Changeset f586237

Timestamp:

06/05/2016 05:57:10 AM (7 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 7.10, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, ken/inkscape-core-mods, lazarus, nosym, perl-modules, plabs/python-mods, qt5new, trunk, upgradedb, xry111/intltool, xry111/soup3, xry111/test-20220226

Children:

422bd2c

Parents:

eb3dbe3

Message:

[Systemd merge] - Complete changes for Chapter 4.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17446 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

• general.ent (modified) (3 diffs)
• general/genlib/genlib.xml (modified) (1 diff)
• general/genlib/grantlee.xml (deleted)
• general/sysutils/dbus.xml (modified) (1 diff)
• general/sysutils/strigi.xml (deleted)
• general/sysutils/sysutils.xml (modified) (1 diff)
• introduction/welcome/changelog.xml (modified) (1 diff)
• postlfs/security/cyrus-sasl.xml (modified) (2 diffs)
• postlfs/security/firewalling.xml (modified) (5 diffs)
• postlfs/security/gnutls.xml (modified) (1 diff)
• postlfs/security/haveged.xml (modified) (1 diff)
• postlfs/security/iptables.xml (modified) (2 diffs)
• postlfs/security/libcap.xml (modified) (4 diffs)
• postlfs/security/linux-pam.xml (modified) (1 diff)
• postlfs/security/mitkrb.xml (modified) (1 diff)
• postlfs/security/openssh.xml (modified) (3 diffs)
• postlfs/security/openssl.xml (modified) (1 diff)
• postlfs/security/p11-kit.xml (modified) (1 diff)
• postlfs/security/polkit.xml (modified) (7 diffs)
• postlfs/security/shadow.xml (modified) (2 diffs)
• postlfs/security/stunnel.xml (modified) (3 diffs)
• postlfs/security/sudo.xml (modified) (2 diffs)

general.ent

@@ -1 +1 @@
 <!-- $LastChangedBy$ $Date$ -->
 
-<!ENTITY day          "04">                   <!-- Always 2 digits -->
+<!ENTITY day          "05">                   <!-- Always 2 digits -->
 <!ENTITY month        "06">                   <!-- Always 2 digits -->
 <!ENTITY year         "2016">
@@ -7 +7 @@
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
-<!ENTITY releasedate  "June 4th &year;">
+<!ENTITY releasedate  "June 5th &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
-<!ENTITY lfs-version  "development">          <!-- x.y|development] -->
+<!ENTITY lfs-version  "development">          <!-- x.y|development -->
+<!ENTITY lfs-versiond "systemd">              <!-- x.y-systemd|systemd -->
 <!ENTITY last-commit  "$Date$"> <!-- Automatic update -->
 <!ENTITY lfs-domainname       "linuxfromscratch.org">
@@ -35 +36 @@
 
 <!ENTITY lfs-root             "../../../../lfs/view/&lfs-version;">
+<!ENTITY lfs-rootd            "../../../../lfs/view/&lfs-versiond;">
 <!ENTITY lfs-dev              "../../../../lfs/view/development">
 <!ENTITY kernel               "http://www.kernel.org/pub/">

general/genlib/genlib.xml

@@ -63 +63 @@
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gmime.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gobject-introspection.xml"/>
-
-  <!-- systemd only -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="grantlee.xml"/>
-
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gsl.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="icu.xml"/>

general/sysutils/dbus.xml

@@ -668 +668 @@
         A list of the installed files, along with their short
         descriptions can be found at
-        <ulink url="&lfs-root;/chapter06/dbus.html#contents-dbus"/>.
+        <phrase revision="sysv">
+        <ulink url="&lfs-root;/chapter06/dbus.html#contents-dbus"/></phrase>
+        <phrase revision="systemd">
+        <ulink url="&lfs-rootd;/chapter06/dbus.html#contents-dbus"/></phrase>.
       </para>
 

general/sysutils/sysutils.xml

@@ -54 +54 @@
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="redland.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sg3_utils.xml"/>
-
-  <!-- systemd only -->  
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="strigi.xml"/>
-
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sysstat.xml"/>
 

