selinux-faq/en_US doc-entities.xml, NONE, 1.1 selinux-faq.xml, NONE, 1.1
by fedora-docs-commits@redhat.com
Author: kwade
Update of /cvs/docs/selinux-faq/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26362/en_US
Added Files:
doc-entities.xml selinux-faq.xml
Log Message:
This should modify the module to meet modern standards; unless I forgot to add something. Build requires FC4 or later, as it needs DocBook XML 4.4.
--- NEW FILE doc-entities.xml ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE entities SYSTEM "../../docs-common/common/entities/entities.dtd">
<entities>
<title>These entities are absolutely essential in this document.</title>
<group name="Example Tutorial Entities">
<entity name="LOCAL-ENT">
<comment>A per-document entity</comment>
<text><wordasword>Per-document Entity</wordasword>
</text>
</entity>
<entity name="DOCNAME">
<comment>Should match the name of this module</comment>
<text>selinux-faq</text>
</entity>
<entity name="DOCVERSION">
<comment>Last revision number, bump when you change the doc</comment>
<text>1.5.2</text>
</entity>
<entity name="DOCDATE">
<comment>Last revision date, format YYYY-MM-DD</comment>
<text>2006-02-10</text>
</entity>
<entity name="DOCID">
<comment>Same for every document</comment>
<text>
<use entity="DOCNAME"/>-<use entity="DOCVERSION"/> (<use
entity="DOCDATE"/>)</text>
</entity>
<entity name="BUG-URL">
<comment>Useful pre-filled bug report; note the changes of the
ampersand and percentage characters to their entity equivalent.
</comment>
<text>https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora&per...!
;percnt;20first&percnt;2C&percnt;20then&percnt;20the&percnt;20changed&percnt;20text&percnt;3A&percnt;20&percnt;5D&percnt;5D&percnt;0D&percnt;0A&percnt;0D&percnt;0A&percnt;0D&percnt;0A&percnt;5B&percnt;5B&percnt;20Version-Release&percnt;20of&percnt;20FAQ&percnt;20&percnt;0D&percnt;0A&percnt;28found&percnt;20on&percnt;0D&percnt;0Ahttp&percnt;3A&percnt;2F&percnt;2Ffedora.redhat.com&percnt;2Fdocs&percnt;2Fselinux-faq-fc5&percnt;2Fln-legalnotice.html&percnt;29&percnt;3A&percnt;0D&percnt;0A&percnt;0D&percnt;0A&percnt;20for&percnt;20example&percnt;3A&percnt;20&percnt;20selinux-faq-1.5.2&percnt;20&percnt;282006-03-20&percnt;29&amp;status_whiteboard=&amp;keywords=&amp;issuetrackers=&amp;dependson=&amp;blocked=&amp;ext_bz_id=0&amp;ext_bz_bug_id=&amp;data=&amp;desc!
ription=&amp;contenttypemethod=list&amp;contenttypesel!
ection
xt&percnt;2Fplain&amp;contenttypeentry=&amp;maketemplate=Remember&percnt;20values&percnt;20as&percnt;20bookmarkable&percnt;20template&amp;form_name=enter_bug</text>
</entity>
<entity name="APACHE">
<comment>Locally useful.</comment>
<text>Apache HTTP</text>
</entity>
<entity name="LOCALVER">
<comment>Set value to your choice, usefule for when guide
version is out of sync with FC release, use instead of FEDVER or
FEDTESTVER</comment>
<text>5</text>
</entity>
</group>
</entities>
--- NEW FILE selinux-faq.xml ---
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
<!-- *************** Bring in Fedora entities *************** -->
<!ENTITY % FEDORA-ENTITIES-EN SYSTEM "../../docs-common/common/fedora-entities-en.ent">
%FEDORA-ENTITIES-EN;
<!ENTITY % DOCUMENT-ENTITIES SYSTEM "doc-entities.ent">
%DOCUMENT-ENTITIES;
]>
<article id="selinux-faq" lang="en">
<xi:include href="fdp-info.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:fallback>WHERE IS MY FDP-INFO, DUDE</xi:fallback>
</xi:include>
<section id="sn-selinux-faq">
<title>&SEL; Notes and FAQ</title>
<para>
The information in this FAQ is valuable for those who are new to &SEL;. It
is also valuable if you are new to the latest &SEL; implementation in
&FC;, since some of the behavior may be different than you have
experienced.
</para>
<note>
<title>This FAQ is specific to &FC; &LOCALVER;</title>
<para>
If you are looking for the FAQ for other versions of &FC;, refer to
<ulink url="http://fedora.redhat.com/docs/selinux-faq/"/>.
</para>
</note>
<para>
For more information about how &SEL; works, how to use &SEL; for general
and specific Linux distributions, and how to write policy, these resources
are useful:
</para>
<itemizedlist id="external-link-list">
<title>External Link List</title>
<listitem>
<para>
NSA &SEL; main website — <ulink
url="http://www.nsa.gov/selinux/" />
</para>
</listitem>
<listitem>
<para>
NSA &SEL; FAQ — <ulink
url="http://www.nsa.gov/selinux/info/faq.cfm" />
</para>
</listitem>
<listitem>
<para>
&SEL; community page — <ulink
url="http://selinux.sourceforge.net" />
</para>
</listitem>
<listitem>
<para>
UnOfficial FAQ — <ulink
url="http://www.crypt.gen.nz/selinux/faq.html" />
</para>
</listitem>
<listitem>
<para>
Writing traditional SE Linux policy HOWTO — <ulink
url="https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=2..."
/>
</para>
</listitem>
<listitem>
<para>
Reference Policy (the new policy found in &FC; 5) — <ulink
url="http://serefpolicy.sourceforge.net/"
/>
</para>
</listitem>
<listitem>
<para>
SELinux policy development training courses — <ulink
url="http://tresys.com/services/training.shtml"
/> and <ulink
url="https://www.redhat.com/training/security/courses/rhs429.html"
/>
</para>
</listitem>
<listitem>
<para>
Getting Started with SE Linux HOWTO: the new SE Linux (Debian) —
<ulink
url="https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=2..." />
</para>
</listitem>
<listitem>
<para>
List of SELinux object classes and permissions —
<ulink
url="http://tresys.com/selinux/obj_perms_help.shtml" />
</para>
</listitem>
<listitem>
<para>
On IRC — irc.freenode.net, #fedora-selinux
</para>
</listitem>
<listitem>
<para>
&FED; mailing list — <ulink
url="mailto:fedora-selinux-list@redhat.com" />;
read the archives or subscribe at <ulink
url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list" />
</para>
</listitem>
</itemizedlist>
<tip>
<title>Making changes/additions to the &FED; &SEL; FAQ</title>
<para>
This FAQ is available at <ulink
url="http://fedora.redhat.com/docs/selinux-faq-fc5/">http://fedora.redhat.com/docs/selinux-faq-fc5/</ulink>.
</para>
<para>
For changes or additions to the &FED; &SEL; FAQ, use this <ulink
url="&BUG-URL;">bugzilla template</ulink>, which pre-fills most of the
bug report. Patches should be a <command>diff -u</command> against the
XML, which is available from CVS (refer to <ulink
url="http://fedora.redhat.com/projects/docs/" /> for details on
obtaining the fedora-docs/selinux-faq module from anonymous CVS; you can
get just the <filename>fedora-docs/selinux-faq</filename> module if you
don't want the entire <filename>fedora-dcs</filename> tree.) Otherwise,
plain text showing before and after is sufficient.
</para>
<para>
For a list of all bug reports filed against this FAQ, refer to <ulink
url="https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=118757">https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=118757</ulink>.
</para>
</tip>
<qandaset defaultlabel="qanda" id="selinux-faq-list">
<?dbhtml toc="1"?>
<qandadiv id="faq-div-understanding-selinux">
<title>Understanding &SEL;</title>
<qandaentry>
<question>
<para>
What is &SEL;?
</para>
</question>
<answer>
<para>
&SEL; (<firstterm>Security-Enhanced Linux</firstterm>) in &FC; is
an implementation of <firstterm>mandatory access
control</firstterm> in the Linux kernel using the
<firstterm>Linux Security Modules</firstterm>
(<abbrev>LSM</abbrev>) framework. Standard Linux security is a
<firstterm>discretionary access control</firstterm> model.
</para>
<variablelist>
<varlistentry>
<term>Discretionary access control (<abbrev>DAC</abbrev>)</term>
<listitem>
<para>
DAC is standard Linux security, and it provides no
protection from broken software or malware running as a
normal user or root. Users can grant risky levels of access
to files they own.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Mandatory access control (<abbrev>MAC</abbrev>)</term>
<listitem>
<para>
MAC provides full control over all interactions of
software. Administratively defined policy closely controls
user and process interactions with the system, and can
provide protection from broken software or malware running
as any user.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
In a DAC model, file and resource decisions are based solely on
user identity and ownership of the objects. Each user and program
run by that user has complete discretion over the user's objects.
Malicious or flawed software can do anything with the files and
resources it controls through the user that started the process.
If the user is the super-user or the application is
<command>setuid</command> or <command>setgid</command> to root,
the process can have root level control over the entire file
system.
</para>
<para>
A MAC system does not suffer from these problems. First, you can
administratively define a security policy over all processes and
objects. Second, you control all processes and objects, in the
case of &SEL; through the kernel. Third, decisions are based on
all the security relevant information available, and not just
authenticated user identity.
</para>
<para>
MAC under &SEL; allows you to provide granular permissions for all
<firstterm>subjects</firstterm> (users, programs, processes) and
<firstterm>objects</firstterm> (files, devices). In practice,
think of subjects as processes, and objects as the target of a
process operation. You can safely grant a process only the
permissions it needs to perform its function, and no more.
</para>
<para>
The &SEL; implementation uses <firstterm>role-based access
control</firstterm> (<abbrev>RBAC</abbrev>), which provides
abstracted user-level control based on roles, and
<firstterm><trademark class="registered">Type
Enforcement</trademark></firstterm> (<abbrev>TE</abbrev>). TE
uses a table, or <firstterm>matrix</firstterm> to handle access
controls, enforcing policy rules based on the types of processes
and objects. Process types are called
<firstterm>domains</firstterm>, and a cross-reference on the
matrix of the process's domain and the object's type defines their
interaction. This system provides extremely granular control for
actors in a Linux system.
</para>
</answer>
</qandaentry>
<qandaentry>
<question id="qa-whatis-policy" xreflabel="What is SELinux policy?">
<para>
What is &SEL; policy?
</para>
</question>
<answer>
<para>
The &SEL; policy describes the access permissions for all subjects
and objects, that is, the entire system of users, programs, and
processes and the files and devices they act upon. &FC; policy is
delivered in a package, with an associated source package. Current
shipping policy packages are:
</para>
<variablelist>
<varlistentry>
<term><filename>selinux-policy-<replaceable><version></replaceable>.noarch.rpm</filename></term>
<listitem>
<para>
This package is common to all types of policy and contains
config files/man pages.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>selinux-policy-devel-<replaceable><version></replaceable>.noarch.rpm</filename></term>
<listitem>
<para>
This is the development environment. This replaces the
-sources package from the past. This package contains the
interface files used in reference policy along with a
Makefile and a small tool used to generate a policy template
file. The interface files reside in
/usr/share/selinux/refpolicy/headers directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>selinux-policy-strict-<replaceable><version></replaceable>.noarch.rpm</filename></term>
<term><filename>selinux-policy-targeted-<replaceable><version></replaceable>.noarch.rpm</filename></term>
<term><filename>selinux-policy-mls-<replaceable><version></replaceable>.noarch.rpm</filename></term>
<listitem>
<para>
Binary policy files are in /etc/selinux/policyname. The
policy for the types and domains is configured separately
from security context for the subjects and objects.
</para>
</listitem>
</varlistentry>
</variablelist>
</answer>
</qandaentry>
<qandaentry id="qa-whatis-targeted-policy" xreflabel="What is the
SELinux targeted policy?">
<!-- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133403 thanks to -->
<!-- dwalsh for supplying the source FAQs -->
<question>
<para>
What is the &SEL; targeted policy?
</para>
</question>
<answer>
<para>
When &SEL; was initially introduced in &FC;, it enforced the NSA
strict policy. For testing purposes, this effectively exposed
hundreds of problems in the strict policy. In addition, it
demonstrated that applying a single strict policy to the many
environments of &FED; users was not feasible. To manage a single
strict policy for anything other than default installation would
require local expertise.
