author klondike <klondike@xiscosoft.es> 2010-11-12 17:19:38 +0100
committer klondike <klondike@xiscosoft.es> 2010-11-12 17:19:38 +0100
commit c180018726657483527cbce7610a7c9b905e4a21 (patch)
tree a5b011ba6325a467c408c77f91d98362da5c5e5c
parent Updated the section on getting newer sources. (diff)
download hardened-docs-c180018726657483527cbce7610a7c9b905e4a21.tar.gz
hardened-docs-c180018726657483527cbce7610a7c9b905e4a21.tar.bz2
hardened-docs-c180018726657483527cbce7610a7c9b905e4a21.zip
Regenerating HTMLS
-rw-r--r-- hardenedfaq.html 132
1 file changed, 42 insertions, 90 deletions
diff --git a/hardenedfaq.html b/hardenedfaq.html
index 0e8628c..66c843e 100644
--- a/hardenedfaq.html
+++ b/hardenedfaq.html
@@ -23,9 +23,8 @@
<select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Questions</option>
<option value="#doc_chap2">2. General Questions</option>
<option value="#doc_chap3">3. PaX Questions</option>
-<option value="#doc_chap4">4. grsecurity Questions</option>
-<option value="#doc_chap5">5. RSBAC Questions</option>
-<option value="#doc_chap6">6. SELinux Questions</option></select>
+<option value="#doc_chap4">4. Grsecurity Questions</option>
+<option value="#doc_chap5">5. SELinux Questions</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Questions</p>
@@ -39,27 +38,19 @@ Hardened. It is advisable reading the rest of the documentation on the Gentoo
Hardened Project page and that on
the projects' home pages in order to get a better insight.
</p>
-<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-Due to the lack of a package maintainer the RSBAC ebuilds have been deprecated
-and removed from the tree, the references to RSBAC in this guide are left for
-historical reasons.
-</p></td></tr></table>
<p class="secthead">General Questions</p>
<ul>
<li><a href="#toolchain">What exactly is the "toolchain"?</a></li>
-<li><a href="#whichisbetter">What should I use: grsecurity, RSBAC or SELinux?</a></li>
-<li><a href="#aclall">Is it possible to use grsecurity, RSBAC, SELinux and PaX all at the same
+<li><a href="#whichisbetter">What should I use: Grsecurity or SELinux?</a></li>
+<li><a href="#aclall">Is it possible to use Grsecurity, SELinux and PaX all at the same
time?</a></li>
<li><a href="#hardenedcflags">Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on
hardened building?</a></li>
<li><a href="#hardenedcflagsoff">How do I turn off hardened building?</a></li>
-<li><a href="#fsexec">My kernel compilation fails with the error "error: structure has no
-member named `curr_ip'", how do I fix that?</a></li>
<li><a href="#hardenedproject">I just found out about the hardened project; do I have to install
everything on the project page in order to install Hardened Gentoo?</a></li>
<li><a href="#Othreessp">Why don't my programs work when I use CFLAGS="-O3" and hardened
gcc?</a></li>
-<li><a href="#cascadebootstrap">What happened to bootstrap-cascade.sh?</a></li>
<li><a href="#hardenedprofile">How do I switch to the hardened profile?</a></li>
<li><a href="#hardeneddebug">How do I debug with gdb?</a></li>
</ul>
@@ -72,17 +63,11 @@ make segment writable for relocation: Permission denied." What does this
mean?</a></li>
<li><a href="#paxjava">Ever since I started using PaX I can't get Java working, why?</a></li>
</ul>
-<p class="secthead">grsecurity Questions</p>
-<ul>
-<li><a href="#grsecinformation">What is the homepage for grsecurity?</a></li>
-<li><a href="#grsecgentoodoc">What Gentoo documentation exists about grsecurity?</a></li>
-<li><a href="#grsecnew">Can I use grsecurity with a recent kernel not on the tree?</a></li>
-</ul>
-<p class="secthead">RSBAC Questions</p>
+<p class="secthead">Grsecurity Questions</p>
<ul>
-<li><a href="#rsbacinformation">What is the homepage for RSBAC?</a></li>
-<li><a href="#rsbacgentoodoc">What Gentoo documentation exists about RSBAC?</a></li>
-<li><a href="#rsbacinitrd">How do I use an initial ramdisk with a RSBAC enabled kernel?</a></li>
+<li><a href="#grsecinformation">What is the homepage for Grsecurity?</a></li>
+<li><a href="#grsecgentoodoc">What Gentoo documentation exists about Grsecurity?</a></li>
+<li><a href="#grsecnew">Can I use Grsecurity with a recent kernel not on the tree?</a></li>
</ul>
<p class="secthead">SELinux Questions</p>
<ul><li><a href="#selinuxfaq">Where can I find SELinux related frequently asked questions?</a></li></ul>
@@ -95,7 +80,7 @@ used to build and develop for a particular architecture. The toolchain you may
hear referred to in the gentoo-hardened IRC channel consists of the GNU Compiler
Collection (GCC), binutils, and the GNU C library (glibc).
</p>
-<p class="secthead"><a name="whichisbetter"></a><a name="doc_chap2_sect2">What should I use: grsecurity, RSBAC or SELinux?</a></p>
+<p class="secthead"><a name="whichisbetter"></a><a name="doc_chap2_sect2">What should I use: Grsecurity or SELinux?</a></p>
<p>
The answer to this question is highly subjective, and very dependent on your
requisites so the hardened Gentoo project
@@ -105,12 +90,12 @@ in the hardened documentation. However, if you have any specific questions
about the security model that each provides, feel free to question the relevant
developer in our IRC channel or on the mailing list.
</p>
-<p class="secthead"><a name="aclall"></a><a name="doc_chap2_sect3">Is it possible to use grsecurity, RSBAC, SELinux and PaX all at the same
+<p class="secthead"><a name="aclall"></a><a name="doc_chap2_sect3">Is it possible to use Grsecurity, SELinux and PaX all at the same
time?</a></p>
<p>
-Yes, this combination is quite possible as PaX works with grsecurity, RSBAC
-and SELinux. The only conflict that arises is you can only use one access
-control system.
+Yes, this combination is quite possible as PaX works with Grsecurity's RBAC and
+SELinux. The only conflict that arises is you can only use one access control
+system.
</p>
<p class="secthead"><a name="hardenedcflags"></a><a name="doc_chap2_sect4">Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on
hardened building?</a></p>
@@ -118,14 +103,14 @@ hardened building?</a></p>
No, the current toolchain implements the equivalent of <span class="code" dir="ltr">CFLAGS="-fPIE
-fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</span>
automatically through GCC's built-in spec and using the specfiles to disable
-them which is a more proper solution. For older hardened-gcc users, add
-<span class="code" dir="ltr">USE="hardened pic"</span> to your <span class="path" dir="ltr">/etc/make.conf</span> or switch to the
+them which is a more proper solution. For older hardened-gcc users switch to the
hardened profile and then upgrade with the following commands:
</p>
<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Hardened Toolchain Installation</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">emerge --oneshot binutils gcc virtual/libc</span>
+# <span class="code-input">emerge -e system</span>
# <span class="code-input">emerge -e world</span>
</pre></td></tr>
</table>
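Review bot: the new `emerge -e system` line in Code Listing 2.1 is undocumented. The paragraph above still says only "upgrade with the following commands" and does not explain why the system set is now rebuilt on its own before `emerge -e world`, which already includes the system set, so those packages are compiled twice. Either add a sentence saying that the first pass rebuilds the base system with the freshly installed toolchain before the rest of world is rebuilt against it, or drop one of the two lines.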
@@ -197,14 +182,7 @@ If you are interested in using per-package CFLAGS with Portage currently then
you may be interested in reading about the script solar has developed to deal
with this: <a href="http://article.gmane.org/gmane.linux.gentoo.hardened/1204">http://article.gmane.org/gmane.linux.gentoo.hardened/1204</a>
</p></td></tr></table>
-<p class="secthead"><a name="fsexec"></a><a name="doc_chap2_sect6">My kernel compilation fails with the error "error: structure has no
-member named `curr_ip'", how do I fix that?</a></p>
-<p>
-This has been fixed since, at least, 2.6.32 kernels so you should try updating
-to a newer version as older versions also have a lot of open security holes.
-Anyway, if you keep hitting this bug try enabling grsecurity also.
-</p>
-<p class="secthead"><a name="hardenedproject"></a><a name="doc_chap2_sect7">I just found out about the hardened project; do I have to install
+<p class="secthead"><a name="hardenedproject"></a><a name="doc_chap2_sect6">I just found out about the hardened project; do I have to install
everything on the project page in order to install Hardened Gentoo?</a></p>
<p>
No, the Hardened Gentoo Project is a collection of subprojects that all have
@@ -212,7 +190,7 @@ common security minded goals. While many of these projects can be installed
alongside one another, some conflict as well such as several of the ACL
implementations that Hardened Gentoo offers.
</p>
-<p class="secthead"><a name="Othreessp"></a><a name="doc_chap2_sect8">Why don't my programs work when I use CFLAGS="-O3" and hardened
+<p class="secthead"><a name="Othreessp"></a><a name="doc_chap2_sect7">Why don't my programs work when I use CFLAGS="-O3" and hardened
gcc?</a></p>
<p>
Using the gcc optimization flag <span class="code" dir="ltr">-O3</span> has been known to be problematic with
@@ -221,12 +199,11 @@ optimization flag is not officially supported and is, therefore, discouraged by
the hardened team. Compile issues where a user uses <span class="code" dir="ltr">CFLAGS="-O3"</span> may be
closed as INVALID/CANTFIX and/or ignored.
</p>
-<p class="secthead"><a name="cascadebootstrap"></a><a name="doc_chap2_sect9">What happened to bootstrap-cascade.sh?</a></p>
+<p class="secthead"><a name="hardenedprofile"></a><a name="doc_chap2_sect8">How do I switch to the hardened profile?</a></p>
<p>
-Recently, the old bootstrap.sh and bootstrap-2.6.sh were deprecated. In their
-place, bootstrap-cascade.sh has been renamed to bootstrap.sh.
+Read the handbook for how to change profile. 6. Installing the Gentoo Base
+System
</p>
-<p class="secthead"><a name="hardenedprofile"></a><a name="doc_chap2_sect10">How do I switch to the hardened profile?</a></p>
<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Set make.profile</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
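Review bot: the replacement answer for "How do I switch to the hardened profile?" reads as an unfinished paste: "Read the handbook for how to change profile. 6. Installing the Gentoo Base System" names a handbook chapter but gives no link, and the chapter title is left standing as a fragment after the full stop. Suggest a proper link in the style used elsewhere on the page, along the lines of `Read the handbook chapter <a href="HANDBOOK-CHAPTER-URL">6. Installing the Gentoo Base System</a> for how to change profile.` (URL is a placeholder to be filled in), and since this file is generated, make the fix in the XML source rather than here.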
@@ -258,10 +235,11 @@ oolchain so that you have a consistent base:
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Switch to hardened toolchain</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">emerge --oneshot binutils gcc virtual/libc</span>
+# <span class="code-input">emerge -e system</span>
# <span class="code-input">emerge -e world</span>
</pre></td></tr>
</table>
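Review bot: Code Listing 2.4 receives the same undocumented `emerge -e system` step as Listing 2.1, and the lead-in ("so that you have a consistent base") does not say why the system set is rebuilt before world. If both listings describe the same procedure, keep them identical and explain the two-pass rebuild once, in the prose, rather than leaving the reader to guess why system appears twice.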
-<p class="secthead"><a name="hardeneddebug"></a><a name="doc_chap2_sect11">How do I debug with gdb?</a></p>
+<p class="secthead"><a name="hardeneddebug"></a><a name="doc_chap2_sect9">How do I debug with gdb?</a></p>
<p>
First gotcha is that GDB can't resolve symbols in PIEs; it doesn't realise that
the addresses are relative in PIEs not absolute. This shows up when you try to
@@ -384,67 +362,37 @@ set the PAX flags on the binaries.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
If you are running PaX in conjunction with an additional security implementation
-such as RSBAC, grsecurity, or SELinux you should manage PaX using the kernel
+such as Grsecurity's RBAC, or SELinux you should manage PaX using the kernel
hooks provided for each implementation.
</p></td></tr></table>
<p>
The other way is using your security implementation to do this using the kernel
hooks.
-On RSBAC, you can label all Java files with the following command.
</p>
-<a name="doc_chap3_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.5: Java PaX options with RSBAC</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">for i in $(ls /opt/*(jdk|sdk)*/{jre,}/bin/*);do attr_set_file_dir FILE $i
-pax_flags pmerxs;done</span>
-</pre></td></tr>
-</table>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
- </span>grsecurity Questions</p>
-<p class="secthead"><a name="grsecinformation"></a><a name="doc_chap4_sect1">What is the homepage for grsecurity?</a></p>
+ </span>Grsecurity Questions</p>
+<p class="secthead"><a name="grsecinformation"></a><a name="doc_chap4_sect1">What is the homepage for Grsecurity?</a></p>
<p>
-The homepage for grsecurity is located at <a href="http://www.grsecurity.net">http://www.grsecurity.net</a>.
+The homepage for Grsecurity is located at <a href="http://www.grsecurity.net">http://www.grsecurity.net</a>.
</p>
-<p class="secthead"><a name="grsecgentoodoc"></a><a name="doc_chap4_sect2">What Gentoo documentation exists about grsecurity?</a></p>
+<p class="secthead"><a name="grsecgentoodoc"></a><a name="doc_chap4_sect2">What Gentoo documentation exists about Grsecurity?</a></p>
<p>
-The most current documentation for grsecurity is a Grsecurity2 quickstart guide
+The most current documentation for Grsecurity is a Grsecurity2 quickstart guide
located at <a href="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">http://www.gentoo.org/proj/en/hardened/grsecurity.xml</a>.
</p>
-<p class="secthead"><a name="grsecnew"></a><a name="doc_chap4_sect3">Can I use grsecurity with a recent kernel not on the tree?</a></p>
+<p class="secthead"><a name="grsecnew"></a><a name="doc_chap4_sect3">Can I use Grsecurity with a recent kernel not on the tree?</a></p>
<p>
-Yes, but you may have to patch it by yourself. You can download the patches from
-<a href="http://grsecurity.net/download.php">http://grsecurity.net/download.php</a>
+Usually we release a new version of hardened sources not long after a new
+PaX/Grsecurity patch isreleased, so the best option is just waiting a bit for
+the kernel team to adapt the patches and then test them. Anyway if you are very
+impatient, you can download the patches from
+<a href="http://grsecurity.net/download.php">http://grsecurity.net/download.php</a> and try to patch the sources
+yourself. Keep in mind, though, that we won't support kernel sources out of the
+tree.
</p>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
- </span>RSBAC Questions</p>
-<p class="secthead"><a name="rsbacinformation"></a><a name="doc_chap5_sect1">What is the homepage for RSBAC?</a></p>
-<p>
-The homepage for RSBAC is located at <a href="http://www.rsbac.org">http://www.rsbac.org</a>.
-</p>
-<p class="secthead"><a name="rsbacgentoodoc"></a><a name="doc_chap5_sect2">What Gentoo documentation exists about RSBAC?</a></p>
-<p>
-All Gentoo RSBAC documentation is located at the RSBAC subproject page found at:
-<a href="http://www.gentoo.org/proj/en/hardened/rsbac/index.xml">http://www.gentoo.org/proj/en/hardened/rsbac/index.xml</a>
-</p>
-<p>
-Moreover, non-Gentoo RSBAC documentation can be found in the RSBAC handbook,
-found at: <a href="http://www.rsbac.org/documentation/rsbac_handbook">http://www.rsbac.org/documentation/rsbac_handbook</a>
-</p>
-<p class="secthead"><a name="rsbacinitrd"></a><a name="doc_chap5_sect3">How do I use an initial ramdisk with a RSBAC enabled kernel?</a></p>
-<p>
-To use an initial ramdisk with a RSBAC enabled kernel, a special kernel option
-must be enabled or else RSBAC will treat the initrd as the root device:
-</p>
-<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Menuconfig Options</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-General RSBAC options ---&gt;
- [*] Delayed init for initial ramdisk
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
</span>SELinux Questions</p>
-<p class="secthead"><a name="selinuxfaq"></a><a name="doc_chap6_sect1">Where can I find SELinux related frequently asked questions?</a></p>
+<p class="secthead"><a name="selinuxfaq"></a><a name="doc_chap5_sect1">Where can I find SELinux related frequently asked questions?</a></p>
<p>
A SELinux specific FAQ can be found at <a href="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&amp;%0Achap=3">
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&amp;
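Review bot: typo in the new grsecnew answer: "PaX/Grsecurity patch isreleased" should be "is released". Two smaller points in the same hunk: the Note now reads "such as Grsecurity's RBAC, or SELinux", where the comma before "or" is a leftover from the former three-item list and should go; and deleting the RSBAC command leaves the paragraph "The other way is using your security implementation to do this using the kernel hooks." with no example for either remaining implementation, so either add the equivalent Grsecurity RBAC and SELinux instructions or point the reader to the per-implementation documentation that chapters 4 and 5 already link.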
@@ -454,7 +402,7 @@ chap=3</a>.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="/proj/en/hardened/hardenedfaq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 24, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated November 12, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
the gentoo-hardened mailing list.
@@ -469,6 +417,10 @@ the gentoo-hardened mailing list.
<a href="mailto:pageexec@freemail.hu" class="altlink"><b>The PaX Team</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:klondike@xiscosoft.es" class="altlink"><b>klondike</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:zorry@gentoo.org" class="altlink"><b>Magnus Granberg</b></a>
+<br><i>Contributor</i><br><br>
+ <a href="mailto:blueness@gentoo.org" class="altlink"><b>Anthony G. Basile</b></a>
<br><i>Contributor</i><br></p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
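Review bot: the two added contributor `<a href=...>` lines are indented with a leading space while the existing entries in the same block (The PaX Team, klondike) start at column 0. Since this HTML is generated output, the inconsistency most likely comes from the XML source; fix the indentation there so the next regeneration does not reintroduce it.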