introduction/welcome/changelog.xml

@@ -44 +44 @@
 
 -->
+    <listitem>
+      <para>June 5th, 2016</para>
+      <itemizedlist>
+        <listitem revision="systemd">
+          <para>[dj] - Removed grantlee and strigi packages.</para>
+        </listitem>
+        <listitem revision="sysv">
+          <para>[dj] - Only install the Linux-PAM module when rebuilding
+          libcap for Linux-PAM.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
     <listitem>
       <para>June 4th, 2016</para>

postlfs/security/cyrus-sasl.xml

@@ -269 +269 @@
 
     <sect3 id="cyrus-sasl-init">
-      <title>Init Script</title>
-
-      <para>
+      <title><phrase revision="sysv">Init Script</phrase>
+             <phrase revision="systemd">Systemd Unit</phrase></title>
+
+      <para revision="sysv">
         If you need to run the <command>saslauthd</command> daemon at system
         startup, install the <filename>/etc/rc.d/init.d/saslauthd</filename>
-        init script included in the <xref linkend="bootscripts" revision="sysv"/>
-        <xref linkend="systemd-units" revision="systemd"/>
-        package using the following command:
+        init script included in the
+        <xref linkend="bootscripts"/> package using the following command:
+      </para>
+
+      <para revision="systemd">
+        If you need to run the <command>saslauthd</command> daemon at system
+        startup, install the <filename>saslauthd.service</filename> unit
+        included in the <xref linkend="systemd-units"/> package using the
+        following command:
       </para>
 
@@ -287 +294 @@
       <note>
         <para>
-          You'll need to modify /etc/sysconfig/saslauthd and replace the
-          <option><replaceable>AUTHMECH</replaceable></option> parameter
-          with your desired authentication mechanism.
+          You'll need to modify
+          <filename revision="sysv">/etc/sysconfig/saslauthd</filename>
+          <filename revision="systemd">/etc/default/saslauthd</filename>
+          and modify the
+          <option revision="sysv">AUTHMECH</option>
+          <option revision="systemd">MECHANISM</option>
+          parameter with your desired authentication mechanism.
         </para>
       </note>

postlfs/security/firewalling.xml

@@ -141 +141 @@
     </caution>
 
-    <para>The firewall configuration script installed in the iptables section
-    differs from the standard configuration script. It only has two of
-    the standard targets: start and status. The other targets are clear
-    and lock. For instance if you issue:</para>
-
-<screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
-
-    <para>the firewall will be restarted just as it is upon system startup.
-    The status target will present a list of all currently implemented
-    rules. The clear target turns off all firewall rules and the lock
-    target will block all packets in and out of the computer with the
+    <para revision="sysv">The firewall configuration script installed in the
+    iptables section differs from the standard configuration script. It only
+    has two of the standard targets: start and status. The other targets are
+    clear and lock. For instance if you issue:</para>
+
+<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
+
+    <para revision="sysv">the firewall will be restarted just as it is upon
+    system startup. The status target will present a list of all currently
+    implemented rules. The clear target turns off all firewall rules and the
+    lock target will block all packets in and out of the computer with the
     exception of the loopback interface.</para>
 
-    <para>The main startup firewall is located in the file
+    <para revision="sysv">The main startup firewall is located in the file
     <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
     three different approaches that can be used for a system.</para>
+
+    <para revision="systemd">The main startup firewall is located in the file
+    <filename>/etc/systemd/scripts/iptables</filename>. The sections below
+    provide three different approaches that can be used for a system.</para>
 
     <note>
@@ -178 +182 @@
       to the Linux 2.6 kernels.</para>
 
-<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
 <literal>#!/bin/sh
 
@@ -253 +257 @@
 EOF
 chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+
+
+<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+
+# Begin /etc/systemd/scripts/iptables
+
+# Insert connection-tracking modules
+# (not needed if built into the kernel)
+modprobe nf_conntrack
+modprobe xt_LOG
+
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
+
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
+
+# Do not send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+
+# Drop Spoofed Packets coming in on an interface, where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
+
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+
+# disable Explicit Congestion Notification
+# too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+
+iptables -t nat -F
+
+# Allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+
+# Free output on any interface to any ip for any service
+# (equal to -P ACCEPT)
+iptables -A OUTPUT -j ACCEPT
+
+# Permit answers on already established connections
+# and permit new connections related to established ones
+# (e.g. port mode ftp)
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# Log everything else. What's Windows' latest exploitable vulnerability?
+iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+
+# End /etc/systemd/scripts/iptables</literal>
+EOF
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
 