</para>
<para>
At this point, the &SEL; developers reviewed their choices, and
decided to try a different strategy. They decided to create a
<firstterm>targeted</firstterm> policy that locks down specific
daemons, especially those vulnerable to attack or which could
devastate a system if broken or compromised. The rest of the
system runs exactly as it would under standard Linux DAC security.
</para>
<para>
Under the targeted policy, most processes run in the
<computeroutput>unconfined_t</computeroutput> domain. As the name
implies, these processes are mostly unconfined by the &SEL;
policy. They are still governed by standard Linux DAC security,
however.
</para>
<para>
Those network daemons which are addressed in the targeted policy
make a transition to the targeted policy when the application
starts. For example, at system boot, <command>init</command> runs
under the <computeroutput>unconfined_t</computeroutput> policy.
When <command>named</command> starts, it makes a transition to the
<computeroutput>named_t</computeroutput> domain and is locked down
by the appropriate policy.
</para>
<para>
For more information on enabling or disabling targeted policy on
each of the specific daemons, refer to <xref
linkend="qa-using-s-c-securitylevel"/>.
</para>
</answer>
</qandaentry>
<qandaentry>
<!-- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133403 thanks to -->
<!-- dwalsh for supplying the source FAQs -->
<question>
<para>
What daemons are protected by the targeted policy?
</para>
</question>
<answer>
<para>
Currently, the list of daemons is:
</para>
<itemizedlist>
<listitem>
<para><command>dhcpd</command></para>
</listitem>
<listitem>
<para><command>httpd</command>
(<filename>apache.te</filename>)</para>
</listitem>
<listitem>
<para><command>named</command></para>
</listitem>
<listitem>
<para><command>nscd</command></para>
</listitem>
<listitem>
<para><command>ntpd</command></para>
</listitem>
<listitem>
<para><command>portmap</command></para>
</listitem>
<listitem>
<para><command>snmpd</command></para>
</listitem>
<listitem>
<para><command>squid</command></para>
</listitem>
<listitem>
<para><command>syslogd</command></para>
</listitem>
</itemizedlist>
<para>
The policy files for these daemons are found in
<filename>/etc/selinux/targeted/src/policy/domains/program</filename>.
In the future, more daemons will be added to the targeted policy
protection.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Which daemons will you add to the targeted policy? How about
Sendmail, Postfix, MySQL, or PostgreSQL?
</para>
</question>
<answer>
<para>
&SEL; developers would like to add ftp and mail agents to targeted
policy eventually. For example, <command>vsftpd</command> could
work similar to <command>login</command>: after log-in, a new
process would be executed under the user's context (real user or
an anonymous context).
</para>
<para>
Mail agents can be problematic because they often need to
manipulate files in user home directories. One objective of the
targeted policy is to avoid labeling problems in the user home
directories. &SEL; developers continue to work on this problem.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
What about the strict policy? Does it even work?
</para>
</question>
<answer>
<para>
The strict policy <emphasis>does</emphasis> work on &FC;. It is
challenged by the unique environments of different users. To use
the strict policy in your environment, you may need to fine-tune
both the policy and your systems.
</para>
<para>
To make the strict policy easier to use, &SEL; developers have
tried to make the change from one policy to the other easier.
For example, <command>system-config-securitylevel</command> builds
a relabel into the startup scripts.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
What is the mls policy? Who is it for?
</para>
</question>
<answer>
<para>
The mls policy is similar to the strict policy, but adds an
additional field to security contexts for separating levels. &SEL;
can use these levels to separate data in an environment that calls
for strict hierarchical separation. A typical example is a
military setting, where data is classified at a certain level.
This policy is geared toward this sort of environment, and is
probably not useful to you unless you fall into this category.
</para>
</answer>
</qandaentry>
<qandaentry id="faq-entry-whatis-refpolicy" xreflabel="Reference Policy">
<question>
<para>
What is the Reference Policy?
</para>
</question>
<answer>
<para>
The <firstterm>Reference Policy</firstterm>
is a new project designed to rewrite the entire SELinux policy in a
way that is easier to use and understand. To do this, it uses
the concepts of modularity, abstraction, and well-defined interfaces.
Refer to <ulink
url="http://serefpolicy.sourceforge.net/"/>
for more information on the Reference Policy.
</para>
<para>
Fedora policies at version 1.x are based on the traditional example
policy. Version 2.x policies (as used in &FC; &LOCALVER;) are based
on the Reference Policy.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
What are file contexts?
</para>
</question>
<answer>
<para>
<firstterm>File contexts</firstterm> are used by the
<command>setfiles</command> command to generate persistent labels
which describe the security context for a file or directory.
</para>
<para>
&FC; ships with the <command>fixfiles</command> script, which
supports three options: <option>check</option>,
<option>restore</option>, and <option>relabel</option>. This
script allows users to relabel the file system without having the
<filename>selinux-policy-targeted-sources</filename> package
installed. The command line usage is more friendly than the
standard <command>setfiles</command> command.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I view the security context of a file, user, or process?
</para>
</question>
<answer>
<para>
The new option <option>-Z</option> is the short method for
displaying the context of a subject or object:
</para>
<screen>
<command>ls -alZ <replaceable>file.foo</replaceable>
id -Z
ps -eZ</command>
</screen>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
What is the difference between a <firstterm>domain</firstterm> and
a <firstterm>type</firstterm>?
</para>
</question>
<answer>
<para>
There is no difference between a domain and a type, although
domain is sometimes used to refer to the type of a process. The
use of domain in this way stems from Domain and Type Enforcement
(DTE) models, where domains and types are separate.
</para>
</answer>
</qandaentry>
</qandadiv>
<qandadiv id="faq-div-controlling-selinux">
<title>Controlling &SEL;</title>
<qandaentry>
<question>
<para>
How do I install/not install &SEL;?
</para>
</question>
<answer>
<para>
The installer follows the choice you make in the
<guilabel>Firewall Configuration</guilabel> screen. The default
running policy is the targeted policy, and it is on by default.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I switch the policy I am currently using?
</para>
</question>
<answer>
<caution>
<title>Use caution when switching policy</title>
<para>
Other than trying out a new policy on a test machine for
research purposes, you should seriously consider your situation
before switching to a different policy on a production system.
The act of switching is straightforward. This method is fairly
safe, but you should try it first on a test system.
</para>
</caution>
<para>
To use the automated method, run the <application>Security Level
Configuration</application> tool. From the GUI Main Menu,
select <menuchoice>
<guimenu>Desktop</guimenu>
<guisubmenu>System Settings</guisubmenu>
<guimenuitem>Security level</guimenuitem>
</menuchoice>, or from a terminal, run
<command>system-config-securitylevel</command>. Change the
policy as desired and ensure that the <guilabel>Relabel on next
reboot</guilabel> option is enaled.
</para>
<para>
You can also perform these steps manually with the following
procedure:
</para>
<procedure>
<step>
<para>
Edit <filename>/etc/selinux/config</filename> and change the
type and the mode of policy:
</para>
<screen>
<userinput>SELINUXTYPE=<replaceable>policyname</replaceable>
SELINUX=permissive</userinput>
</screen>
<para>
This step ensures you will not be locked out after rebooting.
&SEL; will run under the correct policy, but will allow you to
login if there is a problem such as incorrect file context
labeling.
</para>
</step>
<step>
<para>
Set the system to relabel the file system on reboot:
</para>
<screen>
<command>touch /.autorelabel</command>
</screen>
</step>
<step>
<para>
Reboot the system. A clean restart under the new policy
allows all system processes to be started in the proper
context, and reveals any problems in the policy change.
</para>
</step>
<step>
<para>
Confirm your changes took effect with the following command:
</para>
<screen>
<command>sestatus -v</command>
</screen>
<para>
With the new system running in
<computeroutput>permissive</computeroutput> mode, check
<filename>/var/log/messages</filename> for
<computeroutput>avc: denied</computeroutput> messages. These
may indicate a problem that needs to be solved for the system
to run without trouble under the new policy.
</para>
</step>
<step>
<para>
When you are satisfied that the system runs stable under the
new policy, enable enforcing by changing
<computeroutput>SELINUX=enforcing</computeroutput>. You can
either reboot or run <command>setenforce 1</command> to turn
enforcing on in real time.
</para>
</step>
</procedure>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How can I back up files from an &SEL; file system?
</para>
</question>
<answer>
<para>
Use the <command>star</command> utility, which supports the
extended attributes that store the security context labels.
Specify the <option>-xattr</option> and
<option>-H=exustar</option> options when creating archives.
</para>
<screen>
<command>ls -Z /var/log/maillog</command>
-rw------- root root system_u:object_r:var_log_t /var/log/maillog
<command>cd /var/log
star -xattr -H=exustar -c -f maillog.star ./maillog*</command>
</screen>
<caution>
<title>Absolute paths can overwrite existing data</title>
<para>
If you use an absolute path, such as
<filename>/var/log/maillog</filename>, when you unpack the
archive with <command>star -c
-f</command>, the files will be restored on the same path they
were archived with. The <filename>maillog</filename> file will
attempt to write to <filename>/var/log/maillog</filename>. You
should received a warning from <command>star</command> if the
files about to be overwritten have a later date, but you cannot
rely on this behavior.
</para>
<para>
Consider carefully how you construct your archiving argument.
</para>
</caution>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How can I install the strict policy by default with kickstart?
</para>
</question>
<answer>
<procedure>
<step>
<para>
Under the <computeroutput>%packages</computeroutput> section,
add <filename>selinux-policy-strict</filename>.
</para>
</step>
<step>
<para>
Under the <computeroutput>%post</computeroutput> section,
add the following:
</para>
<screen>
<computeroutput>lokkit -q --selinuxtype=strict
touch /.autorelabel</computeroutput>
</screen>
</step>
</procedure>
</answer>
</qandaentry>
<qandaentry id="qa-using-s-c-securitylevel" xreflabel="How to use system-config-securitylevel">
<question>
<para>
How do I enable/disable &SEL; protection on specific daemons under
the targeted policy?
</para>
</question>
<answer>
<para>
Use <command>system-config-securitylevel</command>, also known as
the <application>Security Level Configuration</application>
graphical tool, to control the
Boolean values of specific daemons. For example, if you need to
disable &SEL; for Apache to run correctly in your environment, you
can disable the value in
<command>system-config-securitylevel</command>. This change
disables the transition to the policy defined in
<filename>apache.te</filename>, allowing <command>httpd</command>
to remain under regular Linux DAC security.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I make a user <filename>public_html</filename> directory
work under &SEL;?
</para>
</question>
<answer>
<para>
This process presumes that you have enabled user public HTML
directories in your Apache configuration file,
<filename>/etc/httpd/conf/httpd.conf</filename>. This process
only covers serving static Web content. For more information
about &APACHE; and &SEL;, refer to <ulink
url="http://fedora.redhat.com/docs/selinux-apache-fc3/" />.
</para>
<procedure>
<step>
<para>
If you do not already have a
<filename>~/public_html</filename> directory, create it and
populate it with the files and folders to be served.
</para>
<screen>
<userinput>cd ~
mkdir public_html
cp /path/to/content ~/public_html</userinput>
</screen>
</step>
<step>
<para>
At this point, <command>httpd</command> is configured to serve
the contents, but you will still receive a <computeroutput>403
forbidden</computeroutput> error. This is because
<command>httpd</command> is not allowed to read the security
type for the directory and files as they are created in the
user's home directory. Change the security context of the
folder and its contents recursively using the
<option>-R</option> option:
</para>
<screen>
<userinput>ls -Z -d public_html/</userinput>
<computeroutput>drwxrwxr-x auser auser user_u:object_r:user_home_t public_html</computeroutput>
<userinput>chcon -R -t httpd_user_content_t public_html/
ls -Z -d public_html/</userinput>
<computeroutput>drwxrwxr-x auser auser user_u:object_r:httpd_user_content_t public_html/</computeroutput>
<userinput>ls -Z public_html/</userinput>
<computeroutput>-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t bar.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t baz.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t foo.html</computeroutput>
</screen>
<para>
You may notice at a later date that the user field, set here
to <computeroutput>user_u</computeroutput>, is changed to
<computeroutput>system_u</computeroutput>. This does not
affect how the targeted policy works. The field that matters
is the type field.
