release-notes/devel/en_US Security.xml,1.30,1.31

Murray McAllister (mdious) fedora-docs-commits at redhat.com
Mon Apr 7 10:44:56 UTC 2008


Author: mdious

Update of /cvs/docs/release-notes/devel/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv366/en_US

Modified Files:
	Security.xml 
Log Message:
updating content as per wiki



Index: Security.xml
===================================================================
RCS file: /cvs/docs/release-notes/devel/en_US/Security.xml,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- Security.xml	17 Mar 2008 22:43:03 -0000	1.30
+++ Security.xml	7 Apr 2008 10:44:54 -0000	1.31
@@ -27,9 +27,13 @@
       <ulink url="http://fedoraproject.org/wiki/Security/Features">security
       features</ulink>.
     </para>
+</section>
+
+    <section id="Support-for-SHA-256-and-SHA-512-passwords">
+	    <title>Support for SHA-256 and SHA-512 passwords</title>
 
     <para>
-      The <package>glibc</package> package in Fedora 8 had support for
+	    The <package>glibc</package> package in Fedora 8 had <ulink url="http://people.redhat.com/drepper/sha-crypt.html">support</ulink> for
       passwords using SHA-256 and SHA-512 hashing. Previously, only DES
       and MD5 were available. These tools have been extended in Fedora
       9. Password hashing using the SHA-256 and SHA-512 hash functions
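Review bot: the new section "Support-for-SHA-256-and-SHA-512-passwords" is opened here without a closing tag of its own; the hunk adds one </section> (closing the preceding section early) and one <section>, so the new section now depends on the </section> that used to close the parent, and the file should be re-validated to confirm the nesting is what was intended. The added </section> sits at column 0 and the new <title> and first <para> line are tab-indented while the context lines use spaces, so please match the surrounding indentation. The link text "support" says nothing about the target; linking a phrase such as "support for passwords using SHA-256 and SHA-512 hashing" would read better.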
@@ -97,6 +101,51 @@
       </listitem>
     </itemizedlist>
   </section>
+  
+  <section id="FORTIFY_SOURCE-extended-to-cover-more-functions">
+	  <title>FORTIFY_SOURCE extended to cover more functions</title>
+	  <para>
+		  <ulink url="http://fedoraproject.org/wiki/Security/Features#FORTIFY_SOURCE">FORTIFY_SOURCE</ulink> protection now covers <computeroutput>asprintf</computeroutput>, <computeroutput>dprintf</computeroutput>, <computeroutput>vasprintf</computeroutput>, <computeroutput>vdprintf</computeroutput>, <computeroutput>obstack_printf</computeroutput> and <computeroutput>obstack_vprintf</computeroutput>. This is particularly useful for application that use the <package>glib2</package> library, as various functions from it use <computeroutput>vasprintf</computeroutput>.
+	  </para>
+  </section>
+  
+  <section id="SELinux-Enhancements">
+	  <title>SELinux Enhancements</title>
+	  <para>
+		  Different roles are now available, to allow finer-grained access control:
+	  </para>
+	  <itemizedlist>
+		  <listitem>
+			  <para>
+				  <computeroutput>guest_t</computeroutput> does not allow running setuid binaries, making network connections, or using a GUI
+			  </para>
+		  </listitem>
+		  <listitem>
+			  <para>
+				  <computeroutput>xguest_t</computeroutput> disallows network access except for HTTP via a Web browser, and no setuid binaries
+			  </para>
+		  </listitem>
+		  <listitem>
+			  <para>
+				  <computeroutput>user_t</computeroutput> is ideal for office users: prevents becoming root via setuid applications
+			  </para>
+		  </listitem>
+		  <listitem>
+			  <para>
+				  <computeroutput>staff_t</computeroutput> is same as <computeroutput>user_t</computeroutput>, except that root access via <command>sudo</command> is allowed
+			  </para>
+		  </listitem>
+		  <listitem>
+			  <para>
+				  <computeroutput>unconfined_t</computeroutput> provides full access, the same as when not using SELinux
+			  </para>
+		  </listitem>
+	  </itemizedlist>
+	  <para>
+		  As well, browser plug-ins wrapped with <computeroutput>nspluginwrapper</computeroutput>, which is the default, now run confined.
+	  </para>
+  </section>
+
 
   <section id="sn-General-Information">
     <title>General Information</title>
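Review bot: the SELinux section introduces its list as "Different roles" but every item is a _t name (guest_t, xguest_t, user_t, staff_t, unconfined_t), and _t is the SELinux suffix for types, not roles; either describe these as types/domains or name the corresponding roles so readers look for the right identifier. In the FORTIFY_SOURCE paragraph, "application that use" should be "applications that use". The list items would also read better in parallel form, for example "is same as" should be "is the same as", and the xguest_t item's trailing "and no setuid binaries" should be worked into the sentence.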