web/html/docs/selinux-user-guide/f10/html-single/images icon.svg, NONE, 1.1 sealert_gui.png, NONE, 1.1 setroubleshoot_denial.png, NONE, 1.1 xguest.png, NONE, 1.1
by Murray McAllister
Author: mdious
Update of /cvs/fedora/web/html/docs/selinux-user-guide/f10/html-single/images
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23851/selinux-user-guide/f10/html-single/images
Added Files:
icon.svg sealert_gui.png setroubleshoot_denial.png xguest.png
Log Message:
- updating content for multi-page HTML.
- adding single-page HTML content.
- adding PDF.
- updating index.php to reflect above mentioned changes.
--- NEW FILE icon.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:ns="http://ns.adobe.com/AdobeSVGViewerExtensions/3/"
xmlns:a="http://ns.adobe.com/AdobeSVGViewerExtensions/3.0/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://web.resource.org/cc/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
version="1.0"
width="32"
height="32"
id="svg3017"
sodipodi:version="0.32"
inkscape:version="0.44+devel"
sodipodi:docname="book.svg"
sodipodi:docbase="/home/andy/Desktop">
<metadata
id="metadata489">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
</cc:Work>
</rdf:RDF>
</metadata>
<sodipodi:namedview
inkscape:window-height="480"
inkscape:window-width="858"
inkscape:pageshadow="0"
inkscape:pageopacity="0.0"
guidetolerance="10.0"
gridtolerance="10.0"
objecttolerance="10.0"
borderopacity="1.0"
bordercolor="#666666"
pagecolor="#ffffff"
id="base"
inkscape:zoom="1"
inkscape:cx="16"
inkscape:cy="15.944056"
inkscape:window-x="0"
inkscape:window-y="33"
inkscape:current-layer="svg3017" />
<defs
id="defs3019">
<linearGradient
id="linearGradient2381">
<stop
style="stop-color:white;stop-opacity:1"
offset="0"
id="stop2383" />
<stop
style="stop-color:white;stop-opacity:0"
offset="1"
id="stop2385" />
</linearGradient>
<linearGradient
x1="415.73831"
y1="11.854"
x2="418.13361"
y2="18.8104"
id="XMLID_1758_"
gradientUnits="userSpaceOnUse"
gradientTransform="matrix(0.8362,0.5206,-1.1904,0.992,147.62,-30.9374)">
<stop
style="stop-color:#ccc;stop-opacity:1"
offset="0"
id="stop3903" />
<stop
style="stop-color:#f2f2f2;stop-opacity:1"
offset="1"
id="stop3905" />
<a:midPointStop
style="stop-color:#CCCCCC"
offset="0" />
<a:midPointStop
style="stop-color:#CCCCCC"
offset="0.5" />
<a:midPointStop
style="stop-color:#F2F2F2"
offset="1" />
</linearGradient>
<linearGradient
x1="500.70749"
y1="-13.2441"
x2="513.46442"
y2="-2.1547"
id="XMLID_1757_"
gradientUnits="userSpaceOnUse"
gradientTransform="matrix(0.6868,0.4269,-0.9821,0.821,111.6149,-5.7901)">
<stop
style="stop-color:#5387ba;stop-opacity:1"
offset="0"
id="stop3890" />
<stop
style="stop-color:#96bad6;stop-opacity:1"
offset="1"
id="stop3892" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0.5" />
<a:midPointStop
style="stop-color:#96BAD6"
offset="1" />
</linearGradient>
<clipPath
id="XMLID_1755_">
<use
id="use3874"
x="0"
y="0"
width="744.09448"
height="600"
xlink:href="#XMLID_343_" />
</clipPath>
<linearGradient
x1="505.62939"
y1="-14.9526"
x2="527.49402"
y2="-0.7536"
id="XMLID_1756_"
gradientUnits="userSpaceOnUse"
gradientTransform="matrix(0.6868,0.4269,-0.9821,0.821,111.6149,-5.7901)">
<stop
style="stop-color:#b4daea;stop-opacity:1"
offset="0"
id="stop3877" />
<stop
style="stop-color:#b4daea;stop-opacity:1"
offset="0.51120001"
id="stop3879" />
<stop
style="stop-color:#5387ba;stop-opacity:1"
offset="0.64609998"
id="stop3881" />
<stop
style="stop-color:#16336e;stop-opacity:1"
offset="1"
id="stop3883" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0.5" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0.5112" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0.5" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0.6461" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0.5" />
<a:midPointStop
style="stop-color:#16336E"
offset="1" />
</linearGradient>
<linearGradient
x1="471.0806"
y1="201.07761"
x2="481.91711"
y2="210.4977"
id="XMLID_1754_"
gradientUnits="userSpaceOnUse">
<stop
style="stop-color:#6498c1;stop-opacity:1"
offset="0.005618"
id="stop3863" />
<stop
style="stop-color:#79a9cc;stop-opacity:1"
offset="0.2332"
id="stop3865" />
<stop
style="stop-color:#a4cde2;stop-opacity:1"
offset="0.74049997"
id="stop3867" />
<stop
style="stop-color:#b4daea;stop-opacity:1"
offset="1"
id="stop3869" />
<a:midPointStop
style="stop-color:#6498C1"
offset="5.618000e-003" />
<a:midPointStop
style="stop-color:#6498C1"
[...3537 lines suppressed...]
style="stop-color:#B4DAEA"
offset="0" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0.5" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0.5112" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0.5" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0.6461" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0.5" />
<a:midPointStop
style="stop-color:#16336E"
offset="1" />
</linearGradient>
<linearGradient
x1="506.09909"
y1="-11.5137"
x2="527.99609"
y2="2.7063999"
id="linearGradient17882"
xlink:href="#XMLID_1752_"
gradientUnits="userSpaceOnUse"
gradientTransform="matrix(0.6868,0.4269,-0.9821,0.821,111.6149,-5.7901)" />
<defs
id="defs3826">
<polygon
points="463.52,216.14 480.56,220.24 481.36,219.5 483.03,202.04 469.05,196.69 468.24,197.45 463.52,216.14 "
id="XMLID_338_" />
</defs>
<linearGradient
x1="468.2915"
y1="204.7612"
x2="479.39871"
y2="214.4166"
id="linearGradient17357"
gradientUnits="userSpaceOnUse">
<stop
style="stop-color:#5387ba;stop-opacity:1"
offset="0"
id="stop17359" />
<stop
style="stop-color:#96bad6;stop-opacity:1"
offset="1"
id="stop17361" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0.5" />
<a:midPointStop
style="stop-color:#96BAD6"
offset="1" />
</linearGradient>
<clipPath
id="clipPath17364">
<use
id="use17366"
x="0"
y="0"
width="744.09448"
height="600"
xlink:href="#XMLID_338_" />
</clipPath>
<linearGradient
x1="506.09909"
y1="-11.5137"
x2="527.99609"
y2="2.7063999"
id="linearGradient17368"
gradientUnits="userSpaceOnUse"
gradientTransform="matrix(0.6868,0.4269,-0.9821,0.821,111.6149,-5.7901)">
<stop
style="stop-color:#b4daea;stop-opacity:1"
offset="0"
id="stop17370" />
<stop
style="stop-color:#b4daea;stop-opacity:1"
offset="0.51120001"
id="stop17372" />
<stop
style="stop-color:#5387ba;stop-opacity:1"
offset="0.64609998"
id="stop17374" />
<stop
style="stop-color:#16336e;stop-opacity:1"
offset="1"
id="stop17376" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0.5" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0.5112" />
<a:midPointStop
style="stop-color:#B4DAEA"
offset="0.5" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0.6461" />
<a:midPointStop
style="stop-color:#5387BA"
offset="0.5" />
<a:midPointStop
style="stop-color:#16336E"
offset="1" />
</linearGradient>
<linearGradient
x1="296.4996"
y1="188.81061"
x2="317.32471"
y2="209.69398"
id="linearGradient2387"
xlink:href="#linearGradient2381"
gradientUnits="userSpaceOnUse"
gradientTransform="matrix(0.90776,0,0,0.90776,24.35648,49.24131)" />
<linearGradient
x1="296.4996"
y1="188.81061"
x2="317.32471"
y2="209.69398"
id="linearGradient5105"
xlink:href="#linearGradient2381"
gradientUnits="userSpaceOnUse"
gradientTransform="matrix(0.90776,0,0,0.90776,24.35648,49.24131)" />
<linearGradient
x1="296.4996"
y1="188.81061"
x2="317.32471"
y2="209.69398"
id="linearGradient5145"
xlink:href="#linearGradient2381"
gradientUnits="userSpaceOnUse"
gradientTransform="matrix(0.90776,0,0,0.90776,24.35648,49.24131)" />
<linearGradient
inkscape:collect="always"
xlink:href="#linearGradient2381"
id="linearGradient2371"
gradientUnits="userSpaceOnUse"
gradientTransform="matrix(0.90776,0,0,0.90776,24.35648,49.24131)"
x1="296.4996"
y1="188.81061"
x2="317.32471"
y2="209.69398" />
</defs>
<g
transform="matrix(0.437808,-0.437808,0.437808,0.437808,-220.8237,43.55311)"
id="g5089">
<path
d="M 8.4382985,-6.28125 C 7.8309069,-6.28125 4.125,-0.33238729 4.125,1.96875 L 4.125,28.6875 C 4.125,29.533884 4.7068159,29.8125 5.28125,29.8125 L 30.84375,29.8125 C 31.476092,29.8125 31.968751,29.319842 31.96875,28.6875 L 31.96875,23.46875 L 32.25,23.46875 C 32.74684,23.46875 33.156249,23.059339 33.15625,22.5625 L 33.15625,-5.375 C 33.15625,-5.8718398 32.74684,-6.28125 32.25,-6.28125 L 8.4382985,-6.28125 z "
transform="translate(282.8327,227.1903)"
style="fill:#5c5c4f;stroke:black;stroke-width:3.23021388;stroke-miterlimit:4;stroke-dasharray:none"
id="path5091" />
<rect
width="27.85074"
height="29.369793"
rx="1.1414107"
ry="1.1414107"
x="286.96509"
y="227.63805"
style="fill:#032c87"
id="rect5093" />
<path
d="M 288.43262,225.43675 L 313.67442,225.43675 L 313.67442,254.80655 L 287.29827,254.83069 L 288.43262,225.43675 z "
style="fill:white"
id="rect5095" />
<path
d="M 302.44536,251.73726 C 303.83227,259.59643 301.75225,263.02091 301.75225,263.02091 C 303.99609,261.41329 305.71651,259.54397 306.65747,257.28491 C 307.62455,259.47755 308.49041,261.71357 310.9319,263.27432 C 310.9319,263.27432 309.33686,256.07392 309.22047,251.73726 L 302.44536,251.73726 z "
style="fill:#a70000;fill-opacity:1;stroke-width:2"
id="path5097" />
<rect
width="25.241802"
height="29.736675"
rx="0.89682275"
ry="0.89682275"
x="290.73544"
y="220.92249"
style="fill:#809cc9"
id="rect5099" />
<path
d="M 576.47347,725.93939 L 582.84431,726.35441 L 583.25121,755.8725 C 581.35919,754.55465 576.39694,752.1117 574.98889,754.19149 L 574.98889,727.42397 C 574.98889,726.60151 575.65101,725.93939 576.47347,725.93939 z "
transform="matrix(0.499065,-0.866565,0,1,0,0)"
style="fill:#4573b3;fill-opacity:1"
id="rect5101" />
<path
d="M 293.2599,221.89363 L 313.99908,221.89363 C 314.45009,221.89363 314.81318,222.25673 314.81318,222.70774 C 315.02865,229.0361 295.44494,244.47124 292.44579,240.30491 L 292.44579,222.70774 C 292.44579,222.25673 292.80889,221.89363 293.2599,221.89363 z "
style="opacity:0.65536726;fill:url(#linearGradient2371);fill-opacity:1"
id="path5103" />
</g>
</svg>
15 years, 3 months
web/html/docs/selinux-user-guide/f10/pdf Security-Enhanced_Linux.pdf, NONE, 1.1
by Murray McAllister
Author: mdious
Update of /cvs/fedora/web/html/docs/selinux-user-guide/f10/pdf
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23851/selinux-user-guide/f10/pdf
Added Files:
Security-Enhanced_Linux.pdf
Log Message:
- updating content for multi-page HTML.
- adding single-page HTML content.
- adding PDF.
- updating index.php to reflect above mentioned changes.
