author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2011-05-03 22:09:22 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2011-05-03 22:09:22 +0200 |
commit | 37823f895ec2add96e802cedcf0d13d909bfa08e (patch) | |
tree | d062155c46ae80203ba4f54a234c5ce18716e5fa /xml/selinux/hb-using-install.xml | |
parent | Update previews (diff) | |
Add information on ubac USE flag as well as other SELinux-related USE flags
Diffstat (limited to 'xml/selinux/hb-using-install.xml')
-rw-r--r-- | xml/selinux/hb-using-install.xml | 56 |
1 files changed, 54 insertions, 2 deletions
diff --git a/xml/selinux/hb-using-install.xml b/xml/selinux/hb-using-install.xml index 30dc495..a6a61a3 100644 --- a/xml/selinux/hb-using-install.xml +++ b/xml/selinux/hb-using-install.xml 
@@ -197,14 +197,66 @@ installation is completed. </note> <p> +Don't update your system yet - we will need to install a couple of packages in a +particular order which Portage isn't aware of in the next couple of sections. +</p> + +</body> +</subsection> +<subsection> +<title>Update make.conf</title> +<body> + +<p> Edit your <path>/etc/make.conf</path> file and set <c>FEATURES="-loadpolicy"</c>. The current SELinux profile enables the loadpolicy feature, but this isn't supported anymore so can be safely ignored. </p> <p> -Don't update your system yet - we will need to install a couple of packages in a -particular order which Portage isn't aware of in the next couple of sections. +Next, take a look at the following USE flags and decide if you want to enable +or disable them. +</p> + +<table> +<tr> + <th>USE flag</th> + <th>Default Value</th> + <th>Description</th> +</tr> +<tr> + <ti>peer_perms</ti> + <ti>Enabled</ti> + <ti> + The peer_perms capability controls the SELinux policy network peer controls. + If set, the access control mechanisms that SELinux uses for network based + labelling are consolidated. This setting is recommended as the policy is + also updated to reflect this. If not set, the old mechanisms (NetLabel and + Labeled IPsec) are used side by side. + </ti> +</tr> +<tr> + <ti>open_perms</ti> + <ti>Disabled</ti> + <ti> + The open_perms capability enables the SELinux permission "open" for files + and file-related classes. + </ti> +</tr> +<tr> + <ti>ubac</ti> + <ti>Disabled</ti> + <ti> + When enabled, the SELinux policy is built with user-based access control + enabled. This is optional as it introduces constraints that might be + difficult to notice at first when you hit them. + </ti> +</tr> +</table> + +<p> +Make your choice and update the <c>USE</c> variable in +<path>/etc/make.conf</path>. </p> </body> |
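Review bot: The ubac row of the new table asks the reader to decide on a flag whose only stated effect is that it "introduces constraints that might be difficult to notice at first when you hit them", which gives no basis for the choice the following paragraph asks for. Suggest stating what user-based access control restricts and what a denial caused by it looks like, so that an administrator who enables it can recognise the cause later. The open_perms row has the same gap in a smaller form: peer_perms carries an explicit "This setting is recommended", while open_perms and ubac give a default of Disabled with no recommendation either way. Separately, moving "Don't update your system yet" up into the previous subsection means the last instruction in this subsection is now "Make your choice and update the <c>USE</c> variable", which is the point where a reader is most likely to rebuild for the changed flags; consider keeping or repeating the warning after that final paragraph. The closing paragraph would also benefit from a short example of the resulting USE line, since the table gives flag names but not the syntax for enabling or disabling them.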