author Sven Vermeulen <sven.vermeulen@siphos.be> 2012-04-05 18:21:10 +0200
committer Sven Vermeulen <sven.vermeulen@siphos.be> 2012-04-05 18:21:10 +0200
commit 2c0456cdb2c89e51c0eed93fdd4f9bf6e980cc4c
tree f2cba6e304f7f8af616bbe583e8bd874dc56da8f
parent Adding info on sandbox issue
parent Updating previews
Merge branch 'master' of git+ssh://git.overlays.gentoo.org/proj/hardened-docs
-rw-r--r-- html/capabilities.html 4
-rw-r--r-- html/docs/devel-chroots-intro.html 8
-rw-r--r-- html/docs/glossary.html 8
-rw-r--r-- html/docs/index.html 4
-rw-r--r-- html/docs/pax-howto.html 8
-rw-r--r-- html/etdyn.html 4
-rw-r--r-- html/gnu-stack.html 4
-rw-r--r-- html/grsec-tpe.html 8
-rw-r--r-- html/grsecurity.html 6
-rw-r--r-- html/hardened-debugging.html 8
-rw-r--r-- html/hardened-toolchain.html 8
-rw-r--r-- html/hardened-virtualization.html 8
-rw-r--r-- html/hardenedfaq.html 4
-rw-r--r-- html/hardenedxorg.html 4
-rw-r--r-- html/index.html 34
-rw-r--r-- html/index2.html 9
-rw-r--r-- html/pax-quickstart.html 8
-rw-r--r-- html/pax-utils.html 8
-rw-r--r-- html/pic-fix-guide.html 4
-rw-r--r-- html/pic-guide.html 8
-rw-r--r-- html/pic-internals.html 8
-rw-r--r-- html/pie-ssp.html 4
-rw-r--r-- html/prelude-ids.html 4
-rw-r--r-- html/primer.html 4
-rw-r--r-- html/revdep-pax.html 679
-rw-r--r-- html/roadmap.html 13
-rw-r--r-- html/rsbac/index.html 2
-rw-r--r-- html/rsbac/intro.html 8
-rw-r--r-- html/rsbac/overview.html 8
-rw-r--r-- html/rsbac/quickstart.html 8
-rw-r--r-- html/rsbac/transition.html 8
-rw-r--r-- html/selinux-bugreporting.html 11
-rw-r--r-- html/selinux-development.html 8
-rw-r--r-- html/selinux-faq.html 70
-rw-r--r-- html/selinux-policy.html 8
-rw-r--r-- html/selinux/hb-intro-concepts.html 4
-rw-r--r-- html/selinux/hb-intro-enhancingsecurity.html 4
-rw-r--r-- html/selinux/hb-intro-referencepolicy.html 4
-rw-r--r-- html/selinux/hb-intro-resources.html 4
-rw-r--r-- html/selinux/hb-intro-virtualization.html 4
-rw-r--r-- html/selinux/hb-using-commands.html 4
-rw-r--r-- html/selinux/hb-using-configuring.html 4
-rw-r--r-- html/selinux/hb-using-install.html 72
-rw-r--r-- html/selinux/hb-using-policies.html 14
-rw-r--r-- html/selinux/hb-using-states.html 4
-rw-r--r-- html/selinux/hb-using-troubleshoot.html 79
-rw-r--r-- html/selinux/index.html 2
-rw-r--r-- html/selinux/selinux-handbook.html 8
-rw-r--r-- html/support-state.html 4
-rw-r--r-- html/toolchain-upgrade-guide.html 8
-rw-r--r-- xml/revdep-pax.xml 740
51 files changed, 1791 insertions, 168 deletions
diff --git a/html/capabilities.html b/html/capabilities.html
index 6e8fa7a..daaf5b6 100644
--- a/html/capabilities.html
+++ b/html/capabilities.html
@@ -401,7 +401,7 @@
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="capabilities.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated January 22, 2005</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated January 22, 2005</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
POSIX capabilities are a partitioning of the all powerful root privilege into a
set of distinct privileges
@@ -422,7 +422,7 @@ set of distinct privileges
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/docs/devel-chroots-intro.html b/html/docs/devel-chroots-intro.html
index 61dbec9..87acdfd 100644
--- a/html/docs/devel-chroots-intro.html
+++ b/html/docs/devel-chroots-intro.html
@@ -426,7 +426,9 @@ of scripts and users for having their work done!
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
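Review bot: The renamed opening tag in the RDF block, from "License" to "license", changes an element name in markup where names are case-sensitive; if the closing tag further down the file is still "</License>", the embedded licence metadata is no longer well-formed for any tool that extracts it from the comment. The two blank lines added around the tag also look like generator output rather than an intended edit. Check whether the stylesheet or serializer changed between builds and restore the original capitalisation in the generated page. The same change repeats in the other pages of this commit that carry the RDF block.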
@@ -439,7 +441,7 @@ of scripts and users for having their work done!
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="devel-chroots-intro.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated December 6, 2006</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated December 6, 2006</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This guide covers the installation, configuration and set up
of chroots using a tool developed for the Gentoo dev machines.
@@ -458,7 +460,7 @@ of chroots using a tool developed for the Gentoo dev machines.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/docs/glossary.html b/html/docs/glossary.html
index 610af23..e362ec7 100644
--- a/html/docs/glossary.html
+++ b/html/docs/glossary.html
@@ -127,7 +127,9 @@ rules so that lml can monitor other projects like SELinux.
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -140,7 +142,7 @@ rules so that lml can monitor other projects like SELinux.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="docs/glossary.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 7, 2004</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated August 7, 2004</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This document introduces the Gentoo Hardened project and covers
each of its subprojects in simple terms.
@@ -159,7 +161,7 @@ each of its subprojects in simple terms.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/docs/index.html b/html/docs/index.html
index 81ff591..769c5c2 100644
--- a/html/docs/index.html
+++ b/html/docs/index.html
@@ -144,7 +144,7 @@ up and running with a PaX kernel and PIE/SSP userland.
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 7, 2004</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated August 7, 2004</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -156,7 +156,7 @@ up and running with a PaX kernel and PIE/SSP userland.
</table></td>
</tr>
<tr lang="en"><td align="right" class="infohead" colspan="3">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/docs/pax-howto.html b/html/docs/pax-howto.html
index e1c16bd..7c83368 100644
--- a/html/docs/pax-howto.html
+++ b/html/docs/pax-howto.html
@@ -233,7 +233,9 @@ to run.
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -246,7 +248,7 @@ to run.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="docs/pax-howto.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 7, 2004</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated August 7, 2004</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
A quickstart covering PaX and Hardened Gentoo.
</p></td></tr>
@@ -266,7 +268,7 @@ A quickstart covering PaX and Hardened Gentoo.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/etdyn.html b/html/etdyn.html
index c452472..0ed3663 100644
--- a/html/etdyn.html
+++ b/html/etdyn.html
@@ -180,7 +180,7 @@ GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="etdyn.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 5, 2003</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated August 5, 2003</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This guide contains documentation and examples on how to create dynamic ELF executables.
These guidelines are required to achieve full Address Space Layout Randomization.
@@ -207,7 +207,7 @@ These guidelines are required to achieve full Address Space Layout Randomization
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/gnu-stack.html b/html/gnu-stack.html
index 7816043..c697138 100644
--- a/html/gnu-stack.html
+++ b/html/gnu-stack.html
@@ -403,7 +403,7 @@ If no one can seem to answer your question, give me a poke either on irc
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="gnu-stack.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated June 11, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated June 11, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>Handbook for proper GNU Stack management in ELF systems</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
<a href="mailto:vapier@gentoo.org" class="altlink"><b>Mike Frysinger</b></a>
@@ -427,7 +427,7 @@ If no one can seem to answer your question, give me a poke either on irc
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/grsec-tpe.html b/html/grsec-tpe.html
index f30eac0..e440fb5 100644
--- a/html/grsec-tpe.html
+++ b/html/grsec-tpe.html
@@ -2648,7 +2648,9 @@ still be modified by that user.
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -2661,7 +2663,7 @@ still be modified by that user.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="grsec-tpe.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated 2011-3-27</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated 2011-3-27</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
TPE tends to be one of the harder to understand parts of GRSecurity as options
like invert GID can be confusing at times. In this documents we explain how each
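Review bot: The date on the changed line, "Page updated 2011-3-27", is in a different format from the other pages touched by this commit (for example "Page updated January 22, 2005"); since the line is being rewritten anyway, settle on one format in the page source. The summary directly below also reads "In this documents", which should be "In this document".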
@@ -2682,7 +2684,7 @@ suite.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/grsecurity.html b/html/grsecurity.html
index 67980e1..03d2b7a 100644
--- a/html/grsecurity.html
+++ b/html/grsecurity.html
@@ -179,7 +179,7 @@ CONFIG_GRKERNSEC_HIDESYM=y
</table>
<p>
If you are running a non-x86 system you will observe that there is no
-CONFIG_GRKERNSEC_PAX_NOEXEC. You should select CONFIG_GRKERNSEC_PAX_PAGEEXEC
+CONFIG_GRKERNSEC_PAX_SEGMEXEC. You should select CONFIG_GRKERNSEC_PAX_PAGEEXEC
instead as it is the only non-exec implementation around.
</p>
<p class="secthead"><a name="doc_chap2_sect3">Controlling PaX</a></p>
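Review bot: The replaced symbol in "there is no CONFIG_GRKERNSEC_PAX_SEGMEXEC" makes the paragraph agree with its last sentence, but the option names should be checked against the Kconfig of the kernel the page targets. Readers search their .config for these exact strings, and a wrong CONFIG_GRKERNSEC_PAX_ prefix sends them looking for a symbol that is not there. It would also help to reword "the only non-exec implementation around" so it says the implementation is the only one available on that architecture.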
@@ -802,7 +802,7 @@ USE variable in <span class="path" dir="ltr">/etc/make.conf</span>.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="grsecurity.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 10, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated December 23, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This document features the grsecurity 2.x security patches, supported kernel
configuration options and tools provided by the grsecurity project to lift your
@@ -824,7 +824,7 @@ system's security to higher standards.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/hardened-debugging.html b/html/hardened-debugging.html
index 224dc63..014ef3d 100644
--- a/html/hardened-debugging.html
+++ b/html/hardened-debugging.html
@@ -173,7 +173,9 @@ used <span class="code" dir="ltr">paxctl</span> you can reset the flags to defau
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -186,7 +188,7 @@ used <span class="code" dir="ltr">paxctl</span> you can reset the flags to defau
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="hardenedfaq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 26, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated October 26, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
In this document we study the ways to do proper binary debugging when using a
hardened kernel and toolcahin with PaX/Grsec, PIE and SSP.
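Review bot: The Print link in the context just above the changed date line points at "hardenedfaq.xml?style=printable" although this file is html/hardened-debugging.html, so the printer-friendly link opens a different document; it should reference this page's own source. The summary below also misspells "toolchain" as "toolcahin". Both are worth fixing in the source while the page is being regenerated.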
@@ -208,7 +210,7 @@ hardened kernel and toolcahin with PaX/Grsec, PIE and SSP.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/hardened-toolchain.html b/html/hardened-toolchain.html
index f6d6043..d72c7b4 100644
--- a/html/hardened-toolchain.html
+++ b/html/hardened-toolchain.html
@@ -315,7 +315,9 @@ The following packages have issues with BIND_NOW at the time of writing, and it
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -328,7 +330,7 @@ The following packages have issues with BIND_NOW at the time of writing, and it
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="hardened-toolchain.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 31, 2006</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated August 31, 2006</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Technical description of, and rationale for, the Gentoo Hardened Toolchain modifications.
</p></td></tr>
@@ -350,7 +352,7 @@ Technical description of, and rationale for, the Gentoo Hardened Toolchain modif
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/hardened-virtualization.html b/html/hardened-virtualization.html
index aadd0d6..2022331 100644
--- a/html/hardened-virtualization.html
+++ b/html/hardened-virtualization.html
@@ -137,7 +137,9 @@ KVM related resources:
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -150,7 +152,7 @@ KVM related resources:
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="hardened-virtualization.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 31, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated October 31, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Virtualization is a key component in current IT infrastructure. Although
one can easily harden a virtualized operating system instance, you still
@@ -171,7 +173,7 @@ insight on how to harden the host using Gentoo Hardened.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/hardenedfaq.html b/html/hardenedfaq.html
index e205b49..9fe06a6 100644
--- a/html/hardenedfaq.html
+++ b/html/hardenedfaq.html
@@ -537,7 +537,7 @@ There is a <a href="selinux-faq.html"> SELinux specific FAQ
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="hardenedfaq.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated 2011-3-27</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated 2011-3-27</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
the gentoo-hardened mailing list.
@@ -568,7 +568,7 @@ the gentoo-hardened mailing list.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/hardenedxorg.html b/html/hardenedxorg.html
index 7d2d916..b7492fe 100644
--- a/html/hardenedxorg.html
+++ b/html/hardenedxorg.html
@@ -118,7 +118,7 @@ The PaX flags -P (PAGEEXEC), -S (SEGMEXEC), -M (MPROTECT) as well as -R (RANDMMA
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="hardenedxorg.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated December 23, 2006</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated December 23, 2006</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
How to install and use Xorg on Hardened Gentoo
</p></td></tr>
@@ -144,7 +144,7 @@ How to install and use Xorg on Hardened Gentoo
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/index.html b/html/index.html
index 584d5db..31c3878 100644
--- a/html/index.html
+++ b/html/index.html
@@ -81,6 +81,11 @@ Gentoo once they've been tested for security and stability by the Hardened team.
<td class="tableinfo">Member ( Doc, PR )</td>
</tr>
<tr>
+ <td class="tableinfo">Daniel Kuehn</td>
+ <td class="tableinfo">lejonet</td>
+ <td class="tableinfo">Member ( Hardened sources )</td>
+ </tr>
+ <tr>
<td class="tableinfo">Gysbert Wassenaar</td>
<td class="tableinfo">nixnut</td>
<td class="tableinfo">Member ( PPC arch team liaison )</td>
@@ -146,6 +151,13 @@ project:
<td class="tableinfo">SELinux is a system of mandatory access controls. SELinux can enforce the security policy over all processes and objects in the system.</td>
</tr>
<tr>
+ <td class="tableinfo">
+ <a href="rsbac/index.html">RSBAC</a>
+ </td>
+ <td class="tableinfo">Anthony G. Basile</td>
+ <td class="tableinfo">RSBAC is Mandatory Access Control security system based on the GFAC framework logic. It includes standard models, like the Role Compatibility, Access Control Lists and Mandatory Access Control. RSBAC enforces access control rules on your operating system.</td>
+ </tr>
+ <tr>
<td class="tableinfo">PaX/Grsecurity</td>
<td class="tableinfo">Anthony G. Basile</td>
<td class="tableinfo">
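Review bot: The added RSBAC description is missing an article in "RSBAC is Mandatory Access Control security system"; it should read "RSBAC is a Mandatory Access Control security system". The same sentence uses "Mandatory Access Control" both for the system as a whole and for one of the models it lists, which reads as circular, so naming the model distinctly would make the row clearer.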
@@ -269,6 +281,9 @@ GNU Stack Quickstart
<a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
</li>
<li>
+ <a href="selinux-bugreporting.html">Reporting SELinux (policy) bugs</a>
+ </li>
+ <li>
<a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
</li>
<li>
@@ -279,6 +294,19 @@ GNU Stack Quickstart
</li>
</ul>
</li>
+ <li>
+ <b>Rule Set Based Access Control
+ subproject resources
+ </b>
+ <ul>
+ <li>
+ <a href="rsbac/overview.html">RSBAC Overview</a>
+ </li>
+ <li>
+ <a href="rsbac/quickstart.html">RSBAC Quickstart</a>
+ </li>
+ </ul>
+ </li>
</ul>
<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
</span>Herds</p>
@@ -293,7 +321,7 @@ GNU Stack Quickstart
</tr>
<tr>
<td class="tableinfo">hardened</td>
- <td class="tableinfo">blueness, chainsaw, gengor, klondike, nixnut, pebenito, solar, swift, zorry</td>
+ <td class="tableinfo">blueness, chainsaw, gengor, klondike, lejonet, nixnut, pebenito, prometheanfire, solar, swift, zorry</td>
<td class="tableinfo">Hardened Gentoo project packages and policy</td>
</tr>
<tr>
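Review bot: The herd list on the changed line gains both lejonet and prometheanfire, but the member table hunk earlier in this file adds a row only for Daniel Kuehn (lejonet). Confirm that prometheanfire already has a row in the developer table, or add one, so the herd list and the member list agree.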
@@ -332,7 +360,7 @@ greatly appreciated.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="index.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 12, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated August 12, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>Hardened Gentoo brings advanced security measures to Gentoo Linux.</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">Gentoo Project<br><i>script generated</i><br></p></td></tr>
<tr lang="en"><td align="center" class="topsep">
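Review bot: The changed line keeps the date "August 12, 2011" even though this commit adds a project member, the RSBAC subproject and new resource links to the same page, while the grsecurity.html change in this commit moves its date forward together with its content change. Update the date in the page source so readers can tell that the project page has changed.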
@@ -346,7 +374,7 @@ greatly appreciated.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/index2.html b/html/index2.html
index 61f6f0b..9021b40 100644
--- a/html/index2.html
+++ b/html/index2.html
@@ -256,6 +256,9 @@ GNU Stack Quickstart</a>
<a href="selinux-development.html">Gentoo Hardened SELinux Development Guide</a>
</li>
<li>
+ <a href="selinux-bugreporting.html">Reporting SELinux (policy) bugs</a>
+ </li>
+ <li>
<a href="selinux-policy.html">Gentoo Hardened SELinux Development Policy</a>
</li>
<li>
@@ -280,7 +283,7 @@ GNU Stack Quickstart</a>
</tr>
<tr>
<td class="tableinfo">hardened</td>
- <td class="tableinfo">blueness, chainsaw, gengor, klondike, nixnut, pebenito, solar, swift, zorry</td>
+ <td class="tableinfo">blueness, chainsaw, gengor, klondike, lejonet, nixnut, pebenito, prometheanfire, solar, swift, zorry</td>
<td class="tableinfo">Hardened Gentoo project packages and policy</td>
</tr>
<tr>
@@ -319,7 +322,7 @@ greatly appreciated.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="index.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 25, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated October 25, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>Hardened Gentoo brings advanced security measures to Gentoo Linux.</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">Gentoo Project<br><i>script generated</i><br></p></td></tr>
<tr lang="en"><td align="center" class="topsep">
@@ -333,7 +336,7 @@ greatly appreciated.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/pax-quickstart.html b/html/pax-quickstart.html
index b55140f..b7e8831 100644
--- a/html/pax-quickstart.html
+++ b/html/pax-quickstart.html
@@ -238,7 +238,9 @@ to run. Often we find that we need the -m -sp combos.
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
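Review bot: The opening tag changes from `<License` to `<license`, and XML element names are case-sensitive. The closing tag is not part of this hunk; if it is still `</License>`, the RDF block is no longer well-formed. Even if both ends are lowercased, `license` is not the `License` class of the `http://web.resource.org/cc/` namespace, so tools that read the licence metadata out of this comment block will not recognise it. The added blank lines suggest this is a side effect of regenerating the HTML rather than an intended edit; keep `License` as in the removed line. The same change appears in the pax-utils, pic-guide and pic-internals hunks.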
@@ -251,7 +253,7 @@ to run. Often we find that we need the -m -sp combos.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pax-quickstart.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 11, 2007</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated September 11, 2007</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
A quickstart covering PaX and Hardened Gentoo.
</p></td></tr>
@@ -273,7 +275,7 @@ A quickstart covering PaX and Hardened Gentoo.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/pax-utils.html b/html/pax-utils.html
index 264f52e..07c8b08 100644
--- a/html/pax-utils.html
+++ b/html/pax-utils.html
@@ -650,7 +650,9 @@ struct {
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -663,7 +665,7 @@ struct {
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="swift?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 29, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated August 29, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This guide provides instruction on securing your system by using the pax-utils
package to find and identify problematic binaries.
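Review bot: The Print link in the context row of this hunk is `href="swift?style=printable"`, whereas the other pages in this commit link to their own source file (`pax-quickstart.xml?style=printable`, `pic-guide.xml?style=printable`). `swift` is not a document path and looks like a stray value from the generation run, so the printer-friendly link on pax-utils.html will not resolve. It should presumably be `pax-utils.xml?style=printable`, corrected in whatever feeds the generator rather than in this output file.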
@@ -686,7 +688,7 @@ package to find and identify problematic binaries.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/pic-fix-guide.html b/html/pic-fix-guide.html
index eef91a5..d010132 100644
--- a/html/pic-fix-guide.html
+++ b/html/pic-fix-guide.html
@@ -849,7 +849,7 @@ mmx32_rgb888_mask dd 00ffffffh,00ffffffh
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pic-fix-guide.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 19, 2007</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated August 19, 2007</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>A guide for tracking down and fixing .text relocations (TEXTRELs)</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
<a href="mailto:vapier@gentoo.org" class="altlink"><b>Mike Frysinger</b></a>
@@ -871,7 +871,7 @@ mmx32_rgb888_mask dd 00ffffffh,00ffffffh
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/pic-guide.html b/html/pic-guide.html
index 8945abc..de96fce 100644
--- a/html/pic-guide.html
+++ b/html/pic-guide.html
@@ -137,7 +137,9 @@ References:
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -150,7 +152,7 @@ References:
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pic-guide.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 11, 2005</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated October 11, 2005</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>What every developer should understand about using Position Independent Code</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
<a href="mailto:solar@gentoo.org" class="altlink"><b>solar</b></a>
@@ -168,7 +170,7 @@ References:
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/pic-internals.html b/html/pic-internals.html
index 72fec94..a2da28d 100644
--- a/html/pic-internals.html
+++ b/html/pic-internals.html
@@ -209,7 +209,9 @@ These executables simply do not need the PIC addressing mode for their functions
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -222,7 +224,7 @@ These executables simply do not need the PIC addressing mode for their functions
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pic-internals.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated February 14, 2004</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated February 14, 2004</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>Understanding the impact of text relocations and explaining the use of PIC in shared libraries</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
<a href="mailto:a.gabert@fh-trier.de" class="altlink"><b>Alexander Gabert</b></a>
@@ -242,7 +244,7 @@ These executables simply do not need the PIC addressing mode for their functions
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/pie-ssp.html b/html/pie-ssp.html
index f9d7069..9d543c5 100644
--- a/html/pie-ssp.html
+++ b/html/pie-ssp.html
@@ -234,7 +234,7 @@ Lisa Marie Seelye says you need the same hgcc and gcc versions on all distcc hos
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pie-ssp.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 27, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated November 27, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>(This DOC is badly outdated and mostly obsolete) This introductionary guide explains the basic behaviour of the hardened toolchain.</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
<a href="mailto:a.gabert@fh-trier.de" class="altlink"><b>Alexander Gabert</b></a>
@@ -252,7 +252,7 @@ Lisa Marie Seelye says you need the same hgcc and gcc versions on all distcc hos
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/prelude-ids.html b/html/prelude-ids.html
index e1f0acc..4a17c15 100644
--- a/html/prelude-ids.html
+++ b/html/prelude-ids.html
@@ -596,7 +596,7 @@ $conf{'dbpasswd'}='dbpass';
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="prelude-ids.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated July 17, 2003</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated July 17, 2003</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This guide will assist you in setting up the Prelude Intrustion Detection System along with the rules needed to make it useful.
</p></td></tr>
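Review bot: Typo in the Summary context line of this hunk: "Intrustion Detection System" should read "Intrusion Detection System". Correct it in the source the HTML is generated from, otherwise the next regeneration brings it back.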
@@ -618,7 +618,7 @@ $conf{'dbpasswd'}='dbpass';
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/primer.html b/html/primer.html
index 598463b..ef14ec9 100644
--- a/html/primer.html
+++ b/html/primer.html
@@ -248,7 +248,7 @@
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="primer.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated February 7, 2007</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated February 7, 2007</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>A Primer on Hardened Gentoo.</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
<a href="mailto:method@manicmethod.com" class="altlink"><b>Joshua Brindle</b></a>
@@ -268,7 +268,7 @@
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/revdep-pax.html b/html/revdep-pax.html
new file mode 100644
index 0000000..ee4e6d4
--- /dev/null
+++ b/html/revdep-pax.html
@@ -0,0 +1,679 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo revdep-pax introduction</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo revdep-pax introduction</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What's revdep-pax about?</option>
+<option value="#doc_chap2">2. Using revdep-pax</option>
+<option value="#doc_chap3">3. Listing PaX Flags and Capabilities</option>
+<option value="#doc_chap4">4. Programming with ELF files</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>What's revdep-pax about?</p>
+<p class="secthead"><a name="doc_chap1_sect1">A quick introduction to PaX markings.</a></p>
+<p>
+There are some programs which won't be able to run in an environment with all
+the PaX features enabled, for example you may have a program which has so called
+<span class="emphasis">text relocations</span> or you may have a language interpreter doing JIT code
+compilation and requiring <span class="emphasis">RWX</span> mappings you may also have a program that
+saves data including internal pointers into an mmaped file and which needs to be
+restored in the same place no matter what. You could also be holding a security
+competition and need to disable the execution restrictions and force it to
+use fixed addresses on a particular program so it can be exploited doing a
+simple nop sled based stack overflow to get to the next level. For taking into
+account these issues binaries can be marked to force on or off some of the PaX
+features.
+</p>
+<p>
+Currently, the PaX features that can be lessened or enforced to allow programs
+to run are:
+</p>
+<dl>
+ <dt><b>PAGEEXEC</b></dt>
+ <dd>Paging based execution restrictions. This is what other OSes know as
+ <span class="emphasis">NX</span>.</dd>
+ <dt><b>EMUTRAMP</b></dt>
+ <dd>Trampoline emulation. Required by for amongst other things code with
+ nested functions.</dd>
+ <dt><b>MPROTECT</b></dt>
+ <dd>Prevents the introduction of new executable code in the task. This is the
+ one you are more likely to need disabling with libraries generating JIT code.
+ </dd>
+ <dt><b>RANDMMAP</b></dt>
+ <dd>Randomizes the addresses where mappings are made unless the program
+ explicitly requests one (using the MAP_FIXED flag).</dd>
+ <dt><b>RANDEXEC</b></dt>
+ <dd>This flag is currently deprecated and was used to enforce random placement
+ of the executable part of the binary.</dd>
+ <dt><b>SEGMEXEC</b></dt>
+ <dd>This flag enables segmentation based execution protection. This feature is
+ not available on the amd64 architecture so in that architecture is disables by
+ default.</dd>
+</dl>
+<p>
+There are various ways in which this advice to lessen the environment can be
+provided to the system, amongst others Mandatory Access Control rules, extended
+attributes and two kinds of markings on the binaries themselves, the legacy ones
+which abuse an unused field in the ELF headers and the new ones which add a new
+specific section to the ELF file with the markings.
+</p>
+<p>
+All this markings though are only read in the executable and not in the
+libraries linked by it to prevent some possible attacks (like libraries being
+injected via LD_PRELOAD) and because it eases a lot the implementation since the
+kernel shouldn't be aware of linking details.
+</p>
+<p>
+This system has a problem: if we have a binary linking to a library which
+requires, for example, trampoline emulation because it uses nested functions how
+can we make sure the binary gets the propper markings? Yeah we could add PaX
+marks to the library to state it needs trampoline emulation but still we haven't
+fixed the issue since the kernel will only read the marks on the binary being
+called. In order to solve this issue we have created <span class="code" dir="ltr">revdep-pax</span>.
+</p>
+<p class="secthead"><a name="doc_chap1_sect2">What's revdep-pax?</a></p>
+<p>
+<span class="code" dir="ltr">revdep-pax</span> is a tool that allows to check for differences in PaX markings
+between elf objects linking to libraries (for example <span class="path" dir="ltr">/bin/bash</span>)
+and the libraries themselves (for example <span class="path" dir="ltr">/lib64/libc.so.6</span>).
+</p>
+<p>
+<span class="code" dir="ltr">revdep-pax</span> is able to do this in various ways, it can check for
+differences <span class="emphasis">forward</span> from one binary to all the libraries it links and it
+can also check for PaX marking differences <span class="emphasis">backwards</span> from one library to
+all the binaries linking to it (which may include other libraries too). In a
+similar way it is possible to have all the forward and reverse mappings in the
+system checked to try finding issues.
+</p>
+<p>
+<span class="code" dir="ltr">revdep-pax</span> is also able to propagate these markings both forward to the
+libraries linked by an object and backwards to the objects linked by a library.
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
+ </span>Using revdep-pax</p>
+<p class="secthead"><a name="doc_chap2_sect1">Propagating PaX marks backwards from a library to objects that link at it
+</a></p>
+<p>
+This is going to be probably the main way in which you are going to use this
+utility. What it does is check all the libraries linked statically
+The <span class="code" dir="ltr">scanelf</span> application is part of the <span class="code" dir="ltr">app-misc/pax-utils</span> package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Option</b></td>
+ <td class="infohead"><b>Long Option</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">-p</td>
+ <td class="tableinfo">--path</td>
+ <td class="tableinfo">Scan all directories in PATH environment</td>
+</tr>
+<tr>
+ <td class="tableinfo">-l</td>
+ <td class="tableinfo">--ldpath</td>
+ <td class="tableinfo">Scan all directories in /etc/ld.so.conf</td>
+</tr>
+<tr>
+ <td class="tableinfo">-R</td>
+ <td class="tableinfo">--recursive</td>
+ <td class="tableinfo">Scan directories recursively</td>
+</tr>
+<tr>
+ <td class="tableinfo">-m</td>
+ <td class="tableinfo">--mount</td>
+ <td class="tableinfo">Don't recursively cross mount points</td>
+</tr>
+<tr>
+ <td class="tableinfo">-y</td>
+ <td class="tableinfo">--symlink</td>
+ <td class="tableinfo">Don't scan symlinks</td>
+</tr>
+<tr>
+ <td class="tableinfo">-A</td>
+ <td class="tableinfo">--archives</td>
+ <td class="tableinfo">Scan archives (.a files)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-L</td>
+ <td class="tableinfo">--ldcache</td>
+ <td class="tableinfo">Utilize ld.so.cache information (use with -r/-n)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-X</td>
+ <td class="tableinfo">--fix</td>
+ <td class="tableinfo">Try and 'fix' bad things (use with -r/-e)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-z [arg]</td>
+ <td class="tableinfo">--setpax [arg]</td>
+ <td class="tableinfo">Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</td>
+</tr>
+<tr>
+ <td class="infohead"><b>Option</b></td>
+ <td class="infohead"><b>Long Option</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">-x</td>
+ <td class="tableinfo">--pax</td>
+ <td class="tableinfo">Print PaX markings</td>
+</tr>
+<tr>
+ <td class="tableinfo">-e</td>
+ <td class="tableinfo">--header</td>
+ <td class="tableinfo">Print GNU_STACK/PT_LOAD markings</td>
+</tr>
+<tr>
+ <td class="tableinfo">-t</td>
+ <td class="tableinfo">--textrel</td>
+ <td class="tableinfo">Print TEXTREL information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-r</td>
+ <td class="tableinfo">--rpath</td>
+ <td class="tableinfo">Print RPATH information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-n</td>
+ <td class="tableinfo">--needed</td>
+ <td class="tableinfo">Print NEEDED information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-i</td>
+ <td class="tableinfo">--interp</td>
+ <td class="tableinfo">Print INTERP information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-b</td>
+ <td class="tableinfo">--bind</td>
+ <td class="tableinfo">Print BIND information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-S</td>
+ <td class="tableinfo">--soname</td>
+ <td class="tableinfo">Print SONAME information</td>
+</tr>
+<tr>
+ <td class="tableinfo">-s [arg]</td>
+ <td class="tableinfo">--symbol [arg]</td>
+ <td class="tableinfo">Find a specified symbol</td>
+</tr>
+<tr>
+ <td class="tableinfo">-k [arg]</td>
+ <td class="tableinfo">--section [arg]</td>
+ <td class="tableinfo">Find a specified section</td>
+</tr>
+<tr>
+ <td class="tableinfo">-N [arg]</td>
+ <td class="tableinfo">--lib [arg]</td>
+ <td class="tableinfo">Find a specified library</td>
+</tr>
+<tr>
+ <td class="tableinfo">-g</td>
+ <td class="tableinfo">--gmatch</td>
+ <td class="tableinfo">Use strncmp to match libraries. (use with -N)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-T</td>
+ <td class="tableinfo">--textrels</td>
+ <td class="tableinfo">Locate cause of TEXTREL</td>
+</tr>
+<tr>
+ <td class="tableinfo">-E [arg]</td>
+ <td class="tableinfo">--etype [arg]</td>
+ <td class="tableinfo">Print only ELF files matching etype ET_DYN,ET_EXEC ...</td>
+</tr>
+<tr>
+ <td class="tableinfo">-M [arg]</td>
+ <td class="tableinfo">--bits [arg]</td>
+ <td class="tableinfo">Print only ELF files matching numeric bits</td>
+</tr>
+<tr>
+ <td class="tableinfo">-a</td>
+ <td class="tableinfo">--all</td>
+ <td class="tableinfo">Print all scanned info (-x -e -t -r -b)</td>
+</tr>
+<tr>
+ <td class="infohead"><b>Option</b></td>
+ <td class="infohead"><b>Long Option</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">-q</td>
+ <td class="tableinfo">--quiet</td>
+ <td class="tableinfo">Only output 'bad' things</td>
+</tr>
+<tr>
+ <td class="tableinfo">-v</td>
+ <td class="tableinfo">--verbose</td>
+ <td class="tableinfo">Be verbose (can be specified more than once)</td>
+</tr>
+<tr>
+ <td class="tableinfo">-F [arg]</td>
+ <td class="tableinfo">--format [arg]</td>
+ <td class="tableinfo">Use specified format for output</td>
+</tr>
+<tr>
+ <td class="tableinfo">-f [arg]</td>
+ <td class="tableinfo">--from [arg]</td>
+ <td class="tableinfo">Read input stream from a filename</td>
+</tr>
+<tr>
+ <td class="tableinfo">-o [arg]</td>
+ <td class="tableinfo">--file [arg]</td>
+ <td class="tableinfo">Write output stream to a filename</td>
+</tr>
+<tr>
+ <td class="tableinfo">-B</td>
+ <td class="tableinfo">--nobanner</td>
+ <td class="tableinfo">Don't display the header</td>
+</tr>
+<tr>
+ <td class="tableinfo">-h</td>
+ <td class="tableinfo">--help</td>
+ <td class="tableinfo">Print this help and exit</td>
+</tr>
+<tr>
+ <td class="tableinfo">-V</td>
+ <td class="tableinfo">--version</td>
+ <td class="tableinfo">Print version and exit</td>
+</tr>
+</table>
+<p>
+The format specifiers for the <span class="code" dir="ltr">-F</span> option are given in the following table.
+Prefix each specifier with <span class="code" dir="ltr">%</span> (verbose) or <span class="code" dir="ltr">#</span> (silent) accordingly.
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Specifier</b></td>
+ <td class="infohead"><b>Full Name</b></td>
+ <td class="infohead"><b>Specifier</b></td>
+ <td class="infohead"><b>Full Name</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">F</td>
+ <td class="tableinfo">Filename</td>
+ <td class="tableinfo">x</td>
+ <td class="tableinfo">PaX Flags</td>
+</tr>
+<tr>
+ <td class="tableinfo">e</td>
+ <td class="tableinfo">STACK/RELRO</td>
+ <td class="tableinfo">t</td>
+ <td class="tableinfo">TEXTREL</td>
+</tr>
+<tr>
+ <td class="tableinfo">r</td>
+ <td class="tableinfo">RPATH</td>
+ <td class="tableinfo">n</td>
+ <td class="tableinfo">NEEDED</td>
+</tr>
+<tr>
+ <td class="tableinfo">i</td>
+ <td class="tableinfo">INTERP</td>
+ <td class="tableinfo">b</td>
+ <td class="tableinfo">BIND</td>
+</tr>
+<tr>
+ <td class="tableinfo">s</td>
+ <td class="tableinfo">Symbol</td>
+ <td class="tableinfo">N</td>
+ <td class="tableinfo">Library</td>
+</tr>
+<tr>
+ <td class="tableinfo">o</td>
+ <td class="tableinfo">Type</td>
+ <td class="tableinfo">p</td>
+ <td class="tableinfo">File name</td>
+</tr>
+<tr>
+ <td class="tableinfo">f</td>
+ <td class="tableinfo">Base file name</td>
+ <td class="tableinfo">k</td>
+ <td class="tableinfo">Section</td>
+</tr>
+<tr>
+ <td class="tableinfo">a</td>
+ <td class="tableinfo">ARCH/e_machine</td>
+ <td class="tableinfo"></td>
+ <td class="tableinfo"></td>
+</tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect2">Using scanelf for Text Relocations</a></p>
+<p>
+As an example, we will use <span class="code" dir="ltr">scanelf</span> to find binaries containing text
+relocations.
+</p>
+<p>
+A relocation is an operation that rewrites an address in a loaded segment. Such
+an address rewrite can happen when a segment has references to a shared object
+and that shared object is loaded in memory. In this case, the references are
+substituted with the real address values. Similar events can occur inside the
+shared object itself.
+</p>
+<p>
+A text relocation is a relocation in the text segment. Since text segments
+contain executable code, system administrators might prefer not to have these
+segments writable. This is perfectly possible, but since text relocations
+actually write in the text segment, it is not always feasible.
+</p>
+<p>
+If you want to eliminate text relocations, you will need to make sure
+that the application and shared object is built with <span class="emphasis">Position Independent
+Code</span> (PIC), making references obsolete. This not only increases security,
+but also increases the performance in case of shared objects (allowing writes in
+the text segment requires a swap space reservation and a private copy of the
+shared object for each application that uses it).
+</p>
+<p>
+The following example will search your library paths recursively, without
+leaving the mounted file system and ignoring symbolic links, for any ELF binary
+containing a text relocation:
+</p>
+<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Scanning the system for text relocation binaries</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -lqtmyR</span>
+</pre></td></tr>
+</table>
+<p>
+If you want to scan your entire system for <span class="emphasis">any</span> file containing text
+relocations:
+</p>
+<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Scanning the entire system for text relocation files</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -qtmyR /</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect3">Using scanelf for Specific Header</a></p>
+<p>
+The scanelf util can be used to quickly identify files that contain a
+given section header using the -k .section option.
+</p>
+<p>
+In this example we are looking for all files in /usr/lib/debug
+recursively using a format modifier with quiet mode enabled that have been
+stripped. A stripped elf will lack a .symtab entry, so we use the '!'
+to invert the matching logic.
+</p>
+<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Scanning for stripped or non stripped executables</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect4">Using scanelf for Specific Segment Markings</a></p>
+<p>
+Each segment has specific flags assigned to it in the Program Header of the
+binary. One of those flags is the type of the segment. Interesting values are
+PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
+segment contains dynamic linking information), PT_INTERP (the segment
+contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
+for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
+(a PaX extension for the ELF format, used by the security-minded
+<a href="http://pax.grsecurity.net/">PaX Project</a>.
+</p>
+<p>
+If we want to scan all executables in the current working directory, PATH
+environment and library paths and report those who have a writable and
+executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
+</p>
+<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -lpqe .</span>
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap2_sect5">Using scanelf's Format Modifier Handler</a></p>
+<p>
+A useful feature of the <span class="code" dir="ltr">scanelf</span> utility is the format modifier handler.
+With this option you can control the output of <span class="code" dir="ltr">scanelf</span>, thereby
+simplifying parsing the output with scripts.
+</p>
+<p>
+As an example, we will use <span class="code" dir="ltr">scanelf</span> to print the file names that contain
+text relocations:
+</p>
+<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Example of the scanelf format modifier handler</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">scanelf -l -p -R -q -F "%F #t"</span>
+</pre></td></tr>
+</table>
+<p class="chaphead"><a name="pspax"></a><a name="doc_chap3"></a><span class="chapnum">3.
+ </span>Listing PaX Flags and Capabilities</p>
+<p class="secthead"><a name="doc_chap3_sect1">About PaX</a></p>
+<p>
+<a href="http://pax.grsecurity.net">PaX</a> is a project hosted by the <a href="http://www.grsecurity.net">grsecurity</a> project. Quoting the <a href="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</a>, its main
+goal is "to research various defense mechanisms against the exploitation of
+software bugs that give an attacker arbitrary read/write access to the
+attacked task's address space. This class of bugs contains among others
+various forms of buffer overflow bugs (be they stack or heap based), user
+supplied format string bugs, etc."
+</p>
+<p>
+To be able to benefit from these defense mechanisms, you need to run a Linux
+kernel patched with the latest PaX code. The <a href="http://hardened.gentoo.org">Hardened Gentoo</a> project supports PaX and
+its parent project, grsecurity. The supported kernel package is
+<span class="code" dir="ltr">sys-kernel/hardened-sources</span>.
+</p>
+<p>
+The Gentoo/Hardened project has a <a href="pax-quickstart.html">Gentoo PaX Quickstart Guide</a>
+for your reading pleasure.
+</p>
+<p class="secthead"><a name="doc_chap3_sect2">Flags and Capabilities</a></p>
+<p>
+If your toolchain supports it, your binaries can have additional PaX flags in
+their Program Header. The following flags are supported:
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Flag</b></td>
+ <td class="infohead"><b>Name</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">P</td>
+ <td class="tableinfo">PAGEEXEC</td>
+ <td class="tableinfo">
+ Refuse code execution on writable pages based on the NX bit
+ (or emulated NX bit)
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">S</td>
+ <td class="tableinfo">SEGMEXEC</td>
+ <td class="tableinfo">
+ Refuse code execution on writable pages based on the
+ segmentation logic of IA-32
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">E</td>
+ <td class="tableinfo">EMUTRAMP</td>
+ <td class="tableinfo">
+ Allow known code execution sequences on writable pages that
+ should not cause any harm
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">M</td>
+ <td class="tableinfo">MPROTECT</td>
+ <td class="tableinfo">
+ Prevent the creation of new executable code to the process
+ address space
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">R</td>
+ <td class="tableinfo">RANDMMAP</td>
+ <td class="tableinfo">
+ Randomize the stack base to prevent certain stack overflow
+ attacks from being successful
+ </td>
+</tr>
+<tr>
+ <td class="tableinfo">X</td>
+ <td class="tableinfo">RANDEXEC</td>
+ <td class="tableinfo">
+ Randomize the address where the application maps to prevent
+ certain attacks from being exploitable
+ </td>
+</tr>
+</table>
+<p>
+The default Linux kernel also supports certain capabilities, grouped in the
+so-called <span class="emphasis">POSIX.1e Capabilities</span>. You can find a listing of those
+capabilities in our <a href="capabilities.html">POSIX Capabilities</a> document.
+</p>
+<p class="secthead"><a name="doc_chap3_sect3">Using pspax</a></p>
+<p>
+The <span class="code" dir="ltr">pspax</span> application, part of the <span class="code" dir="ltr">pax-utils</span> package, displays the
+run-time capabilities of all programs you have permission for. On Linux kernels
+with additional support for extended attributes (such as SELinux) those
+attributes are shown as well.
+</p>
+<p>
+When ran, <span class="code" dir="ltr">pspax</span> shows the following information:
+</p>
+<table class="ntable">
+<tr>
+ <td class="infohead"><b>Column</b></td>
+ <td class="infohead"><b>Description</b></td>
+</tr>
+<tr>
+ <td class="tableinfo">USER</td>
+ <td class="tableinfo">Owner of the process</td>
+</tr>
+<tr>
+ <td class="tableinfo">PID</td>
+ <td class="tableinfo">Process id</td>
+</tr>
+<tr>
+ <td class="tableinfo">PAX</td>
+ <td class="tableinfo">Run-time PaX flags (if applicable)</td>
+</tr>
+<tr>
+ <td class="tableinfo">MAPS</td>
+ <td class="tableinfo">Write/eXecute markings for the process map</td>
+</tr>
+<tr>
+ <td class="tableinfo">ELF_TYPE</td>
+ <td class="tableinfo">Process executable type: ET_DYN or ET_EXEC</td>
+</tr>
+<tr>
+ <td class="tableinfo">NAME</td>
+ <td class="tableinfo">Name of the process</td>
+</tr>
+<tr>
+ <td class="tableinfo">CAPS</td>
+ <td class="tableinfo">POSIX.1e capabilities (see note)</td>
+</tr>
+<tr>
+ <td class="tableinfo">ATTR</td>
+ <td class="tableinfo">Extended attributes (if applicable)</td>
+</tr>
+</table>
+<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
+<span class="code" dir="ltr">pspax</span> only displays these capabilities when it is linked with
+the external capabilities library. This requires you to build <span class="code" dir="ltr">pax-utils</span>
+with -DWANT_SYSCAP.
+</p></td></tr></table>
+<p>
+By default, <span class="code" dir="ltr">pspax</span> does not show any kernel processes. If you want those
+to be taken as well, use the <span class="code" dir="ltr">-a</span> switch.
+</p>
+<p class="chaphead"><a name="dumpelf"></a><a name="doc_chap4"></a><span class="chapnum">4.
+ </span>Programming with ELF files</p>
+<p class="secthead"><a name="doc_chap4_sect1">The dumpelf Utility</a></p>
+<p>
+With the <span class="code" dir="ltr">dumpelf</span> utility you can convert a ELF file into human readable C
+code that defines a structure with the same image as the original ELF file.
+</p>
+<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: dumpelf example</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+$ <span class="code-input">dumpelf /bin/hostname</span>
+#include &lt;elf.h&gt;
+
+<span class="code-comment">/*
+ * ELF dump of '/bin/hostname'
+ * 10276 (0x2824) bytes
+ */</span>
+
+struct {
+ Elf32_Ehdr ehdr;
+ Elf32_Phdr phdrs[8];
+ Elf32_Shdr shdrs[26];
+} dumpedelf_0 = {
+
+.ehdr = {
+<span class="code-comment">(... Output stripped ...)</span>
+</pre></td></tr>
+</table>
+<br><p class="copyright">
+ The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="klondike?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated February 19, 2012</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+This guide provides an introduction to revdep-pax and how to use it to propagate
+the PaC markings caused by libraries requiring them, for example, libraries
+requiring RWX memory in order to process JIT code.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:klondike@gentoo.org" class="altlink"><b>Francisco Blas Izquierdo Riera</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="http://www.gentoo.org/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
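Review bot: the sidebar summary at the end of the new html/revdep-pax.html says "PaC markings", which should read "PaX markings". The same summary describes a revdep-pax guide while the chapters visible here (2 to 4) cover scanelf, pspax and dumpelf, so please confirm the right body was generated for this file. The Print link in that sidebar points at "klondike?style=printable", which looks like an author handle where the document path should be. In the body, the PT_PAX_FLAGS sentence opens a parenthesis before "a PaX extension" that is never closed. The RANDMMAP row is described as randomizing the stack base, so the Name/Description pairing deserves a check. The RDF comment opens with <license but closes with </License>.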
diff --git a/html/roadmap.html b/html/roadmap.html
index f645ca8..17be1a3 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -279,7 +279,7 @@ of the packages and standard policies.
<tr>
<td class="tableinfo">Deprecate old profiles</td>
<td class="tableinfo">2011-12-01</td>
- <td class="tableinfo"></td>
+ <td class="tableinfo">done</td>
<td class="tableinfo">blueness</td>
<td class="tableinfo"></td>
</tr>
@@ -290,12 +290,19 @@ of the packages and standard policies.
<td class="tableinfo">SwifT</td>
<td class="tableinfo"></td>
</tr>
+<tr>
+ <td class="tableinfo">Have SELinux-enabled stage3 available on the mirrors</td>
+ <td class="tableinfo">2012-01-31</td>
+ <td class="tableinfo"></td>
+ <td class="tableinfo"></td>
+ <td class="tableinfo"></td>
+</tr>
</table>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated August 24, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated December 10, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
A roadmap that plots current needs and goals of the
Hardened Gentoo project.
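Review bot: the added roadmap row "Have SELinux-enabled stage3 available on the mirrors" has a target date of 2012-01-31 but empty status and owner cells, while the neighbouring rows name an owner (blueness, SwifT). Please fill in the owner, or mark the status, so the row does not read as an unassigned item with a date attached.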
@@ -336,7 +343,7 @@ Hardened Gentoo project.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/rsbac/index.html b/html/rsbac/index.html
index d0c4886..9c4601e 100644
--- a/html/rsbac/index.html
+++ b/html/rsbac/index.html
@@ -158,7 +158,7 @@ The required tool for the policies is still being developped.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/rsbac/intro.html b/html/rsbac/intro.html
index b7ae327..04b00cd 100644
--- a/html/rsbac/intro.html
+++ b/html/rsbac/intro.html
@@ -72,7 +72,9 @@ ITSEC funtional criteria, extended by two privacy goals. </p>
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
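Review bot: the opening RDF element is renamed from <License to <license here, but the closing tag lies outside the hunk context and is not touched by this change. Element names are case-sensitive in XML, so the closing tag needs the same rename or the embedded licence block stops being well-formed for anything that parses it. The same edit recurs in the other rsbac and selinux pages of this commit, so a fix in the generating stylesheet would cover them all.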
@@ -85,7 +87,7 @@ ITSEC funtional criteria, extended by two privacy goals. </p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="intro.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2004</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated June 2, 2004</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> This document should introduce you to the RSBAC
access control system. </p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
@@ -106,7 +108,7 @@ access control system. </p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/rsbac/overview.html b/html/rsbac/overview.html
index e04a343..b2092ae 100644
--- a/html/rsbac/overview.html
+++ b/html/rsbac/overview.html
@@ -183,7 +183,9 @@ Orange Book (TCSEC) B1 level.
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -196,7 +198,7 @@ Orange Book (TCSEC) B1 level.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="overview.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 11, 2005</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated October 11, 2005</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This document should give you an overview of RSBAC access control system.
</p></td></tr>
@@ -218,7 +220,7 @@ This document should give you an overview of RSBAC access control system.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/rsbac/quickstart.html b/html/rsbac/quickstart.html
index f04955a..ddcc9fd 100644
--- a/html/rsbac/quickstart.html
+++ b/html/rsbac/quickstart.html
@@ -314,7 +314,9 @@ Please also check the <a href="hardenedfaq.html">hardened FAQ</a> as your questi
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -327,7 +329,7 @@ Please also check the <a href="hardenedfaq.html">hardened FAQ</a> as your questi
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="rsbac/quickstart.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 27, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated November 27, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>This document will guide you through the installation of the
RSBAC on Gentoo Linux</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
@@ -346,7 +348,7 @@ RSBAC on Gentoo Linux</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/rsbac/transition.html b/html/rsbac/transition.html
index 0d5395e..869b9b5 100644
--- a/html/rsbac/transition.html
+++ b/html/rsbac/transition.html
@@ -53,7 +53,9 @@ Transition from rsbac-sources to hardened-sources </h1>
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -66,7 +68,7 @@ Transition from rsbac-sources to hardened-sources </h1>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="transition.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated February 15, 2006</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated February 15, 2006</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> This document will help you transioning from
rsbac-sources to hardened-sources </p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
@@ -83,7 +85,7 @@ rsbac-sources to hardened-sources </p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux-bugreporting.html b/html/selinux-bugreporting.html
index 872a5e6..78fd4f0 100644
--- a/html/selinux-bugreporting.html
+++ b/html/selinux-bugreporting.html
@@ -124,12 +124,15 @@ SELinux</a> section that helps you identify common bottlenecks or issues while
trying to get SELinux running on your system.
</p>
<br><p class="copyright">
- The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
+ The contents of this document, unless otherwise expressly stated, are
+ licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0">CC-BY-SA-3.0</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
</p>
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/3.0/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
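Review bot: this page moves to CC-BY-SA-3.0 in both the visible licence link and the RDF "about" attribute, while the other pages touched in this commit stay on 2.5, and the RDF element keeps its capitalised <License spelling here where the others are lowercased. Please confirm the licence change is intended for this page only, and settle on one casing for the RDF element across the generated pages.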
@@ -142,7 +145,7 @@ trying to get SELinux running on your system.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="swift?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 22, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated November 22, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This guide helps users to create a properly filled out bug report for SELinux
policy updates.
@@ -161,7 +164,7 @@ policy updates.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux-development.html b/html/selinux-development.html
index c56971c..c54b522 100644
--- a/html/selinux-development.html
+++ b/html/selinux-development.html
@@ -1232,7 +1232,9 @@ it out.
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -1245,7 +1247,7 @@ it out.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-development.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 22, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated November 22, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
When planning to help Gentoo Hardened in the development of SELinux policies,
or when trying to debug existing policies, this document should help you get
@@ -1265,7 +1267,7 @@ acquainted with the necessary resources, trips and tricks to get along.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index caa4c46..41695b4 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -77,6 +77,8 @@ FAILED (crontabs/root)'</a></li>
<li><a href="#missingdatum">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></li>
<li><a href="#recoverportage">Portage fails to label files because "setfiles" does not work anymore</a></li>
<li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li>
+<li><a href="#auth-run_init">Why do I always need to re-authenticate when operating init scripts?</a></li>
+<li><a href="#initramfs">How do I use SELinux with initramfs?</a></li>
</ul>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
</span>General SELinux Support Questions</p>
@@ -434,19 +436,13 @@ FEATURES variable contains unknown value(s): loadpolicy
</table>
<p>
This is a remnant of the older SELinux policy module set where policy packages
-might require this FEATURE to be available. Although the more recent packages
-do not support this FEATURE value anymore, these are still in the ~arch phase
-so the current SELinux profile still offers this value. Portage however already
-knows that this FEATURE is not supported anymore and complains.
+might require this FEATURE to be available. This has however since long been
+removed from the tree.
</p>
<p>
-We recommend you to use the ~arch versions of all packages in the sec-policy
-category, and set <span class="code" dir="ltr">FEATURES="-loadpolicy"</span> to disable this (cosmetic)
-error.
-</p>
-<p>
-Once the newer policy modules are stabilized, the SELinux profile will be updated
-to remove this setting.
+Please update your profile to a recent SELinux profile (one ending with
+<span class="path" dir="ltr">/selinux</span>) and make sure that <span class="path" dir="ltr">/etc/make.conf</span> does not
+have <span class="code" dir="ltr">FEATURES="loadpolicy"</span> set.
</p>
<p class="secthead"><a name="conflicting_types"></a><a name="doc_chap5_sect3">During rlpkg I get 'conflicting specifications for ... and ..., using ...'</a></p>
<p>
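Review bot: in the rewritten loadpolicy answer, "This has however since long been removed from the tree" is awkward; "It has long since been removed from the tree" reads better. The answer also no longer says that the message is cosmetic, which the removed text did; if that is still true, keeping one sentence to that effect would save readers from treating it as a build failure.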
@@ -684,11 +680,59 @@ So, a <span class="code" dir="ltr">passwd</span> binary, although correctly labe
will not transition into the <span class="emphasis">passwd_t</span> domain if the binary is stored on a
file system mounted with <span class="code" dir="ltr">nosuid</span>.
</p>
+<p class="secthead"><a name="auth-run_init"></a><a name="doc_chap5_sect10">Why do I always need to re-authenticate when operating init scripts?</a></p>
+<p>
+When you, as an administrator, wants to launch or stop daemons, these activities
+need to be done as <span class="code" dir="ltr">system_u:system_r</span>. Switching to this context set is a
+highly privileged operation (since you are effectively leaving the user context
+and entering a system context) and hence the default setup requires the user to
+re-authenticate.
+</p>
+<p>
+You can ask not to re-authenticate if you use PAM by editing
+<span class="path" dir="ltr">/etc/pam.d/run_init</span> and adding the following line on top:
+</p>
+<a name="doc_chap5_pre15"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.15: Setup run_init pam configuration to allow root not to re-authenticate</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+auth sufficient pam_rootok.so
+</pre></td></tr>
+</table>
+<p>
+With this in place, you can now prepend your init script activities with
+<span class="code" dir="ltr">run_init</span> and it will not ask for your password anymore:
+</p>
+<a name="doc_chap5_pre16"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.16: Using run_init</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">run_init rc-service local status</span>
+Authenticating swift.
+ * status: started
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="initramfs"></a><a name="doc_chap5_sect11">How do I use SELinux with initramfs?</a></p>
+<p>
+We currently do not support booting in enforcing mode with an initramfs image
+(but we are working on it). For the time being, boot in permissive mode. Once
+booted, switch to enforcing mode (<span class="code" dir="ltr">setenforce 1</span>).
+</p>
+<p>
+If you run SELinux on a production system and would not like to have attackers
+be able to switch back to permissive mode (even when they would have the
+necessary privileges otherwise), set the <span class="code" dir="ltr">secure_mode_policyload</span> boolean.
+When enabled, enforcing mode cannot be disabled anymore (until you reboot).
+</p>
+<a name="doc_chap5_pre17"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.17: Toggling secure_mode_policyload</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+# <span class="code-input">setsebool secure_mode_policyload on</span>
+</pre></td></tr>
+</table>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 25, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated February 26, 2012</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
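Review bot: in the new run_init answer, putting "auth sufficient pam_rootok.so" at the top of /etc/pam.d/run_init removes the re-authentication step that the preceding paragraph justifies as guarding a highly privileged switch into system_u:system_r. The answer should state what is given up (any process already running as root can use run_init without a password) so the reader can decide. Listing 5.16 still prints "Authenticating swift.", which sits oddly next to "it will not ask for your password anymore"; a sentence explaining that line would help. In the initramfs answer, spell out the order: setenforce 1 first, then Listing 5.17. It is also worth noting that setsebool without -P does not persist, which is what "until you reboot" relies on. Finally, "When you, as an administrator, wants" should be "want".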
@@ -710,7 +754,7 @@ elsewhere
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux-policy.html b/html/selinux-policy.html
index 88d2d70..e500375 100644
--- a/html/selinux-policy.html
+++ b/html/selinux-policy.html
@@ -182,7 +182,9 @@ of the packages clean.
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
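Review bot: The rename of the License element to lowercase "license" in the commented RDF block, together with the two whitespace-only lines added around it, looks like an unintended side effect of regenerating the HTML. XML element names are case sensitive, so unless the closing tag (not visible in this hunk) was renamed as well, the block no longer balances for anything that parses the comment. Please confirm the change is wanted, and if not fix it in the generator rather than in each generated file.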
@@ -195,7 +197,7 @@ of the packages clean.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-policy.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 4, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated September 4, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Developing a set of security rules is or should always be done with a common set
of principles and rules in mind. This document explains the policy used by
@@ -215,7 +217,7 @@ Gentoo Hardened in order to consistenly develop its security policy rules.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-intro-concepts.html b/html/selinux/hb-intro-concepts.html
index c5cf801..51626aa 100644
--- a/html/selinux/hb-intro-concepts.html
+++ b/html/selinux/hb-intro-concepts.html
@@ -766,7 +766,7 @@ we'll configure and tune the SELinux policy to our needs.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated July 21, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated July 21, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -778,7 +778,7 @@ we'll configure and tune the SELinux policy to our needs.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-intro-enhancingsecurity.html b/html/selinux/hb-intro-enhancingsecurity.html
index 1f39ee7..09b8c12 100644
--- a/html/selinux/hb-intro-enhancingsecurity.html
+++ b/html/selinux/hb-intro-enhancingsecurity.html
@@ -201,7 +201,7 @@ run and manage a SELinux hardened Gentoo system.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 25, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated May 25, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -213,7 +213,7 @@ run and manage a SELinux hardened Gentoo system.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-intro-referencepolicy.html b/html/selinux/hb-intro-referencepolicy.html
index 3adc3f9..acfd4b9 100644
--- a/html/selinux/hb-intro-referencepolicy.html
+++ b/html/selinux/hb-intro-referencepolicy.html
@@ -224,7 +224,7 @@ following is an overview of the policy versions' history.
</dl>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated June 2, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -236,7 +236,7 @@ following is an overview of the policy versions' history.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-intro-resources.html b/html/selinux/hb-intro-resources.html
index 3f27720..ff88fae 100644
--- a/html/selinux/hb-intro-resources.html
+++ b/html/selinux/hb-intro-resources.html
@@ -79,7 +79,7 @@ implementation.
</ul>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated May 31, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated May 31, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -91,7 +91,7 @@ implementation.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-intro-virtualization.html b/html/selinux/hb-intro-virtualization.html
index 0095084..46ffa48 100644
--- a/html/selinux/hb-intro-virtualization.html
+++ b/html/selinux/hb-intro-virtualization.html
@@ -24,7 +24,7 @@ This is a place-holder for future expansion.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated December 1, 2010</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated December 1, 2010</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -36,7 +36,7 @@ This is a place-holder for future expansion.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-using-commands.html b/html/selinux/hb-using-commands.html
index dfbe3b3..468df7a 100644
--- a/html/selinux/hb-using-commands.html
+++ b/html/selinux/hb-using-commands.html
@@ -434,7 +434,7 @@ require you to enter the regular users' password.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 15, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -446,7 +446,7 @@ require you to enter the regular users' password.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-using-configuring.html b/html/selinux/hb-using-configuring.html
index 05bd80b..d583184 100644
--- a/html/selinux/hb-using-configuring.html
+++ b/html/selinux/hb-using-configuring.html
@@ -901,7 +901,7 @@ by Portage. Instead, you will need to remove the module manually:
</table>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 30, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated September 30, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -913,7 +913,7 @@ by Portage. Instead, you will need to remove the module manually:
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index fb5eb85..fc61177 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -18,20 +18,20 @@
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
- </span>Installing Gentoo Hardened</p>
+ </span>Installing Gentoo (Hardened)</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
-Getting a Gentoo Hardened SELinux installation doesn't require weird actions.
+Getting a SELinux-powered Gentoo installation doesn't require weird actions.
What you need to do is install Gentoo Linux with the correct profile, correct
kernel configuration and some file system relabelling. We seriously recommend to
use SELinux together with other hardening improvements (such as PaX /
grSecurity).
</p>
<p>
-This chapter will describe the steps to install Gentoo Hardened with SELinux. We
+This chapter will describe the steps to install Gentoo with SELinux. We
assume that you have an existing Gentoo Linux system which you want to convert
-to Gentoo Hardened with SELinux. If this is not the case, you should still read
-on: you can install Gentoo Hardened with SELinux immediately if you make the
+to Gentoo with SELinux. If this is not the case, you should still read
+on: you can install Gentoo with SELinux immediately if you make the
correct decisions during the installation process, based on the information in
this chapter.
</p>
@@ -90,10 +90,10 @@ tmpfs /tmp tmpfs defaults,noexec,nosuid<span class="code-input">,rootcontext=
<p class="secthead"><a name="doc_chap1_sect1">Change the Gentoo Profile</a></p>
<p>
Now that you have a running Gentoo Linux installation, switch the Gentoo profile
-to the right SELinux hardened profile (for instance,
+to the right SELinux profile (for instance,
<span class="path" dir="ltr">hardened/linux/amd64/no-multilib/selinux</span>). Note that the older
-profiles (like <span class="path" dir="ltr">selinux/v2refpolicy/amd64/hardened</span>) are still
-supported though.
+profiles (like <span class="path" dir="ltr">selinux/v2refpolicy/amd64/hardened</span>) are not
+supported anymore.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching the Gentoo profile</p></td></tr>
@@ -101,25 +101,19 @@ supported though.
~# <span class="code-input">eselect profile list</span>
Available profile symlink targets:
[1] default/linux/amd64/10.0
- [2] default/linux/amd64/10.0/desktop
- [3] default/linux/amd64/10.0/desktop/gnome
- [4] default/linux/amd64/10.0/desktop/kde
- [5] default/linux/amd64/10.0/developer
- [6] default/linux/amd64/10.0/no-multilib
- [7] default/linux/amd64/10.0/server
- [8] hardened/linux/amd64
- [9] hardened/linux/amd64/selinux
- [10] hardened/linux/amd64/no-multilib *
- [11] hardened/linux/amd64/no-multilib/selinux
- [12] selinux/2007.0/amd64
- [13] selinux/2007.0/amd64/hardened
- [14] selinux/v2refpolicy/amd64
- [15] selinux/v2refpolicy/amd64/desktop
- [16] selinux/v2refpolicy/amd64/developer
- [17] selinux/v2refpolicy/amd64/hardened
- [18] selinux/v2refpolicy/amd64/server
+ [2] default/linux/amd64/10.0/selinux
+ [3] default/linux/amd64/10.0/desktop
+ [4] default/linux/amd64/10.0/desktop/gnome
+ [5] default/linux/amd64/10.0/desktop/kde
+ [6] default/linux/amd64/10.0/developer
+ [7] default/linux/amd64/10.0/no-multilib
+ [8] default/linux/amd64/10.0/server
+ [9] hardened/linux/amd64
+ [10] hardened/linux/amd64/selinux
+ [11] hardened/linux/amd64/no-multilib *
+ [12] hardened/linux/amd64/no-multilib/selinux
-~# <span class="code-input">eselect profile set 11</span>
+~# <span class="code-input">eselect profile set 12</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
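Review bot: The listing hardcodes "eselect profile set 12", and this very change had to renumber it from 11 because the new default/linux/amd64/10.0/selinux entry shifted the list. Add a sentence telling readers to use the number shown next to the SELinux profile in their own "eselect profile list" output, or show the profile being set by name, so the instruction does not go stale the next time the list changes.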
@@ -195,7 +189,9 @@ tools or configurations that apply.
<span class="path" dir="ltr">/lib/rcscripts/addons/lvm-start.sh</span> (or <span class="path" dir="ltr">/lib64/..</span>)
and <span class="path" dir="ltr">lvm-stop.sh</span> and set the config location from
<span class="path" dir="ltr">/dev/.lvm</span> to <span class="path" dir="ltr">/etc/lvm/lock</span>. Next, create the
- <span class="path" dir="ltr">/etc/lvm/lock</span> directory.
+ <span class="path" dir="ltr">/etc/lvm/lock</span> directory. Finally, add
+ <span class="path" dir="ltr">/lib(64)/rcscripts/addons</span> to <span class="code" dir="ltr">CONFIG_PROTECT</span> in your
+ <span class="path" dir="ltr">make.conf</span> file.
</li>
<li>
Check if you have <span class="path" dir="ltr">*.old</span> files in <span class="path" dir="ltr">/bin</span>. If you do,
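Review bot: "/lib(64)/rcscripts/addons" in the added CONFIG_PROTECT sentence is marked up as a path but is not a literal one, so a reader who copies it into make.conf as written protects nothing. Spell out /lib/rcscripts/addons and /lib64/rcscripts/addons, as the start of the same list item does for the lvm-start.sh location, or add a short make.conf listing showing the resulting CONFIG_PROTECT line.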
@@ -362,7 +358,9 @@ it yet).
Next, rebuild those packages affected by the profile change we did previously
through a standard world update, taking into account USE-flag changes (as the
new profile will change many default USE flags, including enabling the
-<span class="code" dir="ltr">selinux</span> USE flag).
+<span class="code" dir="ltr">selinux</span> USE flag). Don't forget to use <span class="code" dir="ltr">etc-update</span> or
+<span class="code" dir="ltr">dispatch-conf</span> afterwards as some changes to configuration files need to
+be made.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Update your Gentoo Linux system</p></td></tr>
@@ -473,7 +471,7 @@ running, most of them in the same security domain, but in different categories.
<p>
Finally, you can also select <span class="code" dir="ltr">mls</span> to differentiate security domains on
a sensitivity level. However, MLS is currently still considered experimental
-in Gentoo Hardened and as such not recommended.
+in Gentoo and as such not recommended.
</p>
<p>
When you have made your choice between the SELinux policy types, save
@@ -487,7 +485,7 @@ only install the policy modules for that SELinux type.
POLICY_TYPES="<span class="code-input">strict</span>"
</pre></td></tr>
</table>
-<p class="secthead"><a name="doc_chap1_sect1">Label the File System</a></p>
+<p class="secthead"><a name="doc_chap1_sect1">Reboot, and Label the File System</a></p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
Repeat these steps every time you have rebooted from a non-SELinux enabled
kernel into a SELinux enabled kernel, as running with a non-SELinux enabled
@@ -495,7 +493,8 @@ kernel will not update the security attributes of the files you create or
manipulate during your day-to-day activities on your system.
</p></td></tr></table>
<p>
-First relabel your devices and openrc related files. This will apply the
+First reboot your system so that the installed policies are loaded. Now we
+need to relabel your devices and openrc related files. This will apply the
correct security contexts (labels) onto the necessary files.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
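Review bot: The added sentence "First reboot your system so that the installed policies are loaded" does not say in which mode that boot should happen, although at that point the file system has not been relabelled yet. State the expected mode for this first boot, and note that the section "Reboot and Set SELinux Booleans" further down asks for a second reboot, so readers do not assume one of the two is a leftover.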
@@ -548,9 +547,10 @@ correctly. For instance, if you have installed
</table>
<p class="secthead"><a name="doc_chap1_sect1">Reboot and Set SELinux Booleans</a></p>
<p>
-Reboot your system. Log on and, if you have indeed installed Gentoo using the
-hardened sources (as we recommended), enable the SSP SELinux boolean, allowing
-every domain read access to the <span class="path" dir="ltr">/dev/urandom</span> device:
+Reboot your system so that the newly applied file contexts are used. Log on
+and, if you have indeed installed Gentoo using the hardened sources (as we
+recommended), enable the SSP SELinux boolean, allowing every domain read
+access to the <span class="path" dir="ltr">/dev/urandom</span> device:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Enabling the global_ssp boolean</p></td></tr>
@@ -600,7 +600,7 @@ With that done, enjoy - your first steps into the SELinux world are now made.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 18, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated January 29, 2012</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -612,7 +612,7 @@ With that done, enjoy - your first steps into the SELinux world are now made.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-using-policies.html b/html/selinux/hb-using-policies.html
index a40c051..0163b42 100644
--- a/html/selinux/hb-using-policies.html
+++ b/html/selinux/hb-using-policies.html
@@ -41,7 +41,10 @@ additional SELinux policy modules. Only when the core policy (the base policy)
is not to your liking should you see on using a totally different policy.
</p>
<p>
-Let's start with a skeleton for a policy module we'll call <span class="emphasis">testmod</span>.
+Let's start with a skeleton for a policy module we'll call <span class="emphasis">testmod</span>. You
+should use simple names for the modules as the build infrastructure is quite
+sensitive to special constructs. Use only letters a-z and numbers, and never
+start a module name with a number.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Policy module skeleton</p></td></tr>
@@ -331,9 +334,14 @@ from firefox-related denials:
# <span class="code-input">semodule -i firefoxmod.pp</span>
</pre></td></tr>
</table>
+<p>
+Keep the module name (given through the <span class="code" dir="ltr">-m</span> option) simple: only use
+characters (<span class="code" dir="ltr">[a-z]</span>) and numbers (<span class="code" dir="ltr">[0-9]</span>), and start the module name
+with a character.
+</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 15, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated March 1, 2012</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -345,7 +353,7 @@ from firefox-related denials:
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-using-states.html b/html/selinux/hb-using-states.html
index 98817d2..bd2398f 100644
--- a/html/selinux/hb-using-states.html
+++ b/html/selinux/hb-using-states.html
@@ -281,7 +281,7 @@ mode back to "enforcing".
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated October 15, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
@@ -293,7 +293,7 @@ mode back to "enforcing".
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/hb-using-troubleshoot.html b/html/selinux/hb-using-troubleshoot.html
index d73d50a..983cc5a 100644
--- a/html/selinux/hb-using-troubleshoot.html
+++ b/html/selinux/hb-using-troubleshoot.html
@@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
-<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
+<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
@@ -192,9 +192,82 @@ contexts</span> that you see in the output with the next table.
</td>
</tr>
</table>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
+ </span>Unable to Emerge Anything (OSError: [Errno 22] Invalid argument)</p>
+<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p>
+<p>
+When trying to install software with Portage, you get a huge python stacktrace
+and finally the error message <span class="emphasis">OSError: [Errno 22] Invalid argument</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Stacktrace dump when portage fails to install software</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+Traceback (most recent call last):
+ File "http://www.gentoo.org/usr/bin/emerge", line 43, in &lt;module&gt;
+ retval = emerge_main()
+ File "http://www.gentoo.org/usr/lib64/portage/pym/_emerge/main.py", line 1906, in emerge_main
+ myopts, myaction, myfiles, spinner)
+ File "http://www.gentoo.org/usr/lib64/portage/pym/_emerge/actions.py", line 437, in action_build
+ retval = mergetask.merge()
+...
+ File "http://www.gentoo.org/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 104, in _doebuild_spawn
+ return spawn(cmd, settings, **kwargs)
+ File "http://www.gentoo.org/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 1255, in spawn
+ return spawn_func(mystring, env=mysettings.environ(), **keywords)
+ File "http://www.gentoo.org/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
+ setexec(con)
+ File "http://www.gentoo.org/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
+ if selinux.setexeccon(ctx) &lt; 0:
+OSError: [Errno 22] Invalid argument
+</pre></td></tr>
+</table>
+<p class="secthead"><a name="doc_chap1_sect1">Wrong Context</a></p>
+<p>
+The above error comes when you launch portage (through <span class="code" dir="ltr">emerge</span>) while you
+are not in <span class="code" dir="ltr">sysadm_t</span> context. You can verify this with <span class="code" dir="ltr">id -Z</span>:
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Checking current context</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">id -Z</span>
+system_u:system_r:local_login_t
+</pre></td></tr>
+</table>
+<p>
+As long as the context isn't <span class="code" dir="ltr">sysadm_t</span>, then Portage will break. This is
+because Portage wants to switch its execution context from <span class="code" dir="ltr">portage_t</span> to
+<span class="code" dir="ltr">portage_sandbox_t</span> but fails (it isn't in <span class="code" dir="ltr">portage_t</span> to begin with
+because the user who launched Portage isn't in <span class="code" dir="ltr">sysadm_t</span>).
+</p>
+<p>
+Please check <a href="#doc_chap2">Unable to Log On</a> above first. Also
+make sure that you can <span class="code" dir="ltr">dispatch-conf</span> or <span class="code" dir="ltr">etc-update</span> after
+installing SELinux so that <span class="path" dir="ltr">/etc/pam.d/system-login</span> is updated with
+the right <span class="path" dir="ltr">pam_selinux.so</span> calls.
+</p>
+<p class="secthead"><a name="doc_chap1_sect1">Forcing Installation</a></p>
+<p>
+If you need to force Portage to continue regardless (for instance, you were in
+the middle of a SELinux installation so cannot properly resolve such issues
+now), run the <span class="code" dir="ltr">emerge</span> command but with <span class="code" dir="ltr">FEATURES="-selinux"</span>. This
+will effectively disable Portage' SELinux integration, but allows you to
+continue installing software.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Running emerge without selinux support</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">FEATURES="-selinux" emerge -u world</span>
+</pre></td></tr>
+</table>
+<p>
+Make sure that you relabel the entire file system after using this approach!
+Portage will not label the files installed on the system correctly if you
+disable its SELinux support. To relabel the entire file system, use <span class="code" dir="ltr">rlpkg -a
+-r</span>.
+</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Updated February 24, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated December 11, 2011</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
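Review bot: Every file path in the added traceback is prefixed with "http://www.gentoo.org" (for example "http://www.gentoo.org/usr/bin/emerge"), which is not what Portage prints and looks like the HTML generator rewriting anything that starts with a slash. The same hunk numbers the new chapter "1." with the anchor doc_chap1, labels all three listings "Code Listing1.1", and links to "#doc_chap2" for a section described as "above". Please fix the path rewriting and the chapter and listing numbering in the source or stylesheet and regenerate this page before merging.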
@@ -206,7 +279,7 @@ contexts</span> that you see in the output with the next table.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/index.html b/html/selinux/index.html
index b61b1b8..60e3ac5 100644
--- a/html/selinux/index.html
+++ b/html/selinux/index.html
@@ -210,7 +210,7 @@ reassigned by the team.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/selinux/selinux-handbook.html b/html/selinux/selinux-handbook.html
index a903353..038daf2 100644
--- a/html/selinux/selinux-handbook.html
+++ b/html/selinux/selinux-handbook.html
@@ -124,7 +124,9 @@ them.
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
@@ -138,7 +140,7 @@ them.
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr>
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View all handbook in one page" class="altlink" href="pebenito@gentoo.org?full=1">View all</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated September 18, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated September 18, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This is the Gentoo SELinux Handbook.
</p></td></tr>
@@ -160,7 +162,7 @@ This is the Gentoo SELinux Handbook.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/support-state.html b/html/support-state.html
index a42568c..facf1be 100644
--- a/html/support-state.html
+++ b/html/support-state.html
@@ -235,7 +235,7 @@ reports and feedback).
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated November 17, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated November 17, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
The support state of the Gentoo Hardened project describes the supported
platforms, setups and additional requirements for each of the subprojects
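Review bot: in html/support-state.html the "Print" link in the context line above the changed row is `roadmap.xml?style=printable`, so the printer-friendly view of the support-state page opens the roadmap instead. The other pages in this commit link to their own source file (for example `toolchain-upgrade-guide.xml?style=printable`), so this one looks like a copy-over from roadmap.xml and should be fixed in the source document before the HTML is regenerated.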
@@ -255,7 +255,7 @@ involved.
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/html/toolchain-upgrade-guide.html b/html/toolchain-upgrade-guide.html
index ad0e75b..1eb72de 100644
--- a/html/toolchain-upgrade-guide.html
+++ b/html/toolchain-upgrade-guide.html
@@ -242,7 +242,9 @@ Technical Description of the Gentoo Hardened Toolchain</a></li>
<!--
<rdf:RDF xmlns="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
+ <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+
<permits rdf:resource="http://web.resource.org/cc/Reproduction" />
<permits rdf:resource="http://web.resource.org/cc/Distribution" />
<requires rdf:resource="http://web.resource.org/cc/Notice" />
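Review bot: this is the same `<License>` to `<license>` rename, with the same two added blank lines, as in html/selinux/selinux-handbook.html. The identical edit appearing in several generated files points at the stylesheet or the build step rather than at the individual pages. Fix it there and regenerate, instead of committing the lowercase tag file by file.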
@@ -255,7 +257,7 @@ Technical Description of the Gentoo Hardened Toolchain</a></li>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="toolchain-upgrade-guide.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Updated February 22, 2007</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated February 22, 2007</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Guide for upgrading from hardened gcc-3/glibc-2.3/binutils-2.16 to gcc-4/glibc-2.5/binutils-2.17.
</p></td></tr>
@@ -273,7 +275,7 @@ Guide for upgrading from hardened gcc-3/glibc-2.3/binutils-2.16 to gcc-4/glibc-2
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
-Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
+Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>
diff --git a/xml/revdep-pax.xml b/xml/revdep-pax.xml
new file mode 100644
index 0000000..ba9f822
--- /dev/null
+++ b/xml/revdep-pax.xml
@@ -0,0 +1,740 @@
+<?xml version='1.0' encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header: $ -->
+
+<guide>
+<title>Gentoo revdep-pax introduction</title>
+
+<author title="Author">
+ <mail link="klondike"/>
+</author>
+
+<abstract>
+This guide provides an introduction to revdep-pax and how to use it to propagate
+the PaC markings caused by libraries requiring them, for example, libraries
+requiring RWX memory in order to process JIT code.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
+<license/>
+
+<version>1</version>
+<date>2012-02-19</date>
+
+<chapter>
+<title>What's <c>revdep-pax</c> about?</title>
+
+<p by="Geroge Orwell">
+Since the early days of PaX it was known that all programs were equal although
+some were more equal than others and needed an environment with less
+restrictions in order to be able to run. Thus, in order to have a secure way of
+allowing system administrators and users telling the system which binaries
+needed this lessened environment the PaX marks were created.
+</p>
+
+<section>
+<title>A quick introduction to PaX markings.</title>
+<body>
+
+<p>
+There are some programs which won't be able to run in an environment with all
+the PaX features enabled, for example you may have a program which has so called
+<e>text relocations</e> or you may have a language interpreter doing JIT code
+compilation and requiring <e>RWX</e> mappings you may also have a program that
+saves data including internal pointers into an mmaped file and which needs to be
+restored in the same place no matter what. You could also be holding a security
+competition and need to disable the execution restrictions and force it to
+use fixed addresses on a particular program so it can be exploited doing a
+simple nop sled based stack overflow to get to the next level. For taking into
+account these issues binaries can be marked to force on or off some of the PaX
+features.
+</p>
+
+<p>
+Currently, the PaX features that can be lessened or enforced to allow programs
+to run are:
+</p>
+
+<dl>
+ <dt><b>PAGEEXEC</b></dt>
+ <dd>Paging based execution restrictions. This is what other OSes know as
+ <e>NX</e>.</dd>
+ <dt><b>EMUTRAMP</b></dt>
+ <dd>Trampoline emulation. Required by for amongst other things code with
+ nested functions.</dd>
+ <dt><b>MPROTECT</b></dt>
+ <dd>Prevents the introduction of new executable code in the task. This is the
+ one you are more likely to need disabling with libraries generating JIT code.
+ </dd>
+ <dt><b>RANDMMAP</b></dt>
+ <dd>Randomizes the addresses where mappings are made unless the program
+ explicitly requests one (using the MAP_FIXED flag).</dd>
+ <dt><b>RANDEXEC</b></dt>
+ <dd>This flag is currently deprecated and was used to enforce random placement
+ of the executable part of the binary.</dd>
+ <dt><b>SEGMEXEC</b></dt>
+ <dd>This flag enables segmentation based execution protection. This feature is
+ not available on the amd64 architecture so in that architecture is disables by
+ default.</dd>
+</dl>
+
+<p>
+There are various ways in which this advice to lessen the environment can be
+provided to the system, amongst others Mandatory Access Control rules, extended
+attributes and two kinds of markings on the binaries themselves, the legacy ones
+which abuse an unused field in the ELF headers and the new ones which add a new
+specific section to the ELF file with the markings.
+</p>
+
+<p>
+All this markings though are only read in the executable and not in the
+libraries linked by it to prevent some possible attacks (like libraries being
+injected via LD_PRELOAD) and because it eases a lot the implementation since the
+kernel shouldn't be aware of linking details.
+</p>
+
+<p>
+This system has a problem: if we have a binary linking to a library which
+requires, for example, trampoline emulation because it uses nested functions how
+can we make sure the binary gets the propper markings? Yeah we could add PaX
+marks to the library to state it needs trampoline emulation but still we haven't
+fixed the issue since the kernel will only read the marks on the binary being
+called. In order to solve this issue we have created <c>revdep-pax</c>.
+</p>
+
+</body>
+</section>
+<section>
+<title>What's <c>revdep-pax</c>?</title>
+<body>
+
+<p>
+<c>revdep-pax</c> is a tool that allows to check for differences in PaX markings
+between elf objects linking to libraries (for example <path>/bin/bash</path>)
+and the libraries themselves (for example <path>/lib64/libc.so.6</path>).
+</p>
+
+<p>
+<c>revdep-pax</c> is able to do this in various ways, it can check for
+differences <e>forward</e> from one binary to all the libraries it links and it
+can also check for PaX marking differences <e>backwards</e> from one library to
+all the binaries linking to it (which may include other libraries too). In a
+similar way it is possible to have all the forward and reverse mappings in the
+system checked to try finding issues.
+</p>
+
+<p>
+<c>revdep-pax</c> is also able to propagate these markings both forward to the
+libraries linked by an object and backwards to the objects linked by a library.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Using <c>revdep-pax</c></title>
+
+<p by="The Emperor">
+In order to witness the firepower of this fully ARMED and OPERATIONAL tool
+you'll first need to learn how to use it, once you are done, you'll be
+able to fire at will.
+</p>
+
+<section>
+<title>Propagating PaX marks backwards from a library to objects that link at it
+</title>
+<body>
+
+<p>
+This is going to be probably the main way in which you are going to use this
+utility. What it does is check all the libraries linked statically
+The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
+</p>
+
+<table>
+<tr>
+ <th>Option</th>
+ <th>Long Option</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>-p</ti>
+ <ti>--path</ti>
+ <ti>Scan all directories in PATH environment</ti>
+</tr>
+<tr>
+ <ti>-l</ti>
+ <ti>--ldpath</ti>
+ <ti>Scan all directories in /etc/ld.so.conf</ti>
+</tr>
+<tr>
+ <ti>-R</ti>
+ <ti>--recursive</ti>
+ <ti>Scan directories recursively</ti>
+</tr>
+<tr>
+ <ti>-m</ti>
+ <ti>--mount</ti>
+ <ti>Don't recursively cross mount points</ti>
+</tr>
+<tr>
+ <ti>-y</ti>
+ <ti>--symlink</ti>
+ <ti>Don't scan symlinks</ti>
+</tr>
+<tr>
+ <ti>-A</ti>
+ <ti>--archives</ti>
+ <ti>Scan archives (.a files)</ti>
+</tr>
+<tr>
+ <ti>-L</ti>
+ <ti>--ldcache</ti>
+ <ti>Utilize ld.so.cache information (use with -r/-n)</ti>
+</tr>
+<tr>
+ <ti>-X</ti>
+ <ti>--fix</ti>
+ <ti>Try and 'fix' bad things (use with -r/-e)</ti>
+</tr>
+<tr>
+ <ti>-z [arg]</ti>
+ <ti>--setpax [arg]</ti>
+ <ti>Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</ti>
+</tr>
+<tr>
+ <th>Option</th>
+ <th>Long Option</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>-x</ti>
+ <ti>--pax</ti>
+ <ti>Print PaX markings</ti>
+</tr>
+<tr>
+ <ti>-e</ti>
+ <ti>--header</ti>
+ <ti>Print GNU_STACK/PT_LOAD markings</ti>
+</tr>
+<tr>
+ <ti>-t</ti>
+ <ti>--textrel</ti>
+ <ti>Print TEXTREL information</ti>
+</tr>
+<tr>
+ <ti>-r</ti>
+ <ti>--rpath</ti>
+ <ti>Print RPATH information</ti>
+</tr>
+<tr>
+ <ti>-n</ti>
+ <ti>--needed</ti>
+ <ti>Print NEEDED information</ti>
+</tr>
+<tr>
+ <ti>-i</ti>
+ <ti>--interp</ti>
+ <ti>Print INTERP information</ti>
+</tr>
+<tr>
+ <ti>-b</ti>
+ <ti>--bind</ti>
+ <ti>Print BIND information</ti>
+</tr>
+<tr>
+ <ti>-S</ti>
+ <ti>--soname</ti>
+ <ti>Print SONAME information</ti>
+</tr>
+<tr>
+ <ti>-s [arg]</ti>
+ <ti>--symbol [arg]</ti>
+ <ti>Find a specified symbol</ti>
+</tr>
+<tr>
+ <ti>-k [arg]</ti>
+ <ti>--section [arg]</ti>
+ <ti>Find a specified section</ti>
+</tr>
+<tr>
+ <ti>-N [arg]</ti>
+ <ti>--lib [arg]</ti>
+ <ti>Find a specified library</ti>
+</tr>
+<tr>
+ <ti>-g</ti>
+ <ti>--gmatch</ti>
+ <ti>Use strncmp to match libraries. (use with -N)</ti>
+</tr>
+<tr>
+ <ti>-T</ti>
+ <ti>--textrels</ti>
+ <ti>Locate cause of TEXTREL</ti>
+</tr>
+<tr>
+ <ti>-E [arg]</ti>
+ <ti>--etype [arg]</ti>
+ <ti>Print only ELF files matching etype ET_DYN,ET_EXEC ...</ti>
+</tr>
+<tr>
+ <ti>-M [arg]</ti>
+ <ti>--bits [arg]</ti>
+ <ti>Print only ELF files matching numeric bits</ti>
+</tr>
+<tr>
+ <ti>-a</ti>
+ <ti>--all</ti>
+ <ti>Print all scanned info (-x -e -t -r -b)</ti>
+</tr>
+<tr>
+ <th>Option</th>
+ <th>Long Option</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>-q</ti>
+ <ti>--quiet</ti>
+ <ti>Only output 'bad' things</ti>
+</tr>
+<tr>
+ <ti>-v</ti>
+ <ti>--verbose</ti>
+ <ti>Be verbose (can be specified more than once)</ti>
+</tr>
+<tr>
+ <ti>-F [arg]</ti>
+ <ti>--format [arg]</ti>
+ <ti>Use specified format for output</ti>
+</tr>
+<tr>
+ <ti>-f [arg]</ti>
+ <ti>--from [arg]</ti>
+ <ti>Read input stream from a filename</ti>
+</tr>
+<tr>
+ <ti>-o [arg]</ti>
+ <ti>--file [arg]</ti>
+ <ti>Write output stream to a filename</ti>
+</tr>
+<tr>
+ <ti>-B</ti>
+ <ti>--nobanner</ti>
+ <ti>Don't display the header</ti>
+</tr>
+<tr>
+ <ti>-h</ti>
+ <ti>--help</ti>
+ <ti>Print this help and exit</ti>
+</tr>
+<tr>
+ <ti>-V</ti>
+ <ti>--version</ti>
+ <ti>Print version and exit</ti>
+</tr>
+</table>
+
+<p>
+The format specifiers for the <c>-F</c> option are given in the following table.
+Prefix each specifier with <c>%</c> (verbose) or <c>#</c> (silent) accordingly.
+</p>
+
+<table>
+<tr>
+ <th>Specifier</th>
+ <th>Full Name</th>
+ <th>Specifier</th>
+ <th>Full Name</th>
+</tr>
+<tr>
+ <ti>F</ti>
+ <ti>Filename</ti>
+ <ti>x</ti>
+ <ti>PaX Flags</ti>
+</tr>
+<tr>
+ <ti>e</ti>
+ <ti>STACK/RELRO</ti>
+ <ti>t</ti>
+ <ti>TEXTREL</ti>
+</tr>
+<tr>
+ <ti>r</ti>
+ <ti>RPATH</ti>
+ <ti>n</ti>
+ <ti>NEEDED</ti>
+</tr>
+<tr>
+ <ti>i</ti>
+ <ti>INTERP</ti>
+ <ti>b</ti>
+ <ti>BIND</ti>
+</tr>
+<tr>
+ <ti>s</ti>
+ <ti>Symbol</ti>
+ <ti>N</ti>
+ <ti>Library</ti>
+</tr>
+<tr>
+ <ti>o</ti>
+ <ti>Type</ti>
+ <ti>p</ti>
+ <ti>File name</ti>
+</tr>
+<tr>
+ <ti>f</ti>
+ <ti>Base file name</ti>
+ <ti>k</ti>
+ <ti>Section</ti>
+</tr>
+<tr>
+ <ti>a</ti>
+ <ti>ARCH/e_machine</ti>
+ <ti>&nbsp;</ti>
+ <ti>&nbsp;</ti>
+</tr>
+</table>
+
+</body>
+</section>
+<section>
+<title>Using scanelf for Text Relocations</title>
+<body>
+
+<p>
+As an example, we will use <c>scanelf</c> to find binaries containing text
+relocations.
+</p>
+
+<p>
+A relocation is an operation that rewrites an address in a loaded segment. Such
+an address rewrite can happen when a segment has references to a shared object
+and that shared object is loaded in memory. In this case, the references are
+substituted with the real address values. Similar events can occur inside the
+shared object itself.
+</p>
+
+<p>
+A text relocation is a relocation in the text segment. Since text segments
+contain executable code, system administrators might prefer not to have these
+segments writable. This is perfectly possible, but since text relocations
+actually write in the text segment, it is not always feasible.
+</p>
+
+<p>
+If you want to eliminate text relocations, you will need to make sure
+that the application and shared object is built with <e>Position Independent
+Code</e> (PIC), making references obsolete. This not only increases security,
+but also increases the performance in case of shared objects (allowing writes in
+the text segment requires a swap space reservation and a private copy of the
+shared object for each application that uses it).
+</p>
+
+<p>
+The following example will search your library paths recursively, without
+leaving the mounted file system and ignoring symbolic links, for any ELF binary
+containing a text relocation:
+</p>
+
+<pre caption="Scanning the system for text relocation binaries">
+# <i>scanelf -lqtmyR</i>
+</pre>
+
+<p>
+If you want to scan your entire system for <e>any</e> file containing text
+relocations:
+</p>
+
+<pre caption="Scanning the entire system for text relocation files">
+# <i>scanelf -qtmyR /</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Using scanelf for Specific Header</title>
+<body>
+
+<p>
+The scanelf util can be used to quickly identify files that contain a
+given section header using the -k .section option.
+</p>
+
+<p>
+In this example we are looking for all files in /usr/lib/debug
+recursively using a format modifier with quiet mode enabled that have been
+stripped. A stripped elf will lack a .symtab entry, so we use the '!'
+to invert the matching logic.
+</p>
+
+<pre caption="Scanning for stripped or non stripped executables">
+# <i>scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Using scanelf for Specific Segment Markings</title>
+<body>
+
+<p>
+Each segment has specific flags assigned to it in the Program Header of the
+binary. One of those flags is the type of the segment. Interesting values are
+PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
+segment contains dynamic linking information), PT_INTERP (the segment
+contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
+for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
+(a PaX extension for the ELF format, used by the security-minded
+<uri link="http://pax.grsecurity.net/">PaX Project</uri>.
+</p>
+
+<p>
+If we want to scan all executables in the current working directory, PATH
+environment and library paths and report those who have a writable and
+executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
+</p>
+
+<pre caption="Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK">
+# <i>scanelf -lpqe .</i>
+</pre>
+
+</body>
+</section>
+<section>
+<title>Using scanelf's Format Modifier Handler</title>
+<body>
+
+<p>
+A useful feature of the <c>scanelf</c> utility is the format modifier handler.
+With this option you can control the output of <c>scanelf</c>, thereby
+simplifying parsing the output with scripts.
+</p>
+
+<p>
+As an example, we will use <c>scanelf</c> to print the file names that contain
+text relocations:
+</p>
+
+<pre caption="Example of the scanelf format modifier handler">
+# <i>scanelf -l -p -R -q -F "%F #t"</i>
+</pre>
+
+</body>
+</section>
+</chapter>
+
+<chapter id="pspax">
+<title>Listing PaX Flags and Capabilities</title>
+<section>
+<title>About PaX</title>
+<body>
+
+<p>
+<uri link="http://pax.grsecurity.net">PaX</uri> is a project hosted by the <uri
+link="http://www.grsecurity.net">grsecurity</uri> project. Quoting the <uri
+link="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</uri>, its main
+goal is "to research various defense mechanisms against the exploitation of
+software bugs that give an attacker arbitrary read/write access to the
+attacked task's address space. This class of bugs contains among others
+various forms of buffer overflow bugs (be they stack or heap based), user
+supplied format string bugs, etc."
+</p>
+
+<p>
+To be able to benefit from these defense mechanisms, you need to run a Linux
+kernel patched with the latest PaX code. The <uri
+link="http://hardened.gentoo.org">Hardened Gentoo</uri> project supports PaX and
+its parent project, grsecurity. The supported kernel package is
+<c>sys-kernel/hardened-sources</c>.
+</p>
+
+<p>
+The Gentoo/Hardened project has a <uri
+link="/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</uri>
+for your reading pleasure.
+</p>
+
+</body>
+</section>
+<section>
+<title>Flags and Capabilities</title>
+<body>
+
+<p>
+If your toolchain supports it, your binaries can have additional PaX flags in
+their Program Header. The following flags are supported:
+</p>
+
+<table>
+<tr>
+ <th>Flag</th>
+ <th>Name</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>P</ti>
+ <ti>PAGEEXEC</ti>
+ <ti>
+ Refuse code execution on writable pages based on the NX bit
+ (or emulated NX bit)
+ </ti>
+</tr>
+<tr>
+ <ti>S</ti>
+ <ti>SEGMEXEC</ti>
+ <ti>
+ Refuse code execution on writable pages based on the
+ segmentation logic of IA-32
+ </ti>
+</tr>
+<tr>
+ <ti>E</ti>
+ <ti>EMUTRAMP</ti>
+ <ti>
+ Allow known code execution sequences on writable pages that
+ should not cause any harm
+ </ti>
+</tr>
+<tr>
+ <ti>M</ti>
+ <ti>MPROTECT</ti>
+ <ti>
+ Prevent the creation of new executable code to the process
+ address space
+ </ti>
+</tr>
+<tr>
+ <ti>R</ti>
+ <ti>RANDMMAP</ti>
+ <ti>
+ Randomize the stack base to prevent certain stack overflow
+ attacks from being successful
+ </ti>
+</tr>
+<tr>
+ <ti>X</ti>
+ <ti>RANDEXEC</ti>
+ <ti>
+ Randomize the address where the application maps to prevent
+ certain attacks from being exploitable
+ </ti>
+</tr>
+</table>
+
+<p>
+The default Linux kernel also supports certain capabilities, grouped in the
+so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those
+capabilities in our <uri
+link="/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> document.
+</p>
+
+</body>
+</section>
+<section>
+<title>Using pspax</title>
+<body>
+
+<p>
+The <c>pspax</c> application, part of the <c>pax-utils</c> package, displays the
+run-time capabilities of all programs you have permission for. On Linux kernels
+with additional support for extended attributes (such as SELinux) those
+attributes are shown as well.
+</p>
+
+<p>
+When ran, <c>pspax</c> shows the following information:
+</p>
+
+<table>
+<tr>
+ <th>Column</th>
+ <th>Description</th>
+</tr>
+<tr>
+ <ti>USER</ti>
+ <ti>Owner of the process</ti>
+</tr>
+<tr>
+ <ti>PID</ti>
+ <ti>Process id</ti>
+</tr>
+<tr>
+ <ti>PAX</ti>
+ <ti>Run-time PaX flags (if applicable)</ti>
+</tr>
+<tr>
+ <ti>MAPS</ti>
+ <ti>Write/eXecute markings for the process map</ti>
+</tr>
+<tr>
+ <ti>ELF_TYPE</ti>
+ <ti>Process executable type: ET_DYN or ET_EXEC</ti>
+</tr>
+<tr>
+ <ti>NAME</ti>
+ <ti>Name of the process</ti>
+</tr>
+<tr>
+ <ti>CAPS</ti>
+ <ti>POSIX.1e capabilities (see note)</ti>
+</tr>
+<tr>
+ <ti>ATTR</ti>
+ <ti>Extended attributes (if applicable)</ti>
+</tr>
+</table>
+
+<note>
+<c>pspax</c> only displays these capabilities when it is linked with
+the external capabilities library. This requires you to build <c>pax-utils</c>
+with -DWANT_SYSCAP.
+</note>
+
+<p>
+By default, <c>pspax</c> does not show any kernel processes. If you want those
+to be taken as well, use the <c>-a</c> switch.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter id="dumpelf">
+<title>Programming with ELF files</title>
+<section>
+<title>The dumpelf Utility</title>
+<body>
+
+<p>
+With the <c>dumpelf</c> utility you can convert a ELF file into human readable C
+code that defines a structure with the same image as the original ELF file.
+</p>
+
+<pre caption="dumpelf example">
+$ <i>dumpelf /bin/hostname</i>
+#include &lt;elf.h&gt;
+
+<comment>/*
+ * ELF dump of '/bin/hostname'
+ * 10276 (0x2824) bytes
+ */</comment>
+
+struct {
+ Elf32_Ehdr ehdr;
+ Elf32_Phdr phdrs[8];
+ Elf32_Shdr shdrs[26];
+} dumpedelf_0 = {
+
+.ehdr = {
+<comment>(... Output stripped ...)</comment>
+</pre>
+
+</body>
+</section>
+</chapter>
+</guide>
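Review bot: the new guide stops describing revdep-pax partway through the section "Propagating PaX marks backwards from a library to objects that link at it". Its first paragraph breaks off after "check all the libraries linked statically" and runs straight into "The scanelf application is part of the app-misc/pax-utils package". Everything after that point (the scanelf option and format tables, the text relocation and segment marking sections, and the chapters with id="pspax" and id="dumpelf") is pax-utils material that never shows a revdep-pax invocation. The abstract promises an explanation of how to propagate the markings, so either the usage chapter needs to be written or the copied chapters should be dropped before this is published. Since propagating relaxed marks backwards weakens every binary that links the library, the finished usage section should also tell the reader how to review the affected objects before applying the change. Smaller points in the same file: "PaC markings" in the abstract should read "PaX markings"; by="Geroge Orwell" is misspelled; "propper", "Required by for amongst other things" and "is disables by default" need correcting; the parenthesis opened at "(a PaX extension for the ELF format" is never closed; and the RANDMMAP row of the flags table ("Randomize the stack base") contradicts the definition list earlier in the file, which describes RANDMMAP as randomizing the addresses where mappings are made.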