--- NEW FILE Security-Enhanced_Linux.pdf ---
%PDF-1.4
%ª«¬
4 0 obj
<<
/Producer (Apache FOP Version 0.95beta)
/CreationDate (D:20090123095540+10'00')
>>
endobj
5 0 obj
<<
/N 3
/Length 10 0 R
/Filter /FlateDecode
>>
stream
xìÝUP_
L
="sMêLûÌfÍ·-®¬imžl%í€í5Ì]|Ã]çœ(wmpëròòüòò»×÷±Ï
ï?Î+Â
äA=Zøê±|šÇðõ¢gGÆ&ú¢Æ·ËyOMM?Ä2·Ûšy[>Y³:tù©ožº=ëú$
$Œ:Qkkr ÐR¿¬Œ
ÖJÏ×GûŒÖ3{èEþËnÊÒ0fÄíVõGÒP
!×^û!µR
ê=YÏ:îßQò ÊÔLw£2¢5ýþFüïë÷{«l)Cã«côɵ/àJ
3*ÓrËO%Lw ¬ç:L4ø(ÌŽ#µÌUå!_¶§}»$ÏrI(\S*¡ÒHRzä/§JKÏcÖÿú%öÿµÆ-¶ï€,Ø÷S?U*"œ[NÅSà&õK
ñí(wÁyÝúQøŠS^%bó9MÇýØßLæ_š]R@èvæß1t 1c«šmÔ
_ŠüŠCULÌÝòYíÄñY:8û,Û2žÙð:ý[5Ý&"PßÎd YàÌŠ?AÚœUéAúzy¢Á'F1Œ¡î€^]$FVD±£jÉœÐÒMPÏlEª6òB1¥oÕÌEZj\9³oXµy£€K»
=*PVòT5ïwU¢zjò£"=ëýþÙZ(ì^>ÌxUv_\[¶üÀ+a>mN÷ͱBã
Xu¹ŒJ0³¹sWö§sô}f§ûÜ6$VëÀ³-æÅùÊ<mS)žÐÝ"m,Sœ2kêjb©[þÉÜö"ÑÚ?þÌ'@ý.µûµìªQu³g¿È\¢í²èJCœîÍ#mÜ¥E¬h·fê/g*×ìx-ê]¥U£z±1£3œâÒBœ¥2ŸÍ}>r+Õúý²r(ûÕÇ#%Gìõ^zT3ó1;_{<Y\9Lœ]+
œWéTnÜÚjuŽI
P9Ÿ§bò
üÌ«(Îaç{$8#
t~±Hñm¢_Ù²»úϪ6¡vœ
^ë3f5h¬rùµ»8éÌB̹p\íÈäa7Z¢.;3ÞŒeEoÛ¯%ý@»GÕŽÜBöE>1u¿Ø}_œvDøû§ÀÕþkíELÀIÔ&æ»^ï¯éŽáÜbÒáâvÞm&áöòuzE¢S.B 1lng~ñ>>òvlÉ;A·ZÑÞQuH«;ýÀ^ÿJÞRavíVª "ÿC9
N,ª2ÜöÄ{ fÝåÚ¯AЬnÝï«Äÿ§¿Z©u°cQy£`à@²Šk€é0Šªë2±~É2IgýÅÂj3;°!pÿµ
ŽIÞäCtQoÈàU£·³Íw{TU#ŽçÝGeŠ åײïÓ&å1ÁJW- ÎmÑú#z¿;¡²læŸÝ
~}ùìõªXU1U>ªýU¿³âÕmªOÃyµ¬k+\wônêA&LÅ
il~·u ^ðŒwã6þG]oâ÷¶ÜŽ=5îÜè/©õfŸ
©#CùL×aøÏxc ¡»ftM»ûpZùŸGoluæäËÔÖ°Ïä×ÅW#&$!ßóZ£ŒJâÄqü^×EqÁÞi
ñ ÝRtÍ«€ÿZK]
£rÍÂÑÒóÎ&gI³WÄÚÔõTÛßC*uíê몲êk°\°dëÌÝÚý&²Œ»ìpZZwŽÔ-uYÆ¿
§êf×ÿÕ+èŠ1;#7ÎïûžcÞs3édËïýâsóUõ6£ü£yÐ6RÞgq;MAgkG\ñü}Ï®žJh-ö^µ.ïAÎß(îce£¿F¹Ý.
Æ î¢·& =<ñ¡æžh|fz£¬¿;<éOÑP}±<§yߺ
4XŽÑ7X>j³(!·RjûiØñì¶]ç=Ísn%mKOÓ^Sû+ÊA
auçýjæSê¹òÄçn5¹PWë:â×á^õ çºÞÏ[É wÙKäÌuqå¢êþæñ,$ç/ÅQ¹ûpEâXsÇéWø©€Àj{`NéiQ€=7éëQÑѲ±°ÌÅì®ü°ÔŒää׊"Ó^ãù2±Œt¥w/eÞœýð¹Þë¯9ªÁÁ'°t ñ§¿ToеK^:œ§>Õ³?³º
`±6s°ìŵhÄ
pÐ(ºúvÞLÎÔº%ûµÎOyëÙìkc-šíiëÏ¢÷¯tÇtÃ>°Fëœ<º4úß~²g.óáÌÝŠÐ[ÈÍ~€°SÊíÛÈxõûÒ(_gãèrø¡wîØ¥·Çx€^ÓdÂÈÏR
;ò"œ:\:£Š*/»öc2»Å
yõ&/»æÚdŽ·Î¢<Š§÷g]<Ù'þÎNzÎ
|õbm%¯ð)ã]ÐñgKüZð_k+¡ëNâ?Ì-åh~YŠ}yöcÆ
8åtjcíÒ¯vŠmkØøégÃÓbÖ$ç©k7O¿²HÉééþÈÄéóÖì(Íè[ŠèŸáÒ8Ùâ@t¢ÊܪÃrêÛ/Q:sÙOËÐ&1¥Sô81wSð¶ºØ¶©Äò¢xúOÜi¶J¥xL{9ugTÌÊéÕå^Í'Ks%wgr§
tì§t°UµŠáÌgae^dýùñâMÞÉDQdñÁ'Ü÷üµN¹áÀîNÿî÷}ÇïÖ7»
ȺibŒJ5{®ŒTËúÜ,ùj#UõêN«>jŒšÒ`|÷®j¹u»þmõ§·êbµZ©ÍîïüÚµb»ìZVõ2é2>å*dáõ¶d%}À
fgÖOåÔFëóãcÇQE¥ÞüS©¥¯DVtÂÆ¿<Y '¶XYÏõûQÚ
ý=5J¹J=Š6óË\üRÅ6eòkÔÕ;ü[üÕ{À×æk áðõ 'Ñ°âÍÛ%··çÞeÎw]þÔ)Éü×Ú¿ÿXÏ°±XjXfX/°°±
±Þa}Àúµõû¶06[
Ûûvv"v!ö;ìØ°W±à`áPâ<ÃÆAàšááŒÀ ÂIÄ)ÄyóçÎ*Î\,\JÜgžÂž\5\3ÜžAžž
žïp?à~Â]Åý
G÷O§g÷//¯ïÞŒOx«x?ð±ð)ñáã#ðÕðÍð_àá'ââ¿Ãÿÿ ÿ%Á3aÁ DBw>¬ü Ä"€$|F(L T#4#|ADHXHøðá'ÂUÂDXDDÏDjDfD/þý$IDEDõDœDÖN±©YEÄêÄæÄ®ÄÁÄIÄEÄõÄœÄ×OI°IšHXHDH$ê$æ$®$Á$I$E$õ$œ$IÖHNI±I©HYHEH€ê€æ€®€Á€I€E€õ€œ€I×HOÉ°ÉšÈXÈDÈdêdæd®dÁdIdEdõdœdÉÖÈNɱɩÈYÈEÈäêäæä®äÁäIäEäõäœäÉ×ÈO)°)š(X(D(êæ®ÁIEõœ)Ö(N`? zÀò@äòúó®$=(zPÿ ÷ÁçkN)±)©(Y(E(êæ®ÁIEõœ)×(O©°©ššXšDšTêTæT®TÁTITETõTœT©ÖšNb?€zÈòPä!ò¡úCó®&=,zXÿ°÷áçkOa?¢zÄòHäòú#óG®%=*zTÿš÷ÑçGkN©±©©šYšEšÔêÔæÔ®ÔÁÔIÔEÔõԜԩךOc?ŠzÌòXä1ò±úcóÇ®'=.z\ÿž÷ñçÇkOi°išhXhDh4ê4æ4®4Á4I4E4õ4œ4iÖhNi±i©hYhEhŽêŽæŽ®ŽÁŽIŽEŽõŽœŽi×hOé°éšèXèDètêtæt®tÁtItEtõtœtéÖèNé±é©èYèEèôêôæô®ôÁôIôÅô
ô}ôÓôëôg8XDPn!ÉÅ
}Óëg8YEQn!ÉÅ
}ÓëgOp<|ÂúDô êÆ'nOB$?)~Òð€ïÉôõ'gL8LXDPLLLnL!LÉLÅL
L}LÓLëLgÌ8ÌYEQÌÌÌnÌ!ÌÉÌÅÌ
Ì}ÌÓÌëÌgOq>|ÊúTô)ê©ÆS§nOC&?-~ÚðŽïéôÓõ§gÏp=|ÆúLôêÆ3gnÏB%?+~Öð¬ïÙô³õgg,8,YXYDYP,,,n,!,É,Å,
,},Ó,ë,g¬8¬YYYEYQ¬¬¬n¬!¬É¬Å¬
¬}¬Ó¬ë¬gl8lÙXÙDÙPlllnl!lÉlÅl
l}lÓlëlgì8ìÙYÙEÙQìììnì!ìÉìÅì
ì}ìÓìëìg89X9D9Pn!ÉÅ
}Óëg89Y9E9Qn!ÉÅ
}Óëg\8\¹X¹D¹P\\\n\!\É\Å\
\}\Ó\ë\gÜ8ܹY¹E¹QÜÜÜnÜ!ÜÉÜÅÜ
Ü}ÜÓÜëÜg<8<yXyDyP<<<n<!<É<Å<
<}<Ó<ë<gŒ8ŒyYyEyQŒŒŒnŒ!ŒÉŒÅŒŒýŒ3ŒŒ?ùpùñ±ññ¡ù4ù,ùÜù^ó¥ðœákäëçáÛàûÉËÿ_ͯÉoÉïÎÿ?