       <para>This script is quite simple, it drops all traffic coming
@@ -284 +367 @@
       a worm via a buffer-overflow).</para>
 
-<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
+<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
 <literal>#!/bin/sh
 
@@ -374 +457 @@
 EOF
 chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
+
+<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
+
+cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
+<literal>#!/bin/sh
+
+# Begin /etc/systemd/scripts/iptables
+
+echo
+echo "You're using the example configuration for a setup of a firewall"
+echo "from Beyond Linux From Scratch."
+echo "This example is far from being complete, it is only meant"
+echo "to be a reference."
+echo "Firewall security is a complex issue, that exceeds the scope"
+echo "of the configuration rules below."
+
+echo "You can find additional information"
+echo "about firewalls in Chapter 4 of the BLFS book."
+echo "http://www.&lfs-domainname;/blfs"
+echo
+
+# Insert iptables modules (not needed if built into the kernel).
+
+modprobe nf_conntrack
+modprobe nf_conntrack_ftp
+modprobe xt_conntrack
+modprobe xt_LOG
+modprobe xt_state
+
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
+
+# Don't send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
+
+# Drop Spoofed Packets coming in on an interface where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
+
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+
+# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+
+# Disable Explicit Congestion Notification
+# Too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-existing user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+
+iptables -t nat -F
+
+# Allow local connections
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# Allow forwarding if the initiated on the intranet
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT
+
+# Do masquerading
+# (not needed if intranet is not using private ip-addresses)
+iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
+
+# Log everything for debugging
+# (last of all rules, but before policy rules)
+iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
+iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
+iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+
+# Enable IP Forwarding
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+
+# End /etc/systemd/scripts/iptables</literal>
+EOF
+chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
 
       <para>With this script your intranet should be reasonably secure

postlfs/security/gnutls.xml

@@ -147 +147 @@
       To test the results, issue: <command>make check</command>.  If a prior
       version of <application>GnuTLS</application> (or the same version but
-      without all the recommended dependencies) has been installed, some
+      without all of the recommended dependencies) has been installed, some
       tests may fail. If <filename>/usr/lib/libgnutls.so</filename> and the
       target of that symlink are moved or renamed so that they cannot be found,

postlfs/security/haveged.xml

@@ -105 +105 @@
 
     <sect3  id="haveged-init">
-      <title>Boot Script</title>
+      <title><phrase revision="sysv">Boot Script</phrase>
+             <phrase revision="systemd">Systemd Unit</phrase></title>
 
-      <para>
+      <para revision="sysv">
         If you want the <application>Haveged</application> daemon to
         start automatically when the system is booted, install the
         <filename>/etc/rc.d/init.d/haveged</filename> init script included
-        in the <xref linkend="bootscripts" revision="sysv"/>
-        <xref linkend="systemd-units" revision="systemd"/> package.
+        in the <xref linkend="bootscripts"/> package (as the
+        <systemitem class="username">root</systemitem> user):
+      </para>
+
+      <para revision="systemd">
+        If you want the <application>Haveged</application> daemon to
+        start automatically when the system is booted, install the
+        <filename>haveged.service</filename> unit included in the
+        <xref linkend="systemd-units"/> package (as the
+        <systemitem class="username">root</systemitem> user):
       </para>
 

postlfs/security/iptables.xml

@@ -163 +163 @@
     <para>
       <parameter>--disable-nftables</parameter>: This switch disables building
-      nftables compat.
+      nftables compat. Omit this switch if you have installed nftables.
     </para>
 
