authorklondike <klondike@xiscosoft.es>2012-04-28 21:15:34 +0200
committerklondike <klondike@xiscosoft.es>2012-04-28 21:15:34 +0200
commit5dff830dc201fb5a1927aee293f3fc62ccf09a22 (patch)
tree02089a636df77d1ce5fe65522e23387c656b917a /html
parentFix bug #411377 - Additional details on working out corrupted policy store (diff)
Update previews
Diffstat (limited to 'html')
-rw-r--r--html/revdep-pax.html551
-rw-r--r--html/roadmap.html22
-rw-r--r--html/selinux-faq.html27
-rw-r--r--html/selinux/hb-using-install.html18
-rw-r--r--html/selinux/hb-using-troubleshoot.html27
5 files changed, 106 insertions, 539 deletions
diff --git a/html/revdep-pax.html b/html/revdep-pax.html
index ee4e6d4..accbeee 100644
--- a/html/revdep-pax.html
+++ b/html/revdep-pax.html
@@ -21,13 +21,18 @@
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
<select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What's revdep-pax about?</option>
-<option value="#doc_chap2">2. Using revdep-pax</option>
-<option value="#doc_chap3">3. Listing PaX Flags and Capabilities</option>
-<option value="#doc_chap4">4. Programming with ELF files</option></select>
+<option value="#doc_chap2">2. Using revdep-pax</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>What's revdep-pax about?</p>
-<p class="secthead"><a name="doc_chap1_sect1">A quick introduction to PaX markings.</a></p>
+<p class="epigraph">
+Since the early days of PaX it was known that all programs were equal although
+some were more equal than others and needed an environment with less
+restrictions in order to be able to run. Thus, in order to have a secure way of
+allowing system administrators and users telling the system which binaries
+needed this lessened environment the PaX marks were created.
+<br><br><span class="episig">—Geroge Orwell</span><br><br></p>
+<p class="secthead"><a name="doc_chap1_sect2">A quick introduction to PaX markings.</a></p>
<p>
There are some programs which won't be able to run in an environment with all
the PaX features enabled, for example you may have a program which has so called
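Review bot: the attribution on the added epigraph line `+<br><br><span class="episig">—Geroge Orwell</span>` misspells the name; it should read "George Orwell". Renumbering the section anchor from doc_chap1_sect1 to doc_chap1_sect2 (the next hunk does the same for sect2 to sect3) means the new page no longer has a #doc_chap1_sect1 anchor at all, so any existing link into that section now goes nowhere; the epigraph needs no anchor of its own, so keeping the original numbering would avoid that.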
@@ -88,7 +93,7 @@ marks to the library to state it needs trampoline emulation but still we haven't
fixed the issue since the kernel will only read the marks on the binary being
called. In order to solve this issue we have created <span class="code" dir="ltr">revdep-pax</span>.
</p>
-<p class="secthead"><a name="doc_chap1_sect2">What's revdep-pax?</a></p>
+<p class="secthead"><a name="doc_chap1_sect3">What's revdep-pax?</a></p>
<p>
<span class="code" dir="ltr">revdep-pax</span> is a tool that allows to check for differences in PaX markings
between elf objects linking to libraries (for example <span class="path" dir="ltr">/bin/bash</span>)
@@ -108,530 +113,42 @@ libraries linked by an object and backwards to the objects linked by a library.
</p>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
</span>Using revdep-pax</p>
-<p class="secthead"><a name="doc_chap2_sect1">Propagating PaX marks backwards from a library to objects that link at it
+<p class="epigraph">
+In order to witness the firepower of this fully ARMED and OPERATIONAL tool
+you'll first need to learn how to use it, once you are done, you'll be
+able to fire at will.
+<br><br><span class="episig">—The Emperor</span><br><br></p>
+<p class="secthead"><a name="doc_chap2_sect2">Propagating PaX marks backwards from a library to objects that link at it
</a></p>
<p>
This is going to be probably the main way in which you are going to use this
-utility. What it does is check all the libraries linked statically
-The <span class="code" dir="ltr">scanelf</span> application is part of the <span class="code" dir="ltr">app-misc/pax-utils</span> package.
-With this application you can print out information specific to the ELF
-structure of a binary. The following table sums up the various options.
-</p>
-<table class="ntable">
-<tr>
- <td class="infohead"><b>Option</b></td>
- <td class="infohead"><b>Long Option</b></td>
- <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
- <td class="tableinfo">-p</td>
- <td class="tableinfo">--path</td>
- <td class="tableinfo">Scan all directories in PATH environment</td>
-</tr>
-<tr>
- <td class="tableinfo">-l</td>
- <td class="tableinfo">--ldpath</td>
- <td class="tableinfo">Scan all directories in /etc/ld.so.conf</td>
-</tr>
-<tr>
- <td class="tableinfo">-R</td>
- <td class="tableinfo">--recursive</td>
- <td class="tableinfo">Scan directories recursively</td>
-</tr>
-<tr>
- <td class="tableinfo">-m</td>
- <td class="tableinfo">--mount</td>
- <td class="tableinfo">Don't recursively cross mount points</td>
-</tr>
-<tr>
- <td class="tableinfo">-y</td>
- <td class="tableinfo">--symlink</td>
- <td class="tableinfo">Don't scan symlinks</td>
-</tr>
-<tr>
- <td class="tableinfo">-A</td>
- <td class="tableinfo">--archives</td>
- <td class="tableinfo">Scan archives (.a files)</td>
-</tr>
-<tr>
- <td class="tableinfo">-L</td>
- <td class="tableinfo">--ldcache</td>
- <td class="tableinfo">Utilize ld.so.cache information (use with -r/-n)</td>
-</tr>
-<tr>
- <td class="tableinfo">-X</td>
- <td class="tableinfo">--fix</td>
- <td class="tableinfo">Try and 'fix' bad things (use with -r/-e)</td>
-</tr>
-<tr>
- <td class="tableinfo">-z [arg]</td>
- <td class="tableinfo">--setpax [arg]</td>
- <td class="tableinfo">Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</td>
-</tr>
-<tr>
- <td class="infohead"><b>Option</b></td>
- <td class="infohead"><b>Long Option</b></td>
- <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
- <td class="tableinfo">-x</td>
- <td class="tableinfo">--pax</td>
- <td class="tableinfo">Print PaX markings</td>
-</tr>
-<tr>
- <td class="tableinfo">-e</td>
- <td class="tableinfo">--header</td>
- <td class="tableinfo">Print GNU_STACK/PT_LOAD markings</td>
-</tr>
-<tr>
- <td class="tableinfo">-t</td>
- <td class="tableinfo">--textrel</td>
- <td class="tableinfo">Print TEXTREL information</td>
-</tr>
-<tr>
- <td class="tableinfo">-r</td>
- <td class="tableinfo">--rpath</td>
- <td class="tableinfo">Print RPATH information</td>
-</tr>
-<tr>
- <td class="tableinfo">-n</td>
- <td class="tableinfo">--needed</td>
- <td class="tableinfo">Print NEEDED information</td>
-</tr>
-<tr>
- <td class="tableinfo">-i</td>
- <td class="tableinfo">--interp</td>
- <td class="tableinfo">Print INTERP information</td>
-</tr>
-<tr>
- <td class="tableinfo">-b</td>
- <td class="tableinfo">--bind</td>
- <td class="tableinfo">Print BIND information</td>
-</tr>
-<tr>
- <td class="tableinfo">-S</td>
- <td class="tableinfo">--soname</td>
- <td class="tableinfo">Print SONAME information</td>
-</tr>
-<tr>
- <td class="tableinfo">-s [arg]</td>
- <td class="tableinfo">--symbol [arg]</td>
- <td class="tableinfo">Find a specified symbol</td>
-</tr>
-<tr>
- <td class="tableinfo">-k [arg]</td>
- <td class="tableinfo">--section [arg]</td>
- <td class="tableinfo">Find a specified section</td>
-</tr>
-<tr>
- <td class="tableinfo">-N [arg]</td>
- <td class="tableinfo">--lib [arg]</td>
- <td class="tableinfo">Find a specified library</td>
-</tr>
-<tr>
- <td class="tableinfo">-g</td>
- <td class="tableinfo">--gmatch</td>
- <td class="tableinfo">Use strncmp to match libraries. (use with -N)</td>
-</tr>
-<tr>
- <td class="tableinfo">-T</td>
- <td class="tableinfo">--textrels</td>
- <td class="tableinfo">Locate cause of TEXTREL</td>
-</tr>
-<tr>
- <td class="tableinfo">-E [arg]</td>
- <td class="tableinfo">--etype [arg]</td>
- <td class="tableinfo">Print only ELF files matching etype ET_DYN,ET_EXEC ...</td>
-</tr>
-<tr>
- <td class="tableinfo">-M [arg]</td>
- <td class="tableinfo">--bits [arg]</td>
- <td class="tableinfo">Print only ELF files matching numeric bits</td>
-</tr>
-<tr>
- <td class="tableinfo">-a</td>
- <td class="tableinfo">--all</td>
- <td class="tableinfo">Print all scanned info (-x -e -t -r -b)</td>
-</tr>
-<tr>
- <td class="infohead"><b>Option</b></td>
- <td class="infohead"><b>Long Option</b></td>
- <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
- <td class="tableinfo">-q</td>
- <td class="tableinfo">--quiet</td>
- <td class="tableinfo">Only output 'bad' things</td>
-</tr>
-<tr>
- <td class="tableinfo">-v</td>
- <td class="tableinfo">--verbose</td>
- <td class="tableinfo">Be verbose (can be specified more than once)</td>
-</tr>
-<tr>
- <td class="tableinfo">-F [arg]</td>
- <td class="tableinfo">--format [arg]</td>
- <td class="tableinfo">Use specified format for output</td>
-</tr>
-<tr>
- <td class="tableinfo">-f [arg]</td>
- <td class="tableinfo">--from [arg]</td>
- <td class="tableinfo">Read input stream from a filename</td>
-</tr>
-<tr>
- <td class="tableinfo">-o [arg]</td>
- <td class="tableinfo">--file [arg]</td>
- <td class="tableinfo">Write output stream to a filename</td>
-</tr>
-<tr>
- <td class="tableinfo">-B</td>
- <td class="tableinfo">--nobanner</td>
- <td class="tableinfo">Don't display the header</td>
-</tr>
-<tr>
- <td class="tableinfo">-h</td>
- <td class="tableinfo">--help</td>
- <td class="tableinfo">Print this help and exit</td>
-</tr>
-<tr>
- <td class="tableinfo">-V</td>
- <td class="tableinfo">--version</td>
- <td class="tableinfo">Print version and exit</td>
-</tr>
-</table>
-<p>
-The format specifiers for the <span class="code" dir="ltr">-F</span> option are given in the following table.
-Prefix each specifier with <span class="code" dir="ltr">%</span> (verbose) or <span class="code" dir="ltr">#</span> (silent) accordingly.
-</p>
-<table class="ntable">
-<tr>
- <td class="infohead"><b>Specifier</b></td>
- <td class="infohead"><b>Full Name</b></td>
- <td class="infohead"><b>Specifier</b></td>
- <td class="infohead"><b>Full Name</b></td>
-</tr>
-<tr>
- <td class="tableinfo">F</td>
- <td class="tableinfo">Filename</td>
- <td class="tableinfo">x</td>
- <td class="tableinfo">PaX Flags</td>
-</tr>
-<tr>
- <td class="tableinfo">e</td>
- <td class="tableinfo">STACK/RELRO</td>
- <td class="tableinfo">t</td>
- <td class="tableinfo">TEXTREL</td>
-</tr>
-<tr>
- <td class="tableinfo">r</td>
- <td class="tableinfo">RPATH</td>
- <td class="tableinfo">n</td>
- <td class="tableinfo">NEEDED</td>
-</tr>
-<tr>
- <td class="tableinfo">i</td>
- <td class="tableinfo">INTERP</td>
- <td class="tableinfo">b</td>
- <td class="tableinfo">BIND</td>
-</tr>
-<tr>
- <td class="tableinfo">s</td>
- <td class="tableinfo">Symbol</td>
- <td class="tableinfo">N</td>
- <td class="tableinfo">Library</td>
-</tr>
-<tr>
- <td class="tableinfo">o</td>
- <td class="tableinfo">Type</td>
- <td class="tableinfo">p</td>
- <td class="tableinfo">File name</td>
-</tr>
-<tr>
- <td class="tableinfo">f</td>
- <td class="tableinfo">Base file name</td>
- <td class="tableinfo">k</td>
- <td class="tableinfo">Section</td>
-</tr>
-<tr>
- <td class="tableinfo">a</td>
- <td class="tableinfo">ARCH/e_machine</td>
- <td class="tableinfo"></td>
- <td class="tableinfo"></td>
-</tr>
-</table>
-<p class="secthead"><a name="doc_chap2_sect2">Using scanelf for Text Relocations</a></p>
-<p>
-As an example, we will use <span class="code" dir="ltr">scanelf</span> to find binaries containing text
-relocations.
-</p>
-<p>
-A relocation is an operation that rewrites an address in a loaded segment. Such
-an address rewrite can happen when a segment has references to a shared object
-and that shared object is loaded in memory. In this case, the references are
-substituted with the real address values. Similar events can occur inside the
-shared object itself.
-</p>
-<p>
-A text relocation is a relocation in the text segment. Since text segments
-contain executable code, system administrators might prefer not to have these
-segments writable. This is perfectly possible, but since text relocations
-actually write in the text segment, it is not always feasible.
-</p>
-<p>
-If you want to eliminate text relocations, you will need to make sure
-that the application and shared object is built with <span class="emphasis">Position Independent
-Code</span> (PIC), making references obsolete. This not only increases security,
-but also increases the performance in case of shared objects (allowing writes in
-the text segment requires a swap space reservation and a private copy of the
-shared object for each application that uses it).
-</p>
-<p>
-The following example will search your library paths recursively, without
-leaving the mounted file system and ignoring symbolic links, for any ELF binary
-containing a text relocation:
+utility. What it does is check all the libraries linked statically by the
+binaries using <span class="code" dir="ltr">ldd</span> and then smartly add the paxmarks of those libraries
+to generate the new set. As a result if <span class="path" dir="ltr">/usr/games/bin/armagetronad</span>
+links with <span class="path" dir="ltr">/usr/lib64/libGL.so.1</span> which has the <span class="emphasis">-m</span> PaX mark
+(allow RWX mappings) because you are using a llvm requiring graphics driver
+you'll get that binary marked with the <span class="emphasis">-m</span> PaX mark too since it needs it.
+Below you can see how to run it.
</p>
<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Scanning the system for text relocation binaries</p></td></tr>
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Propagating the PaX marks from the libraries</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -lqtmyR</span>
+# <span class="code-input">mv /etc/grsec/learning.roles /etc/grsec/policy</span>
+# <span class="code-input">chmod 0600 /etc/grsec/policy</span>
</pre></td></tr>
</table>
-<p>
-If you want to scan your entire system for <span class="emphasis">any</span> file containing text
-relocations:
-</p>
-<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Scanning the entire system for text relocation files</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -qtmyR /</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap2_sect3">Using scanelf for Specific Header</a></p>
-<p>
-The scanelf util can be used to quickly identify files that contain a
-given section header using the -k .section option.
-</p>
-<p>
-In this example we are looking for all files in /usr/lib/debug
-recursively using a format modifier with quiet mode enabled that have been
-stripped. A stripped elf will lack a .symtab entry, so we use the '!'
-to invert the matching logic.
-</p>
-<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Scanning for stripped or non stripped executables</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap2_sect4">Using scanelf for Specific Segment Markings</a></p>
-<p>
-Each segment has specific flags assigned to it in the Program Header of the
-binary. One of those flags is the type of the segment. Interesting values are
-PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
-segment contains dynamic linking information), PT_INTERP (the segment
-contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
-for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
-(a PaX extension for the ELF format, used by the security-minded
-<a href="http://pax.grsecurity.net/">PaX Project</a>.
-</p>
-<p>
-If we want to scan all executables in the current working directory, PATH
-environment and library paths and report those who have a writable and
-executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
-</p>
-<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -lpqe .</span>
-</pre></td></tr>
-</table>
-<p class="secthead"><a name="doc_chap2_sect5">Using scanelf's Format Modifier Handler</a></p>
-<p>
-A useful feature of the <span class="code" dir="ltr">scanelf</span> utility is the format modifier handler.
-With this option you can control the output of <span class="code" dir="ltr">scanelf</span>, thereby
-simplifying parsing the output with scripts.
-</p>
-<p>
-As an example, we will use <span class="code" dir="ltr">scanelf</span> to print the file names that contain
-text relocations:
-</p>
-<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Example of the scanelf format modifier handler</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-# <span class="code-input">scanelf -l -p -R -q -F "%F #t"</span>
-</pre></td></tr>
-</table>
-<p class="chaphead"><a name="pspax"></a><a name="doc_chap3"></a><span class="chapnum">3.
- </span>Listing PaX Flags and Capabilities</p>
-<p class="secthead"><a name="doc_chap3_sect1">About PaX</a></p>
-<p>
-<a href="http://pax.grsecurity.net">PaX</a> is a project hosted by the <a href="http://www.grsecurity.net">grsecurity</a> project. Quoting the <a href="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</a>, its main
-goal is "to research various defense mechanisms against the exploitation of
-software bugs that give an attacker arbitrary read/write access to the
-attacked task's address space. This class of bugs contains among others
-various forms of buffer overflow bugs (be they stack or heap based), user
-supplied format string bugs, etc."
-</p>
-<p>
-To be able to benefit from these defense mechanisms, you need to run a Linux
-kernel patched with the latest PaX code. The <a href="http://hardened.gentoo.org">Hardened Gentoo</a> project supports PaX and
-its parent project, grsecurity. The supported kernel package is
-<span class="code" dir="ltr">sys-kernel/hardened-sources</span>.
-</p>
-<p>
-The Gentoo/Hardened project has a <a href="pax-quickstart.html">Gentoo PaX Quickstart Guide</a>
-for your reading pleasure.
-</p>
-<p class="secthead"><a name="doc_chap3_sect2">Flags and Capabilities</a></p>
-<p>
-If your toolchain supports it, your binaries can have additional PaX flags in
-their Program Header. The following flags are supported:
-</p>
-<table class="ntable">
-<tr>
- <td class="infohead"><b>Flag</b></td>
- <td class="infohead"><b>Name</b></td>
- <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
- <td class="tableinfo">P</td>
- <td class="tableinfo">PAGEEXEC</td>
- <td class="tableinfo">
- Refuse code execution on writable pages based on the NX bit
- (or emulated NX bit)
- </td>
-</tr>
-<tr>
- <td class="tableinfo">S</td>
- <td class="tableinfo">SEGMEXEC</td>
- <td class="tableinfo">
- Refuse code execution on writable pages based on the
- segmentation logic of IA-32
- </td>
-</tr>
-<tr>
- <td class="tableinfo">E</td>
- <td class="tableinfo">EMUTRAMP</td>
- <td class="tableinfo">
- Allow known code execution sequences on writable pages that
- should not cause any harm
- </td>
-</tr>
-<tr>
- <td class="tableinfo">M</td>
- <td class="tableinfo">MPROTECT</td>
- <td class="tableinfo">
- Prevent the creation of new executable code to the process
- address space
- </td>
-</tr>
-<tr>
- <td class="tableinfo">R</td>
- <td class="tableinfo">RANDMMAP</td>
- <td class="tableinfo">
- Randomize the stack base to prevent certain stack overflow
- attacks from being successful
- </td>
-</tr>
-<tr>
- <td class="tableinfo">X</td>
- <td class="tableinfo">RANDEXEC</td>
- <td class="tableinfo">
- Randomize the address where the application maps to prevent
- certain attacks from being exploitable
- </td>
-</tr>
-</table>
-<p>
-The default Linux kernel also supports certain capabilities, grouped in the
-so-called <span class="emphasis">POSIX.1e Capabilities</span>. You can find a listing of those
-capabilities in our <a href="capabilities.html">POSIX Capabilities</a> document.
-</p>
-<p class="secthead"><a name="doc_chap3_sect3">Using pspax</a></p>
-<p>
-The <span class="code" dir="ltr">pspax</span> application, part of the <span class="code" dir="ltr">pax-utils</span> package, displays the
-run-time capabilities of all programs you have permission for. On Linux kernels
-with additional support for extended attributes (such as SELinux) those
-attributes are shown as well.
-</p>
-<p>
-When ran, <span class="code" dir="ltr">pspax</span> shows the following information:
-</p>
-<table class="ntable">
-<tr>
- <td class="infohead"><b>Column</b></td>
- <td class="infohead"><b>Description</b></td>
-</tr>
-<tr>
- <td class="tableinfo">USER</td>
- <td class="tableinfo">Owner of the process</td>
-</tr>
-<tr>
- <td class="tableinfo">PID</td>
- <td class="tableinfo">Process id</td>
-</tr>
-<tr>
- <td class="tableinfo">PAX</td>
- <td class="tableinfo">Run-time PaX flags (if applicable)</td>
-</tr>
-<tr>
- <td class="tableinfo">MAPS</td>
- <td class="tableinfo">Write/eXecute markings for the process map</td>
-</tr>
-<tr>
- <td class="tableinfo">ELF_TYPE</td>
- <td class="tableinfo">Process executable type: ET_DYN or ET_EXEC</td>
-</tr>
-<tr>
- <td class="tableinfo">NAME</td>
- <td class="tableinfo">Name of the process</td>
-</tr>
-<tr>
- <td class="tableinfo">CAPS</td>
- <td class="tableinfo">POSIX.1e capabilities (see note)</td>
-</tr>
-<tr>
- <td class="tableinfo">ATTR</td>
- <td class="tableinfo">Extended attributes (if applicable)</td>
-</tr>
-</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
-<span class="code" dir="ltr">pspax</span> only displays these capabilities when it is linked with
-the external capabilities library. This requires you to build <span class="code" dir="ltr">pax-utils</span>
-with -DWANT_SYSCAP.
+Due to the way in which <span class="code" dir="ltr">ldd</span> works you'll get all the libraries required
+at runtime, even those required by libraries you link to (and so on recursively)
+as a result <span class="code" dir="ltr">revdep-pax</span> will detect all dependencies in a single pass. If
+the behaviour of <span class="code" dir="ltr">ldd</span> changes so may change the behaviour of
+<span class="code" dir="ltr">revdep-pax</span>
</p></td></tr></table>
<p>
-By default, <span class="code" dir="ltr">pspax</span> does not show any kernel processes. If you want those
-to be taken as well, use the <span class="code" dir="ltr">-a</span> switch.
-</p>
-<p class="chaphead"><a name="dumpelf"></a><a name="doc_chap4"></a><span class="chapnum">4.
- </span>Programming with ELF files</p>
-<p class="secthead"><a name="doc_chap4_sect1">The dumpelf Utility</a></p>
-<p>
-With the <span class="code" dir="ltr">dumpelf</span> utility you can convert a ELF file into human readable C
-code that defines a structure with the same image as the original ELF file.
+The <span class="code" dir="ltr">scanelf</span> application is part of the <span class="code" dir="ltr">app-misc/pax-utils</span> package.
+With this application you can print out information specific to the ELF
+structure of a binary. The following table sums up the various options.
</p>
-<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
-<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: dumpelf example</p></td></tr>
-<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
-$ <span class="code-input">dumpelf /bin/hostname</span>
-#include &lt;elf.h&gt;
-
-<span class="code-comment">/*
- * ELF dump of '/bin/hostname'
- * 10276 (0x2824) bytes
- */</span>
-
-struct {
- Elf32_Ehdr ehdr;
- Elf32_Phdr phdrs[8];
- Elf32_Shdr shdrs[26];
-} dumpedelf_0 = {
-
-.ehdr = {
-<span class="code-comment">(... Output stripped ...)</span>
-</pre></td></tr>
-</table>
<br><p class="copyright">
The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
</p>
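Review bot: Code Listing 2.1 does not show what its title promises: it is titled "Propagating the PaX marks from the libraries", but its body is `mv /etc/grsec/learning.roles /etc/grsec/policy` and `chmod 0600 /etc/grsec/policy`, which installs a grsecurity RBAC policy and has nothing to do with revdep-pax; the actual revdep-pax invocation belongs here. In the paragraph above it, "check all the libraries linked statically by the binaries using ldd" is contradictory, because ldd lists the shared libraries a binary links dynamically; "dynamically" is what is meant. The paragraph re-added at the end of the hunk ("The scanelf application is part of the app-misc/pax-utils package ... The following table sums up the various options.") refers to the option table this same hunk deletes, so it is now a dangling reference and should be dropped or rewritten for revdep-pax. Minor: the last sentence of the note box has no terminating period, and "a llvm requiring graphics driver" reads better as "a graphics driver that requires LLVM".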
diff --git a/html/roadmap.html b/html/roadmap.html
index 17be1a3..e35467e 100644
--- a/html/roadmap.html
+++ b/html/roadmap.html
@@ -270,29 +270,15 @@ of the packages and standard policies.
<td class="infohead"><b>Related Bugs</b></td>
</tr>
<tr>
- <td class="tableinfo">Deprecate old policies</td>
- <td class="tableinfo">2011-11-10</td>
- <td class="tableinfo">done</td>
- <td class="tableinfo">SwifT</td>
- <td class="tableinfo"></td>
-</tr>
-<tr>
- <td class="tableinfo">Deprecate old profiles</td>
- <td class="tableinfo">2011-12-01</td>
- <td class="tableinfo">done</td>
- <td class="tableinfo">blueness</td>
- <td class="tableinfo"></td>
-</tr>
-<tr>
- <td class="tableinfo">Get mainstream packages the proper dependencies on the SELinux policies</td>
- <td class="tableinfo">2011-12-31</td>
+ <td class="tableinfo">Stabilize 20120215 policies</td>
+ <td class="tableinfo">2012-04-30</td>
<td class="tableinfo"></td>
<td class="tableinfo">SwifT</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Have SELinux-enabled stage3 available on the mirrors</td>
- <td class="tableinfo">2012-01-31</td>
+ <td class="tableinfo">2012-06-31</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
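Review bot: the new target date `2012-06-31` on the "Have SELinux-enabled stage3 available on the mirrors" row is not a valid date, since June has 30 days; 2012-06-30 was presumably intended.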
@@ -302,7 +288,7 @@ of the packages and standard policies.
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="roadmap.xml?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Page updated December 10, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated April 5, 2012</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
A roadmap that plots current needs and goals of the
Hardened Gentoo project.
diff --git a/html/selinux-faq.html b/html/selinux-faq.html
index 41695b4..29c7826 100644
--- a/html/selinux-faq.html
+++ b/html/selinux-faq.html
@@ -79,6 +79,7 @@ FAILED (crontabs/root)'</a></li>
<li><a href="#nosuid">Applications do not transition on a nosuid-mounted partition</a></li>
<li><a href="#auth-run_init">Why do I always need to re-authenticate when operating init scripts?</a></li>
<li><a href="#initramfs">How do I use SELinux with initramfs?</a></li>
+<li><a href="#xdm">Logons through xdm (or similar) fail</a></li>
</ul>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
</span>General SELinux Support Questions</p>
@@ -728,11 +729,35 @@ When enabled, enforcing mode cannot be disabled anymore (until you reboot).
# <span class="code-input">setsebool secure_mode_policyload on</span>
</pre></td></tr>
</table>
+<p class="secthead"><a name="xdm"></a><a name="doc_chap5_sect12">Logons through xdm (or similar) fail</a></p>
+<p>
+If you log on through xdm, gdm, kdm, slim or any other graphical logon manager,
+you might notice in permissive mode that your context is off, and in enforcing
+mode that you just cannot log on.
+</p>
+<p>
+The reason of this is that PAM needs to be configured to include SELinux
+awareness in your session handling:
+</p>
+<a name="doc_chap5_pre18"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.18: Updating pam setting for gdm</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+...
+session required pam_loginuid.so
+session optional pam_console.so
+<span class="code-input">session optional pam_selinux.so</span>
+</pre></td></tr>
+</table>
+<p>
+Replicate the calls towards <span class="path" dir="ltr">pam_selinux.so</span> in the various
+<span class="path" dir="ltr">/etc/pam.d/gdm*</span> files (or similar depending on your graphical
+logon manager).
+</p>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="pebenito@gentoo.org?style=printable">Print</a></p></td></tr>
-<tr><td class="topsep" align="center"><p class="alttext">Page updated February 26, 2012</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated April 5, 2012</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Frequently Asked Questions on SELinux integration with Gentoo Hardened.
The FAQ is a collection of solutions found on IRC, mailinglist, forums or
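Review bot: the new text tells the reader to "Replicate the calls towards pam_selinux.so in the various /etc/pam.d/gdm* files", but Code Listing 5.18 never names the file the excerpt is taken from, so there is no reference to replicate from; naming that file above the listing would make the instruction actionable. Grammar: "The reason of this" should be "The reason for this". Also visible in the unchanged context: the Print link's href is `pebenito@gentoo.org?style=printable`, an e-mail address rather than the page name, so it cannot produce a printable view.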
diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-install.html
index fc61177..9e97553 100644
--- a/html/selinux/hb-using-install.html
+++ b/html/selinux/hb-using-install.html
@@ -58,6 +58,7 @@ we recommend to switch to Python 2 until the packages are updated and fixed.
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Switching to python 2</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">emerge '&lt;=dev-lang/python-3.0'</span>
~# <span class="code-input">eselect python list</span>
Available Python interpreters:
[1] python2.7
@@ -184,6 +185,7 @@ The following changes <span class="emphasis">might</span> be necessary on your s
tools or configurations that apply.
</p>
<ul>
+
<li>
If you use LVM for one or more file systems, you need to edit
<span class="path" dir="ltr">/lib/rcscripts/addons/lvm-start.sh</span> (or <span class="path" dir="ltr">/lib64/..</span>)
@@ -200,6 +202,12 @@ tools or configurations that apply.
which mess up the file labelling. For instance, <span class="code" dir="ltr">cp /bin/hostname
/bin/hostname.old</span>.
</li>
+
+ <li>
+ Edit <span class="path" dir="ltr">/etc/sandbox.conf</span> and add in
+ <span class="path" dir="ltr">/sys/fs/selinux/context</span> to the <span class="code" dir="ltr">SANDBOX_WRITE</span> parameter.
+ This is currently needed to work around bug <a href="https://bugs.gentoo.org/410687">410687</a>.
+ </li>
</ul>
<p class="secthead"><a name="doc_chap1_sect1">Installing a SELinux Kernel</a></p>
<p>
@@ -560,7 +568,8 @@ access to the <span class="path" dir="ltr">/dev/urandom</span> device:
</table>
<p class="secthead"><a name="doc_chap1_sect1">Define the Administrator Accounts</a></p>
<p>
-Finally, we need to map the account(s) you use to manage your system (those
+If the <span class="code" dir="ltr">SELINUXTYPE</span> is set to <span class="code" dir="ltr">strict</span>, then we
+need to map the account(s) you use to manage your system (those
that need access to Portage) to the <span class="code" dir="ltr">staff_u</span> SELinux user. If not, none
of your accounts will be able to succesfully manage the system (except for
<span class="code" dir="ltr">root</span>, but then you will need to login as <span class="code" dir="ltr">root</span> directly and not
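Review bot: after this change the following sentence, "If not, none of your accounts will be able to succesfully manage the system", becomes ambiguous: it used to mean "if you do not map the accounts", but now it can be read as "if SELINUXTYPE is not strict", which contradicts the targeted-policy paragraph added further down in this file. Suggest "If you do not map them, none of your accounts ..." (and "succesfully" should be "successfully").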
@@ -596,11 +605,16 @@ staff_u:sysadm_r:sysadm_t
</pre></td></tr>
</table>
<p>
+If you however use a <span class="code" dir="ltr">targeted</span> policy, then the user you work with will be
+of type <span class="emphasis">unconfined_t</span> and will already have the necessary privileges to
+perform system administrative tasks.
+</p>
+<p>
With that done, enjoy - your first steps into the SELinux world are now made.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated January 29, 2012</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated April 10, 2012</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>
diff --git a/html/selinux/hb-using-troubleshoot.html b/html/selinux/hb-using-troubleshoot.html
index 983cc5a..c18afc1 100644
--- a/html/selinux/hb-using-troubleshoot.html
+++ b/html/selinux/hb-using-troubleshoot.html
@@ -95,6 +95,31 @@ selinux USE flag is in place, and reinstall <span class="path" dir="ltr">sys-app
the selinux USE flag is not in place, check your Gentoo profile and make sure it
points to a <span class="path" dir="ltr">selinux/v2refpolicy/...</span> profile.
</p>
+<p class="secthead"><a name="doc_chap1_sect1">Policy Store is Corrupt</a></p>
+<p>
+If you encounter problems during boot-up or <span class="code" dir="ltr">semodule</span> operations which
+fail with loading problems, but cannot be resolved with the above solution, then
+you might need to reinstall the policies after eliminating the corrupt store.
+</p>
+<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
+<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing1.1: Recovering from store corruption</p></td></tr>
+<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
+~# <span class="code-input">semodule -n -B</span>
+libsemanage.semanage_load_module: Error while reading from module file
+/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory)
+
+~# <span class="code-input">setenforce 0</span>
+~# <span class="code-input">mv /etc/selinux/targeted /etc/selinux/targeted.old</span>
+~# <span class="code-input">FEATURES="-selinux" emerge -1av $(qlist -IC sec-policy)</span>
+~# <span class="code-input">restorecon -R /etc/selinux</span>
+</pre></td></tr>
+</table>
+<p>
+This will effectively disable the current, corrupted SELinux policy store and
+then use Portage to reinstall all SELinux policy packages that are installed on
+the system. When done, the file contexts of <span class="path" dir="ltr">/etc/selinux</span> are
+restored, after which you should be able to continue.
+</p>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Unable to Log On</p>
<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p>
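Review bot: the recovery procedure in Code Listing 1.1 hardcodes the targeted store (`mv /etc/selinux/targeted /etc/selinux/targeted.old`) while the handbook also covers strict, so the prose should say the directory must match the SELINUXTYPE in use. The listing runs `setenforce 0` but never switches back, so the closing paragraph should tell the reader to return to enforcing mode (setenforce 1) once the reinstall and restorecon succeed; as written the system is left permissive. The new section also reuses the anchor name doc_chap1_sect1, which the unchanged "Problem Description" heading below uses as well, so in-page links to that anchor become ambiguous.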
@@ -267,7 +292,7 @@ disable its SELinux support. To relabel the entire file system, use <span class=
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
-<tr><td class="topsep" align="center"><p class="alttext">Page updated December 11, 2011</p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Page updated April 10, 2012</p></td></tr>
<tr lang="en"><td align="center" class="topsep">
<p class="alttext"><b>Donate</b> to support our development efforts.
</p>