We are working on the Fedora SELinux FAQ

Stephen Smalley sds at tycho.nsa.gov
Mon Jan 25 15:28:22 UTC 2010


On Sat, 2010-01-23 at 00:48 +0100, Dominick Grift wrote:
> On 01/22/2010 01:48 PM, Daniel J Walsh wrote:
> > Any comments?  What should we add?  What should we remove?
> > 
> > http://sradvan.fedorapeople.org/SELinux_FAQ/#id2654720
> > 
> > 
> > Dan
> 
> 
> 00:24 < dgrift> reading http://sradvan.fedorapeople.org/SELinux_FAQ/
> 
> 00:25 < dgrift> two comments. first one I think most will agree with
> regard to "Now, su/sudo only change the Linux identity."
> 00:25 < dgrift> sudo does domain transitions afaik (I use it every day)
> 00:27 < dgrift> it's easier by default than the newrole command with su,
> as this requires you to type two passwords: one to identify as the
> user (newrole) and one to identify as root (su)
> 
> 00:28 < dgrift> second comment I do not think many will agree with and I don't
> know why: "What is the difference between a domain and a type?"
> 00:28 < dgrift> a domain is not a type. a domain type is a type
> 00:29 < dgrift> a domain is like an environment: it is all the rules
> where a particular domain type is the source in an interaction.

The term "domain" was used in the original descriptions of Type
Enforcement to refer to the subject/process security label, while "type"
was used for the object security label.  In SELinux, we dropped the
distinction and used "type" for everything, but continue to call types
that are used as subject/process labels "domains" or "domain types".

http://www.nsa.gov/research/_files/selinux/papers/policy2/x86.shtml
http://www.nsa.gov/research/_files/selinux/papers/ottawa01/node3.shtml

> 00:38 < dgrift> "How do I enable/disable SELinux protection on specific
> daemons under the targeted policy?" that answer also does not
> apply on all systems.
> 00:39 < dgrift> workaround is to label apache's executable file with type
> bin_t. That will cause apache to run in the init script
> domain/environment, which is unconfined by default
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-- 
Stephen Smalley
National Security Agency
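Added example, not part of this thread or of any SELinux project code: a small Python model of how the domain of a process is chosen at exec() time. It illustrates the two points discussed above, that a "domain" is nothing more than a type that labels a process (a type carrying the `domain` attribute), and that the new domain is selected by a `type_transition` rule keyed on the caller's domain and the type of the executable, so an executable relabelled from `httpd_exec_t` to `bin_t` matches no rule and the process simply stays in the init script's domain. The policy rules, contexts and the `Context`/`Policy` classes are constructed for this example; the real kernel also checks `execute`, `process transition` and role permissions, which are omitted here.

```python
# Added example (constructed toy model, not real SELinux policy or code):
# how a process's domain is decided on exec().
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context in user:role:type:level form (level optional)."""
    user: str
    role: str
    type: str
    level: str = "s0"

    @classmethod
    def parse(cls, text: str) -> "Context":
        parts = text.split(":", 3)
        if len(parts) < 3 or not all(parts[:3]):
            raise ValueError(f"not a security context: {text!r}")
        if len(parts) == 3:          # no MLS/MCS level present
            parts.append("s0")
        return cls(*parts)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


@dataclass
class Policy:
    domain_types: frozenset      # types carrying the 'domain' attribute
    transitions: dict            # (caller domain, exec file type) -> new domain
    entrypoints: frozenset       # (domain, file type) pairs allowed 'entrypoint'

    def is_domain(self, type_name: str) -> bool:
        """A 'domain' is just a type used to label processes."""
        return type_name in self.domain_types

    def exec_transition(self, proc: Context, exe: Context) -> Context:
        """Context of the new process after `proc` executes the file `exe`.

        Simplified: only the type_transition lookup and the entrypoint
        check are modelled; execute/transition permissions are not.
        """
        new_type = self.transitions.get((proc.type, exe.type))
        if new_type is None:
            return proc              # no rule: stay in the caller's domain
        if (new_type, exe.type) not in self.entrypoints:
            raise PermissionError(f"{exe.type} is not an entrypoint for {new_type}")
        return Context(proc.user, proc.role, new_type, proc.level)


# Constructed policy fragment for the example (hypothetical rule set).
TOY_POLICY = Policy(
    domain_types=frozenset({"init_t", "initrc_t", "httpd_t", "unconfined_t"}),
    transitions={
        ("init_t", "initrc_exec_t"): "initrc_t",
        ("initrc_t", "httpd_exec_t"): "httpd_t",
        ("unconfined_t", "httpd_exec_t"): "httpd_t",
    },
    entrypoints=frozenset({("initrc_t", "initrc_exec_t"),
                           ("httpd_t", "httpd_exec_t")}),
)


def domain_after_exec(proc_ctx: str, file_ctx: str,
                      policy: Policy = TOY_POLICY) -> str:
    """Return the domain (type field) a process ends up in after exec."""
    return policy.exec_transition(Context.parse(proc_ctx),
                                  Context.parse(file_ctx)).type


if __name__ == "__main__":
    init_script = "system_u:system_r:initrc_t:s0"
    for label in ("system_u:object_r:httpd_exec_t:s0",
                  "system_u:object_r:bin_t:s0"):
        print(f"{label} -> {domain_after_exec(init_script, label)}")
    for t in ("httpd_t", "httpd_exec_t", "bin_t"):
        print(f"{t}: {'domain' if TOY_POLICY.is_domain(t) else 'not a domain'}")
```

Running it shows `httpd_exec_t` sending the init script into `httpd_t`, while `bin_t` leaves it in `initrc_t`; and that `httpd_t` is a domain only because it is listed as a process type, not because it is a different kind of object from `httpd_exec_t` or `bin_t`.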