author: Sven Vermeulen <sven.vermeulen@siphos.be> 2011-12-22 13:57:44 +0100
committer: Sven Vermeulen <sven.vermeulen@siphos.be> 2011-12-22 13:57:44 +0100
commit: e4f04e14465866f91e580ce149eb8c9b9fc05cbf
tree: 2b0fb0964df163237830677ca6e132fedfcfe37b
parent: Reboot before relabeling, add blurb about etc-update/dispatch-conf
Drop module information, is now over at wiki.g.o
-rw-r--r--  xml/selinux/modules/apache.xml   586
-rw-r--r--  xml/selinux/modules/bind.xml     132
-rw-r--r--  xml/selinux/modules/cron.xml     389
-rw-r--r--  xml/selinux/modules/index.xml     69
-rw-r--r--  xml/selinux/modules/ldap.xml     105
-rw-r--r--  xml/selinux/modules/portage.xml  325
-rw-r--r--  xml/selinux/modules/ssh.xml      102
7 files changed, 0 insertions, 1708 deletions
diff --git a/xml/selinux/modules/apache.xml b/xml/selinux/modules/apache.xml
deleted file mode 100644
index 4d6350e..0000000
--- a/xml/selinux/modules/apache.xml
+++ /dev/null
@@ -1,586 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/apache.xml" lang="en">
-<title>SELinux Apache Module</title>
-<author title="Author">
- <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the apache module is responsible for defining the
-web server related domains and privileges. It is not tied to Apache, despite
-its name.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-06-02</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/apachedomain.png" short="General Apache domain overview"
-caption="General Apache domain overview" />
-
-<p>
-The <c>apache</c> module provides the following domains:
-</p>
-
-<table>
-<tr>
- <th>Domain</th>
- <th>Process(es)</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>httpd_t</ti>
- <ti>apache<br />lighttpd</ti>
- <ti>Webserver processes</ti>
-</tr>
-<tr>
- <ti>httpd_helper_t</ti>
- <ti>htsslpass</ti>
- <ti>Domain for the htsslpass process</ti>
-</tr>
-<tr>
- <ti>httpd_php_t</ti>
- <ti>php-cgi</ti>
- <ti>Domain for PHP support through CGI (php-cgi process)</ti>
-</tr>
-<tr>
- <ti>httpd_rotatelogs_t</ti>
- <ti>rotatelogs</ti>
- <ti>Domain for the rotatelogs process</ti>
-</tr>
-<tr>
- <ti>httpd_suexec_t</ti>
- <ti>suexec</ti>
- <ti>
- Domain used by the webserver suexec process to switch to another user
- before calling and executing a script
- </ti>
-</tr>
-<tr>
- <ti>httpd_sys_script_t</ti>
- <ti></ti>
- <ti>Domain used by the system/package-provided CGI scripts</ti>
-</tr>
-<tr>
- <ti>httpd_user_script_t</ti>
- <ti></ti>
- <ti>Domain used by the user-provided CGI scripts</ti>
-</tr>
-</table>
-
-<impo>
-The <c>apache</c> module allows other modules to define their own domains and
-types for use by the webservers. This is done through templates. The reference
-policy by default enabled two of such templated sets for <e>user</e> and
-<e>sys</e>, which you can see in domains like <c>httpd_sys_script_t</c> and
-<c>httpd_user_script_t</c>. It is very well possible that on your system, more
-of these template-instantiated domains exist.
-</impo>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>apache</c>
-module.
-</p>
-
-<ul>
- <li>
- If the function mentions <e>(templated)</e> then it means that the types
- are generated by the <c>apache</c> module, but that similar others might
- exist on your system (called through other modules).
- </li>
- <li>
- When talking about <e>scripts</e>, we mean CGI scripts or other scripts that
- are triggered from the webserver, not from an interactive shell session.
- </li>
-</ul>
-
-
-
-<table>
-<tr>
- <th>Type</th>
- <th>Function</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>httpd_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the webserver processes</ti>
-</tr>
-<tr>
- <ti>httpd_initrc_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the webserver init scripts</ti>
-</tr>
-<tr>
- <ti>httpd_helper_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the webserver helper processes</ti>
-</tr>
-<tr>
- <ti>httpd_php_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the PHP scripts</ti>
-</tr>
-<tr>
- <ti>httpd_rotatelogs_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the rotatelog helper</ti>
-</tr>
-<tr>
- <ti>httpd_suexec_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the suexec wrapper</ti>
-</tr>
-<tr>
- <ti>httpd_sys_script_exec_t</ti>
- <ti>Entrypoint (templated)</ti>
- <ti>
- Entrypoint for system CGI scripts (or other callable scripts) that need
- access to the system content files (httpd_sys_content_t)
- </ti>
-</tr>
-<tr>
- <ti>httpd_user_script_exec_t</ti>
- <ti>Entrypoint (templated)</ti>
- <ti>
- Entrypoint for the user-provided scripts callable from the webserver instances
- </ti>
-</tr>
-<tr>
- <ti>httpd_squirrelmail_t</ti>
- <ti>Content</ti>
- <ti>Squirrelmail files</ti>
-</tr>
-<tr>
- <ti>squirrelmail_spool_t</ti>
- <ti>Content</ti>
- <ti>Squirrelmail attachment location</ti>
-</tr>
-<tr>
- <ti>httpd_sys_content_t</ti>
- <ti>Content (templated)</ti>
- <ti>
- Readable content for the webservers and system scripts, offered through
- the system / packages.
- </ti>
-</tr>
-<tr>
- <ti>httpd_sys_htaccess_t</ti>
- <ti>Content (templated)</ti>
- <ti>
- Label for the htaccess files, readable by the webserver but not from scripts
- or other webserver related domains.
- </ti>
-</tr>
-<tr>
- <ti>httpd_sys_rw_content_t</ti>
- <ti>Content (templated)</ti>
- <ti>
- Read and writeable content for the webservers and system scripts (not user
- scripts).
- </ti>
-</tr>
-<tr>
- <ti>httpd_sys_ra_content_t</ti>
- <ti>Content (templated)</ti>
- <ti>
- Read and appendable content for the webservers and system scripts (not user
- scripts).
- </ti>
-</tr>
-<tr>
- <ti>httpd_user_content_t</ti>
- <ti>Content (templated)</ti>
- <ti>
- Readable content for the webservers and user scripts, offered by (and
- writeable by) users.
- </ti>
-</tr>
-<tr>
- <ti>httpd_user_htaccess_t</ti>
- <ti>Content (templated)</ti>
- <ti>
- Label for the htaccess files, readable by the webserver but not from scripts
- or other webserver related domains.
- </ti>
-</tr>
-<tr>
- <ti>httpd_user_rw_content_t</ti>
- <ti>Content (templated)</ti>
- <ti>
- Read and writeable content for the webservers and user scripts (not system
- scripts).
- </ti>
-</tr>
-<tr>
- <ti>httpd_user_ra_content_t</ti>
- <ti>Content (templated)</ti>
- <ti>
- Read and appendable content for the webservers and user scripts (not system
- scripts).
- </ti>
-</tr>
-<tr>
- <ti>httpd_php_tmp_t</ti>
- <ti>Temporary Files</ti>
- <ti>Temporary files from the PHP scripts</ti>
-</tr>
-<tr>
- <ti>httpd_suexec_tmp_t</ti>
- <ti>Temporary Files</ti>
- <ti>Temporery files for the suexec domain</ti>
-</tr>
-<tr>
- <ti>httpd_tmp_t<br />httpd_tmpfs_t</ti>
- <ti>Temporary Files</ti>
- <ti>Temporary files from the httpd domain</ti>
-</tr>
-
-<tr>
- <ti>httpd_cache_t</ti>
- <ti></ti>
- <ti>Web server cache</ti>
-</tr>
-<tr>
- <ti>httpd_config_t</ti>
- <ti></ti>
- <ti>Configuration files</ti>
-</tr>
-<tr>
- <ti>httpd_lock_t</ti>
- <ti></ti>
- <ti>Lock files</ti>
-</tr>
-<tr>
- <ti>httpd_log_t</ti>
- <ti></ti>
- <ti>Web server log files</ti>
-</tr>
-<tr>
- <ti>httpd_modules_t</ti>
- <ti></ti>
- <ti>Webserver modules</ti>
-</tr>
-<tr>
- <ti>httpd_var_lib_t</ti>
- <ti></ti>
- <ti>Webserver libraries</ti>
-</tr>
-<tr>
- <ti>httpd_var_run_t</ti>
- <ti></ti>
- <ti>Runtime files for httpd</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-<chapter>
-<title>Using Apache</title>
-<section>
-<title>File Locations</title>
-<body>
-
-<p>
-The policy offered only contains the right file context rules for the default
-locations. If you deviate from these locations, you'll need to update the
-contexts accordingly.
-</p>
-
-<p>
-The following table provides an overview of common Apache settings (variables in
-<path>httpd.conf</path>) that are often changed by end users, and the file
-context that it should have. If you use a different webserver you'll need to
-base it on the description instead.
-</p>
-
-<table>
-<tr>
- <th>Setting in httpd.conf</th>
- <th>Description</th>
- <th>Default Location</th>
- <th>File Context(s)</th>
-</tr>
-<tr>
- <ti>DocumentRoot</ti>
- <ti>Location where web content is stored (html pages and such)</ti>
- <ti>/srv/localhost/www</ti>
- <ti>system_u:object_r:httpd_sys_content_t</ti>
-</tr>
-<tr>
- <ti>Document</ti>
- <ti>Location where CGI scripts are stored</ti>
- <ti>/srv/localhost/cgi-bin</ti>
- <ti>system_u:object_r:httpd_sys_script_exec_t</ti>
-</tr>
-<tr>
- <ti>Directory</ti>
- <ti>User home directory location where user-provided content is stored</ti>
- <ti>/home/*/public_html</ti>
- <ti>system_u:object_r:httpd_user_content_t</ti>
-</tr>
-<tr>
- <ti>Directory</ti>
- <ti>User home directory location where user-provided CGI scripts are stored</ti>
- <ti>/home/*/public_html/cgi-bin</ti>
- <ti>system_u:object_r:httpd_user_script_exec_t</ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>Sharing Files</title>
-<body>
-
-<p>
-The SELinux policy (as part of the <c>miscfiles</c> module) supports two
-additional types: <c>public_content_t</c> and <c>public_content_rw_t</c>. These
-are used for what is called <e>anonymous files</e> which are readable by all
-file-serving services. If all services only need to read from it, then
-<c>public_content_t</c> is used. If at least one services needs to write to it,
-use <c>public_content_rw_t</c> and toggle the right SELinux boolean for the
-domain that needs write access to it (<c>allow_DOMAIN_anon_write</c>).
-</p>
-
-<p>
-For instance, if you have files that are shared by Apache, NFS, Samba, ... you
-label these <c>public_content_t</c> (read-only) or <c>public_content_rw_t</c>
-(read-write for some) and then toggle the appropriate booleans:
-</p>
-
-<pre caption="Enable write access for the httpd_sys_script_t domain to the public_content_rw_t domain">
-~# <i>setsebool -P allow_httpd_sys_script_anon_write on</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Booleans</title>
-<body>
-
-<p>
-The <c>apache</c> module has several booleans which manipulate the allowed
-permissions within your installation. The table below gives an overview of the
-booleans, but also mentions which USE flags you <e>could</e> associate with it.
-Note that the booleans are <e>not</e> linked to USE flags. However, if you have
-set a particular USE flag for the webserver environment, then you might want to
-toggle these booleans as well.
-</p>
-
-<table>
-<tr>
- <th>Boolean</th>
- <th>Description</th>
- <th>Gentoo USE flag suggestion</th>
-</tr>
-<tr>
- <ti>allow_httpd_anon_write</ti>
- <ti>
- Allow the webserver to modify public files (labeled
- <c>public_content_rw_t</c>)
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>allow_httpd_sys_script_anon_write</ti>
- <ti>
- Allow the system scripts to modify public files
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>allow_httpd_user_script_anon_wriet</ti>
- <ti>
- Allow the user scripts to modify public files
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>allow_httpd_mod_auth_pam</ti>
- <ti>
- Allow the webserver to use the auth_pam module
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_builtin_scripting</ti>
- <ti>
- Needed when your webservers use internal scripting languages like PHP
- (languages that are read and interpreted by the webserver directly rather than
- called through separate processes like with CGI)
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_can_network_connect</ti>
- <ti>
- Allow the webserver scripts and modules to connect to the network
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_can_network_connect_db</ti>
- <ti>
- Allow the webserver scripts and modules to connect to databases over the
- network
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_can_network_relay</ti>
- <ti>
- Allow webservers to act as a relay
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_can_sendmail</ti>
- <ti>
- Allow webservers to send e-mails
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_dbus_avahi</ti>
- <ti>
- Allow webservers to communicate with avahi service via dbus
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_enable_cgi</ti>
- <ti>
- Allow webservers to call CGI scripts (labeled <c>httpd_sys_script_exec_t</c>
- or <c>httpd_user_script_exec_t</c>)
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_enable_ftp_server</ti>
- <ti>
- Allow webservers to act as an FTP server by listening on the FTP ports
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_enable_homedirs</ti>
- <ti>
- Allow webservers to read home directories (<c>user_home_t</c>). Not to be
- mistaken with <c>httpd_user_content_t</c>, which resides in the users' home
- directory but is labeled, well, <c>httpd_user_content_t</c> ;-)
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_ssi_exec</ti>
- <ti>
- Allow webservers to run SSI executables in the same domain as the CGI
- scripts
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_tty_com</ti>
- <ti>
- Unify webservers to communicate with the terminal. This is needed when you
- need to enter a passphraze for certificates at the terminal.
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_unified</ti>
- <ti>
- When enabled, the various webserver content types (all types with attribute
- <c>httpdcontent</c> set) are not differentiated anymore, but all considered
- to be readable, writeable and executable by the webserver.
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_use_cifs</ti>
- <ti>
- Allow webservers to access CIFS file systems
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_use_gpg</ti>
- <ti>
- Allow webservers to run gpg
- </ti>
- <ti />
-</tr>
-<tr>
- <ti>httpd_use_nfs</ti>
- <ti>
- Allow webservers to access NFS file systems
- </ti>
- <ti />
-</tr>
-</table>
-
-<p>
-If you want to toggle booleans, you can do so through <c>setsebool</c>:
-</p>
-
-<pre caption="Enabling the gentoo_try_dontaudit boolean">
-<comment>( With the -P flag, the boolean state is persisted across reboots)</comment>
-~# <i>setsebool -P httpd_enable_homedirs on</i>
-</pre>
-
-</body>
-</section>
-<section>
-<title>Ports</title>
-<body>
-
-<p>
-If you need to run the webserver on a non-default port, you can either mark this
-port as an HTTP port (<c>http_port_t</c>) or create the appropriate rule to allow
-it to bind to the specified port.
-</p>
-
-<p>
-To mark a particular port (say 81) as an HTTP port, use <c>semanage</c>:
-</p>
-
-<pre caption="Labeling port 81 as http_port_t">
-~# <i>semanage port -a -t http_port_t -p tcp 81</i>
-</pre>
-
-<p>
-If you need to allow the webserver to bind on a port but are not allowed to
-modify that ports' type, you'll need to create a policy that allows the
-<c>httpd_t</c> domain to bind to the particular port. For instance, to allow it
-to bind on the SMTP port:
-</p>
-
-<pre caption="Allow rules to allow httpd_t to bind on SMTP ports">
-allow httpd_t smtp_port_t:tcp_socket name_bind;
-</pre>
-
-</body>
-</section>
-</chapter>
-</guide>
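Review bot: the copy of apache.xml dropped here carries several defects that should be fixed in the wiki.g.o version rather than migrated verbatim: in the Booleans table the row `allow_httpd_user_script_anon_wriet` misspells the boolean (`allow_httpd_user_script_anon_write`), the `httpd_tty_com` row reads "Unify webservers to communicate with the terminal" and "passphraze", the `<pre>` captioned "Enabling the gentoo_try_dontaudit boolean" actually shows `setsebool -P httpd_enable_homedirs on`, and in the File Locations table the "Document" entry for the CGI directory does not name a complete httpd.conf setting, unlike the DocumentRoot row above it. Since the diffstat shows 0 insertions, suggest also leaving a stub that links to the wiki destination so existing links to /proj/en/hardened/selinux/modules/apache.xml do not dangle.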
diff --git a/xml/selinux/modules/bind.xml b/xml/selinux/modules/bind.xml
deleted file mode 100644
index 25c2a11..0000000
--- a/xml/selinux/modules/bind.xml
+++ /dev/null
@@ -1,132 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/bind.xml" lang="en">
-<title>SELinux Bind Module</title>
-<author title="Author">
- <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the bind module is responsible for defining the BIND
-domains and interactions.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/binddomain.png" short="General Bind domain overview"
-caption="General Bind domain overview" />
-
-<p>
-The <c>named_t</c> domain can only be transitioned towards through the
-<c>initrc_t</c> domain (i.e. through init scripts). The <c>ndc_t</c> domain
-(for the named domain controller) can be transitioned towards through the
-<c>initrc_t</c> and <c>sysadm_t</c> (general system administration) domains.
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>bind</c>
-module.
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Function</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>named_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint domain for the named binaries</ti>
-</tr>
-<tr>
- <ti>named_initrc_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint domain for non-Gentoo init scripts</ti>
-</tr>
-<tr>
- <ti>named_checkconf_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the checkconf binary</ti>
-</tr>
-<tr>
- <ti>ndc_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the ndc binaries</ti>
-</tr>
-<tr>
- <ti>dnssec_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the key files used by the named daemon</ti>
-</tr>
-<tr>
- <ti>named_zone_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the primary zone files</ti>
-</tr>
-<tr>
- <ti>named_cache_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the cached zone files</ti>
-</tr>
-<tr>
- <ti>named_conf_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the named configuration files</ti>
-</tr>
-<tr>
- <ti>named_log_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the named log files</ti>
-</tr>
-<tr>
- <ti>named_tmp_t</ti>
- <ti></ti>
- <ti>Label for the named temporary files</ti>
-</tr>
-<tr>
- <ti>named_var_run_t</ti>
- <ti></ti>
- <ti>Label for the named runtime variable data</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-<chapter>
-<title>Using Bind</title>
-<section>
-<title>SELinux boolean: named_write_master_zones</title>
-<body>
-
-<p>
-The <c>named</c> policy offers one boolean called
-<c>named_write_master_zones</c> which, when enabled, allows the named daemon to
-write to its master zone files (i.e. <c>named_zone_t</c>). This is used in
-master/slave setups.
-</p>
-
-</body>
-</section>
-</chapter>
-</guide>
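Review bot: two wording problems in the dropped bind.xml should be corrected in the migrated copy: the File Types table describes `named_exec_t` and `named_initrc_exec_t` as an "Entrypoint domain", but these are entrypoint file types, not domains (the other rows of the same table correctly say "Entrypoint for ..."), and the Using Bind section opens with "The named policy offers one boolean" although the module is called `bind` everywhere else in the file. The `$Header` comment still points at hardened-debugging.xml, a copy-paste leftover shared by every file in this commit.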
diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml
deleted file mode 100644
index e909ff8..0000000
--- a/xml/selinux/modules/cron.xml
+++ /dev/null
@@ -1,389 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/cron.xml" lang="en">
-<title>SELinux cron Module</title>
-<author title="Author">
- <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the cron module is responsible for defining the scheduling
-domains and interactions.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
-<license version="3.0"/>
-
-<version>3</version>
-<date>2011-12-14</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/crondomain.png" short="General cron domain overview"
-caption="General cron domain overview" />
-
-<p>
-The cron daemon itself (like <c>vixie-cron</c>) runs in the <e>crond_t</e>
-domain. Depending on the cron daemon used, this daemon either immediately
-executes the jobs (hence its ability to transition to various other domains) or
-does this through an intermediate domain (<e>system_cronjob_t</e> for system
-cronjobs and <e>cronjob_t</e> for user cronjobs).
-</p>
-
-<p>
-The <e>crontab_t</e> and <e>admin_crontab_t</e> domains are used by the users
-(and administrators) for maintaining their crontab files. These files are read
-in by the cron daemon.
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>cron</c>
-module (part of the base policy).
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Function</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>cronjob_t</ti>
- <ti>Domain</ti>
- <ti>Domain for end user cronjobs</ti>
-</tr>
-<tr>
- <ti>system_cronjob_t</ti>
- <ti>Domain</ti>
- <ti>Domain for system cronjobs</ti>
-</tr>
-<tr>
- <ti>crond_t</ti>
- <ti>Domain</ti>
- <ti>Domain for the cron daemon</ti>
-</tr>
-<tr>
- <ti>admin_crontab_t</ti>
- <ti>Domain</ti>
- <ti>Domain for administrator-started crontab commands</ti>
-</tr>
-<tr>
- <ti>crontab_t</ti>
- <ti>Domain</ti>
- <ti>Domain for user-started crontab commands</ti>
-</tr>
-<tr>
- <ti>crond_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the cron daemon binaries</ti>
-</tr>
-<tr>
- <ti>crontab_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Entrypoint for the crontab commands</ti>
-</tr>
-<tr>
- <ti>cron_spool_t</ti>
- <ti>Configuration</ti>
- <ti>Spool files (where the user crontab files are in)</ti>
-</tr>
-<tr>
- <ti>user_cron_spool_t</ti>
- <ti>Configuration</ti>
- <ti>Spool files (for the user crontab files)</ti>
-</tr>
-<tr>
- <ti>system_cron_spool_t</ti>
- <ti>Configuration</ti>
- <ti>Spool files (where the system crontab files are in)</ti>
-</tr>
-<tr>
- <ti>cron_var_lib_t</ti>
- <ti></ti>
- <ti>Label for cron's /var/lib items</ti>
-</tr>
-<tr>
- <ti>cron_var_run_t</ti>
- <ti></ti>
- <ti>Label for cron's /var/run items</ti>
-</tr>
-<tr>
- <ti>cron_log_t</ti>
- <ti></ti>
- <ti>Label for cron's logfiles (/var/log/cron)</ti>
-</tr>
-<tr>
- <ti>crond_tmp_t</ti>
- <ti></ti>
- <ti>Label for the cron daemon's temporary files</ti>
-</tr>
-<tr>
- <ti>crond_var_run_t</ti>
- <ti></ti>
- <ti>Label for the cron daemon's /var/run items</ti>
-</tr>
-<tr>
- <ti>system_cronjob_lock_t</ti>
- <ti></ti>
- <ti>Label for the system cronjobs' lock files</ti>
-</tr>
-<tr>
- <ti>system_cronjob_tmp_t</ti>
- <ti></ti>
- <ti>Label for the system cronjobs' temporary files</ti>
-</tr>
-<tr>
- <ti>admin_crontab_tmp_t</ti>
- <ti></ti>
- <ti>
- Label for temporary files created by a system administrators' crontab
- command
- </ti>
-</tr>
-<tr>
- <ti>crontab_tmp_t</ti>
- <ti></ti>
- <ti>Label for temporary files created by a users' crontab command</ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>Booleans</title>
-<body>
-
-<p>
-The <c>cron</c> domain supports the following SELinux booleans, which can be set
-/ unset using the standard <c>setsebool</c> statements.
-</p>
-
-<table>
-<tr>
- <th>Boolean</th>
- <th>Default</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>cron_can_relabel</ti>
- <ti>false</ti>
- <ti>
- Allow jobs running in the <e>system_cronjob_t</e> domain to relabel files
- and directories. When set, these jobs can also call the <c>setfiles</c> and
- <c>restorecon</c> commands.
- </ti>
-</tr>
-<tr>
- <ti>fcron_crond</ti>
- <ti>false</ti>
- <ti>
- Needed to set more privileges for the cron domains in case <c>fcron</c> is
- used as a cron daemon. These privileges are not necessary for other cron
- daemons and as such are "behind" this boolean.
- </ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-<chapter>
-<title>Using Cron</title>
-<section>
-<title>System Administration</title>
-<body>
-
-<p>
-If you want to perform system administrative tasks using cronjobs, you will need
-to take special care that the domain in which the job runs has sufficient
-privileges.
-</p>
-
-<p>
-First, make sure that your cronjobs run in the <e>system_cronjob_t</e> domains.
-This means that the cronjobs must be defined as either
-</p>
-
-<ul>
- <li>
- scripts in the <path>/etc/cron.hourly</path>, <path>/etc/cron.daily</path>,
- ... directories
- </li>
- <li>
- crontab entries in the <path>/etc/cron.d</path> directory
- </li>
- <li>
- crontab entries in the <path>/etc/crontab</path> file
- </li>
-</ul>
-
-<p>
-Second, make sure that your <path>/etc/crontab</path> uses <c>HOME=/</c>.
-Setting this to another <c>HOME</c> directory might confuse some applications.
-With SELinux enabled, this could cause those applications to try and read the
-root users' home directory, which isn't allowed by policy.
-</p>
-
-<p>
-Next, verify that the commands you want to run (and thus their target domain in
-which they will run) are allowed for the <e>system_cronjob_t</e> domain.
-</p>
-
-<pre caption="Validationg the system_cronjob_t privileges">
-<comment># Example to verify if we can call emerge</comment>
-~# <i>sesearch -s system_cronjob_t -t portage_t -A</i>
-Found 1 semantic av rules:
- allow system_cronjob_t portage_t : process transition;
-</pre>
-
-<p>
-If the domain does not have the necessary privileges, you need to update the
-policy. More information on maintaining the SELinux policy can be found in the
-<uri link="http://hardened.gentoo.org/selinux/selinux-handbook.xml">Gentoo
-Hardened SELinux Handbook</uri>.
-</p>
-
-<p>
-An example policy file to allow executing <c>dmesg</c>:
-</p>
-
-<pre caption="Allowing system_cronjob_t to execute dmesg">
-policy_module(fixcron, 1.0)
-
-require {
- type dmesg_t;
-}
-
-cron_system_entry(dmesg_t)
-</pre>
-
-<p>
-For more information or help with managing your policies, do not hesitate to
-drop by on <c>#gentoo-hardened</c> in <c>irc.freenode.net</c>.
-</p>
-
-</body>
-</section>
-<section>
-<title>User (incl. root) Cronjobs</title>
-<body>
-
-<impo>
-Part of this is for vixie-cron users with USE="ubac" set, but even if this is
-not the case it is still pertinent (cfr. the default_contexts issue).
-</impo>
-
-<p>
-When working with end user crontabs (those triggered / managed through the
-<c>crontab</c> command), you must take care that you do this as the <e>SELinux
-user</e> which is associated with the file (this is a result of the SELinux User
-Based Access Control, aka <e>UBAC</e>). In other words, if you want to edit the
-root users' <path>crontab</path> file, you need to be the <c>root</c> SELinux
-user (and not a staff user that <c>su</c>/<c>sudo</c>'ed into root).
-</p>
-
-<p>
-If this was not done correctly, you will get the following error:
-</p>
-
-<pre caption="Error due to mismatch on SELinux user">
-cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
-</pre>
-
-<p>
-Verify that the file's user and SELinux user match:
-</p>
-
-<pre caption="Verify that the SELinux user and file user ownership matches">
-~# <i>ls -Z /var/spool/cron/crontabs/root</i>
-staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
-
-~# <i>semanage login -l | grep root</i>
-root root
-</pre>
-
-<p>
-In the above case, the root Unix account (cfr filename of the crontab file) is
-mapped to the root SELinux user (cfr second "root" in the <c>semanage login
--l</c> output). However, the SELinux user of the crontab file is <e>staff_u</e>
-instead of <e>root</e>, which is why the failure occurred.
-</p>
-
-<p>
-To fix this, use <c>chcon</c>:
-</p>
-
-<pre caption="Fix the crontab SELinux user ownership">
-~# <i>chcon -u root /var/spool/cron/crontabs/root</i>
-</pre>
-
-<p>
-Another problem that you might see is immediately at startup:
-</p>
-
-<pre caption="Entrypoint failure on crontab">
-cron[26653]: (system_u) ENTRYPOINT FAILED (/etc/crontab)
-</pre>
-
-<p>
-In this case, even if the user of the file is correct, it is most likely due to
-the <path>/etc/selinux/*/contexts/default_context</path> file containing an
-incorrect definition. Look at the cron-related line and verify that each
-mentioned context is valid. For instance:
-</p>
-
-<pre caption="Verify if contexts are valid">
-<comment># Verify the context "system_r:cronjob_t:s0"</comment>
-~# <i>seinfo -rsystem_r -x | grep cronjob</i>
- system_cronjob_t
-</pre>
-
-<p>
-In the above case, <e>cronjob_t</e> is not valid, but <e>system_cronjob_t</e> is.
-</p>
-
-</body>
-</section>
-<section>
-<title>Reporting Cron and SELinux Issues</title>
-<body>
-
-<p>
-If you have an issue with cron and believe that it is related to SELinux, please
-also give the output of the following command:
-</p>
-
-<pre caption="Getting the initial context from crond_t">
-<comment># Get the domain under which system-level jobs will run</comment>
-~# <i>getseuser system_u system_u:system_r:crond_t</i>
-seuser: system_u, level (null)
-Context 0 system_u:system_r:system_cronjob_t
-
-<comment># Get the domain under which user-level jobs will run</comment>
-~# <i>getseuser john system_u:system_r:crond_t</i>
-seuser: user_u, level (null)
-Context 0 user_u:user_r:cronjob_t
-</pre>
-
-<note>
-The <c>getseuser</c> command usually takes a Unix account name for the first
-argument, but treats <c>system_u</c> as a special case.
-</note>
-
-</body>
-</section>
-</chapter>
-</guide>
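Review bot: the dropped cron.xml is the most recently revised of these files (version 3, dated 2011-12-14, eight days before this commit), so double-check that its troubleshooting material reached the wiki, and resolve one inconsistency while doing so: the `<impo>` refers to "the default_contexts issue" while the later paragraph points at `/etc/selinux/*/contexts/default_context` (singular); the file consulted is `default_contexts`, so the later path should be corrected. Minor: the caption "Validationg the system_cronjob_t privileges" has a typo, and the `sesearch` example demonstrates only that the `process transition` to `portage_t` is allowed, which is what the surrounding text needs but is narrower than "verify if we can call emerge" suggests.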
diff --git a/xml/selinux/modules/index.xml b/xml/selinux/modules/index.xml
deleted file mode 100644
index d93bf05..0000000
--- a/xml/selinux/modules/index.xml
+++ /dev/null
@@ -1,69 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/index.xml" lang="en">
-<title>SELinux Modules</title>
-<author title="Author">
- <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-SELinux aggregates its permissions in modules to make the entire policy more
-manageable. To help users work with these modules, we document the common
-modules and how to work with them.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Modules</title>
-<section>
-<body>
-
-<p>
-If you use Gentoo Hardened with SELinux, then you'll eventually need to
-configure your system to work with the policies (or update the policies to work
-with your system). To help you tune the policy, insight in how the modules are
-structured and what they contain is necessary.
-</p>
-
-<p>
-Gentoo Hardened tries to document the common modules as well as how they are
-structured. Also, we document what configuration changes are often requested and
-how to deal with them. If a module contains booleans, we explain them in more
-detail.
-</p>
-
-</body>
-</section>
-<section>
-<title>Administrative Modules</title>
-<body>
-
-<ul>
- <li><uri link="portage.xml">Portage</uri></li>
-</ul>
-
-</body>
-</section>
-<section>
-<title>Services (Daemons)</title>
-<body>
-
-<ul>
- <li><uri link="bind.xml">BIND server</uri> (bind)</li>
- <li><uri link="cron.xml">Cron service</uri> (vixie-cron)</li>
- <li><uri link="ldap.xml">LDAP servers</uri> (openldap)</li>
- <li><uri link="apache.xml">Web servers</uri> (apache, lighttpd)</li>
-</ul>
-
-</body>
-</section>
-</chapter>
-</guide>
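Review bot: deleting index.xml with no replacement leaves any remaining `<uri link=".../selinux/modules/index.xml">` references in the hardened docs tree dangling; the diffstat shows 0 insertions and the commit message names only "wiki.g.o" without a URL. Suggest either keeping a one-paragraph stub that links to the wiki destination or checking the tree for links into the modules/ directory in the same commit. Note also that this index never listed ssh.xml, which the commit deletes as well, so that page was unreachable from the index even before the move.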
diff --git a/xml/selinux/modules/ldap.xml b/xml/selinux/modules/ldap.xml
deleted file mode 100644
index 4da1c55..0000000
--- a/xml/selinux/modules/ldap.xml
+++ /dev/null
@@ -1,105 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/ldap.xml" lang="en">
-<title>SELinux LDAP Module</title>
-<author title="Author">
- <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the ldap module is responsible for defining the openldap
-domains and interactions.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/ldapdomain.png" short="General LDAP domain overview"
-caption="General LDAP domain overview" />
-
-<p>
-The <c>slapd</c> daemon runs within the <c>slapd_t</c> domain and can only be
-transitioned towards through the <c>sysadm_t</c> (general system administrative
-domain) or <c>initrc_t</c> (init script launched) domains.
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>ldap</c>
-module.
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Function</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>slapd_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Executable entry point for the slapd daemon binaries</ti>
-</tr>
-<tr>
- <ti>slapd_etc_t</ti>
- <ti>Configuration</ti>
- <ti>Label for OpenLDAP configuration files</ti>
-</tr>
-<tr>
- <ti>slapd_cert_t</ti>
- <ti>Configuration</ti>
- <ti>Label for certificate keystores used by OpenLDAP</ti>
-</tr>
-<tr>
- <ti>slapd_db_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the OpenLDAP database files (backend content)</ti>
-</tr>
-<tr>
- <ti>slapd_replog_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the slurpd replication log location</ti>
-</tr>
-<tr>
- <ti>slapd_lock_t</ti>
- <ti></ti>
- <ti>Label for the lock files (runtime)</ti>
-</tr>
-<tr>
- <ti>slapd_tmp_t</ti>
- <ti></ti>
- <ti>Label for the temporary files</ti>
-</tr>
-<tr>
- <ti>slapd_var_run_t</ti>
- <ti></ti>
- <ti>Label for the runtime variable data</ti>
-</tr>
-<tr>
- <ti>slapd_initrc_exec_t</ti>
- <ti></ti>
- <ti>Label for non-Gentoo init script</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-</guide>
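Review bot: the file-type table being dropped here has classification errors that should not be copied verbatim into the wiki. slapd_db_t (backend database content) and slapd_replog_t (replication log) are listed under Function as "Configuration", while slapd_lock_t, slapd_tmp_t, slapd_var_run_t and slapd_initrc_exec_t have an empty Function cell; "Data", "Log", "Runtime" and "Entrypoint" respectively would match the Description column. The domain paragraph (slapd_t reachable only from sysadm_t or initrc_t) is the part worth preserving as-is, since it states the transition surface an administrator needs to know when the daemon is started outside the init script. The $Header line also still points at hardened-debugging.xml, a leftover from copying the template.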
diff --git a/xml/selinux/modules/portage.xml b/xml/selinux/modules/portage.xml
deleted file mode 100644
index 293b8b0..0000000
--- a/xml/selinux/modules/portage.xml
+++ /dev/null
@@ -1,325 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/portage.xml" lang="en">
-<title>SELinux Portage Module</title>
-<author title="Author">
- <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the portage module is responsible for defining the
-Gentoo-related domains and privileges, including those for the Portage package
-manager, Gentoo-specific file system locations and the command-line wrappers.
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>4</version>
-<date>2011-07-21</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/portagedomain.png" short="General Portage domain overview"
-caption="General Portage domain overview" />
-
-<p>
-The <c>portage</c> module provides the following domains:
-</p>
-
-<table>
-<tr>
- <th>Domain</th>
- <th>Process(es)</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>portage_t</ti>
- <ti>emerge, ebuild, quickpkg, ebuild.sh, regenworld, sandbox</ti>
- <ti>Gentoo's package manager domain</ti>
-</tr>
-<tr>
- <ti>portage_sandbox_t</ti>
- <ti>sandbox</ti>
- <ti>Portage compile sandbox domain</ti>
-</tr>
-<tr>
- <ti>portage_fetch_t</ti>
- <ti>rsync</ti>
- <ti>
- Domain responsible for fetching ebuilds and sources and storing them on
- the system
- </ti>
-</tr>
-<tr>
- <ti>gcc_config_t</ti>
- <ti>gcc-config</ti>
- <ti>Domain for the gcc-config wrapper</ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>portage</c>
-module.
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>portage_exec_t</ti>
- <ti>
- Entrypoints for the portage and protage-related domains. Used for binaries
- or scripts such as sandbox, emerge, ...
- </ti>
-</tr>
-<tr>
- <ti>gcc_config_exec_t</ti>
- <ti>
- Entrypoints for the gcc-config wrapper domain
- </ti>
-</tr>
-<tr>
- <ti>portage_ebuild_t</ti>
- <ti>
- Type assigned to the ebuild files and directories
- </ti>
-</tr>
-<tr>
- <ti>portage_srcrepo_t</ti>
- <ti>
- Type assigned to the live repository pulls (git, svn, cvs, ...) used by live
- ebuilds
- </ti>
-</tr>
-<tr>
- <ti>portage_fetch_tmp_t</ti>
- <ti>
- Type used by the portage_fetch_t domain when storing files in a temporary
- location
- </ti>
-</tr>
-<tr>
- <ti>portage_db_t</ti>
- <ti>
- Type used by Portage' data files
- </ti>
-</tr>
-<tr>
- <ti>portage_conf_t</ti>
- <ti>
- Type used by Portage' configuration files
- </ti>
-</tr>
-<tr>
- <ti>portage_cache_t</ti>
- <ti>
- Type used for the Portage cache
- </ti>
-</tr>
-<tr>
- <ti>portage_log_t</ti>
- <ti>
- Type used by Portage for its log files
- </ti>
-</tr>
-<tr>
- <ti>portage_tmp_t<br />portage_tmpfs_t</ti>
- <ti>
- Type used by Portage for temporary files
- </ti>
-</tr>
-</table>
-
-</body>
-</section>
-<section>
-<title>Other Types</title>
-<body>
-
-<p>
-Besides the file and file location types, the following types are also defined:
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>portage_devpts_t</ti>
- <ti>
- Type used for the terminal output device/location
- </ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-<chapter>
-<title>Using Portage</title>
-<section>
-<title>File Locations</title>
-<body>
-
-<p>
-The policy offered only contains the right file context rules for the default
-locations. If you deviate from these locations, you'll need to update the
-contexts accordingly.
-</p>
-
-<p>
-The following table provides an overview of the Portage settings (variables in
-<path>make.conf</path>) that are commonly changed by end users, and the file
-context that it should have.
-</p>
-
-<table>
-<tr>
- <th>Variable in make.conf</th>
- <th>Default Location</th>
- <th>File Context(s)</th>
-</tr>
-<tr>
- <ti>
- ${PORTDIR}
- </ti>
- <ti>
- <path>/usr/portage</path>
- </ti>
- <ti>
- system_u:object_r:portage_ebuild_t
- </ti>
-</tr>
-<tr>
- <ti>
- ${DISTDIR}/svn-src<br />
- ${DISTDIR}/git-src<br />
- ${DISTDIR}/cvs-src
- </ti>
- <ti>
- <path>/usr/portage/distfiles/svn-src</path><br />
- <path>/usr/portage/distfiles/git-src</path><br />
- <path>/usr/portage/distfiles/cvs-src</path>
- </ti>
- <ti>
- system_u:object_r:portage_srcrepo_t
- </ti>
-</tr>
-<tr>
- <ti>${PKGDIR}</ti>
- <ti>
- <path>/usr/portage/packages</path>
- </ti>
- <ti>
- system_u:object_r:portage_ebuild_t
- </ti>
-</tr>
-<tr>
- <ti>${PORT_LOGDIR}</ti>
- <ti>
- <path>/var/log/portage</path>
- </ti>
- <ti>
- system_u:object_r:portage_log_t
- </ti>
-</tr>
-<tr>
- <ti>${PORTAGE_TMPDIR}</ti>
- <ti>
- <path>/var/tmp/portage</path>
- </ti>
- <ti>
- system_u:object_r:portage_tmp_t
- </ti>
-</tr>
-</table>
-
-<p>
-If you use different locations, use the following commands to update the file
-contexts accordingly:
-</p>
-
-<pre caption="Updating file contexts">
-<comment>( Example for a different PORTDIR location, say /var/repo/portage )</comment>
-~# <i>semanage -a -t portage_ebuild_t /var/repo/portage</i>
-~# <i>restorecon -R /var/repo/portage</i>
-</pre>
-
-<p>
-Don't forget that Portage uses subdirectories with different labels (think
-distfiles or the repositories for the live ebuilds) so take care when
-relabelling locations!
-</p>
-
-<p>
-If you are using different mounts, you might need to use the
-<c>rootcontext=</c> mount option to set the initial context. If the file system
-does not suppor SELinux contexts (like NFS), you can use the <c>context=</c>
-mount option to force the context of all files on the mounted location.
-</p>
-
-</body>
-</section>
-<section>
-<title>Booleans</title>
-<body>
-
-<p>
-The Portage module within Gentoo defines three booleans, called
-<c>gentoo_try_dontaudit</c>, <c>gentoo_portage_use_nfs</c> and
-<c>gentoo_wait_requests</c>.
-</p>
-
-<p>
-When <c>gentoo_try_dontaudit</c> is enabled, the policy will hide the AVC
-denials of which the Gentoo developers believe they are harmless (cosmetic).
-If this boolean is enabled and you are experiencing permission problems, it
-is wise to first disable the boolean and see if you now get any denials that
-could explain the problem.
-</p>
-
-<p>
-When <c>gentoo_portage_use_nfs</c> is enabled, then the Portage-related
-domains will be able to manage the <c>nfs_t</c> and as such, allow for the
-Portage tree and other locations to be NFS-mounted without correcting their
-label (which is still supported when using the <c>context=</c> mount option).
-</p>
-
-<p>
-When <c>gentoo_wait_requests</c> is enabled, then policy rules that are
-introduced to get things working, but which are temporary until the upstream
-project enhances its application (and a bug report is opened for it), are
-active. Disabling this boolean is only recommended if you are running the
-system with the proper patches and is more used for development traceability.
-</p>
-
-<p>
-To switch booleans, use <c>setsebool</c> or <c>togglesebool</c>.
-</p>
-
-<pre caption="Enabling the gentoo_try_dontaudit boolean">
-<comment>( With the -P flag, the boolean state is persisted across reboots)</comment>
-~# <i>setsebool -P gentoo_try_dontaudit on</i>
-</pre>
-
-</body>
-</section>
-</chapter>
-</guide>
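Review bot: the "Updating file contexts" example carries a command error that must be fixed during migration rather than carried over. `semanage -a -t portage_ebuild_t /var/repo/portage` is missing the object subcommand and a path regex, so it fails outright and, even corrected, would only label the top directory; the working form is `semanage fcontext -a -t portage_ebuild_t "/var/repo/portage(/.*)?"` followed by `restorecon -R /var/repo/portage`. The same section warns (correctly) that subdirectories such as distfiles/git-src carry a different label (portage_srcrepo_t), so a migrated example should add the srcrepo rule before running restorecon, otherwise the relabel silently flattens those directories to portage_ebuild_t. Minor: "protage-related" and "suppor" are typos, and "Portage' data files" should be "Portage's".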
diff --git a/xml/selinux/modules/ssh.xml b/xml/selinux/modules/ssh.xml
deleted file mode 100644
index 20edf7a..0000000
--- a/xml/selinux/modules/ssh.xml
+++ /dev/null
@@ -1,102 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardened-debugging.xml,v 1.1 2010/11/25 20:25:59 zorry Exp $ -->
-
-<guide link="/proj/en/hardened/selinux/modules/ssh.xml" disclaimer="draft" lang="en">
-<title>SELinux SSH Module</title>
-<author title="Author">
- <mail link="sven.vermeulen@siphos.be">Sven Vermeulen</mail>
-</author>
-
-<abstract>
-Within SELinux, the SSH module is responsible for defining what openssh can do
-</abstract>
-
-<!-- The content of this document is licensed under the CC-BY-SA license -->
-<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
-<license/>
-
-<version>1</version>
-<date>2011-07-09</date>
-
-<chapter>
-<title>Structure</title>
-<section>
-<title>Domains</title>
-<body>
-
-<figure link="./images/sshdomain.png" short="General SSH domain overview"
-caption="General SSH domain overview" />
-
-<p>
-The...
-</p>
-
-</body>
-</section>
-<section>
-<title>File Types/Labels</title>
-<body>
-
-<p>
-The following table lists the file type/labels defined in the <c>ldap</c>
-module.
-</p>
-
-<table>
-<tr>
- <th>Type</th>
- <th>Function</th>
- <th>Description</th>
-</tr>
-<tr>
- <ti>slapd_exec_t</ti>
- <ti>Entrypoint</ti>
- <ti>Executable entry point for the slapd daemon binaries</ti>
-</tr>
-<tr>
- <ti>slapd_etc_t</ti>
- <ti>Configuration</ti>
- <ti>Label for OpenLDAP configuration files</ti>
-</tr>
-<tr>
- <ti>slapd_cert_t</ti>
- <ti>Configuration</ti>
- <ti>Label for certificate keystores used by OpenLDAP</ti>
-</tr>
-<tr>
- <ti>slapd_db_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the OpenLDAP database files (backend content)</ti>
-</tr>
-<tr>
- <ti>slapd_replog_t</ti>
- <ti>Configuration</ti>
- <ti>Label for the slurpd replication log location</ti>
-</tr>
-<tr>
- <ti>slapd_lock_t</ti>
- <ti></ti>
- <ti>Label for the lock files (runtime)</ti>
-</tr>
-<tr>
- <ti>slapd_tmp_t</ti>
- <ti></ti>
- <ti>Label for the temporary files</ti>
-</tr>
-<tr>
- <ti>slapd_var_run_t</ti>
- <ti></ti>
- <ti>Label for the runtime variable data</ti>
-</tr>
-<tr>
- <ti>slapd_initrc_exec_t</ti>
- <ti></ti>
- <ti>Label for non-Gentoo init script</ti>
-</tr>
-</table>
-
-</body>
-</section>
-</chapter>
-</guide>
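Review bot: deleting this draft loses no SSH documentation, so it is safe to drop without migrating. The Domains body is the placeholder "The...", and the File Types/Labels section is a verbatim copy of the ldap.xml table (it still says "defined in the <c>ldap</c> module" and lists only slapd_* types), so nothing here describes sshd_t, ssh_t or their labels. If the wiki is to get an SSH module page, it needs to be written from the actual policy rather than from this file; a note to that effect in the commit message would save the next person from looking for it in history.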