ÿ
#?ÿÿÿO\GlbhMKw×)oúf6~
â
>dDj
Z
ºŸL|#Ø(Ø/8#ž!øSWèZHSÈRÈ]èµPСF¡~¡¡
¡ÂžÂÙÅÑÂÂÂî¯
Sß7
÷ÏoÿÁy$Â&"&ѱqy-"òF€Q€_dFdCä§(®è#Q6Q1QŽšŠš¥š»èkÑÑ7¢¢ý¢3¢¢?Åpű¡Å4Å,ÅÜÅ^¥œkëÛû)+þHM\L-®)n)î.þZ<Eüx£x¿øøøO \Glbh M K w×)o$%ú%f$6$~JâJ>dDKjJZJºKŸL|#Ù(Ù/9#¹!ùS
WêZJSÊRÊ]êµTÔ©F©~©©
©
Ö[ÝÁ¯Á)à7àFð
å
E¥¢JPMšÔ,juÆCS£ÙÑâhZm
ö@¢SÑ%è&ô
(Í)m)](ã+?VæPPVÖV¶VöTSNS.UnVTSÞRŸPÁWy¬Â¡"¡"¢bâ©ŠŠRªÒ¬2š2§²¥r¡¯úXCUBUZU[ÕZÕS5L5MµTµYuPuNuKõB
_í±Ž¶µ§ZZZ©Z³Ú ÚÚÚ
:Ÿúcuu uiumukuOõ0õ4õRõfõAõ9õ-õ
|ÇÒÚÖai¥Ís[ø594%4¥5µ55=5Ã4Ó4K555ç4·4/ŽðµkqhIhIkikYkyj
i¥ij5k
jÍimi]hãk?ÖæÐÐÖÖÖ¶ÖöÔÓNÓ.ÕnÖÔÓÞÒŸÐÁ×y¬Ã¡#¡#£cã©ŠŠSªÓ¬3š3§³¥s¡¯ûXCWBWZW[×Z×S7L7M·T·YwPwNwK÷B_ﱎ¶µ§^^^©^³Þ ÞÞÞ
>Ÿþc}} }i}m}k}Oý0ý4ýRýfýAý9ý-ý|ÇÒÚÖai¥Ís[ø
9%¥
µ
=
ÃÓK
ç·/ðqIIiYy
¥5
Ím]ã?6æ006Ö6¶6ö43N3.5n643Þ6Ÿ4!0¡1á441Ñ1±1yinnRfÒb2d2o²mriJ`JcÊi*i*cªcjcúÒ4Ü4ÝŽÌŽÅtÈtÞtÛôÒÀÆÓLÒLÆLÇÌÆì¥YžYºYYÙٌٶ٥999§¹€¹¹¹ùKópótó2óó!óyómóKNIáée-CóÛ42:6/-Ã-Ó-Ë,[,,ç-·-/¬h¬8$d¬t¬l¬^Z
[¥[YµX
YÍ[m[]ZXÓXsZKZËXëXÛX¿Ž·N·.³n±²·Þ¶ŸŽ!°¡±áŽŽ±Ñ±±±yinnSfÓb3d3o³msiK`KcËi+i+c«ckcûÒ6Ü6ݶ̶ÅvÈvÞvÛöÒÀÆÓNÒNÆNÇÎÆî¥]ž]º]]Ý݌ݶݥ===§œ€œœœýKûpûtû2ûû!ûyûmûKNIáée-CóÛ42:6/ÃÓË[ç·/h8$dtl^:
;¥;9µ8
9Í;m;]:8Ó8s:K:Ë8ë8Û8¿twNw.snqrwÞvŸt!p¡qáttqÑq±qyéîîRæÒâ2ä2ï²írõð9ís®çRÏeë>·}îõ<âyÆó·Ï[?ÿò|çùÕÂŽ/ž^Hœ}¡ûÂö
×/ÞŸh}1üâËW®®Ž®\®R®²®º®¶®^®®®o][]]¿žîž^¹ºÑºq¹I¹ÉºéºÙºy¹Ežežœukuvûâ¶ãvåNèNëÎå.å.ë®ënëîåááþÖœÕ}Øýûû¡¬®GGÇ[Va/;WŽ\R²º¶^o=[==¿xîx^œ$|Iûë¥ÔKÙº/m_zœxñòíËÖÃ/¿ŒÜyyåEèEëÅå%å%ë¥ëeëååááõÖ«ÕkØë××7¡77··¬·®··ww÷[ïVïaï/Þ;ÞW>>Ž>\>R>²>º>¶>^>>>o}Z}}Ÿøìø\ùúÒúrùJùÊúêúÚúzùFøføŸõmõöýâ»ã{åGèGëÇå'å'ë§ëgëçåáá÷Ö¯ÕoØïßß?¡??¿¿¬¿®¿¿ÿ[ÿVÿaÿ/þ;þW¯_ÑŸâz%õJöî+ÛW^¯"^eŒzûªõÕð«/¯v^]ÐpHÈèØxDdŒ
h
ø°pHHÈ((šhèø6°5p8ðKàNàUQ]w H.H/È.È;(2(3š<š-h$h!h7è:(.;,¬lì\Ü<ŒŒ|BBÂѱñÉ)i YÙ
¹~Môî5÷kÀk¹×z¯í^{¿|ùºüuÛëׯw__
Ò
rBåBõBíBœC#C3CËCÛBGBBwC¯ÃÂèžÃ
%¥eåUÕ5µµuMMÍ
Ö¶öÎ.n^ÞŸ!¡áÄÈÅèÅØÅxÇDÆdÆÇŽÅÄ,ÄìÆ\ÇÅÒÅrÇbåbõbíbœc#c3cËcÛbGbbwc¯ãâèâžã
ÌÏÖ϶ÏöÉÊÎÊ®ÈnÏÍ^ÌÞËŸÉ!ΡÏáÉæÈçèçØçøäDådåTäŽçæ,æìåÜäçÒçòäsåsõsís}r£r³r+rÛsGss÷roòóèóxòyòyúyöy>yQyYyyíy£yy{y7ùÄùôù<ùÀ|ù|ý|û|üšü¬üüöüÑüÅüœüâú`|~}OATAVAEA{ÁhÁbÁ^ÁM!q!}!O!°PŸP¿ÐŸÐ§0ª0«°¢°œpŽp±p¯ðŠžŸ§X$_€_d_äSUUTQÔ^4ZŽXŽWtSL\L_Ì[*V(6(v(ö-.Î.®,î(+þZŒ_|ûä
ÃÞ7 7
oÞ8Œñ}ý&ûMå7coŸŸÙs[BRÂPÂ[*Q(1(q(ñ-.É.©,é(+ùZ²_r[JRÊPÊ[
*U(5(u(õ-.Í.,í(+ýZº_z[FRÆPÆ[*S(3(s(ó-.Ë.«,ë(+ûZ¶_vûä-Ã[Þ· ·
o
Þ:Œõ}ý6ûmåÛ·co¿ŸÝ{[NRÎPÎ[*W(7(w(÷-.Ï.¯,ï(+ÿZŸ_~[ARÁPÁ[ªPš0špšð®È®š¬èš«øZ±_q[IRÉPÉ[ ªTš4štšô®Ì®¬¬ìš«üZ¹_y[ERÅPÅ[ªRš2šršò®Ê®ª¬êš«úZµ_u[MRÍPÍ[
ªVš6švšö®Î®®¬îš«þZœ_}[CRÃPÃ[ªQš1šqšñ®É®©¬éš«ùZ³_s[KRËPË[ªUš5šušõ®Í®¬íš«ýZ»_{[GRÇPÇ[ªSš3šsšó®Ë®«¬ëš«ûZ·_wûäÃ;Þw w
ïÞ9Œó}ý.û]å»wcÛw[ORÏPÏ[ªWš7šwš÷®Ï®¯¬ïš«ÿZ¿_Û@ÒÀÐÀÛ
ÛÛýÚcÚsÚ«Ú;Û?¶/µŽÿê í`ìàë
{{ýzczsz«z;{?ö.õôþê#ícìãë÷)öö9öùõÅôåôUõuö}ì[ê;èûÕOÚÏØÏ×îWì7ìwì÷ëéÏé¯êïìÿØ¿ÔÐÿktqo
2¥4e4å4å?;;U=Õ55>µ<u8u÷ìÓOü >}rúäÿ)öSî§êO]Æ?-:üt÷ìóÏü!>}vúìÿ9ösîçêÏ]Ç?/>ü|7M6ýd24m4í4í?;;]=Ý5=>œ<}8}7C6ód2£4c4ã4ã?;;S=Ó53>³<s8s7K6ûd2«4k4ë4ë?;;[=Û5;>»<{8{7G6÷d2§4g<ç<÷j.n.o®fîýÜÄÜÊÜÑÜïyòyŠyyèŒòŒñŒóü«ùžùŒùù÷óó+óGó¿¿aú"ðúEùñç/¯ŸÄ}ÉûRóåý/+_Ÿü^ _`ZX.(//8/ŒZ[È[šYx¿0±°²pŽð{|iQ`ºšŒhŒèŒøj1n1o±fñýâÄâÊâÑâï¯ä_Ÿ
|
~UþjüÕù뫯q_óŸÖ|}ÿuâëÊ×£¯¿È KÊKÆKÎK¯âòjÞ/M,,-ý^&_fZX.+//;/¿Z[Î[®Y~¿<±Œ²|Žü{
|
iE`º¢ŒbŒâŒòj%n%o¥fåýÊÄÊÊÊÑÊïoäߟ |~SþfüÍùÛ«oqßòŸÕ|{ÿmâÛÊ·£o¿¿gú.ðú]ù»ñwçﯟÇ}Ïû^óýý÷ï+ߟÿ^%_eZX
®*¯¯:¯ŸZ[Í[Y}¿:±º²zŽú{|iM`
ºŠŒfŒæŒöj-n-ofíýÚÄÚÊÚÑÚïuòuŠuuèºòºñºóú«õžõŒõõ÷ëë+ëGë¿7È766 ÊÆί6â6ò6j6ÞoLl¬lmüÞ$ßdÚØn*oo:oŸÚÛÌÛ¬Ù|¿9±¹²yŽù{|iK`º¥ŒeŒåŒõj+n+o«fëýÖÄÖÊÖÑÖïmòmŠmmè¶ò¶ñ¶ËvÀvüvþvív÷öäö·íãí?;;Ì;;°øüÚîÉo;Ç;v)vwwa»*»&».»»ñ»ù»µ»Ý»»ßvwÿìQì1ï îÁöTöLö\ööâ÷ò÷j÷º÷&÷ŸíïýÙ§ØgÞÜí«ìì»ììÇïçï×îwïOîÛ?Þÿs@qÀ| x
ÂNUNMN]NNãOóOkO»O'O¿þ9£8c><©¹ÅåÕuM};;>ûóâ'óOÁ°*?M~ºüøÿ3ÿgíÏî?¿ý<þùçâù\ðv®rnrîrp^{Þ}>yþíüøüÏÅó
àìBåÂäÂå"à"þ"ÿ¢ö¢ûbòâÛÅñÅKKæKÁKإʥɥËeÀeüeþeíe÷åäå·ËãË?WWÌWW°+++«À«««º««©«ïW'W¯\?œº_«^^?¿ŒNž.ž®»î¹ºþ~}rý÷æÁÍÓ¡øêéÍóÀº©ï7'7oÜ>œº
ߪÞÞ>¿
ŒMž-ž»í¹ºý~{rû÷×_O ýÿRýeúëù¯À_ ¿
~Õýêù5õëû¯_ïÜ=œºß©ÞÞ=¿ŒKž+ž«»ë¹ºû~wr÷÷÷ßOýÿVýmúûùïÀß ¿~×ýîù=õûûïßÿ<øóôÐøÕ?Šÿ üð§àOÝ?SŸÿ9ùó÷ïÿ÷ëÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿïýÿÞÿÿ¿÷ÿÿëÌHúÿ3#±à0à²áñãK@1DÄ$z€&dVä/xRúQ={Mÿ8
&6®Ÿ¡±æI=SsÛÓ®g=,ý¬Clcì8gžŸpåYá]å[çßØ<:þ!òSôBìZüVâNò/
8%â!EŠÅÐK3Ê0É2Ë=gU`SäPâTæVáQåSãWÔÒÖÕÓ×ÐÒ
AF`c Ôf7GX -QVhkŽ
ÆVÚNÆ^ÖAÖQÎIÞYÞEá¹âEW%7%weO*^ªÞª>jŸj~êþê¯Ô4545B4_kjikFhEjEiEkÅhÅjÅiÅk%h%j%i%k¥h¥j¥i¥kehejeifkæhæjæiækhji«¿Q/Q/U+S{«V®Z¡Z©Z¥RR£\«\§ôN©^±A±Q¡I¡YŸEŸU®M®]¶CŠSŠKú=ŠÓþêEõ!ûAøl:
?ÆI©)©O%ŠÅgÄfEçDæ
¿-.
|å_â[æ]áùÆýksc}mueûÙó.ÓÞ}ÆCú#ÚcÇ?šOQý€<pAqIvEzMrCtKøàï7î¿XÿãÌÀ¿Øp~ãÞáý¿%ž!Œ&º"Ÿ"¹$œ ;'ÿ÷À?8£<¥úñðÇ£êãÇG4GŽtôûûOööwî>ÛaÙaÝfÛfßâØâÜäÚäÞäÙàÝàÛàÿ·® ¯¬®¯J¬J®JV« Uð*äßBûÿøüúþY^Y][_UXU\Uú·L©¬©®©«¯k¬k®kmhoèlènêmêolný[$LvLwÌvÍw-ö,÷¬öllííONž>?}qæúÓíÜýÂãÂóòå×µ÷Ïï/¿;ÿ߯þü
Â
ÆÁyNAIEMCKGÿ 2ñaÒ£dêTÚ4ºtúÆÌ'YÌÙOså²æ±åsprñóœá/,.y+V.^!Y šVk µð:Ä;T=ŠAŠQ¶IŸY±E¹UµMœ]³C»S§KïœA·Qɳ^>«~ÛûAÇ!çáç#®£îcœÇ}'ü'Š>œþ61=;?ô%e!m1óköRÞrÁJñ·ïoW+Öª×k7ê7·Z¶Ûw:w»÷>ì÷}<<ùücötþlñçòù÷õËÍ«ëý£Û¿~Þ]þŸùswßÿÿßû§HÇr©S0àšdú.ÄWqŠbÅ@-ÈØÿ;ðíËSáÑÄÀxg10YqŸSœÅß!Ó@8B µ²`àPÁTB(Dê|1p ÐÀ6ÃÀ%«g0p -\ìH.Z.ÊhæcàB¿Å(1pÁrJbôX
úcT&£zÜWâizÜM=añS=¡wÁý =©Ä;TlãCOʬÐèA^ô$2G°=
x,ÄœJEOA
ÑSra_ôšEø=41CODfÐSõ¢2è) CÑvô8Ÿ?zJŽN,=%¢/N
Ƭ¥òGäxÓú
£
£|Á,Dh#gföŽ±=×ÚXï6QÏä¢M{:Ð&²HÁ/hôPÚY,üm`NEÂúEÑŠPG_Ž)Zäm
ê5CEgЊ
1Ž©dX;ÚTÂ\m*N*^6m BJ¢M
I$.ÑŠÍOPû9tššRæÇšC_«/êÈS
u"Ú%ú!b#yú!L)eú!ØImòË c0AùGU?@ùûʱ¡^9óq ^YpòÖ¢ôžQê¥BÌš
Dpù aÄQPoqST E|AÝ$ÚQ
$N'
íºD8ìQAÂŽ%T`ßãYiN,ã'YTó¹¯
)ÜY
EaÁÏÿE¡ÿ@0õ@œJ8õ@qZô!ꬶ ê_ìõ
3TP#Ž2Èd&27ªÕç«Íùïà}Ì·HFèÓ!ÔDqb¡ÈYCñBd!LÂYìØG"$$
°ÉOÈBhYjEæŒÈB` YàR"%§!ÈB ?à²Pd,-!E|ÀÊÈ"avðdà]+?'¹ )Õöð5äF#á|H! RHÿH
CcÍHa8)Zæ Eá
€@\
UDô.C»œ"á0aD°ì
¢Op1¡SÆPçüPõµããDš:+ . Ô,dD¶jú<âæuõAI]ºâ¡ÔB]ö9à¡y
ìDš#§@0:BTPý
`
ä¡@[Ð/
BCëBhnÀ
"qð"°¡!žÎD
ÿSÍFÿ5Í-ÿîû?Ÿê¬!,_µPÓ
¯éILÃ×ÔÇ¥Fàkg@yøº¬'ÈŸáóÃ×sà:ø:BÂ
_]AÒáëÐ(1|"õ¯~@OàëÀ,|ÍÁ×%árð
4x'|Coî!