</para>
</step>
<step>
<para>
Your static webpages should now be served correctly. If you
continue to have errors, ensure that the Boolean which enables
user home directories is enabled. You can set it using
<command>system-config-securitylevel</command>. Select
the <guilabel>&SEL;</guilabel> tab, and then select the
<guilabel>Modify &SEL; Policy</guilabel> area. Select
<computeroutput>Allow HTTPD to read home
directories</computeroutput>. The changes take effect
immediately.
</para>
</step>
</procedure>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I turn &SEL; off at boot?
</para>
</question>
<answer>
<para>
Set <computeroutput>SELINUX=disabled</computeroutput> in
<filename>/etc/selinux/config</filename>.
</para>
<para>
Alternatively, you can add <option>selinux=0</option> to your
kernel boot parameters. However, this option is not recommended.
</para>
<caution>
<title>Be careful when disabling &SEL;</title>
<para>
If you boot with <option>selinux=0</option>, any files you
create while &SEL; is disabled will not have &SEL; context
information. The file system will be marked for relabeling at
the next boot. If an unforeseen problem prevents you from
rebooting normally, you may need to boot in single-user mode for
recovery. Add the option <option>emergency</option> to your
kernel boot parameters.
</para>
</caution>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I turn enforcing on/off at boot?
</para>
</question>
<answer>
<para>
You can specify the &SEL; mode using the configuration file
<filename>/etc/sysconfig/selinux</filename>.
</para>
<screen>
<computeroutput># This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.</computeroutput>
SELINUX=<userinput><replaceable>enforcing</replaceable></userinput>
<computeroutput># SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.</computeroutput>
SELINUXTYPE=<userinput><replaceable>targeted</replaceable></userinput>
</screen>
<para>
Setting the value to <computeroutput>enforcing</computeroutput> is
the same as adding <option>enforcing=1</option> to the kernel boot
parameters. Setting the value to
<computeroutput>permissive</computeroutput> is the same as adding
<option>enforcing=0</option> to the kernel boot parameters.
</para>
<para>
However, setting the value to
<computeroutput>disabled</computeroutput> is not the same as the
<option>selinux=0</option> kernel boot parameter. Rather than
fully disabling &SEL; in the kernel, the
<computeroutput>disabled</computeroutput> setting instead turns
enforcing off and skips loading a policy.
</para>
<important>
<title>&SEL; Configuration Precedence</title>
<para>
The command line kernel parameter overrides the configuration
file.
</para>
</important>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I temporarily turn off enforcing mode without having to
reboot?
</para>
</question>
<answer>
<para>
Occasionally you may need to perform an action that is normally
prevented by policy. Run the command <command>setenforce
0</command> to turn off enforcing mode in real time. When you
are finished, run <command>setenforce 1</command> to turn
enforcing back on.
</para>
<note>
<title><computeroutput>sysadm_r</computeroutput> Role
Required</title>
<para>
You must issue the <command>setenforce</command> command with
the <computeroutput>sysadm_r</computeroutput> role. Use the
<command>newrole</command> command to assume this role.
Alternately, if you switch to root using <command>su
-</command>, you assume the
<computeroutput>sysadm_r</computeroutput> role automatically.
</para>
</note>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I turn system call auditing on/off at boot?
</para>
</question>
<answer>
<para>
Add <option>audit=1</option> to your kernel command line to turn
system call auditing on. Add <option>audit=0</option> to your
kernel command line to turn system call auditing off.
</para>
<para>
System-call auditing is <emphasis>on</emphasis> by default. When
on, it provides information about the system call that was
executing when SELinux generated a
<computeroutput>denied</computeroutput> message. The error
message is helpful when debugging policy.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I temporarily turn off system-call auditing without having
to reboot?
</para>
</question>
<answer>
<para>
Run <command>auditctl -e 0</command>. Note that this command
will not affect auditing of SELinux AVC denials.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I get status info about my &SEL; installation?
</para>
</question>
<answer>
<para>
As root, execute the command <command>/usr/sbin/sestatus
-v</command>. For more information, refer to the
<filename>sestatus(8)</filename> manual page.
</para>
</answer>
</qandaentry>
</qandadiv>
<qandadiv id="faq-div-resolving-problems">
<title>Resolving Problems</title>
<qandaentry>
<question>
<para>
My application isn't working as expected and I am seeing
<computeroutput>avc: denied</computeroutput> messages. How do I
fix this?
</para>
</question>
<answer>
<para>
This message means that the current SELinux policy is not allowing
the application to do something. There are a number of reasons
this could happen.
</para>
<para>
First, one of the files the application is trying to access could
be mislabeled. If the AVC message refers to a specific file,
inspect its current label with <command>ls -alZ
<replaceable>/path/to/file</replaceable></command>. If it seems
wrong, use the command <command>restorecon -v
<replaceable>/path/to/file</replaceable></command> to restore
the file's default context. If you have a large number of denials
related to files, you may want to use <command>fixfiles
relabel</command>, or run <command>restorecon -R
<replaceable>/path</replaceable></command> to recursively
relabel a directory path.
</para>
<para>
Denials are sometimes due to a configuration change in the program
that triggered the denial message. For example, if you change
Apache to also listen on port 8800, you must also change the
security policy, <filename>apache.te</filename>. Refer to
<xref linkend="external-link-list"/> for more information about
writing policy.
</para>
<para>
If you are having trouble getting a specific application like
Apache to work, refer to <xref linkend="qa-using-s-c-securitylevel"/>
for information on disabling enforcement just for that
application.
</para>
</answer>
</qandaentry>
<!-- <qandaentry>
<question>
<para>
I'm trying to upgrade from &FC; &FCVER; to &FC; &LOCALVER;, and
the installer keeps crashing with an &SEL; error.
</para>
</question>
<answer>
<para>
This occurs because Anaconda finds an existing
<filename>/selinux</filename> directory. This problem has been
fixed in the latest version of the installer.
</para>
<para>
To work around this bug, either remove the directory just prior to
upgrading, <command>rm -rf /selinux</command>, or during an
install, switch to tty2 before packages start being upgraded, and
do <command>rm -rf /mnt/sysimage/selinux</command>.
</para>
</answer>
</qandaentry>
-->
<qandaentry>
<question>
<para>
I installed &FC; on a system with an existing
<filename>/home</filename> partition, and now I can't log in.
</para>
</question>
<answer>
<para>
Your <filename>/home</filename> partition is not labeled
correctly. You can easily fix this two different ways.
</para>
<para>
If you just want to relabel <filename>/home</filename>
recursively:
</para>
<screen>
<command>/sbin/restorecon -v -R /home</command>
</screen>
<para>
If you want to be sure there are no other files incorrectly
labeled, you can relabel the entire file system:
</para>
<screen>
<command>/sbin/fixfiles relabel</command>
</screen>
<para>
You must have the <filename>policycoreutils</filename> package
installed to use <command>fixfiles</command>.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
After relabeling my <filename>/home</filename> using
<command>setfiles</command> or <command>fixfiles</command>, will I
still be able to read <filename>/home</filename> with a
non-&SEL;-enabled system?
</para>
</question>
<answer>
<para>
You can read the files from a non-&SEL; distribution, or one with
&SEL; disabled. However, files created by a system not using &SEL;
systems will not have a security context, nor will any files you
remove and recreate. This could be a challenge with files such as
<filename>~/.bashrc</filename>. You may have to relabel
<filename>/home</filename> when you reboot the &SEL; enabled &FC;
system.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How do I share directories using NFS between &FC; and non-&SEL;
systems?
</para>
</question>
<answer>
<para>
Just as NFS transparently supports many file system types, it can
be used to share directories between &SEL; and non-&SEL; systems.
</para>
<para>
When you mount a non-&SEL; file system via NFS, by default &SEL;
will treat all the files in the share as having a context of
<computeroutput>nfs_t</computeroutput>. You can override the
default context by setting it manually, using the
<option>context=</option> option. The following command makes
the files in the NFS mounted directory appear to have a context of
<computeroutput>system_u:object_r:tmp_t</computeroutput> to &SEL;:
</para>
<screen>
<command>mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo</command>
</screen>
<para>
When &SEL; exports a file system via NFS, newly created files have
the context of the directory they were created in. In other
words, the presence of &SEL; on the remote mounting system has no
effect on the local security contexts.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How can I create a new Linux user account with the user's home
directory having the proper context?
</para>
</question>
<answer>
<!-- wtf was I trying to say here?
<para>
This depends on the policy you are running. A very restrictive
policy requires you to change
</para>
-->
<para>
You can create your new user with the standard
<command>useradd</command> command. First you must become
<systemitem class="username">root</systemitem>. Under the strict
policy you will need to change role to
<computeroutput>sysadm_r</computeroutput> with the following
command:
</para>
<screen>
<userinput>newrole -r sysadm_r</userinput>
</screen>
<para>
For the targeted policy you will not need
to switch roles, staying in
<computeroutput>unconfined_t</computeroutput>:
</para>
<screen>
<userinput>su - root
id -Z</userinput>
<computeroutput>root:system_r:unconfined_t</computeroutput>
<userinput>useradd auser
ls -Z /home</userinput>
<computeroutput>drwx------ auser auser root:object_r:user_home_dir_t /home/auser</computeroutput>
</screen>
<para>
The initial context for a new user directory has an identity of
<computeroutput>root</computeroutput>. Subsequent relabeling of
the file system will change the identity to
<computeroutput>system_u</computeroutput>. These are functionally
the same since the role and type are identical
(<computeroutput>object_r:user_home_dir_t</computeroutput>.)
</para>
</answer>
</qandaentry>
<!-- <qandaentry>
<question>
<para>
All of the other &SEL; documentation states that the
<command>su</command> command will only change Linux identity
<emphasis>not</emphasis> security role.
</para>
</question>
<answer>
<para>
The &FC; development team has taken a slightly different direction
than existing &SEL; practice. Security context transitions are
now integrated into <command>su</command> via
<computeroutput>pam_selinux</computeroutput>. This greatly
simplifies using the system.
</para>
<para>
In practice, this is like combining the traditional
<command>su</command> with the &SEL; <command>newrole</command>,
as one step instead of two.
</para>
<para>
Other forms of Linux/<trademark
class="registered">UNIX</trademark> identity change, for example
<command>setuid(2)</command>, do not cause an &SEL; identity
change.
</para>
</answer>
</qandaentry> -->
<qandaentry>
<question>
<para>
I'm having troubles with <command>avc</command> errors filling my
logs for a particular program. How do I choose not to audit the
access for it?
</para>
</question>
<answer>
<para>
If you wanted to not audit <command>dmesg</command>, for example,
you would put this in your
<filename>/etc/selinux/targeted/src/policy/dmesg.te</filename>
file:
</para>
<screen>
<userinput>dontaudit dmesg_t userdomain:fd { use };</userinput>
</screen>
<para>
This eliminates the error output to the terminal for all
user domains, including <varname>user</varname>,
<varname>staff</varname> and <varname>sysadm</varname>.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Even running in permissive mode, I'm getting a large number of
<computeroutput>avc denied</computeroutput> messages.
</para>
</question>
<answer>
<para>
In a non-enforcing mode, you should actually receive
<emphasis>more</emphasis> messages than in enforcing mode. The
kernel logs each access denial as if you were in an enforcing
mode. Since you are not restricted by policy enforcement, you can
perform more actions, which results in more denials being logged.
</para>
<para>
If an application running under an enforcing mode is denied
access to read a number of files in a directory, it is
stopped once at the beginning of the action. In a non-enforcing
mode, the application is not stopped from traversing the directory
tree, and generates a denial message for each file read in the
directory.
</para>
</answer>
</qandaentry>
<!-- Need to modify this to work with new policy sources, or find
a better method than modifying all source
<qandaentry>
<question>
<para>
I get a specific permission denial only when &SEL; is in enforcing
mode, but I don't see any audit messages in
<filename>/var/log/audit/audit.log</filename>. How can I identify the
cause of these silent denials?
</para>
</question>
<answer>
<para>
The most common reason for a silent denial is when the policy
contains an explicit <computeroutput>dontaudit</computeroutput>
rule to suppress audit messages. The
<computeroutput>dontaudit</computeroutput> rule is often used this
way when a benign denial is filling the audit logs.