@@ -199 +199 @@
 
     <sect3  id="iptables-init">
-      <title>Boot Script</title>
-
-      <para>
+      <title><phrase revision="sysv">Boot Script</phrase>
+             <phrase revision="systemd">Systemd Unit</phrase></title>
+
+      <para revision="sysv">
         To set up the iptables firewall at boot, install the
         <filename>/etc/rc.d/init.d/iptables</filename> init script included
-        in the <xref linkend="bootscripts" revision="sysv"/>
-        <xref linkend="systemd-units" revision="systemd"/> package.
+        in the <xref linkend="bootscripts"/> package.
+      </para>
+
+      <para revision="systemd">
+        To set up the iptables firewall at boot, install the
+        <filename>iptables.service</filename> unit included in the
+        <xref linkend="systemd-units"/> package.
       </para>
 

postlfs/security/libcap.xml

@@ -30 +30 @@
     <title>Introduction to libcap with PAM</title>
 
-    <para>The <application>libcap</application> package was installed in
-    LFS, but if PAM support is desired, it needs to be reinstalled after
-    PAM is built.</para>
+    <para>The <application>libcap</application> package was installed in 
+    LFS, but if <application>Linux-PAM</application> support is desired,
+    the PAM module must be built (after installation of
+    <application>Linux-PAM</application>).</para>
 
     &lfs79_checked;&gcc6_checked;
@@ -61 +62 @@
 
     <bridgehead renderas="sect4">Required</bridgehead>
-    <para role="required"><xref linkend="linux-pam"/></para>
+    <para role="required">
+      <xref linkend="linux-pam"/>
+    </para>
 
     <para condition="html" role="usernotes">User Notes:
@@ -74 +77 @@
     commands:</para>
 
-<screen><userinput>sed -i 's:LIBDIR:PAM_&amp;:g' pam_cap/Makefile &amp;&amp;
-make</userinput></screen>
+<screen><userinput>make -C pam_cap</userinput></screen>
 
     <para>This package does not come with a test suite.</para>
 
-    <para>
-      If you want to disable installing the static library, use this sed:
-    </para>
-
-<screen><userinput>sed -i '/install.*STALIBNAME/ s/^/#/' libcap/Makefile</userinput></screen>
-
     <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
 
-<screen role="root"><userinput>make prefix=/usr \
-     SBINDIR=/sbin \
-     PAM_LIBDIR=/lib \
-     RAISE_SETFCAP=no install</userinput></screen>
-
-   <para>
-     Still as the <systemitem class="username">root</systemitem> user,
-     clean up some library locations and permissions:
-   </para>
-
-<screen role="root"><userinput>chmod -v 755 /usr/lib/libcap.so &amp;&amp;
-mv -v /usr/lib/libcap.so.* /lib &amp;&amp;
-ln -sfv ../../lib/libcap.so.2 /usr/lib/libcap.so</userinput></screen>
-
-  </sect2>
-
-  <sect2 role="commands">
-    <title>Command Explanations</title>
-
-    <para>
-      <command>sed -i '...'</command>, <parameter>PAM_LIBDIR=/lib</parameter>:
-      These correct PAM module install location.
-    </para>
-
-    <para><parameter>RAISE_SETFCAP=no</parameter>: This parameter skips trying
-    to use <application>setcap</application> on itself.  This avoids an installation
-    error if the kernel or file system do not support extended capabilities.</para>
+<screen role="root"><userinput>install -v -m755 pam_cap/pam_cap.so /lib/security &amp;&amp;
+install -v -m644 pam_cap/capability.conf /etc/security</userinput></screen>
 
   </sect2>
@@ -122 +93 @@
     <segmentedlist>
       <segtitle>Installed Programs</segtitle>
-      <segtitle>Installed Libraries</segtitle>
+      <segtitle>Installed Library</segtitle>
       <segtitle>Installed Directories</segtitle>
 
       <seglistitem>
-        <seg>capsh, getcap, getpcaps, and setcap</seg>
-        <seg>libcap.{so,a} and pam_cap.so</seg>
+        <seg>None</seg>
+        <seg>pam_cap.so</seg>
         <seg>None</seg>
       </seglistitem>
     </segmentedlist>
 