á")Èð
a2Ÿ!žËìwÉid÷?Zä)¿ðõ$»:ëŽÃ]-4ÅGànúR(žú4wSŒuÀÝdýÁópw?$î\>»#Ž¡)pwØoÜZ
ó
»CT`GpwÐÜî,ÏÀÝòž»ä¢î.ä»K#óáî¢'(*žH6ê5ÜCº{<=ýÍiçØcE}ç{Çöõòc;ñÂq,ô%p} «Ÿªã*þ
ðÂqeC ²p\(\%ÂñFpŒÿqyÁñ Õð}8DaÇýF|ãËh8@ÙÇŒFñÀñ$Q¹p<q%ô8è%:'R>ã +blàx,F°Ä.}XRÔ6,Ù7Dxìl-
K±0ª¥è£Al°TõïzXª4* k
¥bð
KCX <`ipÄ,
Ú4¥A°40
KV£`i
c:8±ùFêÁØ$I`ì6@z»Ÿ<8Æ¡Ÿq(ÁIa² .Ç¿Â1yt
q"ì0N8JÆ mGÁ8!æhL®q1ì0N&Æ)
/MãšöqëKÀ8ÅpeÌa"52³0Na]Y§;Ú3Î6Fý²6ù&@Ý€|¡ÍÎ (h³ŸÚ¢~»¶(=BøA[dÓÐÊÚŒ@B[ÏÑZÐV8-zÚ
íÁ ;L
ŽL)ýÚ
lN¶,d Rd2>ÐVfCh«ž©¬)ŽUXö3ŽU€Qm6k¶
sôA¡93|ÝPXÔðæ.¡
;û
(B_ EšÿD@Jô(,(R6ýÄ(£7 HäÆDŒÄ,Bpfi%(:$ý<"ÁŽ2eP$ð,= °
¢€Éþ
¢$ºä\¡(q¹M(JR^é
¢ PЮ4È»%dÈ»hÑNHœoŸ€Á94i°ð®CõMFFõ_(
H£+zÒ$[ùiÂhK·BPx2 H"@ŠÒç}iNÊŠ@ ^r&ðS9_HpDîÒp74I1ÊOC$€!Íâ.
mf1:E^H³Hb€YØYé€Y§B³%Ô
!&ßû!$Î1¿R0Tß !ÕÀÇ@Èød° d²µ²O dÙ
BÎB[Á
å dÐù2HÌ£P!N+ÒCÈ~±r)Ï1¹Ä€+\Ü[iB.ƪ¬!Wý·SôR@È
XøUÀè¢
`L4;XÚ·ŒvNÇe,PÙ`}ij°¬¥,)XVIJ.,+Û._Å8(<Ë¢ÎÀ²Ek°¬ž
DšÐå€UbÀr_U~åÄ_«Ÿ
&ù? K%b ÈRvX)dñR¶
+0Jd<PËYRÕIAVRPõ
4òB ¥×Æ5r'@cýDE ±¿²ÐDISe
h";¯úh W
x£å4RÒZJ\jkMŵŠb
:;ûs* ©pŸ.ÐTH^Ò ËñFcE
"báš`¡£`bb0a`bÍ8¶ÈÌçï[÷ÿϺ÷Z{íçºhäF££cð[Tš÷E}Áï(âòtœkE-¿"Ïó?bçmþ×ìCÖ"ÁAaeHïðAHöG'Ò!íøtѹHw3²yÉDÅ /1QWÔåhyIæF×!/ û7ä%Ö³yfÇZ /ÛعÈKè\ì'ä%8)n<òwy©>ïŒôÄîÓ×kåpÆâLÃu8sŠY
OJ|öy1b*<9xBT<Ùwiôx²nPl_x²ÔÛ
O²âà,îuÜ98]ÂY¿Î¢³³ÈÒq+à,Jè
gará,taB'
šcà,è^â8,Nâá,@tÎRßMv³Œúk¥îãà[Ò¿åÏþ+ºa*äðKeÔczË=â»<{ž¹Ê=h÷OrOýSÏ@¹§|ÝËOî)<öú!÷䪲ålŸê
Üqô{RŒ/Ê=É©jFîIØ©÷Ëœ°ó1r/t²fܱLå^Ð @îf
/œ3¥ÜsïçÒJv:BZÉžª/J+©kFZIæköK+ G`Ž
»¬V¡9 Ž
ÎVAÍà_Ò*p
(FB7¥Uê&X+òbá%¬IZ/ٷـK£òrüŠJ©ÿžŒFÇmp;'6òŽ^÷$Gý{oTr©AÉQx§~,9r¯5á#»PsQrdŒFr€Úý9#9nàÉ »INèLhä8CKNÐ8Qróà[àh%'u+r\rò1pž§&ÍÊKÜ[þж]¬-zéÐ îË Ó!îOýî+îÛêûÎ^sÅÞ~âýgõñÜ¡Ù.>!âîpA<À.iñ ûÅT;4F<H.Ö oØL<Ý
gÑyð_âAÄIB·[âAp6ªîèqñ ú&æ%ô=xÈÔd
ß,²åÏGlÑ;GPär¢]"D>õ?·«"·Ós(=UE! \}Jô](ÈoÁ¢(ü
D{ü%è"4Q
²)Ü (ôœpëÀè2ìŠpÁqpznKOá&ê'ä`áŠ÷Ë/B\Í,b!Ÿü,+úá<\HÈIu£
4sÏCBbÜï¥B¢×Ž IIàV!ÉÐ6äïp·$öEvI|otŽÄV¡åB2£Çú
ÉÔ,_H&+°wB2!âãdì-~CHFW°Ä1!ê$=
dp¹QHhj°¬~E ÉÞ+¥òÕÙ~áÿ.ÿ:z;ÿ¡ØÄ¥ÿ3Ù}/ÿO¥Êÿ'îú?þ£õüÇð0þ£a 2
ÿ$ÿNâ?0[þß[Éb«ñ>ü'&
_wÈâ
TÏd!øbÃ0ô_¬ôÁóÅâP|)_Ì&zóÅì^b:?1¯ùùÔ¿d,?¬&¯ñó@Jâçcß©:~>º
vãç#Ÿôz~>ô
ÈÏ73sùùùÄÏWbÇóóœ7YøA5ËíïðW÷SÂ)àÁÉ)ðZÁ[ŠÒôãÆ]
ÜÎ~ä@.
·Rwqwx+ïí#깪ßôÜÕýp[º?ä¶æÌóîÉýæäqÄ]
¹mÆ`t·-`Æm38ç¹m%yÛ.Š&sÛy{ªÛΧ#¹íL}ÛN÷g8n;y9Èm'bYn;Þ]ÇmGk9sn;ÉrÛá^Ün;žOæ¶áümn»Š 窜wÛzr
£sÀêÁcÓ9°ØÆÓr©§rp'øãÚ³lÄ-8$ žË!7
áe
r8~Ì!Œ3ΡlsC4æPz»CÉãÜ%ž5óŠÖñÄóq(l*$r(xPžÉ¡@¬šåPM?ñz°ÛÀ©ÙêäÁ]míz=W<Úë${>gæ{>
£ØÆžÄ6ãB¶)`1e`Þt5Û€80[Ù&QŲM¿LžéáH¶Éâö²MŽ5?m&ør¶(ôeqK!mFÿÞ±ÍÈxqÛ¯³ÍàqIfdéÛ¬±ÝÙfïcöØc*ÙÐÕöî>lXñXokÌY
°Æ4¹ÈÇ=Çÿ`ÃãÉ÷lxÀ
ú8a@ØálâÂ
e#D;ÍFðc#ØV~Áä
ölm/¬`#È&±7AdÓÙH|øDÏJ±l$!]e#a+Y`#ÁÓòa6šž²aJé}jTóŽfË`æÙjgæy±Jýó"g=ÔÂŒHã0é{MÚ0Æ:y°U3/
·y©xñ") ÌKö2/Ùâhæ%3K,g^ÑÎR_æÙ*å3¯éÒ;æî c^¡-ò
æ2UQWðHå(ó
lÒz0¯líFæÆV7yåÝ8`âjmfâW{zÍ`ÆÃ@43.çdŠÅ¿2qÿPWDã4ÖIØôËÙ 1I
$rL(ï$$ötIbe_ï%dÈ[I"
?$|¬v8^Ó.f|íO&£Ì$º§L20CÊ$kôML²w«B®ip»I7¬œçÓgY(>³[JM¢zÓgãºô9ã,Þ>P#|€Ïü€@úŒÂÈ~ôyÑWþAçõJ6}}¡<§Ï3KµáôyÑ^ Ït}XšÛOÇ5z'ú<zOÿ;})6Òça/C}l3Œ§Ïó|èF§Ï
ºÑ»Íyý[Í%Oî³ÓüE÷-Ö#×é~9G¯t¿Žhfmß×ÒŠÆEâJÚ,à K"㎢ӡÍD£.6ãCu÷i3öoœ?mƬÕ7ÐýiÞ
?Îg'°ÝŸ#)Ùæ»h?¿^@~ñË¥
@?ø_¡
a]Ã#rIûiuc xÀÇ°1òó!lÚ¶¢À©2-(°ç$lùÙÁå-gÒ°cÎ
Ì$ìè÷5,4°#NÞ$ìð aZÂv°C= ;8Ùž°,ÂvÀÑðbÂNþõå
ÆîÄKØ]ccPv7àCÝ5üº»«,«Äî«Zì¿Òx»Ç©Âìs;|vaÝ£\#J±{ÄÕ±{x~d6vs|ÝC.G
c÷àÜšìäMa÷Ñ{±{ÑØ}µÆ£;F1WÐÌÕ«€Ùhfñz}":)·¿ßBtrZmàèäøÈ;hñŸÑÍ
ìþÍ2ìôA³õQ:4KÜõ Íæ«£ÓÑlN~f3obÑlº<æ<MѱMŒÝ
fãËâìÑl[f#Oã{£Ùpi|.
Áñh6ðx\Y<®ÍVÃôøîDêß[œK_ß/>ä¿Ÿë|~ÖhDàñYáÆÑðÃÀ±ÎðCÞyp»r0~6Ü.6óÛùã¶Âí\TÜÎöJ(Ûé] ?áv*4q2ÜNt'>
ÛñíIap;Ô·#ßIžÞŒnüRàvàkÊ*øŠjüoð#µ¯ÈA6;õíêó³!»âÖÐDhd.±ö8ú_È>~q\dnàÙ¢ï¡QÉhr9Eï§|FñwƧC£žiãÛ¡QìÈ ÁÐ(úüóÐ(jR*"§îðÓiö¶r@-'öàs!hÂÄNÈ
9hêÓ[!õøŸä³uë-öÊ窀¡ïåóeU6Fù|á\û¯rcVã#¹)eœÜ=ÎõŒÜ2ÃýÜìçê¹HnÖ ^gäfijÜÌÿôFåfóÞ%·0¯ÔörœBœBn¡pMo¹
xª.·à¥×r±rÒ\[àE ·@
ËÒ&õ09Bè¥Þ%GpÆ^dþÒ¬#é5@o9âér$Ñ Œ#ñ`¬àU9yr$Œ:,GB8ì*GÏàJ9R³ Gª1³éYÝÁåÒóª á7¥e{GÒRGaÙèRGÖYçóÒËn¿I/£3=vI¯Bæ{µH¯ü`ïIÒ+]ºFz%m×,:S`€ÔÉù+€Næ3Ø[ê€7Ó¥NJ_KÄ_P¬Ô¯
®J
î%rQp®dÊö;%Sz#R!ÈÉø
)Ÿ
=,b«d|Ã*%3x>@2|ñ9ðÿ(iªÉLícqV,¯ûsØquU§ø{YÃèrñ÷Â*H\uÛÝN\¢ö×FÏU÷׬Fëüô¿|y. 6×IÇàÇâ:a$#®ãÆ!¯Äu¬)-®£÷£b
bÙ;$Và»ñ±bWÈÄ
ªj]£jrD·Mà*ÑÍ/
æcÑe@p,dÜ[8îöËë²ÐgÂq©;+Üñá8_³ÃV8N$Ç© €³pD®ãÇšþB=H
õš9õAšÓIB=OßêA3F/Ôk1õBý/L±äº+6 TÍp+hËn9w
ºÂÃî%.ëµ*[ЧHý>º!»\ÁàÙ].&øHXðÔÄÁFÒkGî|èsÔÁÊ€Ö>€m&øà§èYJÿ%ø CDÁþ¹%ø@ãYàb>zÎSðQ§-áo×ݶ=À·UÍý§ìþØ(þNaœG7ëoïgüœèÈß®[ø{!Ðü}¿DŒ¿¯E4ò÷¥ävþŸR$˧öò÷YGÚ¿O_€WóšiL?þiÇÌäàÌ{þ6Mà #Øüø§ð îÿ
üFþ:cØ~|ÝNüªùNI|jÙ×|Zá¯~bÖWM(?1%ZŧGW¡ràÓýÒ|®Bùé.=Ïhz7ÁÍeFñ¬³Ï ¯±}ø*Íã3H'ö-_ââù,»Îg £xÏü5ç>*žóàHa=©iòê)ÃÓ¹¯uÏìWqߪ¹É}/{åNq?