</para>
<para>
To look for your particular denial, you will need to enable
auditing of all <computeroutput>dontaudit</computeroutput> rules:
</para>
<screen>
<command>cd /etc/selinux/targeted/src/policy
make enableaudit
make load</command>
</screen>
<caution>
<title>Enabled <computeroutput>dontaudit</computeroutput> output
is verbose</title>
<para>
Enabling auditing of all
<computeroutput>dontaudit</computeroutput> rules will likely
produce a large amount of audit information, most of which is
irrelevant to your denial.
</para>
<para>
Use this technique only if you are specifically looking for an
audit message for a denial that seems to occur silently. You
will likely want to re-enable
<computeroutput>dontaudit</computeroutput> rules as soon as
possible.
</para>
</caution>
<para>
To re-enable <computeroutput>dontaudit</computeroutput> rules, do
the following:
</para>
<screen>
<command>cd /etc/selinux/targeted/src/policy
make clean
make load</command>
</screen> -->
<!-- commented out just in case it needs to be rewritten and included:
<para>
Another reason for getting silent denials is on an
<function>exec</function> when a domain transition would
normally occur, but the new domain is not authorized for
the current role.
</para>
<para>
At present, these errors are only logged when &SEL; is
running in permissive mode. This has been fixed in the
upstream Linux kernel so that it will log an audit message.
The current &FC; test kernel does not yet include this
change.
</para>
from ssmalley:
The Fedora kernel now includes the change, so the transition failures
now show up as security_compute_sid messages (also handled via the audit
framework). Example message below for a policy that failed to authorize
sysadm_r for system_chkpwd_t (an error from an earlier policy that has
been fixed):
audit(1083674459.837:0): security_compute_sid: invalid context root:sysadm_r:system_chkpwd_t for scontext=root:sysadm_r:newrole_t tcontext=system_u:object_r:chkpwd_exec_t tclass=process
</answer>
</qandaentry>
-->
<qandaentry>
<question>
<para>
Why do I not see the output when I run certain daemons in debug or
interactive mode?
</para>
</question>
<answer>
<para>
&SEL; intentionally disables access to the tty devices to stop
daemons from communicating back with the controlling terminal.
This communication is a potential security hole because such
daemons could insert commands into the controlling terminal. A
broken or compromised program could use this hole to cause serious
problems.
</para>
<para>
There are a few ways you can capture standard output from
daemons. One method is to pipe the output to the cat command.
</para>
<screen>
<command>snmpd -v | cat</command>
</screen>
<para>
When debugging a daemon, you may want to turn off the transition
of the daemon to its specific domain. You can do this using
<command>system-config-securitylevel</command> or
<command>setsebool</command> on the command line.
</para>
<para>
A final option is to turn off enforcing mode while debugging.
Issue the command <command>setenforce 0</command> to turn off
enforcing mode, and use the command <command>setenforce
1</command> to re-enable &SEL; when you are finished debugging.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
When I do an upgrade of the policy package (for example, using
<command>yum</command>), what happens with the policy? Is it
updated automatically?
</para>
</question>
<answer>
<para>
Policy reloads itself when the package is updated. This behavior
replaces the manual <command>make load</command>.
</para>
<para>
In certain situations, you may need to relabel the file system.
This might occur as part of an &SEL; bug fix where file contexts
become invalid, or when the policy update makes changes to the
file
<filename>/etc/selinux/targeted/contexts/files/file_contexts</filename>.
</para>
<para>
After the file system is relabeled, a <command>reboot</command> is
not required, but is useful in ensuring every process and program
is running in the proper domain. This is highly dependent on the
changes in the updated policy.
</para>
<para>
To relabel, you have several options. You may use the
<command>fixfiles</command> command:
</para>
<screen>
<command>fixfiles relabel
reboot</command>
</screen>
<para>
Alternately, use the <filename>/.autorelabel</filename> mechanism:
</para>
<screen>
<command>touch /.autorelabel
reboot</command>
</screen>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
If the policy shipping with an application package changes in a
way that requires relabeling, will RPM handle relabeling the files
owned by the package?
</para>
</question>
<answer>
<para>
Yes. The security contexts for the files owned by the package are
stored in the header data for the package. The file contexts are
set directly after the <command>cpio</command> copy, as the
package files are being put on the disk.
</para>
</answer>
</qandaentry>
<!-- Source package doesn't exist any more
Is there something similar now?
<qandaentry>
<question>
<para>
What is the relationship between policy and policy source
packages?
</para>
</question>
<answer>
-->
<!--
thanks to "Gene C." <czar czarc net> for authoring the
original answer in
http://www.redhat.com/archives/fedora-test-list/2004-April/msg00755.html
-->
<!--
<para>
A policy package such as
<filename>selinux-policy-targeted</filename> is a requirement for
a working &SEL; installation, while a policy source package such
as <filename>selinux-policy-targeted-sources</filename> is
required if you want to customize the default policy.
</para>
<para>
The policy package has the minimum files necessary for defining
the &SEL; security policy. It is kept trimmed down in size to
support a minimal install footprint.
</para>
<para>
The policy sources packages contain the source definitions in
<filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy</filename>
that are required to create the files
<filename>/etc/selinux/<replaceable>policyname</replaceable>/contexts/*</filename>
and
<filename>/etc/selinux/<replaceable>policyname</replaceable>/policy/policy.<replaceable>version</replaceable></filename>.
<replaceable>version</replaceable> is the version number of the
policy. </para>
<para>
Choosing which packages to install is based on the type of
installation. If you are going to use only the default security
policy defined by the &FC; developers, you only need the policy
package. If you want to customize your security policy in any
way, or otherwise want to run <command>setools</command>, you need
to install the policy source.
</para>
<para>
Installing or updating the policy package loads the new policy
after it installs the files. Similarly, installing or updating the
policy source package rebuilds the
<filename>policy.<replaceable>version</replaceable></filename>
file as well as the <filename>file_contexts</filename> file, then
loads them as the currently effective policy.
</para>
-->
<!-- not sure if currently still an issue, or how to rephrase
<caution>
<title>Caution</title>
<para>
If you have locally modified any of the policy sources, you want to be cautious about updating <filename>policy</filename> or <filename>policy-sources</filename>. Make
updating policy and/or policy-sources can have
interesting (but not particularly desirable)
effects. See
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118604
</para>
</caution>
-->
<!--
</answer>
</qandaentry>
-->
<qandaentry>
<!--
http://www.redhat.com/archives/fedora-selinux-list/2004-May/msg00061.html
-->
<question>
<para>
Why do binary policies distributed with Fedora, such as
<filename>/etc/selinux/<replaceable><policyname></replaceable>/policy/policy.<replaceable><version></replaceable></filename>,
and those I compile myself have different sizes and MD5 checksums?
</para>
</question>
<answer>
<para>
When you install a policy package, pre-compiled binary policy
files are put directly into <filename>/etc/selinux</filename>.
The different build environments will make target files that have
different sizes and MD5 checksums.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Will new policy packages disable my system?
</para>
</question>
<answer>
<para>
There is a possibility that changes in the policy package or in
the policy shipping with an application package can cause errors,
more denials, or other unknown behaviors. You can
discover which package caused the breakage by reverting policy and
application packages one at a time. If you don't want to return
to the previous package, the older version of the configuration
files will be saved with the extension <filename
class="extension">.rpmsave</filename>. Use the
mailing lists, bugzilla, and IRC to help you work through your
problem. If you are able, write or fix policy to resolve your
problem.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How can I help write policy?
</para>
</question>
<answer>
<para>
Your help is definitely appreciated.
</para>
<itemizedlist>
<listitem>
<para>
You can start by joining the &FED; &SEL; mailing list. You can
subscribe and read the archives at <ulink
url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list"/>.
</para>
</listitem>
<listitem>
<para>
The Unofficial FAQ has some generic policy writing HOWTO
information. Refer to <ulink
url="http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21..."/>
for more information.
</para>
</listitem>
<listitem>
<para>
Another new resource is the Writing SE Linux policy HOWTO,
located online at <ulink
url="https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=2..."/>.
</para>
</listitem>
</itemizedlist>
<para>
Also, since the &FC; &LOCALVER; policy is based on the <xref
linkend="faq-entry-whatis-refpolicy"/>, you should look at the
documentation on its project page. Another excellent source of
information is the policy files in
<filename>/usr/share/doc/selinux-policy-<replaceable>>version<</replaceable></filename>
which shows examples of policy.
</para>
<para>
If you want to write a new policy domain, you should install the
<filename>selinux-policy-devel</filename> package. This will place
reference policy interface files into the
<filename>/usr/share/selinux/refpolicy</filename> directory.
There are also tools available to help you generate new policy.
The following procedure is an example:
</para>
<procedure>
<step>
<para>
Use the <command>policygentool</command> command to generate
your own <filename>te</filename>, <filename>fc</filename> and
<filename>if</filename> files. The
<command>policygentool</command> command takes two parameters:
the name of the policy module and the full path to the
executable. The following command gives a usage example:
</para>
<screen>
<command>policygentool <replaceable>mydaemon /usr/sbin/mydaemon</replaceable></command>
</screen>
<para>
This command creates three files:
<filename>mydaemon.te</filename>,
<filename>mydaemon.fc</filename> and
<filename>mydaemon.if</filename>.
</para>
</step>
<step>
<para>
After you generate the policy files, use the supplied
Makefile,
<filename>/usr/share/selinux/refpolicy/Makefile</filename>, to
build a policy package:
</para>
<screen>
<command>make -f /usr/share/selinux/refpolicy/Makefile</command>
</screen>
</step>
<step>
<para>
Now you can load the policy module, using
<command>semodule</command>, and relabel the executable using
<command>restorecon</command>:
</para>
<screen>
<command>semodule -i <replaceable>mydaemon.pp</replaceable></command>
<command>restorecon -v <replaceable>/usr/sbin/mydaemon</replaceable></command>
</screen>
</step>
<step>
<para>
Since you have very limited policy for your executeable,
SELinux will prevent it from doing much. Turn on permissive
mode and then use the init script to start your daemon:
</para>
<screen>
<command>setenforce 1</command> <!-- is this right? -->
<command>service <replaceable>mydaemon</replaceable> restart</command>
</screen>
</step>
</procedure>
<para>
Now you can collect avc messages. You can use
<command>audit2allow</command> to translate the avc messages to
allow rules and begin updating you
<filename>mydaemon.te</filename> file. You should search for
interface macros in the
<filename>/etc/selinux/refpolicy/include</filename> directory and
use these instead of using the allow rules directly, whenever
possible. If you want more examples of polcy, you could always
install the selinux-policy src rpm, which contains all of the
policy te files for the reference policy.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
My console is being flooded with messages. How do I turn them
off?
</para>
</question>
<answer>
<para>
To regain useful control, turn off kernel messages to the console
with this command:
</para>
<screen>
<command>dmesg -n 1</command>
</screen>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Can I test the default policy without installing the policy
source?
</para>
</question>
<answer>
<para>
You can test &SEL; default policy by installing just the
<filename>selinux-policy-<replaceable>policyname</replaceable></filename>
and <filename>policycoreutils</filename> packages. Without the
policy source installed, the <command>fixfiles</command> command
automates the file system relabeling.
</para>
<para>
The command <command>fixfiles relabel</command> is the equivalent
of <command>make relabel</command>. During the relabeling, it
will delete all of the files in <filename>/tmp</filename>,
cleaning up files which may have old file context labels.
</para>
<para>
Other commands are <command>fixfiles check</command>, which checks
for mislabeled files, and <command>fixfiles restore</command>,
which fixes the mislabeled files but does not delete the files in
<filename>/tmp</filename>. The <command>fixfiles</command>
command does not take a list of directories as an argument,
because it relabels the entire file system. If you need to
relabel a specific directory path, use
<command>restorecon</command>.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Why are some of my KDE applications having trouble under &SEL;?
</para>
</question>
<answer>
<para>
KDE executables always appear as <command>kdeinit</command>, which
limits what can be done with &SEL; policy. This is because every
KDE application runs in the domain for <command>kdeinit</command>.
</para>
<para>
Problems often arise when installing &SEL; because it is not
possible to relabel <filename>/tmp</filename> and
<filename>/var/tmp</filename>. There is no good method of
determining which file should have which context.
