path: root/html
author: Sven Vermeulen <sven.vermeulen@siphos.be> 2011-11-22 21:08:28 +0100
committer: Sven Vermeulen <sven.vermeulen@siphos.be> 2011-11-22 21:08:28 +0100
commit: 2b94f230c619d53a48074f051b711e76485cd74f (patch)
tree: 81ce270519bd5e553c92923f67403b0a1f884706 /html
parent: Add link to SELinux bug reporting guide (diff)
download: hardened-docs-2b94f230c619d53a48074f051b711e76485cd74f.tar.gz, hardened-docs-2b94f230c619d53a48074f051b711e76485cd74f.tar.bz2, hardened-docs-2b94f230c619d53a48074f051b711e76485cd74f.zip
Update previews
Diffstat (limited to 'html')
-rw-r--r-- html/docs/index.html | 4
-rw-r--r-- html/index.html | 33
-rw-r--r-- html/index2.html | 21
-rw-r--r-- html/roadmap.html | 39
-rw-r--r-- html/selinux-bugreporting.html | 167
-rw-r--r-- html/selinux-development.html | 14
-rw-r--r-- html/selinux-faq.html | 44
-rw-r--r-- html/selinux/hb-using-enforcing.html | 205
-rw-r--r-- html/selinux/hb-using-install.html | 15
-rw-r--r-- html/selinux/hb-using-permissive.html | 609
-rw-r--r-- html/selinux/hb-using-policymodules.html | 541
-rw-r--r-- html/selinux/hb-using-states.html | 2
-rw-r--r-- html/selinux/index.html | 20
-rw-r--r-- html/selinux/selinux-handbook.html | 16
-rw-r--r-- html/support-state.html | 6
15 files changed, 257 insertions, 1479 deletions
diff --git a/html/docs/index.html b/html/docs/index.html
index 06df3e1..81ff591 100644
--- a/html/docs/index.html
+++ b/html/docs/index.html
@@ -24,7 +24,8 @@
<a class="menulink" href="http://bugs.gentoo.org/">Bugs</a> |
<a class="menulink" href="http://www.gentoo.org/main/en/where.xml">Get Gentoo!</a> |
<a class="menulink" href="http://www.gentoo.org/main/en/support.xml">Support</a> |
-<a class="menulink" href="http://planet.gentoo.org/">Planet</a>
+<a class="menulink" href="http://planet.gentoo.org/">Planet</a> |
+<a class="menulink" href="http://wiki.gentoo.org/">Wiki</a>
</p></td>
</tr>
<tr>
@@ -53,6 +54,7 @@ Community<br>
<a class="altlink" href="http://bugs.gentoo.org">Report Issues</a><br>
<a class="altlink" href="http://planet.gentoo.org">Planet (Blogs)</a><br>
<a class="altlink" href="http://packages.gentoo.org/">Online Package Database</a><br>
+<a class="altlink" href="http://wiki.gentoo.org/">Wiki</a><br>
<a class="altlink" href="http://www.gentoo.org/main/en/contact.xml">Contact Us</a><br>
<a class="altlink" href="http://www.gentoo.org/main/en/sponsors.xml">Sponsors</a><br><br>
Get Involved<br>
diff --git a/html/index.html b/html/index.html
index f85729e..584d5db 100644
--- a/html/index.html
+++ b/html/index.html
@@ -66,11 +66,6 @@ Gentoo once they've been tested for security and stability by the Hardened team.
<td class="tableinfo">Member ( SELinux )</td>
</tr>
<tr>
- <td class="tableinfo">Bryan Stine</td>
- <td class="tableinfo">battousai</td>
- <td class="tableinfo">Member ( Bastille Lead )</td>
- </tr>
- <tr>
<td class="tableinfo">Anthony G. Basile</td>
<td class="tableinfo">blueness</td>
<td class="tableinfo">Member ( PaX/Grsecurity, Hardened sources )</td>
@@ -81,6 +76,11 @@ Gentoo once they've been tested for security and stability by the Hardened team.
<td class="tableinfo">Member ( PaX/Grsecurity, Hardened sources )</td>
</tr>
<tr>
+ <td class="tableinfo">Francisco Blas Izquierdo Riera</td>
+ <td class="tableinfo">klondike</td>
+ <td class="tableinfo">Member ( Doc, PR )</td>
+ </tr>
+ <tr>
<td class="tableinfo">Gysbert Wassenaar</td>
<td class="tableinfo">nixnut</td>
<td class="tableinfo">Member ( PPC arch team liaison )</td>
@@ -91,6 +91,11 @@ Gentoo once they've been tested for security and stability by the Hardened team.
<td class="tableinfo">Member ( SELinux )</td>
</tr>
<tr>
+ <td class="tableinfo">Matt Thode</td>
+ <td class="tableinfo">prometheanfire</td>
+ <td class="tableinfo">Member ( SELinux )</td>
+ </tr>
+ <tr>
<td class="tableinfo">Matthew Summers</td>
<td class="tableinfo">quantumsummers</td>
<td class="tableinfo">Member ( Hardened sources, Doc )</td>
@@ -117,11 +122,6 @@ project:
<td class="infohead"><b>Role</b></td>
</tr>
<tr>
-<td class="tableinfo">Francisco Blas Izquierdo Riera</td>
-<td class="tableinfo">klondike</td>
-<td class="tableinfo">Documentation writing, support</td>
-</tr>
-<tr>
<td class="tableinfo">Chris Richards</td>
<td class="tableinfo">gizmo</td>
<td class="tableinfo">Policy development, support (SELinux)</td>
@@ -142,7 +142,7 @@ project:
<td class="tableinfo">
<a href="selinux/index.html">SELinux</a>
</td>
- <td class="tableinfo">Chris PeBenito</td>
+ <td class="tableinfo">Sven Vermeulen</td>
<td class="tableinfo">SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</td>
</tr>
<tr>
@@ -173,15 +173,6 @@ A kernel which provides patches for hardened subprojects, and stability/security
oriented patches. Includes Grsecurity and SELinux.
</td>
</tr>
- <tr>
- <td class="tableinfo">Bastille</td>
- <td class="tableinfo">Bryan Stine</td>
- <td class="tableinfo">
-Bastille is an interactive application which gives the user suggestions on
-securing their machine. It will be customized to make suggestions about other
-Hardened Gentoo subprojects.
-</td>
- </tr>
</table>
<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
</span>Resources</p>
@@ -307,7 +298,7 @@ GNU Stack Quickstart
</tr>
<tr>
<td class="tableinfo">selinux</td>
- <td class="tableinfo">blueness, pebenito, swift</td>
+ <td class="tableinfo">blueness, pebenito, prometheanfire, swift</td>
<td class="tableinfo">Gentoo's Security-Enhanced Linux (SELinux) packages</td>
</tr>
</table>
diff --git a/html/index2.html b/html/index2.html
index 6ed1a19..61f6f0b 100644
--- a/html/index2.html
+++ b/html/index2.html
@@ -96,11 +96,6 @@ Gentoo once they've been tested for security and stability by the Hardened team.
<td class="infohead"><b></b></td>
</tr>
<tr>
- <td class="tableinfo">Sven Vermeulen</td>
- <td class="tableinfo">swift</td>
- <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td>
- </tr>
- <tr>
<td class="tableinfo">Anthony G. Basile</td>
<td class="tableinfo">blueness</td>
<td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td>
@@ -108,7 +103,17 @@ Gentoo once they've been tested for security and stability by the Hardened team.
<tr>
<td class="tableinfo">Chris PeBenito</td>
<td class="tableinfo">pebenito</td>
- <td class="tableinfo">Lead ( Policy, x86, AMD64 )</td>
+ <td class="tableinfo">Developer ( Policy development, Userspace tools )</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Matt Thode</td>
+ <td class="tableinfo">prometheanfire</td>
+ <td class="tableinfo">Developer ( Policy development, Support )</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Sven Vermeulen</td>
+ <td class="tableinfo">swift</td>
+ <td class="tableinfo">Lead ( Documentation, Userspace tools, Policy development )</td>
</tr>
</table>
<p>
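Review bot: the rewrite of Chris PeBenito's row drops the architecture responsibilities ("Lead ( Policy, x86, AMD64 )" becomes "Developer ( Policy development, Userspace tools )"), and no other row in the table picks up x86 or AMD64; if arch coverage is still a tracked role, move it to whoever now owns it rather than deleting it. The same page also keeps the "Lead ( ... )" wording for Sven Vermeulen while the SELinux subproject row below is changed to name him as lead, so the two tables now agree; just make sure index.html, which lists the same people as "Member ( ... )", is meant to stay in its own style.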
@@ -129,7 +134,7 @@ Gentoo once they've been tested for security and stability by the Hardened team.
<td class="tableinfo">
<a href="selinux/index.html">SELinux</a>
</td>
- <td class="tableinfo">Chris PeBenito</td>
+ <td class="tableinfo">Sven Vermeulen</td>
<td class="tableinfo">SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</td>
</tr>
<tr>
@@ -280,7 +285,7 @@ GNU Stack Quickstart</a>
</tr>
<tr>
<td class="tableinfo">selinux</td>
- <td class="tableinfo">blueness, pebenito, swift</td>
+ <td class="tableinfo">blueness, pebenito, prometheanfire, swift</td>
<td class="tableinfo">Gentoo's Security-Enhanced Linux (SELinux) packages</td>
</tr>
</table>
diff --git a/html/roadmap.html b/html/roadmap.html
index c623185..f645ca8 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -258,7 +258,7 @@ is in need for attention.
The Gentoo Hardened SELinux state is up to date and fully supported (except
MLS which is considered experimental). The documentation is being updated as
the state evolves, but can still improve. Primary focus now is on the quality
-of the packages and improved support for MCS.
+of the packages and standard policies.
</p>
<p class="secthead"><a name="doc_chap6_sect2">Goals and Milestones</a></p>
<table class="ntable">
@@ -270,47 +270,26 @@ of the packages and improved support for MCS.
<td class="infohead"><b>Related Bugs</b></td>
</tr>
<tr>
- <td class="tableinfo">Add support for MCS (driver is virtualization)</td>
- <td class="tableinfo">2011-08-15</td>
- <td class="tableinfo">Done</td>
- <td class="tableinfo">SwifT</td>
- <td class="tableinfo"></td>
-</tr>
-<tr>
- <td class="tableinfo">Stabilize the new SELinux profile structure</td>
- <td class="tableinfo">2011-08-20</td>
- <td class="tableinfo">Done</td>
- <td class="tableinfo">blueness, SwifT</td>
- <td class="tableinfo"><a href="https://bugs.gentoo.org/365483">#365483</a></td>
-</tr>
-<tr>
- <td class="tableinfo">Merge 20110726 policies in ~arch</td>
- <td class="tableinfo">2011-08-28</td>
- <td class="tableinfo">Busy</td>
+ <td class="tableinfo">Deprecate old policies</td>
+ <td class="tableinfo">2011-11-10</td>
+ <td class="tableinfo">done</td>
<td class="tableinfo">SwifT</td>
<td class="tableinfo"></td>
</tr>
<tr>
- <td class="tableinfo">Stabilize the 20110727 userland tools and libraries</td>
- <td class="tableinfo">2011-09-30</td>
+ <td class="tableinfo">Deprecate old profiles</td>
+ <td class="tableinfo">2011-12-01</td>
<td class="tableinfo"></td>
- <td class="tableinfo">SwifT</td>
+ <td class="tableinfo">blueness</td>
<td class="tableinfo"></td>
</tr>
<tr>
- <td class="tableinfo">Stabilize the 20110726 policies</td>
- <td class="tableinfo">2011-09-30</td>
+ <td class="tableinfo">Get mainstream packages the proper dependencies on the SELinux policies</td>
+ <td class="tableinfo">2011-12-31</td>
<td class="tableinfo"></td>
<td class="tableinfo">SwifT</td>
<td class="tableinfo"></td>
</tr>
-<tr>
- <td class="tableinfo">Deprecate old profiles</td>
- <td class="tableinfo">2011-12-01</td>
- <td class="tableinfo"></td>
- <td class="tableinfo">blueness</td>
- <td class="tableinfo"></td>
-</tr>
</table>
<br><br>
</td>
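Review bot: two in-progress milestones leave the table without a recorded outcome: "Merge 20110726 policies in ~arch" (status "Busy") and the two "Stabilize the 20110727 userland tools and libraries" / "Stabilize the 20110726 policies" rows (due 2011-09-30) are deleted outright, and the #365483 bug link disappears with the profile-structure row. If those were completed, mark them done like the surviving row and keep them until the next prune, so the roadmap retains its history; if they are still open, keep them with their dates. Minor: the new "Deprecate old policies" row uses lower-case "done" where the table elsewhere used "Done".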
diff --git a/html/selinux-bugreporting.html b/html/selinux-bugreporting.html
new file mode 100644
index 0000000..872a5e6
--- /dev/null
+++ b/html/selinux-bugreporting.html
@@ -0,0 +1,167 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Reporting SELinux (policy) bugs</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Reporting SELinux (policy) bugs</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. So you got a bug?</option>
+<option value="#doc_chap2">2. Bugs related to AVC denials (and non-functional applications)</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>So you got a bug?</p>
+<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
+<p>
+When working with a SELinux-enabled system, you will notice that some policies
+are far from perfect. That is to be expected, since there are a lot more
+policies and SELinux policy modules than we can thoroughly test. That is why bug
+reports are very important for us as they give us much-needed feedback on the
+state of the policies. Also, since we follow the reference policy closely,
+patches are also sent upstream so that other distributions can benefit from the
+updates.
+</p>
+<p>
+However, debugging and fixing SELinux policies also means that we need to
+identify a proper policy failure, find the root cause of this failure and have
+an optimal solution. Since we are talking about <span class="emphasis">security</span> policies, much
+attention goes into details, but also in the <span class="emphasis">many eyes</span> paradigm to
+validate if a policy fix is correct or not.
+</p>
+<p>
+That is one of the reasons why we created this bugreport as it helps you, as the
+feedback-providing user, to both properly figure out why a failure occurs and
+how to fix it, but also why we are quite strict in the acceptance of patches.
+</p>
+<p class="secthead"><a name="doc_chap1_sect2">Short version</a></p>
+<p>
+When reporting SELinux policy fixes based on AVC denials,
+</p>
+<ul>
+ <li>
+ structure the denials and try to create one bug report per logically
+ coherent set of denials. Don't push all your AVC denials onto us.
+ </li>
+ <li>
+ make sure you can reproduce the issue and that you have the ability to
+ reproduce while we work on the fix. We cannot test all policies ourselves.
+ </li>
+ <li>
+ report the application failure output as well, not only the AVC denial. We
+ need to know what the application is trying to do (and failing to do) to fix
+ the problem.
+ </li>
+</ul>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Bugs related to AVC denials (and non-functional applications)</p>
+<p class="secthead"><a name="doc_chap2_sect1">About</a></p>
+<p>
+In this section, we'll go into the details of creating a helpful bug report for
+SELinux policies in case you have an AVC denial (which means SELinux is
+prohibiting a certain privilege request) that results in the failure of the
+application.
+</p>
+<p class="secthead"><a name="doc_chap2_sect2">Structure the denials</a></p>
+<p>
+When you get one or more AVC denials, try to structure them into logically
+coherent sets. We cannot easily deal with several dozen denials. Most of the
+time, you either get multiple denials of the same cause, or the denials are not
+truely related.
+</p>
+<p>
+When we need to fix the SELinux policy, nine out of ten times we focus on one or
+a few related denials and come up with a proper fix. When there is an abundance
+of AVC denials, we need to skim through them (which we usually then do one at a
+time) which puts a lot of stress on you (the reporter) as we will ask you
+hundred-and-one questions and requests for testing.
+</p>
+<p class="secthead"><a name="doc_chap2_sect3">Prepare for testing</a></p>
+<p>
+When you report a SELinux policy related bug, make sure you are ready to test
+the results that we want to put in. We cannot test out all applications
+ourselves. Sometimes, a failure is even only reproducable on a specific setup.
+</p>
+<p class="secthead"><a name="doc_chap2_sect4">Report the application failure</a></p>
+<p>
+More than once, we get bug reports on SELinux policy denials where the user is
+still running in permissive mode. He is reporting the denials because he is
+afraid that he will not be able to run it in enforcing mode without the denials
+being fixed.
+</p>
+<p>
+However, denials can be <span class="emphasis">cosmetic</span>, in which case we should actually hide
+the denials rather than allow their requests. Also, when you run in permissive
+mode, it is very much possible that the denials would never be reached when
+running in enforcing mode because of earlier denials (which, coincidentally,
+might be wrongly hidden from your logs).
+</p>
+<p>
+For this reason, we urge you to give us not only the AVC denial information, but
+also the application failure log output when running in enforcing mode.
+</p>
+<p>
+The <a href="selinux/selinux-handbook.xml">Gentoo Hardened SELinux
+Handbook</a> will guide you through the process of migrating from a permissive
+system into an enforcing mode. If you believe that booting in enforcing is not
+possible yet, just boot in permissive, log on as root, run <span class="code" dir="ltr">setenforce 1</span>
+and only then log on as user(s) to reproduce your situation. There is also a
+<a href="selinux/selinux-handbook.xml?part=2&amp;chap=2">Troubleshooting
+SELinux</a> section that helps you identify common bottlenecks or issues while
+trying to get SELinux running on your system.
+</p>
+<br><p class="copyright">
+ The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="swift?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 22, 2011</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This guide helps users to create a properly filled out bug report for SELinux
+policy updates.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:swift@gentoo.org" class="altlink"><b>Sven Vermeulen</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
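Review bot: the sidebar Print link is broken: `href="swift?style=printable"` points at the author's handle instead of the document (compare `selinux-development.xml?style=printable` in selinux-development.html), which suggests the link field in the XML source or the preview generator is being fed the author value; fix that before publishing. The two in-text handbook links (`selinux/selinux-handbook.xml` and `selinux/selinux-handbook.xml?part=2&amp;chap=2`) use `.xml` while every other link in this preview tree targets `.html` (for example `selinux/index.html` in index.html), so they will 404 in the preview. Typos in the text: "truely" (truly), "reproducable" (reproducible), and "we created this bugreport" should read "this bug reporting guide". Finally, the paragraph about cosmetic denials that "should actually hide the denials rather than allow their requests" and denials that "might be wrongly hidden from your logs" would be more useful to reporters if it named the mechanism (dontaudit rules) and the way to surface them while reproducing, `semodule -DB`, since a reporter running in permissive mode otherwise cannot see the suppressed denials that the guide warns about.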
diff --git a/html/selinux-development.html b/html/selinux-development.html
index 1249769..c56971c 100644
--- a/html/selinux-development.html
+++ b/html/selinux-development.html
@@ -174,9 +174,15 @@ Every time a new revision comes out, you'll need to clean the
</p></td></tr></table>
<p class="secthead"><a name="doc_chap2_sect2">Add specific module files</a></p>
<p>
-To update your policy workspace, use the same tactic as describes
-earlier, but now for the specific SELinux policy module package (like
-<span class="path" dir="ltr">selinux-postfix</span>).
+If you want to or need to work on the policy of a SELinux module (rather than
+the base policy), check its ebuild to see if it holds any additional patches
+(mentioned through the <span class="code" dir="ltr">POLICY_PATCH</span> variable). If not, then you can work
+off the snapshot taken earlier in this guide.
+</p>
+<p>
+However, if a patch (or set of patches) is applied as well, you either need to
+apply those manually on the snapshot, or use the following tactics to create a
+snapshot just for this module:
</p>
<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Updating the dev/hardened workspace</p></td></tr>
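Review bot: the new paragraph now introduces a module-specific snapshot ("use the following tactics to create a snapshot just for this module"), but the code listing that follows keeps its old title "Updating the dev/hardened workspace", which no longer describes what the reader is about to do; retitle it to match. Wording: "use the following tactics" should be singular ("the following tactic", or "the following approach"), and "If you want to or need to work on" reads better as "If you want or need to work on".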
@@ -1239,7 +1245,7 @@ it out.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-development.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 22, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
When planning to help Gentoo Hardened in the development of SELinux policies,
or when trying to debug existing policies, this document should help you get
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 252906f..caa4c46 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -56,9 +56,7 @@ as well.
<li><a href="#enable_selinux">How do I enable SELinux?</a></li>
<li><a href="#switch_status">How do I switch between permissive and enforcing?</a></li>
<li><a href="#disable_selinux">How do I disable SELinux completely?</a></li>
-<li><a href="#matchcontext">
- How do I know which file context rule is used for a particular file?
-</a></li>
+<li><a href="#matchcontext">How do I know which file context rule is used for a particular file?</a></li>
<li><a href="#localpolicy">How do I make small changes (additions) to the policy?</a></li>
</ul>
<p class="secthead">SELinux Kernel Error Messages</p>
@@ -71,15 +69,11 @@ as well.
<li><a href="#no_module">I get a missing SELinux module error when using emerge</a></li>
<li><a href="#loadpolicy">I get 'FEATURES variable contains unknown value(s): loadpolicy'</a></li>
<li><a href="#conflicting_types">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></li>
-<li><a href="#portage_libsandbox">
- During package installation, ld.so complains 'object 'libsandbox.so' from
- LD_PRELOAD cannot be preloaded: ignored'
-</a></li>
+<li><a href="#portage_libsandbox">During package installation, ld.so complains 'object 'libsandbox.so'
+from LD_PRELOAD cannot be preloaded: ignored'</a></li>
<li><a href="#emergefails">Emerge does not work, giving 'Permission denied: /etc/make.conf'</a></li>
-<li><a href="#cronfails">
- Cron fails to load in root's crontab with message '(root) ENTRYPOINT
- FAILED (crontabs/root)'
-</a></li>
+<li><a href="#cronfails">Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+FAILED (crontabs/root)'</a></li>
<li><a href="#missingdatum">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></li>
<li><a href="#recoverportage">Portage fails to label files because "setfiles" does not work anymore</a></li>
<li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li>
@@ -211,9 +205,7 @@ while SELinux was disabled might have created new files or removed the labels
from existing files, causing these files to be available without security
context.
</p></td></tr></table>
-<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">
- How do I know which file context rule is used for a particular file?
-</a></p>
+<p class="secthead"><a name="matchcontext"></a><a name="doc_chap3_sect4">How do I know which file context rule is used for a particular file?</a></p>
<p>
If you use the <span class="code" dir="ltr">matchpathcon</span> command, it will tell you what the security
context for the given path (file or directory) should be, but it doesn't tell
@@ -344,8 +336,8 @@ class (<span class="code" dir="ltr">process</span>) and privilege (<span class="
the <span class="code" dir="ltr">require { ... }</span> paragraph.
</p>
<p>
-When using interface names, make sure that the type (<span class="code" dir="ltr">ssh_t</span> and
-<span class="code" dir="ltr">user_t</span>) is mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph.
+When using interface names, make sure that the types (<span class="code" dir="ltr">ssh_t</span> and
+<span class="code" dir="ltr">user_t</span>) are mentioned in the <span class="code" dir="ltr">require { ... }</span> paragraph.
</p>
<p>
To find the proper interface name (like <span class="code" dir="ltr">corenet_tcp_connect_all_ports</span>
@@ -498,10 +490,8 @@ It is also not a bad idea to report (after verifying if it hasn't been reported
first) this on <a href="https://bugs.gentoo.org">Gentoo's bugzilla</a> so
that the default policies are updated accordingly.
</p>
-<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">
- During package installation, ld.so complains 'object 'libsandbox.so' from
- LD_PRELOAD cannot be preloaded: ignored'
-</a></p>
+<p class="secthead"><a name="portage_libsandbox"></a><a name="doc_chap5_sect4">During package installation, ld.so complains 'object 'libsandbox.so'
+from LD_PRELOAD cannot be preloaded: ignored'</a></p>
<p>
During installation of a package, you might see the following error message:
</p>
@@ -559,10 +549,8 @@ This is also necessary if you logged on to your system as root but through SSH.
The default behavior is that SSH sets the lowest role for the particular user
when logged on. And you shouldn't allow remote root logins anyhow.
</p>
-<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">
- Cron fails to load in root's crontab with message '(root) ENTRYPOINT
- FAILED (crontabs/root)'
-</a></p>
+<p class="secthead"><a name="cronfails"></a><a name="doc_chap5_sect6">Cron fails to load in root's crontab with message '(root) ENTRYPOINT
+FAILED (crontabs/root)'</a></p>
<p>
When you hit the mentioned error with a root crontab or an administrative
users' crontab, but not with a regular users' crontab, then check the context of
@@ -670,7 +658,7 @@ rebuild policycoreutils, which will fail to install because Portage cannot set
the file labels.
</p>
<p>
-The solution is to rebuild policycoreutils while disabling Portage' selinux
+The solution is to rebuild policycoreutils while disabling Portage's selinux
support, then label the installed files manually using <span class="code" dir="ltr">chcon</span>, based on
the feedback received from <span class="code" dir="ltr">matchpathcon</span>.
</p>
@@ -679,7 +667,7 @@ the feedback received from <span class="code" dir="ltr">matchpathcon</span>.
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">FEATURES="-selinux" emerge --oneshot policycoreutils</span>
# <span class="code-input">for FILE in $(qlist policycoreutils); do \
-CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done</span>
+CONTEXT=$(matchpathcon -n ${FILE}); chcon ${CONTEXT} ${FILE}; done</span>
</pre></td></tr>
</table>
<p>
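Review bot: the added semicolon is the right fix (without it `CONTEXT=...` was only an environment assignment for `chcon`, so `${CONTEXT}` expanded to nothing and `chcon` was called with the file path as its context argument). While touching this line, quote the expansions, `chcon "${CONTEXT}" "${FILE}"`, so a path or context containing whitespace cannot split into extra arguments; this loop runs as root against every file `qlist policycoreutils` reports, so a mislabel here is costly to undo.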
@@ -699,8 +687,8 @@ file system mounted with <span class="code" dir="ltr">nosuid</span>.
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 13, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 25, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
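Review bot: this is a regression: the Print link changes from `selinux-faq.xml?style=printable` to `pebenito@gentoo.org?style=printable`, i.e. the author's e-mail address is being substituted where the document name belongs. The same defect appears in the new selinux-bugreporting.html preview (`swift?style=printable`), so the cause is most likely in how the previews are generated rather than in this one file; fix the generator and regenerate both, and check the rest of the regenerated previews for the same substitution. The "Updated October 25, 2011" date is also earlier than the other previews in this commit; confirm it reflects the FAQ source's own date.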
diff --git a/html/selinux/hb-using-enforcing.html b/html/selinux/hb-using-enforcing.html
deleted file mode 100644
index eb5d08a..0000000
--- a/html/selinux/hb-using-enforcing.html
+++ /dev/null
@@ -1,205 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Switching to Enforcing Mode</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-Switching to enforcing mode doesn't require all policies to be fully
-operational, nor does it require that the system boots in enforcing mode. You
-can first start small by enabling enforcing mode the moment your system is
-booted, then enable enforcing during boot (but with the possibility to disable
-it again when some things fail) and finally reconfigure your kernel so that
-disabling SELinux isn't possible anymore.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Booting, Switch</a></p>
-<p>
-To boot your system before enabling enforcing mode, just boot as you do
-currently. Then, when you believe that you can run your system in enforcing
-mode, run <span class="code" dir="ltr">setenforce 1</span>.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling enforcing mode</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">setenforce 1</span>
-</pre></td></tr>
-</table>
-<p>
-It is wise to ensure that you have booted the system but not logged in anywhere
-except as the root user. Also verify that the session you're currently in (as
-root) uses the <span class="code" dir="ltr">root:sysadm_r:sysadm_t</span> or
-<span class="code" dir="ltr">unconfined_u:unconfined_r:unconfined_t</span> context (otherwise trying to
-disable enforcing mode might not work).
-</p>
-<p>
-When you realize that things are going very, very wrong, disable SELinux using
-<span class="code" dir="ltr">setenforce 0</span> and try to resolve the failures.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Booting in Enforcing Mode (Once)</a></p>
-<p>
-When you want to boot in enforcing mode, but you don't want to configure SELinux
-(yet) to run always in enforcing mode (say you want to try it once), add
-<span class="code" dir="ltr">enforcing=1</span> as a boot option inside the boot loader configuration.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample GRUB configuration to boot in enforcing mode</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-kernel /vmlinuz root=/dev/md3 rootflags=data=journal <span class="code-input">enforcing=1</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Booting in Enforcing Mode</a></p>
-<p>
-Once you believe that you can always (re)boot in enforcing mode, edit
-<span class="path" dir="ltr">/etc/selinux/config</span> and change <span class="code" dir="ltr">SELINUX=permissive</span> to
-<span class="code" dir="ltr">SELINUX=enforcing</span>.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Reconfiguring the Kernel</a></p>
-<p>
-Once you are fully confident that you can always and ever remain in enforcing
-mode, reconfigure your kernel so that SELinux cannot be disabled anymore.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Reconfiguring the Linux kernel</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-[*] NSA SELinux Support
-[ ] NSA SELinux boot parameter
-[ ] NSA SELinux runtime disable
-<span class="code-comment"># Make sure the following is deselected</span>
-<span class="code-input">[ ] NSA SELinux Development Support</span>
-[ ] NSA SELinux AVC Statistics
-(1) NSA SELinux checkreqprot default value
-[ ] NSA SELinux maximum supported policy format version
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Analyzing AVC</p>
-<p class="secthead"><a name="doc_chap1_sect1">Intrusion or Not</a></p>
-<p>
-Once you are running in enforcing mode, the role of the
-<span class="path" dir="ltr">/var/log/avc.log</span> logfile starts changing. Whereas it was previously
-used to inform you about denials which might cause functional failures on your
-system, it is now more and more becoming a source of information for the
-behavior of applications - and sometimes, the unexpected behavior of it.
-</p>
-<p>
-Being able to read the AVC logs is important, because in the (near) future you
-should use the AVC logs to identify potential intrusion attempts. Say that you
-are running an Internet-facing web server which is contained within its own
-SELinux domain. Suddenly you start getting weird AVC denials of that SELinux
-domain trying to read files it really shouldn't read, or write stuff in some
-temporary location it shouldn't write anything into. This can be a totally
-expected behavior, but can also be a malicious user that is attempting to run
-some exploit code against your web server.
-</p>
-<p>
-Interpreting the AVC logs can be considered a time-consuming job if you are
-still getting lots of cosmetic (and safe) AVC denials. So let's first see if we
-can ignore those...
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Ignoring Cosmetic AVC Events</a></p>
-<p>
-When you get AVC denials which you believe are harmless for your system, you can
-create a policy module yourself which contains the exact AVC rule, but using the
-<span class="emphasis">dontaudit</span> statement rather than <span class="emphasis">allow</span>.
-</p>
-<p>
-Consider the following AVC denial:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample harmless AVC denial</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Jan 6 19:49:25 hpl kernel: [10482.016339] type=1400 audit(1294339765.865:1527):
-avc: denied { use } for pid=19421 comm="ifconfig" path="http://www.gentoo.org/dev/null" dev=tmpfs
-ino=1552 scontext=system_u:system_r:ifconfig_t
-tcontext=system_u:system_r:wpa_cli_t tclass=fd
-</pre></td></tr>
-</table>
-<p>
-The denial states that the <span class="code" dir="ltr">ifconfig</span> process is trying to use a file
-descriptor within the wpa_cli_t domain. The target file descriptor points to
-<span class="path" dir="ltr">/dev/null</span>. This usually means that the <span class="code" dir="ltr">ifconfig</span> process is
-started from within the wpa_cli_t domain with <span class="code" dir="ltr">&gt; /dev/null</span> to redirect
-its output to the <span class="path" dir="ltr">/dev/null</span> device. Although it is denied (so no output
-will be redirected to <span class="path" dir="ltr">/dev/null</span>) it has no functional impact on the
-system as the intention was to ignore the output anyhow.
-</p>
-<p>
-So how can we ensure that this rule doesn't fill up our AVC logs? Well, we need
-to create a module (like we have seen before in <span title="Link to other book part not available"><font color="#404080">(Creating Specific Allow Rules)</font></span>):
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Creating a module to ignore these AVC denials</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cat ignoreavc.te</span>
-module ignoreavc 1.0.0;
-
-require {
- type ifconfig_t;
- type wpa_cli_t;
-
- class fd use;
-}
-
-dontaudit ifconfig_t wpa_cli_t:fd { use };
-
-~$ <span class="code-input">checkmodule -m -o ignoreavc.mod ignoreavc.te</span>
-~$ <span class="code-input">semodule_package -o ignoreavc.pp -m ignoreavc.mod</span>
-~$ <span class="code-input">semodule -i ignoreavc.pp</span>
-</pre></td></tr>
-</table>
-<p>
-Once this module is loaded, you should no longer see these denials in your log.
-However, if you ever feel that you might have <span class="emphasis">dontaudit</span>'ed too many
-things, you can always reload the SELinux policies without the dontaudit
-statements:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Reloading the SELinux policies without dontaudit</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semodule -R -D</span>
-</pre></td></tr>
-</table>
-<p>
-If you are confident to continue with the dontaudit statements again, run the
-same command without the <span class="code" dir="ltr">-D</span>.
-</p>
-<p>
-Gentoo Hardened uses a specific boolean called <span class="code" dir="ltr">gentoo_try_dontaudit</span> to
-show or hide the denials that the developers believe are cosmetic. Thanks to
-this approach, you can first disable the Gentoo-selected dontaudit statements
-before showing all of them - which can be quite a lot more.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated March 2, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
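Review bot: The deleted preview still shows the generator defects that should be confirmed fixed before a regenerated replacement is committed: every chapter is numbered "1." (`<span class="chapnum">1.` precedes both "Switching to Enforcing Mode" and "Analyzing AVC"), every listing is "Code Listing1.1", every section shares the anchor `doc_chap1_sect1` and every listing the anchor `doc_chap1_pre1`, so in-page links cannot resolve, and absolute filesystem paths are rewritten into URLs (`path="http://www.gentoo.org/dev/null"` in the sample AVC denial, while the explanation below it correctly speaks of `/dev/null`). Separately, the removed content is the handbook's security-relevant guidance and this hunk offers no replacement for it: the kernel options to deselect so SELinux cannot be switched off (`NSA SELinux boot parameter`, `NSA SELinux runtime disable`, `NSA SELinux Development Support`), the `setenforce 0` fallback with its caveat that the root session must be in `root:sysadm_r:sysadm_t` or `unconfined_u:unconfined_r:unconfined_t`, the `dontaudit` module example with `semodule -R -D` to reload the policy without dontaudit rules, and the `gentoo_try_dontaudit` boolean. If these sections move to another page, the replacement preview should carry them verbatim; otherwise the hardening step of making enforcing mode irreversible is lost from the rendered handbook.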
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index 061fe7b..fb5eb85 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -87,19 +87,6 @@ tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=
tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=system_u:object_r:tmp_t:s0</span> 0 0
</pre></td></tr>
</table>
-<p class="secthead"><a name="doc_chap1_sect1">Enabling ~Arch Packages</a></p>
-<p>
-The current stable SELinux related packages are not fit for use anymore (or are
-even broken) so we seriously recommend to enable ~arch packages for SELinux. Add
-the following settings to the right file (for instance
-<span class="path" dir="ltr">/etc/portage/package.accept_keywords/selinux</span>):
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: SELinux ~arch packages</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-=sys-process/vixie-cron-4.1-r11
-</pre></td></tr>
-</table>
<p class="secthead"><a name="doc_chap1_sect1">Change the Gentoo Profile</a></p>
<p>
Now that you have a running Gentoo Linux installation, switch the Gentoo profile
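Review bot: Dropping the "Enabling ~Arch Packages" section removes the only instruction to keyword `=sys-process/vixie-cron-4.1-r11` along with the statement that the stable SELinux-related packages are unfit or broken, and the hunk adds no replacement text, so a reader on stable proceeds straight to "Change the Gentoo Profile" with exactly the packages the removed paragraph warned against. Either keep a one-line note that the stable versions are now usable, or make sure the stabilization is reflected in the source that generates this page. Also, the surviving context line still carries the shared anchor `<a name="doc_chap1_sect1">` for "Change the Gentoo Profile", so the duplicated-anchor defect in the generated previews is not addressed by this change.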
@@ -613,7 +600,7 @@ With that done, enjoy - your first steps into the SELinux world are now made.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 18, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-using-permissive.html
deleted file mode 100644
index 4212a95..0000000
--- a/html/selinux/hb-using-permissive.html
+++ /dev/null
@@ -1,609 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Keeping Track of Denials</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
-<p>
-The moment you start using SELinux in permissive mode, SELinux will start
-logging all of its denials through your system logger. Based on this
-information, you can and will:
-</p>
-<ul>
- <li>
- see if certain domains are missing (for instance, commands are being ran
- inside a more standard domain whereas you would expect it to run within a
- more specific one) in which case you'll probably look for a SELinux policy
- module to introduce the specific domain,
- </li>
- <li>
- see if some files have wrong security contexts in which case you'll either
- restore their context or set it yourself,
- </li>
- <li>
- see if some denials are made which you don't expect in which case you'll
- find out why the denial is made and what the original policy writer intended
- (a prime example would be a website hosted in the wrong location in the file
- system)
- </li>
-</ul>
-<p>
-Of course, several other aspects can be performed the moment you analyze the
-denial messages, but the above ones are the most common.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Configuring System Logger</a></p>
-<p>
-Before we start investigating denials, let's first configure the system logger
-to log the denials in its own log file. If you are running syslog-ng with a
-Gentoo Hardened profile, it will already be configured to log these denials in
-<span class="path" dir="ltr">/var/log/avc.log</span>:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: syslog-ng configuration</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-destination avc { file("http://www.gentoo.org/var/log/avc.log"); };
-[...]
-filter f_avc { message(".*avc: .*"); };
-filter f_audit { message("^(\\[.*\..*] |)audit.*") and not message(".*avc: .*"); };
-[...]
-log { source(kernsrc); filter(f_avc); destination(avc); };
-</pre></td></tr>
-</table>
-<p>
-If you use a different logger, look for the configuration of the kernel audit
-events. Throughout the rest of this document, we assume that the log where the
-denials are logged in is <span class="path" dir="ltr">/var/log/avc.log</span>.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">What is AVC?</a></p>
-<p>
-When we previously showed a few of SELinux' policy allow rules, what you were
-actually looking at was an <span class="emphasis">access vector</span> rule. For instance:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example access vector rule</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-allow sysadm_t portage_t : process transition ;
-</pre></td></tr>
-</table>
-<p>
-Up until now we have seen only the <span class="emphasis">allow</span> permission, but SELinux supports
-others as well:
-</p>
-<ul>
- <li>
- <span class="emphasis">auditallow</span> will allow an activity to occur, but will still log it
- (but then with a "granted" message instead of "denied")
- </li>
- <li>
- <span class="emphasis">dontaudit</span> will not allow an activity to occur but will also not log
- this. This is particularly useful where the activity is not needed and would
- otherwise fill the <span class="path" dir="ltr">avc.log</span> file.
- </li>
-</ul>
-<p>
-To improve efficiency of the policy enforcement, SELinux uses a cache for its
-access vectors - the <span class="emphasis">access vector cache</span> or <span class="emphasis">AVC</span>. Whenever some
-access is requested which isn't in the cache yet, it is first loaded in the
-cache from which the allow/deny is triggered. Hence the "avc" messages and the
-<span class="path" dir="ltr">avc.log</span> log file.
-</p>
-<p class="secthead"><a name="avclog"></a><a name="doc_chap1_sect1">Looking at the AVC Log</a></p>
-<p>
-During regular system operations, you can keep track of the denials through a
-simple <span class="code" dir="ltr">tail</span> session:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Looking at the avc logs</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">tail -f /var/log/avc.log</span>
-Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400 audit(1293872219.247:156):
- avc: denied { setattr } for pid=7419 comm="gorg" name="selinux-handbook.xml" dev=dm-3 ino=159061
- scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file
-Jan 1 10:08:52 hpl kernel: [ 2944.664577] type=1400 audit(1293872932.907:157):
- avc: denied { use } for pid=9917 comm="ifconfig" path="http://www.gentoo.org/dev/null" dev=tmpfs ino=1546
- scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:wpa_cli_t tclass=fd
-Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158):
- avc: denied { create } for pid=10016 comm="logger"
- scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket
-</pre></td></tr>
-</table>
-<p>
-But how do you interprete such messages? Well, let's take a closer look at the
-first denial from the example.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample denial message</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">[ Standard data within log message, such as date, time, hostname, ... ]</span>
-Jan 1 09:56:59 hpl kernel: [ 2232.354810] type=1400
-<span class="code-comment">[ The message is an AVC audit message, telling a deny for the setattr system call ]</span>
- audit(1293872219.247:156): avc: denied { setattr }
-<span class="code-comment">[ The offending process has PID 7419 and is named "gorg" ]</span>
- for pid=7419 comm="gorg"
-<span class="code-comment">[ The target for the system call is a file named "selinux-handbook.xml"
- on the dm-3 device; the file has inode 159061 ]</span>
- name="selinux-handbook.xml" dev=dm-3 ino=159061
-<span class="code-comment">[ The source and target security contexts and the class of the target (in this case, a file) ]</span>
- scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:var_t tclass=file
-</pre></td></tr>
-</table>
-<p>
-A similar one can be found of the last line in the example.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Another sample denial message</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Jan 1 10:08:53 hpl kernel: [ 2945.504956] type=1400 audit(1293872933.749:158):
- avc: denied { create } for pid=10016 comm="logger"
- scontext=system_u:system_r:wpa_cli_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_stream_socket
-</pre></td></tr>
-</table>
-<p>
-In this particular case, the offending process is <span class="code" dir="ltr">logger</span> (with PID 10016)
-which is trying to create a Unix stream socket (see the <span class="emphasis">tclass</span>
-information).
-</p>
-<p>
-Note though that not all AVC messages imply denials. Some accesses recorded by
-the access vector cache are grants but which have an explicit <span class="emphasis">auditallow</span>
-statement so that this can be tracked in the logs.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Analyzing Denials</p>
-<p class="secthead"><a name="doc_chap1_sect1">A Standard Setup Might Not Work</a></p>
-<p>
-If you have taken a look at your denials, you'll probably think "If I'm going to
-go to enforcing mode, my system will not function properly" and you might be
-right. At this point, Gentoo Hardened is constantly updating the SELinux
-policies to get you a working system - but we're not fully there yet. For this
-reason, being able to analyze the denials (and take corrective actions) is
-very important.
-</p>
-<p>
-It is not easy to describe what the best option is when you see a denial which
-shouldn't be. But a few ground-rules do apply.
-</p>
-<ul>
- <li>
- Verify if the denial is cosmetic or not. Try focusing on denials of which
- you are <span class="emphasis">sure</span> that they are not cosmetic and will result in a
- malfunction of your system (or that particular command) if no corrective
- action is taken.
- </li>
- <li>
- If you see a denial where the source context is a generic one (such as
- <span class="emphasis">sysadm_t</span> or <span class="emphasis">staff_t</span> or <span class="emphasis">user_t</span>), try to find out if
- there are specific SELinux policy modules for the offending resource. In the
- previous example of the <span class="code" dir="ltr">gorg</span> process, we definitely need to check if
- there is no selinux-gorg SELinux policy. Note that, even if there is none,
- it doesn't mean there shouldn't be ;-)
- </li>
- <li>
- If the target for the denial is a file, verify if its security context is
- correct or if no different context should be given. It is also possible that
- the process is trying to work on the wrong path. Sometimes a simple
- configuration change of that process is sufficient to make it work properly
- under its SELinux policy.
- </li>
-</ul>
-<p>
-During development of the policies, Gentoo Hardened developers will try to
-hide denials they believe are cosmetic. This hiding can be toggled using the
-SELinux <span class="code" dir="ltr">gentoo_try_dontaudit</span> boolean:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting and setting Gentoo's gentoo_try_dontaudit boolean</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">getsebool gentoo_try_dontaudit</span>
-gentoo_try_dontaudit --&gt; off
-~# <span class="code-input">setsebool -P gentoo_try_dontaudit on</span>
-</pre></td></tr>
-</table>
-<p>
-When set, the denials that are believed to be cosmetic are hidden from your
-audit logs. But if your system is not functioning properly and you do not see
-any denials, it is wise to toggle this boolean again to verify if the denial
-is now shown or not.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Installing Additional SELinux Policy Modules</a></p>
-<p>
-When a denial is found for which you think a SELinux policy module should
-exist, find out which package provides the offending resource and verify if
-Gentoo offers a SELinux policy for that package. If it does, install it and
-relabel the files of the package.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Finding Gentoo SELinux packages</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">tail -f /var/log/avc.log</span>
-Jan 1 09:42:37 hpl kernel: [ 1372.708172] type=1400 audit(1293871357.972:76):
- avc: denied { search } for pid=6937 comm="screen" name="selinux" dev=dm-0
- ino=1053303 scontext=staff_u:staff_r:staff_t
- tcontext=staff_u:object_r:user_home_t tclass=dir
-
-~# <span class="code-input">whereis screen</span>
-screen: /usr/bin/screen
-
-~# <span class="code-input">qfile /usr/bin/screen</span>
-app-misc/screen (/usr/bin/screen)
-
-~# <span class="code-input">emerge --search selinux-screen</span>
-Searching...
-[ Results for search key : selinux-screen ]
-[ Applications found : 1 ]
-
-* sec-policy/selinux-screen
- Latest version available: 2.20110726
- Latest version installed: 2.20110726
- Size of files: 574 kB
- Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
- Description: SELinux policy for screen
- License: GPL-2
-
-~# <span class="code-input">emerge selinux-screen</span>
-[...]
-
-~# <span class="code-input">rlpkg screen</span>
-Relabeling: app-misc/screen-4.0.3
-</pre></td></tr>
-</table>
-<p>
-If you believe a SELinux policy module should exist but you cannot find one,
-then you can either download the reference policy tarball (which you might find
-in your <span class="path" dir="ltr">distfiles</span> directory - it is called
-<span class="path" dir="ltr">refpolicy-2.YYYYMMDD.tar.bz2</span>) and see if there are already modules
-available (look inside the <span class="path" dir="ltr">refpolicy/policy/modules</span> location) or
-ask around on #gentoo-hardened on irc.freenode.net.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Updating the Security Contexts of Files</a></p>
-<p>
-The most common case of denials when the necessary policies are in place are
-wrongly labeled files or directories (in other words, the security context of
-the target file or directory is not what the policy would expect). This can be
-either because the file has not been (re)labeled after the policy has been
-loaded or because the label has for some reason changed (case 1) or because
-the path of the file is not in accordance to the file context specifications
-in the SELinux module (case 2).
-</p>
-<p>
-The first possibility (security context correct in policy, but not applied) can
-be easily fixed using the <span class="code" dir="ltr">restorecon</span> command. You can apply it against a
-single file, or run it recursively using the <span class="code" dir="ltr">-R</span> option.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running restorecon to restore a security context</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">restorecon /etc/make.conf</span>
-</pre></td></tr>
-</table>
-<p>
-If the file context definition in the policy however doesn't apply to the file
-(or directory), you can still tell your system to label the file or directory
-accordingly. For instance, say you have your <span class="path" dir="ltr">lvm.conf</span> file inside
-<span class="path" dir="ltr">/etc</span> rather than <span class="path" dir="ltr">/etc/lvm</span> as the policy would expect,
-then you can still label the file correctly using <span class="code" dir="ltr">semanage</span>. With
-<span class="code" dir="ltr">semanage</span>, you assign a correct security context unrelated to any
-module. It is a local setting - but which is persistent across reboots and
-relabelling activities.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Setting a new file context using semanage</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semanage fcontext -a -t lvm_etc_t /etc/lvm.conf</span>
-~# <span class="code-input">restorecon /etc/lvm.conf</span>
-</pre></td></tr>
-</table>
-<p>
-If you want to make such a definition part of a module you're writing, you will
-need to create a file context file which contains the definition(s) for the
-files whose context you want to set. Writing policy modules is described later
-in this book in <span title="Link to other book part not available"><font color="#404080">(Adding SELinux Policy
-Modules)</font></span>.
-</p>
-<p class="secthead"><a name="create_module"></a><a name="doc_chap1_sect1">Creating Specific Allow Rules</a></p>
-<p>
-If a denial isn't resolved through an available SELinux policy module or a
-corrective action taken against the target file or directory, or there
-is no such module available, then you might opt to create your own policy. If
-your goal is to allow a specific set of rules (rather than to write a
-full-fledged SELinux policy module) then you can use the <span class="code" dir="ltr">audit2allow</span> tool
-to generate a policy based on the denial logs.
-</p>
-<p>
-With <span class="code" dir="ltr">audit2allow</span>, you can transform an AVC denial message into a SELinux
-policy module definition. This can then be compiled into a binary policy module
-and finally packaged into an easily (re)loadable SELinux policy module. It is
-recommended to keep the (raw) AVC logs that you use to build the SELinux policy
-module as this will allow you to continuously update the module when new denials
-occur.
-</p>
-<p>
-For instance, to allow some <span class="code" dir="ltr">sudo</span>-related denials, you can do the
-following steps...
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Generating, building and inserting a SELinux policy</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-<span class="code-comment">[ We append the AVC messages to the sudo.raw file so that, in the future, we can
- add additional denial messages inside the same raw file which will be used to
- build a new SELinux policy module ]</span>
-~# <span class="code-input">grep 'comm="sudo"' /var/log/avc.log &gt;&gt; sudo.raw</span>
-
-<span class="code-comment">[ We generate a module definition called 'fixsudo' based on the captured AVC denials ]</span>
-~# <span class="code-input">cat sudo.raw | audit2allow -m fixsudo &gt; fixsudo.te</span>
-
-<span class="code-comment">[ Next we build the SELinux module ]</span>
-~# <span class="code-input">checkmodule -m -o fixsudo.mod fixsudo.te</span>
-~# <span class="code-input">semodule_package -o fixsudo.pp -m fixsudo.mod</span>
-</pre></td></tr>
-</table>
-<p>
-The generated policy module (with the <span class="path" dir="ltr">.pp</span> suffix) can then be
-dynamically loaded into the SELinux policy store:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Loading the generated module</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semodule -i fixsudo.pp</span>
-</pre></td></tr>
-</table>
-<p>
-The module definition (in our example called <span class="path" dir="ltr">fixsudo.te</span>) can be
-modified as you please - it's content is standard ASCII, human readable.
-</p>
-<p>
-Not all denials that you might get are bugs in the default security policy.
-It is very probable that you use your system in a slightly different way than
-intended within the Gentoo Hardened SELinux default policy. However, if you
-believe that you had to change your runtime policy due to a bug in the
-current policy, please report it on <a href="https://bugs.gentoo.org">Bugzilla</a> so that the Gentoo Hardened
-SELinux developers can take a look at it. Also, don't hesitate to contact
-the Gentoo Hardened SELinux developers if you are uncertain about things.
-</p>
-<p>
-They don't bite. They get fed regularly so they don't have to.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Working with SELinux</p>
-<p class="secthead"><a name="doc_chap1_sect1">Loading and Unloading of Modules</a></p>
-<p>
-We have already crossed SELinux modules quite a few times. You even saw that, in
-order to load a module, you can use <span class="code" dir="ltr">semodule -i modulename.pp</span>. The
-<span class="code" dir="ltr">semodule</span> command offers the following functions:
-</p>
-<ul>
- <li>
- With <span class="code" dir="ltr">semodule -i modulename.pp</span> you (re)install a module (or install
- a higher version of said module)
- </li>
- <li>
- With <span class="code" dir="ltr">semodule -u modulename.pp</span> you upgrade an existing installed
- module with a new version of this module
- </li>
- <li>
- With <span class="code" dir="ltr">semodule -r modulename.pp</span> you remove a module from the SELinux
- policy store. It will not be reloaded, not even after a reboot.
- </li>
- <li>
- With <span class="code" dir="ltr">semodule -R</span> you reload the policies. An interesting feature here
- is that you can add <span class="code" dir="ltr">-D</span> which will <span class="emphasis">disable</span> the <span class="emphasis">dontaudit</span>
- rules from the policy. This can be useful, especially later in enforcing
- mode, to find out why something is failing even though you get no denials.
- </li>
- <li>
- With <span class="code" dir="ltr">semodule -B</span> you force a rebuild of the policy (which includes by
- default a reload of the policy as well). Amongst some other things, such a
- rebuild will read up on the existing users' and their home directories and
- create the associated domains.
- </li>
-</ul>
-<p class="secthead"><a name="doc_chap1_sect1">Listing Modules</a></p>
-<p>
-With the <span class="code" dir="ltr">semodule -l</span> command you can get an overview of the installed
-modules, together with their current version. When you have issues with SELinux
-policies and are trying to get online help on the matter, knowing the version of
-the particular module is important to help you troubleshoot problems.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Listing the installed modules</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">semodule -l</span>
-dbus 1.14.0
-dnsmasq 1.9.0
-hal 1.13.0
-[...]
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap1_sect1">Switching Roles</a></p>
-<p>
-When you are working with a SELinux system, your default users will be using the
-user_u SELinux login (and as such the user_r SELinux role) so they will not need
-to perform any role switching: there are no other roles they can switch to.
-</p>
-<p>
-Accounts that you use to perform more administrative tasks however are most
-likely mapped to the staff_u SELinux login or have their own login but with the
-same roles supported: staff_r and sysadm_r. These accounts should by default
-start within the staff_r role. Although still restricted, it has more
-possibilities (with respect to supported target domains to transition to)
-than the user_r role.
-</p>
-<p>
-The major difference however is that these users will also have to switch roles
-from time to time. For instance, if you want to use Portage - even just for
-querying the tree - you will need to be in the sysadm_r role. To switch roles,
-use the <span class="code" dir="ltr">newrole</span> command:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching roles</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">newrole -r sysadm_r</span>
-Password: <span class="code-comment">(Enter your personal password)</span>
-~$
-</pre></td></tr>
-</table>
-<p>
-With <span class="code" dir="ltr">id -Z</span> you can verify that you have indeed successfully switched
-roles.
-</p>
-<p>
-Now how do you know that you need to switch roles? Generally, you will get a
-<span class="emphasis">Permission denied</span> statement on one or more files:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Getting to know when to switch roles</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">emerge --info</span>
-Permission denied: '/etc/make.conf'
-</pre></td></tr>
-</table>
-<p>
-You might not be able, from within your current role, to find out if switching
-roles is sufficient to gain read access. Within your current role, you might not
-be able to get to view the current security context or query the SELinux AV
-rules. But if you switch to the sysadm_r role and run the necessary queries, you
-might get the information you need:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Verifying read access against the /etc/make.conf file</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">id -Z</span>
-staff_u:staff_r:staff_t
-~$ <span class="code-input">newrole -r sysadm_r</span>
-Password: <span class="code-comment">(Enter your personal password)</span>
-~$ <span class="code-input">id -Z</span>
-staff_u:sysadm_r:sysadm_t
-~$ <span class="code-input">ls -Z /etc/make.conf</span>
-system_u:object_r:portage_conf_t /etc/make.conf
-~$ <span class="code-input">sesearch -t portage_conf_t -c file -p read -A -d</span>
-Found 8 semantic av rules:
- allow portage_t portage_conf_t : file { ioctl read getattr lock execute execute_no_trans open } ;
- <span class="code-comment"># This is the one we are looking for</span>
- allow sysadm_t portage_conf_t : file { ioctl read write ... } ;
- allow portage_fetch_t portage_conf_t : file { ioctl read getattr lock open } ;
- allow restorecond_t portage_conf_t : file { ioctl read getattr lock relabelfrom relabelto open } ;
- allow gcc_config_t portage_conf_t : file { ioctl read getattr lock open } ;
- allow portage_sandbox_t portage_conf_t : file { ioctl read getattr lock open } ;
- allow rsync_t portage_conf_t : file { ioctl read getattr lock open } ;
- allow mount_t portage_conf_t : file { ioctl read getattr lock open } ;
-</pre></td></tr>
-</table>
-<p>
-As you can see, the sysadm_t domain (which is affiliated with the sysadm_r role)
-has the necessary read access, whereas there is no sign of any read access for
-the staff_t domain.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Using File Labels</a></p>
-<p>
-During regular system usage, you will get into situations where you need to set
-file labels (security contexts). We have already covered the use of
-<span class="code" dir="ltr">semanage</span> and <span class="code" dir="ltr">restorecon</span> to do so, but a few other methods exist as
-well, each of them for specific purposes...
-</p>
-<p>
-With <span class="code" dir="ltr">chcon</span> users (and not only administrators) can relabel files (if they
-have the necessary privileges to do so) to the type they want. As an example,
-consider the domains and rules for the Mozilla applications (such as firefox).
-By default, this domain has no ability to create new files in the user home
-directory. However, a specific domain has been created (mozilla_home_t) in which
-the application can create files. By creating a folder (say
-<span class="path" dir="ltr">Downloads</span>) and relabeling it correctly, the application is able to
-create new files inside this location.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling a directory</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">ls -Zd ~/Downloads</span>
-staff_u:object_r:user_home_t Downloads/
-~$ <span class="code-input">chcon -t mozilla_home_t ~/Downloads</span>
-~$ <span class="code-input">ls -Zd ~/Downloads</span>
-staff_u:object_r:mozilla_home_t
-</pre></td></tr>
-</table>
-<p>
-It is important to understand that relabeling is a specific privilege which is
-also governed by SELinux policies (the staff_t domain has this privilege on the
-user_home_t domain). Also, the target domain (mozilla_home_t) is still
-manageable by the staff_t domain (including relabeling) so that the relabeling
-activity doesn't lower the privileges that staff_t has on this folder. This
-isn't always the case, so be careful when you relabel.
-</p>
-<p>
-Relabelling files is governed by the relabelfrom and relabelto privileges.
-Consider the following two hypothetical rules:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling rules</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-allow staff_t foo_t : dir { relabelfrom relabelto };
-allow staff_t bar_t : dir { relabelto };
-</pre></td></tr>
-</table>
-<p>
-In the first rule, the staff_t domain has the ability to relabel directories
-that are currently in the foo_t domain (relabelfrom) and to relabel directories
-to the foo_t domain (if their source domain has a correct relabelfrom
-privilege). In the second rule, the staff_t domain is only able to relabel
-directories to the bar_t domain. However, once a directory has the bar_t domain,
-the staff_t domain has no ability to relabel it to something else (no
-relabelfrom privilege).
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Relabelling Gentoo Package Content</a></p>
-<p>
-As a last section let's talk about Gentoo support for relabeling files. By
-default, Portage will relabel all files of a package once it is installed. This
-is governed by the FEATURES="selinux" setting which is enabled when you select
-the selinux profiles. An administrator can also relabel the contents of a
-package using the (Gentoo-specific) <span class="code" dir="ltr">rlpkg</span> command (installed through
-the policycoreutils package):
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling the files and directories of a package</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">rlpkg net-tools</span>
-Relabeling: sys-apps/net-tools-1.60_p20090728014017-r1
-</pre></td></tr>
-</table>
-<p>
-The same tool can be used to relabel the entire system:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Relabelling the entire (file) system</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~# <span class="code-input">rlpkg -a -r</span>
-</pre></td></tr>
-</table>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
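Review bot: this hunk deletes the entire remaining body of the permissive-mode handbook page (down to the closing `</html>`) rather than editing it, and with it the operational guidance on `semodule` (`-i`, `-u`, `-r`, `-R -D` to disable dontaudit rules, `-B`), `newrole` role switching, `chcon` relabeling with the relabelfrom/relabelto rules, and `rlpkg`; before merging, confirm that this material has been carried over to a replacement page and that inbound links to the removed anchors (`doc_chap1`, `doc_chap1_sect1`, `doc_chap1_pre1`) are updated, otherwise readers lose the `audit2allow` workflow together with the advice to keep the raw AVC logs and to report suspected policy bugs instead of silently allowing every denial. Separately, the deleted markup shows every code listing titled "Code Listing1.1" and every listing anchor named `doc_chap1_pre1`, so the preview generator's chapter/listing numbering is broken; if these pages are regenerated instead of dropped, that numbering should be fixed so the anchors are unique.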
diff --git a/html/selinux/hb-using-policymodules.html b/html/selinux/hb-using-policymodules.html
deleted file mode 100644
index 9a098cc..0000000
--- a/html/selinux/hb-using-policymodules.html
+++ /dev/null
@@ -1,541 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
-<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
-<title>Gentoo Linux Handbook Page
---
- </title>
-</head>
-<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
-<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
-<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
-<td width="99%" class="content" valign="top" align="left">
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Writing Simple Policies</p>
-<p class="secthead"><a name="doc_chap1_sect1">Writing a TE File</a></p>
-<p>
-Let us summarize our previous experiences with writing simple policies. We have
-already covered how to write a <span class="path" dir="ltr">.te</span> file and convert it to a
-loadable SELinux module. Let's go over this once again with a simple example:
-allowing execmem for the mozilla_t domain.
-</p>
-<p>
-When using the <span class="path" dir="ltr">selinux-mozilla</span> provided SELinux module, you might
-still get a failure if you are using the 32-bit binary firefox package
-(<span class="path" dir="ltr">www-client/firefox-bin</span>) and if you do not allow memexec (see the
-<span class="code" dir="ltr">allow_memexec</span> boolean). You will probably find an AVC denial telling you
-this exact same thing. If you want to allow just mozilla_t to run execmem, you
-can write the following <span class="path" dir="ltr">fixmozilla.te</span> module:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Content of fixmozilla.te</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-module fixmozilla 1.0.0;
-
-require {
- type mozilla_t;
- class process execmem;
-}
-
-allow mozilla_t self:process { execmem };
-</pre></td></tr>
-</table>
-<p>
-This simple policy sais that the module is called <span class="emphasis">fixmozilla</span> with module
-version <span class="emphasis">1.0.0</span> (it is wise to update this version every time you update
-the content of the module so that you can quickly verify with <span class="code" dir="ltr">semodule -l</span>
-if the new version is loaded or not). It requires the <span class="emphasis">mozilla_t</span> domain
-(if <span class="path" dir="ltr">sec-policy/selinux-mozilla</span> isn't installed, loading of this
-policy will fail as it will not find the mozilla_t domain) and the
-<span class="emphasis">process</span> class with the <span class="emphasis">execmem</span> operation. The policy itself
-(the AVC statement) is to allow the mozilla_t domain to use execmem on its
-own processes.
-</p>
-<p>
-To convert this source into a loadable policy, we first convert it into a
-<span class="path" dir="ltr">.mod</span> file:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Converting a .te file to a .mod file</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">checkmodule -m -o fixmozilla.mod fixmozilla.te</span>
-</pre></td></tr>
-</table>
-<p>
-In this particular command, we create a non-base (<span class="code" dir="ltr">-m</span>) module file
-(<span class="path" dir="ltr">fixmozilla.mod</span>) which contains the statements offered by the
-<span class="path" dir="ltr">fixmozilla.te</span> file. If you are running an MLS/MCS system you will
-need to add the <span class="code" dir="ltr">-M</span> option.
-</p>
-<p>
-Next we package this module into a loadable SELinux module:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Packaging the .mod file to a loadable SELinux module</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">semodule_package -o fixmozilla.pp -m fixmozilla.mod</span>
-</pre></td></tr>
-</table>
-<p>
-This final module file (<span class="path" dir="ltr">fixmozilla.pp</span>) can then be loaded into the
-SELinux policy store using <span class="code" dir="ltr">semodule -i fixmozilla.pp</span>.
-</p>
-<p>
-Using this relatively simple method, you can create all the policy rules you
-want. However, you most likely want to add information on file labeling as
-well...
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Writing an FC File</a></p>
-<p>
-An FC file (<span class="emphasis">File Context</span>) contains the file labels (security contexts)
-that should be assigned to particular files. If you structure your modules
-correctly, you most likely have policies for particular programs, and you would
-like to label the program files and binaries accordingly. This is what the
-<span class="path" dir="ltr">.fc</span> files are for.
-</p>
-<p>
-Let's take a look at a sample .fc file which contains the various types of
-context definitions that are supported:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample .fc file</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-/var/.* gen_context(system_u:object_r:var_t)
-/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t)
-/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t)
-/vmlinuz.* -l gen_context(system_u:object_r:boot_t)
-/usr/bin/firefox -- gen_context(system_u:object_r:mozilla_exec_t)
-/tmp/\.ICE-unix/.* -s &lt;&lt;none&gt;&gt;
-/dev/initctl -p gen_context(system_u:object_r:initctl_t)
-/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t)
-</pre></td></tr>
-</table>
-<p>
-The first column (in every line) starts with a regular expression to match
-against a file's path. This is usually sufficient to match any possible file.
-SELinux does support some special variables like ROLE, HOME_DIR, HOME_ROOT and
-USER which are substituted with their corresponding values when the file context
-is (re)compiled (for instance when you add or delete SELinux users or rebuild
-the policy using <span class="code" dir="ltr">semodule</span>).
-</p>
-<p>
-The second column, if available, starts with a dash followed by the file type:
-<span class="code" dir="ltr">c</span>haracter device, <span class="code" dir="ltr">b</span>lock device, symbolic <span class="code" dir="ltr">l</span>ink,
-<span class="code" dir="ltr">s</span>ocket, <span class="code" dir="ltr">d</span>irectory, named <span class="code" dir="ltr">p</span>ipe or a regular file (<span class="code" dir="ltr">-</span>).
-</p>
-<p>
-The last column gives the security context (label) that should be assigned to
-the resource(s) that match the regular expression. You should always see the
-"standard three" (user, role, domain), but you might also see the security level
-and even category if MLS/MCS is used or supported by the module.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample file context with MLS/MCS support</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15,c0.c255)
-</pre></td></tr>
-</table>
-<p>
-You can write your own FC file. For instance, Gentoo adds the following
-definition to the <span class="path" dir="ltr">sec-policy/selinux-mozilla</span> package to support the
-binary firefox package:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example .fc content</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/opt/firefox/run-mozilla.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-</pre></td></tr>
-</table>
-<p>
-If you want to add such a file to your policy, add it during the
-<span class="code" dir="ltr">semodule_package</span> phase:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Adding file context information to a policy</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">semodule_package -o fixmozilla.pp -m fixmozilla.mod -f fixmozilla.fc</span>
-</pre></td></tr>
-</table>
-<p>
-Once this policy is loaded, you can use tools like <span class="code" dir="ltr">matchpathcon</span>,
-<span class="code" dir="ltr">restorecon</span> and more as they now know how to deal with the files you have
-mentioned in your file context file.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Building a Reference Policy Module</p>
-<p class="secthead"><a name="doc_chap1_sect1">Introduction to the Reference Policy</a></p>
-<p>
-Initially we have already covered the fact that Gentoo Hardened bases its
-policies on the reference policy maintained by Tresys. This reference policy
-offers an important additional functionality during module development:
-interfaces.
-</p>
-<p>
-By creating an interface, you actually create a function of some sort which can
-be used in other modules. Such interfaces allow module writers to generate rules
-to interact with the domain of their module without knowing what the other
-domains are. For instance, the mozilla module has an interface definition like
-so:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Example interface definition</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-interface(`mozilla_read_user_home_files',`
- gen_require(`
- type mozilla_home_t;
- ')
-
- allow $1 mozilla_home_t:dir list_dir_perms;
- allow $1 mozilla_home_t:file read_file_perms;
- allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
- userdom_search_user_home_dirs($1)
-')
-</pre></td></tr>
-</table>
-<p>
-This interface allows other modules to use the
-<span class="code" dir="ltr">mozilla_read_user_home_files</span> function if they want their domain to be
-able to (in this case) read the files in the mozilla_home_t domain. Of course,
-they can add all statements inside their own definition, but then they would
-have to require that the mozilla module is loaded, which might be a wrong
-assumption, and duplicate the same allow statements for each application.
-The use of interfaces makes policy development easier.
-</p>
-<p>
-Also, the reference policy allows the use of <span class="emphasis">optional</span> statements:
-a module can call an interface of another module, but this may not fail if
-the other module is not available on a users' system.
-</p>
-<p>
-For instance, in the evolution policy:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Extract from evolution.te</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-optional_policy(`
- mozilla_read_user_home_files(evolution_t)
- mozilla_domtrans(evolution_t)
-')
-</pre></td></tr>
-</table>
-<p>
-In this extract we see that the previously defined interface is called with
-argument evolution_t (the Evolution domain) within an <span class="code" dir="ltr">optional_policy</span>
-clause. As a result, building this policy will attempt to call this interface,
-but if the interface is missing (because the mozilla module isn't installed) it
-will not fail the build of the evolution module.
-</p>
-<p>
-Using the interfaces allows for a clean separation of the various modules.
-Within the reference policy, the following guidelines are used:
-</p>
-<ul>
- <li>
- Inside a <span class="path" dir="ltr">.te</span> file, the only domains that are allowed to be
- mentioned are those defined in the same <span class="path" dir="ltr">.te</span> file. Any
- interaction with other domains need to happen through interfaces offered by
- that domain.
- </li>
- <li>
- Inside an <span class="path" dir="ltr">.if</span> file, where the interfaces are defined, an XML
- like syntax is used to document each interface, allowing for developers to
- read easily what an interface is meant to do (because honestly, there are
- far more complex interfaces than the one we have previously shown)
- </li>
- <li>
- Distribution-specific aspects of modules should be enclosed within a
- <span class="code" dir="ltr">ifdef(`distro_gentoo',`...')</span> statement (example for Gentoo). This
- statement is supported in all three files (<span class="path" dir="ltr">.te</span>,
- <span class="path" dir="ltr">.if</span> and <span class="path" dir="ltr">.fc</span>).
- </li>
-</ul>
-<p class="secthead"><a name="doc_chap1_sect1">Building the Reference Policy Module</a></p>
-<p>
-If you want to build a module using the reference policy interfaces, you first
-need to create the <span class="path" dir="ltr">.te</span> file and, optionally (but most likely
-needed) <span class="path" dir="ltr">.if</span> and <span class="path" dir="ltr">.fc</span> file. It is wise to start from an
-example set of files for a similar application. If you want to or need to use
-interfaces of different modules, you can find the interfaces that are valid on
-your system inside <span class="path" dir="ltr">/usr/share/selinux/strict/include</span>.
-</p>
-<p>
-Once you want to build the module, copy the
-<span class="path" dir="ltr">/usr/share/selinux/strict/include/Makefile</span> file inside the
-directory where your policy definition(s) are stored. Then, call the <span class="code" dir="ltr">make</span>
-command to build the policy modules.
-</p>
-<p>
-The result should be one (or more) loadable SELinux modules.
-</p>
-<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Example: Start Building the Skype Policy</p>
-<p class="secthead"><a name="doc_chap1_sect1">Labelling</a></p>
-<p>
-Let's start to create a sample reference policy based SELinux module for the <span class="code" dir="ltr">skype</span>
-application. This application is a well-known application used to perform voice-
-and video chats across the Internet. We will not finish the module in this
-chapter (as the exercise will become a repetitive try-and-correct cycle which
-isn't the purpose to document here) but rather show an approach on how to deal
-with such policy building exercises.
-</p>
-<p>
-First get acquainted with the application.
-</p>
-<p>
-The usual way of interacting with <span class="code" dir="ltr">skype</span> is from an end-user point (not
-administrator). From interacting with it in permissive mode (or from a
-non-SELinux system) we know it creates a <span class="path" dir="ltr">~/.Skype</span> folder for its
-configuration, chat history and more.
-</p>
-<p>
-Given this above information, let's take a look at the content of the
-<span class="path" dir="ltr">net-im/skype</span> package:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Content of the skype package</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">qlist skype</span>
-<span class="code-comment">(Output shortened for clarity)</span>
-/usr/bin/skype
-/usr/share/... <span class="code-comment"># Unrelated to the application but used by distribution</span>
-/opt/skype/skype
-/opt/skype/sounds/...
-/opt/skype/lang/...
-/opt/skype/avatars/...
-</pre></td></tr>
-</table>
-<p>
-Given this information, we could create the following file context definition:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Sample file context for skype</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
-/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
-HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
-</pre></td></tr>
-</table>
-<p>
-We will not give the various skype files a specific label - they are all
-read-only files so can keep the default label assigned to them.
-</p>
-<p>
-Within the <span class="path" dir="ltr">skype.te</span> file, we define the necessary domains and
-also use the first interfaces which are often associated with this kind of
-domains (for reasoning you can read the sources for the apache module or
-other services). A sample module to base our definition from could be
-telepathy...
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Initial skype module definition</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-policy_module(skype, 1.0.0)
-
-type skype_t;
-type skype_exec_t;
-application_domain(skype_t, skype_exec_t)
-
-type skype_home_t;
-userdom_user_home_content(skype_home_t)
-
-# Allow skype_t to put files in the skype_home_t location(s)
-manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
-manage_files_pattern(skype_t, skype_home_t, skype_home_t)
-userdom_user_home_dir_filetrans(skype_t, skype_home_t, { dir file })
-userdom_search_user_home_dirs(skype_t)
-</pre></td></tr>
-</table>
-<p>
-Again, we're not going to cover the various interfaces and explain them. They
-are documented and available on the system, and there are plenty of examples to
-use.
-</p>
-<p>
-Finally, we are going to create an interface to allow users to transition to the
-skype_t domain. The idea here is that you add <span class="code" dir="ltr">skype_role(role, domain)</span> in
-the <span class="path" dir="ltr">.te</span> definition of the users' domain or within your own policy.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Defining the skype_role interface</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-interface(`skype_role',`
- gen_require(`
- type skype_t, skype_exec_t;
- ')
-
- role $1 types skype_t;
-
- domain_auto_trans($2, skype_exec_t, skype_t)
-')
-</pre></td></tr>
-</table>
-<p>
-Build the module and load it in the SELinux module store. Next, create a small
-policy to allow users (user_r, user_t) to access skype:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Adding access to skype for users</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">cat skypeusers.te</span>
-policy_module(skypeusers, 1.0.0)
-
-gen_require(`
- type user_t;
- role user_r;
- type staff_t;
- role staff_r;
-')
-
-optional_policy(`
- skype_role(user_r, user_t)
- skype_role(staff_r, staff_t)
-')
-</pre></td></tr>
-</table>
-<p>
-Build that module as well and load it. A regular SELinux user should now have
-the ability to execute skype_exec_t and transition to the skype_t domain.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Dry Run</a></p>
-<p>
-With the policy loaded, do a dry run. Relabel the files of the
-<span class="path" dir="ltr">net-im/skype</span> package (and if you have previously ran skype yourself,
-relabel the <span class="path" dir="ltr">~/.Skype</span> folder as well), then start <span class="code" dir="ltr">skype</span> and both
-watch skype's output as well as the AVC denials.
-</p>
-<p>
-We notice that the binary (skype) hangs and cannot be killed. In the AVC denial
-logs, we notice the following denials:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Shown denials while running skype</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-Jan 6 22:01:56 hpl kernel: [18418.420427] type=1400 audit(1294347716.358:2221):
-avc: denied { read write } for pid=25540 comm="skype" name="1" dev=devpts
-ino=4 scontext=staff_u:staff_r:skype_t tcontext=staff_u:object_r:user_devpts_t
-tclass=chr_file
-Jan 6 22:01:56 hpl kernel: [18418.420455] type=1400 audit(1294347716.358:2222):
-avc: denied { use } for pid=25540 comm="skype" path="http://www.gentoo.org/dev/pts/1" dev=devpts
-ino=4 scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:staff_t
-tclass=fd
-Jan 6 22:01:56 hpl kernel: [18418.420563] type=1400 audit(1294347716.358:2225):
-avc: denied { sigchld } for pid=6532 comm="bash"
-scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:staff_t tclass=process
-</pre></td></tr>
-</table>
-<p>
-Note that the attempt is done in enforcing mode - running in permissive mode
-will yield more AVC denials and is also a plausible way to create the necessary
-rules.
-</p>
-<p>
-From the denials, we see that skype attempts to use the pts in which the command
-is ran (notice that this fails because we didn't explicitly allow it) and also
-fails to exit properly (a sigchld signal isn't allowed to be submitted).
-</p>
-<p>
-By looking into the example policies already around, we notice that they have
-interfaces in use such as <span class="code" dir="ltr">userdom_use_user_terminals</span> as well as generic
-allowances such as <span class="code" dir="ltr">ps_process_pattern</span> (to allow users to view a process
-and kill it). This is a nice example of how a type enforcement MAC system works:
-nothing is assumed by default.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Next Dry Run</a></p>
-<p>
-So after adding some interfaces to allow the use of the user terminals, file
-descriptors and also allow process signals to be sent, we try to run the
-application again. Now, we get:
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Output of running the skype command</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">skype</span>
-Killed
-
-~$ <span class="code-input">cat /var/log/avc.log</span>
-Jan 6 22:27:41 hpl kernel: [19961.313321] type=1400
-audit(1294349261.991:9089017): avc: denied { execmem } for pid=27256
-comm="skype" scontext=staff_u:staff_r:skype_t tcontext=staff_u:staff_r:skype_t
-tclass=process
-</pre></td></tr>
-</table>
-<p>
-At least <span class="code" dir="ltr">skype</span> now exits. From the AVC log, we see that it wants to call
-execmem (which isn't something we like, but have seen in the past for mozilla as
-well). Okay, let's allow this, rebuild the modules and retry.
-</p>
-<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Output of running the skype command again</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-~$ <span class="code-input">skype</span>
-./skype: error while loading shared libraries: libasound.so.2: cannot open
-shared object file: Permission denied
-
-~$ <span class="code-input">cat /var/log/avc.log</span>
-Jan 6 22:33:41 hpl kernel: [20319.960127] type=1400
-audit(1294349621.275:9089042): avc: denied { read } for pid=27536
-comm="skype" name="libasound.so.2" dev=dm-1 ino=525098
-scontext=staff_u:staff_r:skype_t tcontext=system_u:object_r:usr_t
-tclass=lnk_file
-</pre></td></tr>
-</table>
-<p>
-Okay, we need to grant it read rights to links within the usr_t domain (and most
-likely then load libraries from the lib_t domain, so we need to add
-<span class="code" dir="ltr">files_read_usr_symlinks</span> and <span class="code" dir="ltr">libs_use_ld_so</span>, etc.
-</p>
-<p class="secthead"><a name="doc_chap1_sect1">Finishing Up</a></p>
-<p>
-After running into the standard "can't start" issues, you'll notice that the
-application then wants to bind and connect to ports - which are also protected
-by SELinux and can be manipulated by various interfaces. It wants to access your
-soundcard and webcam, etc.
-</p>
-<p>
-As you can see from the above information, writing policies correctly isn't
-easy. You need to constantly keep in mind what you are allowing - aren't you
-granting too much? Are you forgetting something? Also, the first time(s) you
-create policies it will take lots of time, but over time you will grow better in
-it. You'll start realizing what all those standard things are that you need to
-allow and what not.
-</p>
-<p>
-Writing SELinux policies isn't hard, but it's far more difficult than setting
-the standard Linux permissions on files and directories. It requires a decent
-knowledge of how the application behaves and what the SELinux reference policy
-interfaces grant when you select them.
-</p>
-<p>
-If you ever feel like writing these policies, don't hesitate to read up on the
-various resources at the end of this book.
-</p>
-</td>
-<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated March 2, 2011</p></td></tr>
-<tr lang="en"><td align="center" class="topsep">
-<p class="alttext"><b>Donate</b> to support our development efforts.
- </p>
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
-</form>
-</td></tr>
-<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
-</table></td>
-</tr></table></td></tr>
-<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
-</td></tr>
-</table></body>
-</html>
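Review bot: this hunk drops the whole worked skype policy walkthrough (the Labelling, Dry Run, Next Dry Run and Finishing Up sections, with the file context, skype.te, skype_role interface and skypeusers.te listings) plus the page footer, and no replacement content is visible in the hunk while the commit message only says "Update previews"; please confirm the section was intentionally removed from the XML source or state where it moved. If it is regenerated anywhere, note the rendering defects the removed lines carried so the regeneration does not reproduce them: every listing anchor is `<a name="doc_chap1_pre1">` and every title reads "Code Listing1.1" (the listing counter never advances), and the AVC record's `/dev/pts/1` path has been rewritten into an absolute `path="http://www.gentoo.org/dev/pts/1"` URL by the link-rewriting step, which corrupts the quoted log output.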
diff --git a/html/selinux/hb-using-states.html b/html/selinux/hb-using-states.html
index 41e19bd..98817d2 100644
--- a/html/selinux/hb-using-states.html
+++ b/html/selinux/hb-using-states.html
@@ -253,7 +253,7 @@ level can access it.
<p class="secthead"><a name="doc_chap1_sect1">Switching Types</a></p>
<p>
It is not recommended to switch between types often. At best, you choose your
-policy type at install type and stick with it. But it is not impossible (nor
+policy type at install time and stick with it. But it is not impossible (nor
that hard) to switch between types.
</p>
<p>
diff --git a/html/selinux/index.html b/html/selinux/index.html
index c9ffd77..b61b1b8 100644
--- a/html/selinux/index.html
+++ b/html/selinux/index.html
@@ -84,20 +84,25 @@ As a result, we
<td class="infohead"><b>Role</b></td>
</tr>
<tr>
- <td class="tableinfo">Chris PeBenito</td>
- <td class="tableinfo">pebenito</td>
- <td class="tableinfo">Lead ( Policy, x86, AMD64 )</td>
- </tr>
- <tr>
<td class="tableinfo">Sven Vermeulen</td>
<td class="tableinfo">swift</td>
- <td class="tableinfo">Developer ( Documentation, Userspace tools, Policy development )</td>
+ <td class="tableinfo">Lead ( Documentation, Userspace tools, Policy development )</td>
</tr>
<tr>
<td class="tableinfo">Anthony G. Basile</td>
<td class="tableinfo">blueness</td>
<td class="tableinfo">Developer ( Policy development, Proxy (non developer contributors) )</td>
</tr>
+ <tr>
+ <td class="tableinfo">Chris PeBenito</td>
+ <td class="tableinfo">pebenito</td>
+ <td class="tableinfo">Developer ( Policy development, Userspace tools )</td>
+ </tr>
+ <tr>
+ <td class="tableinfo">Matt Thode</td>
+ <td class="tableinfo">prometheanfire</td>
+ <td class="tableinfo">Developer ( Policy development, Support )</td>
+ </tr>
</table>
<p>
All developers can be reached by e-mail using <span class="code" dir="ltr">nickname@gentoo.org</span>.
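Review bot: the table rows change team roles (Chris PeBenito goes from "Lead ( Policy, x86, AMD64 )" to "Developer ( Policy development, Userspace tools )", Sven Vermeulen becomes "Lead", and Matt Thode is added), which is a substantive project change rather than a preview refresh, so the commit message "Update previews" does not document it; reference the source change or announcement that authorises it. The old lead entry also listed the x86 and AMD64 architectures as a responsibility and no row in the new table carries them, so check whether that coverage should be listed under another member.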
@@ -135,6 +140,9 @@ The following people, although non-developer, are actively contributing to the p
<a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
</li>
<li>
+ <a href="selinux-bugreporting.html">Reporting SELinux (policy) bugs</a>
+ </li>
+ <li>
<a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
</li>
<li>
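Review bot: the new entry's link text "Reporting SELinux (policy) bugs" does not follow the naming used by its neighbours in this list ("Gentoo Hardened SELinux Development Guide", "Gentoo Hardened SELinux Development Policy"); consider a title in the same form, for example "Gentoo Hardened SELinux Bug Reporting Guide". Also verify that the relative `href="selinux-bugreporting.html"` resolves from the html/selinux/ directory this index lives in, since the target page is a new file in this commit.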
diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html
index bd04178..a903353 100644
--- a/html/selinux/selinux-handbook.html
+++ b/html/selinux/selinux-handbook.html
@@ -23,11 +23,11 @@
[ &lt; ]
- [ <a href="selinux-handbook.xml">Home</a> ]
+ [ <a href="pebenito@gentoo.org">Home</a> ]
- [ <a href="selinux-handbook.xml?part=1">&gt;</a> ]
+ [ <a href="pebenito@gentoo.org?part=1">&gt;</a> ]
- [ <a href="selinux-handbook.xml?part=1">&gt;&gt;</a> ]
+ [ <a href="pebenito@gentoo.org?part=1">&gt;&gt;</a> ]
</p>
<hr>
<h1>Gentoo SELinux Handbook</h1>
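Review bot: the three navigation links in this hunk now have `href="pebenito@gentoo.org"`, `href="pebenito@gentoo.org?part=1"` and `href="pebenito@gentoo.org?part=1"` instead of the previous `selinux-handbook.xml` targets, which looks like a runaway search-and-replace: an e-mail address is not a URL (there is not even a `mailto:` scheme), and appending `?part=1` to it is meaningless, so the Home, next and last links at the top of the handbook page are broken. Restore `selinux-handbook.xml`, or use `selinux-handbook.html` if the preview is meant to link to rendered pages as the other preview links in this commit do.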
@@ -111,11 +111,11 @@ them.
[ &lt; ]
- [ <a href="selinux-handbook.xml">Home</a> ]
+ [ <a href="pebenito@gentoo.org">Home</a> ]
- [ <a href="selinux-handbook.xml?part=1">&gt;</a> ]
+ [ <a href="pebenito@gentoo.org?part=1">&gt;</a> ]
- [ <a href="selinux-handbook.xml?part=1">&gt;&gt;</a> ]
+ [ <a href="pebenito@gentoo.org?part=1">&gt;&gt;</a> ]
</p>
<hr>
<p class="copyright">
@@ -136,8 +136,8 @@ them.
-->
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-handbook.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="selinux-handbook.xml?full=1">View all</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="pebenito@gentoo.org?full=1">View all</a></p></td></tr>
<tr><td class="topsep" align="center"><p class="alttext">Updated September 18, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This is the Gentoo SELinux Handbook.
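Review bot: the sidebar "Print" and "View all" links are now `href="pebenito@gentoo.org?style=printable"` and `href="pebenito@gentoo.org?full=1"`, so the printable and single-page views of the handbook are unreachable from the preview; the `?style=printable` and `?full=1` query strings only make sense against the `selinux-handbook.xml` (or `.html`) target that the `-` lines had, so restore that base in both hrefs.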
diff --git a/html/support-state.html b/html/support-state.html
index 94aad74..a42568c 100644
--- a/html/support-state.html
+++ b/html/support-state.html
@@ -178,12 +178,12 @@ reports and feedback).
<tr>
<td class="tableinfo">x86</td>
<td class="tableinfo">In place</td>
- <td class="tableinfo">Still ~arch for the time being</td>
+ <td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">amd64 / x86_64</td>
<td class="tableinfo">In place</td>
- <td class="tableinfo">Still ~arch for the time being</td>
+ <td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">ppc</td>
@@ -235,7 +235,7 @@ reports and feedback).
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 25, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 17, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
The support state of the Gentoo Hardened project describes the supported
platforms, setups and additional requirements for each of the subprojects
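Review bot: the "Updated November 17, 2011" date is fine, but the unchanged context line just above it has the support-state page's Print link pointing at `href="roadmap.xml?style=printable"`, which is the roadmap page, not this one; since the date line is being touched anyway, fix the source so the printer-friendly link targets `support-state.xml?style=printable`.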