selinux-faq selinux-faq-en.xml,1.25,1.26
Karsten Wade
kwade at redhat.com
Sat Feb 4 18:25:48 UTC 2006
BTW, there is a freeze date of 10 Feb. Midnight UTC for getting guides,
such as this one, translated. Plan to get all of your FC5 changes in by
that date. We'll tag a freeze at that point, and you can continue
writing at that point. We'll arrange translation freezes for new
content later, such as the final FC5 content freeze for guides on 03
Mar.
On Fri, 2006-02-03 at 17:41 -0500, Chad Sellers wrote:
> Author: csellers
>
> Update of /cvs/docs/selinux-faq
> In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2745
>
> Modified Files:
> selinux-faq-en.xml
> Log Message:
> First cut at an CF5 FAQ. Still missing several necessary new items, but
> old items should be consistent with FC5 now.
>
>
>
> Index: selinux-faq-en.xml
> ===================================================================
> RCS file: /cvs/docs/selinux-faq/selinux-faq-en.xml,v
> retrieving revision 1.25
> retrieving revision 1.26
> diff -u -r1.25 -r1.26
> --- selinux-faq-en.xml 29 Jun 2005 14:51:04 -0000 1.25
> +++ selinux-faq-en.xml 3 Feb 2006 22:40:55 -0000 1.26
> @@ -6,11 +6,11 @@
> <!ENTITY % FEDORA-ENTITIES-EN SYSTEM "../docs-common/common/fedora-entities-en.ent">
> %FEDORA-ENTITIES-EN;
>
> -<!ENTITY BOOKID "selinux-faq-1.3-8 (2005-01-20-T16:20-0800)"> <!-- version of manual and date -->
> +<!ENTITY DOCID "selinux-faq-1.5-1 (2005-12-30-T12:21-0500)"> <!-- version of manual and date -->
>
> <!-- ************** local entities *********** -->
> <!ENTITY APACHE "Apache HTTP">
> -<!ENTITY LOCALVER "3"> <!-- Set value to your choice, when guide version is out -->
> +<!ENTITY LOCALVER "5"> <!-- Set value to your choice, when guide version is out -->
> <!-- of sync with FC release, use instead of FEDVER or FEDTESTVER -->
> <!ENTITY BUG-URL
> "https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora%20Core&op_sys=Linux&version=fc3&component=fedora-docs&component_text=&rep_platform=All&priority=normal&bug_severity=normal&bug_status=NEW&assigned_to=kwade%40redhat.com&cc=&estimated_time=0.0&bug_file_loc=http%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq-fc3%2F&short_desc=SELinux%20FAQ%20-%20%5Bsummarize%20FAQ%20change%20or%20addition%5D&comment=Description%20of%20change%2FFAQ%20addition.%20%20If%20a%20change%2C%20include%20the%20original%0D%0Atext%20first%2C%20then%20the%20changed%20text%3A%0D%0A%0D%0A%0D%0A%0D%0AVersion-Release&percn!
> t;20of%20FAQ%20%28found%20on%0D%0Ahttp%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq-fc3%2Fln-legalnotice.html%29%2C%0D%0Afor%20example%3A%0D%0A%0D%0A%20%20selinux-faq-1.3-8%20%282005-01-20-T16%3A20-0800%29%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A&keywords=&dependson=&blocked=118757%20%20&maketemplate=Remember%20values%20as%20bookmarkable%20template&form_name=enter_bug">
> @@ -28,6 +28,10 @@
> <surname>Wade</surname>
> <firstname>Karsten</firstname>
> </author>
> + <author>
> + <surname>Sellers</surname>
> + <firstname>Chad</firstname>
> + </author>
> </authorgroup>
> &LEGALNOTICE;
> </articleinfo>
> @@ -43,8 +47,9 @@
> <note>
> <title>This FAQ is specific to &FC; &LOCALVER;</title>
> <para>
> - If you are looking for the FAQ for &FC; 2, refer to <ulink
> - url="http://fedora.redhat.com/docs/selinux-faq-fc2/" />.
> + If you are looking for the FAQ for &FC; 2 or &FC; 3, refer to <ulink
> + url="http://fedora.redhat.com/docs/selinux-faq-fc2/" /> or <ulink
> + url="http://fedora.redhat.com/docs/selinux-faq-fc3/" />, respectively.
