selinux-faq/en_US selinux-faq.xml,1.11,1.12
Chad Sellers (csellers)
fedora-docs-commits at redhat.com
Fri Apr 28 16:57:27 UTC 2006
Author: csellers
Update of /cvs/docs/selinux-faq/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7060
Modified Files:
selinux-faq.xml
Log Message:
added basic FAQ entry for administrator configuration, addressed bz#144696 and bz#147915
Index: selinux-faq.xml
===================================================================
RCS file: /cvs/docs/selinux-faq/en_US/selinux-faq.xml,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- selinux-faq.xml 20 Apr 2006 20:16:03 -0000 1.11
+++ selinux-faq.xml 28 Apr 2006 16:57:25 -0000 1.12
@@ -714,6 +714,82 @@
</para>
</answer>
</qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ As an administrator, what do I need to do to configure &SEL; for
+ my system?
+ </para>
+ </question>
+ <answer>
+ <para>
+ The answer might be nothing. There are many Fedora users that
+ don't even realize that they are using SELinux. SELinux provides
+ protection for their systems with an out-of-the-box
+ configuration. That said, there are a couple of things an
+ administrator might want to do to configure their system. These
+ include:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>booleans</term>
+ <listitem>
+ <para>
+ Booleans are settings that can be flipped to alter SELinux
+ policy behavior without having to write new policy. There
+ are many booleans that can be set in Fedora, and they allow
+ an administrator to configure SELinux to a great degree.
+ To view the available booleans and modify their settings,
+ use <command>system-config-securitylevel</command> or the
+ command line tool <command>setsebool</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>setting customizable file contexts</term>
+ <listitem>
+ <para>
+ Files on an SELinux system have a security context which
+ is stored in the extended attribute of the file (behavior
+ can vary from filesystem to filesystem, but this is how
+ ext3 works). These are set by <command>rpm</command>
+ automatically, but sometimes a user might want to set a
+ particular context on a file. An example would be setting
+ the context on a <filename>public_html</filename> directory
+ so that <command>apache</command> can access it, as
+ illustrated in
+ <xref linkend="faq-entry-public_html"/>.
+ </para>
+ <para>
+ For a list of types that you might want to assign to files,
+ see
+ <filename>/etc/selinux/targeted/contexts/customizable_types</filename>.
+ These are types commonly assigned to files by users and
+ administrators. To set these, use the
+ <command>chcon</command> command. Note that the types in
+ <filename>customizable_types</filename> are
+ also preserved after a relabel, so relabeling the system
+ will not undo this.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>making badly behaving libraries work</term>
+ <listitem>
+ <para>
+ There are many libraries around that behave badly and try
+ to break the memory protections SELinux provides. These
+ libraries should really be fixed, so please file a bug with
+ the library maintainer. That said, they can be made to
+ work. More information and solutions to make the libraries
+ work can be found in
+ <xref linkend="faq-entry-unconfined_t"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </answer>
+ </qandaentry>
<qandaentry id="qa-using-s-c-securitylevel" xreflabel="How to use system-config-securitylevel">
<question>
<para>
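Review bot: In the booleans entry, the sentence "To view the available booleans and modify their settings, use system-config-securitylevel or the command line tool setsebool" credits setsebool with viewing, but setsebool only changes values. Listing is done with getsebool (getsebool -a), so the entry should name both tools. It should also say that setsebool needs -P for the change to persist across reboots, since an administrator who follows the text as written will see the setting revert. Separately, the new qandaentry has no id, unlike the entry that follows it (id="qa-using-s-c-securitylevel"), so other entries cannot link to it with xref.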
@@ -1239,7 +1315,7 @@
</procedure>
</answer>
</qandaentry>
- <qandaentry>
+ <qandaentry id="faq-entry-public_html" xreflabel="How do I make a user public_html directory work under SELinux">
<question>
<para>
How do I make a user <filename>public_html</filename> directory
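Review bot: The new id="faq-entry-public_html" uses a different prefix from the existing id visible earlier in this file, "qa-using-s-c-securitylevel". Pick one naming scheme for qandaentry ids (for example qa-public-html) and update the matching linkend in the new administrator entry, so later cross-references do not have to guess which prefix an entry uses.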
@@ -2215,7 +2291,7 @@
</para>
</answer>
</qandaentry>
- <qandaentry>
+ <qandaentry id="faq-entry-unconfined_t" xreflabel="I have a process running as unconfined_t, and SELinux is still preventing my application from running">
<question>
<para>
I have a process running as
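Review bot: The xreflabel on this qandaentry is the full question text, and it is rendered inline by the xref added in the first hunk, so the sentence becomes "More information and solutions to make the libraries work can be found in I have a process running as unconfined_t, and SELinux is still preventing my application from running." Use a short noun-phrase label here that reads cleanly inside a sentence, and keep the full question in the question element only.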