author Sven Vermeulen <sven.vermeulen@siphos.be> 2012-05-26 21:26:06 +0200
committer Sven Vermeulen <sven.vermeulen@siphos.be> 2012-05-26 21:26:06 +0200
commit de478754690a9ed707d8bc557b29b79c0efa242b (patch)
tree 9f418ea7e7752f652b39dd25907ee75c09e5d76c
parent Attempt to document changes since installation for SELinux users (diff)
download hardened-docs-de478754690a9ed707d8bc557b29b79c0efa242b.tar.gz
hardened-docs-de478754690a9ed707d8bc557b29b79c0efa242b.tar.bz2
hardened-docs-de478754690a9ed707d8bc557b29b79c0efa242b.zip
Update previews
-rw-r--r-- html/roadmap.html | 9
-rw-r--r-- html/selinux-changes.html | 157
-rw-r--r-- html/selinux-faq.html | 785
-rw-r--r-- html/selinux/hb-intro-concepts.html | 784
-rw-r--r-- html/selinux/hb-intro-enhancingsecurity.html | 219
-rw-r--r-- html/selinux/hb-intro-referencepolicy.html | 242
-rw-r--r-- html/selinux/hb-intro-resources.html | 97
-rw-r--r-- html/selinux/hb-intro-virtualization.html | 42
-rw-r--r-- html/selinux/hb-using-commands.html | 452
-rw-r--r-- html/selinux/hb-using-configuring.html | 919
-rw-r--r-- html/selinux/hb-using-install.html | 632
-rw-r--r-- html/selinux/hb-using-policies.html | 359
-rw-r--r-- html/selinux/hb-using-states.html | 299
-rw-r--r-- html/selinux/hb-using-troubleshoot.html | 310
-rw-r--r-- html/selinux/index.html | 216
-rw-r--r-- html/selinux/selinux-handbook.html | 168
-rw-r--r-- pdf/selinux-handbook.pdf | bin 302235 -> 0 bytes
17 files changed, 158 insertions, 5532 deletions
diff --git a/html/roadmap.html b/html/roadmap.html
index e35467e..c912578 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -270,13 +270,6 @@ of the packages and standard policies.
<td class="infohead"><b>Related Bugs</b></td>
</tr>
<tr>
- <td class="tableinfo">Stabilize 20120215 policies</td>
- <td class="tableinfo">2012-04-30</td>
- <td class="tableinfo"></td>
- <td class="tableinfo">SwifT</td>
- <td class="tableinfo"></td>
-</tr>
-<tr>
<td class="tableinfo">Have SELinux-enabled stage3 available on the mirrors</td>
<td class="tableinfo">2012-06-31</td>
<td class="tableinfo"></td>
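Review bot: the context line `<td class="tableinfo">2012-06-31</td>` for the "Have SELinux-enabled stage3 available on the mirrors" row carries an impossible date (June has 30 days); since this hunk already edits the table, fix the target date (e.g. `2012-06-30`) in the same change. Deleting the "Stabilize 20120215 policies" row outright also removes the record that the milestone was reached; the selinux-changes.html page added in this same patch refers to the "newly stabilized 2.20120215 policies", so marking the row as done would keep the roadmap and the change overview consistent.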
@@ -288,7 +281,7 @@ of the packages and standard policies.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Page updated April 5, 2012</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated May 26, 2012</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
A roadmap that plots current needs and goals of the
Hardened Gentoo project.
diff --git a/html/selinux-changes.html b/html/selinux-changes.html
new file mode 100644
index 0000000..bcd9f9b
--- /dev/null
+++ b/html/selinux-changes.html
@@ -0,0 +1,157 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo Hardened SELinux Change Overview</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo Hardened SELinux Change Overview</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Introduction</option>
+<option value="#doc_chap2">2. Overview of Changes for Stable Users</option>
+<option value="#doc_chap3">3. Overview of Changes for ~Arch Users</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Introduction</p>
+<p class="secthead"><a name="doc_chap1_sect1">About this document</a></p>
+<p>
+This document will give an overview of all SELinux documented changes made
+on particular dates and that might be important for users to follow up through.
+</p>
+<p>
+Changes that only affect ~arch users will be documented below and moved up when
+they are stabilized. It is possible though that these changes will be "fixed"
+automatically and as such removed from this page.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Overview of Changes for Stable Users</p>
+<p class="secthead"><a name="doc_chap2_sect1">2012/05/26 - Support of initramfs</a></p>
+<p>
+Users who boot with an initramfs will need to boot in permissive mode first, and
+later on switch to enforcing mode. This can be done automatically using an
+init script, as documented at <a href="selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap5">Initramfs
+users</a>.
+</p>
+<p class="secthead"><a name="doc_chap2_sect2">2012/05/26 - Support for graphical login managers</a></p>
+<p>
+Users who boot into a graphical environment (such as through GDM) will need to
+edit their PAM configuration files accordingly to support SELinux security
+context settings. This is documented at <a href="selinux/selinux-handbook.xml?part=2&amp;chap=2#doc_chap3">Users
+of a graphical environment</a>.
+</p>
+<p class="secthead"><a name="doc_chap2_sect3">2012/05/18 - No more sandbox configuration needed</a></p>
+<p>
+The previously documented editing of <span class="path" dir="ltr">/etc/sandbox.conf</span> to open
+write access to <span class="path" dir="ltr">/sys/fs/selinux/context</span> can be removed as the
+SELinux profile does this now automatically.
+</p>
+<p class="secthead"><a name="doc_chap2_sect4">2012/04/29 - Edit of lvm-start/stop scripts no longer needed</a></p>
+<p>
+When users install the newly stabilized 2.20120215 policies, the documented
+editing of <span class="path" dir="ltr">/lib/rcscripts/addons/lvm-st*.sh</span> is no longer needed.
+</p>
+<p class="secthead"><a name="doc_chap2_sect5">2012/02/21 - /dev mount line in fstab no longer needed</a></p>
+<p>
+The previously documented /dev mount line in <span class="path" dir="ltr">/etc/fstab</span> is no
+longer needed as <span class="path" dir="ltr">util-linux-2.20.1-r1</span> has been marked stable (which
+contains the correct bug fix).
+</p>
+<p class="secthead"><a name="doc_chap2_sect6">2011/12/10 - Deprecation of selinux/v2refpolicy/* profiles</a></p>
+<p>
+The old SELinux profiles (starting with <span class="code" dir="ltr">selinux/v2refpolicy</span>) are not
+supported anymore. Users are strongly encouraged to switch to the new profiles
+(those ending with <span class="code" dir="ltr">/selinux</span>).
+</p>
+<p class="secthead"><a name="doc_chap2_sect7">2011/07/22 - Introduction of MLS/MCS support</a></p>
+<p>
+We now support MLS and MCS, right next to targeted and strict SELinux policy
+types. When using MLS or MCS, you will need to update the <span class="path" dir="ltr">/tmp</span>
+entry in your <span class="path" dir="ltr">/etc/fstab</span> to use
+<span class="code" dir="ltr">rootcontext=system_u:object_r:tmp_t:s0</span> (note the trailing <span class="code" dir="ltr">:s0</span>).
+</p>
+<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Overview of Changes for ~Arch Users</p>
+<p class="secthead"><a name="doc_chap3_sect1">2012/05/26 - Definition of /run in fstab</a></p>
+<p>
+Users that have a <span class="path" dir="ltr">/run</span> location will need to mark this location in their
+<span class="path" dir="ltr">/etc/fstab</span> to make sure it gets mounted with the right SELinux
+context.
+</p>
+<p>
+For users of the <span class="code" dir="ltr">strict</span> and <span class="code" dir="ltr">targeted</span> SELinux policy types:
+</p>
+<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: /etc/fstab setting for strict or targeted</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
+</pre></td></tr>
+</table>
+<p>
+For other policy types users:
+</p>
+<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: /etc/fstab setting for other policy type users</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0
+</pre></td></tr>
+</table>
+<br><p class="copyright">
+ The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="sven.vermeulen@siphos.be?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated May 26, 2012</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+As Gentoo is a rolling-release distribution, sometimes changes are being
+introduced which are documented in the main installation instructions but should
+be known by regular users as well. Not all of these changes are sufficiently
+intrusive to be set in a Gentoo news item. This document will contain an
+overview of all changes made in chronological order.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
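Review bot: the printer-friendly link `<a title="View a printer-friendly version" class="altlink" href="sven.vermeulen@siphos.be?style=printable">Print</a>` points at the author's e-mail address instead of the source document and will 404; the roadmap page in this same patch uses `href="roadmap.xml?style=printable"`, so this should be `selinux-changes.xml?style=printable` (the generator seems to have substituted the wrong field). Minor: inside the commented RDF licence block, `<license rdf:about=...>` is closed by `</License>`, a case mismatch that makes the embedded RDF ill-formed for any tool that extracts and parses it.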
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
deleted file mode 100644
index 29c7826..0000000
--- a/html/selinux-faq.html
+++ /dev/null
@@ -1,785 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Documentation
---
- Gentoo Hardened SELinux Frequently Asked Questions</title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<br><h1>Gentoo Hardened SELinux Frequently Asked Questions</h1>
-<form name="contents" action="http://www.gentoo.org">
-<b>Content</b>:
- <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Questions</option>
-<option value="#doc_chap2">2. General SELinux Support Questions</option>
-<option value="#doc_chap3">3. Using SELinux</option>
-<option value="#doc_chap4">4. SELinux Kernel Error Messages</option>
-<option value="#doc_chap5">5. SELinux and Gentoo</option></select>
-</form>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Questions</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Using SELinux requires administrators a more thorough knowledge of their
-system and a good idea on how processes should behave. Next to the <a href="selinux/selinux-handbook.html">Gentoo Hardened SELinux
-handbook</a>, a proper FAQ allows us to inform and help users in their
-day-to-day SELinux experience.
-</p>
-<p>
-The FAQ is an aggregation of solutions found on IRC, mailinglists, forums
-and elsewhere. It focuses on SELinux integration on Gentoo Hardened, but
-general SELinux questions that are popping up regularly will be incorporated
-as well.
-</p>
-<p class="secthead">General SELinux Support Questions</p>
-<ul>
-<li><a href="#features">Does SELinux enforce resource limits?</a></li>
-<li><a href="#grsecurity">Can I use SELinux with grsecurity (and PaX)?</a></li>
-<li><a href="#pie-ssp">Can I use SELinux and the hardened compiler (with PIE-SSP)?</a></li>
-<li><a href="#rsbac">Can I use SELinux and RSBAC?</a></li>
-<li><a href="#filesystem">Can I use SELinux with any file system?</a></li>
-<li><a href="#nomultilib">Can I use SELinux with AMD64 no-multilib?</a></li>
-<li><a href="#ubac">What is UBAC exactly?</a></li>
-</ul>
-<p class="secthead">Using SELinux</p>
-<ul>
-<li><a href="#enable_selinux">How do I enable SELinux?</a></li>
-<li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li>
-<li><a href="#disable_selinux">How do I disable SELinux completely?</a></li>
-<li><a href="#matchcontext">How do I know which file context rule is used for a particular file?</a></li>
-<li><a href="#localpolicy">How do I make small changes (additions) to the policy?</a></li>
-</ul>
-<p class="secthead">SELinux Kernel Error Messages</p>
-<ul>
-<li><a href="#register_security">I get a register_security error message when booting</a></li>
-<li><a href="#permission_not_defined">I get a 'Permission ... in class ... not defined' message during booting</a></li>
-</ul>
-<p class="secthead">SELinux and Gentoo</p>
-<ul>
-<li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li>
-<li><a href="#loadpolicy">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></li>
-<li><a href="#conflicting_types">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></li>
-<li><a href="#portage_libsandbox">During package installation, ld.so complains 'object 'libsandbox.so'
-from LD_PRELOAD cannot be preloaded: ignored'</a></li>
-<li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li>
-<li><a href="#cronfails">Cron fails to load in root's crontab with message '(root) ENTRYPOINT
-FAILED (crontabs/root)'</a></li>
-<li><a href="#missingdatum">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></li>
-<li><a href="#recoverportage">Portage fails to label files because "setfiles" does not work anymore</a></li>
-<li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li>
-<li><a href="#auth-run_init">Why do I always need to re-authenticate when operating init scripts?</a></li>
-<li><a href="#initramfs">How do I use SELinux with initramfs?</a></li>
-<li><a href="#xdm">Logons through xdm (or similar) fail</a></li>
-</ul>
-<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
- </span>General SELinux Support Questions</p>
-<p class="secthead"><a name="features"></a><a name="doc_chap2_sect1">Does SELinux enforce resource limits?</a></p>
-<p>
-No, resource limits are outside the scope of an access control system. If you
-are looking for this type of support, take a look at technologies like
-grsecurity, cgroups, pam and the like.
-</p>
-<p class="secthead"><a name="grsecurity"></a><a name="doc_chap2_sect2">Can I use SELinux with grsecurity (and PaX)?</a></p>
-<p>
-Definitely, we even recommend it. However, it is suggested that grsecurity's
-ACL support is not used as it would be redundant to SELinux's access control.
-</p>
-<p class="secthead"><a name="pie-ssp"></a><a name="doc_chap2_sect3">Can I use SELinux and the hardened compiler (with PIE-SSP)?</a></p>
-<p>
-Definitely. We also suggest to use PaX to take full advantage of the PIE
-features of the compiler.
-</p>
-<p class="secthead"><a name="rsbac"></a><a name="doc_chap2_sect4">Can I use SELinux and RSBAC?</a></p>
-<p>
-Yes, SELinux and RSBAC can be used together, but it is not recommended.
-Both frameworks (RSBAC and the SELinux implementation on top of Linux' Linux
-Security Modules framework) have a slight impact on system performance.
-Enabling them both only hinders performance more, for little added value since
-they both offer similar functionality.
-</p>
-<p>
-In most cases, it makes more sense to use RSBAC without SELinux, or SELinux
-without RSBAC.
-</p>
-<p class="secthead"><a name="filesystem"></a><a name="doc_chap2_sect5">Can I use SELinux with any file system?</a></p>
-<p>
-SELinux requires access to a file's security context to operate properly.
-To do so, SELinux uses <span class="emphasis">extended file attributes</span> which needs to be
-properly supported by the underlying file system. If the file system supports
-extended file attributes and you have configured your kernel to enable this
-support, then SELinux will work on those file systems.
-</p>
-<p>
-General Linux file systems, such as ext2, ext3, ext4, jfs, xfs and btrfs
-support extended attributes (but don't forget to enable it in the kernel
-configuration) as well as tmpfs (for instance used by udev). If your file
-system collection is limited to this set, then you should have no issues.
-</p>
-<p>
-Ancillary file systems such as vfat and iso9660 are supported too, but with
-an important caveat: all files in each file system will have the same SELinux
-security context information since these file systems do not support extended
-file attributes.
-</p>
-<p>
-Network file systems can be supported in the same manner as ancillary file
-systems (all files share the same security context). However, some development
-has been made in supported extended file attributes on the more popular file
-systems such as NFS. Although this is far from production-ready, it does look
-like we will eventually support these file systems on SELinux fully as well.
-</p>
-<p class="secthead"><a name="nomultilib"></a><a name="doc_chap2_sect6">Can I use SELinux with AMD64 no-multilib?</a></p>
-<p>
-Yes, just use the <span class="path" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span> profile
-and you're all set.
-</p>
-<p class="secthead"><a name="ubac"></a><a name="doc_chap2_sect7">What is UBAC exactly?</a></p>
-<p>
-UBAC, or <span class="emphasis">User Based Access Control</span>, introduces additional constraints
-when using SELinux policy. Participating domains / types that are <span class="emphasis">both</span>
-marked as a <span class="code" dir="ltr">ubac_constrained_type</span> (which is an attribute) will only
-have the allowed privileges in effect if they both run with the same SELinux
-user context.
-</p>
-<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Domains and their SELinux user context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># The SELinux allow rule</span>
-allow foo_t bar_t:file { read };
-
-<span class="code-comment"># This will succeed:</span>
-staff_u:staff_r:foo_t reads file with type staff_u:object_r:bar_t
-
-<span class="code-comment"># This will be prohibited:</span>
-user_u:user_r:foo_t reads file with type staff_u:object_r:bar_t
-</pre></td></tr>
-</table>
-<p>
-Of course, this is not always the case. Besides the earlier mentioned
-requirement that both types are <span class="code" dir="ltr">ubac_constrained_type</span>, if the source
-domain is <span class="code" dir="ltr">sysadm_t</span>, then the constraint will not be in effect (the
-<span class="code" dir="ltr">sysadm_t</span> domain is exempt from UBAC constraints). Also, if the source
-or destination SELinux user is <span class="code" dir="ltr">system_u</span> then the constraint will also
-not be in effect.
-</p>
-<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
- </span>Using SELinux</p>
-<p class="secthead"><a name="enable_selinux"></a><a name="doc_chap3_sect1">How do I enable SELinux?</a></p>
-<p>
-This is explained in the <a href="selinux/selinux-handbook.html">SELinux Handbook</a>
-in the chapter on <span class="emphasis">Using Gentoo/Hardened SELinux</span>.
-</p>
-<p class="secthead"><a name="switch_status"></a><a name="doc_chap3_sect2">How do I switch between permissive and enforcing?</a></p>
-<p>
-The easiest way is to use the <span class="code" dir="ltr">setenforce</span> command. With <span class="code" dir="ltr">setenforce
-0</span> you tell SELinux to run in permissive mode. Similarly, with
-<span class="code" dir="ltr">setenforce 1</span> you tell SELinux to run in enforcing mode.
-</p>
-<p>
-You can also add a kernel option <span class="code" dir="ltr">enforcing=0</span> or <span class="code" dir="ltr">enforcing=1</span>
-in the bootloader configuration (or during the startup routine of the system).
-This allows you to run SELinux in permissive or enforcing mode from the start
-of the system.
-</p>
-<p>
-The default state of the system is kept in <span class="path" dir="ltr">/etc/selinux/config</span>.
-</p>
-<p class="secthead"><a name="disable_selinux"></a><a name="doc_chap3_sect3">How do I disable SELinux completely?</a></p>
-<p>
-It might be possible that running SELinux in permissive mode is not sufficient
-to properly fix any issue you have. To disable SELinux completely, you need to
-edit <span class="path" dir="ltr">/etc/selinux/config</span> and set <span class="code" dir="ltr">SELINUX=disabled</span>. Next,
-reboot your system.
-</p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
-When you have been running your system with SELinux disabled, you must boot
-in permissive mode first and relabel your entire file system. Activities ran
-while SELinux was disabled might have created new files or removed the labels
-from existing files, causing these files to be available without security
-context.
-</p></td></tr></table>
-<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">How do I know which file context rule is used for a particular file?</a></p>
-<p>
-If you use the <span class="code" dir="ltr">matchpathcon</span> command, it will tell you what the security
-context for the given path (file or directory) should be, but it doesn't tell
-you which rule it used to deduce this. To do that, you can use <span class="code" dir="ltr">findcon</span>:
-</p>
-<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: Using findcon</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">findcon /etc/selinux/strict/contexts/files/file_contexts -p /lib64/rc/init.d</span>
-/.* system_u:object_r:default_t
-/lib64/rc/init\.d(/.*)? system_u:object_r:initrc_state_t
-/lib64/.* system_u:object_r:lib_t
-</pre></td></tr>
-</table>
-<p>
-When the SELinux utilities try to apply a context, they try to match the rule
-that is the most specific, so in the above case, it is the one that leads to the
-initrc_state_t context.
-</p>
-<p>
-The most specific means, in order of tests:
-</p>
-<ol>
- <li>
- If line A has a regular expression, and line B doesn't, then line B is more
- specific.
- </li>
- <li>
- If the number of characters before the first regular expression in line A is
- less than the number of characters before the first regular expression in
- line B, then line B is more specific
- </li>
- <li>
- If the number of characters in line A is less than in line B, then line B is
- more specific
- </li>
- <li>
- If line A does not map to a specific SELinux type, and line B does, then
- line B is more specific
- </li>
-</ol>
-<p>
-However, when you add your own file contexts (using <span class="code" dir="ltr">semanage</span>), this does
-not apply. Instead, tools like <span class="code" dir="ltr">restorecon</span> will take the <span class="emphasis">last</span> hit
-within the locally added file contexts! You can check the content of the
-locally added rules in <span class="path" dir="ltr">/etc/selinux/strict/contexts/files/file_contexts.local</span>
-(substitute <span class="path" dir="ltr">strict</span> with your SELinux type).
-</p>
-<p class="secthead"><a name="localpolicy"></a><a name="doc_chap3_sect5">How do I make small changes (additions) to the policy?</a></p>
-<p>
-If you are interested in the Gentoo Hardened SELinux development itself, please
-have a look at the <a href="selinux-development.html">SELinux
-Development Guide</a> and other documentation linked from the <a href="selinux/index.html">SELinux project page</a>.
-</p>
-<p>
-However, you will eventually need to keep some changes on your policy, due to
-how you have configured your system or when you need to allow something that is
-not going to be accepted as a distribution-wide policy change. In that case,
-read on.
-</p>
-<p>
-Updates on the policy are only possible as long as you need to <span class="emphasis">allow</span>
-additional privileges. It is not possible to remove rules from the policy, only
-enhance it. To maintain your own set of additional rules, create a file in which
-you will keep your changes. In the next example, I will use the term
-<span class="path" dir="ltr">fixlocal</span>, substitute with whatever name you like - but keep it
-consistent. In the file (<span class="path" dir="ltr">fixlocal.te</span>) put in the following text
-(again, substitute <span class="path" dir="ltr">fixlocal</span> with your chosen name):
-</p>
-<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: fixlocal.te content</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-policy_module(fixlocal, 1.0)
-
-require {
-<span class="code-comment"># Declarations of types, classes and permissions used</span>
-
-}
-
-<span class="code-comment"># Declaration of policy rules</span>
-</pre></td></tr>
-</table>
-<p>
-In this file, you can add rules as you like. In the next example, we add three
-rules:
-</p>
-<ol>
- <li>
- Allow <span class="code" dir="ltr">mozilla_t</span> the <span class="code" dir="ltr">execmem</span> privilege (based on a denial that
- occurs when mozilla fails to start)
- </li>
- <li>
- Allow <span class="code" dir="ltr">ssh_t</span> to connect to any port rather than just the SSH port
- </li>
- <li>
- Allows the <span class="code" dir="ltr">user_t</span> domain to send messages directly to the system
- logger
- </li>
-</ol>
-<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: fixlocal.te content</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-policy_module(fixlocal, 1.0)
-
-require {
- type mozilla_t;
- type ssh_t;
- type user_t;
-
- class process { execmem };
-}
-
-<span class="code-comment"># Grant mozilla the execmem privilege</span>
-allow mozilla_t self:process { execmem };
-
-<span class="code-comment"># Allow SSH client to connect to any port (as provided by the user through the
-# "ssh -p &lt;portnum&gt; ..." command)</span>
-corenet_tcp_connect_all_ports(ssh_t)
-
-<span class="code-comment"># Allow the user_t domain to send messages to the system logger</span>
-logging_send_syslog_msg(user_t)
-</pre></td></tr>
-</table>
-<p>
-If you need to provide raw allow statements (like the one above for the
-<span class="code" dir="ltr">mozilla_t</span> domain), make sure that the type (<span class="code" dir="ltr">mozilla_t</span>),
-class (<span class="code" dir="ltr">process</span>) and privilege (<span class="code" dir="ltr">execmem</span>) are mentioned in
-the <span class="code" dir="ltr">require { ... }</span> paragraph.
-</p>
-<p>
-When using interface names, make sure that the types (<span class="code" dir="ltr">ssh_t</span> and
-<span class="code" dir="ltr">user_t</span>) are mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph.
-</p>
-<p>
-To find the proper interface name (like <span class="code" dir="ltr">corenet_tcp_connect_all_ports</span>
-above), you can either look for it in the <a href="http://oss.tresys.com/docs/refpolicy/api/">SELinux Reference Policy
-API</a> online or, if <span class="code" dir="ltr">sec-policy/selinux-base-policy</span> is built with the
-<span class="emphasis">doc</span> USE flag, in <span class="path" dir="ltr">/usr/share/doc/selinux-base-policy-.*/html</span>.
-Of course, you can also ask for help in <span class="code" dir="ltr">#gentoo-hardened</span> on
-irc.freenode.net, the mailinglist, forums, etc. to find the proper rules and
-statements for your case.
-</p>
-<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
- </span>SELinux Kernel Error Messages</p>
-<p class="secthead"><a name="register_security"></a><a name="doc_chap4_sect1">I get a register_security error message when booting</a></p>
-<p>
-During boot-up, the following message pops up:
-</p>
-<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: Kernel message on register_security</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-There is already a security framework initialized, register_security failed.
-Failure registering capabilities with the kernel
-selinux_register_security: Registering secondary module capability
-Capability LSM initialized
-</pre></td></tr>
-</table>
-<p>
-This is nothing to worry about (and perfectly normal).
-</p>
-<p>
-This means that the Capability LSM module couldn't register as the primary
-module, since SELinux is the primary module. The third message means that it
-registers with SELinux as a secondary module.
-</p>
-<p class="secthead"><a name="permission_not_defined"></a><a name="doc_chap4_sect2">I get a 'Permission ... in class ... not defined' message during booting</a></p>
-<p>
-During boot-up, the following message is shown:
-</p>
-<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Kernel message on undefined permission(s)</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-SELinux: 2048 avtab hash slots, 16926 rules.
-SELinux: 2048 avtab hash slots, 16926 rules.
-SELinux: 6 users, 6 roles, 1083 types, 34 bools
-SELinux: 77 classes, 16926 rules
-SELinux: Permission read_policy in class security not defined in policy.
-SELinux: Permission audit_access in class file not defined in policy.
-SELinux: Permission audit_access in class dir not defined in policy.
-SELinux: Permission execmod in class dir not defined in policy.
-...
-SELinux: the above unknown classes and permissions will be denied
-SELinux: Completing initialization.
-</pre></td></tr>
-</table>
-<p>
-This means that the Linux kernel that you are booting supports permissions that
-are not defined in the policy (as offered through the
-<span class="code" dir="ltr">sec-policy/selinux-base-policy</span> package). If you do not notice any errors
-during regular operations, then this can be ignored (the permissions will be
-made part of upcoming policy definitions).
-</p>
-<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
- </span>SELinux and Gentoo</p>
-<p class="secthead"><a name="no_module"></a><a name="doc_chap5_sect1">I get a missing SELinux module error when using emerge</a></p>
-<p>
-When trying to use <span class="code" dir="ltr">emerge</span>, the following error message is displayed:
-</p>
-<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Error message from emerge on the SELinux module</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-!!! SELinux module not found. Please verify that it was installed.
-</pre></td></tr>
-</table>
-<p>
-This indicates that the portage SELinux module is missing or damaged. Recent
-Portage versions provide this module out-of-the-box, but the security contexts
-of the necessary files might be wrong on your system. Try relabelling the files
-of the portage package:
-</p>
-<a name="doc_chap5_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.2: Relabel all portage files</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">rlpkg portage</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="loadpolicy"></a><a name="doc_chap5_sect2">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></p>
-<p>
-When running emerge, the following error is shown:
-</p>
-<a name="doc_chap5_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.3: Emerge error on loadpolicy</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-FEATURES variable contains unknown value(s): loadpolicy
-</pre></td></tr>
-</table>
-<p>
-This is a remnant of the older SELinux policy module set where policy packages
-might require this FEATURE to be available. This has however since long been
-removed from the tree.
-</p>
-<p>
-Please update your profile to a recent SELinux profile (one ending with
-<span class="path" dir="ltr">/selinux</span>) and make sure that <span class="path" dir="ltr">/etc/make.conf</span> does not
-have <span class="code" dir="ltr">FEATURES="loadpolicy"</span> set.
-</p>
-<p class="secthead"><a name="conflicting_types"></a><a name="doc_chap5_sect3">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></p>
-<p>
-When trying to relabel a package (<span class="code" dir="ltr">rlpkg packagename</span>) or system (<span class="code" dir="ltr">rlpkg
--a -r</span>) you get a message similar to the following:
-</p>
-<a name="doc_chap5_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.4: rlpkg complaining about conflicting specifications</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-filespec_add: conflicting specifications for /usr/bin/getconf and
-/usr/lib64/misc/glibc/getconf/XBS5_LP64_OFF64, using
-system_u:object_r:lib_t
-</pre></td></tr>
-</table>
-<p>
-This is most likely caused by hard linked files. Remember, SELinux uses the
-extended attributes in the file system to store the security context of a file.
-If two separate paths point to the same file using hard links (i.e. the files
-share the same inode) then both files will have the same security context.
-</p>
-<p>
-The solution depends on the particular case; in order of most likely to happen
-and resolve:
-</p>
-<ol>
- <li>
- Although both files are the same, they are not used in the same context.
- In such cases, it is recommended to remove one of the files and then copy
- the other file back to the first (<span class="code" dir="ltr">rm B; cp A B</span>). This way, both
- files have different inodes and can be labelled accordingly.
- </li>
- <li>
- Both files are used for the same purpose; in this case, it might be better
- to label the file which would not be labelled correctly (say a binary
- somewhere in a <span class="path" dir="ltr">/usr/lib64</span> location) using <span class="code" dir="ltr">semanage</span>
- (<span class="code" dir="ltr">semanage fcontext -a -t correct_domain_t /usr/lib64/path/to/file</span>)
- </li>
-</ol>
-<p>
-It is also not a bad idea to report (after verifying if it hasn't been reported
-first) this on <a href="https://bugs.gentoo.org">Gentoo's bugzilla</a> so
-that the default policies are updated accordingly.
-</p>
-<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">During package installation, ld.so complains 'object 'libsandbox.so'
-from LD_PRELOAD cannot be preloaded: ignored'</a></p>
-<p>
-During installation of a package, you might see the following error message:
-</p>
-<a name="doc_chap5_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.5: Error message during package installation</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-&gt;&gt; Installing (1 of 1) net-dns/host-991529
-&gt;&gt;&gt; Setting SELinux security labels
-ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
-</pre></td></tr>
-</table>
-<p>
-This message should <span class="emphasis">only</span> occur after the <span class="emphasis">Setting SELinux security
-labels</span> message. It happens because SELinux tells glibc to disable
-<span class="code" dir="ltr">LD_PRELOAD</span> (and other environment variables that are considered
-potentially harmful) during domain transitions. Here, portage calls the
-<span class="code" dir="ltr">setfiles</span> command (part of a SELinux installation) and as such
-transitions from portage_t to setfiles_t, which clears the environment
-variable.
-</p>
-<p>
-We believe that it is safer to trust the SELinux policy here (as setfiles runs
-in its own confined domain anyhow) rather than updating the policy to allow
-transitioning between portage_t to setfiles_t without clearing these
-environment variables. Note that <span class="emphasis">libsandbox.so is not disabled during builds
-and merges</span>, only during the activity where Portage labels the files it
-just merged.
-</p>
-<p>
-So the error is in our opinion cosmetic and can be ignored (but sadly not
-hidden).
-</p>
-<p class="secthead"><a name="emergefails"></a><a name="doc_chap5_sect5">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></p>
-<p>
-This is to be expected if you are not using the <span class="code" dir="ltr">sysadm_r</span> role. Any
-Portage related activity requires that you are in the <span class="code" dir="ltr">sysadm_r</span> role. To
-transition to the role, first validate if you are currently known as
-<span class="code" dir="ltr">staff_u</span> (or, if you added your own SELinux identities, a user that has
-the permission to transition to the <span class="code" dir="ltr">sysadm_r</span> role). Then run <span class="code" dir="ltr">newrole
--r sysadm_r</span> to transition.
-</p>
-<a name="doc_chap5_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.6: Transitioning to sysadm_r</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">emerge --info</span>
-Permission denied: '/etc/make.conf'
-~$ <span class="code-input">id -Z</span>
-staff_u:staff_r:staff_t
-~$ <span class="code-input">newrole -r sysadm_r</span>
-Password: <span class="code-comment"># Enter your users' password</span>
-</pre></td></tr>
-</table>
-<p>
-This is also necessary if you logged on to your system as root but through SSH.
-The default behavior is that SSH sets the lowest role for the particular user
-when logged on. And you shouldn't allow remote root logins anyhow.
-</p>
-<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">Cron fails to load in root's crontab with message '(root) ENTRYPOINT
-FAILED (crontabs/root)'</a></p>
-<p>
-When you hit the mentioned error with a root crontab or an administrative
-users' crontab, but not with a regular users' crontab, then check the context of
-the crontab file:
-</p>
-<a name="doc_chap5_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.7: Check context of the crontab file</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">ls -Z /var/spool/cron/crontabs/root</span>
-staff_u:object_r:user_cron_spool_t /var/spool/cron/crontabs/root
-</pre></td></tr>
-</table>
-<p>
-Next, check what the default context is for the given user (in this case, root)
-when originating from the <span class="code" dir="ltr">crond_t</span> domain:
-</p>
-<a name="doc_chap5_pre8"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.8: Check default context for user root</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">getseuser root system_u:system_r:crond_t</span>
-seuser: root, level (null)
-Context 0 root:sysadm_r:cronjob_t
-Context 1 root:staff_r:cronjob_t
-</pre></td></tr>
-</table>
-<p>
-As you can see, the default context is always for the <span class="code" dir="ltr">root</span> SELinux user.
-However, the <span class="path" dir="ltr">/var/spool/cron/crontabs/root</span> file context in the
-above example is for the SELinux user staff_u. Hence, cron will not be able to
-read this file (the <span class="code" dir="ltr">user_cron_spool_t</span> type is a UBAC constrained one).
-</p>
-<p>
-To fix this, change the user of the file to root:
-</p>
-<a name="doc_chap5_pre9"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.9: Change the SELinux user of the root crontab file</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">chcon -u root /var/spool/cron/crontabs/root</span>
-</pre></td></tr>
-</table>
-<p>
-Another fix would be to disable UBAC completely. This is accomplished with
-<span class="code" dir="ltr">USE="-ubac"</span>.
-</p>
-<p class="secthead"><a name="missingdatum"></a><a name="doc_chap5_sect7">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></p>
-<p>
-When using <span class="code" dir="ltr">seinfo</span> or <span class="code" dir="ltr">sesearch</span> to query the policy on the system,
-you get errors similar to:
-</p>
-<a name="doc_chap5_pre10"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.10: Triggering the 'could not find datum' error</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">seinfo -tasterisk_t</span>
-ERROR: could not find datum for type asterisk_t
-</pre></td></tr>
-</table>
-<p>
-This is most likely because your tools are using a newer binary policy to
-enforce policy, but an older binary for querying. You can verify if this is the
-case by listing the last modification time on the files:
-</p>
-<a name="doc_chap5_pre11"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.11: Checking last modification time of the policy files</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">ls -ltr /etc/selinux/strict/policy/policy.*</span>
-</pre></td></tr>
-</table>
-<p>
-The file modified last should be the same one as returned by checking
-<span class="path" dir="ltr">/selinux/policyvers</span>:
-</p>
-<a name="doc_chap5_pre12"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.12: Checking the runtime policy version</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">cat /selinux/policyvers; echo</span>
-24
-</pre></td></tr>
-</table>
-<p>
-If this is not the case (which is very likely since you are reading this FAQ
-entry) then try forcing the utilities policy version to the correct version:
-</p>
-<a name="doc_chap5_pre13"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.13: Editing semanage.conf</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">vim /etc/selinux/semanage.conf</span>
-<span class="code-comment"># Look for and uncomment the policy-version line and set it to the right version</span>
-policy-version = <span class="code-input">24</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
-If your system is upgrading its kernel, higher version(s) can be supported. In
-this case, either unset the value again to automatically "jump" to a higher
-version, or force set it to the higher version.
-</p></td></tr></table>
-<p class="secthead"><a name="recoverportage"></a><a name="doc_chap5_sect8">Portage fails to label files because "setfiles" does not work anymore</a></p>
-<p>
-Portage uses the <span class="code" dir="ltr">setfiles</span> command to set the labels of the files it
-installs. However, that command is a dynamically linked executable, so any
-update in its depending libraries (<span class="path" dir="ltr">libselinux.so</span>,
-<span class="path" dir="ltr">libsepol.so</span>, <span class="path" dir="ltr">libaudit.so</span> and of course
-<span class="path" dir="ltr">libc.so</span>) might cause for the application to fail. Gentoo's standard
-solution (<span class="code" dir="ltr">revdep-rebuild</span>) will not work, since the tool will try to
-rebuild policycoreutils, which will fail to install because Portage cannot set
-the file labels.
-</p>
-<p>
-The solution is to rebuild policycoreutils while disabling Portage's selinux
-support, then label the installed files manually using <span class="code" dir="ltr">chcon</span>, based on
-the feedback received from <span class="code" dir="ltr">matchpathcon</span>.
-</p>
-<a name="doc_chap5_pre14"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.14: Recovering from Portage installation failures</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">FEATURES="-selinux" emerge --oneshot policycoreutils</span>
-# <span class="code-input">for FILE in $(qlist policycoreutils); do \
-CONTEXT=$(matchpathcon -n ${FILE}); chcon ${CONTEXT} ${FILE}; done</span>
-</pre></td></tr>
-</table>
-<p>
-Now Portage will function properly again, labeling files as they should.
-</p>
-<p class="secthead"><a name="nosuid"></a><a name="doc_chap5_sect9">Applications do not transition on a nosuid-mounted partition</a></p>
-<p>
-If you have file systems mounted with the <span class="code" dir="ltr">nosuid</span> option, then
-applications started from these file systems will not transition into their
-appropriate domain. This is intentional.
-</p>
-<p>
-So, a <span class="code" dir="ltr">passwd</span> binary, although correctly labeled <span class="emphasis">passwd_exec_t</span>,
-will not transition into the <span class="emphasis">passwd_t</span> domain if the binary is stored on a
-file system mounted with <span class="code" dir="ltr">nosuid</span>.
-</p>
-<p class="secthead"><a name="auth-run_init"></a><a name="doc_chap5_sect10">Why do I always need to re-authenticate when operating init scripts?</a></p>
-<p>
-When you, as an administrator, wants to launch or stop daemons, these activities
-need to be done as <span class="code" dir="ltr">system_u:system_r</span>. Switching to this context set is a
-highly privileged operation (since you are effectively leaving the user context
-and entering a system context) and hence the default setup requires the user to
-re-authenticate.
-</p>
-<p>
-You can ask not to re-authenticate if you use PAM by editing
-<span class="path" dir="ltr">/etc/pam.d/run_init</span> and adding the following line on top:
-</p>
-<a name="doc_chap5_pre15"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.15: Setup run_init pam configuration to allow root not to re-authenticate</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-auth sufficient pam_rootok.so
-</pre></td></tr>
-</table>
-<p>
-With this in place, you can now prepend your init script activities with
-<span class="code" dir="ltr">run_init</span> and it will not ask for your password anymore:
-</p>
-<a name="doc_chap5_pre16"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.16: Using run_init</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">run_init rc-service local status</span>
-Authenticating swift.
- * status: started
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="initramfs"></a><a name="doc_chap5_sect11">How do I use SELinux with initramfs?</a></p>
-<p>
-We currently do not support booting in enforcing mode with an initramfs image
-(but we are working on it). For the time being, boot in permissive mode. Once
-booted, switch to enforcing mode (<span class="code" dir="ltr">setenforce 1</span>).
-</p>
-<p>
-If you run SELinux on a production system and would not like to have attackers
-be able to switch back to permissive mode (even when they would have the
-necessary privileges otherwise), set the <span class="code" dir="ltr">secure_mode_policyload</span> boolean.
-When enabled, enforcing mode cannot be disabled anymore (until you reboot).
-</p>
-<a name="doc_chap5_pre17"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.17: Toggling secure_mode_policyload</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">setsebool secure_mode_policyload on</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="xdm"></a><a name="doc_chap5_sect12">Logons through xdm (or similar) fail</a></p>
-<p>
-If you log on through xdm, gdm, kdm, slim or any other graphical logon manager,
-you might notice in permissive mode that your context is off, and in enforcing
-mode that you just cannot log on.
-</p>
-<p>
-The reason of this is that PAM needs to be configured to include SELinux
-awareness in your session handling:
-</p>
-<a name="doc_chap5_pre18"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.18: Updating pam setting for gdm</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-...
-session required pam_loginuid.so
-session optional pam_console.so
-<span class="code-input">session optional pam_selinux.so</span>
-</pre></td></tr>
-</table>
-<p>
-Replicate the calls towards <span class="path" dir="ltr">pam_selinux.so</span> in the various
-<span class="path" dir="ltr">/etc/pam.d/gdm*</span> files (or similar depending on your graphical
-logon manager).
-</p>
-<br><br>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Page updated April 5, 2012</p></td></tr>
-<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
-Frequently Asked Questions on SELinux integration with Gentoo Hardened.
-The FAQ is a collection of solutions found on IRC, mailinglist, forums or
-elsewhere
-</p></td></tr>
-<tr><td align="left" class="topsep"><p class="alttext">
- <a href="mailto:pebenito@gentoo.org" class="altlink"><b>Chris PeBenito</b></a>
-<br><i>Author</i><br><br>
- <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
-<br><i>Author</i><br></p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
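Review bot: this hunk deletes the entire rendered selinux-faq.html (the hunk runs through the closing `</html>`, so nothing of the file survives), which is hard to square with a commit message that only says "Update previews"; if the intent is to regenerate the preview rather than drop it, please say so, and make sure the source document still carries the FAQ entries removed here (the fixlocal.te module example, the `FEATURES="-selinux" emerge --oneshot policycoreutils` recovery loop, the run_init PAM note and the secure_mode_policyload entry), since this deletion is the only copy of them visible in the diff. Two defects in the generated output are also worth fixing before any regenerated copy is published: the sidebar's printer-friendly link is `href="pebenito@gentoo.org?style=printable"`, which is neither a mailto: URL nor a path and renders as a dead link, and the relabel loop `CONTEXT=$(matchpathcon -n ${FILE}); chcon ${CONTEXT} ${FILE}` leaves both expansions unquoted, so a path containing whitespace would be split into separate arguments.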
diff --git a/html/selinux/hb-intro-concepts.html b/html/selinux/hb-intro-concepts.html
deleted file mode 100644
index 51626aa..0000000
--- a/html/selinux/hb-intro-concepts.html
+++ /dev/null
@@ -1,784 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Introduction</p>
-<p class="secthead"><a name="doc_chap1_sect1">SELinux Concepts</a></p>
-<p>
-Since SELinux is a MAC system, you should already figure out that managing
-SELinux-based permissions and rights might be a bit more challenging than
-managing the discretionary access control rights generally used on a Linux
-system. What is more is that SELinux works <b>on top of</b> the DAC system
-everybody is used from Linux. As a system administrator, you will need to be
-acquainted with some of the concepts and structures that SELinux has put in
-place in order to manage the access on the SELinux system.
-</p>
-<p>
-Describing those concepts is the purpose of this particular chapter. We will
-give examples on the various concepts from a SELinux enabled Gentoo Hardened
-system. However, do not fear if the use of particular commands is not explained
-sufficiently. They are currently meant as examples (their output is more
-important) and will be discussed further in this document.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">SELinux Policies</a></p>
-<p>
-Within Gentoo (and other distributions as well), SELinux is supported through
-several policy levels. These are, in climbing order of complexity (meaning they
-can offer more security, but are harder to manage):
-</p>
-<ol>
- <li>
- <b>targeted</b> is a policy where network-facing services (daemons) are
- confined (the processes can only execute those actions that are defined
- in the policy), but other applications are running what is called
- <span class="emphasis">unconfined</span>, meaning that there are little to no restrictions for
- those processes.
- </li>
- <li>
- <b>strict</b> is a policy where all processes are confined. There are no
- unconfined domains. In other distributions, this is still considered the
- <span class="emphasis">targeted</span> policy but without the unconfined domain definition.
- </li>
- <li>
- <b>multi-category security</b> is a policy where the (confined) domains can
- be categorized (split up), allowing for multiple processes running in
- different instances of a confined domain
- </li>
- <li>
- <b>multi-level security</b> is a policy where rules exist regarding the
- sensitivity of domains and resources. This allows for a "proper"
- information flow policy (make sure that sensitive data isn't leaked
- to less privileged domains). Conceptually, one can understand this best
- if one considers sensitivity levels of Public, Internal, Confidential,
- Strictly Confidential, etc.
- </li>
-</ol>
-<p>
-When using Gentoo Hardened, all these policies are available. However,
-development focuses mainly on <span class="emphasis">strict</span> and <span class="emphasis">mcs</span>. The
-<span class="emphasis">targeted</span> policy is assumed to work if strict works whereas we know
-that the <span class="emphasis">mls</span> policy is currently not fit yet for production use.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Security Contexts</p>
-<p class="secthead"><a name="doc_chap1_sect1">Users, Roles, Domains, Sensitivities and Categories</a></p>
-<p>
-One of the first concepts you will need to be acquainted with is the concept of
-a <span class="emphasis">security context</span>. This is a state given to a resource that uniquely
-identifies which grants (permissions) are applicable to the resource. This
-context is extremely important for SELinux as it is the definition on which it
-bases its permissions (grants or denials). When a resource has no security
-context assigned, SELinux will try to give it a default security context which -
-in the spirit of lowest privilege - has little permissions to perform any actions.
-</p>
-<p>
-Within SELinux, such a security context is displayed using three to five
-definitions, depending on the type of policy you are running:
-</p>
-<dl>
- <dt>user</dt>
- <dd>
- This is the <span class="emphasis">SELinux user</span> (which is not the same as the Linux/Unix
- technical user) assigned to the resource
- </dd>
- <dt>role</dt>
- <dd>
- This is the SELinux role in which the resource currently works
- </dd>
- <dt>type</dt>
- <dd>
- This is the type assigned to the resource and is the key to SELinux'
- enforcement rules
- </dd>
- <dt>sensitivity</dt>
- <dd>
- This is a level given to a resource informing the system about the
- sensitivity of this resource. A sensitivity is something akin to
- Public, Internal, Restricted, Confidential, Strictly Confidential, ...
- Sensitivity levels are only supported in MLS policies.
- </dd>
- <dt>category</dt>
- <dd>
- This is a specific instantiation of a resource. It allows segregation of
- resources even if they are of the same type. More about categories later -
- categories are supported in MLS and MCS policies.
- </dd>
-</dl>
-<p>
-More information on these particular definitions is given throughout the
-remainder of this chapter.
-</p>
-<p>
-As an example let's take a look at the security context of a logged on user:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the security context of a logged on user</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">id -Z</span>
-staff_u:staff_r:staff_t
-</pre></td></tr>
-</table>
-<p>
-In this case, the user is identified as the SELinux user <span class="emphasis">staff_u</span>,
-currently in the <span class="emphasis">staff_r</span> role and assigned to the <span class="emphasis">staff_t</span>
-type. The actions the user is allowed to do are based upon this security
-context. Also, you notice that only three identifiers are shown. This is
-because the example is taken on a <span class="emphasis">strict</span> (or <span class="emphasis">targeted</span>) policy
-system. The next example gives the same result, but on an <span class="emphasis">MCS</span> policy
-system.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the security context of a logged on user on an MCS policy system</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">id -Z</span>
-staff_u:staff_r:staff_t:s0-s0:c0.c1023
-</pre></td></tr>
-</table>
-<p>
-Here, the user is running with sensitivity level of s0 (which, in an MCS policy
-system, is the only available sensitivity) and with a category set of c0 up to
-and including c1023. However, note that in an MCS policy system categories are
-optional, so you might just see an output of <span class="emphasis">staff_u:staff_r:staff_t:s0</span>.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Access Control Policy</a></p>
-<p>
-As mentioned before, these security contexts are used as the base for the
-permission rules. What SELinux does is check the security context of the source
-(for instance a process) and the destination (for instance a file that that
-process wants to read). It then checks if the requested operation (read) is
-allowed between those two contexts. Keep in mind though that SELinux works on
-top of the standard permission system used by Linux. If a process is not able to
-read a file to begin with, SELinux is not even consulted.
-</p>
-<p>
-Now, where the security context defines the state of a resource, we have not
-spoken about the resources themselves. Within SELinux, the resource types are
-defined as <span class="emphasis">object classes</span>. Common examples are <span class="emphasis">file</span> or <span class="emphasis">dir</span>,
-but SELinux also manages classes such as <span class="emphasis">filesystem</span>, <span class="emphasis">tcp_socket</span>,
-<span class="emphasis">process</span>, <span class="emphasis">sem</span> (semaphores) and more.
-</p>
-<p>
-On each object class, a set of <span class="emphasis">permissions</span> is declared which are possible
-against a resource within this object class. For instance, the <span class="emphasis">process</span>
-object class supports at least the following permissions:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Supported permissions against a 'process' resource</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">ls /selinux/class/process/perms</span>
-dyntransition getcap rlimitinh setpgid siginh
-execheap getpgid setcap setrlimit sigkill
-execmem getsched setcurrent setsched signal
-execstack getsession setexec setsockcreate signull
-fork noatsecure setfscreate share sigstop
-getattr ptrace setkeycreate sigchld transition
-</pre></td></tr>
-</table>
-<p>
-The most common SELinux access control rule (<span class="emphasis">allow</span>) is described as
-follows:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux allow statement</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-allow ACTOR TARGET:CLASS PRIVILEGE;
- +-+-+ +-+--+ +-+-+ +---+---+
- | | | `- Permission to be granted (like "write")
- | | `- Class on which permission is given (like "file")
- | `- Resource (label) on which permission is valid (like "portage_conf_t")
- `- Actor (domain) which gets the privilege (like "sysadm_t")
-</pre></td></tr>
-</table>
-<p>
-Let's take a look at a small example to explain the permission rules and how
-SELinux uses them. The example user is in the <span class="emphasis">staff_u:staff_r:staff_t</span>
-context and wants to write to its own home directory. As we can expect, this
-should be allowed. Don't worry about the commands here, we'll discuss them more
-properly further in this document.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Seeing if a user can write to its own home directory</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">(Show the security context for the users' home directory)</span>
-~$ <span class="code-input">ls -dZ ${HOME}</span>
-staff_u:object_r:user_home_dir_t /home/swift
-
-<span class="code-comment">(Find the allow-rule which allows the staff_t type to write into a
- directory with the user_home_dir_t type)</span>
-~$ <span class="code-input">sesearch -s staff_t -t user_home_dir_t -c dir -p write -A</span>
-Found 1 semantic av rules:
- allow staff_t user_home_dir_t : dir { ioctl read write create ... };
-</pre></td></tr>
-</table>
-<p>
-As expected, the security context of the user (to be more specific, the domain
-in which it resides) has write access to the domain of the target's directories.
-The notion of <span class="emphasis">domain</span> is frequently used in SELinux documentation and
-refers to the type assigned to a process. BTW, as files do not have roles,
-they are given the default <span class="emphasis">object_r</span> role by SELinux.
-</p>
-<p>
-Now take a look at the following example. Our user, who is inside the portage
-group, wants to write to the <span class="path" dir="ltr">/var/tmp/portage</span> directory:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Seeing if a user can write to the /var/tmp/portage directory</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">id -a</span>
-uid=1001(swift) gid=100(users) groups=100(users),...,250(portage),...
-~$ <span class="code-input">ls -ldZ /var/tmp/portage</span>
-drwxrwxr-x. 3 portage portage system_u:object_r:portage_tmp_t 4096 Dec 6 21:08 /var/tmp/portage
-</pre></td></tr>
-</table>
-<p>
-From the standard Linux permissions, the user has write access. But does SELinux
-also grant it?
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Trying to write into /var/tmp/portage</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">sesearch -s staff_t -t portage_tmp_t -c dir -p write -A</span>
-~$
-<span class="code-comment">(Notice that there is no output given here)</span>
-~$ <span class="code-input">touch /var/tmp/portage/foo</span>
-touch: cannot touch '/var/tmp/portage/foo': Permission denied
-</pre></td></tr>
-</table>
-<p>
-As SELinux could not find a rule that allows the staff_t domain to write to any
-directory labeled with the portage_tmp_t type, the permission was denied.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Type Enforcements / Domain Types</p>
-<p class="secthead"><a name="doc_chap1_sect1">Types and Domains</a></p>
-<p>
-To explain how the permission rules work and how this is enforced through the
-security contexts, let's start from the last definition in the context (the
-<span class="emphasis">type</span>) and work our way forward through the roles and users.
-</p>
-<ul>
- <li>
- A <span class="emphasis">SELinux type</span> is a particular label assigned to a resource. The
- <span class="code" dir="ltr">passwd</span> command for instance is labeled with the passwd_exec_t type.
- </li>
- <li>
- A <span class="emphasis">SELinux domain</span> is the security state of a process and identifies the rights
- and permissions it has. It is most often referred to by its type declaration.
- For instance, for a running <span class="code" dir="ltr">passwd</span> command, its domain is passwd_t.
- </li>
-</ul>
-<p>
-The rules that identify the allowed actions for a domain have been described earlier. Again:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Standard SELinux policy rules</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-allow &lt;src_domain&gt; &lt;dst_type&gt; : &lt;class&gt; { permission [ permission [ ... ] ] } ;
-</pre></td></tr>
-</table>
-<p>
-An example for the <span class="emphasis">passwd_t</span> domain would be the permissions granted
-between the <span class="emphasis">passwd_t</span> domain and the <span class="emphasis">shadow_t</span> type (used by the
-<span class="path" dir="ltr">/etc/shadow</span> file).
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Grants between passwd_t and shadow_t</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-allow passwd_t shadow_t : file { ioctl read write create ... } ;
-</pre></td></tr>
-</table>
-<p>
-This permission syntax is very powerful, but also difficult. To have a secure
-system where normal behavior is allowed, you need to seriously fine-tune these
-rules for each and every application (and thus domain) that your system wants to
-host. Giving too broad permissions to a domain on a particular type might result
-in unauthorized activity being granted. Giving too few permissions might result
-in loss of efficiency or even effectiveness.
-</p>
-<p>
-To support easier grant rules, SELinux allows grouping of types using type
-attributes. For instance, the attribute <span class="emphasis">exec_type</span> bundles all types
-that are assigned to executable files (such as <span class="emphasis">bin_t</span>, <span class="emphasis">ssh_exec_t</span>,
-...), whereas the <span class="emphasis">file_type</span> attribute bundles all types that are
-assigned to regular files. Although this can simplify rule management, it makes
-it easier to grant too many permissions.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Domain Transitions</a></p>
-<p>
-So far for types, domain definitions and their permissions. We have stated before
-that permissions are based on the domain in which a process resides. But how
-does a process become part of the domain? You might think that this happens by
-default (starting the <span class="code" dir="ltr">passwd</span> command would automatically bring the
-process in the <span class="emphasis">passwd_t</span> domain), but this is in fact a combination of
-three specific privileges that need to be granted:
-</p>
-<ol>
- <li>
- The current domain must be allowed to transition to a domain
- </li>
- <li>
- The target domain should have an <span class="emphasis">entry point</span>, which is an executable
- that is allowed to start in the domain
- </li>
- <li>
- The source domain should have <span class="emphasis">execute</span> rights on (the domain of) that
- executable
- </li>
-</ol>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
-Not being allowed to transition does not mean that you cannot
-execute the binary. The binary can still be executed, but will not run inside
-the target domain. Instead, it will inherit the domain of the executor and hence
-the rights and permissions of this domain.
-</p></td></tr></table>
-<p>
-Through these rules, the security administrator of a system can more
-specifically control who and under which conditions particular actions can be
-taken.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Roles and Rights</p>
-<p class="secthead"><a name="doc_chap1_sect1">The Role of a Role</a></p>
-<p>
-The previously discussed domains and domain rules is quite powerful. However,
-this is not where SELinux stops. After all, you want to be able to deny access
-towards particular domains from unauthorized users. One requirement is of course
-not to allow transitions from the user domain to that restricted domain, but how
-can you enforce one set of users to be allowed and another to be denied?
-</p>
-<p>
-Enter the roles. By using roles, you can tell SELinux which domains are allowed
-for a role and which aren't. An example would be the <span class="emphasis">ifconfig_t</span> domain.
-This domain has the rights to change the networking interface definitions - not
-something you want to allow your users. And in fact, if you would verify,
-SELinux does not allow the user role <span class="emphasis">user_r</span> to be assigned with the
-<span class="emphasis">ifconfig_t</span> domain.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: ifconfig_t domain and user_r versus sysadm_r</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">seinfo -ruser_r -x</span>
- user_r
- Dominated Roles:
- user_r
- Types:
- ...
-~$ <span class="code-input">seinfo -rsysadm_r -x</span>
- sysadm_r
- Dominated Roles:
- sysadm_r
- Types:
- ...
- ifconfig_t
- ...
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
-Again, not being able to be associated with a domain does not mean that the
-<span class="emphasis">user_r</span> role cannot <span class="emphasis">execute</span> the <span class="code" dir="ltr">ifconfig</span> binary. It can, but
-it will execute the binary within its own domain (<span class="emphasis">user_t</span>) and as such
-will not have the rights to manipulate the networking interface (but will still
-be able to read the interface information albeit with limited output).
-</p></td></tr></table>
-<p>
-Roles are often used in access control systems to group permissions to a single
-functional set (the role) which can then be assigned to individuals (accounts).
-For instance, such access control systems create roles for accountants,
-operators, managers, ... and grant the appropriate privileges to these roles.
-Then, their users are assigned one (or sometimes multiple) roles and the users
-inherit the permissions assigned to these roles.
-</p>
-<p>
-With SELinux, the idea remains the same (use roles to functionally differentiate
-privileges) but is implemented differently: roles are assigned target domains
-in which a role is allowed to "be in". The permissions remain assigned to the
-domains.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Role Transitions</a></p>
-<p>
-Users (and processes) have the ability to switch roles. This is allowed by
-SELinux, but of course only when the switch itself is granted. By default,
-the SELinux policy used by Gentoo Hardened offers five roles on a SELinux
-system:
-</p>
-<dl>
- <dt>object_r</dt>
- <dd>
- The <span class="emphasis">object_r</span> role is the only role by default available through
- SELinux. It is usually only assigned to resources where roles have no
- benefit or value (such as files and directories).
- </dd>
- <dt>system_r</dt>
- <dd>
- The <span class="emphasis">system_r</span> role is used for highly privileged system services.
- The <span class="emphasis">system_r</span> role is allowed to switch to any other "default" role.
- No role exception <span class="emphasis">sysadm_r</span> can switch to the <span class="emphasis">system_r</span> role.
- </dd>
- <dt>sysadm_r</dt>
- <dd>
- The <span class="emphasis">sysadm_r</span> role is used for system administration activities. The
- <span class="emphasis">sysadm_r</span> role is allowed to switch to any other "default" role. Only
- the <span class="emphasis">system_r</span> and <span class="emphasis">staff_r</span> roles are allowed to switch to the
- <span class="emphasis">sysadm_r</span> role.
- </dd>
- <dt>staff_r</dt>
- <dd>
- The <span class="emphasis">staff_r</span> role is used for system operators who might have the
- rights to perform system administration tasks. The <span class="emphasis">staff_r</span> role is
- only allowed to switch to the <span class="emphasis">sysadm_r</span> role. Only <span class="emphasis">sysadm_r</span> and
- <span class="emphasis">system_r</span> can switch to the <span class="emphasis">staff_r</span> role.
- </dd>
- <dt>user_r</dt>
- <dd>
- The <span class="emphasis">user_r</span> role is used for standard, unprivileged users. It is not
- allowed to transition towards any other role; only <span class="emphasis">sysadm_r</span> and
- <span class="emphasis">system_r</span> roles are allowed to switch to the <span class="emphasis">user_r</span> role.
- </dd>
-</dl>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-A "default" role is any of <span class="emphasis">user_r</span>, <span class="emphasis">staff_r</span>, <span class="emphasis">sysadm_r</span> or
-<span class="emphasis">system_r</span>. If you create additional roles yourself, they are not part of
-the "default" roles.
-</p></td></tr></table>
-<p>
-Using these definitions, a user inside the <span class="emphasis">user_r</span> role will never be able
-to execute <span class="code" dir="ltr">ifconfig</span> within the <span class="emphasis">ifconfig_t</span> domain. The use of the
-word <span class="emphasis">never</span> here is important: not even if the user is able to become
-root using <span class="code" dir="ltr">sudo</span> or any other command will he be able to run the
-<span class="code" dir="ltr">ifconfig</span> command in the <span class="emphasis">ifconfig_t</span> domain because, even after
-running <span class="code" dir="ltr">sudo</span>, he is still inside the <span class="emphasis">user_r</span> role.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">SELinux Users</a></p>
-<p>
-A SELinux user is not the same as the Linux user. Whereas standard Linux user
-accounts can be switched using commands such as <span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span>, a
-SELinux user can not be changed. Even when you successfully execute <span class="code" dir="ltr">sudo</span>,
-your SELinux user will remain the same.
-</p>
-<p>
-When you look at a SELinux powered system, you might notice that that system
-doesn't use many SELinux users. For instance, Gentoo Hardened's default setup
-defines the users <span class="emphasis">root</span>, <span class="emphasis">user_u</span>, <span class="emphasis">staff_u</span>, <span class="emphasis">sysadm_u</span> and
-<span class="emphasis">system_u</span> and some systems never introduce any other SELinux user. But if
-that is the case, is the above advantage of SELinux users (once a user is logged
-on, he cannot change his SELinux user) the only one?
-</p>
-<p>
-Well, no. SELinux users are also used to categorize accounts which have the
-permission to use a particular role.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux users and their associated roles</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semanage user -l</span>
-SELinux User SELinux Roles
-
-root staff_r sysadm_r
-staff_u staff_r sysadm_r
-sysadm_u sysadm_r
-system_u system_r
-user_u user_r
-</pre></td></tr>
-</table>
-<p>
-Standard Linux users are mapped to these SELinux users:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Linux users and their SELinux user mappings</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semanage login -l</span>
-Login Name SELinux User
-
-__default__ user_u
-root root
-swift staff_u
-</pre></td></tr>
-</table>
-<p>
-In this example, only logins of the Linux user <span class="emphasis">swift</span> (through
-<span class="emphasis">staff_u</span>) and <span class="emphasis">root</span> (through the <span class="emphasis">root</span> SELinux user)
-will be able to eventually run inside the <span class="emphasis">sysadm_r</span> role. All other
-Linux accounts will be by default mapped to the <span class="emphasis">user_u</span> user (and
-this <span class="emphasis">user_r</span> role).
-</p>
-<p>
-This is <span class="emphasis">only</span> applicable for interactive logins. Processes that are
-launched through an init script or otherwise do not automatically become part of
-the SELinux user <span class="emphasis">user_u</span>: depending on the security context of whatever
-process is starting them, they can become anything. Of course, if the security
-context of the process that is starting them is <span class="emphasis">user_u:user_r:user_t</span> then
-they will not be able to transform into anything other than
-<span class="emphasis">user_u:user_r:*</span> with <span class="emphasis">*</span> a domain supported by the <span class="emphasis">user_r</span>
-role.
-</p>
-<p>
-SELinux users are also used to implement <span class="emphasis">User Based Access Control</span> or
-<span class="emphasis">UBAC</span>. This SELinux functionality allows for domains to be SELinux user
-aware: a process running in the context of a particular SELinux user can then -
-for instance - only work with files of the same SELinux user. This offers a
-finer grained access method, because that process might run within a domain
-which has write access to the domain of the file, but can still not write to the
-file because the SELinux users' differ.
-</p>
-<p>
-At this moment, Gentoo Hardened SELinux' supports both policies with and
-without UBAC, although we strongly recommend to use UBAC. This is controlled
-through the <span class="code" dir="ltr">ubac</span> USE flag.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Multi Level Security / Multi Category Security</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Next to the type enforcement feature, SELinux also offers MLS and MCS support.
-This allows administrators to define a hierarchical confidentiality policy.
-For instance, you can ensure that a user or process within a certain
-security domain and level can write to files with the same level (or higher), or
-read files with the same level (or lower), but not write files to a lower level.
-This allows administrators to implement some sort of
-public/internal/confidential/strictly confidential hierarchical security level
-for files.
-</p>
-<p>
-Although implementation of MLS is possible with the type enforcement rules we
-have previously explained, it would lead to an unmanageable collection of types
-and permissions. The MLS implementation simplifies this.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Multi-Level Security</a></p>
-<p>
-The most flexible - but also most challenging to manage - method offered by
-SELinux is MLS, or <span class="emphasis">Multi-Level Security</span>. When using this policy type,
-security administrators can assign sensitivity labels to resources and define
-which domains (and which sensitivity levels) are able to read/write to which
-level. A level is always given as a range, showing the lowest and highest level
-that a particular domain is running in.
-</p>
-<p>
-Next to the sensitivity level, MLS supports categories on a per-level basis.
-These categories allow the security administrator to make different, possibly
-independent "containers" for sensitive resources. To give an example, the
-administrator can support the levels Public up to Strictly Confidential, and
-categories of "Finance", "Risk Analysis", "Acquisitions", "IT Systems", ...
-</p>
-<p>
-With such categories, one can then allow one role to have access to all
-sensitivity levels for a particular category (say "IT Systems") but still only
-have access to the Public and Internal documents of all other categories.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Multi-Category Security</a></p>
-<p>
-The MCS or <span class="emphasis">Multi-Category Security</span> policy is a subset of the MLS policy.
-It supports the various categories, but without using the multiple security
-levels for the resources.
-</p>
-<p>
-The use of MCS has become popular because it is far less difficult to manage
-while still retaining some of the flexibilities offered by the MLS policy.
-Where MLS is more chosen for business purposes (and as such has some influence
-on the organization of the business), MCS is often used for <span class="emphasis">multitenancy</span>
-architectures. In a multi-tenant architecture, systems are running processes for
-various clients simultaneously. Categorisation allows for separation of
-privileges across these processes without introducing multiple domains (which
-would require the development of new policies for each new client that a system
-wants to serve).
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Reference Policy</p>
-<p class="secthead"><a name="doc_chap1_sect1">About refpolicy</a></p>
-<p>
-As described previously, SELinux uses type enforcement to describe the state of
-your system. This is done by giving each resource on your system (be it a
-process, a network port, a file or directory) a specific type and describe the
-rules how types can work with each other.
-</p>
-<p>
-Managing such a policy is not easy. Unlike some other MAC systems, which rely
-on a learning mode and do not use domain definitions (they rather keep track of
-which commands a process is allowed to execute), a proper SELinux definition
-requires lots (thousands and thousands) of permission lines.
-</p>
-<p>
-To ensure that no duplicate effort is made, and to help distributions like
-Gentoo, Fedora, RedHat, Debian, ... with their SELinux integration efforts, a
-project is launched called <span class="emphasis">The Reference Policy</span>.
-</p>
-<p>
-This project, managed by <a href="http://oss.tresys.com/projects/refpolicy">Tresys</a>, is used by almost
-all SELinux supporting distributions, including Gentoo Hardened, Fedora, RedHat
-Enterprise Linux, Debian, Ubuntu and more. This implementation not only offers
-the modular policies that users are looking for, but also enhances the SELinux
-experience with additional development tools that make it easier to work with
-the SELinux policies on your system. Updates in the reference policy eventually
-make it in all supported distributions. The same goes for Gentoo Hardened, which
-aims to use a policy as close as possible to the reference policy, and submits
-its own patches to the reference policy as well, which benefits the entire
-community.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Reference Policy API</a></p>
-<p>
-One major advantage of the reference policy is its API. To help policy writers,
-the reference policy uses a macro language which generates the necessary allow
-(and other) rules. This macro language makes it a lot easier to add rights to
-particular domains. You can find the API documented <a href="http://oss.tresys.com/docs/refpolicy/api/">online</a>, but if you have
-USE="doc" set, it will be stored on your system as well the moment you install
-and configure SELinux.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Modular Approach</a></p>
-<p>
-Another feature of the reference policy is its use of <span class="emphasis">modules</span>. If you
-would build all rules in a single policy (a binary file readable by the Linux
-kernel, allowing it to interpret and enforce SELinux rules), the file would
-quickly become too huge and inefficient.
-</p>
-<p>
-Instead, the reference policy defines the rules in what it calls modules, which
-define one domain (like <span class="code" dir="ltr">portage_t</span>) or more (if they are all tightly
-related) and the rights and privileges that that domain would need in order to
-function properly. Any right that the domain needs with respect to another
-domain needs to be defined through that domains' interfaces (see earlier),
-forcing the modules to be specific and manageable.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example overview of installed SELinux modules</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -l</span>
-alsa 1.11.0
-apache 2.3.0
-audioentropy 1.6.0
-dbus 1.15.0
-dmidecode 1.4.0
-<span class="code-comment">(...)</span>
-</pre></td></tr>
-</table>
-<p>
-By using a modular approach, one only needs to load the base policy (kernel
-layer as well as other, core definitions) and the modules related to his system.
-You can then safely ignore the other modules. This improves performance (smaller
-policy, which also causes rebuilds to be a lot less painful) and manageability
-(properly defined boundaries for policy rules).
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Tunables and Conditionals</a></p>
-<p>
-But wait, there's more. The reference policy also supports <span class="emphasis">booleans</span>.
-Those are flags that a security administrator can enable or disable to change
-the active policy. Properly defined booleans allow security administrators to
-fine-tune the policy for their system.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Overview of available booleans</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">getsebool -a</span>
-allow_execheap --&gt; off
-allow_execmem --&gt; off
-allow_execmod --&gt; off
-allow_execstack --&gt; off
-allow_gssd_read_tmp --&gt; on
-allow_httpd_anon_write --&gt; off
-</pre></td></tr>
-</table>
-<p>
-Booleans are an important part to make a generic reference policy which is still
-usable for the majority of SELinux users. Although they have specific
-requirements (such as allowing ptrace, or disallowing execmem) they can still
-use the same reference policy and only need to toggle the booleans they need.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Policy Files and Versions</a></p>
-<p>
-The SELinux policy infrastructure that is used (i.e. the capabilities and
-functionalities that it offers) isn't in its first version. Currently, SELinux
-deployments use a binary version of 24 or 26 (depending on the kernel version
-used).
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the binary policy version</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">sestatus</span>
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: enforcing
-Mode from config file: enforcing
-Policy version: 24
-Policy from config file: strict
-</pre></td></tr>
-</table>
-<p>
-Every time functionalities or capabilities are added which require
-changes to the internal structure of the compiled policy, this version is
-incremented. The following is an overview of the policy versions' history.
-</p>
-<dl>
- <dt>Version 12</dt>
- <dd>"Old API" for SELinux, which is now deprecated</dd>
- <dt>Version 15</dt>
- <dd>"New API" for SELinux, merged in Linux kernel 2.6.0 (until 2.6.5)</dd>
- <dt>Version 16</dt>
- <dd>Conditional policy extensions added (2.6.5)</dd>
- <dt>Version 17</dt>
- <dd>IPV6 support added (2.6.6 - 2.6.7)</dd>
- <dt>Version 18</dt>
- <dd>Fine-grained netlink socket support added (2.6.8 - 2.6.11)</dd>
- <dt>Version 19</dt>
- <dd>Enhanced multi-level security (2.6.12 - 2.6.13)</dd>
- <dt>Version 20</dt>
- <dd>Access vector table size optimizations (2.6.14 - 2.6.18)</dd>
- <dt>Version 21</dt>
- <dd>Object classes in range transitions (2.6.19 - 2.6.24)</dd>
- <dt>Version 22</dt>
- <dd>Policy capabilities (features) (2.6.25)</dd>
- <dt>Version 23</dt>
- <dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd>
- <dt>Version 24</dt>
- <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd>
- <dt>Version 25</dt>
- <dd>Filename based transition support (2.6.39)</dd>
- <dt>Version 26</dt>
- <dd>Role transition support for non-process classes (3.0)</dd>
-</dl>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Next Steps</p>
-<p class="secthead"><a name="doc_chap1_sect1">What Next</a></p>
-<p>
-It might be difficult to understand now, but the concepts are important because,
-if something fails on your system when SELinux is enabled, but it doesn't fail
-when SELinux is disabled, then you will need to dive into the security contexts,
-rules, types and domain transitions to find out why.
-</p>
-<p>
-The next chapter in line will give you some background resource information
-(online resources, books, FAQs, etc.) After that, we'll dive into the
-installation and configuration of SELinux on your Gentoo Hardened system. Then,
-we'll configure and tune the SELinux policy to our needs.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated July 21, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
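Review bot: the generated anchors in the deleted page are all identical, so the in-page links cannot be distinguished: every chapter heading here is `doc_chap1` / "1." ("Next Steps" is numbered 1 like the chapter before it) and all three code listings in this part of the hunk carry `doc_chap1_pre1` / "Code Listing1.1". If these previews are regenerated later rather than dropped, the chapter and listing counters of the generator need fixing first. A second point, in the "Policy Files and Versions" section: the text states that deployments use binary policy version "24 or 26 (depending on the kernel version used)", while the version table directly below lists version 25 for kernel 2.6.39, so a 2.6.39 system reports 25; the sentence should say 24, 25 or 26, or just defer to the table. Finally, since this hunk removes the page entirely (only `-` lines down to `</html>`) instead of updating it, confirm that nothing still remaining in the tree links to it.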
diff --git a/html/selinux/hb-intro-enhancingsecurity.html b/html/selinux/hb-intro-enhancingsecurity.html
deleted file mode 100644
index 09b8c12..0000000
--- a/html/selinux/hb-intro-enhancingsecurity.html
+++ /dev/null
@@ -1,219 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Introduction</p>
-<p class="secthead"><a name="doc_chap1_sect1">A Warm Welcome</a></p>
-<p>
-Welcome to the Gentoo SELinux handbook. In this resource, we will bring you up
-to speed with Gentoo Hardened's implementation of SELinux and the policies
-involved. Part of this exercise is to help you understand why SELinux was
-brought to life and which concept is behind the development of the SELinux
-patches. We will cover the SELinux concepts, the reference policy that Gentoo
-Hardened uses and elaborate on how to work with the various SELinux tools.
-</p>
-<p>
-The purpose of this book is not to explain SELinux itself in great detail. There
-are many references available on the Internet and in the better bookstores that
-help you with the SELinux topic. Instead, we will focus on SELinux integration
-within Gentoo Hardened. Of course, we will give a quick introduction to SELinux
-to allow you to understand how it works, what it is and help you identify which
-actions you will need to take in order to properly secure your system using the
-SELinux tools.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Securing Linux</p>
-<p class="secthead"><a name="doc_chap1_sect1">Security In General</a></p>
-<p>
-Security is often seen as a vague concept. What is security in general? How do
-you measure security? What is the benefit and how do you make sure you do not
-put too much effort in securing your system?
-</p>
-<p>
-Well, security zealots will tell you that there is no such thing as too much
-security. If properly implemented, security does not restrict functionality or
-performance. It does not give you too much overhead in order to do your tasks.
-But implementing security properly is a different and time-consuming task. That
-is also why you often hear that security is as good as its administrator.
-</p>
-<p>
-So, how can you look at security? A good practice on security is to define your
-security goals. List what you want to achieve and why. By tracking the threats
-that you want to minimize, you build up a security model that is appropriate for
-your environment. Such threats can be very broad, such as "Ensure no-one is able
-to work around our security measures".
-</p>
-<p>
-In case of a Linux system powered with SELinux, this would at least mean that
-you want to protect critical system files, such as kernel image(s) and boot
-loader configuration, passwords and the SELinux policy binary itself from being
-written by anyone or anything except trusted processes.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Access Control</a></p>
-<p>
-A decent access control system (or group of systems) ensures that only
-authorized individuals or processes are granted access to the resources they are
-tring to work with.
-</p>
-<p>
-Before one can implement an access control system, you first need to have proper
-authentication in place. If your authentication schemes are flawed, your access
-control system might not be able to differentiate legitimate users from
-malicious ones.
-</p>
-<p>
-Authenticating users within Linux is often done through PAM (<span class="emphasis">Pluggable
-Authentication Modules</span>), a powerful mechanism to integrate multiple
-low-level authentication schemes into a high-level interface.
-</p>
-<p>
-Authorizing access to resources however is often done through a simple
-permission scheme. Most resources are not hidden by default, although
-patches and updates exist (such as those offered by Gentoo Hardened's
-kernel sources with grSecurity patches which includes support for this
-kind of measures). File-system wise, you can hide the existence of files
-by ensuring the directory in which the file resides is not readable nor
-"executable" by unauthorized accounts.
-</p>
-<p>
-This default permission scheme has major drawbacks. It does not allow you to
-define very flexible authorizations (it only allows permissions on three levels:
-owner, group-owner and everybody else) and is limited to read/write/execute
-rights (although a few additional attributes are supported nowadays as well).
-</p>
-<p>
-Another drawback is that the permission scheme is <span class="emphasis">discretionary</span>, meaning
-that users and processes are able to change the security policy in place.
-</p>
-<p>
-For the majority of uses, this permission scheme is sufficient and has proven to
-offer a decent method for managing access authorizations. But the drawbacks have
-shown to be a major hole in the Linux' offering.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Mandatory Access Control</p>
-<p class="secthead"><a name="doc_chap1_sect1">Enter SELinux</a></p>
-<p>
-If the above mentioned discretionary access control, abbreviated to <span class="emphasis">DAC</span>,
-is not sufficient (and if you are keen on security, you will not find it
-sufficient), you need a <span class="emphasis">Mandatory</span> Access Control, or <span class="emphasis">MAC</span> system.
-</p>
-<p>
-When using a MAC system, activities that a process wants to perform on another
-resource need to be explicitly allowed. It offers a higher granularity on
-permissions as well as resources. They often support not only files, but also
-sockets, ports, memory segments, queues, processes, kernel services, system
-calls, devices, file systems and more. The granularity of activities supported
-is also quite large. For files, this can be append, create, execute, write,
-link, ioctl, get- and setattr, read, rename, lock, ... whereas for sockets this
-might be append, bind, connect, create, write, sendto, accept, ... Also, when
-using a MAC system, no user or process can manipulate the security policy
-itself: what the security administrator has defined cannot be overturned.
-</p>
-<p>
-This is where SELinux comes to play. SELinux is a Linux kernel feature which
-implements, amongst other things, a MAC system for controlling and governing
-access to various resources. It uses a deny-by-default permission scheme, so any
-access that a process wants to perform needs to be explicitly granted.
-</p>
-<p>
-SELinux also allows you to put a finer-grained permission model <b>on top
-of</b> the traditional DAC system (which is still in use when using SELinux
-- in other words, if the traditional system does not allow certain activities,
-it will not be allowed even if there are SELinux policies granting the
-permission).
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">What is SELinux</a></p>
-<p>
-To support this finer-grained permission model, you would think that changes
-are needed to the Linux kernel. Yet thanks to the Linux kernel <span class="emphasis">LSM</span>
-interface (<span class="emphasis">Linux Security Modules</span>), support for SELinux was easily added
-and since the 2.6 kernel series, SELinux has been integrated in the mainstream
-kernel release. But supporting SELinux and using SELinux are very different topics.
-</p>
-<p>
-In order to properly identify resources, SELinux needs to assign labels to these
-resources. When the resources are in-memory, this is mostly supported by the
-Linux kernel itself, but for persistent resources such as files, these labels
-need to be placed somewhere. SELinux has chosen to use a file's extended
-attributes (which is stored on the file system itself). The advantage here is
-that a label remains on the file even if the file is renamed. A disadvantage of
-this approach is that the file system must support <span class="emphasis">extended attributes</span>,
-which not all file systems do (or have activated).
-</p>
-<p>
-SELinux also uses roles to govern resource access. A user that does not have
-access to the system administration role should never be allowed to execute any
-system administration activities even if he is able to escalate its privileges
-(say through a set-uid application). To support roles, SELinux requires changes
-to the authentication services (PAM) and needs to store role definitions and
-authorizations somewhere.
-</p>
-<p>
-Next to the kernel support and labels assigned to the resources and support
-within the authorization system, SELinux also requires particular tools to
-support the SELinux features. Examples are administrative tools to view and
-manipulate labels, privilege management tools (like <span class="code" dir="ltr">sudo</span>), system
-services (like SysVInit) etc. This is reflected in a set of patches
-against these (and more) tools which are not always part of the applications'
-main source code.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Gentoo Hardened and SELinux</a></p>
-<p>
-What Gentoo Hardened offers is SELinux integrated in the distribution. When you
-select SELinux support, Gentoo Hardened will apply the necessary patches against
-the applications and help you (re)label your files and other resources to become
-SELinux-manageable. Gentoo Hardened also integrates SELinux support inside
-Portage, allowing for newly installed files to be automatically labeled and to
-use a SELinux-supporting sandbox environment for
-safe package building.
-</p>
-<p>
-Next to the pure technological support, we hope that you will also find the
-necessary supporting documents, guides, experience and on-line support for using
-SELinux within Gentoo. Never hesitate to come and say hi on the
-<span class="code" dir="ltr">#gentoo-hardened</span> chat channel in the Freenode IRC network or on our
-mailing lists.
-</p>
-<p>
-If you believe that SELinux is the right thing for you and you want to try it
-out using Gentoo Hardened, please read on. The next chapter will inform you how
-SELinux security is "designed" and how it is conceptually structured. Further
-chapters will then help you with the authorization language and the "base"
-policies that most distributions start from, and finally help you install,
-run and manage a SELinux hardened Gentoo system.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated May 25, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
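Review bot: this hunk deletes the page outright (`deleted file mode 100644`, `+++ /dev/null`) rather than updating it, so the commit description should say that the HTML previews are being dropped, not refreshed. Two defects in the deleted text are worth carrying back to the source if the page is ever regenerated: the typo "tring" (for "trying") in the "Access Control" section, and the favicon link `<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">`, which uses a relative path where the next deleted page uses the absolute `http://www.gentoo.org/favicon.ico`; served from the html/selinux/ subdirectory that relative reference would not resolve.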
diff --git a/html/selinux/hb-intro-referencepolicy.html b/html/selinux/hb-intro-referencepolicy.html
deleted file mode 100644
index acfd4b9..0000000
--- a/html/selinux/hb-intro-referencepolicy.html
+++ /dev/null
@@ -1,242 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>About SELinux Policies</p>
-<p class="secthead"><a name="doc_chap1_sect1">SELinux Policy Language</a></p>
-<p>
-As described previously, SELinux uses type enforcement to describe the state of
-your system. This is done by giving each resource on your system (be it a
-process, a network port, a file or directory) a specific type and describe the
-rules how types can work with each other.
-</p>
-<p>
-For instance, the allow-rule to allow all regular users (which are in the
-user_t domain) to execute files with the bin_t label:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Allow rule to execute bin_t files</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-allow user_t bin_t:file { read execute open };
-</pre></td></tr>
-</table>
-<p>
-Other supported rules are
-</p>
-<ul>
- <li>
- <span class="emphasis">dontaudit</span> will disable the logging of the denial message(s)
- </li>
- <li>
- <span class="emphasis">auditallow</span> will allow the access but will also log it (by default,
- allowances are not logged)
- </li>
- <li>
- <span class="emphasis">neverallow</span> forces that a certain allow rule cannot be granted. Even
- though SELinux is a positive security model (white listing), sometimes
- neverallow rules might be needed. But generally you will not often see them.
- </li>
-</ul>
-<p>
-As you can imagine, defining the rules for an entire system is very
-resource-intensive if you want to do it right. It not only requires a deep
-insight in how the system works, but also a lot of rule writing and testing. But
-even more time consuming is that you will write the same rules over and over
-again for different domains. To help developers with policy writing, a
-<span class="emphasis">reference policy</span> has been brought to life with the following required
-functionalities:
-</p>
-<ul>
- <li>
- development of SELinux policy rules should be centralized even for different
- distributions
- </li>
- <li>
- a macro language should be supported that makes it easier to write new
- policies
- </li>
- <li>
- the policies should be modular, allowing for additional rules to be added or
- removed
- </li>
-</ul>
-<p>
-By centralizing the SELinux policy rule development, SELinux users will have the
-same domain naming conventions as on other distributions. This makes debugging a
-lot easier, documenting a lot less distribution-specific and makes it a bit
-easier for end users to get acquainted with SELinux.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Tresys Reference Policy</a></p>
-<p>
-The reference policy by choice is the <a href="http://oss.tresys.com/projects/refpolicy">Tresys SELinux Reference
-Policy</a>. This reference policy - currently at major version 2 - is used by
-almost all SELinux supporting distributions, including Gentoo Hardened, Fedora,
-RedHat Enterprise Linux, Debian, Ubuntu and more. This implementation not only
-offers the modular policies that users are looking for, but also enhances the
-SELinux experience with additional development tools that make it easier to
-work with the SELinux policies on your system.
-</p>
-<p>
-The reference policy starts off with a <span class="emphasis">base</span> policy called
-<span class="path" dir="ltr">base.pp</span>. This is a collection of policies needed to get a system up
-and running and also offers the necessary functions towards the policy modules.
-In Gentoo Hardened, this base policy is offered by <span class="code" dir="ltr">selinux-base-policy</span>.
-</p>
-<p>
-The policy modules themselves also use the <span class="path" dir="ltr">.pp</span> extension, but are
-named more appropriately towards their content. For instance, the policy module
-that contains all policy rules for the <span class="code" dir="ltr">screen</span> application is called
-<span class="path" dir="ltr">screen.pp</span>. However, don't count on all policy modules to be named
-after the tool: the policy module that contains the <span class="code" dir="ltr">wpa_supplicant</span>
-specific rules is called <span class="path" dir="ltr">networkmanager.pp</span>. In Gentoo Hardened, the
-modular policies are available in the <span class="path" dir="ltr">sec-policy</span> category and are
-named <span class="path" dir="ltr">selinux-&lt;module&gt;</span>.
-</p>
-<p>
-To get a list of running modules, run <span class="code" dir="ltr">semodule</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the running SELinux policy modules</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semodule -l</span>
-dbus 1.14.0
-dnsmasq 1.9.0
-hal 1.13.0
-[...]
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Toggle Policy States</a></p>
-<p>
-As policies are built off from a "deny all" perspective, you can imagine that
-there are thousands of rules already available in the reference policy.
-Sometimes the developers know that particular rules will be active on one system
-and inactive on another. Although this can be accomplished by developing two
-different modules, SELinux development has opted to support <span class="emphasis">SELinux
-booleans</span>.
-</p>
-<p>
-SELinux booleans allow for rules to be conditionally applied, based on the
-administrator's requirements. You can get a list of supported booleans through
-<span class="code" dir="ltr">getsebool</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a list of supported booleans and their current state</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">getsebool -a</span>
-allow_execheap --&gt; off
-allow_execmem --&gt; off
-[...]
-fcron_crond --&gt; off
-global_ssp --&gt; on
-[...]
-</pre></td></tr>
-</table>
-<p>
-If you need to change a boolean, you can use <span class="code" dir="ltr">togglesebool</span> to switch its
-value, or <span class="code" dir="ltr">setsebool</span> so explicitly set its state:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Toggling boolean states</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">getsebool user_dmesg</span>
-user_dmesg --&gt; off
-~# <span class="code-input">togglesebool user_dmesg</span>
-user_dmesg: active
-<span class="code-comment">(Now, the state is set to 'on')</span>
-~# <span class="code-input">getsebool user_dmesg</span>
-user_dmesg --&gt; on
-<span class="code-comment">(Explicitly set the value to 'off')</span>
-~# <span class="code-input">setsebool user_dmesg off</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Policy Files and Locations</a></p>
-<p>
-On Gentoo Hardened, the SELinux policy files are stored in
-<span class="path" dir="ltr">/usr/share/selinux/strict</span> or
-<span class="path" dir="ltr">/usr/share/selinux/targeted</span> (depending on your SELinux
-configuration). Within this location, you will find:
-</p>
-<ul>
- <li>
- a file called <span class="path" dir="ltr">base.pp</span>, which is the SELinux base policy,
- </li>
- <li>
- one or more files with extension <span class="path" dir="ltr">.pp</span>, which are the SELinux
- policy modules, and
- </li>
- <li>
- an <span class="path" dir="ltr">include/</span> folder which contains the necessary files for
- SELinux module developers to build additional modules for this system
- </li>
-</ul>
-<p class="secthead"><a name="doc_chap1_sect1">Policy Versions</a></p>
-<p>
-The SELinux policy infrastructure that is used (i.e. the capabilities and
-functionalities that it offers) isn't in its first version. If you would run
-<span class="code" dir="ltr">sestatus</span> now, you'll notice that we are using policy version 24. Every
-time functionalities or capabilities are added which require changes to the
-internal structure of the compiled policy, this version is incremented. The
-following is an overview of the policy versions' history.
-</p>
-<dl>
- <dt>Version 12</dt>
- <dd>"Old API" for SELinux, which is now deprecated</dd>
- <dt>Version 15</dt>
- <dd>"New API" for SELinux, merged in Linux kernel 2.6.0 (until 2.6.5)</dd>
- <dt>Version 16</dt>
- <dd>Conditional policy extensions added (2.6.5)</dd>
- <dt>Version 17</dt>
- <dd>IPV6 support added (2.6.6 - 2.6.7)</dd>
- <dt>Version 18</dt>
- <dd>Fine-grained netlink socket support added (2.6.8 - 2.6.11)</dd>
- <dt>Version 19</dt>
- <dd>Enhanced multi-level security (2.6.12 - 2.6.13)</dd>
- <dt>Version 20</dt>
- <dd>Access vector table size optimizations (2.6.14 - 2.6.18)</dd>
- <dt>Version 21</dt>
- <dd>Object classes in range transitions (2.6.19 - 2.6.24)</dd>
- <dt>Version 22</dt>
- <dd>Policy capabilities (features) (2.6.25)</dd>
- <dt>Version 23</dt>
- <dd>Per-domain permissive mode (2.6.26 - 2.6.27)</dd>
- <dt>Version 24</dt>
- <dd>Explicit hierarchy (type bounds) (2.6.28 - 2.6.38)</dd>
- <dt>Version 25</dt>
- <dd>Filename based transition support (2.6.39)</dd>
- <dt>Version 26</dt>
- <dd>Role transition support for non-process classes (3.0)</dd>
-</dl>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated June 2, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
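Review bot: the "Policy Versions" list at the end of this deleted page is a verbatim copy of the one removed in the first hunk of this diff (Version 12 through Version 26 with the same kernel ranges), so the same table was being maintained in two chapters; if the source documents still carry both copies, keep one and link to it from the other. Two wording nits in the same page, should it be regenerated: `semodule -l` lists installed modules, not "running" ones, so "To get a list of running modules" and the listing title "Listing the running SELinux policy modules" are misleading; and "or setsebool so explicitly set its state" should read "to explicitly set its state".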
diff --git a/html/selinux/hb-intro-resources.html b/html/selinux/hb-intro-resources.html
deleted file mode 100644
index ff88fae..0000000
--- a/html/selinux/hb-intro-resources.html
+++ /dev/null
@@ -1,97 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/../../../css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/../../../favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Background</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction to SELinux</a></p>
-<ul>
- <li>
- <a href="http://www.nsa.gov/research/_files/selinux/papers/inevit-abs.shtml">The Inevitability of Failure:
- The Flawed Assumption of Security in Modern Computing Environments</a>
- explains the need for mandatory access controls.
- </li>
- <li>
- <a href="http://www.nsa.gov/research/_files/selinux/papers/flask-abs.shtml">The Flask Security Architecture:
- System Support for Diverse Security Policies</a>
- explains the security architecture of Flask, the architecture used by SELinux.
- </li>
- <li>
- <a href="http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml">Implementing SELinux as a Linux Security Module</a>
- has specifics about SELinux access checks in the kernel.
- </li>
-</ul>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Policy</p>
-<p class="secthead"><a name="doc_chap1_sect1">Policy Related References</a></p>
-<ul>
- <li>
- <a href="http://www.nsa.gov/research/_files/selinux/papers/policy2-abs.shtml">Configuring the SELinux Policy</a>
- </li>
- <li>
- <a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a>
- </li>
- <li>
- SELinux <a href="http://www.selinuxproject.org/page/ObjectClassesPerms">Object Classes and Permissions</a> Overview
- </li>
-</ul>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Books</p>
-<p class="secthead"><a name="doc_chap1_sect1">Paper Books</a></p>
-<ul>
- <li>
- <span class="code" dir="ltr">SELinux by Example: Using Security Enhanced Linux</span>, Frank Mayer,
- Karl MacMillan, and David Caplan, Prentice Hall, 2006; ISBN 0131963694
- </li>
- <li>
- <span class="code" dir="ltr">SELinux: NSA's Open Source Security Enhanced Linux</span>, Bill McCarty,
- O'Reilly Media, 2004; ISBN 0596007167
- </li>
-</ul>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Gentoo Specific Resources</p>
-<p class="secthead"><a name="doc_chap1_sect1">Gentoo Hardened</a></p>
-<p>
-The following resources are specific towards Gentoo Hardened's SELinux
-implementation.
-</p>
-<ul>
- <li>
- <a href="selinux-faq.html">SELinux Frequently Asked
- Questions</a>
- </li>
-
-</ul>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated May 31, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
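Review bot: deleting hb-intro-resources.html removes the only handbook link to the FAQ seen in this diff (`<a href="selinux-faq.html">SELinux Frequently Asked Questions</a>`) while `html/selinux-faq.html` itself is kept and modified in the same commit; confirm the FAQ is still reachable from whatever index replaces these previews. Two generator defects visible in the removed page are worth fixing at the source before the previews are ever regenerated: every chapter heading is emitted as `<a name="doc_chap1">` with number "1." (four chapters, one anchor name, so in-page links are ambiguous), and the stylesheet and favicon links use the path `http://www.gentoo.org/../../../css/main.css`, which resolves only by accident.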
diff --git a/html/selinux/hb-intro-virtualization.html b/html/selinux/hb-intro-virtualization.html
deleted file mode 100644
index 46ffa48..0000000
--- a/html/selinux/hb-intro-virtualization.html
+++ /dev/null
@@ -1,42 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>TODO</p>
-<p>
-This is a place-holder for future expansion.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated December 1, 2010</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
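Review bot: this page contains only a "TODO" chapter with "This is a place-holder for future expansion", so deleting the generated copy loses no content; the one thing to carry forward is that this page links the favicon relatively (`HREF="favicon.ico"`) whereas the sibling pages in this diff use an absolute `http://www.gentoo.org/favicon.ico`, an inconsistency in the generator output that should be resolved in the build rather than in the committed HTML.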
diff --git a/html/selinux/hb-using-commands.html b/html/selinux/hb-using-commands.html
deleted file mode 100644
index 468df7a..0000000
--- a/html/selinux/hb-using-commands.html
+++ /dev/null
@@ -1,452 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Information Commands</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-You should currently have a SELinux enabled system (but running in permissive
-mode, so it will not enforce its policy rules). So before we introduce you to
-the world of SELinux and how you can add more rules to make sure your system
-remains functional when you switch to enforcing mode, we first give a quick
-overview of the various SELinux related commands.
-</p>
-<p>
-We start off with state commands where you can get global information on SELinux
-state (is it running in enforcing mode or not, versions etc.)
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Getting SELinux Status</a></p>
-<p>
-The first command we will talk about is <span class="code" dir="ltr">sestatus</span>.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running sestatus</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">sestatus</span>
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: permissive
-Mode from config file: permissive
-Policy version: 24
-Policy from config file: strict
-</pre></td></tr>
-</table>
-<p>
-The output of this command shows you that SELinux is enabled and is currently in
-the <span class="emphasis">permissive</span> mode. It also tells you that the system is configured to
-run in <span class="emphasis">strict</span> mode - so no unconfined_t domain here.
-</p>
-<p>
-The <span class="code" dir="ltr">sestatus</span> command also has an extended output if you run it with the
-<span class="code" dir="ltr">-v</span> option. When this is done, the command returns the contexts of
-important processes and files:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running sestatus -v</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">sestatus -v</span>
-SELinux status: enabled
-SELinuxfs mount: /selinux
-Current mode: enforcing
-Mode from config file: enforcing
-Policy version: 24
-Policy from config file: strict
-
-Process contexts:
-Current context: staff_u:sysadm_r:sysadm_t
-Init context: system_u:system_r:init_t
-/sbin/agetty system_u:system_r:getty_t
-/usr/sbin/sshd system_u:system_r:sshd_t
-
-File contexts:
-Controlling term: staff_u:object_r:user_devpts_t
-/sbin/init system_u:object_r:init_exec_t
-/sbin/agetty system_u:object_r:getty_exec_t
-/bin/login system_u:object_r:login_exec_t
-/sbin/rc system_u:object_r:rc_exec_t
-/usr/sbin/sshd system_u:object_r:sshd_exec_t
-/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
-/etc/passwd system_u:object_r:etc_t
-/etc/shadow system_u:object_r:shadow_t
-/bin/sh system_u:object_r:bin_t -&gt; system_u:object_r:shell_exec_t
-/bin/bash system_u:object_r:shell_exec_t
-/usr/bin/newrole system_u:object_r:newrole_exec_t
-/lib/libc.so.6 system_u:object_r:lib_t -&gt; system_u:object_r:lib_t
-/lib/ld-linux.so.2 system_u:object_r:lib_t -&gt; system_u:object_r:ld_so_t
-</pre></td></tr>
-</table>
-<p>
-Another general SELinux status command is <span class="code" dir="ltr">getenforce</span>, which allows you to
-quickly see if your SELinux is running in enforcing mode (SELinux policies are
-enforced), permissive (SELinux policies are checked and logged, but not
-enforced) or disabled (SELinux policy is not loaded and thus not checked).
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using the getenforce command</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">getenforce</span>
-Enforcing
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Getting SELinux Object Information</a></p>
-<p>
-Next on the table is the <span class="code" dir="ltr">seinfo</span> command. This command allows you to query
-the running policy for all objects (types, roles, attributes, users, booleans
-...) defined.
-</p>
-<p>
-Common usages are:
-</p>
-<ul>
- <li>
- checking if a specific domain is defined on your system (in case you're
- wondering if you need to load an additional SELinux policy module or not)
- </li>
- <li>
- checking which domains a particular role can be in (in case you're wondering
- if your regular users are allowed by SELinux policies to even be
- transitioned towards a specific domain)
- </li>
- <li>
- checking which attributes are assigned to a specific domain (or vice versa,
- which domains have a specific attribute set) as some SELinux policy rules
- work on attributes rather than domains
- </li>
-</ul>
-<p>
-As an example, we query if the crontab_t domain is known, if the user_r role can
-use the contab_t domain and finally which domains have the cron_spool_type
-attribute set.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using seinfo</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">seinfo -tcrontab_t</span>
- crontab_t
-# <span class="code-input">seinfo -ruser_r -x</span>
- user_r
- Dominated Roles:
- user_r
- Types:
- [...]
- crontab_t
- [...]
-# <span class="code-input">seinfo -acron_spool_type -x</span>
- cron_spool_type
- user_cron_spool_t
- system_cron_spool_t
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Querying SELinux Policy Rules</a></p>
-<p>
-A command which you will often use is <span class="code" dir="ltr">sesearch</span>. This command allows you
-to query the current policy allow rules and is a huge help when trying to find
-out if something is allowed (or why something isn't allowed).
-</p>
-<p>
-The <span class="code" dir="ltr">sesearch</span> command is most often used with a source domain (<span class="code" dir="ltr">-s</span>),
-target domain (<span class="code" dir="ltr">-t</span>) or both, the class for which you want to query allow
-rules for (file, dir, socket, process ...) and the privilege you want to query
-for (read, write, open, transition, execute ...).
-</p>
-<p>
-For instance, to find out which domains can write the files that have the
-shadow_t domain:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Querying allow rules with sesearch</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">sesearch -t shadow_t -c file -p write -A</span>
-Found 8 semantic av rules:
- [...]
- allow portage_t shadow_t : file { ioctl read write ... };
- allow useradd_t shadow_t : file { ioctl read write ... };
- ...
-</pre></td></tr>
-</table>
-<p>
-You will notice that there are sometimes results based on attributes rather than
-domains:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Allow rule based on attribute</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
- allow portage_t file_type : file { ioctl read write ... };
-</pre></td></tr>
-</table>
-<p>
-In this case, the source domain (portage_t) is allowed to write to files whose
-domain have the file_type attribute set. If you get the feeling of these things,
-you'll wonder if the above rule is not a flagrant security issue as almost all
-domains for files have the file_type set. Yes and no - if we take a look at
-which domains have file write privileges to file_type domains, you'll notice
-that this is only portage:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Querying domains with file-write privileges to file_type domains</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">sesearch -t file_type -c file -p write -A -d</span>
-Found 1 semantic av rules:
- allow portage_t file_type : file { ioctl read write ... };
-</pre></td></tr>
-</table>
-<p>
-Note that we had one command without the <span class="code" dir="ltr">-d</span> option and one with. When
-<span class="code" dir="ltr">-d</span> is given, the search will perform an exact search without resolving
-the attributes. When <span class="code" dir="ltr">-d</span> is not given, it will resolve the attribute. In
-the last command example, dropping <span class="code" dir="ltr">-d</span> would result in hundreds of allow
-rules: for each domain that has file_type set, the search tries to find rules
-that allow file-write access to that particular domain.
-</p>
-<p>
-Another interesting functionality of the <span class="code" dir="ltr">sesearch</span> command is to show you
-the rules that are applicable depending on the state of a boolean. If you want
-to query on a particular boolean, use <span class="code" dir="ltr">-b</span>. If you want to see the logic
-that the policy uses, use <span class="code" dir="ltr">-C</span> (and yes, both can be combined).
-</p>
-<p>
-As an example, we'll check what we allow (or deny) when the <span class="code" dir="ltr">global_ssp</span>
-boolean is set:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking the policy regarding the global_ssp boolean</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">sesearch -b global_ssp -A -C -d</span>
-Found 2 semantic av rules:
-ET allow domain device_t : dir { getattr search open } ; [ global_ssp ]
-ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]
-</pre></td></tr>
-</table>
-<p>
-The prefix you see shows two letters, relating to two important definitions:
-</p>
-<ul>
- <li>
- Is the rule currently <b>E</b>nabled or <b>D</b>isabled?
- </li>
- <li>
- Does the boolean need to be set to <b>T</b>rue or <b>F</b>alse to enable the rule?
- </li>
-</ul>
-<p class="secthead"><a name="doc_chap1_sect1">Getting Security Context Information</a></p>
-<p>
-During administrative tasks, and especially when you are checking if a SELinux
-denial could be made, it is important to find out what the security context is
-for a particular resource. Luckily, Gentoo Hardened - if properly installed -
-has already patched some tools to allow you to get this information using your
-standard tools.
-</p>
-<p>
-To get the security context of a file, use <span class="code" dir="ltr">ls -Z</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a file security context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">ls -Z /etc/make.conf</span>
-system_u:object_r:portage_conf_t /etc/make.conf
-</pre></td></tr>
-</table>
-<p>
-To get the security context of a process, use <span class="code" dir="ltr">ps -Z</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a process security context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">ps -Z $(pidof init)</span>
-LABEL PID TTY STAT TIME COMMAND
-system_u:system_r:init_t 1 ? Ss 0:00 init [3]
-</pre></td></tr>
-</table>
-<p>
-To get the security context of the current user, use <span class="code" dir="ltr">id -Z</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a user security context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">id -Z</span>
-staff_u:staff_r:staff_t
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Managing SELinux</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Managing SELinux objects (booleans, users, ports, contexts ...) is most often
-done using <span class="code" dir="ltr">semanage</span>. As this application offers the interface towards
-various SELinux configurations, we dedicate an entire section on it, but will
-also cover the commands that offer similar functionality (and are sometimes
-easier to remember).
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Booleans</a></p>
-<p>
-We have already covered SELinux booleans earlier in this book as well as the
-<span class="code" dir="ltr">getsebool</span> and <span class="code" dir="ltr">setsebool</span> commands. With <span class="code" dir="ltr">semanage</span> you can too
-manage the booleans and, as an added bonus, listing the booleans will also show
-the description of the boolean (even though there is still work to be done in
-this area).
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the available SELinux booleans</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage boolean -l</span>
-SELinux boolean Description
-
-allow_ptrace -&gt; off allow_ptrace
-rsync_export_all_ro -&gt; off rsync_export_all_ro
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-As you will notice, most descriptions are just the boolean name, but you will
-find more and more booleans with a better description as you get acquainted with
-- and install more - SELinux policy modules.
-</p></td></tr></table>
-<p>
-You can set a boolean with both <span class="code" dir="ltr">setsebool</span> and <span class="code" dir="ltr">semanage</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting SELinux boolean values</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage boolean -m --on -F user_dmesg</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="users"></a><a name="doc_chap1_sect1">SELinux Users and Logins</a></p>
-<p>
-SELinux users and logins are different from Unix accounts. SELinux logins allow
-you to map a Unix account to a SELinux user:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the SELinux logins</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage login -l</span>
-Login Name SELinux User
-
-__default__ user_u
-root root
-swift staff_u
-system_u system_u
-</pre></td></tr>
-</table>
-<p>
-The default behavior is that users are logged on as the <span class="emphasis">user_u</span> SELinux
-user. This SELinux user is a non-administrator user: it has no specific
-privileges and should be used for every account that never requires elevated
-privileges (so no <span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span> rights for anything).
-</p>
-<p>
-The account you use to administer your system should be mapped to the
-<span class="code" dir="ltr">staff_u</span> SELinux user (or its own user with the appropriate roles). This
-can be accomplished as follows (example with the Unix account <span class="emphasis">anna</span>):
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Letting 'anna' log on as 'staff_u'</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage login -a -s staff_u anna</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
-Make sure that whatever account you use to administer your system is mapped to
-the <span class="code" dir="ltr">staff_u</span> user, or has the ability to switch to the <span class="code" dir="ltr">sysadm_r</span>
-role. Portage only works from within the <span class="code" dir="ltr">sysadm_r</span> role.
-</p></td></tr></table>
-<p>
-As mentioned, SELinux users are configured to be able to join in on one or more
-roles. To list the available roles, you can use <span class="code" dir="ltr">semanage user -l</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing login / role mappings</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage user -l</span>
-SELinux User SELinux Roles
-
-root staff_r sysadm_r
-staff_u staff_r sysadm_r
-[...]
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Managing Ports</a></p>
-<p>
-Even network ports (like port 22 for SSH) are 'protected' by SELinux. To get an
-overview of which domains are assigned to which ports (or port ranges) use
-<span class="code" dir="ltr">semanage port -l</span>.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing SELinux managed ports</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage port -l | grep '22$'</span>
-ssh_port_t tcp 22
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Using SELinux</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Up until now we've covered getting SELinux related information as well as
-managing SELinux settings. However, users on a SELinux hardened system will also
-need to know a few things about working with SELinux, including (but not limited
-to) roles and role transitions.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Switching Roles</a></p>
-<p>
-As a type enforcement access control system, SELinux allows particular roles to
-be within a set of domains. If you are using a role which is not allowed within
-a particular domain, you will not be successful in using that domain and will be
-denied the actions assigned to that domain.
-</p>
-<p>
-If your standard users are all SELinux user_u users (with the only supported
-role being user_r) then those users will never need to switch roles (nor are
-they allowed to). But users that are staff_u (or other users that have multiple
-roles) those users should be made clear how they switch between roles. We have
-already covered how to map such users to the correct SELinux user (see <a href="#users">SELinux Users and Logins</a>).
-</p>
-<p>
-The command that accomplishes switching roles is called <span class="code" dir="ltr">newrole</span>. It's
-use is pretty straight forward.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using newrole</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">newrole -r sysadm_r</span>
-Password: <span class="code-comment">(Enter the users' password - not root's!)</span>
-</pre></td></tr>
-</table>
-<p>
-When performing a role transition, SELinux will ask the user to re-authenticate
-through its users' password. If you are logged on as a regular user and used
-<span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span> to become the root user, then <span class="code" dir="ltr">newrole</span> will still
-require you to enter the regular users' password.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
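Review bot: this hunk, which runs from the newrole section through the closing </html>, removes the whole generated page rather than refreshing it, and nothing in the diff adds replacement output under html/ in its place; the commit message should state that the preview files are being dropped (and why), and that the source documents they were rendered from are unaffected, so the history does not read as a regeneration that lost content such as the newrole re-authentication note.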
diff --git a/html/selinux/hb-using-configuring.html b/html/selinux/hb-using-configuring.html
deleted file mode 100644
index d583184..0000000
--- a/html/selinux/hb-using-configuring.html
+++ /dev/null
@@ -1,919 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Administering Users</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-During the installation, we already covered how to map a Linux user to a SELinux
-user. In the example, we used a hypothetical user "john" and mapped him to the
-SELinux user "staff_u". If you are running a multi-user system, managing the
-right mappings is important. A user that is mapped to the SELinux user "user_u"
-will not get any additional rights. Even if you would give that user additional
-rights through commands such as <span class="code" dir="ltr">sudo</span>, the SELinux policy will not allow
-this user to do anything that is administration related.
-</p>
-<p>
-For this reason, it is important to go over the SELinux user mappings and the
-Linux users on your system.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">User Mappings</a></p>
-<p>
-Run <span class="code" dir="ltr">semanage login -l</span> to show the current mappings between Linux logins
-and SELinux users.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running semanage login -l</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage login -l</span>
-
-Login Name SELinux User
-
-__default__ user_u
-root root
-john staff_u
-system_u system_u
-</pre></td></tr>
-</table>
-<p>
-The "user_u" SELinux user is for regular accounts. As such, the special
-<span class="emphasis">__default__</span> mapping is defined by SELinux to denote every login that is
-not defined otherwise. This makes sure that a newly defined account does not get
-elevated privileges by default.
-</p>
-<p>
-The next table gives an overview of the standard SELinux users available after
-an installation.
-</p>
-<table class="ntable">
-<tr>
- <td class="infohead"><b>SELinux User</b></td>
- <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
- <td class="tableinfo">user_u</td>
- <td class="tableinfo">
- Default regular SELinux user, which should be used by end-user accounts that
- are not going to administer any service(s) on the system
- </td>
-</tr>
-<tr>
- <td class="tableinfo">staff_u</td>
- <td class="tableinfo">
- SELinux user for administrators. This user has the right to switch roles and
- as such gain elevated privileges
- </td>
-</tr>
-<tr>
- <td class="tableinfo">root</td>
- <td class="tableinfo">
- SELinux user for the root account. It differs little from the staff_u
- account beyond being a different ID. This ensures that files protected by
- the user based access control for root cannot be handled by the staff_u
- (and other) users
- </td>
-</tr>
-<tr>
- <td class="tableinfo">sysadm_u</td>
- <td class="tableinfo">
- SELinux user for system administration. By default, this account is not
- immediately used as this user immediately gets the administrative role
- (whereas staff_u and root still need to switch roles).
- </td>
-</tr>
-<tr>
- <td class="tableinfo">system_u</td>
- <td class="tableinfo">
- SELinux user for system services. It should never be used for end users or
- administrators as it provides direct access to the system role (and
- privileges)
- </td>
-</tr>
-<tr>
- <td class="tableinfo">unconfined_u</td>
- <td class="tableinfo">
- Used when the policy is <span class="emphasis">targeted</span>, this SELinux user has many
- privileges (it is essentially not limited in its actions, although it is
- still handled through SELinux - just through a "wide open" policy).
- </td>
-</tr>
-</table>
-<p>
-To map a user to a specific SELinux user, use <span class="code" dir="ltr">semanage login -a</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping a user 'sophie' to the staff_u user</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage login -a -s staff_u sophie</span>
-</pre></td></tr>
-</table>
-<p>
-However, when you update such mapping, the files in that users' home directory
-will be owned by a wrong SELinux user. It is therefor important to relabel the
-files of that user:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling sophie's files</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">restorecon -R -F /home/sophie</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Additional SELinux Accounts</a></p>
-<p>
-It is perfectly possible to create additional SELinux accounts, and then map the
-Linux logins to these new accounts. This can be necessary when you want a more
-thorough auditing (on end user level) or when you will be enhancing the policy
-with additional roles. Also, if you want to use the User Based Access Control
-feature, using different SELinux users is important to enforce the control on
-different users (if they all use the same SELinux user, then UBAC has little to
-no effect).
-</p>
-<p>
-Managing the SELinux accounts is done through <span class="code" dir="ltr">semanage user</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating a SELinux user</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage user -a -R "staff_r sysadm_r" sophie</span>
-</pre></td></tr>
-</table>
-<p>
-Let's verify how the SELinux users are currently configured:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking the SELinux user identities</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage user -l</span>
-SELinux User SELinux Roles
-
-root staff_r sysadm_r
-sophie staff_r sysadm_r
-staff_u staff_r sysadm_r
-sysadm_u sysadm_r
-system_u system_r
-unconfined_u unconfined_r
-user_u user_r
-
-# <span class="code-input">semanage login -l</span>
-Login Name SELinux User
-
-__default__ user_u
-root root
-sophie staff_u
-swift staff_u
-system_u system_u
-</pre></td></tr>
-</table>
-<p>
-Now that a new SELinux user called "sophie" exists, we can now update the Linux
-user mapping for "sophie" towards the new SELinux user "sophie":
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Updating the Linux user mapping</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage login -m -s sophie sophie</span>
-# <span class="code-input">semanage login -l</span>
-Login Name SELinux User
-
-__default__ user_u
-root root
-sophie sophie
-swift staff_u
-system_u system_u
-</pre></td></tr>
-</table>
-<p>
-Again, do not forget to relabel this users' files.
-</p>
-<p>
-As you can see, managing SELinux users means defining the roles to which the
-user has access to. We already gave a high-level introduction to the default
-roles in <span title="Link to other book part not available"><font color="#404080">(SELinux Concepts)</font></span>, but as roles are
-important when using a Mandatory Access Control system, let's refresh our memory
-again:
-</p>
-<table class="ntable">
-<tr>
- <td class="infohead"><b>SELinux Role</b></td>
- <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
- <td class="tableinfo">user_r</td>
- <td class="tableinfo">
- Default end-user role. This role provides access to regular applications and
- activities, but does not allow any system or service administration beyond
- what is expected for a regular user.
- </td>
-</tr>
-<tr>
- <td class="tableinfo">staff_r</td>
- <td class="tableinfo">
- Default administration role for day-to-day activities. This role has some
- additional privileges beyond what is offered through user_r, but is not a
- full system administrative role. It is meant for the non-administrative
- activities done by operators and administrators
- </td>
-</tr>
-<tr>
- <td class="tableinfo">sysadm_r</td>
- <td class="tableinfo">
- System administration role. This role is highly privileged (since it also
- contains the privileges to update the policy) and should only be given to
- fully trusted administrators. It is almost never immediately granted to
- users (they first need to switch roles) except for direct root access (for
- instance through the console)
- </td>
-</tr>
-<tr>
- <td class="tableinfo">system_r</td>
- <td class="tableinfo">
- System service role, which is used for the runtime services (processes). It
- is never granted to users directly.
- </td>
-</tr>
-<tr>
- <td class="tableinfo">unconfined_r</td>
- <td class="tableinfo">
- The unconfined role is used when the <span class="emphasis">targeted</span> policy is supported.
- This role is given to unconfined users (such as the SELinux unconfined_u
- user) which have very wide privileges (they almost run without constraints).
- </td>
-</tr>
-</table>
-<p>
-It should be noted that these roles are the default ones, but the security
-administrator - yes, that means you - can create additional roles and add
-particular privileges to it. We will discuss this later in this book as it means
-you'll need to update the Gentoo Hardened SELinux policy.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Reading Audit Logs</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-When working with a SELinux-enabled system, you will eventually notice that
-things behave differently, but without giving any meaningful error message.
-Usually, when SELinux "denies" a particular access, it logs it into the audit
-log of the system, but for the application itself, it is perfectly possible that
-it just silently dies. If not, you're most likely to get a <span class="emphasis">permission
-denied</span> error message.
-</p>
-<p>
-Initially, SELinux is running in <span class="code" dir="ltr">permissive</span> mode, which means that
-SELinux will log what it <span class="emphasis">would</span> deny, but still let it through.
-This mode is perfect for getting the system in shape without having too
-much problems keeping it running. Once you think your security settings are
-in order, then this mode can be switched from <span class="code" dir="ltr">permissive</span> to
-<span class="code" dir="ltr">enforcing</span>. We'll talk about these modes later.
-</p>
-<p>
-First, let's take a look at the audit log and see what it is saying...
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Audit Log Location(s)</a></p>
-<p>
-The SELinux kernel code writes its denials (and sometimes even allowed but
-audited activities) into the audit log. If you are running on a Gentoo Hardened
-installation with the <span class="code" dir="ltr">syslog-ng</span> system logger, then the logger is already
-configured to place these audit lines in <span class="path" dir="ltr">/var/log/avc.log</span>. However,
-different system loggers or system logger configurations might put the entries
-in a different log location (such as <span class="path" dir="ltr">/var/log/audit.log</span>).
-</p>
-<p>
-Below, you'll find the appropriate lines for the syslog-ng system logger
-configuration for writing the events in <span class="path" dir="ltr">/var/log/avc.log</span>.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: syslog-ng.conf excerpt for SELinux AVC entries</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># The following lines are only /part/ of the configuration file!</span>
-source kernsrc { file("http://www.gentoo.org/proc/kmsg"); };
-destination avc { file("http://www.gentoo.org/var/log/avc.log"); };
-filter f_avc { message(".*avc: .*"); };
-
-log {
- source(kernsrc);
- filter(f_avc);
- destination(avc);
-};
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">What is AVC?</a></p>
-<p>
-As we mentioned, SELinux writes its entries in the audit log. These entries are
-called <span class="emphasis">avc messages</span> or <span class="emphasis">avc log entries</span>. The abbreviation AVC
-stands for <span class="emphasis">Access Vector Cache</span> and, like the name sais, is a caching
-system.
-</p>
-<p>
-Using an access vector cache improves performance on dealing with (and
-enforcing) activities and privileges. Since SELinux offers a very detailed
-approach on privileges and permissions, it would become quite painful
-(performance-wise) if each call means that the SELinux code needs to look up the
-domain, the target resource label, the privilege and if it is allowed or not
-over and over again. Instead, SELinux uses the Access Vector Cache to store past
-requests/responses. It is the AVC subsystem that is responsible for checking
-accesses and (if necessary) logging it.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Reading an AVC Denial Message</a></p>
-<p>
-Below you'll find a typical AVC denial message.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example AVC denial message</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
- avc: denied { module_request } for pid=14561 comm="firefox" kmod="net-pf-10"
- scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
-</pre></td></tr>
-</table>
-<p>
-Let's analyze each part of this message one by one.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: Timestamp and location information</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-input">Oct 15 13:04:54 hpl kernel: [963185.177043]</span> type=1400 audit(1318676694.660:2472):
- avc: denied { module_request } for pid=14561 comm="firefox" kmod="net-pf-10"
- scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
-</pre></td></tr>
-</table>
-<p>
-This first part of the message informs you when the message was written (Oct 15
-13:04:54), on which host (hpl) and how many seconds since the system was booted
-(963185.177043).
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: source information</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
- avc: denied { module_request } for <span class="code-input">pid=14561 comm="firefox"</span> kmod="net-pf-10"
- <span class="code-input">scontext=staff_u:staff_r:mozilla_t</span> tcontext=system_u:system_r:kernel_t tclass=system
-</pre></td></tr>
-</table>
-<p>
-Next is the source of the denial, i.e. what process is trying to do something.
-In this case, the process is firefox, with PID 14561, which is running in the
-source domain staff_u:staff_r:mozilla_t.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: target resource</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
- avc: denied { module_request } for pid=14561 comm="firefox" <span class="code-input">kmod="net-pf-10"</span>
- scontext=staff_u:staff_r:mozilla_t <span class="code-input">tcontext=system_u:system_r:kernel_t</span> tclass=system
-</pre></td></tr>
-</table>
-<p>
-The target of the activity is a kernel module (net-pf-10, which is the internal
-name given for IPv6), labeled system_u:system_r:kernel_t
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial: denied action</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472):
- avc: denied { <span class="code-input">module_request</span> } for pid=14561 comm="firefox" kmod="net-pf-10"
- scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t <span class="code-input">tclass=system</span>
-</pre></td></tr>
-</table>
-<p>
-Finally, the action that is denied (module_request) and its class (system).
-These classes help you to identify what is denied, because a read on a file is
-different from a read on a directory.
-</p>
-<p>
-For instance, in the following case, a process <span class="code" dir="ltr">gorg</span> with PID 13935 is
-trying to read a file called <span class="path" dir="ltr">localtime</span> with inode 130867 which
-resides on the device <span class="path" dir="ltr">/dev/md3</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: AVC denial example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Oct 15 14:40:30 hpl kernel: [968909.807802] type=1400 audit(1318682430.323:2614):
- avc: denied { read } for pid=13935 comm="gorg" name="localtime" dev=md3 ino=130867
- scontext=staff_u:sysadm_r:gorg_t tcontext=system_u:object_r:locale_t tclass=file
-</pre></td></tr>
-</table>
-<p>
-In this case, it might be obvious that the file is <span class="path" dir="ltr">/etc/localtime</span>,
-but when that isn't the case, then you can find the following two commands
-useful:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Finding out the target resource based on inode and device</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">(Find out which device /dev/md3 is)</span>
-# <span class="code-input">mount | grep /dev/md3</span>
-/dev/md3 on / type ext4 (rw,seclabel,noatime,barrier=1,nodelalloc,data=journal)
-
-<span class="code-comment">(Find out what file has inode 130867)</span>
-# <span class="code-input">find / -xdev -inum 130867</span>
-/etc/localtime
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Handling AVC denials</a></p>
-<p>
-The major part of configuring SELinux is reading the denials, finding out what
-needs to be fixed (or ignored), fix it, and repeat the steps. Hopefully, the
-rest of this handbook will help you figure out what is causing a denial.
-</p>
-<p>
-Denials can be cosmetic (an activity that is denied, but has no effect on the
-application's functional behaviour). If that is the case, the denial can be
-marked as <span class="emphasis">dontaudit</span>, meaning that the denial is not logged by default
-anymore. If you think that a denial is occurring but you do not see it in the
-logs, try disabling the <span class="emphasis">dontaudit</span> rules:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Disabling dontaudit</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">(The command can also be abbreviated to "semodule -DB")</span>
-# <span class="code-input">semodule --build --disable_dontaudit</span>
-</pre></td></tr>
-</table>
-<p>
-In most cases though, denials need to be acted upon. Actions that might need to
-happen are:
-</p>
-<ul>
- <li>
- relabeling the target resource (wrong labels might cause legitimate actions
- to be denied)
- </li>
- <li>
- relabeling the source (process' binary file) as a wrong label might cause
- the application to run in the wrong domain
- </li>
- <li>
- loading a necessary SELinux module, since the modules contain the rules to
- allow (and label) resources. Without the appropriate module loaded, you will
- notice denials since no other module gives the necessary grants (allow
- statements)
- </li>
- <li>
- granting the right role to the user executing the application. We have
- covered users and their roles initially but we will go deeper into this
- subject later in the handbook.
- </li>
- <li>
- adding your own SELinux policy statements, most likely because no SELinux
- policy module exists for the application you are trying to run
- </li>
-</ul>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Using (File) Labels</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Within SELinux, access privileges are based on the label given on the
-originating part (called the <span class="emphasis">domain</span>) and its target resource. For
-instance, a process running in the passwd_t domain wants to read (= privilege)
-the file <span class="path" dir="ltr">/etc/shadow</span> which is labeled shadow_t (= the target
-resource). It comes to no surprise then that the majority of SELinux
-administration is (re)labeling the resources correctly (and ensuring their label
-stays correct).
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Getting File Label(s)</a></p>
-<p>
-There are many ways to relabel commands, and none of them are equal to another.
-But before we explain this in more detail, let's first take a look at a few file
-labels (and how you can query them).
-</p>
-<p>
-In SELinux, labels are given on a file level through the file systems' ability
-to keep <span class="emphasis">extended attributes</span>. For SELinux, the attribute is called
-<span class="code" dir="ltr">security.selinux</span> and can be obtained through <span class="code" dir="ltr">getfattr</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting a file's extended attribute for SELinux</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">getfattr -n security.selinux /etc/hosts</span>
-# file: etc/hosts
-security.selinux="system_u:object_r:net_conf_t"
-</pre></td></tr>
-</table>
-<p>
-Of course, getting the file attribute this way is time consuming and not that
-flexible. For this purpose, most important applications (including
-<span class="code" dir="ltr">coreutils</span>) are made SELinux-aware. These applications mostly use the
-<span class="code" dir="ltr">-Z</span> option to display the SELinux context information. In case of files,
-this means the extended attribute content:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting the context of a file</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">ls -Z /etc/hosts</span>
-system_u:object_r:net_conf_t /etc/hosts
-</pre></td></tr>
-</table>
-<p>
-Other commands exist that display the context as it should be, like
-<span class="code" dir="ltr">matchpathcon</span>. However, their purpose is to query the SELinux policy on
-your system to find out what the policy ought to be, not what it is:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Difference between context and matchpathcon result</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">ls -Z /etc/make.conf</span>
-staff_u:object_r:etc_t /etc/make.conf
-$ <span class="code-input">matchpathcon /etc/make.conf</span>
-/etc/make.conf system_u:object_r:portage_conf_t
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Setting File Label(s)</a></p>
-<p>
-Now how can you manipulate file labels? Well, first of all: you will not be
-allowed to change the file labels of any possible file (not even if you are the
-owner of that file) unless the SELinux policy allows you to. These allow rules
-are made on two privilege types: which labels are you allowed to change
-(<span class="code" dir="ltr">relabelfrom</span>) and to which labels are you allowed to change
-(<span class="code" dir="ltr">relabelto</span>). You can query these rules through <span class="code" dir="ltr">sesearch</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Querying the relabelto/relabelfrom types</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># From which label on files (-c) is user_t (-s) allowed (-A) to relabel from (-p)?</span>
-$ <span class="code-input">sesearch -s user_t -c file -p relabelfrom -A</span>
-<span class="code-comment">[...]</span>
-allow user_t mozilla_home_t : file { <span class="code-comment">...</span> relabelfrom relabelto } ;
-</pre></td></tr>
-</table>
-<p>
-If you have the permission, then you can use <span class="code" dir="ltr">chcon</span> to <span class="emphasis">ch</span>ange the
-<span class="emphasis">con</span>text of a file:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Changing a file context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">ls -Z strace.log</span>
-staff_u:object_r:user_home_t strace.log
-$ <span class="code-input">chcon -t mutt_home_t strace.log</span>
-$ <span class="code-input">ls -Z strace.log</span>
-staff_u:object_r:mutt_home_t strace.log
-</pre></td></tr>
-</table>
-<p>
-If you do not hold the right privileges, you will get a descriptive error
-message:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Trying to change file context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">chcon -t shadow_t strace.log</span>
-chcon: failed to change context of `strace.log' to `staff_u:object_r:shadow_t': Permission denied
-</pre></td></tr>
-</table>
-<p>
-Now, if you now think that <span class="code" dir="ltr">chcon</span> is all you need, you're wrong. The
-<span class="code" dir="ltr">chcon</span> command does nothing more than what it sais - change context. But
-when the system relabels files, these changes are gone. Relabeling files is
-often done to ensure that the file labels are correct (as in: the labels match
-what the SELinux policy sais they ought to be). The SELinux policy contains, for
-each policy module, the list of files, directories, sockets, ... and their
-appropriate file context (label).
-</p>
-<p>
-We will look at SELinux policy modules later, but below you'll find an excerpt
-from such a definition, for the <span class="code" dir="ltr">mozilla</span> module:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Excerpt of the mozilla module file contexts</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/lib64/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-</pre></td></tr>
-</table>
-<p>
-To put the right label on a file, you can use the <span class="code" dir="ltr">setfiles</span> or
-<span class="code" dir="ltr">restorecon</span> commands. Since they are both the same command (but with a
-slightly different way of using) we'll only talk about <span class="code" dir="ltr">restorecon</span> for now
-- more information on the <span class="code" dir="ltr">setfiles</span> command can be found in its man page.
-</p>
-<p>
-When you use <span class="code" dir="ltr">restorecon</span>, the application will query the SELinux policy to
-find out what the right label of the file should be. If it differs, it will
-change the label to the right setting. That means that you do not need to
-provide the label for a file in order for the command to work. Also,
-<span class="code" dir="ltr">restorecon</span> supports recursivity, so you do not need to relabel files one
-by one.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using restorecon</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">ls -Z /etc/make.conf</span>
-staff_u:object_r:etc_t /etc/make.conf
-$ <span class="code-input">restorecon /etc/make.conf</span>
-$ <span class="code-input">ls -Z /etc/make.conf</span>
-system_u:object_r:portage_conf_t /etc/make.conf
-</pre></td></tr>
-</table>
-<p>
-Finally, Gentoo also provides a useful application: <span class="code" dir="ltr">rlpkg</span>. This script
-relabels the files of a Gentoo package (<span class="code" dir="ltr">rlpkg &lt;packagename&gt;</span>) or,
-given the right arguments, all files on the file system:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using rlpkg</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># Relabel the files of the firefox-bin package:</span>
-# <span class="code-input">rlpkg firefox</span>
-
-<span class="code-comment"># Relabel all files on the file system:</span>
-# <span class="code-input">rlpkg -a -r</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Overriding the SELinux Policy File Labels</a></p>
-<p>
-You might not always agree with the label that the SELinux policy enforces on
-the files: you might have your files located elsewhere (a different location for
-your Portage tree is a nice example) or you need to label them differently in
-order for other applications to work. To not have to <span class="code" dir="ltr">chcon</span> these files
-over and over again, you can enhance the SELinux policy on your system with
-additional file context rules. These rules are used when you call
-<span class="code" dir="ltr">restorecon</span> as well and override the rules provided by the SELinux policy.
-</p>
-<p>
-To add additional file context rules, you need to use the <span class="code" dir="ltr">semanage</span>
-command. This command is used to manage, manipulate and update the local SELinux
-policy on your system. In this particular case, we will use the <span class="code" dir="ltr">semanage
-fcontext</span> command:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Using semanage to add a file context rule</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># Mark /mnt/gentoo/etc/make.conf as a portage_conf_t type</span>
-# <span class="code-input">semanage fcontext -a -t portage_conf_t /mnt/gentoo/etc/make.conf</span>
-
-<span class="code-comment"># Mark /mnt/gentoo/usr/portage as portage_ebuild_t</span>
-# <span class="code-input">semanage fcontext -a -t portage_ebuild_t "http://www.gentoo.org/mnt/gentoo/usr/portage(/.*)?"</span>
-</pre></td></tr>
-</table>
-<p>
-As you can see from the example, you can use wildcards. But beware about using
-wildcards: when a rule holds a wildcard, it has a lower priority than a rule
-without a wildcard. And the priority on rules with a wildcard is based on how
-"down" the string the first occurance of a wildcard is. For more information,
-please check out our <a href="../selinux-faq.xml#matchcontext">FAQ on "How do
-I know which file context rule is used for a particular file?."</a>
-</p>
-<p>
-If you want to delete a file context definition, you use <span class="code" dir="ltr">semanage fcontext
--d</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Deleting a file context definition</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage fcontext -d -t portage_ebuild_t /mnt/gentoo/etc/make.conf</span>
-</pre></td></tr>
-</table>
-<p>
-Finally, to view all file context definitions (both user-set and SELinux policy
-provided), you can use <span class="code" dir="ltr">semanage fcontext -l</span>. To only see the locally set,
-add <span class="code" dir="ltr">-C</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Viewing user-set file context enhancements</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semanage fcontext -C -l</span>
-SELinux fcontext type Context
-/opt/xxe/bin/.*\.jar all files system_u:object_r:lib_t
-/srv/virt/gentoo(/.*)? all files system_u:object_r:qemu_image_t
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Customizable types</a></p>
-<p>
-Labels on files are not that hard to understand, but you might come into some
-surprises if you do not know that there are also customizable types.
-</p>
-<p>
-A <span class="emphasis">customizable type</span> is a specific type which is not touched by the
-SELinux administration tools by default. If you want to relabel a file that
-currently holds a customizable type, you will need to force this through the
-commands (such as <span class="code" dir="ltr">restorecon -F</span>).
-</p>
-<p>
-There are not that many customizable types by default. The list of types that
-SELinux considers as customizable are mentioned in the
-<span class="path" dir="ltr">customizable_types</span> file within the
-<span class="path" dir="ltr">/etc/selinux/*/contexts</span> location:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the customizable types</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">cat /etc/selinux/strict/contexts/customizable_types</span>
-mount_loopback_t
-public_content_rw_t
-public_content_t
-swapfile_t
-textrel_shlib_t
-</pre></td></tr>
-</table>
-<p>
-Such types exist because these types are used for files whose location is known
-not to be fixed (and as such, the SELinux policy cannot without a doubt know if
-the label on the files is correct or not). The <span class="code" dir="ltr">public_content_t</span> one,
-which is used for files that are readable by several services (like FTP, web
-server, ...), might give you a nice example for such a case.
-</p>
-<p>
-If you look at the <span class="code" dir="ltr">restorecon</span> man page, it mentions both customizable
-types as well as the user section. The latter is for rules that are identified
-in the SELinux policy as being files for an end user, like the following
-definitions in the <span class="code" dir="ltr">mozilla</span> policy module:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: User section definition within mozilla module</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-</pre></td></tr>
-</table>
-<p>
-Although in the above example, forcing <span class="code" dir="ltr">restorecon</span> on the files is
-probably correct, there are examples where you do not want this. For instance,
-the firefox policy by default only allows the application to write to
-directories labeled <span class="code" dir="ltr">mozilla_home_t</span>. If you want to download something,
-this isn't possible (unless you download it into <span class="path" dir="ltr">~/.mozilla</span>). The
-solution there is to label a directory (say <span class="path" dir="ltr">~/Downloads</span>) as
-<span class="code" dir="ltr">mozilla_home_t</span>.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Policy and Booleans</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-We have dealt with users and labels now, but there is still a third aspect that
-we haven't touched: the SELinux policy itself.
-</p>
-<p>
-The SELinux policy as offered by Gentoo Hardened is a carefully tuned SELinux
-policy, based on the reference policy (a distribution-agnostic SELinux policy)
-with minor changes. Hopefully, you will not need to rewrite the policy to suit
-it for your needs, but changes are very likely to occur here and there.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Changing the SELinux Policy Behavior: Booleans</a></p>
-<p>
-A common and user friendly way of tweaking the SELinux policy is through
-booleans. A <span class="emphasis">SELinux boolean</span>, also known as a conditional, changes how the
-SELinux policy behaves based on the setting that the user provides. To make this
-a bit more clear, let's look at a few booleans available:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting SELinux booleans</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">getsebool -a | grep ^user</span>
-user_direct_mouse --&gt; off
-user_dmesg --&gt; off
-user_ping --&gt; on
-user_rw_noexattrfile --&gt; off
-user_tcp_server --&gt; off
-user_ttyfile_stat --&gt; off
-</pre></td></tr>
-</table>
-<p>
-Although they might not say much on first sight, these booleans alter how the
-SELinux policy enforces user activity (hence the booleans starting with
-<span class="path" dir="ltr">user_</span>). For instance, <span class="code" dir="ltr">user_ping</span> is set to <span class="code" dir="ltr">on</span>, so a
-user is allowed to use <span class="code" dir="ltr">ping</span>. If it was set to <span class="code" dir="ltr">off</span>, the SELinux
-policy would not allow a user to execute <span class="code" dir="ltr">ping</span>.
-</p>
-<p>
-Booleans can be toggled on or off using <span class="code" dir="ltr">setsebool</span> or <span class="code" dir="ltr">togglesebool</span>.
-With <span class="code" dir="ltr">setsebool</span> you need to give the value (on or off) whereas
-<span class="code" dir="ltr">togglesebool</span> switches the value.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Disallowing the use of ping by users</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">setsebool user_ping off</span>
-</pre></td></tr>
-</table>
-<p>
-By default, <span class="code" dir="ltr">setsebool</span> does not store the boolean values - after a reboot,
-the old values are used again. To persist such changes, you need to add the
-<span class="code" dir="ltr">-P</span> option:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Persistedly allow users to run dmesg</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">setsebool -P user_dmesg on</span>
-</pre></td></tr>
-</table>
-<p>
-Booleans allow administrators to tune the policy, and allow security
-administrators to write policies that are flexible enough for a more widespread
-use. In terms of Gentoo flexibility, these booleans might not be used enough (it
-would be nice to couple these booleans on USE flags, so that a server build with
-USE="ldap" gets the SELinux policy to use ldap, whereas USE="-ldap" disallows
-it). But still, the use of booleans is a popular method for making a more
-flexible SELinux policy.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Managing SELinux Policy Modules</a></p>
-<p>
-In this last part, we'll cover SELinux policy modules. We mentioned before that
-the SELinux policy used by Gentoo Hardened is based on the reference policy,
-which offers a modular approach to SELinux policies. There is one base policy,
-which is mandatory on every system and is kept as small as possible. The rest
-are SELinux policy modules, usually providing the declarations, rules and file
-contexts for a single application (or type of applications).
-</p>
-<p>
-With <span class="code" dir="ltr">semodule -l</span> you can see the list of SELinux policy modules loaded:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the loaded SELinux modules</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -l</span>
-alsa 1.11.0
-apache 2.3.0
-entropyd 1.6.0
-dbus 1.15.0
-dnsmasq 1.9.0
-<span class="code-comment">(...)</span>
-</pre></td></tr>
-</table>
-<p>
-Within Gentoo Hardened, each module is provided by the package
-<span class="path" dir="ltr">sec-policy/selinux-&lt;modulename&gt;</span>. For instance, the first
-module encountered in the above example is provided by
-<span class="path" dir="ltr">selinux-alsa</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: The SELinux policy module package in Gentoo</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">emerge --search selinux-alsa</span>
-Searching...
-[ Results for search key : selinux-alsa ]
-[ Applications found : 1]
-
-* sec-policy/selinux-alsa
- Latest version available: 2.20110726
- Latest version installed: 2.20110726
- Size of files: 574 kB
- Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
- Description: SELinux policy for alsa
- License: GPL-2
-</pre></td></tr>
-</table>
-<p>
-If you need a module that isn't installed on your system, this is considered a
-bug (packages that need it should depend on the SELinux policy package if the
-selinux USE flag is set). But once you install the package yourself, the module
-will be loaded automatically:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing a SELinux policy package</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">emerge selinux-screen</span>
-</pre></td></tr>
-</table>
-<p>
-If you want to remove a module from your system though, uninstalling the package
-will not suffice: the SELinux policy module itself is copied to the policy store
-earlier (as part of the installation process) and is not removed from this store
-by Portage. Instead, you will need to remove the module manually:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Uninstalling a SELinux policy module</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">emerge -C selinux-screen</span>
-# <span class="code-input">semodule -r screen</span>
-</pre></td></tr>
-</table>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated September 30, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
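Review bot: the commit message "Update previews" does not describe this hunk, which deletes the rendered hb-using-policies.html preview outright (the file labelling, customizable types, booleans and policy module chapters) rather than updating it; the message should say whether the HTML previews are dropped for good or regenerated from the XML source elsewhere, and point to that location. If they are regenerated, the defects visible in the removed output should be fixed at the source first: the rule `semanage fcontext -a -t portage_ebuild_t "http://www.gentoo.org/mnt/gentoo/usr/portage(/.*)?"` has a filesystem path rendered as a URL (the argument should be the path regex `/mnt/gentoo/usr/portage(/.*)?`), the delete example `semanage fcontext -d -t portage_ebuild_t /mnt/gentoo/etc/make.conf` names a different type than the `portage_conf_t` rule it mirrors from the add example, and every listing carries the same anchor `doc_chap1_pre1` and title `Code Listing1.1`, so the in-page anchors collide and the chapter numbering is lost.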
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
deleted file mode 100644
index 9e97553..0000000
--- a/html/selinux/hb-using-install.html
+++ /dev/null
@@ -1,632 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="../../favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Installing Gentoo (Hardened)</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Getting a SELinux-powered Gentoo installation doesn't require weird actions.
-What you need to do is install Gentoo Linux with the correct profile, correct
-kernel configuration and some file system relabelling. We seriously recommend to
-use SELinux together with other hardening improvements (such as PaX /
-grSecurity).
-</p>
-<p>
-This chapter will describe the steps to install Gentoo with SELinux. We
-assume that you have an existing Gentoo Linux system which you want to convert
-to Gentoo with SELinux. If this is not the case, you should still read
-on: you can install Gentoo with SELinux immediately if you make the
-correct decisions during the installation process, based on the information in
-this chapter.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Performing a Standard Installation</a></p>
-<p>
-Install Gentoo Linux according to the <a href="http://www.gentoo.org/doc/en/handbook">Gentoo
-Handbook</a> installation instructions. We recommend the use of the hardened
-stage 3 tarballs and <span class="code" dir="ltr">hardened-sources</span> kernel instead of the standard
-ones, but standard stage installations are also supported for SELinux.
-Perform a full installation to the point that you have booted your system
-into a (primitive) Gentoo base installation.
-</p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-If you are an XFS user, make sure that the inode sizes of the XFS file
-system is 512 byte. Since the default is 256, you will need to run the
-<span class="code" dir="ltr">mkfs.xfs</span> command with the <span class="code" dir="ltr">-i size=512</span> arguments, like so:
-<span class="code" dir="ltr">mkfs.xfs -i size=512 /dev/sda3</span>
-</p></td></tr></table>
-<p class="secthead"><a name="doc_chap1_sect1">Switching to Python 2</a></p>
-<p>
-For now, the SELinux management utilities are not compatible with Python 3 so
-we recommend to switch to Python 2 until the packages are updated and fixed.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching to python 2</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">emerge '&lt;=dev-lang/python-3.0'</span>
-~# <span class="code-input">eselect python list</span>
-Available Python interpreters:
- [1] python2.7
- [2] python3.1 *
-
-~# <span class="code-input">eselect python set 1</span>
-~# <span class="code-input">source /etc/profile</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Optional: Setting the filesystem contexts</a></p>
-<p>
-If your <span class="path" dir="ltr">/tmp</span> location is a tmpfs-mounted file system, then you need
-to tell the kernel that the root context of this location is <span class="code" dir="ltr">tmp_t</span>
-instead of <span class="code" dir="ltr">tmpfs_t</span>. Many SELinux policy objects (including various
-server-level policies) assume that <span class="path" dir="ltr">/tmp</span> is <span class="code" dir="ltr">tmp_t</span>.
-</p>
-<p>
-To configure the <span class="path" dir="ltr">/tmp</span> mount, edit your <span class="path" dir="ltr">/etc/fstab</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update /etc/fstab for /tmp</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># For a "targeted" or "strict" policy type:</span>
-tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t</span> 0 0
-
-<span class="code-comment"># For an "mls" or "mcs" policy type:</span>
-tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t:s0</span> 0 0
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Change the Gentoo Profile</a></p>
-<p>
-Now that you have a running Gentoo Linux installation, switch the Gentoo profile
-to the right SELinux profile (for instance,
-<span class="path" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span>). Note that the older
-profiles (like <span class="path" dir="ltr">selinux/v2refpolicy/amd64/hardened</span>) are not
-supported anymore.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching the Gentoo profile</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">eselect profile list</span>
-Available profile symlink targets:
- [1] default/linux/amd64/10.0
- [2] default/linux/amd64/10.0/selinux
- [3] default/linux/amd64/10.0/desktop
- [4] default/linux/amd64/10.0/desktop/gnome
- [5] default/linux/amd64/10.0/desktop/kde
- [6] default/linux/amd64/10.0/developer
- [7] default/linux/amd64/10.0/no-multilib
- [8] default/linux/amd64/10.0/server
- [9] hardened/linux/amd64
- [10] hardened/linux/amd64/selinux
- [11] hardened/linux/amd64/no-multilib *
- [12] hardened/linux/amd64/no-multilib/selinux
-
-~# <span class="code-input">eselect profile set 12</span>
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-Starting from the profile change, Portage will warn you after every installation
-that it was "Unable to set SELinux security labels". This is to be expected,
-because the tools and capabilities that Portage requires to set the security
-labels aren't available yet. This warning will vanish the moment the SELinux
-installation is completed.
-</p></td></tr></table>
-<p>
-Don't update your system yet - we will need to install a couple of packages in a
-particular order which Portage isn't aware of in the next couple of sections.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Update make.conf</a></p>
-<p>
-Next, take a look at the following USE flags and decide if you want to enable
-or disable them.
-</p>
-<table class="ntable">
-<tr>
- <td class="infohead"><b>USE flag</b></td>
- <td class="infohead"><b>Default Value</b></td>
- <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
- <td class="tableinfo">peer_perms</td>
- <td class="tableinfo">Enabled</td>
- <td class="tableinfo">
- The peer_perms capability controls the SELinux policy network peer controls.
- If set, the access control mechanisms that SELinux uses for network based
- labelling are consolidated. This setting is recommended as the policy is
- also updated to reflect this. If not set, the old mechanisms (NetLabel and
- Labeled IPsec) are used side by side.
- </td>
-</tr>
-<tr>
- <td class="tableinfo">open_perms</td>
- <td class="tableinfo">Enabled</td>
- <td class="tableinfo">
- The open_perms capability enables the SELinux permission "open" for files
- and file-related classes. Support for the "open" call was added a bit later
- than others so support was first made optional. However, the policies have
- matured sufficiently to have the open permission set.
- </td>
-</tr>
-<tr>
- <td class="tableinfo">ubac</td>
- <td class="tableinfo">Enabled</td>
- <td class="tableinfo">
- When disabled, the SELinux policy is built without user-based access control.
- </td>
-</tr>
-</table>
-<p>
-Make your choice and update the <span class="code" dir="ltr">USE</span> variable in
-<span class="path" dir="ltr">/etc/make.conf</span>.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Manual System Changes</a></p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
-Most, if not all of the next few changes will be resolved through regular
-packages as soon as possible. However, these fixes have impact beyond the Gentoo
-Hardened installations. As such, these changes will be incorporated a bit slower
-than the SELinux-specific updates. For the time being, manually correcting these
-situations is sufficient (and a one-time operation).
-</p></td></tr></table>
-<p>
-The following changes <span class="emphasis">might</span> be necessary on your system, depending on the
-tools or configurations that apply.
-</p>
-<ul>
-
- <li>
- If you use LVM for one or more file systems, you need to edit
- <span class="path" dir="ltr">/lib/rcscripts/addons/lvm-start.sh</span> (or <span class="path" dir="ltr">/lib64/..</span>)
- and <span class="path" dir="ltr">lvm-stop.sh</span> and set the config location from
- <span class="path" dir="ltr">/dev/.lvm</span> to <span class="path" dir="ltr">/etc/lvm/lock</span>. Next, create the
- <span class="path" dir="ltr">/etc/lvm/lock</span> directory. Finally, add
- <span class="path" dir="ltr">/lib(64)/rcscripts/addons</span> to <span class="code" dir="ltr">CONFIG_PROTECT</span> in your
- <span class="path" dir="ltr">make.conf</span> file.
- </li>
- <li>
- Check if you have <span class="path" dir="ltr">*.old</span> files in <span class="path" dir="ltr">/bin</span>. If you do,
- either remove those or make them a copy of their counterpart so that they
- get their own security context. The <span class="path" dir="ltr">.old</span> files are hard links
- which mess up the file labelling. For instance, <span class="code" dir="ltr">cp /bin/hostname
- /bin/hostname.old</span>.
- </li>
-
- <li>
- Edit <span class="path" dir="ltr">/etc/sandbox.conf</span> and add in
- <span class="path" dir="ltr">/sys/fs/selinux/context</span> to the <span class="code" dir="ltr">SANDBOX_WRITE</span> parameter.
- This is currently needed to work around bug <a href="https://bugs.gentoo.org/410687">410687</a>.
- </li>
-</ul>
-<p class="secthead"><a name="doc_chap1_sect1">Installing a SELinux Kernel</a></p>
-<p>
-Although the default Linux kernels offer SELinux support, we recommend the use
-of the <span class="path" dir="ltr">sys-kernel/hardened-sources</span> package.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing hardened-sources</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">(Only if you have not installed it previously of course)</span>
-~# <span class="code-input">emerge hardened-sources</span>
-</pre></td></tr>
-</table>
-<p>
-Next, reconfigure the kernel with the appropriate security settings. This
-includes, but is not limited to
-</p>
-<ul>
- <li>Support for extended attributes in the various file systems</li>
- <li>Support system-call auditing</li>
- <li>Support for SELinux</li>
-</ul>
-<p>
-Below you can find a quick overview of the recommended settings.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Recommended settings for the Linux kernel configuration</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">Under "General setup"</span>
-[*] Prompt for development and/or incomplete code/drivers
-[*] Auditing support
-[*] Enable system-call auditing support
-
-<span class="code-comment">Under "File systems"</span>
-<span class="code-comment">(For each file system you use, make sure extended attribute support is enabled)</span>
-&lt;*&gt; Second extended fs support
-[*] Ext2 extended attributes
-[ ] Ext2 POSIX Access Control Lists
-[*] Ext2 Security Labels
-[ ] Ext2 execute in place support
-
-&lt;*&gt; Ext3 journalling file system support
-[ ] Default to 'data=ordered' in ext3
-[*] Ext3 extended attributes
-[ ] Ext3 POSIX Access Control Lists
-[*] Ext3 Security Labels
-
-&lt;*&gt; The Extended 4 (ext4) filesystem
-[*] Ext4 extended attributes
-[ ] Ext4 POSIX Access Control Lists
-[*] Ext4 Security Labels
-
-&lt;*&gt; JFS filesystem support
-[ ] JFS POSIX Access Control Lists
-[*] JFS Security Labels
-[ ] JFS debugging
-[ ] JFS statistics
-
-&lt;*&gt; XFS filesystem support
-[ ] XFS Quota support
-[ ] XFS POSIX ACL support
-[ ] XFS Realtime subvolume support (EXPERIMENTAL)
-[ ] XFS Debugging Support
-
-&lt;*&gt; Btrfs filesystem (EXPERIMENTAL)
-[ ] Btrfs POSIX Access Control Lists
-
-<span class="code-comment">Under "Security options"</span>
-[*] Enable different security models
-[*] Socket and Networking Security Hooks
-[*] NSA SELinux Support
-[ ] NSA SELinux boot parameter
-[ ] NSA SELinux runtime disable
-[*] NSA SELinux Development Support
-[ ] NSA SELinux AVC Statistics
-(1) NSA SELinux checkreqprot default value
-[ ] NSA SELinux maximum supported policy format version
- Default security module (SELinux) ---&gt;
-</pre></td></tr>
-</table>
-<p>
-We recommend to use PaX as well. More information on PaX within Gentoo Hardened
-can be found in the <a href="pax-quickstart.html">Hardened
-Gentoo PaX Quickstart Guide</a>.
-</p>
-<p>
-Build and install the new Linux kernel and its modules.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Update fstab</a></p>
-<p>
-Next, edit <span class="path" dir="ltr">/etc/fstab</span> and add the following two lines:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling selinux-specific file system options</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># The udev mount is due to bug #373381</span>
-udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
-none /selinux selinuxfs defaults 0 0
-</pre></td></tr>
-</table>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-In case of an MLS/MCS policy, you need to have the context with sensitivity
-level, so <span class="code" dir="ltr">...:device_t:s0</span>.
-</p></td></tr></table>
-<p>
-Make the <span class="path" dir="ltr">/selinux</span> mountpoint as well:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating the /selinux mountpoint</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">mkdir /selinux</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Reboot</a></p>
-<p>
-With the above changes made, reboot your system. Assert yourself that you are
-now running a Linux kernel with SELinux enabled (the <span class="path" dir="ltr">/selinux</span> file
-system should be mounted). Don't worry - SELinux is at this point not activated.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Configure SELinux</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Next we will need to configure SELinux by installing the appropriate
-utilities, label our file system and configure the policy.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Install Policies and Utilities</a></p>
-<p>
-First, install the <span class="path" dir="ltr">sys-apps/checkpolicy</span> and
-<span class="path" dir="ltr">sys-apps/policycoreutils</span> packages. Although these will be pulled in
-as dependencies of the SELinux policy packages themselves, we need to install
-these one time first - hence the <span class="code" dir="ltr">-1</span> option.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing SELinux policy core utilities</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">emerge -1 checkpolicy policycoreutils</span>
-</pre></td></tr>
-</table>
-<p>
-Next, install the SELinux policy package
-(<span class="path" dir="ltr">sec-policy/selinux-base-policy</span>). This package contains the base
-SELinux policy needed to get your system up and running using SELinux.
-As Portage will try to label and reload policies (since the installation of
-<span class="path" dir="ltr">sys-apps/policycoreutils</span>) we need to temporarily disable SELinux
-support (as Portage wouldn't be able to label anything as it doesn't understand
-it yet).
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing the SELinux policy packages</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">FEATURES="-selinux" emerge selinux-base-policy</span>
-</pre></td></tr>
-</table>
-<p>
-Next, rebuild those packages affected by the profile change we did previously
-through a standard world update, taking into account USE-flag changes (as the
-new profile will change many default USE flags, including enabling the
-<span class="code" dir="ltr">selinux</span> USE flag). Don't forget to use <span class="code" dir="ltr">etc-update</span> or
-<span class="code" dir="ltr">dispatch-conf</span> afterwards as some changes to configuration files need to
-be made.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update your Gentoo Linux system</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">emerge -uDN world</span>
-</pre></td></tr>
-</table>
-<p>
-Next, install the additional SELinux tools that you might need in the future to
-debug or help with your SELinux installation. These packages are optional, but
-recommended.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing additional SELinux packages</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">emerge setools sepolgen checkpolicy</span>
-</pre></td></tr>
-</table>
-<p>
-Finally, install the policy modules for those utilities you think you need
-policies for. In the near future, this will be done automatically for you (the
-packages will have an optional dependency on it, triggered by the selinux USE
-flag), but until that time, you will need to install them yourself.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing SELinux modules</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">emerge --search selinux-</span>
-[...]
-<span class="code-comment">(Select the modules you want to install)</span>
-~# <span class="code-input">emerge selinux-screen selinux-gnupg selinux-sudo selinux-ntp selinux-networkmanager ...</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Configure the SELinux Policy</a></p>
-<p>
-Inside <span class="path" dir="ltr">/etc/selinux/config</span> you can configure how SELinux is
-configured at boot time.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Editing the /etc/selinux/config file</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=<span class="code-input">permissive</span>
-
-# SELINUXTYPE can take one of these four values:
-# targeted - Only targeted network daemons are protected.
-# strict - Full SELinux protection.
-# mls - Full SELinux protection with Multi-Level Security
-# mcs - Full SELinux protection with Multi-Category Security
-# (mls, but only one sensitivity level)
-SELINUXTYPE=<span class="code-input">strict</span>
-</pre></td></tr>
-</table>
-<p>
-Within this configuration file, two variables can be set:
-</p>
-<ul>
- <li>
- <span class="code" dir="ltr">SELINUX</span> sets how SELinux should behave:
- <ul>
- <li>
- <span class="code" dir="ltr">enforcing</span> will enable and enforce policies. This is where we want
- to go for, but you should probably start with <span class="code" dir="ltr">permissive</span>.
- </li>
- <li>
- <span class="code" dir="ltr">permissive</span> will enable policies, but not enforce them. Any
- violation is reported but not denied. This is where you should start
- from as it will not impact your system yet allow you to get acquainted
- with SELinux - and validate the warnings to see if you can switch
- towards <span class="code" dir="ltr">enforcing</span> or not.
- </li>
- <li>
- <span class="code" dir="ltr">disabled</span> will completely disable the policies. As this will not
- show any violations as well, it is not recommended.
- </li>
- </ul>
- </li>
- <li>
- <span class="code" dir="ltr">SELINUXTYPE</span> selects the SELinux policy type to load.
- Gentoo Hardened recommends the use of <span class="code" dir="ltr">strict</span> for servers, and
- <span class="code" dir="ltr">targeted</span> for desktops. The <span class="code" dir="ltr">mcs</span> type is supported, <span class="code" dir="ltr">mls</span>
- is currently still considered experimental.
- </li>
-</ul>
-<p>
-The differentiation between <span class="code" dir="ltr">strict</span> and <span class="code" dir="ltr">targeted</span> is based upon the
-<span class="emphasis">unconfined</span> domain. When loaded, the processes on your system that are not
-specifically confined within a particular policy module will be part of the
-unconfined_t domain whose purpose is to allow most activities by default (rather
-than deny by default). As a result, processes that run inside the unconfined_t
-domain have no restrictions apart from those already enforced by standard Linux
-security. Although running without the unconfined_t domain is considered more
-secure, it will also be more challenging for the administrator to make sure the
-system still functions properly as there are no policy modules for each and
-every application "out there".
-</p>
-<p>
-Next to <span class="code" dir="ltr">targeted</span> and <span class="code" dir="ltr">strict</span>, you can opt for <span class="code" dir="ltr">mcs</span> to allow
-categorization of the process domains. This is useful on multi-tenant systems
-such as web servers, virtualization hosts, ... where multiple processes will be
-running, most of them in the same security domain, but in different categories.
-</p>
-<p>
-Finally, you can also select <span class="code" dir="ltr">mls</span> to differentiate security domains on
-a sensitivity level. However, MLS is currently still considered experimental
-in Gentoo and as such not recommended.
-</p>
-<p>
-When you have made your choice between the SELinux policy types, save
-this in your <span class="path" dir="ltr">/etc/make.conf</span> file as well. That way, Portage will
-only install the policy modules for that SELinux type.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting the policy type in make.conf</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">nano /etc/make.conf</span>
-POLICY_TYPES="<span class="code-input">strict</span>"
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Reboot, and Label the File System</a></p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
-Repeat these steps every time you have rebooted from a non-SELinux enabled
-kernel into a SELinux enabled kernel, as running with a non-SELinux enabled
-kernel will not update the security attributes of the files you create or
-manipulate during your day-to-day activities on your system.
-</p></td></tr></table>
-<p>
-First reboot your system so that the installed policies are loaded. Now we
-need to relabel your devices and openrc related files. This will apply the
-correct security contexts (labels) onto the necessary files.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel /dev structure</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">mkdir /mnt/gentoo</span>
-~# <span class="code-input">mount -o bind / /mnt/gentoo</span>
-
-<span class="code-comment">(Substitute the "strict" in the next command with "targeted" if that is your SELINUXTYPE selection)</span>
-~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev</span>
-~# <span class="code-input">setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib64</span>
-~# <span class="code-input">umount /mnt/gentoo</span>
-</pre></td></tr>
-</table>
-<p>
-Next, if you have a swapfile rather than a swap partition, label it accordingly:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Labelling the swap file</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semanage fcontext -a -t swapfile_t "http://www.gentoo.org/swapfile"</span>
-~# <span class="code-input">restorecon /swapfile</span>
-</pre></td></tr>
-</table>
-<p>
-Now relabel your entire file system. The next command will apply the correct
-security context onto the files on your file system, based on the security
-context information provided by the SELinux policy modules installed.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabel the entire file system</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">rlpkg -a -r</span>
-</pre></td></tr>
-</table>
-<p>
-If you ever have to install a SELinux policy module for a package after that
-that particular package is installed, you need to run <span class="code" dir="ltr">rlpkg</span> for that
-package to make sure that the security contexts for these files are set
-correctly. For instance, if you have installed
-<span class="path" dir="ltr">sec-policy/selinux-screen</span> after discovering that you have
-<span class="code" dir="ltr">screen</span> on your system:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling the files for a single package</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">(Make sure no screen sessions are running as their security contexts will not be adapted)</span>
-~# <span class="code-input">rlpkg -t screen</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Reboot and Set SELinux Booleans</a></p>
-<p>
-Reboot your system so that the newly applied file contexts are used. Log on
-and, if you have indeed installed Gentoo using the hardened sources (as we
-recommended), enable the SSP SELinux boolean, allowing every domain read
-access to the <span class="path" dir="ltr">/dev/urandom</span> device:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling the global_ssp boolean</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">setsebool -P global_ssp on</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p>
-<p>
-If the <span class="code" dir="ltr">SELINUXTYPE</span> is set to <span class="code" dir="ltr">strict</span>, then we
-need to map the account(s) you use to manage your system (those
-that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. If not, none
-of your accounts will be able to succesfully manage the system (except for
-<span class="code" dir="ltr">root</span>, but then you will need to login as <span class="code" dir="ltr">root</span> directly and not
-through <span class="code" dir="ltr">sudo</span> or <span class="code" dir="ltr">su</span>.) By default, users are mapped to the
-<span class="code" dir="ltr">user_u</span> SELinux user who doesn't have the appropriate rights (nor access
-to the appropriate roles) to manage a system. Accounts that are mapped to
-<span class="code" dir="ltr">staff_u</span> can, but might need to switch roles from <span class="code" dir="ltr">staff_r</span> to
-<span class="code" dir="ltr">sysadm_r</span> before they are granted the appropriate privileges.
-</p>
-<p>
-Assuming that your account name is <span class="emphasis">john</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Mapping the Linux account john to the SELinux user staff_u</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semanage login -a -s staff_u john</span>
-~# <span class="code-input">restorecon -R -F /home/john</span>
-</pre></td></tr>
-</table>
-<p>
-If you later log on as <span class="emphasis">john</span> and want to manage your system, you will
-probably need to switch your role. You can use <span class="code" dir="ltr">newrole</span> for this:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching roles</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">id -Z</span>
-staff_u:staff_r:staff_t
-~$ <span class="code-input">newrole -r sysadm_r</span>
-Password: <span class="code-comment">(Enter your password)</span>
-~$ <span class="code-input">id -Z</span>
-staff_u:sysadm_r:sysadm_t
-</pre></td></tr>
-</table>
-<p>
-If you however use a <span class="code" dir="ltr">targeted</span> policy, then the user you work with will be
-of type <span class="emphasis">unconfined_t</span> and will already have the necessary privileges to
-perform system administrative tasks.
-</p>
-<p>
-With that done, enjoy - your first steps into the SELinux world are now made.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated April 10, 2012</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
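Review bot: this hunk deletes html/selinux/hb-using-install.html in full, down to the generated sidebar (`Page updated April 10, 2012`, the PayPal donate form and the `http://sidebar.gentoo.org` iframe), with nothing in the hunk replacing it, so the change should state where the rendered install guide now lives or that it is regenerated from the XML source. Two defects in the removed copy are worth fixing at the source before any preview is regenerated, rather than being carried over: the swap-file labelling command reads `semanage fcontext -a -t swapfile_t "http://www.gentoo.org/swapfile"`, where the rendering has turned the path `/swapfile` into a site URL (the following `restorecon /swapfile` line shows the intended path), and `emerge setools sepolgen checkpolicy` re-installs `checkpolicy`, which the earlier one-off `emerge -1 checkpolicy policycoreutils` step already pulled in.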
diff --git a/html/selinux/hb-using-policies.html b/html/selinux/hb-using-policies.html
deleted file mode 100644
index 0163b42..0000000
--- a/html/selinux/hb-using-policies.html
+++ /dev/null
@@ -1,359 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/../css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/../favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Policy Language</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-By default, Gentoo provides a generic, yet tightly controlled policy which is
-deemed a good start policy for the majority of users. However, the purpose
-behind a Mandatory Access Control system is to put the security administrator in
-control. As such, a handbook on SELinux without information on how to write
-policies wouldn't be complete.
-</p>
-<p>
-In this chapter, we'll talk a bit about the language behind SELinux policies and
-give some pointers on how to create your own policies, roles, etc.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Building a SELinux Module</a></p>
-<p>
-First, before we go into the art of SELinux policy writing, let's first make a
-small SELinux module with a rule we can test, build the module and see if things
-work. Although these steps are fairly easy, they are important nonetheless.
-Modifying the SELinux policy as offered by Gentoo is best done through
-additional SELinux policy modules. Only when the core policy (the base policy)
-is not to your liking should you see on using a totally different policy.
-</p>
-<p>
-Let's start with a skeleton for a policy module we'll call <span class="emphasis">testmod</span>. You
-should use simple names for the modules as the build infrastructure is quite
-sensitive to special constructs. Use only letters a-z and numbers, and never
-start a module name with a number.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Policy module skeleton</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-policy_module(testmod, 1.0.0)
-</pre></td></tr>
-</table>
-<p>
-Yes, that's it. But as you can see, it is fairly empty. So let's add a rule that
-allows a regular user (in the user_t domain) to read ebuild files (of type
-portage_ebuild_t).
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Policy module testmod</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-policy_module(testmod, 1.0.0)
-
-require {
- type user_t;
- type portage_ebuild_t;
- class file { read open getattr };
- class dir { read search open getattr };
-}
-
-allow user_t portage_ebuild_t:file { read open getattr };
-allow user_t portage_ebuild_t:dir { read search open getattr };
-</pre></td></tr>
-</table>
-<p>
-As you can see, something as simple as allowing a user to read a file requires
-quite a few privileges. The directory privileges are needed to allow a user to
-navigate through the Portage tree structure whereas the file privileges are
-needed for a user to be able to access and open the ebuilds. Save this file as
-<span class="path" dir="ltr">testmod.te</span>.
-</p>
-<p>
-To build the policy and convert it into the binary module that we can load into
-the SELinux policy store, we can use the <span class="path" dir="ltr">Makefile</span> available in
-<span class="path" dir="ltr">/usr/share/selinux/strict/include</span> (substitute strict with the
-SELinux policy type you are using).
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Building a binary policy module</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">make -f /usr/share/selinux/struct/include/Makefile testmod.pp</span>
-</pre></td></tr>
-</table>
-<p>
-The filename (<span class="path" dir="ltr">testmod.pp</span>) is the destination binary SELinux module
-name. The <span class="path" dir="ltr">Makefile</span> will automatically look for the
-<span class="path" dir="ltr">testmod.te</span> file you have in the working directory.
-</p>
-<p>
-As a result, you should now have a file called <span class="path" dir="ltr">testmod.pp</span>. This
-module file can now be loaded in the SELinux policy store as follows:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Loading a binary module</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">semodule -i /path/to/testmod.pp</span>
-</pre></td></tr>
-</table>
-<p>
-Congratulations! You have now build your first SELinux policy module. If you
-want to disable it, remove it through <span class="code" dir="ltr">semodule -r testmod</span>.
-</p>
-<p>
-This method of building a policy (using the <span class="path" dir="ltr">Makefile</span> and
-<span class="code" dir="ltr">semodule</span>) is something that you will need to do every time you want to
-update the SELinux policy on your system. The contents of the policy however
-does change as we will see in the rest of this document.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Getting the SELinux Policy Interfaces</a></p>
-<p>
-To streamline policy development, the SELinux policy based on the reference
-policy uses interfaces to access privileges within a module. If you have built
-<span class="path" dir="ltr">selinux-base-policy</span> with <span class="code" dir="ltr">USE="doc"</span> then this information is
-available at
-<span class="path" dir="ltr">/usr/share/doc/selinux-base-policy-&lt;version&gt;/html</span>. It is
-recommended to have this information at hand, since most policy
-development/updates will be done through the interfaces offered by the policy.
-</p>
-<p>
-If you are just interested, you can also find these interface definitions <a href="http://oss.tresys.com/docs/refpolicy/api/">online</a>. Mind you though,
-the online resource is only the reference policy and might differ a bit from the
-policy available within Gentoo.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Using Policy Interfaces</a></p>
-<p>
-Using the policy interfaces allows you to update the policy with more readable
-functions. For instance, to allow the user_t domain to call and use Portage
-applications, the module could look like so:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example policy to allow user_t to use portage</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-policy_module(testmod, 1.0.0)
-
-require {
- type user_t;
- role user_r;
-}
-
-portage_run(user_t, user_r)
-</pre></td></tr>
-</table>
-<p>
-Of course, this makes the user_t domain much more privileged than the previously
-defined rules to read ebuild files: it allows the user to call portage, update
-the system, etc. Of course, the user still requires the proper regular Linux
-permissions (so he needs to be part of the portage group or become root).
-Needless to say, we do not recommend to grant this to a regular user ;-)
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Full SELinux Policy Modules</p>
-<p class="secthead"><a name="doc_chap1_sect1">Checking Out an Isolated Module</a></p>
-<p>
-With the above in mind, we can now go one step further and investigate a full
-policy module, with both the type enforcement rules (<span class="path" dir="ltr">.te</span> file),
-file contexts (<span class="path" dir="ltr">.fc</span>) and interfaces (<span class="path" dir="ltr">.if</span>).
-</p>
-<p>
-You should know that writing a module requires you to get intimate with the
-application. It isn't a matter of just hoping for the best: as a security
-administrator, you will be responsible for defining what accesses are allowed
-and which not. If you forget one, the application might break under the users'
-hands. But if you add too much, you might grant privileges that can be abused
-later on. And it will be a lot more difficult to track and remove privileges
-later as you will be hesitating if the privilege is needed or not.
-</p>
-<p>
-In this section, we will not divulge in how to write one. We have an excellent
-<a href="selinux-development.html">Gentoo Hardened SELinux
-Development</a> resource that guides you in that. However, we will look into
-such a full module to explain the other aspects of policy development.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Type Enforcement File</a></p>
-<p>
-The <span class="path" dir="ltr">.te</span> file we wrote earlier is a <span class="emphasis">type enforcement file</span>.
-Its purpose is to define the access rules related to the module that you are
-building, but also - and more importantly - define new types (or even roles).
-</p>
-<p>
-The example below is a snippet from a module for the skype application.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Snippet from skype.te</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-policy_module(skype, 1.0.0)
-
-type skype_t;
-type skype_exec_t;
-application_domain(skype_t, skype_exec_t)
-
-type skype_home_t;
-userdom_user_home_content(skype_home_t)
-
-manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
-manage_files_pattern(skype_t, skype_home_t, skype_home_t)
-</pre></td></tr>
-</table>
-<p>
-In the above example, three new types are declared: <span class="code" dir="ltr">skype_t</span> (which will
-be used for the application), <span class="code" dir="ltr">skype_exec_t</span> (which is the label given to
-the application binary) and <span class="code" dir="ltr">skype_home_t</span> (which will be used for the
-users' <span class="path" dir="ltr">~/.Skype</span> location). Also, the <span class="code" dir="ltr">skype_t</span> domain is given
-some privileges with respect to the <span class="code" dir="ltr">skype_home_t</span> label (manage
-directories and files).
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">File Context File</a></p>
-<p>
-In the <span class="path" dir="ltr">.fc</span> file (which stands for <span class="emphasis">file context file</span>) the
-module's resources (files, directories, sockets, ...) are defined. Once the
-module is loaded, these rules are added so that file system relabeling will put
-the correct context on the files.
-</p>
-<p>
-The example below is a snippet from the skype modules' file context file.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Snippet from skype.fc</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
-/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
-/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
-</pre></td></tr>
-</table>
-<p>
-The format of the file context file has the following syntax:
-</p>
-<ol>
- <li>
- The regular expression that matches the file(s) and directorie(s) affected
- by that line
- </li>
- <li>
- An optional identifier to differentiate the type of files (file, directory,
- socket, symbolic link, ...)
- </li>
- <li>
- A <span class="code" dir="ltr">gen_context</span> line that contains the context to assign to the file(s)
- and directorie(s)
- </li>
-</ol>
-<p class="secthead"><a name="doc_chap1_sect1">Interface File</a></p>
-<p>
-In the <span class="path" dir="ltr">.if</span> file (for <span class="emphasis">interface file</span>) interfaces are declared
-which can be used by other modules. It is through interfaces that a nicely
-defined policy can be built on top of other, existing policy modules.
-</p>
-<p>
-One interface could be to allow users to call and execute an application. For
-instance, the following interface can be found in the skype module.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Snippet from skype.if</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-interface(`skype_role',`
- gen_require(`
- type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
- ')
-
- role $1 types skype_t;
-
- domtrans_pattern($2, skype_exec_t, skype_t)
-
- allow $2 skype_t:process { ptrace signal_perms };
-
- manage_dirs_pattern($2, skype_home_t, skype_home_t)
- manage_files_pattern($2, skype_home_t, skype_home_t)
- manage_lnk_files_pattern($2, skype_home_t, skype_home_t)
-
- relabel_dirs_pattern($2, skype_home_t, skype_home_t)
- relabel_files_pattern($2, skype_home_t, skype_home_t)
- relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
-
- ps_process_pattern($2, skype_t)
-')
-</pre></td></tr>
-</table>
-<p>
-Through this <span class="code" dir="ltr">skype_role</span>, we can then allow users to call skype, as can be
-found in the <span class="path" dir="ltr">unprivuser.te</span> file (which defines the user_t domain):
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Snippet from unprivuser.te to call skype</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-optional_policy(`
- skype_role(user_r, user_t)
-')
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Using audit2allow</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-When reading online resources on SELinux, you will notice that there are many
-references to a tool called <span class="code" dir="ltr">audit2allow</span>. This tools' purpose is to read
-AVC denial messages from the audit log file and transform them into a policy
-module that you can load. The advantage is that it makes it a lot easier to
-write policies. The downside is that the output (unless you use the <span class="code" dir="ltr">-R</span>
-option) is not usable for the <span class="path" dir="ltr">Makefile</span> we used earlier to build
-modules.
-</p>
-<p>
-Another disadvantage is that the tool does not intelligently cope with changes.
-It blindly accepts denials and treats them as if they need to be allowed, rather
-than investigate if no other context should be given to the file, etc.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Using audit2allow</a></p>
-<p>
-Using <span class="code" dir="ltr">audit2allow</span> is pretty straightforward. You send it the denials you
-want to fix and store the result in a <span class="path" dir="ltr">.te</span> file. You then convert it
-into an intermediary format which can then be translated into a <span class="path" dir="ltr">.pp</span>
-file for final loading by <span class="code" dir="ltr">semodule</span>.
-</p>
-<p>
-For instance, to catch all denials and transform them into allowed statements
-from firefox-related denials:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Generate a new policy using audit2allow</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">grep firefox /var/log/avc.log | audit2allow -m firefoxmod &gt; firefoxmod.te</span>
-# <span class="code-input">checkmodule -m -o firefoxmod.mod firefoxmod.te</span>
-# <span class="code-input">semodule_package -o firefoxmod.pp -m firefoxmod.mod</span>
-# <span class="code-input">semodule -i firefoxmod.pp</span>
-</pre></td></tr>
-</table>
-<p>
-Keep the module name (given through the <span class="code" dir="ltr">-m</span> option) simple: only use
-characters (<span class="code" dir="ltr">[a-z]</span>) and numbers (<span class="code" dir="ltr">[0-9]</span>), and start the module name
-with a character.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated March 1, 2012</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
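Review bot: this hunk deletes the whole rendered page, but the commit message only says "Update previews", which reads as a regeneration rather than a removal; say in the message that the html/selinux previews are dropped on purpose (and where the rendered handbook now lives) so the log does not look like an accidental deletion. If the page is regenerated elsewhere, check that its cross-reference to selinux-development.html (Code Listing "Snippet from skype.te" section) still resolves, since nothing in this diff updates the other side of that link.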
diff --git a/html/selinux/hb-using-states.html b/html/selinux/hb-using-states.html
deleted file mode 100644
index bd2398f..0000000
--- a/html/selinux/hb-using-states.html
+++ /dev/null
@@ -1,299 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux States</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-When SELinux is available, it will generally be in one of three states on your
-system: disabled, permissive or enforcing.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Disabled</a></p>
-<p>
-When <span class="code" dir="ltr">getenforce</span> returns "Disabled", then SELinux is not running on your
-system. Even though it might be built in your kernel, it is definitely disabled.
-Your system will still run with regular discretionary access controls (the usual
-permission rules for standard Linux environments) but the mandatory access
-controls are not active.
-</p>
-<p>
-When SELinux is disabled, it also means that files, directories, etc that are
-modified or created will not get the proper SELinux context assigned to them.
-When you later start your system with SELinux enabled (permissive or enforcing),
-issues will arise since the SELinux subsystem will not know which label the
-files have (it will default the label to one that is not accessible by most
-domains).
-</p>
-<p>
-The best way to go forward in such case is to boot in permissive mode and then
-relabel the entire file system:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabeling the entire file system</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">rlpkg -a -r</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Permissive</a></p>
-<p>
-When SELinux is enabled in permissive mode (<span class="code" dir="ltr">getenforce</span> returns
-"Permissive"), then SELinux is enabled and it has a policy loaded. Every access
-a process makes is checked against the policy rules and, if an access is not
-allowed, it will be logged (unless the denial is marked as dontaudit) but it
-will <span class="emphasis">not</span> be prohibited.
-</p>
-<p>
-The permissive mode is perfect to get acquainted with SELinux and have the
-system made ready for future "enforcing" mode. While running in permissive mode,
-applications <span class="emphasis">that are not SELinux aware</span> will behave as if SELinux is not
-running. This is perfect to validate if a problem is caused by SELinux or not:
-if in permissive mode the problem still persists, then it is not caused by
-SELinux.
-</p>
-<p>
-There is one caveat though: if the application is <span class="emphasis">SELinux-aware</span> (it knows
-that it can run in a SELinux environment and is able to make SELinux-specific
-calls) it might still react differently. Although this is often (but not always)
-a bad programming practice, some applications check if SELinux is enabled and
-base their functional flow on the results, regardless of the state being
-permissive or enforcing.
-</p>
-<p>
-To find out if an application is SELinux aware, simply check if it is linked
-against libselinux (with <span class="code" dir="ltr">ldd</span> or <span class="code" dir="ltr">scanelf</span> - part of
-<span class="path" dir="ltr">app-misc/pax-utils</span>):
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking if /bin/ls is SELinux-aware</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -n /bin/ls</span>
- TYPE NEEDED FILE
-ET_DYN libselinux.so.1,librt.so.1,libc.so.6 /bin/ls
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Enforcing</a></p>
-<p>
-If <span class="code" dir="ltr">getenforce</span> returns "Enforcing", then SELinux is loaded and will act
-based on the policy. When a process tries some activity that is not allowed by
-the policy, it will be logged (unless a dontaudit is set) and the activity will
-not go through. This is the only mode where you can truely say that SELinux is
-active, because it is only now that the policy is acted upon.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Switching States</a></p>
-<p>
-Depending on your Linux kernel configuration, you can switch between states
-using one of the following methods. The kernel configuration however can be made
-so that some of these options are disabled (for instance, a fully hardened
-system will not allow disabling SELinux in any way).
-</p>
-<p>
-Using the command <span class="code" dir="ltr">setenforce</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching between enforcing and permissive</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">(Switching to permissive mode)</span>
-# <span class="code-input">setenforce 0</span>
-
-<span class="code-comment">(Switching to enforcing mode)</span>
-# <span class="code-input">setenforce 1</span>
-</pre></td></tr>
-</table>
-<p>
-Using the kernel boot option <span class="code" dir="ltr">enforcing</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching between enforcing and permissive through boot options</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">(The following GRUB kernel line would boot in permissive mode)</span>
-kernel /kernel-2.6.39-hardened-r8 root=/dev/md3 rootflags=data=journal <span class="code-input">enforcing=0</span>
-</pre></td></tr>
-</table>
-<p>
-Using the <span class="path" dir="ltr">/etc/selinux/config</span> <span class="code" dir="ltr">SELINUX</span> variable:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: /etc/selinux/config SELINUX setting</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">cat /etc/selinux/config</span>
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-<span class="code-input">SELINUX=enforcing</span>
-
-# SELINUXTYPE can take one of these four values:
-# targeted - Only targeted network daemons are protected.
-# strict - Full SELinux protection.
-# mls - Full SELinux protection with Multi-Level Security
-# mcs - Full SELinux protection with Multi-Category Security
-# (mls, but only one sensitivity level)
-SELINUXTYPE=strict
-</pre></td></tr>
-</table>
-<p>
-When you want to switch from permissive to enforcing, it is recommended to do so
-in the order given above:
-</p>
-<ol>
- <li>
- First boot up in permissive mode, log on, verify that your context is
- correct (<span class="code" dir="ltr">id -Z</span>) and then switch to enforcing (<span class="code" dir="ltr">setenforce 1</span>).
- You can now test if your system is still working properly.
- </li>
- <li>
- Next, boot with <span class="code" dir="ltr">enforcing=1</span> as kernel parameter. This way, your
- system will boot in enforcing mode, but if things go haywire, you can just
- reboot, leave out the option and be back in permissive mode
- </li>
- <li>
- Finally, edit <span class="path" dir="ltr">/etc/selinux/config</span> to persist this change.
- </li>
-</ol>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>SELinux Policy Types</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Next to the SELinux state, SELinux also offers different policy types. These
-types differentiate themselves in specific SELinux features that are enabled or
-disabled. Within Gentoo, three are supported (and a fourth is available):
-<span class="code" dir="ltr">targeted</span>, <span class="code" dir="ltr">strict</span>, <span class="code" dir="ltr">mcs</span> (and <span class="code" dir="ltr">mls</span>).
-</p>
-<p>
-The type used on a system is declared in <span class="path" dir="ltr">/etc/selinux/config</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: The SELINUXTYPE information in /etc/selinux/config</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">cat /etc/selinux/config</span>
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=enforcing
-
-# SELINUXTYPE can take one of these four values:
-# targeted - Only targeted network daemons are protected.
-# strict - Full SELinux protection.
-# mls - Full SELinux protection with Multi-Level Security
-# mcs - Full SELinux protection with Multi-Category Security
-# (mls, but only one sensitivity level)
-<span class="code-input">SELINUXTYPE=strict</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">strict (without unconfined domains)</a></p>
-<p>
-The <span class="code" dir="ltr">strict</span> policy type is the policy type that was described in the
-earlier chapters, and coincidentally the type that is the easiest to understand.
-With the strict policy type, each and every application runs in a domain that
-has limited privileges. Although there are highly privileged domains, they are
-never truely unlimited in their privileges.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">targeted (using unconfined domains)</a></p>
-<p>
-The <span class="code" dir="ltr">targeted</span> policy type is similar to the strict one, with one major
-addition: support for unconfined domains. Applications (or users) that run in an
-unconfined domain are almost unlimited in their privileges. The unconfined
-domains are usually used for users and user applications, but also the init
-system and other domains are marked as "unconfined" domains.
-</p>
-<p>
-The idea behind the targeted policy is that network-facing services are running
-in (confined) regular domains whereas the rest uses the standard discretionary
-access controls offered by Linux. These other domains are running as
-"unconfined".
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">mcs (using multiple categories)</a></p>
-<p>
-The introduction of <span class="code" dir="ltr">mls</span> and <span class="code" dir="ltr">mcs</span> offers the ability for
-<span class="emphasis">multi-tenancy</span>: multiple instances of the same application should be able
-to run, but each instance should be confined with respect to the others (instead
-of all these processes running in the same domain and, hence, the same
-privileges).
-</p>
-<p>
-A simple example is virtualization: a virtual guest which runs in the
-<span class="code" dir="ltr">qemu_t</span> domain needs write privileges on the image file that contains the
-guest operating system. However, if you run two guests, you do not want each
-guest to write to the other guests' file. With regular domains, you will need to
-provide this. With <span class="code" dir="ltr">mcs</span>, you can give each running instance a specific
-category (number) and only grant it write privileges to the guest file with the
-correct category (number).
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">mls (using multiple security levels)</a></p>
-<p>
-The <span class="code" dir="ltr">mls</span> policy type is available but not yet supported by Gentoo
-Hardened. With this policy type, it is possible to give sensitivity levels on
-files and resources as well as domains. Sensitivity levels can best be expressed
-in terms of <span class="emphasis">public</span>, <span class="emphasis">private</span>, <span class="emphasis">confidential</span> or <span class="emphasis">strictly
-confidential</span>. With MLS, you can mark a file as one (or a set of)
-sensitivity level(s) and ensure that only domains with the right sensitivity
-level can access it.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Switching Types</a></p>
-<p>
-It is not recommended to switch between types often. At best, you choose your
-policy type at install time and stick with it. But it is not impossible (nor
-that hard) to switch between types.
-</p>
-<p>
-First, you need to edit <span class="path" dir="ltr">/etc/selinux/config</span> so that it both
-switches the policy type as well as put the mode in <span class="emphasis">permissive</span>. This is
-necessary, since at your next reboot, many labels might (or will) be incorrect.
-</p>
-<p>
-Next, edit <span class="path" dir="ltr">/etc/fstab</span> and make sure that the domains you use there
-are updated accordingly. For instance, the line for <span class="path" dir="ltr">/tmp</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Changing /etc/fstab</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment"># Example when switching from strict to mcs</span>
-tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t<span class="code-input">:c0</span> 0 0
-</pre></td></tr>
-</table>
-<p>
-When this is done, reboot your system. Log on as root, and relabel your entire
-file system using <span class="code" dir="ltr">rlpkg -a -r</span>. Finally, reboot again and then validate if
-your context (such as when logged on as a user) is correct again. Once you are
-confident that the domains and contexts are correct, switch the SELinux policy
-mode back to "enforcing".
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
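Review bot: the rendered page removed here had broken anchors, so deleting it is fine, but if these previews are regenerated the generator needs fixing first: every chapter is emitted as `<a name="doc_chap1">` (both "SELinux States" and "SELinux Policy Types" carry it), every section as `doc_chap1_sect1` and every listing as `doc_chap1_pre1`, so in-page links cannot target anything past the first chapter. Separately, the deleted /etc/fstab example `rootcontext=system_u:object_r:tmp_t:c0` is not a valid MCS level (a level needs a sensitivity, e.g. `tmp_t:s0` or `tmp_t:s0:c0`); that should be corrected in the handbook source rather than only disappearing with the preview.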
diff --git a/html/selinux/hb-using-troubleshoot.html b/html/selinux/hb-using-troubleshoot.html
deleted file mode 100644
index c18afc1..0000000
--- a/html/selinux/hb-using-troubleshoot.html
+++ /dev/null
@@ -1,310 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Unable To Load SELinux Policy</p>
-<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p>
-<p>
-If you notice that SELinux is not functioning at all, a quick run of
-<span class="code" dir="ltr">sestatus</span> should give you closure if SELinux is enabled and loaded or not.
-If you get the following output, no SELinux policy is loaded:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: sestatus output</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-SELinux status: disabled
-</pre></td></tr>
-</table>
-<p>
-If this is the case, read on in this section to find out how to troubleshoot and
-resolve this.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">No Policy Installed</a></p>
-<p>
-One potential reason would be that there is no policy to load to begin with.
-Take a look inside <span class="path" dir="ltr">/usr/share/selinux/strict</span> or
-<span class="path" dir="ltr">/usr/share/selinux/targeted</span> (depending on your configuration) and
-look for a file called <span class="path" dir="ltr">base.pp</span>. If no such file exists, you will
-need to install the base policy. This policy is offered by the
-<span class="path" dir="ltr">sec-policy/selinux-base-policy</span> package, but it is better to read up
-on the chapter regarding <span title="Link to other book part not available"><font color="#404080">(Gentoo SELinux
-Installation / Conversion)</font></span> as more important changes might be missing.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Policy Not Loaded</a></p>
-<p>
-If the <span class="path" dir="ltr">base.pp</span> file exists in
-<span class="path" dir="ltr">/usr/share/selinux/strict</span> (or <span class="path" dir="ltr">targeted/</span>), take a look
-inside <span class="path" dir="ltr">/etc/selinux/strict/policy</span>. This location too should contain
-a <span class="path" dir="ltr">base.pp</span> policy module (when a SELinux policy is loaded, it is
-copied from the first location to the second).
-</p>
-<p>
-If no <span class="path" dir="ltr">base.pp</span> file exists, install and load the policy:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Installing the base policy</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semodule -n -B</span>
-</pre></td></tr>
-</table>
-<p>
-This is a one-time operation - once installed and loaded, it will be reloaded
-upon every reboot.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Init Can Not Load the SELinux Policy</a></p>
-<p>
-During system boot, the <span class="code" dir="ltr">init</span> process is responsible for loading and
-interacting with the SELinux policy in memory. If <span class="code" dir="ltr">init</span> does not support
-SELinux, you will get no SELinux support in your environment.
-</p>
-<p>
-To verify if <span class="code" dir="ltr">init</span> supports SELinux, we need to check if it uses the
-<span class="path" dir="ltr">libselinux.so</span> shared object:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking if init supports SELinux</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">ldd /sbin/init</span>
- linux-vdso.so.1 =&gt; (0x00006ace30e84000)
- <span class="code-comment">( You should see something similar to the following line: )</span>
- libselinux.so.1 =&gt; /lib/libselinux.so.1 (0x00006ace30a46000)
- libc.so.6 =&gt; /lib/libc.so.6 (0x00006ace306e9000)
- libdl.so.2 =&gt; /lib/libdl.so.2 (0x00006ace304e5000)
- /lib64/ld-linux-x86-64.so.2 (0x00006ace30c68000)
-</pre></td></tr>
-</table>
-<p>
-If this is not the case, make sure that <span class="code" dir="ltr">emerge --info</span> shows that the
-selinux USE flag is in place, and reinstall <span class="path" dir="ltr">sys-apps/sysvinit</span>. If
-the selinux USE flag is not in place, check your Gentoo profile and make sure it
-points to a <span class="path" dir="ltr">selinux/v2refpolicy/...</span> profile.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Policy Store is Corrupt</a></p>
-<p>
-If you encounter problems during boot-up or <span class="code" dir="ltr">semodule</span> operations which
-fail with loading problems, but cannot be resolved with the above solution, then
-you might need to reinstall the policies after eliminating the corrupt store.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Recovering from store corruption</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semodule -n -B</span>
-libsemanage.semanage_load_module: Error while reading from module file
-/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory)
-
-~# <span class="code-input">setenforce 0</span>
-~# <span class="code-input">mv /etc/selinux/targeted /etc/selinux/targeted.old</span>
-~# <span class="code-input">FEATURES="-selinux" emerge -1av $(qlist -IC sec-policy)</span>
-~# <span class="code-input">restorecon -R /etc/selinux</span>
-</pre></td></tr>
-</table>
-<p>
-This will effectively disable the current, corrupted SELinux policy store and
-then use Portage to reinstall all SELinux policy packages that are installed on
-the system. When done, the file contexts of <span class="path" dir="ltr">/etc/selinux</span> are
-restored, after which you should be able to continue.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Unable to Log On</p>
-<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p>
-<p>
-If you are unable to log on in a particular situation (remote, local, as root,
-as regular user, ...) there are a few possible problems which you might have
-hit. However, to resolve them you'll need to be able to log on to the system as
-<span class="emphasis">sysadm_r</span> in one way or the other.
-</p>
-<p>
-If you can not log in as a <span class="emphasis">sysadm_r</span> user, disable SELinux (boot with
-<span class="code" dir="ltr">enforcing=0</span>) so that no SELinux enforcements are made. Changes that you
-make in permissive mode are equally effective as in enforcing mode.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Incorrect Context</a></p>
-<p>
-In the majority of cases will you find that a security context is incorrect. Run
-<span class="code" dir="ltr">sestatus -v</span> and compare the <span class="emphasis">Process contexts</span> or <span class="emphasis">File
-contexts</span> that you see in the output with the next table.
-</p>
-<table class="ntable">
-<tr>
- <td class="infohead"><b>Process</b></td>
- <td class="infohead"><b>Context</b></td>
- <td class="infohead"><b>If wrong context...</b></td>
-</tr>
-<tr>
- <td class="tableinfo">Init context</td>
- <td class="tableinfo">system_u:system_r:init_t</td>
- <td class="tableinfo">
- First, verify that init itself is correclty labeled. Check the output of
- the previously run <span class="code" dir="ltr">sestatus -v</span> command for the
- <span class="path" dir="ltr">/sbin/init</span> file and make sure that it is set to
- system_u:object_r:init_exec_t. If that is not the case, relabel
- <span class="path" dir="ltr">sys-apps/sysvinit</span> using <span class="code" dir="ltr">rlpkg sysvinit</span>. Also make the
- same checks as in the <a href="#doc_chap1">Unable To Load SELinux
- Policy</a> section. Reboot your system and retry.
- </td>
-</tr>
-<tr>
- <td class="tableinfo">agetty context</td>
- <td class="tableinfo">system_u:system_r:getty_t</td>
- <td class="tableinfo">
- Make sure that the <span class="path" dir="ltr">/sbin/agetty</span> binary is labeled
- system_u:object_r:getty_exec_t. If not, relabel the
- <span class="path" dir="ltr">sys-apps/util-linux</span> package using <span class="code" dir="ltr">rlpkg util-linux</span>. Then
- restart all the agetty processes using <span class="code" dir="ltr">pkill agetty</span> (they will
- automatically respawn).
- </td>
-</tr>
-<tr>
- <td class="infohead"><b>File</b></td>
- <td class="infohead"><b>Context</b></td>
- <td class="infohead"><b>If wrong context...</b></td>
-</tr>
-<tr>
- <td class="tableinfo">/bin/login</td>
- <td class="tableinfo">system_u:object_r:login_exec_t</td>
- <td class="tableinfo">
- The login binary is part of <span class="path" dir="ltr">sys-apps/shadow</span>. Run <span class="code" dir="ltr">rlpkg
- shadow</span> to relabel the files of that package and retry logging in.
- </td>
-</tr>
-<tr>
- <td class="tableinfo">/sbin/unix_chkpwd</td>
- <td class="tableinfo">system_u:object_r:chkpwd_exec_t</td>
- <td class="tableinfo">
- This binary is part of the <span class="path" dir="ltr">sys-libs/pam</span> package and is used by
- SSH when it is configured to use PAM for user authentication. Relabel the
- package using <span class="code" dir="ltr">rlpkg pam</span> and retry logging in.
- </td>
-</tr>
-<tr>
- <td class="tableinfo">/etc/passwd</td>
- <td class="tableinfo">system_u:object_r:etc_t</td>
- <td class="tableinfo" rowspan="2">
- The <span class="path" dir="ltr">/etc/passwd</span> and <span class="path" dir="ltr">/etc/shadow</span> must be labeled
- correctly, otherwise PAM will not be able to authenticate any user. Relabel
- the files through <span class="code" dir="ltr">restorecon /etc/passwd /etc/shadow</span> and retry
- logging in.
- </td>
-</tr>
-<tr>
- <td class="tableinfo">/etc/shadow</td>
- <td class="tableinfo">system_u:object_r:shadow_t</td>
-</tr>
-<tr>
- <td class="tableinfo">/bin/bash</td>
- <td class="tableinfo">system_u:object_r:shell_exec_t</td>
- <td class="tableinfo">
- The users' shell (in this case, <span class="code" dir="ltr">bash</span>) must be labeled correctly so
- the user can transition into the user domain when logging in. To do so,
- relabel the <span class="path" dir="ltr">app-shells/bash</span> package using <span class="code" dir="ltr">rlpkg bash</span>.
- Then, try logging in again.
- </td>
-</tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Unable to Emerge Anything (OSError: [Errno 22] Invalid argument)</p>
-<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p>
-<p>
-When trying to install software with Portage, you get a huge python stacktrace
-and finally the error message <span class="emphasis">OSError: [Errno 22] Invalid argument</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Stacktrace dump when portage fails to install software</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Traceback (most recent call last):
- File "http://www.gentoo.org/usr/bin/emerge", line 43, in &lt;module&gt;
- retval = emerge_main()
- File "http://www.gentoo.org/usr/lib64/portage/pym/_emerge/main.py", line 1906, in emerge_main
- myopts, myaction, myfiles, spinner)
- File "http://www.gentoo.org/usr/lib64/portage/pym/_emerge/actions.py", line 437, in action_build
- retval = mergetask.merge()
-...
- File "http://www.gentoo.org/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 104, in _doebuild_spawn
- return spawn(cmd, settings, **kwargs)
- File "http://www.gentoo.org/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 1255, in spawn
- return spawn_func(mystring, env=mysettings.environ(), **keywords)
- File "http://www.gentoo.org/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
- setexec(con)
- File "http://www.gentoo.org/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
- if selinux.setexeccon(ctx) &lt; 0:
-OSError: [Errno 22] Invalid argument
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Wrong Context</a></p>
-<p>
-The above error comes when you launch portage (through <span class="code" dir="ltr">emerge</span>) while you
-are not in <span class="code" dir="ltr">sysadm_t</span> context. You can verify this with <span class="code" dir="ltr">id -Z</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking current context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">id -Z</span>
-system_u:system_r:local_login_t
-</pre></td></tr>
-</table>
-<p>
-As long as the context isn't <span class="code" dir="ltr">sysadm_t</span>, then Portage will break. This is
-because Portage wants to switch its execution context from <span class="code" dir="ltr">portage_t</span> to
-<span class="code" dir="ltr">portage_sandbox_t</span> but fails (it isn't in <span class="code" dir="ltr">portage_t</span> to begin with
-because the user who launched Portage isn't in <span class="code" dir="ltr">sysadm_t</span>).
-</p>
-<p>
-Please check <a href="#doc_chap2">Unable to Log On</a> above first. Also
-make sure that you can <span class="code" dir="ltr">dispatch-conf</span> or <span class="code" dir="ltr">etc-update</span> after
-installing SELinux so that <span class="path" dir="ltr">/etc/pam.d/system-login</span> is updated with
-the right <span class="path" dir="ltr">pam_selinux.so</span> calls.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Forcing Installation</a></p>
-<p>
-If you need to force Portage to continue regardless (for instance, you were in
-the middle of a SELinux installation so cannot properly resolve such issues
-now), run the <span class="code" dir="ltr">emerge</span> command but with <span class="code" dir="ltr">FEATURES="-selinux"</span>. This
-will effectively disable Portage' SELinux integration, but allows you to
-continue installing software.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running emerge without selinux support</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">FEATURES="-selinux" emerge -u world</span>
-</pre></td></tr>
-</table>
-<p>
-Make sure that you relabel the entire file system after using this approach!
-Portage will not label the files installed on the system correctly if you
-disable its SELinux support. To relabel the entire file system, use <span class="code" dir="ltr">rlpkg -a
--r</span>.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated April 10, 2012</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
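Review bot: the generated anchors in this preview are all identical, so the page's own cross-references cannot work: every chapter carries `<a name="doc_chap1">`, every section `<a name="doc_chap1_sect1">`, every listing `<a name="doc_chap1_pre1">` with the title "Code Listing1.1" (also missing the space), which means `<a href="#doc_chap2">Unable to Log On</a>` has no target at all and `<a href="#doc_chap1">Unable To Load SELinux Policy</a>` lands on whichever `doc_chap1` anchor comes first rather than on that section. The stacktrace listing also shows the generator rewriting absolute paths into site URLs (`File "http://www.gentoo.org/usr/bin/emerge", line 43`), and the init row has the typo "correclty". If these previews are going to be regenerated rather than dropped for good, the numbering and path handling in the generator need fixing first; a sentence in the commit on which of the two is intended would help. On the content itself, the "Recovering from store corruption" listing runs `setenforce 0` and a `FEATURES="-selinux" emerge` but ends at `restorecon -R /etc/selinux` with no step back to enforcing, while the "Forcing Installation" section later on the same page says a `FEATURES="-selinux"` emerge requires a full `rlpkg -a -r` afterwards; the source document should make the recovery recipe consistent with its own later advice.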
diff --git a/html/selinux/index.html b/html/selinux/index.html
deleted file mode 100644
index 60e3ac5..0000000
--- a/html/selinux/index.html
+++ /dev/null
@@ -1,216 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Projects
---
- SELinux</title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<br><h1>SELinux</h1>
-<form name="contents" action="http://www.gentoo.org">
-<b>Content</b>:
- <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Project Description</option>
-<option value="#doc_chap2">2. Project Goals</option>
-<option value="#doc_chap3">3. Developers</option>
-<option value="#doc_chap4">4. Contributors</option>
-<option value="#doc_chap5">5. Resources</option>
-<option value="#doc_chap6">6. I Want to Participate</option></select>
-</form>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Project Description</p>
-<p>
-This project manages SELinux support in Gentoo. This includes providing
-kernels with SELinux support, providing patches to userland utilities, writing
-strong Gentoo-specific default profiles, and maintaining a good default set of
-policies.
-</p>
-<p>
-<a href="http://www.nsa.gov/research/selinux/index.shtml">Security-Enhanced
-Linux</a> (SELinux) is a Mandatory Access Control system using type
-enforcement and role-based access control. It is integrated within Linux as a
-<a href="http://lsm.immunix.org/">Linux Security Module</a> (LSM)
-implementation. In addition to the kernel portion, SELinux consists of a library
-(libselinux) and userland utilities for compiling policy (checkpolicy), and loading
-policy (policycoreutils), in addition to other user programs.
-</p>
-<p>
-One common misconception is that SELinux is a complete security solution. It is
-not. SELinux only provides access control on system objects. It can work well
-with other Hardened projects, such as PaX, for a more complete solution.
-</p>
-<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
- </span>Project Goals</p>
-<p>
-Our goal is to make SELinux (with Gentoo Hardened) available to more users.
-As a result, we
-</p>
-<ul>
- <li>
- develop, improve and maintain the proper documentation and learning
- material for end users to master SELinux
- </li>
- <li>
- maintain a stable yet progressive set of userland tools that are needed
- to interoperate with SELinux on a Linux system (such as the core utilities,
- libselinux and more)
- </li>
- <li>
- focus on the integration of SELinux and SELinux-awareness within the Gentoo
- distribution, offering the necessary feedback on Portage and other utilities
- </li>
- <li>
- develop, improve and maintain a good and secure default policy, based on the
- reference policy, so that end users have no difficulties working with and
- enhancing SELinux within their environment
- </li>
-</ul>
-<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
- </span>Developers</p>
-<table class="ntable">
- <tr>
- <td class="infohead"><b>Developer</b></td>
- <td class="infohead"><b>Nickname</b></td>
- <td class="infohead"><b>Role</b></td>
- </tr>
- <tr>
- <td class="tableinfo">Sven Vermeulen</td>
- <td class="tableinfo">swift</td>
- <td class="tableinfo">Lead ( Documentation, Userspace tools, Policy development )</td>
- </tr>
- <tr>
- <td class="tableinfo">Anthony G. Basile</td>
- <td class="tableinfo">blueness</td>
- <td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td>
- </tr>
- <tr>
- <td class="tableinfo">Chris PeBenito</td>
- <td class="tableinfo">pebenito</td>
- <td class="tableinfo">Developer ( Policy development, Userspace tools )</td>
- </tr>
- <tr>
- <td class="tableinfo">Matt Thode</td>
- <td class="tableinfo">prometheanfire</td>
- <td class="tableinfo">Developer ( Policy development, Support )</td>
- </tr>
- </table>
-<p>
- All developers can be reached by e-mail using <span class="code" dir="ltr">nickname@gentoo.org</span>.
- </p>
-<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
- </span>Contributors</p>
-<p>
-The following people, although non-developer, are actively contributing to the project:
-</p>
-<table class="ntable">
-<tr>
-<td class="infohead"><b>Contributor</b></td>
-<td class="infohead"><b>Nickname</b></td>
-<td class="infohead"><b>Role</b></td>
-</tr>
-<tr>
-<td class="tableinfo">Chris Richards</td>
-<td class="tableinfo">gizmo</td>
-<td class="tableinfo">Policy development, support</td>
-</tr>
-</table>
-<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
- </span>Resources</p>
-<p>Resources offered by the
- SELinux
- project are:</p>
-<ul>
- <li>
- <a href="selinux/selinux-handbook.html">Gentoo SELinux Handbook (concepts, installation, maintenance)</a>
- </li>
- <li>
- <a href="selinux-faq.html">Gentoo SELinux FAQ</a>
- </li>
- <li>
- <a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
- </li>
- <li>
- <a href="selinux-bugreporting.html">Reporting SELinux (policy) bugs</a>
- </li>
- <li>
- <a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
- </li>
- <li>
- <a href="roadmap.html">Gentoo Hardened Roadmap (includes SELinux development)</a>
- </li>
- <li>
- <a href="support-state.html">Gentoo Hardened Support Matrices (includes SELinux)</a>
- </li>
- </ul>
-<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
- </span>I Want to Participate</p>
-<p>
-To participate in the SELinux project first join the mailing list at
-<span class="code" dir="ltr">gentoo-hardened@gentoo.org</span>. Then ask if there are plans to support
-something that you are interested in, propose a new subproject that you are
-interested in or choose one of the planned subprojects to work on. You may talk
-to the developers and users in the IRC channel <span class="code" dir="ltr">#gentoo-hardened</span> on
-<span class="code" dir="ltr">irc.freenode.net</span> for more information or just to chat about the project
-or any subprojects. If you don't have the ability to actively help by
-contributing work we will always need testers to use and audit the SELinux
-policies. All development, testing, feedback, and productive comments will
-be greatly appreciated.
-</p>
-<p class="secthead"><a name="doc_chap6_sect2">Policy Submissions</a></p>
-<p>
-The critical component of a SELinux system is having a strong policy. The
-team does its best to support as many daemons as possible. However, we cannot
-create policies for daemons with which we are unfamiliar. But we are happy
-to receive policy submissions for consideration. There are a few requirements:
-</p>
-<ul>
- <li>
- Make comments (in the policy and/or bug), so we can understand changes
- from the Reference Policy example policy.
- </li>
- <li>
- The policy should cover common installations. Please do not submit policies
- for odd or nonstandard daemon configurations.
- </li>
- <li>
- We need to know if the policy is dependent on another policy (for example
- rpcd is dependent on portmap) other than base-policy.
- </li>
-</ul>
-<p>
-The policy should be submitted on <a href="http://bugs.gentoo.org/">bugzilla</a>.
-Please attach the .te and .fc files separately to the bug, not as a tarball.
-The bug should be Cc'ed to <span class="code" dir="ltr">selinux@gentoo.org</span> and will be properly
-reassigned by the team.
-</p>
-<br><br>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="index.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</p></td></tr>
-<tr><td align="left" class="topsep"><p class="alttext">Gentoo Project<br><i>script generated</i><br></p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
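Review bot: the resource links in this page are relative to the wrong directory for a file living at `html/selinux/index.html`: `<a href="selinux/selinux-handbook.html">` would resolve to `html/selinux/selinux/selinux-handbook.html`, whereas the handbook preview removed in this same change is at `html/selinux/selinux-handbook.html`, and the sibling links (`selinux-faq.html`, `selinux-development.html`, `roadmap.html`, `support-state.html`) would likewise be looked up under `html/selinux/`. Whatever replaces these previews should be generated with the link base matching the output location, or the index should be emitted one level up next to the pages it links to. Deleting the page removes the only visible navigation to the handbook and FAQ, so a pointer to where the rendered index now lives would be worth adding alongside the removal.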
diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html
deleted file mode 100644
index 038daf2..0000000
--- a/html/selinux/selinux-handbook.html
+++ /dev/null
@@ -1,168 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Documentation
---
- Gentoo SELinux Handbook</title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<hr>
-<p>
- [ &lt;&lt; ]
-
- [ &lt; ]
-
- [ <a href="pebenito@gentoo.org">Home</a> ]
-
- [ <a href="pebenito@gentoo.org?part=1">&gt;</a> ]
-
- [ <a href="pebenito@gentoo.org?part=1">&gt;&gt;</a> ]
- </p>
-<hr>
-<h1>Gentoo SELinux Handbook</h1>
-<p>Content:</p>
-<ul>
-<li>
-<b><a href="?part=1">Introduction to Gentoo/Hardened SELinux</a></b><br>
-In this part we cover what SELinux is and how it is positioned within the
-Gentoo/Hardened project.
-<ol>
-<li>
-<b><a href="?part=1&amp;chap=1">Enhancing Linux Security</a></b><br>
-Security is more than enabling a certain framework or installing a different
-Linux kernel. It is a way of working / administrating your Gentoo Linux system.
-We cover a few (generic) best practices, and then elaborate on what Mandatory
-Access Control is and how SELinux fills in this gap.
-</li>
-<li>
-<b><a href="?part=1&amp;chap=2">SELinux Concepts</a></b><br>
-To be able to properly work with SELinux, it is vital that you understand a few
-of its concepts like domains, domain transitions and file contexts. Without
-a basic understanding of these aspects, it will be difficult to understand
-how SELinux policies work and how to troubleshoot if things go wrong.
-</li>
-<li>
-<b><a href="?part=1&amp;chap=3">SELinux Resources</a></b><br>
-To get more acquainted with SELinux, many resources exist on the Internet.
-In this chapter we give a quick overview of the various resources as well
-as places where you can get more help when you are fighting with SELinux.
-</li>
-</ol>
-</li>
-<li>
-<b><a href="?part=2">Using Gentoo/Hardened SELinux</a></b><br>
-With the theoretic stuff behind us, let us start by installing Gentoo/Hardened
-with a SELinux kernel as well as the SELinux tools.
-<ol>
-<li>
-<b><a href="?part=2&amp;chap=1">Gentoo SELinux Installation / Conversion</a></b><br>
-To set up SELinux within Gentoo/Hardened, you first need to install Gentoo with
-the correct Hardened profile (or convert to the Hardened profile) and then
-update your system to become a SELinux-managed system. This chapter will guide
-you through this process.
-</li>
-<li>
-<b><a href="?part=2&amp;chap=2">Configuring SELinux For Your Needs</a></b><br>
-With SELinux now "installed" and enabled (although in permissive mode), we now
-configure it to suit your particular needs. After all, SELinux is a Mandatory
-Access Control system where you, as security administrator, define what is
-allowed and what not.
-</li>
-<li>
-<b><a href="?part=2&amp;chap=3">SELinux Commands</a></b><br>
-Let's take a step back and get to know a few more commands. We covered most of
-them in the previous section, but we will now dive a bit deeper in its
-syntax, features and potential pitfalls.
-</li>
-<li>
-<b><a href="?part=2&amp;chap=4">Permissive, Unconfined, Disabled or What Not...</a></b><br>
-Your system can be in many SELinux states. In this chapter, we help you switch
-between the various states / policies.
-</li>
-<li>
-<b><a href="?part=2&amp;chap=5">Modifying the Gentoo Hardened SELinux Policy</a></b><br>
-Gentoo Hardened offers a default policy, but this might not allow what you want
-(or allows too much). In this chapter we tell you how you can tweak Gentoo's
-policy, or even run your own.
-</li>
-<li>
-<b><a href="?part=2&amp;chap=6">Troubleshooting SELinux</a></b><br>
-Everything made by a human can and will fail. In this chapter we will try to
-keep track of all potential issues you might come across and how to resolve
-them.
-</li>
-</ol>
-</li>
-</ul>
-<hr>
-<p>
- [ &lt;&lt; ]
-
- [ &lt; ]
-
- [ <a href="pebenito@gentoo.org">Home</a> ]
-
- [ <a href="pebenito@gentoo.org?part=1">&gt;</a> ]
-
- [ <a href="pebenito@gentoo.org?part=1">&gt;&gt;</a> ]
- </p>
-<hr>
-<p class="copyright">
- The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
- </p>
-<!--
- <rdf:RDF xmlns="http://web.resource.org/cc/"
- xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
-
- <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
-
- <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
- <permits rdf:resource="http://web.resource.org/cc/Distribution" />
- <requires rdf:resource="http://web.resource.org/cc/Notice" />
- <requires rdf:resource="http://web.resource.org/cc/Attribution" />
- <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
- <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
- </License>
- </rdf:RDF>
--->
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="pebenito@gentoo.org?full=1">View all</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Page updated September 18, 2011</p></td></tr>
-<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
-This is the Gentoo SELinux Handbook.
-</p></td></tr>
-<tr><td align="left" class="topsep"><p class="alttext">
- <a href="mailto:pebenito@gentoo.org" class="altlink"><b>Chris PeBenito</b></a>
-<br><i>Author</i><br><br>
- <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
-<br><i>Author</i><br><br>
- Chris Richards
-<br><i>Author</i><br></p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
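Review bot: the handbook navigation in this preview was already broken, which supports removing it rather than leaving it in place: the generator substituted the author's e-mail address for the document URL, giving `[ <a href="pebenito@gentoo.org">Home</a> ]`, `href="pebenito@gentoo.org?part=1"` for the next-part links and `href="pebenito@gentoo.org?style=printable"` for Print, all of which resolve to a relative path named after an e-mail address. The embedded RDF licence block is also not well-formed, opening with `<license rdf:about=...>` and closing with `</License>`; browsers ignore it because it sits in an HTML comment, but any tool that extracts the Creative Commons metadata will reject it. The page is stamped "Page updated September 18, 2011" while the troubleshooting preview deleted above is stamped April 10, 2012, so the rendered copies had drifted apart; if the previews are regenerated later, the handbook should be rebuilt from the same source revision as the rest and the URL substitution in the generator fixed first.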
diff --git a/pdf/selinux-handbook.pdf b/pdf/selinux-handbook.pdf
deleted file mode 100644
index cdb8c9b..0000000
--- a/pdf/selinux-handbook.pdf
+++ /dev/null
Binary files differ
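Review bot: the diff cannot show anything about `pdf/selinux-handbook.pdf` beyond its removal, and with the HTML previews of the same handbook deleted in this change the repository no longer carries any rendered copy of the document. A short note, in the commit or in a README next to the sources, saying where rendered HTML and PDF output is built from now on would save the next person from hunting for a replacement; if the PDF is simply being dropped because it went stale in the same way as the HTML, saying so is enough.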