-    <variablelist>
-      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
-      <?dbfo list-presentation="list"?>
-      <?dbhtml list-presentation="table"?>
-
-      <varlistentry id="capsh">
-        <term><command>capsh</command></term>
-        <listitem>
-          <para>is a shell wrapper to explore and constrain capability support.</para>
-          <indexterm zone="libcap-pam capsh">
-            <primary sortas="b-capsh">capsh</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="getcap">
-        <term><command>getcap</command></term>
-        <listitem>
-          <para>examines file capabilities.</para>
-          <indexterm zone="libcap-pam getcap">
-            <primary sortas="b-getcap">getcap</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="getpcaps">
-        <term><command>getpcaps</command></term>
-        <listitem>
-          <para>displays the capabilities on the queried process(es).</para>
-          <indexterm zone="libcap-pam getpcaps">
-            <primary sortas="b-getpcaps">getpcaps</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="setcap">
-        <term><command>setcap</command></term>
-        <listitem>
-          <para>sets file file capabilities.</para>
-          <indexterm zone="libcap-pam setcap">
-            <primary sortas="b-setcap">setcap</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="libcap-lib">
-        <term><filename class='libraryfile'>libcap.{so,a}</filename></term>
-        <listitem>
-          <para>contains the <application>libcap</application> API functions.</para>
-          <indexterm zone="libcap-pam libcap-lib">
-            <primary sortas="c-libcap">libcap.{so,a}</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
   </sect2>
 

postlfs/security/linux-pam.xml

@@ -377 +377 @@
         <para>
           You should now reinstall the <xref linkend="shadow"/>
-          package.
+          <phrase revision="sysv">package.</phrase>
+          <phrase revision="systemd"> and <xref linkend="systemd"/>
+          packages.</phrase>
         </para>
       </important>

postlfs/security/mitkrb.xml

@@ -445 +445 @@
 
     <sect3 id="mitkrb-init">
-      <title>Init Script</title>
-
-      <para>
+      <title><phrase revision="sysv">Init Script</phrase>
+             <phrase revision="systemd">Systemd Unit</phrase></title>
+
+      <para revision="sysv">
         If you want to start <application>Kerberos</application> services
         at boot, install the <filename>/etc/rc.d/init.d/krb5</filename> init
-        script included in the <xref linkend="bootscripts" revision="sysv"/>
-        <xref linkend="systemd-units" revision="systemd"/> package using
+        script included in the <xref linkend="bootscripts"/> package using
         the following command:
+      </para>
+
+      <para revision="systemd">
+        If you want to start <application>Kerberos</application> services
+        at boot, install the <filename>krb5.service</filename> unit included in
+        the <xref linkend="systemd-units"/> package using the following command:
       </para>
 

postlfs/security/openssh.xml

@@ -111 +111 @@
     <title>Installation of OpenSSH</title>
 
+    <warning revision="systemd">
+    <para>
+      If reinstalling over an <application>SSH</application> connection to
+      enable <xref linkend="linux-pam"/> support, be certain to temporarily set
+      <option>PermitRootLogin</option> to <parameter>yes</parameter> in
+      <filename>/etc/ssh/sshd_config</filename> until you complete
+      reinstallation of <xref linkend="systemd"/>, or you may find that you are
+      unable to login to the system remotely.
+    </para>
+    </warning>
+
     <para>
       <application>OpenSSH</application> runs as two processes when connecting
@@ -289 +300 @@
 
       <para>
-        If you added <application>LinuxPAM</application> support and you want
+        If you added <application>Linux-PAM</application> support and you want
         ssh to use it then you will need to add a configuration file for
         <application>sshd</application> and enable use of
         <application>LinuxPAM</application>. Note, ssh only uses PAM to check
         passwords, if you've disabled password logins these commands are not
-        needed. If you want to use PAM issue the following commands as the
+        needed. If you want to use PAM, issue the following commands as the
         <systemitem class='username'>root</systemitem> user:
       </para>
@@ -310 +321 @@
 
     <sect3  id="openssh-init">
-      <title>Boot Script</title>
-
-      <para>
+      <title><phrase revision="sysv">Boot Script</phrase>
+             <phrase revision="systemd">Systemd Unit</phrase></title>
+
+      <para revision="sysv">
         To start the SSH server at system boot, install the
         <filename>/etc/rc.d/init.d/sshd</filename> init script included
-        in the <xref linkend="bootscripts" revision="sysv"/>
-        <xref linkend="systemd-units" revision="systemd"/> package.
+        in the <xref linkend="bootscripts"/> package.
+      </para>
+
+      <para revision="systemd">
+        To start the SSH server at system boot, install the
+        <filename>sshd.service</filename> unit included in the
+        <xref linkend="systemd-units"/> package.
       </para>
 