</para>
<para>
The solution is to fully log out of KDE and remove all KDE
temporary files:
</para>
<screen>
<command>rm -rf /var/tmp/kdecache-<replaceable><username></replaceable>
rm -rf /var/tmp/<replaceable><other_kde_files></replaceable></command>
</screen>
<para>
At your next login, your problem should be fixed.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Why does <option>SELINUX=disabled</option> not work for me?
</para>
</question>
<answer>
<para>
Be careful of white space in the file
<filename>/etc/sysconfig/selinux</filename>. The code is very
sensitive to white space, even trailing space.
</para>
</answer>
</qandaentry>
</qandadiv>
<qandadiv id="faq-div-deploying-selinux">
<title>Deploying &SEL;</title>
<qandaentry>
<question>
<para>
What file systems can I use for &SEL;?
</para>
</question>
<answer>
<para>
The file system must support
<computeroutput>xattr</computeroutput> labels in the right
<parameter>security.*</parameter> namespace. In addition to
ext2/ext3, XFS has recently added support for the necessary
labels.
</para>
<para>
Note that XFS SELinux support is broken in upstream kernel
2.6.14 and 2.6.15, but fixed (worked around)
in 2.6.16. Your kernel must include this fix if
you choose to use XFS with &SEL;.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How does &SEL; impact system performance?
</para>
</question>
<answer>
<para>
This is a variable that is hard to measure, and is heavily
dependent on the tuning and usage of the system running &SEL;.
When performance was last measured, the impact was around 7% for
completely untuned code. Subsequent changes in system components
such as networking are likely to have made that worse in some
cases. &SEL; performance tuning continues to be a priority of the
development team.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
What types of deployments, applications, and systems should I
leverage &SEL; in?
</para>
</question>
<answer>
<para>
Initially, &SEL; has been used on Internet facing servers that are
performing a few specialized functions, where it is critical to
keep extremely tight security. Administrators typically strip
such a box of all extra software and services, and run a very
small, focused set of services. A Web server or mail server is a
good example.
</para>
<para>
In these edge servers, you can lock down the policy very tightly.
The smaller number of interactions with other components makes
such a lockdown easier. A dedicated system running a specialized
third-party application would also be a good candidate.
</para>
<para>
In the future, &SEL; will be targeted at all environments. In
order to achieve this goal, the community and
<firstterm>independent software vendors</firstterm>
(<abbrev>ISV</abbrev>s) must work with the &SEL; developers to
produce the necessary policy. So far, a very restrictive
<firstterm>strict policy</firstterm> has been written, as well as
a <firstterm>targeted policy</firstterm> that focuses on specific,
vulnerable daemons.
</para>
<para>For more information about these policies, refer to <xref
linkend="qa-whatis-policy"/> and <xref
linkend="qa-whatis-targeted-policy"/>.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How does &SEL; affect third-party applications?
</para>
</question>
<answer>
<para>
One goal of implementing a targeted &SEL; policy in &FC; is to
allow third-party applications to work without modification. The
targeted policy is transparent to those unaddressed applications,
and it falls back on standard Linux DAC security. These
applications, however, will not be running in an extra-secure
manner. You or another provider must write policy to protect these
applications with MAC security.
</para>
<para>
It is impossible to predict how every third-party application
might behave with &SEL;, even running the targeted policy. You
may be able to fix issues that arise by changing the policy. You
may find that &SEL; exposes previously unknown security issues
with your application. You may have to modify the application to
work under &SEL;.
</para>
<para>
One important value that &FC; testers and users bring to the
community is extensive testing of third-party applications. With
that in mind, please bring your experiences to the appropriate
mailing list, such as the fedora-selinux.list, for discussion. For
more information about that list, refer to <ulink
url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list/"/>.
</para>
<!-- Add policy modules section -->
<!-- Add managed policy section -->
</answer>
</qandaentry>
</qandadiv>
</qandaset>
</section>
</article>
18 years, 2 months
- 1
- 0
selinux-faq/en rpm-info-en.xml, 1.6, NONE selinux-faq-en.xml, 1.4, NONE
by fedora-docs-commits@redhat.com
Author: kwade
Update of /cvs/docs/selinux-faq/en
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26362/en
Removed Files:
rpm-info-en.xml selinux-faq-en.xml
Log Message:
This should modify the module to meet modern standards; unless I forgot to add something. Build requires FC4 or later, as it needs DocBook XML 4.4.
--- rpm-info-en.xml DELETED ---
--- selinux-faq-en.xml DELETED ---
18 years, 2 months
- 1
- 0
selinux-faq rpm-info.xml,1.3,1.4 Makefile,1.5,1.6
by fedora-docs-commits@redhat.com
Author: kwade
Update of /cvs/docs/selinux-faq
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26362
Modified Files:
Makefile
Added Files:
rpm-info.xml
Log Message:
This should modify the module to meet modern standards; unless I forgot to add something. Build requires FC4 or later, as it needs DocBook XML 4.4.
Index: rpm-info.xml
===================================================================
RCS file: rpm-info.xml
diff -N rpm-info.xml
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ rpm-info.xml 16 Mar 2006 19:42:55 -0000 1.4
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+
+<!DOCTYPE rpm-info SYSTEM "../docs-common/packaging/rpm-info.dtd">
+
+<rpm-info>
+ <colophon>
+ <worker surname="Wade" firstname="Karsten" id="KarstenWade" email="kwade(a)redhat.com" wholename="Karsten Wade" initials="KW"/>
+ <worker surname="Sellers" firstname="Chad" id="ChadSellers" email="csellers(a)tresys.com" wholename="Chad Sellers" initials="CS"/>
+ <worker surname="Tombolini" firstname="Francesco" id="FrancescoTombolini" email="tombo(a)adamantio.net" wholename="Francesco Tombolini" initials="FT"/>
+ <worker firstname="Paul" othername="W." surname="Frields" initials="PWF" email="stickster(a)gmail.com" wholename="Paul W. Frields" id="PaulWFrields"/>
+ </colophon>
+ <author worker="KarstenWade"/>
+ <author worker="ChadSellers"/>
+ <translator worker="FrancescoTombolini"/>
+ <license>
+ <rights>GNU FDL</rights>
+ <version>1.0</version>
+ </license>
+ <copyright>
+ <year>2004</year>
+ <year>2005</year>
+ <holder>Red Hat, Inc.</holder>
+ <holder>Karsten Wade</holder>
+ </copyright>
+ <copyright>
+ <year>2006</year>
+ <holder>Chad Sellers</holder>
+ <holder>Paul W. Frields</holder>
+ </copyright>
+ <titles>
+ <translation lang="en">
+ <title>Fedora Core 5 SELinux FAQ</title>
+ <desc>Frequently asked questions about SELinux in Fedora Core 5</desc>
+ </translation>
+ <translation lang="it">
+ <title>Fedora Core 5 SELinux FAQ</title>
+ <desc></desc>
+ </translation>
+ </titles>
+ <changelog order="newest-first">
+ <revision date="2006-02-10" number="1.5.2" role="doc">
+ <author worker="PaulWFrields"/>
+ <details lang="en">Make admonition more easily maintainable</details>
+ </revision>
+ <revision date="2006-02-05" number="1.5.1" role="doc">
+ <author worker="PaulWFrields"/>
+ <details lang="en">Style and readability editing; some element clarifications</details>
+ </revision>
+ <revision date="2006-02-03" number="1.5" role="doc">
+ <author worker="ChadSellers"/>
+ <details lang="en">First round of editing.</details>
+ <details lang="it">Primo round di editing.</details>
+ </revision>
+ </changelog>
+</rpm-info>
Index: Makefile
===================================================================
RCS file: /cvs/docs/selinux-faq/Makefile,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- Makefile 7 Dec 2005 17:21:12 -0000 1.5
+++ Makefile 16 Mar 2006 19:42:55 -0000 1.6
@@ -1,22 +1,43 @@
-###############################################################################
-# Makefile for RHLP docs project
-# Created by: Tammy Fox <tfox(a)redhat.com>
-# Last edited by: Tommy Reynolds <Tommy.Reynolds(a)MegaCoder.com>
-# WARNING: need passivetex 1.24 for pdf generation to work
-# License: GPL
-# Copyright 2003 Tammy Fox, Red Hat, Inc.
-# Copyright 2005 Tommy Reynolds, MegaCoder.com
-###############################################################################
+########################################################################
+# NOTICE
+#-----------------------------------------------------------------------
+# There is actually no "de" translation. All the '*de*" files are just
+# fodder to check the internationalization (i18n) workings for the FTP.
+# No discourtesy to any German speaker is intended. -- Tommy Reynolds
+# Actual translations welcome.
+########################################################################
-LANGUAGES = en it
-DOCBASE = selinux-faq
-XMLEXTRAFILES-en =
-XMLEXTRAFILES-it =
+########################################################################
+# Fedora Documentation Project Per-document Makefile
+# License: GPL
+# Copyright 2005,2006 Tommy Reynolds, MegaCoder.com
+########################################################################
+#
+# Document-specific definitions.
+#
+DOCBASE = selinux-faq
+PRI_LANG = en_US
+# OTHERS =
+# If ${DOC_ENTITIES} is defined, ${PRI_LANG}/${DOC_ENTITIES}.xml
+# must contain a complete XML file conforming to the DTD located
+# in the "docs-common/common/entities/entities.dtd" file. Do NOT
+# reference this file in the XMLFILES_template below.
+DOC_ENTITIES = doc-entities
+########################################################################
+# List each XML file of your document in the template below. Append the
+# path to each file to the "XMLFILES-${1}" string. Use a backslash if you
+# need additional lines. Here, we have one extra file "en/para.xml"; that
+# gets written as "${1}/para.xml" because later, make(1) will need to compute
+# the necesssary filenames. Oh, do NOT include "fdp-info.xml" because that's
+# a generated file and we already know about that one...
-######################################################
+define XMLFILES_template
+XMLFILES-${1}=${1}/${DOCBASE}.xml
+endef
+#
+########################################################################
include ../docs-common/Makefile.common
-######################################################
-
+########################################################################
# If you want to add additional steps to any of the
# targets defined in "Makefile.common", be sure to use
# a double-colon in your rule here. For example, to
@@ -25,3 +46,4 @@
# line:
#${DOCNAME}/index.html::
# echo FINISHED AT LAST
+########################################################################
18 years, 2 months
- 1
- 0
selinux-faq/en_US - New directory
by fedora-docs-commits@redhat.com
Author: kwade
Update of /cvs/docs/selinux-faq/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23418/en_US
Log Message:
Directory /cvs/docs/selinux-faq/en_US added to the repository
18 years, 2 months
- 1
- 0
marketing-content/FC-5-press-release fc5-press-release-en_US.xml, 1.2, 1.3
by fedora-docs-commits@redhat.com
Author: kwade
Update of /cvs/docs/marketing-content/FC-5-press-release
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15386
Modified Files:
fc5-press-release-en_US.xml
Log Message:
Final edit, minor grammar and brevity clean ups, link to relnotes top center.
Index: fc5-press-release-en_US.xml
===================================================================
RCS file: /cvs/docs/marketing-content/FC-5-press-release/fc5-press-release-en_US.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- fc5-press-release-en_US.xml 16 Mar 2006 00:07:47 -0000 1.2
+++ fc5-press-release-en_US.xml 16 Mar 2006 00:47:35 -0000 1.3
@@ -8,18 +8,26 @@
<para>
The Fedora Project is pleased to announce the release of Fedora Core 5. New
desktop applications, advances in security, better localization tools,
- improved software installation and management facilities and strong Java
+ improved software installation and management facilities, and strong Java
integration help to make Fedora Core 5 the most innovative Linux
distribution ever.
</para>
+ <para>
+ For a more complete list of changes and interesting information for users,
+ administrators, and developers, refer to the latest release notes:
+ </para>
+ <para>
+ <ulink url="http://fedora.redhat.com/docs/release-notes/"/>
+ </para>
+
<header>Getting Fedora Core 5</header>
<header>Download ISO Images</header>
<para>
Users can download the ISO images of the installation DVD or CD-ROMs now
- from the Fedora web site.
+ from the Fedora Website.
