
| 67 |
+Assuming that your account name is <span class="emphasis">john</span>: |
| 68 |
+</p> |
| 69 |
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
| 70 |
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping the Linux account john to the SELinux user staff_u</p></td></tr> |
| 71 |
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
| 72 |
+~# <span class="code-input">semanage login -a -s staff_u john</span> |
| 73 |
+~# <span class="code-input">restorecon -R -F /home/john</span> |
| 74 |
+</pre></td></tr> |
| 75 |
+</table> |
| 76 |
+<p> |
| 77 |
+If you later log on as <span class="emphasis">john</span> and want to manage your system, you will |
| 78 |
+probably need to switch your role. You can use <span class="code" dir="ltr">newrole</span> for this: |
| 79 |
+</p> |
| 80 |
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
| 81 |
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching roles</p></td></tr> |
| 82 |
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> |
| 83 |
+~$ <span class="code-input">id -Z</span> |
| 84 |
+staff_u:staff_r:staff_t |
| 85 |
+~$ <span class="code-input">newrole -r sysadm_r</span> |
| 86 |
+Password: <span class="code-comment">(Enter your password)</span> |
| 87 |
+~$ <span class="code-input">id -Z</span> |
| 88 |
+staff_u:sysadm_r:sysadm_t |
| 89 |
+</pre></td></tr> |
| 90 |
+</table> |
| 91 |
<p> |
| 92 |
-With that done, enjoy - your first steps into the SELinux world are now |
| 93 |
-made. |
| 94 |
+With that done, enjoy - your first steps into the SELinux world are now made. |
| 95 |
</p> |
| 96 |
</td> |
| 97 |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
| 98 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr> |
| 99 |
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr> |
| 100 |
<tr lang="en"><td align="center" class="topsep"> |
| 101 |
<p class="alttext"><b>Donate</b> to support our development efforts. |
| 102 |
</p> |
| 103 |
|
| 104 |
diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html |
| 105 |
index 0285dde..d5e77aa 100644 |
| 106 |
--- a/html/selinux/hb-using-permissive.html |
| 107 |
+++ b/html/selinux/hb-using-permissive.html |
| 108 |
@@ -292,7 +292,8 @@ accordingly. For instance, say you have your <span class="path" dir="ltr">lvm.co |
| 109 |
<span class="path" dir="ltr">/etc</span> rather than <span class="path" dir="ltr">/etc/lvm</span> as the policy would expect, |
| 110 |
then you can still label the file correctly using <span class="code" dir="ltr">semanage</span>. With |
| 111 |
<span class="code" dir="ltr">semanage</span>, you assign a correct security context unrelated to any |
| 112 |
-module. It is a local setting - but which is persistent across reboots. |
| 113 |
+module. It is a local setting - but which is persistent across reboots and |
| 114 |
+relabelling activities. |
| 115 |
</p> |
| 116 |
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> |
| 117 |
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting a new file context using semanage</p></td></tr> |
| 118 |
@@ -583,7 +584,7 @@ The same tool can be used to relabel the entire system: |
| 119 |
</table> |
| 120 |
</td> |
| 121 |
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> |
| 122 |
-<tr><td class="topsep" align="center"><p class="alttext">Updated April 22, 2011</p></td></tr> |
| 123 |
+<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr> |
| 124 |
<tr lang="en"><td align="center" class="topsep"> |
| 125 |
<p class="alttext"><b>Donate</b> to support our development efforts. |
| 126 |
</p> |
Archives