> </para>
> </note>
> <para>
> @@ -80,13 +85,29 @@
> </listitem>
> <listitem>
> <para>
> - Writing SE Linux policy HOWTO — <ulink
> + Writing traditional SE Linux policy HOWTO — <ulink
> url="https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266"
> />
> </para>
> </listitem>
> <listitem>
> <para>
> + Reference Policy (the new policy found in &FC; 5) — <ulink
> + url="http://serefpolicy.sourceforge.net/"
> + />
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + SELinux policy development training courses — <ulink
> + url="http://tresys.com/services/training.shtml"
> + /> and <ulink
> + url="https://www.redhat.com/training/security/courses/rhs429.html"
> + />
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> Getting Started with SE Linux HOWTO: the new SE Linux (Debian) —
> <ulink
> url="https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266" />
> @@ -94,6 +115,13 @@
> </listitem>
> <listitem>
> <para>
> + List of SELinux object classes and permissions —
> + <ulink
> + url="http://tresys.com/selinux/obj_perms_help.shtml" />
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> On IRC — irc.freenode.net, #fedora-selinux
> </para>
> </listitem>
> @@ -110,7 +138,7 @@
> <title>Making changes/additions to the &FED; &SEL; FAQ</title>
> <para>
> This FAQ is available at <ulink
> - url="http://fedora.redhat.com/docs/selinux-faq-fc3/">http://fedora.redhat.com/docs/selinux-faq-fc3/</ulink>.
> + url="http://fedora.redhat.com/docs/selinux-faq-fc5/">http://fedora.redhat.com/docs/selinux-faq-fc5/</ulink>.
> </para>
> <para>
> For changes or additions to the &FED; &SEL; FAQ, use this <ulink
> @@ -224,29 +252,49 @@
> delivered in a package, with an associated source package. Current
> shipping policy packages are:
> </para>
> + <itemizedlist>
> + <listitem>
> + <para><filename>selinux-policy-<replaceable><version></replaceable>.noarch.rpm</filename>
> + </para>
> + </listitem>
> + </itemizedlist>
> + <para>
> + This package is common to all types of policy and contains config
> + files/man pages.
> + </para>
> + <itemizedlist>
> + <listitem>
> + <para><filename>selinux-policy-devel-<replaceable><version></replaceable>.noarch.rpm</filename>
> + </para>
> + </listitem>
> + </itemizedlist>
> + <para>
> + This is the development environment. This replaces the -sources
> + package from the past. This package contains the interface files
> + used in reference policy along with a Makefile and a small tool
> + used to generate a policy template file. The interface files
> + reside in /usr/share/selinux/refpolicy/headers directory.
> + </para>
> <itemizedlist>
> <listitem>
> - <para><filename>selinux-policy-strict-<replaceable><version-arch></replaceable>.rpm</filename>
> - and
> - <filename>selinux-policy-strict-sources-<replaceable><version-arch></replaceable>.rpm</filename>
> + <para><filename>selinux-policy-strict-<replaceable><version></replaceable>.noarch.rpm</filename>
> </para>
> </listitem>
> <listitem>
> <para>
> - <filename>selinux-policy-targeted-<replaceable><version-arch></replaceable>.rpm</filename>
> - and
> - <filename>selinux-policy-targeted-sources-<replaceable><version-arch></replaceable>.rpm</filename>
> + <filename>selinux-policy-targeted-<replaceable><version></replaceable>.noarch.rpm</filename>
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + <filename>selinux-policy-mls-<replaceable><version></replaceable>.noarch.rpm</filename>
> </para>
> </listitem>
> </itemizedlist>
> <para>
> - Policy source resides in
> - <filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy</filename>,
> - when it is installed, and the binary policy file is in
> - <filename>/etc/selinux/<replaceable>policyname</replaceable>/policy</filename>.
> - Policy source is not required for ultra-minimal installations. The
> - policy for the types and domains is configured separately from
> - security context for the subjects and objects.
> + Binary policy files are in /etc/selinux/policyname. The policy for the
> + types and domains is configured separately from security context for the
> + subjects and objects.
> </para>
> </answer>
> </qandaentry>
> @@ -374,6 +422,47 @@
> <qandaentry>
> <question>
> <para>
> + What is the mls policy? Who is it for?
> + </para>
> + </question>
> + <answer>
> + <para>
> + The mls policy is similar to the strict policy, but adds an additional
> + field to security contexts for separating levels. These levels can be
> + used to separate data in an environment that calls for strict
> + hierarchical separation. The most common example of this is a military
> + setting where data is classified at a certain level. This policy is
> + geared toward these sorts of users, and is probably not useful to
> + you unless you fall into this category.
> + </para>
> + </answer>
> + </qandaentry>
> + <qandaentry id="faq-entry-whatis-refpolicy" xreflabel="Reference Policy">
> + <question>
> + <para>
> + What is the Reference Policy?