</para>
<para>
- <ulink
+ <ulink
url='http://fedoraproject.org/wiki/Distribution/Download'>http://fedoraproject.org/wiki/Distribution/Download</ulink>
</para>
<header>Online Vendors</header>
@@ -260,8 +268,8 @@
<header>Internationalization and Localization</header>
<para>
Fedora contributors speak many different languages besides C, C++, Python,
- Java, and so on. We are also humans who speak the world's many different
- languages, and we all want Fedora to support as many as possible.
+ Java, and so on. We are also humans who speak the world's languages, and we
+ want Fedora to support as many as possible.
</para>
<para>
In Fedora Core 5, we have come closer to that goal by adopting SCIM, in
@@ -364,8 +372,8 @@
</para>
<para>
Fedora Core 5 also offers technology previews for SystemTap and Frysk,
- cutting edge execution analysis tools that will allow developers to
- troubleshoot performance issues to a degree never before possible.
+ cutting edge execution analysis tools that allow developers to troubleshoot
+ performance issues to a degree never before possible.
</para>
<para>
<ulink
@@ -379,9 +387,9 @@
<header>The Future of Fedora</header>
<para>
Fedora contributors are already working toward the next release of Fedora
- Core, which will feature advancements in Xen, and new integration work from
+ Core, which features advancements in Xen, and new integration work from
the Fedora Rendering and One Laptop Per Child (a.k.a. $100 laptop) projects.
- Stateless Linux work is also progressing steadily. We are working on the
+ Stateless Linux work is also progressing steadily. We are working on the
ability to support Fedora Extras and other custom software repositories
during installation. As usual, work continues on new releases of the best
and most robust free and open source software. See our roadmap at:
18 years, 2 months
- 1
- 0
marketing-content/FC-5-press-release fdp-pr.dtd,1.1.1.1,1.2
by fedora-docs-commits@redhat.com
Author: kwade
Update of /cvs/docs/marketing-content/FC-5-press-release
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15305
Modified Files:
fdp-pr.dtd
Log Message:
Making the ulink work, this does as expected, spits out the content of the link.
Index: fdp-pr.dtd
===================================================================
RCS file: /cvs/docs/marketing-content/FC-5-press-release/fdp-pr.dtd,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- fdp-pr.dtd 14 Mar 2006 20:46:34 -0000 1.1.1.1
+++ fdp-pr.dtd 16 Mar 2006 00:33:45 -0000 1.2
@@ -14,5 +14,5 @@
<!ATTLIST list mark (star|dot) "star" >
<!ELEMENT item (#PCDATA|ulink)* >
-<!ELEMENT ulink EMPTY >
+<!ELEMENT ulink (#PCDATA) >
<!ATTLIST ulink url CDATA #REQUIRED >
\ No newline at end of file
18 years, 2 months
- 1
- 0
marketing-content/FC-5-press-release Makefile,1.2,1.3
by fedora-docs-commits@redhat.com
Author: kwade
Update of /cvs/docs/marketing-content/FC-5-press-release
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15200
Modified Files:
Makefile
Log Message:
This is the real Makefile based on the real rev. 1.8.
Index: Makefile
===================================================================
RCS file: /cvs/docs/marketing-content/FC-5-press-release/Makefile,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- Makefile 16 Mar 2006 00:11:38 -0000 1.2
+++ Makefile 16 Mar 2006 00:14:13 -0000 1.3
@@ -1,10 +1,10 @@
########################################################################
# The ${DOC_BASE} symbol provides the basic name for this document.
-DOC_BASE=fdp-pr
+DOC_BASE=fc5-press-release
########################################################################
-# The ${LANG} symbol gives the locale for the original language for
+# The ${PRI_LANG} symbol gives the locale for the original language for
# the document.
-LANG=en
+PRI_LANG=en_US
########################################################################
# The ${OTHERS} symbol is a list of additional locales into which the
# document is to be translated.
@@ -18,60 +18,125 @@
XMLTOFLAGS=-m params.xsl
XSL =fdp-pr.xsl
SED =/bin/sed
-XML2POT =xml2pot
XML2PO =xml2po
-PO2XML =po2xml
MSGMERGE=msgmerge
MSGMERGEFLAGS=
########################################################################
+LANGUAGES=${PRI_LANG} ${OTHERS}
+########################################################################
# Define our own set of suffixes to streamline the process
.SUFFIXES:
.SUFFIXES: .txt .pdf .po .pot .xml .xsl .dtd .in
########################################################################
# Mark the proper virtual targets so that a "make -t all" does not create
# an empty file called "all".
-.PHONY: all clean distclean clobber pot
-.PHONY: $(foreach LOCALE,${OTHERS},xml-${LOCALE})
-.PHONY: $(foreach LOCALE,${OTHERS},po-${LOCALE})
+.PHONY: all clean distclean clobber pot help
########################################################################
# The default target "all"
all:: ${DOC_BASE}.pot
-all:: $(foreach LOCALE,${LANG} ${OTHERS},${DOC_BASE}-${LOCALE}.xml)
-all:: $(foreach LOCALE,${LANG} ${OTHERS},${DOC_BASE}-${LOCALE}.pdf)
-all:: $(foreach LOCALE,${LANG} ${OTHERS},${DOC_BASE}-${LOCALE}.txt)
+all:: $(foreach LOCALE,${LANGUAGES},${DOC_BASE}-${LOCALE}.pdf)
+# FIXME all:: $(foreach LOCALE,${LANGUAGES},${DOC_BASE}-${LOCALE}.txt)
+########################################################################
+HFMT =%-31s\t%s\n
+help::
+ @printf "${HFMT}" "all" "Default target; generate PDF's"
+ @printf "${HFMT}" "clean" "Delete temporary files"
+ @printf "${HFMT}" "distclean" "Delete output and temporary files"
+ @printf "${HFMT}" "clobber" "Delete output and temporary files"
+ @printf "${HFMT}" "help" "This message; use 'make help|sort'"
########################################################################
# Compute the rules to transform our XML documents into both PDF and TXT
# forms
-define OUTPUT_template
-${DOC_BASE}-$(1).pdf:: ${DOC_BASE}-$(1).xml params.xsl.in
- LC_ALL=${1}.UTF-8 ${SED} -e "s|DATE|$$(date +'%x %X')|" \
+define PDF_template
+.PHONY: pdf-${1}
+
+pdf-${1}:: ${DOC_BASE}-${1}.pdf
+
+help::
+ @printf "${HFMT}" "pdf-${1}" "Generate PDF for locale '${1}'"
+
+${DOC_BASE}-$(1).pdf:: ${DOC_BASE}-$(1).xml params.xsl.in ${XSL}
+ LC_ALL=${1}.UTF-8 ${SED} \
+ -e "s|DATE|$$(shell LC_ALL=${1} date +'%x %X')|" \
+ -e "s|LANG|${1}|" \
params.xsl.in >params.xsl
LC_ALL=${1}.UTF-8 ${XMLTO} -x ${XSL} ${XMLTOFLAGS} pdf \
${DOC_BASE}-$(1).xml
-${DOC_BASE}-$(1).txt:: ${DOC_BASE}-$(1).xml params.xsl.in
- LC_ALL=${1}.UTF-8 ${SED} -e "s|DATE|$$(date +'%x %X')|" \
- params.xsl.in >params.xsl
- LC_ALL=${1}.UTF-8 ${XMLTO} -x ${XSL} ${XMLTOFLAGS} txt \
- ${DOC_BASE}-$(1).xml
+
+help::
+ @printf "${HFMT}" "${DOC_BASE}-${1}.pdf" "Render PDF for locale '${1}'"
+
+distclean::
+ ${RM} ${DOC_BASE}-${1}.pdf
endef
-$(foreach LOCALE,${LANG} ${OTHERS},$(eval $(call OUTPUT_template,${LOCALE})))
+$(foreach LOCALE,${LANGUAGES},$(eval $(call PDF_template,${LOCALE})))
+########################################################################
+
+########################################################################
+define TXT_template
+# This assumes w3m(1) is installed. The stock xmlto RPM uses it.
+XMLPOSTFLAGS=-p '-cols 72'
+
+.PHONY: txt-${1}
+
+txt-${1}:: ${DOC_BASE}-${1}.txt
+
+help::
+ @printf "${HFMT}" "txt-${1}" "Generate text version for locale '${1}'"
+
+${DOC_BASE}-$(1).txt:: ${DOC_BASE}-$(1).xml params.xsl.in ${XSL}
+ LC_ALL=${1}.UTF-8 ${SED} \
+ -e "s|DATE|$$(shell LC_ALL=${1} date +'%x %X')|" \
+ params.xsl.in >params.xsl
+ LC_ALL=${1}.UTF-8 ${XMLTO} -x ${XSL} ${XMLTOFLAGS} $${XMLPOSTFLAGS} \
+ txt ${DOC_BASE}-$(1).xml
+
+help::
+ @printf "${HFMT}" "${DOC_BASE}-${1}.txt" "Render locale '${1}' text"
+
+distclean::
+ ${RM} ${DOC_BASE}-${1}.txt
+endef
+# FIXME $(foreach LOCALE,${LANGUAGES},$(eval $(call TXT_template,${LOCALE})))
########################################################################
# Always generate the current date.
-params.xsl: params.xsl.in
- ${SED} -e "s|DATE|$$(date +'%x %X')|" $< >$@.tmp && move-if-change $@.tmp $@
+params.xsl: params.xsl.in Makefile
+ ${SED} -e "s|DATE|$$(LC_ALL=${PRI_LANG} date +'%x %X')|" \
+ -e "s|LANG|${PRI_LANG}|" \
+ $< >$@.tmp && move-if-change $@.tmp $@
+
+help::
+ @printf "${HFMT}" "params.xsl" "Generate dynamic parameters"
########################################################################
# The ${DOC_BASE}.pot target produces a new .POT file everytime the
# original XML file is updated.
-${DOC_BASE}.pot: ${DOC_BASE}-${LANG}.xml
- xml2pot $< >$@
+.PHONY: pot
+
+pot:: ${DOC_BASE}.pot
+
+help::
+ @printf "${HFMT}" "pot" "Generate .POT file for translation"
+
+${DOC_BASE}.pot:: ${DOC_BASE}-${PRI_LANG}.xml
+ xml2po -o $@ $<
+
+help::
+ @printf "${HFMT}" "${DOC_BASE}.pot" "Generate .POT file for translation"
########################################################################
# Compute the rules to create or update a language-specific .po file
# any time the ${DOC_BASE}.pot file is updated. We try to avoid losing
# current .PO translations by calling msgmerge if a .po file already
# exists.
define PO_template
-po-${1} ${1}.po:: ${DOC_BASE}.pot
+.PHONY: po-${1}
+po-${1}:: ${1}.po
+
+help::
+ @printf "${HFMT}" "po-${1}" "Update translations for locale '${1}'"
+
+.PRECIOUS: ${1}.po
+${1}.po:: ${DOC_BASE}.pot
@if [ ! -f ${1}.po ]; then \
echo Creating pristine ${1}.po; \
cp ${DOC_BASE}.pot ${1}.po; \
@@ -80,6 +145,9 @@
${MSGMERGE} ${MSGMERGEFLAGS} \
${1}.po $${DOC_BASE}.pot >${1}.po; \
fi
+
+help::
+ @printf "${HFMT}" "${1}.po" "Update translations for locale '${1}'"
endef
$(foreach LOCALE,${OTHERS},$(eval $(call PO_template,${LOCALE})))
@@ -87,20 +155,40 @@
# Compute the rules and targets to generate the translated XML files
# given an updated .PO file and the source XML file.
define NEWLANG_template
-xml-${1} ${DOC_BASE}-${1}.xml:: ${DOC_BASE}-${LANG}.xml ${1}.po
- ${PO2XML} ${DOC_BASE}-${LANG}.xml ${1}.po >${DOC_BASE}-${1}.xml
+.PHONY: xml-${1}
+xml-${1}:: ${DOC_BASE}-${1}.xml
+
+help::
+ @printf "${HFMT}" "xml-${1}" "Translate XML for locale '${1}'"
+
+${DOC_BASE}-${1}.xml:: ${DOC_BASE}-${PRI_LANG}.xml ${1}.po
+ ${XML2PO} -p ${1}.po ${DOC_BASE}-${PRI_LANG}.xml >${DOC_BASE}-${1}.xml
+
+help::
+ @printf "${HFMT}" "${DOC_BASE}-${1}.xml" "Create XML for locale '${1}'"
+
+clean::
+ ${RM} ${DOC_BASE}-${1}.xml
endef
$(foreach LOCALE,${OTHERS},$(eval $(call NEWLANG_template,${LOCALE})))
+
+.PHONY: xml-${PRI_LANG}
+
+xml-${PRI_LANG}:: ${DOC_BASE}-${PRI_LANG}.xml
+
+help::
+ @printf "${HFMT}" "${DOC_BASE}-${PRI_LANG}.xml" "Primary XML"
########################################################################
-# Neatness counts
-clean:
- ${RM} $(foreach LOCALE,${OTHERS},${DOC_BASE}-${LOCALE}.xml)
+clean::
${RM} params.xsl
-
-distclean clobber: clean
- ${RM} $(foreach LOCALE,${LANG} ${OTHERS},${DOC_BASE}-${LOCALE}.pdf)
- ${RM} $(foreach LOCALE,${LANG} ${OTHERS},${DOC_BASE}-${LOCALE}.txt)
+distclean clobber:: clean
+########################################################################
+.PHONY: mrproper
+mrproper:: distclean
+ ${RM} *.po
+ ${RM} *.pdf
+ ${RM} *.txt
########################################################################
# End of Makefile
########################################################################
18 years, 2 months
- 1
- 0
marketing-content/FC-5-press-release Makefile,1.1.1.1,1.2
by fedora-docs-commits@redhat.com
Author: kwade
Update of /cvs/docs/marketing-content/FC-5-press-release
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15171
Modified Files:
Makefile
Log Message:
Updating Makefile to canonical from press-release module (rev. 1.8).