postlfs/security/openssl.xml

@@ -207 +207 @@
         providing functions to other programs such as
         <application>OpenSSH</application> and web browsers do not need to worry
-        about additional configuration. This is an advanced topic and so those
+        about additional configuration. This is an advanced topic and those
         who do need it would normally be expected to either know how to properly
         update <filename>/etc/ssl/openssl.cnf</filename> or be able to find out

postlfs/security/p11-kit.xml

@@ -120 +120 @@
     <para>
       <option>--with-hash-impl=freebl</option>: Use this switch if you want to
-      use Freebl library from <application>NSS</application> for SHA1 and MD5
-      hashing.
+      use the Freebl library from <application>NSS</application> for SHA1 and
+      MD5 hashing.
     </para>
 

postlfs/security/polkit.xml

@@ -81 +81 @@
     </para>
 
+    <bridgehead renderas="sect4" revision="systemd">Recommended</bridgehead>
+    <para role="recommended" revision="systemd">
+      <xref linkend="linux-pam"/>
+    </para>
+
+    <note revision="systemd">
+      <para>
+        Since <command>systemd-logind</command> uses PAM to register user
+        sessions, it is a good idea to build <application>Polkit</application>
+        with PAM support so <command>systemd-logind</command> can track
+        <application>Polkit</application> sessions.
+      </para>
+    </note>
+
+
     <bridgehead renderas="sect4">Optional (Required if building GNOME)</bridgehead>
     <para role="optional">
@@ -90 +105 @@
       <xref linkend="DocBook"/>,
       <xref linkend="docbook-xsl"/>,
-      <xref linkend="gtk-doc"/>,
-      <xref linkend="libxslt"/> and
-      <xref linkend="linux-pam"/>
+      <xref linkend="gtk-doc"/>, <phrase revision="systemd">and </phrase>
+      <xref linkend="libxslt"/><phrase revision="sysv">, and
+      <xref linkend="linux-pam"/></phrase>
+    </para>
+
+    <bridgehead renderas="sect4" revision="systemd">Required Runtime Dependencies</bridgehead>
+    <para role="required" revision="systemd">
+      <xref linkend="systemd"/>
     </para>
 
     <note>
       <para>
-        If <xref linkend="libxslt"/> is installed, then <xref linkend="DocBook"/>
-        and <xref linkend="docbook-xsl"/> are required. If you have installed
-        <xref linkend="libxslt"/>, but you do not want to install any of the
-        DocBook packages mentioned, you will need to use
-        <option>--disable-man-pages</option> in the instructions below.
+        If <xref linkend="libxslt"/> is installed,
+        then <xref linkend="DocBook"/> and <xref linkend="docbook-xsl"/> are
+        required. If you have installed <xref linkend="libxslt"/>, but you do
+        not want to install any of the DocBook packages mentioned, you will
+        need to use <option>--disable-man-pages</option> in the instructions
+        below.
       </para>
     </note>
@@ -124 +145 @@
         -g polkitd -s /bin/false polkitd</userinput></screen>
 
+    <note revision="systemd">
+      <para>
+        When building <application>Polkit</application> with
+        <application>systemd</application> logind support, the
+        <command>configure</command> script explicitly checks if
+        system is booted using <application>systemd</application>.
+        This can cause problems if building the package in chroot,
+        where the <command>configure</command> would fail to
+        detect <application>systemd</application>. To workaround
+        the problem, simply run the following command:
+      </para>
+
+<screen><userinput>sed -i "s:/sys/fs/cgroup/systemd/:/sys:g" configure</userinput></screen>
+    </note>
+
     <para>
       Install <application>Polkit</application> by running the following
@@ -129 +165 @@
     </para>
 
-<screen><userinput>./configure --prefix=/usr                \
+<screen revision="sysv"><userinput>./configure --prefix=/usr                \
             --sysconfdir=/etc            \
             --localstatedir=/var         \
@@ -137 +173 @@
 make</userinput></screen>
 
+<screen revision="systemd"><userinput>./configure --prefix=/usr        \
+            --sysconfdir=/etc    \
+            --localstatedir=/var \
+            --disable-static     &amp;&amp;
+make</userinput></screen>
+
     <para>
       To test the results, issue: <command>make check</command>.
@@ -156 +198 @@
     <title>Command Explanations</title>
 