UžYÝÀ9®+%éÍuEWc»ž!§î§ßd*û©[L×pÝÒcf×-HìH®[È.çºYo®×MßáŠsÝÔî5×Mºñ±\7~¿ÊucÀu£ÎÂa®Ÿ"ºrÝPXÁuc€\·ŠUÍý«Î³~À-ªëtèÍTtžÅeï=öp¥
WÔ~\ivoæ€Ä¡9Ü蜷4ä<
sKýrévn©n9kÍ-:ØoÜRÁÀý/|®Eøi\ÝοäÊš
BWFª
Ë\~Wäž2lx+C=%®Ÿ-åÊ 9r®t¹2ÍMùo®L=Ûfg^÷aôfn@Õº±9²/^z΢ð¶ŠÝŸÆ
JIÁs¢G¹A!é[Ü`¿Yl>7X·;Ä
ÞñåÜ`!Hpçs«
Ü`qéb7*¿pCHTJãà¥Ül±À
AAù7~š@Üh¡RÍ
5Znæv 7DœÀn[÷Ýi9;œjÛUvFÙ¿ÞWøŒÃæe[¢§ÙüLÒÍ>ùËâgÜbϳ3ýðiìLÝfá¶@ú"³B4-à6HKØVMØúœ<- ÖÈlÉ)lÞ©\b°Z-@)í~¶
ÿô³£»¡í~et7èßîÖtùO¥»ÕÛÆäÒýôØHV5jÑfËQ-m6»ùî²Whóâ@Ú<ú©\Gù®œIðÛ©AÐ3€È6>«èB¡¯+=;ã[I[°ý,hfß<Úª÷ûL[Éþ©Ž1Àÿ>mÕøÑèžÓŽbÒСÀmŽdM[
§ßÄUòûì!lù#[+F])UÊZ²+ú=Kþ5õ%ú÷ëAþÔÝô§È²{ùS(ØOþä®!»ÙüÀ5d7ãÔìŠ.ÝäŽ d7128ìÆoÝhVìFFüIvCçBUd78)Žì¬Ã,ÉnõYÏDÃt#ÎTœÂ'gIÌuâÜì1ââ|v€68rÐPA4ÆôöãÆPÛx¢ÑïbP/¢I×ÌM2bO4 CMܳP¢-
]G41PØ
ÑÝ1Þ!Ðyá>Dâ~hnEšfpNÄV¢pF4«o©ñ#!èn||ÕOú->aY§ÎƵñÔìLxZJsctêòè÷8l>Q÷Ãx(oÆÓ
C0þëGìÀÓÙÍvx:£\§S¢zâédETNQ¯ðtìmt4þݧ#\§C¯câé`y¬30±kñtu'\>>2ªCl±Ÿ¢OMÖÅ£Ogøþ>Ë.|>Oi>Q[Ñç¡JÄ[ô
ßšåèýàèèyBÌ.ô
p1C_ð±Ñl]ú«@;èŸñÐr_üŽÿíÀ{KA;ÐÝãî 1ÁíMN àÎD5Ú%nA;4&€+â}€HDÔ[<uËͲE~ß`vjð:ÈÞ`)_#0F@¡ñqóÈà8wÒ»'$#°<'QF`áyâ=æÇ&ù!0{%é433AŠ·#0Ù2©)K·KùÑó㧠02yüGLG`ðÜLJ¥D3lÒÍ
·hý eºA¡³#Z Ðìc1û¡°ññ cLRâZÈ:3¹2ú{zyÂj(\^
ÿ¥AáŒ6
g߀}ÂòÉP8MMlÂÉé((K?
ãX7>ÉØ
#¥Ã pÎ\
2@ÀâIPÒ€#'
ÿKÁZü7¹ÄgÈ¥ÞýÊÃuªe«Zá³åá5#§ÉÃ=w\#[çrù*ÈXèŸM°Ü«V¶vm_ÿ_(žN¶UBd[q%'Ûò
Ü%Û²
È$Ù<mé!hlK֣Ͳ-²-nímÑ#žl$à«d[ž?ñl&fÈvÀ8âµl§éo(mkôb#m¯fýAª®Økß!Õ,z=ÆTÚWá&íÈ(ó.íLøÝ{ŽŽ3bŸfŽ3È\"íòûK»gŽK\ŒvñŸhŠŽmFH»,,TÚEÀ€]ävéøi7>pv£'Òn$üMÚ
!gH»Á?É×Òn`<+íÖîFÃ,K%€ÖÖ&IB+;DHØ¢Î3%<o³Û}È(÷*
êU±4È
BÏQœ%
DM(Øz-Qà:F¢LúDi
ü&^X 0$KŒä3ýKŒ€üÄíøñIØ[Ä9ñ3DÅKŽ¹SŒD^¡FÔrñ>î%^F/Ò¹âe$î/ãhñ2ØÂŽ©,'^ÖØ[lVÅðZ×QqÆ#ýë'Fåíñ<%FgT©3Äè`®±~/Ʊè1Æ''Æ(_b¬žäÄX><+Ʋ÷)De©b,íIÛ±ä-zK2=ÅXÜÉcÑkÌK1ÉF±°3{Y¯p¬äsÄXÍAVÂËÆÔá
WµÞöGÎæ1{×%œÝ®
oò©ÔÂjÍCámÂ>èð6b/Œ
ñ`áÏ4âðNé&ß
ïÄÔ~á?wìSºZxÇ,flw4È,ÞXá=1*ŒÇUlðœÃE
ï¹ÜEá=ìÁ3Â{ð6¿_xÌ÷Á
G yµ°«_Ñêb/äô÷àyÇœ«œ ¿PpfElî
³|³Â,|J
µœéX¡P<Æ8
|³M(d_±ÖB!³-
iýW($rÙB!QÊ=
q
ÑvþP,(¡Za6ø@-ÌåÂlÆÒ\èÙcs[èUKÞ+ô®ž5v«ð[É`ÏF¡O^ÆEèqº!ôýEíBßÝDÐ/(Òý|æÒÍB?óTè'fk~üTÎ]0eÿâ6ŠÌ~`Js|`Jvò_Sb¥&â€ð@0E_)²L<#ž Šà3©Z0Ê#S
6ô1ÓXh·ÏæòÓ+ºMçgØšÖñyy-À>/ãRÍç'4âøüC?3(±ãgú°üL%WÇÏùÿùìW!/`6 ÏùZ'óäñ_@TH4_KÒ>Ÿ
7ç.7.Ž¿ÍµÖú;ïå®TŒôØÊ]-qR7r×ònÀ.ܵ&ì&w=á
ÙÎ]8Éq79=wÃgßÌÝÐÚ O¹âu±»ÉÏܹ\iwÙ!ânÒÁrwì¿p7?4î&î§<àn¢_µÜM€J{» ûè î&øYWÍÝ6éGp75ëž~«F'qŠµ®$gVñQ¥æúx!y^;zqÇ
HžÏ€s".pO9 ,ágá³I
ã,Ž®òdÎB|šÀÜ@~
rÈkݹÌaín «Ä
€úèžDî7Ô§q±úÜ@d·Á
Ü@ÈÄâ»|¶s5aveìÆÍc"XçÚ Þ¬K¥f;¶BŽ¬kÞ[¢uÍxın ¯øxÖ-¢MlcÝfÉXwÝZ=ë®
uɬ»øZïƺóõ»YwnaëÎ1¬d=è>¿±¥ÏÖ8áóõÀÇûƱØ@ß«¬rÌOd=à$¿:Ö²ðwe=£þ¬&iÔ?}cíØ?Qµ¹ªUCå@š]âïbóºsÆ1ã=qJø*c":Ž$3&h^Åñ©7ìaÆh%fføÝw)3ßã7qæÜügæßÆÎ÷Oc)'ÿ3q) qÆsÎ0ÎØš@qF«gxJ
ãZÂ8MAÿ1Î)N©O
kšÏµIÔJ,úZC/ Ÿåó/©ï&r9õ=±nõ#â«õ#h)õÃçÿ"ê6,`+Õ%õL¥ºøoš.£º§Aך.º4X¢º((øÕE<q§ºð!š.L:êBî
ΣºàâÐÏT€
@uwÂîQ]"WòÆÞÛk+fr{%D «K²øÇdMþ(
#wdZêß;í|¿;#ûL&wíJ"wú<~JîÒŠ
ü$wIö¡gÈ]üõ0ÜÅù
!w1_îä.z£q#¹Ò&w»ðð/ä.LH#w!ï"»à5þä.l wo£@r·fW³ñ5tðªÝGVªJ¿ð.Y "Ôù°Ï(BéæÐ$Am&rtš?5ðùÞ@
[Š]§ÃIŸñØrÁ$~9¶9®¶3.[N_×-§rb°åäš+ØrŒ9QÀcScËQÛ€±Ørø|R¶ÊJ-mgcË5籩ÈñŠÔ×>×Cþ¬ågüYr,Ø9j\Ì")±2r*24þOäTÐ}È)_·$oäŽö@²9-MHlSV §¹ßÇ÷FN³ìøéÈiúåø×ÈijùXä4OžÆ¥ÈilIjrEÒÜÓðãŽJ€Z<Ñi
Ì ê5ø*i íÕP4?}7Ô `*š;Q5°1C¡æ·_®×@íÍìÈð_®w0ô:íAC'7Bgà³0èTµ:dÎhº Ž)ÚßX²Ï1ô`ie}ÔK ¬äë83 ,¿:y"°,³"ÕXž5ÝX¹2³XM^
¬ðm¬Ðþ=e,°BÚ6å-°B:XÁÝúXÁά`\~YÞ
ªõå gäìV£sG+±¹«èŽé}ýô<`%Ô2ý
°:#X ØûSê±M³}Ô®ûäj·ÊöÄëj÷Å6>«=ò/d©=3OfõR{&6N ö<3_í=}ÚËwñ¯j/eþµÔߊV 3#Õ*îÛÌËj»¹S«}ÁAµúgZEVÎZ§VR¡¹Z
œ/,T«Ðµ
Ô*D¬VAogßV«ÀßçèÕ*71ÑÍk³èc©+:ñp@n~õ¡ºùå£FÒ-(ì7éNÛíØ [îêÅõs³Ð-
[æ¡+ñ?áå€+Ñ'«fëJd£÷L]¢vÕpêMºÅÌ!ºÅtµfŸn1šùŠ[L|Òuñ@»n1æé#_À³ºÅðfÑ-ÐÝbà3l«[¬Ùü«Õ¶a}è,O<³ø©VœuØÝ°r[@gUD8Ñ
v`¬³N»Sggá>Wg¶Úó¢nÿYÕïºúÞÿèFÈ1ê¿t#tM¥nÑÙ°¿óu6ô^àÎ
Óu6€ Ø®³Áw@A:,:§³AºaTgWÃ;t6Pb§³º2f»Éí6Û~ßµx=h²v[õN«ïÚíåvÛŽÛøÑóµÕÓ:WkkRÝFjkây|Òî[¯bŽ;ü/šMµ;ôÙí9 HÐîŠÚÜdpŸv'k~Óî€AéÚT,Ô®ÝIöŽ;ñ}ð9íN,Aµ;Ñ^ÈNíNxj§Ý
£ËŽ;ÁXíNÍîßµ`£Y:ñ÷à§Zžzuº)íµhÖñvj¬KMw_ŠÅâlœ&hñ°-ÞûŽžÿUÍL-®Ži 9
Œ©%Ð\-ÁåBߎ;N×t=Ü®%šd$HKsZ¯CQ-Cwj Ô³Óð¡_WâðZìOӜҳm®ýÛs'ŸZ*ç«hWËñQŠ"ÿ1Šiç]*Í©Ù=8GÕ]¥%lÆIiñoÞ+ô
A¹ gÁZå0þš\à
ÊvÒ®\ Ð å5=§\ -1D¹Àv(°ñžr/S.ÂÇÊE(Š\ÊEͱÞ6ïJèî¡MJXõ Û@ÅXÎ:t+áE¡ÎiÜþS"RgxMS"ã\Õ>JdX-°ZòS¢ôÅðJS¢ùhÅÍC*Qì(,P¢±³J4#J4ùk§hü,a§DcD'{(Ñp9MÒÉ%FE*ÑÓ}ägm°ÅùÅÉÞVžÜQ}Îîü²\q,¿*ë/¿vÝ#[îL-TuÈqÞòë°ÃP_ùµÿsøºüZ_ªä×ò,ÌC~#,ÁÚä7\ ¿a]ð3òºå7Ôt¢F~C:¶òü¹T~M¥Lä7èHjªün¢:ä7P6!¿íèòMcßyZ5sN
ß)çV_°äéåŸNåE ®§åŒiw=Êy©óÕr~zËùaÂyrŸÿkTgêW`årŸ^)¬$ôòLnqZÉz <ŸEngR
Ôy&9Z"ÏįRÿÉX>=E.@èr| ̹