Index: Makefile
===================================================================
RCS file: /cvs/docs/marketing-content/FC-5-press-release/Makefile,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- Makefile 14 Mar 2006 20:46:35 -0000 1.1.1.1
+++ Makefile 16 Mar 2006 00:11:38 -0000 1.2
@@ -1,10 +1,10 @@
########################################################################
# The ${DOC_BASE} symbol provides the basic name for this document.
-DOC_BASE=fc5-press-release
+DOC_BASE=fdp-pr
########################################################################
# The ${LANG} symbol gives the locale for the original language for
# the document.
-LANG=en_US
+LANG=en
########################################################################
# The ${OTHERS} symbol is a list of additional locales into which the
# document is to be translated.
18 years, 2 months
- 1
- 0
marketing-content/FC-5-press-release fc5-press-release-en_US.xml, 1.1.1.1, 1.2
by fedora-docs-commits@redhat.com
Author: kwade
Update of /cvs/docs/marketing-content/FC-5-press-release
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15118
Modified Files:
fc5-press-release-en_US.xml
Log Message:
Converted from Wiki, no changes made yet to actual content.
Index: fc5-press-release-en_US.xml
===================================================================
RCS file: /cvs/docs/marketing-content/FC-5-press-release/fc5-press-release-en_US.xml,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- fc5-press-release-en_US.xml 14 Mar 2006 20:46:34 -0000 1.1.1.1
+++ fc5-press-release-en_US.xml 16 Mar 2006 00:07:47 -0000 1.2
@@ -2,123 +2,400 @@
<!DOCTYPE fdp-pr SYSTEM "fdp-pr.dtd" >
<fdp-pr>
<source>
- Red Hat, Inc.
+ Fedora Project
</source>
- <header>A Section</header>
+ <header>Presenting Fedora Core 5</header>
<para>
- Veniam ut wisi tation et delenit
- <ulink url="www.redhat.com/promo/summit/"/>.
+ The Fedora Project is pleased to announce the release of Fedora Core 5. New
+ desktop applications, advances in security, better localization tools,
+ improved software installation and management facilities and strong Java
+ integration help to make Fedora Core 5 the most innovative Linux
+ distribution ever.
</para>
- <list>
- <item>
- Lorem ipsum sit ut et, odio.
- </item>
- <item>
- Suscipit laoreet dolore consequat autem ad.
- </item>
- <item>
- Tation praesent autem aliquip consectetuer illum hendrerit vero vulputate.
- </item>
- <item>
- Iriure delenit sit vulputate suscipit, dolore veniam eros adipiscing.
- </item>
- <item>
- Sed in blandit, et ullamcorper consequat nonummy, amet eros veniam.
- </item>
- <item>
- Odio aliquip dolore tincidunt aliquip.
- </item>
- </list>
- <para>
- Red Hat (NASDAQ: RHAT - News),
- Lorem ipsum suscipit ut et, molestie.
- Lobortis, duis zzril dolore nisl ad.
- Dignissim dolore consequat, minim facilisis commodo enim nostrud at vel.
- Ut delenit, autem vero et sed Ut esse.
- Nonummy magna dolor blandit, facilisi dignissim commodo consequat et et.
- </para>
- <para>
- Lorem ipsum, facilisi ad dignissim nisl luptatum nulla dolore commodo.
- Te consequat eu et blandit hendrerit hendrerit.
- </para>
- <para>
- Lorem ipsum praesent diam duis facilisi.
- Autem vulputate ullamcorper molestie ex commodo at.
- Euismod vel ex nisl hendrerit et tincidunt.
- Vulputate in at praesent nonummy vel.
- Adipiscing amet duis dolore velit.
- Lobortis facilisis nulla, commodo commodo hendrerit duis illum ut sit.
- Ut illum nulla aliquip eros nulla, iusto.
- </para>
- <para>
- Lorem ipsum vel velit quis.
- Eum delenit enim, aliquip vulputate ad et commodo.
- Iriure illum blandit vel nibh nisl.
- Exerci hendrerit in delenit dolore ut in.
- </para>
- <para>
- Lorem ipsum commodo augue commodo.
- Quis duis zzril vel consequat et lobortis ad lobortis.
- Nulla vulputate, tation esse minim in wisi dolore, aliquip.
- Volutpat dolore, dolore sit velit.
- Illum eum vel hendrerit commodo aliquam, nisl velit praesent, duis.
- Lobortis praesent et lobortis in.
- </para>
- <para>
- Lorem ipsum, aliquip, accumsan wisi commodo.
- Praesent eum feugait feugiat adipiscing, nonummy praesent erat zzril facilisis.
- Suscipit facilisis duis veniam veniam iusto, sit.
- Volutpat tation ex eros minim ad eum amet blandit esse.
- Enim ex duis aliquip molestie.
- Consequat feugiat ullamcorper in eu velit dolore tincidunt.
- Minim, nonummy vel in esse aliquam ad, luptatum in.
- Et euismod dolore praesent ea consequat.
- </para>
- <para>
- Lorem ipsum nulla enim in, eros, ullamcorper iriure et.
- Veniam ut wisi tation et delenit
- <ulink url="www.redhat.com/promo/summit/"/>.
- </para>
- <para>
- Lorem ipsum facilisis, lorem dolore enim iusto luptatum in duis.
- Duis in, odio minim augue, dolore dignissim commodo ut vulputate.
- Ea luptatum nulla aliquip dignissim dolor duis consequat, Ut.
- Minim magna duis dolor ut.
- Tincidunt iriure tation consequat augue odio magna tincidunt.
- Vulputate lobortis praesent molestie nisl iusto, wisi.
- </para>
- <para>
- Lorem ipsum, elit feugiat eros in delenit wisi.
- Nostrud iusto nonummy eu veniam augue nonummy in.
- Ullamcorper, augue elit elit ullamcorper minim augue luptatum.
- Ut molestie, minim qui vel blandit.
- Eros, ut delenit luptatum vel dignissim.
- Tation feugait exerci aliquam nibh sit blandit ipsum.
- Et vulputate nonummy sit ut.
- Sed zzril dolore, ex vero feugait volutpat at, tation.
- Learn more: <ulink url="http://www.redhat.com"/>
- </para>
- <para>
- Lorem ipsum luptatum feugiat ea magna vulputate accumsan euismod.
- Facilisis vel nostrud tation qui ut.
- Qui suscipit delenit qui odio te.
- Hendrerit illum euismod veniam et feugait feugiat.
- Vero molestie duis velit diam, delenit praesent.
- Iriure molestie aliquip dolor at.
- Commodo et ut erat feugiat molestie vulputate in esse.
- </para>
- <para>
- Lorem ipsum wisi vero nulla suscipit ea dolor nisl.
- Zzril, lorem, ullamcorper amet, eu nulla eum iusto zzril.
- Vero molestie consequat, facilisi, enim praesent tincidunt et dignissim zzril.
- At feugait nostrud accumsan suscipit.
- Diam molestie zzril wisi veniam.
- Nisl nibh in praesent velit at hendrerit dignissim autem.
- Lobortis, vel feugait feugait aliquip.
- Vulputate consectetuer, minim duis hendrerit wisi consectetuer nostrud.
- Ut illum sed et nulla, velit zzril ad veniam.
- Duis minim commodo vel vulputate ullamcorper esse dolore.
- Nulla dolor at hendrerit feugait.
- Dignissim qui esse dolore ut.
+ <header>Getting Fedora Core 5</header>
+ <header>Download ISO Images</header>
+ <para>
+ Users can download the ISO images of the installation DVD or CD-ROMs now
+ from the Fedora web site.
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Distribution/Download'>http://fedoraproject.org/wiki/Distribution/Download</ulink>
+ </para>
+ <header>Online Vendors</header>
+ <para>
+ We recognize that many people do not have sufficient bandwidth to download
+ an entire operating system. This is one of the reasons that the Trademark
+ Guidelines are written to allow third parties to sell physical media
+ containing Fedora Core, as long as they comply with the guidelines.
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Distribution/OnlineVendors'>http://fedoraproject.org/wiki/Distribution/OnlineVendors</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Legal/TrademarkGuidelines'>http://fedoraproject.org/wiki/Legal/TrademarkGuidelines</ulink>
+ </para>
+ <header>Fedora Community Free Media</header>
+ <para>
+ Fedora Community Free Media, a volunteer initiative under the Fedora
+ Ambassadors Program, aims to distribute Fedora Core media (DVDs) for free to
+ individuals. Local Fedora Ambassadors or Contributors are invited to
+ participate.
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/FreeMedia'>http://fedoraproject.org/wiki/FreeMedia</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Ambassadors'>http://fedoraproject.org/wiki/Ambassadors</ulink>
+ </para>
+ <header>What's New In Fedora Core 5</header>
+
+ <header>See Fedora Core 5 Now</header>
+ <para>
+ Fedora Core 5 has an exciting new look and feel. The menus and user
+ interface have been carefully crafted by the interaction designers and
+ desktop team. Take a tour at:
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Tours/FedoraCore5'>http://fedoraproject.org/wiki/Tours/FedoraCore5</ulink>
+ </para>
+
+ <header>Desktop</header>
+ <para>
+ Fedora Core 5 features some great new desktop applications powered by Mono.
+ </para>
+ <para>
+ Tomboy is a note-taking tool; simple and handy, it has already changed the
+ way that some Fedora users and developers work.
+ </para>
+ <para>
+ <ulink
+ url='http://www.beatniksoftware.com/tomboy/'>http://www.beatniksoftware.com/tomboy/</ulink>
+ </para>
+ <para>
+ Thanks to F-Spot, managing digital photographs is easier than ever.
+ </para>
+ <para>
+ <ulink
+ url='http://f-spot.org/Main_Page'>http://f-spot.org/Main_Page</ulink>
+ </para>
+ <para>
+ If you are looking for something in a chat log, an email, or a web page you
+ visited days ago, Beagle helps you find it.
+ </para>
+ <para>
+ <ulink
+ url='http://beaglewiki.org/Main_Page'>http://beaglewiki.org/Main_Page</ulink>
+ </para>
+ <para>
+ We are also pleased to introduce Accelerated Indirect GLX (AIGLX) support in
+ Fedora Core 5. Developed in partnership with the upstream Xorg community,
+ AIGLX provides the foundation for GLX-accelerated effects on a standard
+ desktop. While this can mean eye-catching effects, it also provides a
+ platform for creating a high-performance, efficient, and elegant desktop.
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/RenderingProject'>http://fedoraproject.org/wiki/RenderingProject</ulink>
+ </para>
+ <para>
+ Power management has been improved thanks to GNOME Power Manager, included
+ in this release. The GNOME screensaver package is included, with a new
+ Fedora screensaver to accompany it.