> + </para>
> + </question>
> + <answer>
> + <para>
> + The Reference Policy
> + is a new project designed to rewrite the entire SELinux policy in a
> + way that is easier to use and understand. To do this, it uses
> + the concepts of modularity, abstraction, and well-defined interfaces.
> + See <ulink
> + url="http://serefpolicy.sourceforge.net/">it's project page</ulink>
> + for more information on it.
> + </para>
> + <para>
> + Fedora policies at version 1.x are based on the traditional example
> + policy. Policies version 2.x (as used in &FC; &LOCALVER;) are based
> + on the Reference Policy.
> + </para>
> + </answer>
> + </qandaentry>
> + <qandaentry>
> + <question>
> + <para>
> What are file contexts?
> </para>
> </question>
> @@ -423,8 +512,8 @@
> <para>
> There is no difference between a domain and a type, although
> domain is sometimes used to refer to the type of a process. The
> - use of domain in this way stems from traditional TE models, where
> - domains and types are separate.
> + use of domain in this way stems from Domain and Type Enforcement (DTE)
> + models, where domains and types are separate.
> </para>
> </answer>
> </qandaentry>
> @@ -796,7 +885,7 @@
> kernel command line to turn system-call auditing off.
> </para>
> <para>
> - System-call auditing is off by default. When on, it provides
> + System-call auditing is on by default. When on, it provides
> information about the system-call that was executing when SELinux
> generated a <computeroutput>denied</computeroutput> message. This
> may be helpful when debugging policy.
> @@ -812,8 +901,8 @@
> </question>
> <answer>
> <para>
> - This is not supported at this time. In the future, a utility will
> - be provided to tune auditing.
> + To do this, run <command>auditctl -e 0</command>. Note that this
> + will not affect auditing of SELinux AVC denials.
> </para>
> </answer>
> </qandaentry>
> @@ -1000,9 +1089,9 @@
> You can create your new user with the standard
> <command>useradd</command> command. First you must become root;
> under the strict policy you will need to change role to
> - <computeroutput>sysadm_r</computeroutput>. This context switch
> - has been incorporated into the <command>su</command> command and
> - occurs automatically. For the targeted policy, you will not need
> + <computeroutput>sysadm_r</computeroutput> using
> + <computeroutput>newrole -r sysadm_r</computeroutput>
> + For the targeted policy, you will not need
> to switch roles, staying in
> <computeroutput>unconfined_t</computeroutput>:
> </para>
> @@ -1024,7 +1113,7 @@
> </para>
> </answer>
> </qandaentry>
> - <qandaentry>
> +<!-- <qandaentry>
> <question>
> <para>
> All of the other &SEL; documentation states that the
> @@ -1052,7 +1141,7 @@
> change.
> </para>
> </answer>
> - </qandaentry>
> + </qandaentry> -->
> <qandaentry>
> <question>
> <para>
> @@ -1104,12 +1193,14 @@
> </para>
> </answer>
> </qandaentry>
> + <!-- Need to modify this to work with new policy sources, or find
> + a better method than modifying all source
> <qandaentry>
> <question>
> <para>
> I get a specific permission denial only when &SEL; is in enforcing
> mode, but I don't see any audit messages in
> - <filename>/var/log/messages</filename>. How can I identify the
> + <filename>/var/log/audit/audit.log</filename>. How can I identify the
> cause of these silent denials?
> </para>
> </question>
> @@ -1155,7 +1246,7 @@
> <command>cd /etc/selinux/targeted/src/policy
> make clean
> make load</command>
> -</screen>
> +</screen> -->
> <!-- commented out just in case it needs to be rewritten and included:
> <para>
> Another reason for getting silent denials is on an
> @@ -1180,9 +1271,9 @@
>
> audit(1083674459.837:0): security_compute_sid: invalid context root:sysadm_r:system_chkpwd_t for scontext=root:sysadm_r:newrole_t tcontext=system_u:object_r:chkpwd_exec_t tclass=process
>
> --->
> </answer>
> </qandaentry>
> +-->
> <qandaentry>
> <question>
> <para>
> @@ -1246,18 +1337,7 @@
> changes in the updated policy.
> </para>
> <para>
> - If you have installed the policy source packages, e.g.
> - <filename>selinux-policy-strict</filename>, you can execute these
> - commands to relabel the file system.