n=œCªdqÆNª€2Ë€Jªí)U#UâÙWR%¶*Q5×*UÂ÷yNªæó¥JÐ[p*5÷Ì$¶ ¡·¥'GÙùJ«9Þ'žÎåz%JÓÞk¥¡©ë ïÒÐ8zMv°ùÿGŸé·Ó4L^Ë0Ò0¡y#
ãþ`%+goIVt'§¬š\œdEŒJ²Â_ðUV&¬PLX YÁO
ïŽDL¬@Tl¬4O-ŠÛ¢¬^Y']í£ÅìêWc^SÊ'º¯§ÍöΧMû
®§¥nEMÅžü±óbÝÅÜ~ôg1W_˹rç'æ
ûžb.·ÏsYÿ\NÂÅéÔzá8EZ¿÷Ó±µ8å¥ßÅéð¹8ú])N9ù8]ófÐ#áP[Ê`áðIСEš«þ86X8RãùpŽh±Š]8Óé!KÝç
Çãâ(áxØfp<ÀKêõÇùBœŒ[šÿ_Ä B=wT|$Ô³aR°POÿ+ê©í2&Ôò.¡ÿ®ØõØe¹Púj{ õðm®ð'T¥}%ü úè¢
?5_,ð÷Ú²íùû'9§õüwgþaù<ïë|{Ñh?ßcÝ䥧ôü£žtv4ÿ8ì?à Âüc}Ž"Ëø'BBòOžóÊþ uæ0fÚµüê ®?ÿÑòO>ºü¬VÄ?A#õ·ù'H/í1ÔóOÀÿèiõko3j<÷ø€¿ËîI
W
÷Ž|98{ZŽ
ý{3Ê=OmaKžçqyB÷Âh"íä^šî
þö:÷BnÒµrÂmýL®»¡ÿë`³)\3Âpë ÎøøpdºÏI®ê«á:°Ÿphª×ñ+á: ?ý~ràxÿI\0ØŠ=ݶÜÉm8ïŸ=S3JcË-¯BØsEud5{>GŶ°çSï,Û·X±buãØŠ
ÎcOB3Åhih7SÀaYL1ô(ì)S.61Å
YÇß!Àºq²HPmÁµœFáõ'2¥ø53ä¡øò.C~¢x`@~2gaÈYüTá§âE
ÂO'ÆDâ§ÖÆÁOØø¹øiE3nÞ r îxÏ$Tá
ìœÄ¡xSžo =à
ä€LŒ(Lz7à®É!xz=ù<Þ€`xì²o
8ŒœjIy^UüÇ¿F¯±Ö WùšTô*û5u.zÙú œFëÒ& ×ÈÒî¡×Ê~è5\xœŸOÐkÈÚômè5XÌ^ße,F¯k©pÍi9Œãägß>ð®ÃÁËá]«Ñ
Þ]ìkïÉ9ÀÀ{Ó&'÷Æ;L(
÷·§Ýkn¥ok
?áZeRæ7žV,Ž
®åó'ÛÁû8«ÉËà}Ì©¬ð>:5+ÞG
Îzï#ê³£á}xrv+Œ³ÂÃû£SÂûàÄ©.ð>hÀÔµð>àxœ£÷ÕÆSÃCNá5mQ
±:2þ#Q<)ùÓúJ[1&`Ž±%»ø:56lvVçÔ1âŠÜ0_{áðé
Ã<~¡Kgx14cC<ÌÆàóæ1:ï+ÜÏÆÀóó1÷Ì
ñ|áYõ
þÌlB}œG}í;ÇA}Þ7gú9·úÙknúŸ{î[õ
Ì8/N}5wM}ÞY$ªo@aEuê IX€ªÿ5±TNOT;\Ò/ª®®É¡X|"7B5(ÊÏW
N{<ë/ÕàøsTCÂ
R
TšÞ-ÀTCG!¥øná%ÿfQÊ[žè¢ÊU0*KúnÉ~%5oñ%é¹xÊ¿UjŠ²Äfš,Q·Ò¿Tð%*KšpÉM%èjbbxÑ©5Á/[ûõ3Œ:|w`Ÿ¡sóaG¯þm;ÒðfÖíQÞd
rÚjxéòÔð6ê[á]ðjÃ;ßE^>wÚ*ÕÃ;ñ÷Ã;>Òû§á=[©Î2ŒgDõ3Ã{êÆhxO®ÖŽÞ,@Þc¯œ÷èJpŽá=Bå÷PÔÇð\åÞÔ¯V9þ=vŠ·Z6f~<è!oóÊáîü¥_íVfÎz8ÚÛ03ËÊÙÊP<Õ5ÌPÕèþÓ0+žÝËÆ0Ë·LuÊ0K[ãýÝ0KìVß3Ìâã5YB¶JóÌPÈ
Éõ e($d°ÖPý6¢ë rC!"Â}
Ð;8ÏP®ß
áW«>¡œFú¶ëOúî2Î`ºyõÙÒnûÞþ³9n1ôÏéRb0OÎwk6G]òlüBµÔ0ÀwµZc Ý«É0z~~<ðÌ`ÁÖF¶,šïe° ·@µÂv4X`árº ék°@ôHŸÁúŒ5XÑx 31ÑÿÞÝ{
~M«ùýÚÃï,¯ë×mÞd3H_QÖkT®ŸrÖë1Ãôë³ÆþÔ¯OãAê7DÝðzªßüFm¢ßà[©ùC¿A{x€ß(§õù(L¿Ý5ë72á0¥ßHÀµ¿Hz2Z¿FÊõ±h_ýFt;¯ß¢oõ¡XŒ~#øvM¿øÕÊ¥3¡OoýØVGœëáÃdœÛæí¶óôîefzY;/Ô{f¹»MÒ{&/ôÜ£÷ºëª÷
þ ¢÷òÝ׫ŽõP°^%
œ
7ëUìaÔ«Xd¯^E÷AGëUd-Z®WX_œ
ïåéUènìÞ1âñzoØ¿Š÷wÞ31ÑÕuŠöÍÕmužRwìð«#ºãwÛ}ÖÕ
rÖÕÏúêòC÷gÚýîDòRîDÔ#u£îDð7à¹î€o
T¢;©=Ó#èNòy(¡;ÉÖ£{t'dÌAwÒ"ëð>ºSD<§;
âou§ÐDîK\ÓûÓb~µÒvNê÷J§kõÜ[§¯3±vÓ6Ž ó)îtYç;«Û5Cç
zèüËœWêü¢:
Mom{Ô[p§¶=ä7žYûÈ÷0©}€œÕhIÿÇÑyF5±ua{¡], H 2É$dJ2LÚ€œ téMQ¢"
öÞö^°+VÀèÕO{»0×µ×zþgsf¿ûÏžBed ëHvôõwKÉ$7ì'ò²ÈÞÞ²;BvBãø·ÉNöXHvñð!²5Nv§Ud'#ŸÿÒÜoýºÅ3>l7Kl8ëEVº¹·a
ÖÞùdxEGobl"#Ì_YR2BgÃ%#'!2láÉH7o:)šà"#ÑfŸdó7°3<ä]ÜtžŠ Id$û2òSQ=Å^"£&"£)¯/t-°}+nºE*Ÿtxüñå
W§Í_©ôñž#ŸZ8Æ'Y|5
ò7¯EïbÖ¯{Ø|ñuÝXÈ,Ÿ®hâZÄ×É>W|]Ä'¯VÀûÄ×ûºØiâÈ\d
øì
ßàÝCóÅ7žùèñ
Èß`7c÷Å7À)ŸÁrß
'èx;Åf;]HØA ñbÁFÔ"v@cibd1öRì
»JºVzGoOFà}\| ÑNYQ)ò¹Kœ©dô9h%! Í Î "$'!%¿ xT$N"€œÂý}»Rd%ŸÂh8!åu
)wè#!
øD!eÿx@HÁ%b !eqÅ'ðô!d*W"u×ÎqÃEÚ[3§tynr~Ã{ï
"C¥ÖïÈPÈaU)©PÈÝÌoÑ I rD.|(@2@ð_(@pž%
@{ÄBQ
d9¢@öWÉQ žN#
dI€m¢@àL&
d¬µÏÂá®c«päVó;,÷x6ôÒpae$³J GOÂñèLü
ÝžH'%áâ§x/NHF¯qB'¹kÒPÀl€wq9$#pÅ þ¹7.æî¯ÅÅYa9óp1X¯øYT.fö§ábÆÞ1s
º®OÙ*|«ÜípèáÚÿÃ6ÚÓÃ+gs a¡uJµ`Ð:úH)Ž ÂÅß6º éh¡-e#;*ŽžÉ?mE¹{B[ÁS*^h9RO¶Èe¥Jh§(Ïmù*Ð{^µChÍROÚqÆ©+vàYÐ5S&ŽcÕŒÚ1Î8ØbÛº:]ü°í·6xQØéþiØήìlWe<Û],hÄö€ì Vc{bIa{Lò¹Ø^]
µ«§Šªp¬^ÂUbõ¢*MV/ø€ùÕc6«Gkcõð|«çûèÎaõÜV=ÕCsôÛ°Ák
û.šc×÷ébÔéÖz$:õpX:oäñ/¢.ë
^èŽÂâ«èŽ3²}škÌdêê€^ºéJŽšÅÖ nµ¡um5ÎFÝ
CMÃQwLf*@ÝÏŠš;Œ:
uçZPwîû@)ê<ºsf_Ôì6oDÝY5A£Qw&Tº3ÞL»Ç¿±§uà ·n³À³oäÓàÄzáL8©ò(yN.\¯HSÚÔF8%¥«SJ<8U·! N¥ÔàTÉÌ N §
à4,*ÄNCCjà4ž1t(Æ
ÍÓxCBßÃiП°8c»§±á4VCø18á
§œñJßÐ
tbfCÔâXš@²%N~Æ3¡apü5š[7
QñÌ}P!ü!aTȯMXò³A
P÷¬<šS3ë=TÈF# BVWâ=š¹<IgÛÿÍ,ÁB6£&ÝÆfþ£ŸÆfmÜgÊfU
Nb
¿#lÙìTfôW6;fiÀæœùÍÑõÌúÁš=IkØäRr+"&¥eCÂT
agRϱ!4.ÉiÛÙÿxúD6ÄJ/gs¹¶é6sdvËýÍ3Ll.óPÆU6ÇjGß,`kÖhZ'žô0On|Æeª¢70OMG§SÝgb§Ä0ÏM·aÑ;gx2ÏRw2o1ÏJº³1ÏXöæYáŠ"æYìEÎgæYŽ<7yaå¶1Ïñ;òäÌsŒ²ŒÓÌs\ÿ|æ9Îãü-Ìsìãç@¿
ÌsÌG¿çÒ"Æ°7ÇŽÃsÌgÖGdÿ0l6öÆ93l«"KvEd;Ã.unŠ-cDL{1"Ø/ïÃ^/-É°§~bØKGÏùÈIÄÍœÃ)ŒV<1R`Sü1mG1F"!óÎ2FÂçŒ}ó·2FrL`,XÌÉÞ» 14€0F²ú<göêŠÑ§Ÿy,Š;7o€O;PJwÝäÚDw*ÏòŠ»¥ç]£»§î)ÚOw1¬ø#}zpÐôéúÙ¥t¥ëÂ@ºYŽîAT/Î {¿§{ØåtŽ³ü#Ý)«¢{Àº'ïq¥îÉ]Pyî ùVÑé춪tOpÞ1tOϺ'вȻ·{Ôzï?Í÷®y[lÉø@³ÚdÊ÷¡õ«:1·Ö¿hc Ö?õñ"Ú
TêªÏÑJg-ï¡
$ÎÕ<¡
Â]W€Ñ f¬xIÙ
B¬ŒN×"ŽAüáµûižë\i ºŽA!«ÑûWåÓ±Wœ§
b¶²RíyÑÇñsûõ('4)]T:ÔO¶_¥Xw|\¥rRéÏIû³wOµWNNØ0írJø÷+Ê)ŠÒQÍõf*e3hJGâÏm¥£pœï
¥ŠŠ;(kôr¥N·(øýÒNÜ&¿J'(Ù?@éÄàMé^`ÀJ'V"cÒ9pQ:1Î[YQÛzºûžœ£l@2µ£É`ÍŠvÖ»²¥vÕÐÚ]f5eµ'ûó<jOÂ67joxÚkZãuªWcŽíTœ,Ñת'ŸÐqª^žÍoÕýÊ©ä¶
jsüÓšŸÿKª{@5@ëTÇ @šð*°j`¥3§Q
LGf
ÕÀžÒçö|ê#»£ràsÓd³ê=GÏ¡žufSŒ²Á+(~öQï°×}3ò¬§Óf;
šIß"K§¯¢âßa
îñϧP,ÄßB¡H+#Bá9Ê÷({žN¡P>¡Ps?