-    <para>
+    <para revision="sysv">
       <parameter>--enable-libsystemd-login=no</parameter>: This parameter fixes
       building without <application>systemd</application>, which is not part
@@ -163 +205 @@
     </para>
 
-    <para>
+    <para revision="sysv">
       <parameter>--with-authfw=shadow</parameter>: This parameter configures the
       package to use the <application>Shadow</application> rather than the
-      <application>Linux PAM</application> Authentication framework. Remove it
-      if you would like to use <application>Linux PAM</application>.
+      <application>Linux-PAM</application> Authentication framework. Remove it
+      if you would like to use <application>Linux-PAM</application>.
+    </para>
+
+    <para revision="systemd">
+      <option>--with-authfw=shadow</option>: This switch enables the
+      package to use the <application>Shadow</application> rather than the
+      <application>Linux PAM</application> Authentication framework. Use it
+      if you have not installed <application>Linux PAM</application>.
     </para>
 

postlfs/security/shadow.xml

@@ -459 +459 @@
 done</userinput></screen>
 
+        <para revision="systemd">Because the installation of
+        <application>systemd</application> is not yet complete, you will need
+        to remove the <filename>/run/nologin</filename> file before testing the
+        installation. Execute the following command as the
+        <systemitem class="username">root</systemitem> user:</para>
+
+<screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen>
+
         <warning>
           <para>
@@ -532 +540 @@
     <para>
       A list of the installed files, along with their short descriptions can be
-      found at <ulink url="http://www.linuxfromscratch.org/lfs/view/&lfs-version;/chapter06/shadow.html#contents-shadow"/>.
+      found at
+      <phrase revision="sysv">
+      <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/></phrase>
+      <phrase revision="systemd">
+      <ulink url="&lfs-rootd;/chapter06/shadow.html#contents-shadow"/></phrase>.
     </para>
 

postlfs/security/stunnel.xml

@@ -150 +150 @@
 <screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen>
 
+    <para revision="systemd">
+      Install the included systemd unit by running the following command as the
+      <systemitem class="username">root</systemitem> user:
+    </para>
+
+<screen role="root" revision="systemd"><userinput>install -v -m644 tools/stunnel.service /lib/systemd/system</userinput></screen>
+
     <para>If you do not already have a signed SSL Certificate and Private Key,
     create the <filename>stunnel.pem</filename> file in the
@@ -255 +262 @@
 
     <sect3  id="stunnel-init">
-      <title>Boot Script</title>
-
-      <para>To automatically start the <command>stunnel</command> daemon
-      when the system is booted, install the
+      <title><phrase revision="sysv">Boot Script</phrase>
+             <phrase revision="systemd">Systemd Unit</phrase></title>
+
+      <para revision="sysv">To automatically start the
+      <command>stunnel</command> daemon when the system is booted, install the
       <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the
-      <xref linkend="bootscripts" revision="sysv"/>
-      <xref linkend="systemd-units" revision="systemd"/> package.</para>
+      <xref linkend="bootscripts"/> package.</para>
+
+      <para revision="systemd">To start the <command>stunnel</command>
+      daemon at boot, enalbe the previously installed
+      <application>systemd</application> unit by running the following command
+     as the <systemitem class="username">root</systemitem> user:</para>
 
       <indexterm zone="stunnel stunnel-init">
@@ -267 +279 @@
       </indexterm>
 
-<screen role="root"><userinput>make install-stunnel</userinput></screen>
+<screen role="root" revision="sysv"><userinput>make install-stunnel</userinput></screen>
+
+<screen role="root" revision="systemd"><userinput>systemctl enable stunnel</userinput></screen>
 
     </sect3>

postlfs/security/sudo.xml

@@ -159 +159 @@
 
     <para>
-      <option>--without-pam</option>: Avoids building <application>PAM</application>
-      support when <application>PAM</application> is installed on the system.
+      <option>--without-pam</option>: This switch avoids building
+      <application>Linux-PAM</application> support when
+      <application>Linux-PAM</application> is installed on the system.
     </para>
 
@@ -175 +176 @@
 
     <para>
-      <command>ln -sfv libsudo_util...</command>: works around a bug in the
+      <command>ln -sfv libsudo_util...</command>: Works around a bug in the
       installation process, which links to the previously installed
       version (if there is one) instead of the new one.