> - </para>
> -<screen>
> -<command>cd /etc/selinux/targeted/src/policy
> -make
> -make relabel
> -reboot</command>
> -</screen>
> - <para>
> - If you aren't using policy sources, another approach is to use the
> + To relabel, use the
> <command>fixfiles</command> command or take advantage of the
> <filename>/.autorelabel</filename> mechanism:
> </para>
> @@ -1288,6 +1368,8 @@
> </para>
> </answer>
> </qandaentry>
> + <!-- Source package doesn't exist any more
> + Is there something similar now?
> <qandaentry>
> <question>
> <para>
> @@ -1296,11 +1378,13 @@
> </para>
> </question>
> <answer>
> + -->
> <!--
> thanks to "Gene C." <czar czarc net> for authoring the
> original answer in
> http://www.redhat.com/archives/fedora-test-list/2004-April/msg00755.html
> -->
> + <!--
> <para>
> A policy package such as
> <filename>selinux-policy-targeted</filename> is a requirement for
> @@ -1338,6 +1422,7 @@
> file as well as the <filename>file_contexts</filename> file, then
> loads them as the currently effective policy.
> </para>
> + -->
>
> <!-- not sure if currently still an issue, or how to rephrase
> <caution>
> @@ -1351,32 +1436,28 @@
> </para>
> </caution>
> -->
> + <!--
> </answer>
> </qandaentry>
> + -->
> <qandaentry>
> <!--
> http://www.redhat.com/archives/fedora-selinux-list/2004-May/msg00061.html
> -->
> <question>
> <para>
> - Why do the files
> + Why do binary policies (e.g.
> <filename>/etc/selinux/<replaceable>policyname</replaceable>/policy/policy.<<replaceable>version</replaceable>></filename>
> - and
> - <filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy/policy.<<replaceable>version</replaceable>></filename>
> - have different (sizes, md5sums, dates)?
> + distributed with Fedora and those I compile myself have different sizes
> + and md5sums?
> </para>
> </question>
> <answer>
> <para>
> When you install a policy package, pre-compiled binary policy
> files are put directly into <filename>/etc/selinux</filename>.
> - When a policy source package is installed or updated, binary
> - policy files are built in
> - <filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy</filename>,
> - then moved to
> - <filename>/etc/selinux/<replaceable>policyname</replaceable>/policy/</filename>.
> The different build environments will make target files that have
> - different sizes, md5sums, and dates.
> + different sizes, md5sums.
> </para>
> </answer>
> </qandaentry>
> @@ -1409,39 +1490,94 @@
> </question>
> <answer>
> <para>
> - Your help is definitely appreciated. You can start by joining the
> - &SEL; mailing list, <ulink
> - url="mailto:fedora-selinux-list at redhat.com">fedora-selinux-list at redhat.com</ulink>;
> - you can subscribe and read the archives at <ulink
> - url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">http://www.redhat.com/mailman/listinfo/fedora-selinux-list</ulink>.
> - The UnOfficial FAQ has some generic policy writing HOWTO
> - information (<ulink
> - url="http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266#BSP.1">http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266#BSP.1</ulink>).
> - Another new resource is the Writing SE Linux policy HOWTO (<ulink
> - url="https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266">https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266</ulink>).
> + Your help is definitely appreciated.
> + <itemizedlist>
> + <listitem>
> + <para>
> + You can start by joining the
> + &FED; &SEL; mailing list, <ulink
> + url="mailto:fedora-selinux-list at redhat.com">fedora-selinux-list at redhat.com</ulink>;
> + you can subscribe and read the archives at <ulink
> + url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">http://www.redhat.com/mailman/listinfo/fedora-selinux-list</ulink>.
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + The UnOfficial FAQ has some generic policy writing HOWTO
> + information (<ulink
> + url="http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266#BSP.1">http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266#BSP.1</ulink>).
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + Another new resource is the Writing SE Linux policy HOWTO (<ulink
> + url="https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266">https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266</ulink>).
> + </para>
> + </listitem>
> + </itemizedlist>
> + Also, since the &FC; &LOCALVER; policy is based on the <xref linkend="faq-entry-whatis-refpolicy"/>,
> + you should look at the documentation on its project page.
> </para>
> <para>
> Your best bet is to look at the policy files in
> - <filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy/</filename>
> - and try experiments. Watch the <computeroutput>avc
> - denied</computeroutput> messages in
> - <filename>/var/log/messages</filename> for clues.
> - </para>
> - <para>
> - A useful tool for the policy writer is
> - <command>/usr/bin/audit2allow</command>, which translates
> - <computeroutput>avc</computeroutput> messages from
> - <filename>/var/log/messages</filename> into rules that can be used
> - by &SEL;. These rules will likely need to be cleaned up.
