author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-02-26 18:04:49 +0100 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-02-26 18:04:49 +0100 |
commit | 1f162c021d59aabceee16140559627ef2f605458 (patch) | |
tree | b338916f78767ced689d13f89f3463f29ac6e1e1 | |
parent | Add edited lvm-* scripts to CONFIG_PROTECT location (diff) | |
Update on documents, including adding FAQ about initramfs
-rw-r--r-- | xml/selinux-bugreporting.xml | 4 |
-rw-r--r-- | xml/selinux-faq.xml | 27 |
-rw-r--r-- | xml/selinux/modules/NFS | 5 |
3 files changed, 27 insertions, 9 deletions
diff --git a/xml/selinux-bugreporting.xml b/xml/selinux-bugreporting.xml index becc591..7d2ce99 100644 --- a/xml/selinux-bugreporting.xml +++ b/xml/selinux-bugreporting.xml @@ -15,8 +15,8 @@ policy updates. </abstract> <!-- The content of this document is licensed under the CC-BY-SA license --> -<!-- See http://creativecommons.org/licenses/by-sa/2.5 --> -<license/> +<!-- See http://creativecommons.org/licenses/by-sa/3.0 --> +<license version="3.0" /> <version>1</version> <date>2011-11-22</date> diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml index d4aeb18..62c2c28 100644 --- a/xml/selinux-faq.xml +++ b/xml/selinux-faq.xml @@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or elsewhere </abstract> -<version>19</version> -<date>2011-12-27</date> +<version>20</version> +<date>2012-02-26</date> <faqindex> <title>Questions</title> @@ -839,5 +839,28 @@ Authenticating swift. </body> </section> +<section id="initramfs"> +<title>How do I use SELinux with initramfs?</title> +<body> + +<p> +We currently do not support booting in enforcing mode with an initramfs image +(but we are working on it). For the time being, boot in permissive mode. Once +booted, switch to enforcing mode (<c>setenforce 1</c>). +</p> + +<p> +If you run SELinux on a production system and would not like to have attackers +be able to switch back to permissive mode (even when they would have the +necessary privileges otherwise), set the <c>secure_mode_policyload</c> boolean. +When enabled, enforcing mode cannot be disabled anymore (until you reboot). +</p> + +<pre caption="Toggling secure_mode_policyload"> +# <i>setsebool secure_mode_policyload on</i> +</pre> + +</body> +</section> </chapter> </guide> diff --git a/xml/selinux/modules/NFS b/xml/selinux/modules/NFS deleted file mode 100644 index aa87288..0000000 --- a/xml/selinux/modules/NFS +++ /dev/null 
@@ -1,5 +0,0 @@ -Important doclet: -- if mounting multiple locations with different context= options, but the - master file system (on the NFS server) is the same file system, then the - mount must use "nosharecache" as an option (IPv4) - |
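Review bot: In xml/selinux-bugreporting.xml the license reference moves from by-sa/2.5 to by-sa/3.0, but the `<version>1</version>` and `<date>2011-11-22</date>` lines remain unchanged context and the commit message does not mention a license change. Bump the version and date here the same way this commit does for selinux-faq.xml, and name the license update in the commit message so it can be found in the history later.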
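Review bot: In the new `initramfs` section of xml/selinux-faq.xml, the order of the two steps is only implied. The first paragraph ends with `setenforce 1` and the second says that enforcing mode can no longer be disabled once `secure_mode_policyload` is on, but nothing states that the boolean must be set only after the switch to enforcing, or what happens if it is set while the system is still permissive. State the order explicitly and put both commands in the `<pre>` block in sequence. Since the boolean's name refers to policy loading, the text should also say whether policy reloads and boolean changes still work once it is enabled, because that decides whether an administrator can run policy updates without a reboot.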
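Review bot: The deletion of xml/selinux/modules/NFS drops the note that mounts with different `context=` options from the same server-side file system need "nosharecache", and neither of the other two files changed in this commit adds that text. If the note has moved into another document, reference that in the commit message; otherwise consider keeping it, for example as an FAQ entry, since the commit message only mentions the initramfs FAQ.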