+ </para>
+ <para>
+ <ulink
+ url='http://www.gnome.org/projects/gnome-power-manager/'>http://www.gnome.org/projects/gnome-power-manager/</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://live.gnome.org/GnomeScreensaver/'>http://live.gnome.org/GnomeScreensaver/</ulink>
+ </para>
+ <para>
+ Integration, testing, and development was done to verify that suspend and
+ hibernation features work with the largest number of hardware combinations
+ that the Fedora community could get its hands on.
+ </para>
+ <para>
+ We didn't forget our Apple hardware users and included support for the
+ widely-used Broadcom 43xx wireless chipsets in the Fedora Core 5 kernel,
+ which is based on the 2.6.16 kernel release.
+ </para>
+ <para>
+ <ulink
+ url='http://bcm43xx.berlios.de/'>http://bcm43xx.berlios.de/</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://wiki.kernelnewbies.org/LinuxChanges'>http://wiki.kernelnewbies.org/LinuxChanges</ulink>
+ </para>
+ <para>
+ Fedora Core 5 also features updated versions of old favorites. The latest
+ in the Firefox 1.5 series offers improvements in speed, stability, security,
+ and accessibility. The latest OpenOffice.org 2.0.2 introduces OpenDocument
+ support, a new enhanced database frontend, a mail merge wizard, and better
+ PDF export capability. The latest versions of both GNOME 2.14 and KDE 3.5
+ bring a many new features and improvements to the Fedora desktop.
+ </para>
+ <para>
+ <ulink
+ url='http://www.mozilla.com/firefox/releases/1.5.html'>http://www.mozilla.com/firefox/releases/1.5.html</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://www.openoffice.org/product/index.html'>http://www.openoffice.org/product/index.html</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://www.gnome.org/start/2.14/notes/C/'>http://www.gnome.org/start/2.14/notes/C/</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://kde.org/announcements/announce-3.5.php'>http://kde.org/announcements/announce-3.5.php</ulink>
+ </para>
+ <para>
+ Finally, the Fedora Core 5 desktop features new advances in multimedia
+ applications built around the free Xiph.org codecs. Fedora is proud to say
+ that Chris Montgomery, the founder of Xiph.org and the genius behind the Ogg
+ family of codecs, is now a member of the Fedora Core team. We hope that
+ Fedora and Xiph.org form a strong and lasting partnership to further the
+ development of free media formats.
+ </para>
+ <para>
+ <ulink url='http://www.xiph.org'>http://www.xiph.org</ulink>
+ </para>
+
+ <header>Software Installation and Management</header>
+ <para>
+ Anaconda, the Fedora Core installer, has been completely rewritten to
+ present a more streamlined interface that matches the new look and feel of
+ Fedora Core 5.
+ </para>
+ <para>
+ Fedora Core 5 also brings major advancements in software management with the
+ introduction of Pirut, a graphical interface to replace
+ system-config-packages. Pirut helps manage the large number of software
+ packages available in Fedora Core and Extras repositories. The software
+ package updater, Pup, helps users keep pace with Fedora's rapid
+ improvements.
+ </para>
+ <para>
+ For the first time, all of Fedora Core's tools for software installation and
+ management share the same strong foundation: the package management utility
+ Yum. This tight integration will lead to dramatic improvements in software
+ management in future Fedora releases.
+ </para>
+
+ <header>Xen Virtualization</header>
+ <para>
+ Xen, the leading open source virtualization project, is included in Fedora
+ Core 5. Our version of Xen is based on the latest Xen 3.0 development
+ branch, with support for both 32-bit and 64-bit x86 hardware. Also included
+ is the Xen guest install script from Fedora developers, which allows users
+ to set up virtual machines.
+ </para>
+ <para>
+ Xen's advances in Fedora Core 5 represent a critical next step in the future
+ of virtualization on Linux. Fedora has expanded our virtualization team
+ with Chris Wright, one of the maintainers of the stable branch of 2.6 kernel
+ releases, and Juan Quintela, as virtualization wizards. They are part of a
+ large Red Hat team, headed by Brian Stein, responsible for making
+ virtualization ubiquitous and seamless in Fedora.
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Tools/Xen'>http://fedoraproject.org/wiki/Tools/Xen</ulink>
+ </para>
+
+ <header>Security</header>
+ <para>
+ You can always expect interesting and exciting advancements in security from
+ Fedora Core, and this release does not disappoint. Security Enhanced Linux
+ (SELinux) is now using the reference policy, which makes it easier to create
+ and maintain modular security policies. The introduction of a stack
+ protector to GCC 4.1 makes it harder than ever for hackers to exploit buffer
+ overflows, one of the most common security vulnerabilities.
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Security/Features?highlight=%28fstack%29'>http://fedoraproject.org/wiki/Security/Features?highlight=%28fstack%29</ulink>
+ </para>
+ <para>
+ Fedora has switched to using the reference policy for the SELinux security
+ framework. This supports binary modules, allowing SELinux policies to move
+ into individual packages. Developers can use this to ship site-specific
+ policy customizations. Fedora Core also supports the Multi Category
+ Security (MCS) SELinux policy by default, in addition to Type Enforcement
+ (TE), Muti Level Security (MLS), and Role Base Access Control (RBAC)
+ security policies. These gains in security continue to make Fedora Core one
+ of the most secure general-use operating systems in the world. Find more
+ facts at:
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Security'>http://fedoraproject.org/wiki/Security</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://serefpolicy.sourceforge.net/'>http://serefpolicy.sourceforge.net/</ulink>
+ </para>
+ <para>
+ Linux Unified Key Support (LUKS) provides hard disk encryption support in
+ Fedora Core 5; David Zeuthen of Red Hat, the HAL developer and maintainer,
+ worked on the LUKS integration with HAL and GNOME, finishing just in time
+ for the new Fedora Core release. Hard disk encryption provides one of the
+ best physical security solutions -- protection of your data if your hard
+ disk falls into the wrong hands.
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Software/LUKS'>http://fedoraproject.org/wiki/Software/LUKS</ulink>
+ </para>
+
+ <header>Internationalization and Localization</header>
+ <para>
+ Fedora contributors speak many different languages besides C, C++, Python,
+ Java, and so on. We are also humans who speak the world's many different
+ languages, and we all want Fedora to support as many as possible.
+ </para>
+ <para>
+ In Fedora Core 5, we have come closer to that goal by adopting SCIM, in
+ place of IIIMF, as the input method of choice for internationalization. This
+ and other advances allow Fedora to communicate with its many users better
+ than ever before.
+ </para>
+ <para>
+ <ulink url='http://www.scim-im.org/'>http://www.scim-im.org/</ulink>
+ </para>
+
+ <header>Java</header>
+ <para>
+ This release of Fedora Core represents another big step down the free Java
+ path.
+ </para>
+ <para>
+ Through the introduction of the completely free software stack
+ java-gcj-compat that runs native and bytecode Java, Fedora can now compile
+ and run software written in Java without relying upon proprietary and closed
+ Java machine implementations.
+ </para>
+ <para>
+ The excellent Fedora Java development team of Red Hat and community hackers
+ have built many popular Java-based or Java-using packages utilizing
+ java-gcj-compat for this release. These packages, which include
+ OpenOffice.org, Eclipse, Apache Tomcat, and Jakarta, are now compiled and
+ run on a 100% free and open software stack.
+ </para>
+ <para>
+ We included a complete set of packages and development goodies in Fedora
+ Core 5 for Java technologies. Fedora Extras also has many Java
+ applications: the popular BitTorrent utility Azureus, RSSowl, and others,
+ all powered by gcj-java-compat.
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Java'>http://fedoraproject.org/wiki/Java</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://www.gnu.org/philosophy/java-trap.html'>http://www.gnu.org/philosophy/java-trap.html</ulink>
+ </para>
+
+ <header>Under the Hood</header>
+ <para>
+ The software repositories for the Fedora Legacy community maintenance
+ project are available in this release. Disabled by default, these
+ repositories can easily be re-enabled so that users can keep up with
+ community patches after Fedora Core 5 leaves its official maintenance
+ window.
+ </para>
+ <para>
+ Fedora Core 5 includes the latest releases of Apache HTTP Web Server 2.2,
+ MySQL 5.0, and PostgreSQL 8.1 with various enhancements.
+ </para>
+ <para>
+ <ulink
+ url='http://httpd.apache.org/docs/2.2/new_features_2_2.html'>http://httpd.apache.org/docs/2.2/new_features_2_2.html</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://dev.mysql.com/doc/refman/5.0/en/mysql-5-0-nutshell.html'>http://dev.mysql.com/doc/refman/5.0/en/mysql-5-0-nutshell.html</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://www.postgresql.org/docs/whatsnew'>http://www.postgresql.org/docs/whatsnew</ulink>
+ </para>
+ <para>
+ X.Org has been completely modularized and Fedora Core includes the latest
+ X.Org X11R7.0 in this release. The new modular architecture of R7.0 enables
+ easier driver upgrades and simplifies development, opening the way for rapid
+ improvement in Linux graphics.
+ </para>
+ <para>
+ Gstreamer, the free desktop multimedia framework, has seen major
+ improvements with the 0.10 release, and we made sure that applications such
+ as Totem take full advantage of it.
+ </para>
+ <para>
+ <ulink
+ url='http://gstreamer.freedesktop.org/'>http://gstreamer.freedesktop.org/</ulink>
+ </para>
+ <para>
+ We have the latest version of the GNU Compiler Collection, GCC 4.1, which
+ provides security and performance improvements. We used GCC 4.1 to compile
+ over 6,000 packages in the Fedora Core and Fedora Extras software
+ repositories. GCJ, a critical part of our free Java environment, is
+ included. There is also an implementation of the OpenMP parallel
+ programming standard (<ulink
+ url='http://www.openmp.org/'>http://www.openmp.org/</ulink>) for C, C++
+ and Fortran. Use the compiler switch -fopenmp to enable it.
+ </para>
+ <para>
+ Other improvements are listed at:
+ </para>
+ <para>
+ <ulink
+ url='http://gcc.gnu.org/gcc-4.1/changes.html'>http://gcc.gnu.org/gcc-4.1/changes.html</ulink>.
+ </para>
+ <para>
+ Fedora Core 5 also offers technology previews for SystemTap and Frysk,
+ cutting edge execution analysis tools that will allow developers to
+ troubleshoot performance issues to a degree never before possible.
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/SystemTap'>http://fedoraproject.org/wiki/SystemTap</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/Frysk'>http://fedoraproject.org/wiki/Frysk</ulink>
+ </para>
+
+ <header>The Future of Fedora</header>
+ <para>
+ Fedora contributors are already working toward the next release of Fedora
+ Core, which will feature advancements in Xen, and new integration work from
+ the Fedora Rendering and One Laptop Per Child (a.k.a. $100 laptop) projects.
+ Stateless Linux work is also progressing steadily. We are working on the
+ ability to support Fedora Extras and other custom software repositories
+ during installation. As usual, work continues on new releases of the best
+ and most robust free and open source software. See our roadmap at:
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/RoadMap'>http://fedoraproject.org/wiki/RoadMap</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/OLPC'>http://fedoraproject.org/wiki/OLPC</ulink>
+ </para>
+ <para>
+ <ulink
+ url='http://fedoraproject.org/wiki/StatelessLinux'>http://fedoraproject.org/wiki/StatelessLinux</ulink>
</para>
</fdp-pr>
18 years, 2 months
- 1
- 0
press-release Makefile,1.7,1.8
by fedora-docs-commits@redhat.com
Author: jtr
Update of /cvs/docs/press-release
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31888
Modified Files:
Makefile
Log Message:
Oops, cleaned a file that was never generated!
Index: Makefile
===================================================================
RCS file: /cvs/docs/press-release/Makefile,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- Makefile 15 Mar 2006 15:11:49 -0000 1.7
+++ Makefile 15 Mar 2006 18:11:40 -0000 1.8
@@ -181,7 +181,7 @@
@printf "${HFMT}" "${DOC_BASE}-${PRI_LANG}.xml" "Primary XML"
########################################################################
clean::
- ${RM} params.xml
+ ${RM} params.xsl
distclean clobber:: clean
########################################################################
.PHONY: mrproper
18 years, 2 months
- 1
- 0