> - </para>
> - <para>
> - The command <command>audit2allow</command> can receive input via
> - three methods. Default is from standard input
> - (<firstterm>STDIN</firstterm>). Using the <option>-i</option>
> - option reads input from <filename>/var/log/messages</filename>,
> - and the <option>-d</option> option reads input from
> - <command>dmesg</command> output.
> + <filename>/usr/share/doc/selinux-policy-<replaceable>>version<</replaceable></filename>
> + which shows examples of policy.
> </para>
> + <para>
> + If you want to write a new policy domain, you should install the
> + selinux-policy-devel package. This will place reference policy
> + interface files into the
> + <filename>/usr/share/selinux/refpolicy directory</filename>.
> + </para>
> + <para>
> + There is also a tool there to help you get started. You can use
> + the tool <command>policygentool</command> to generate your own
> + <filename>te</filename>, <filename>fc</filename>
> + and <filename>if</filename> file.
> + This tool takes two parameters: the Name of the policy module
> + (mydaemon) and the full path to the executable
> + (<filename>/usr/sbin/mydaemon</filename>). This will create three
> + files <filename>mydaemon.te</filename>,
> + <filename>mydaemon.fc</filename> and
> + <filename>mydaemon.if</filename>.
> + After you generate the policy files,
> + use the supplied Makefile,
> + <filename>/usr/share/selinux/refpolicy/Makefile</filename>,
> + build a policy package (<filename>mydaemon.pp</filename>). Now
> + you can load the policy
> + module, using <command>semodule</command>, and relabel the
> + executable using
> + <filename>restorecon</filename>. Since you have very limited
> + policy for your
> + executeable, SELinux will prevent it from doing much. So you need
> + to turn on permissive mode and then use the init script to start
> + your daemon. Now you can start collect avc messages. You can use
> + <command>audit2allow</command> to translate the avc messages to
> + allow rules and begin
> + updating you <filename>mydaemon.te</filename> file. You should
> + search for interface
> + macros in the <filename>/etc/selinux/refpolicy/include</filename>
> + directory and use
> + these instead of using the allow rules directly, whenever
> + possible. If you want more examples of polcy, you could always
> + install the selinux-policy src rpm, which contains all of the
> + policy te files for the reference policy.
> + </para>
> +<screen>
> +<command># /usr/share/selinux/refpolicy/policygentool mydaemon /usr/sbin/mydaemon
> +# make -f /usr/share/selinux/refpolicy/Makefile
> +m4 /usr/share/selinux/refpolicy/include/all_perms.spt /usr/share/selinux/refpolicy/include/loadable_module.spt /usr/share/selinux/refpolicy/include/misc_macros.spt
> +...
> +/usr/share/selinux/refpolicy/include/obj_perm_sets.spt mydaemon.fc > tmp/mydaemon.mod.fc
> +Creating targeted mydaemon.pp policy package
> +/usr/bin/semodule_package -o mydaemon.pp -m tmp/mydaemon.mod -f tmp/mydaemon.mod.fc
> +rm tmp/mydaemon.mod.fc tmp/mydaemon.mod
> +# semodule -i mydaemon.pp
> +# restorecon -v /usr/sbin/mydaemon
> +restorecon reset /usr/sbin/mydaemon context user_u:object_r:sbin_t->system_u:object_r:mydaemon_exec_t
> +# setenforce 1
> +# service mydaemon restart</command>
> +</screen>
> </answer>
> </qandaentry>
> <qandaentry>
> @@ -1552,6 +1688,12 @@
> ext2/ext3, XFS has recently added support for the necessary
> labels.
> </para>
> + <para>
> + Note that XFS SELinux support is broken in upstream kernel
> + 2.6.14 and 2.6.15, but fixed (worked around)
> + in 2.6.16. So, make sure your kernel includes this fix if
> + you choose to use XFS.
> + </para>
> </answer>
> </qandaentry>
> <qandaentry>
> @@ -1636,10 +1778,11 @@
> url="mailto:fedora-selinux-list at redhat.com">fedora-selinux-list at redhat.com</ulink>)
> for discussion.
> </para>
> + <!-- Add policy modules section -->
> + <!-- Add managed policy section -->
> </answer>
> </qandaentry>
> </qandadiv>
> </qandaset>
> </section>
> </article>
> -
>
> --
> Fedora-docs-commits mailing list
> Fedora-docs-commits at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-docs-commits
--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Content Services Fedora Documentation Project
http://www.redhat.com/docs http://fedoraproject.org/wiki/DocsProject
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-docs-list/attachments/20060204/109ff5c1/attachment.sig>
More information about the fedora-docs-list
mailing list