ͬiÊÊe PŠ+8BÍVVK=?úx¹cù`âJS€ÝŵzúÏëu7'þOqœÌvê0Åì3®ñ =Æ)nôvVÜ2íô©SÜRSô
Å-Y®¿¢YlÅðT42>(±( MÑ<^öu«%Ì
Ë?òùì}òÜÿq\ä¡*Nü#Ê?ÿ@¹ò¬
èü#Ã
d<ï³Jéµé÷CÚ±cøyyzSÆš
òÙõžC<£îNYæì!ÏÌŸëñ@p6OÞL¯gN1ɳÕÀ/y¬+Ïkä9ÂËì`yÅîç 8ZyŒÓ$ÏáãGÃ}íç@+žSä9»DŸá
ç²ó2ä¹L÷ZËè²²=ï3à¶ìý6u²M
c"dÿ«ObË^Õu9{Ë^yºS²×Ùœöʺ}Ͳ®ð6ÿÙSðTöFϺ#{#[ÁÖȺÅ9²na3Ⱥ±"è°¬ùÉõuÞkdÝ|9o¬ûW,ëÖñŸÉº9~¬¬üÌ$ëf)Y7ÏȺ}§Oõ:î'ãv·»&ã5[&ã׊ÄÉàº/ÓeHàQ(C³_ÐÚehÂC¿rþX!ÃLÍ L Nçô d y2Ø»N&>äÅÈØBÞ+À7ËðþMo1û>(B;w£EêdB°µ YÛÐB©A?ÊßVVÒŽ^Ï¡ÕÒôK#C€MÕ®ÒÌúp§_Ò¬:Û{iVâm/ÍÎþHOæ$Œ
toÔpDîöXQ€u°Ô0ãBI
0f9¯Wl÷\ÐñÏødIÓ>§Ådi}{Y¶jÍ@.,òÏ"åزZÉE³úAÈÅÃùKÈÅŠÑ¡d¹z5ÖCË®óÉr±¯%Ëñ~¢P²Û/zFV Þ¬ïÉ
~KVðŠ÷ÐmÒ¬àäËÈ
¶«dYÁº%É"+97d0mØ
c®!ÍÎÃsa=Ë]p° Z É€°Qâììa+Nw¶ž»b+aµP-ªŠV¶ðO¥aË߀KØòʯ-ôM5°ã¬W=$ìØRµ°c}Q&ìë4þ ¥ÁËzçNŠá:]¿áºi§ðòú£@5^±Êâe+xUWÍâàK"é9|I
_ÎÐ.À!#Ž?ðeü£º|/R×/ãZë5ø2Î!ýE|;Ì
ÝžÞ4TÐ-dZ,èFLÝG@ª 'à
hts]¯ º9·Ì° mnt.A.næ å·@Ö]ï¡éØN_6ò#ÀFÕ¿E'a£W-"F`cÊ®Éü±19yÊ¥ØØY)ZmbãfÎaã4Ãaãäì />¬ÁÆã)!ã±ñ©!«°ñèªP[l<ÎÁÆóß~ÁÆójÂf`ã¹hØCl<§+\gWÆÆp?6ù*b36Xæº
ÈÞÁ£1Ü1Ð?1ìý± È0(ö)25(Nöy·òô~aàµv.AòxmBÄ8ïa5÷hÕU-ïñ¡tÞãÁUŒ'³ú2éÓ#Q$ïiÀÖ3Œv4ö ¯]ðÚÅ=3UŒvŒ>a,¯]PËë@βæu ų
y°÷¬OŒÞýÄh^·0±×MOò:ØwNò:Àüd_^Ë=y#¯žÜfý7@Iâl(ùÒ\%¥4(
ã ÔUïCiiá4(=§=ºJu7Íx f\I< eh÷AòºT(Š2ð»é£¡ÁŒô(í=ÊD¶ÎÎ2aåì÷P&ïGFÉÝqÊä$ÉþyÊ×gÑ L,k |ã/
GÜ+
ÀV(ðØÊ\4l/=[Y©sT`+s2ñ øþ'Nuø÷Ù àÇ¥»á!ÀÏõ±
ôäÒ3wœÓr@o$ è
t(züÑ{ø#3þ©óã?¢ièEpÁÀQ%nù^RXà
¥Ö
/--,ÜÏ¥
°pÄe-üŽP
XX«
÷{œ:!Ëà×µpw~ßÜ9~o5óçûuGVùuøœÕt/þí÷V1¡"Ïï-¹®r¥ß[Š*Äï°_U§ß;,oÎïêºäß;øæRÈï?sé¿wŒ©ËüÞA×-õ{Ç]=ÐïÛ±:Óïëjuß;fzÐ8?£?ù¬xxÜgåeÿbÚ?ù>u«×+|V-|Rä³:·rñ-5ÅUy>k"/+ñYœüÏZíä}Ö*€µi>kÉæºJµ¢âUzuBƪVuØÕ2ušaõ)uð5~>ëø;ÖlöYÇÓ¬ç³úœ¶ÌggëÚß>ëتuI>ëX¿Öuú¬cnÑî5äOOÊ1¯¡Ïjsœ]+ó²Þ9yÙ¬ŸS9ÚËfÑÈjÐË6÷üÊ^vGVã^vgÖ)œFîÝpÉkV³éž×EᮜdàV£œèȶÉ^öÂØmëœì±gÛGyÙ£¶/ð²Gí?ŒìùOv$xÙóJvŽ{Ùsývªœì9v^ð²gÏßÅò²}wíð²g>Ž²Òzý÷?"-í³Ÿ>-Cú·jé'
Whý¶µ õ¯vW¬õ/fMÔ2Ò÷8-бßZ dÛ}-S_âá€eRû<»µLÎ[ªe4RË(hߎ,ðIÔ²àg>Z¯VËâŸMZôÎѲ8¥ôÝZÛßoÅzì·DËb.ðï¯e~VVãÿYiN~êã©»2ÍϬÏjÎnÛ2Jª9W=}ü7͹bþäóéŠþÔ\
vMÖ\>Ô\ÔWx.Ó\€xi.JÌŽ"ÏqÍEÖ7NÓ*|;5Mð+ºNÓÄ_B¿€iâqý8&è¿Ý&N
¿£ŠÍö_¢ib=cÐ41Ë&Ýg"ÿk¥øÑGªeÌ SÕÉW¶Fœm×èMµ¯CFS,thŽéÇ\4ºØH·ç]œÇq^_í=H£§NÑîjôp_ºF/RÒ}4A ý±ÆjýtüÞïÆÀ_éi<Ì·Æ
Âüêh ú%üÁQ¿ä¯eìV¿ä£ú%ôXª~ÉYÅš~É13Õ/Yï]êÌ:Vú%÷Äÿµù9É£Õâ<t§:ñäW{'uÒ¶#ãvš«yõêb3S~É-@ìqK2Å{»:M¿Áç:ºF?N$ùOR§êtÁÆeu: êtø7p@ÎßÂtS§ó(f:ú5Œ/ldšÓÙrÖGu:ë©Ng®šÓêÿ¬T/>göûŠzÙâ9|êÕÉOT¯·£êª:Tœ)6¹|RœI¿5}¬ª;6Ëk±ª;ÄÍ'JõV¿^¯zKÝõÏSœd0ÚToEQ@ê 9_õeöšÞ!Xɪwü=¬çªw<šWœ,àeÕ;Î6WõeïUœcõrTïÛ9ËTï
RÉÒ[==U²Ø¹Žõ*y/=[%×ï÷?¯SO*BRÄ|«Rf±Þš,°V¥@SØö*bçR𱿫ŒPNŒJÁÊy¬Rp@JÅΩ(p0PQÌýÜm*
è;wÊÿY)K>/¯,kíÞ+²¥\ŽíÞä·ÊÅÕ&:eyqÂôeyúsï5ÊØÅôQÊÊÈ¿[Y©?ÉÔ+°¿²J²®¬eqBUbÈFY
æAóUÈx軲¯¬âÅs(«ž£y*eçï²Ëg*«ÀümÊ*æ ØA¹aeEíüÏÚõyå0#µ§E6ò
µ÷ÔªßÖétjšrK£ög{i©}é|3©ý±µþo©ý!bfu@=:@}á<¡HVp!ê h>MTñ^RÑ2~uqåߊòoÂ8u Šr§"ÔAÎ5d5u=µ£èê ó
ú
:€[Y)v[,Š*ö~Þf³NQß8Ö^Ñp6yb߶Óìû«Ó<N(ú¬VLïõ?8»ÅT48¶F}7@qHÙïª8$Ù
+ª9CµšâºÝª80° CüÇØbÅaÞìâ0×Wª8Ìiü£8Ì.Aðâ0³ç)ÅVVòEËàvyùçÃöÁònÉ+Oñ§âòªm÷ò%Õóh9ò¥Åµþòe³íXùòe±G9åÕ!1Œëòj}2NŸ\9}._.9,ÀäËE[|¹ ^Ø-_îÀ£äËo/ç¿Iå5Œ¢ò.JÐå5.b£Œ]-#¯aqŒùZüS^,³#Ã-ë2âóÕ1µ2qKþa2òʵP&Ý>Ê{LZœÂ¯Q&+ÞÍZ.Ïvȱ×a_"$,Sè{¥t9Ê(ÉU"OFsdà9]F¡'Èõ2%b)ùÉ|·Sò¯LÉÕJgÊéSœMŠ)AµìŒLÉü-gÊÀÖAäŸÅ2â€åsC€µeó5IÛ©OTòh»ýäQõnVäqñY®Aòd6dKÆv
ÞKT.KF£$íJ€ý¿ñ%í¢r®€]Ð"%iGo+Â$H⮀CÞiꚀ«ôt@#k%ì*{I£*t°ìUß$Àá$Ïb;äþîžDZvNO¢§ò}ËIl;ÊK
ª/pÏÂâ6tÏVâM$û䢲1€Èà©#EJÒ$$ßUIBôº$ï5,@_kö2OëD0M»$x-ºA$Á-Òeä©{Cì{úRèI1Ëà $ÅÀ]û$"Ãb4Èü2ÒµÈn¹HûAäZÉL$r·¹ßŒê§Øf"¿ø31('ÝFÄ¢&
!gUßB®ÅBe¢Þ(ÚfE¢?Æ8¢H8Ô4(Âú*"dmQéDïcÀÿ"n]` Qá×"ö;3Bµæ}Ä0h1x7®c±8/À¿øzÀçµ<fãóO5rßà¶g Òñê_€^:oÜÍ.Q»àeqt]Ÿ0ä©1_h8/T.2/ÄI}þ/"&¿À ÝBá0§Ðáø"äxhŸý/âÛEâžGÂà ðp Ÿ3<ü8Ÿ<á/f
E¬Ç3;-- /J €µw¹ ôÔ}á0AØöeðåš b]ç$œÕ$DÆ©ÌGQ!œ!KQ9aOQÊ];ÑR*j° àEDèýhñD#bÖ¢áy3F¢ù>3ÑÜßÑÐØXA4Ç+ö Œ§Ä°âÎb^n÷Q+Å/ íÿ%zhu Ný+œÞ~\Y¢Cæiͯѡ³¯Y£ÃâÒ"Ña¡ScÌèpÃæØèpåÍø4tž4ef3:MžÆÍÊC±ÈY_Pk€7qj
oK|ZóÕIrÔû3é4j
mNöG9TòfÔü7ejÍÚRZ3)_?ÕbátñÓ¿¬Æòg·Êdù§§hü¬íüìåQ¡óøÙó²£¢ù9³ßÇòsãjgöòsCÄ~ájÊT~òKê;~tEºGÌ-åç +gççceIü|tZÆ3~>|#SÏÏçgf^æçó² ~>t5k?íÄÏgOÉ^ÊÏg]ÉÈÏgŠ±çC}w»ÐÚóå¬|5Ž·5]o5CûvŽö//=
í·qV-t c|Ê è`ܹÙþÐÁÐä¬áP£ásjTMÎs¥gò FboAtHx€Ð:í/ÜBEc¡Cð÷¢2è}ÑoèO2' :}Ó â¬«±É¹ C¬OÅès Üe±(F»¿Œ5,÷¶®íÖNÉv°fYûKÝîw3³Ü!ÊÝ{_è]=Ç4:ÎUÒãÀÒ·%é`#ñ°4lŸ(s±§e+ÁF4gáp°qYX
&h±oI_'+ÖæžÓ@êéM)
;é=Üy'Ó{ UôvëŠ~ôpîŠÙô-z*e±$§±¿fsh6Þ]4è]»ãNå¯F¿Ü@ãϯcÑàµ48~á[4$ÜŒoýLCU/¶Š¡²Òiš8c×DíºLC9»QÙ}"§öžÑP8vO-
ãÛ﵊aÜã{hœ÷#
ãØÕGÒ0ðXýÆJ
ó
íõ~flCx4±ÿvÙØÆ«ðáÛžlœÆ6N§ïTc{ï2cÈ¢2¶1;èYÆ6`QCð_п{=¥7:1F6Ž9gZ3Êb.¿<!Ö¿kÊcLRçÔÆQW?ãÀîmÆXMÇc¬÷ZoŒc
Ûi§±Ø@1ø\1ÆñßøòqŒjßzcŠO5Æq^Ñ«qì¥~q Ï/ÛÇü_·1XbeehÿÏÇÐùÏ^»õñù×CPÃÆãvÑëgÙdxY~kâ0Ãÿò8î4ŒJzå²Ìð*
s»gxXágxÙàµÚÐ%Ñ.qšO¡¡KXïaè¬}º)=ÁÐÅÿDo7tñVû©
]\ßCçœ?hxîõßix
oï7@mø¯ä/¥¯}úM2Èn|Æ6(/ØšõãVšòÖÉýÊüS7TI]TQÒé×
êÀ^éµf'Ú ë|!FKÏ4hGülßGÑøG4ü_þ-
oCbÐp)Æ ó/àkв7ZPÎmÐ2¿3ŽÀ++ý²ÿ|ôËÿ²æ5g@²~ÅßÖõµ7GíÓ×/ðA_WþÌÑš_ßäò]¿:é{»~uÎËI¿&pí~æ ï+ýZyš_¥~8Íÿº~ðc¯~-æôk`à~-<é¥_Ë«g®Õ¯å°ìõk¡~¬bý:önÖ7ý:ÐÆé×±¬ÀGúuÀn++ÝÙÿ|tçþòÂkÑ`ÝÅCìDºŠÆcãuÖ/ŽCw¹üœóÝü;n
º«ÉC<kuW£Âhmºk{èsu×4gü7è®Ég€îºž9_w]x5Cwófõê®#q`î:<üGwwmÔ]çF³¯ê®Cvî:û(§^wu×Y6Pµî:pÄÊJ{óïüê¿3èœýZ;L©œssìÈxíÝÆWªŽ÷Ö×9ÞÔÞ/ïqejäwxÜ׶$¥Ò¶D%Ò{µÇÛŽÌKÚVy68KÛ&.gïÔ¶ pkÛ0rѶ!P¶
vâÕ¶ñ®póŽmÜ4î{m4¡mc_âÝÓ¶)|±¶5Tûh²²Òù;):Ö
/j¿Žy¥9qÓmlÍ©Æ'O×^¿Ëeæt
Íô3ùh³Én~FÍÙš`
æ\à5ÕÓ<åiÎËËž4çÅkxBÍyá[Ÿ«æ<&åÐGJ`_ÍyoÔçµ!c4ç¹ÅH©æ<DC~i.°[ÐYàŽCsåi4VVêü¿3BeHºèuýoõlñê¹Oå«ç?é«WáèýL=¿ ¿ß\õd6sŠzAÔönuIàS®N]¢ùÈOWÊW!êRq=jT
ÿ`u)ÝV"u\]
Õ¥Œn¡º»\žZ]
!žºý£.á_Ôe,X£.^YY©,þ jÅb¬üzáØe*Ç)õ*§C®÷TS×ßö©r®
©¥7£\©êC,ÏoÔòõ¯ü
¢êÀÓÔª§t€ê£ûí?°Xlå-ËxBÞöúøÔXùÃóä©è;ä7ôcœ?©â)åOHôœŒ=9¿/¡·G= ÇË;Ì.Ò³ò-KÞñ_Q%òNñåy'«¶Ê;±
