release-notes/devel/en_US Security.xml,1.34,1.35
Paul W. Frields (pfrields)
fedora-docs-commits at redhat.com
Tue Apr 8 17:11:43 UTC 2008
Author: pfrields
Update of /cvs/docs/release-notes/devel/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29324
Modified Files:
Security.xml
Log Message:
- Resync for editorial changes
- Retag some areas for clarity
Index: Security.xml
===================================================================
RCS file: /cvs/docs/release-notes/devel/en_US/Security.xml,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- Security.xml 7 Apr 2008 21:38:13 -0000 1.34
+++ Security.xml 8 Apr 2008 17:11:41 -0000 1.35
@@ -27,13 +27,13 @@
<ulink url="http://fedoraproject.org/wiki/Security/Features">security
features</ulink>.
</para>
-</section>
+ </section>
- <section id="Support-for-SHA-256-and-SHA-512-passwords">
- <title>Support for SHA-256 and SHA-512 passwords</title>
+ <section id="Support-for-SHA-256-and-SHA-512-passwords">
+ <title>Support for SHA-256 and SHA-512 passwords</title>
<para>
- The <package>glibc</package> package in Fedora 8 had <ulink url="http://people.redhat.com/drepper/sha-crypt.html">support</ulink> for
+ The <package>glibc</package> package in Fedora 8 had <ulink url="http://people.redhat.com/drepper/sha-crypt.html">support</ulink> for
passwords using SHA-256 and SHA-512 hashing. Previously, only DES
and MD5 were available. These tools have been extended in Fedora
9. Password hashing using the SHA-256 and SHA-512 hash functions
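Review bot: in the SHA-256/SHA-512 paragraph, the re-indented sentence still hangs the link on the bare word "support", and the context sentence after it ("These tools have been extended in Fedora 9") refers to tools the paragraph has not named. Since this is an editorial pass, consider moving the link onto a descriptive phrase such as "SHA-256 and SHA-512 hashing" and stating what was extended. The removed and added lines in this hunk otherwise carry identical text, so the change looks whitespace-only; it would be easier to review as a separate commit from the retagging.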
@@ -103,54 +103,76 @@
</section>
<section id="FORTIFY_SOURCE-extended-to-cover-more-functions">
- <title>FORTIFY_SOURCE extended to cover more functions</title>
- <para>
- <ulink url="http://fedoraproject.org/wiki/Security/Features#FORTIFY_SOURCE">FORTIFY_SOURCE</ulink> protection now covers <computeroutput>asprintf</computeroutput>, <computeroutput>dprintf</computeroutput>, <computeroutput>vasprintf</computeroutput>, <computeroutput>vdprintf</computeroutput>, <computeroutput>obstack_printf</computeroutput> and <computeroutput>obstack_vprintf</computeroutput>. This is particularly useful for application that use the <package>glib2</package> library, as various functions from it use <computeroutput>vasprintf</computeroutput>.
- </para>
+ <title>FORTIFY_SOURCE extended to cover more functions</title>
+ <para>
+ <ulink
+ url="http://fedoraproject.org/wiki/Security/Features#FORTIFY_SOURCE">FORTIFY_SOURCE</ulink>
+ protection now covers <systemitem>asprintf</systemitem>,
+ <systemitem>dprintf</systemitem>,
+ <systemitem>vasprintf</systemitem>,
+ <systemitem>vdprintf</systemitem>,
+ <systemitem>obstack_printf</systemitem> and
+ <systemitem>obstack_vprintf</systemitem>. This improvement is
+ particularly useful for applications that use the
+ <package>glib2</package> library, as several of its functions
+ use <systemitem>vasprintf</systemitem>.
+ </para>
</section>
<section id="SELinux-Enhancements">
- <title>SELinux Enhancements</title>
- <para>
- Different roles are now available, to allow finer-grained access control:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- <computeroutput>guest_t</computeroutput> does not allow running setuid binaries, making network connections, or using a GUI.
- </para>
- </listitem>
- <listitem>
- <para>
- <computeroutput>xguest_t</computeroutput> disallows network access except for HTTP via a Web browser, and no setuid binaries.
- </para>
- </listitem>
- <listitem>
- <para>
- <computeroutput>user_t</computeroutput> is ideal for office users: prevents becoming root via setuid applications.
- </para>
- </listitem>
- <listitem>
- <para>
- <computeroutput>staff_t</computeroutput> is same as <computeroutput>user_t</computeroutput>, except that root access via <command>sudo</command> is allowed.
- </para>
- </listitem>
- <listitem>
- <para>
- <computeroutput>unconfined_t</computeroutput> provides full access, the same as when not using SELinux.
- </para>
- </listitem>
- </itemizedlist>
- <para>
- As well, browser plug-ins wrapped with <package>nspluginwrapper</package>, which is the default, now run confined.
- </para>
+ <title>SELinux Enhancements</title>
+ <para>
+ Different roles are now available, to allow finer-grained access
+ control:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <systemitem>guest_t</systemitem> does not allow
+ running setuid binaries, making network connections, or
+ using a GUI.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <systemitem>xguest_t</systemitem> disallows network access
+ except for HTTP via a Web browser, and no setuid binaries.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <systemitem>user_t</systemitem> is ideal for office
+ users: prevents becoming root via setuid applications.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <systemitem>staff_t</systemitem> is same as
+ <systemitem>user_t</systemitem>, except that root
+ access via <command>sudo</command> is allowed.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <systemitem>unconfined_t</systemitem> provides full
+ access, the same as when not using SELinux.
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ As well, browser plug-ins wrapped with
+ <package>nspluginwrapper</package>, which is the default, now
+ run confined.
+ </para>
</section>
<section id="Default-Firewall-Behavior">
- <title>Default Firewall Behavior</title>
- <para>
- In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by <package>Anaconda</package>.
- </para>
+ <title>Default Firewall Behavior</title>
+ <para>
+ In Fedora 9, the default firewall behavior has changed. There
+ are no default ports open, except for SSH (22), which is opened
+ by <application>Anaconda</application>.
+ </para>
</section>
<section id="sn-General-Information">
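Review bot: in the SELinux Enhancements section, the list is introduced with "Different roles are now available", but every item names a _t identifier (guest_t, xguest_t, user_t, staff_t, unconfined_t), which by SELinux naming convention denotes a type; role names end in _r. Reword the introduction or list the role names, so readers do not look for these under the wrong label. On the retagging in the FORTIFY_SOURCE paragraph, DocBook's function element is a closer fit than systemitem for asprintf, vasprintf and the other C library functions. Two list items also still read unevenly after the resync: "is same as" is missing an article, and the xguest_t item ends with "and no setuid binaries", which does not follow grammatically from "disallows".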