jŸŒiW7È;áŒï§©wrjÊ;¡yÚ\y'ÇGûNÞ ¶êÂå¬bÝ]y'ÓgÈé{et ô£Å2eôÓë÷FéçuŸ·¥_%°ŸI¿mÂgJ¿W VK¿DyÒke®ÒQšhé3¢¶þÐjŽ4éOyîô'io°þÄÃ¥?±Æ
ÒÈ/cô'ŒÙ,ýÉWKq¿€¿ õW€¿8Ò@®ôø5p¯ôkÙIú)µûÙj±L$ÉëòÑëo>ÉÇ7²NO-âÿC>ÝÀÇ]Èöu
dGA1åIv&Ñ";£íõZò9Äø|ŠM D>SL2#ô ?äsŒ0ž|=É"£!oÈçðùÐò9?!ô6ù76'C§ÃÏ9qáä?ìÑá«ÉX§"lÉqã
Ÿ÷Êù)Ñ÷^ÑÆKºÆ³ béÍG°Xvh(šÞ*;J,¯8«v"j
¶èÏ+ì VD3ºæ¢Ð¥ÄJí²ðýD jIMÔr¢ßEÔbœ1vD-ÊKÔÂ/bŸµü±D-=ã!QuÆ*Z΢Ø3DçOÔ±:â¶uÌEp;Åkno±0Cð]|žuÓB¬ÆGº£8Ù0Oû[ñ¿øž«!ññÉÂßãã£MÑt|yËV|öHÜ¿øEäÌužðwÀfÂÓõžxw@%qqþ€œž/8y*îÀŒwà4€ÂØæ,|"80å
>Ù0ý,`±
Ý°;š«ŽÂÂ>ÍE€LED%Ò°HóäX€¶#õ©XŸ$×Ínâð÷DZ(<SE¡e±(Ä?Eñeí¢xó³§`Q\ßì%X§-§?Å.ÎÉÀ¢@ZÎ+,ÙêÇY,ü'ðL
't-QsàY·tz8ñ°[XŽ¡5æ(\ %8Á)
SÏÀ©)ÚôípjôîÌ×pùGÎR8Mg·NS*0ÁéäµÂåpºÈ¡(Ndα
ÓÑÆ9sàt$dÎ8<wÎkûNçËáth@ñi8]?Ï
ÌÛÏf
àýáöuÈd(·¯CÖ¬äb]gÌǹ[Å-\áa}üo.Ÿqp
ÄUÆelà
\K€Ì-ôä£ÍÉM?Kêž%.©xYúK?åJD
?žÁÖEU\ úÏâþ\ RŸ8+Y_s%Œr3WÂ-+¿É@
+a?8À¥n\ A*À{v/Øwkÿléú4cØv«1É|xž4C>Úå+WÏù
>±-?
>
2WEíºÄ¥sÁvj|õt°]âœ<låÕÁvA[ÍS°»B
v §W\
`Zz
°Dû7Æ,¡Ý&+
)6¥,äÛŠÿ,xÝæ@Å'7ß
/é2žm_
KOvzOÄ.ÒyODO]ò;
yOä=œÇ{"oæ'ïÜ1gzOä>;Ð{";îlŠ÷DptÁ$÷Z¥,Ï}Ų¬Ñ}õç«[Ý×4oÝüÅ}íìÝÜ×mòÚot__U~øû¢ä!îS·»oé=_âŸ)XÞDw߀œ¬r߀zåûféäk÷ÍĬëcÜ7¯^ßíŸY0øûfŽáÆR÷ÍHàÍîáþ7³Ü7óöÜ|ãŸkŒìŸ²ºÕìŸ
œ»YàŸ4XY
Dý×_
ÄüeìïÌ>Ƶîcü
~óBfîÙ5ÔPKØ©BfÌEÿ $iæ€IBŠ8.I6p¶ IVn6 $YrÉuAH²Hì¶9$ûì¬uÿÂ;9ýAH
[...9996 lines suppressed...]
0000501330 00000 n
0000658452 00000 n
0000501476 00000 n
0000501622 00000 n
0000658538 00000 n
0000501770 00000 n
0000501916 00000 n
0000658622 00000 n
0000502064 00000 n
0000502209 00000 n
0000658706 00000 n
0000502355 00000 n
0000502501 00000 n
0000658792 00000 n
0000502647 00000 n
0000502793 00000 n
0000658876 00000 n
0000502941 00000 n
0000503087 00000 n
0000658962 00000 n
0000503233 00000 n
0000503379 00000 n
0000659048 00000 n
0000503525 00000 n
0000503673 00000 n
0000503819 00000 n
0000503965 00000 n
0000504109 00000 n
0000504255 00000 n
0000504399 00000 n
0000504543 00000 n
0000659134 00000 n
0000504687 00000 n
0000504830 00000 n
0000659220 00000 n
0000504974 00000 n
0000505117 00000 n
0000505261 00000 n
0000513832 00000 n
0000514235 00000 n
0000513854 00000 n
0000514405 00000 n
0000659306 00000 n
0000659390 00000 n
0000514426 00000 n
0000659443 00000 n
0000514526 00000 n
0000514635 00000 n
0000514775 00000 n
0000514989 00000 n
0000515182 00000 n
0000515386 00000 n
0000515559 00000 n
0000515720 00000 n
0000515944 00000 n
0000516173 00000 n
0000516382 00000 n
0000516530 00000 n
0000516726 00000 n
0000516963 00000 n
0000517208 00000 n
0000517381 00000 n
0000517617 00000 n
0000517822 00000 n
0000518063 00000 n
0000518236 00000 n
0000518432 00000 n
0000518649 00000 n
0000518911 00000 n
0000519076 00000 n
0000519280 00000 n
0000519488 00000 n
0000519765 00000 n
0000519938 00000 n
0000520115 00000 n
0000520283 00000 n
0000520472 00000 n
0000520645 00000 n
0000520849 00000 n
0000521058 00000 n
0000521347 00000 n
0000521552 00000 n
0000521809 00000 n
0000522045 00000 n
0000522286 00000 n
0000522451 00000 n
0000522687 00000 n
0000522919 00000 n
0000523119 00000 n
0000523356 00000 n
0000523606 00000 n
0000523835 00000 n
0000524075 00000 n
0000524347 00000 n
0000524571 00000 n
0000524784 00000 n
0000525025 00000 n
0000525250 00000 n
0000525502 00000 n
0000525802 00000 n
0000526030 00000 n
0000526218 00000 n
0000526483 00000 n
0000526725 00000 n
0000526962 00000 n
0000527231 00000 n
0000659528 00000 n
0000527449 00000 n
0000527663 00000 n
0000527923 00000 n
0000528184 00000 n
0000528387 00000 n
0000528564 00000 n
0000528820 00000 n
0000529044 00000 n
0000659614 00000 n
0000529281 00000 n
0000659700 00000 n
0000529502 00000 n
0000529739 00000 n
0000529995 00000 n
0000530191 00000 n
0000530379 00000 n
0000530600 00000 n
0000530816 00000 n
0000531009 00000 n
0000531278 00000 n
0000547247 00000 n
0000547349 00000 n
0000547519 00000 n
0000548047 00000 n
0000548667 00000 n
0000548929 00000 n
0000569265 00000 n
0000569373 00000 n
0000569538 00000 n
0000570114 00000 n
0000570784 00000 n
0000570894 00000 n
0000571154 00000 n
0000588103 00000 n
0000588201 00000 n
0000588366 00000 n
0000588960 00000 n
0000589650 00000 n
0000589923 00000 n
0000608182 00000 n
0000608284 00000 n
0000608456 00000 n
0000608985 00000 n
0000609609 00000 n
0000609878 00000 n
0000623266 00000 n
0000623366 00000 n
0000623538 00000 n
0000623987 00000 n
0000624530 00000 n
0000624803 00000 n
0000634014 00000 n
0000634112 00000 n
0000634288 00000 n
0000634689 00000 n
0000635168 00000 n
0000635279 00000 n
0000635544 00000 n
0000648328 00000 n
0000648428 00000 n
0000648598 00000 n
0000649113 00000 n
0000649723 00000 n
0000649746 00000 n
0000649766 00000 n
0000649787 00000 n
0000649810 00000 n
0000649830 00000 n
0000649851 00000 n
0000649874 00000 n
0000649894 00000 n
0000649915 00000 n
0000649938 00000 n
0000649958 00000 n
0000649979 00000 n
0000650002 00000 n
0000650022 00000 n
0000650043 00000 n
0000650065 00000 n
0000650085 00000 n
0000650106 00000 n
0000650129 00000 n
0000650149 00000 n
trailer
<<
/Size 834
/Root 2 0 R
/Info 4 0 R
/ID [<A4D8CB4F4B04B25C55C6C4899931B916> <A4D8CB4F4B04B25C55C6C4899931B916>]
>>
startxref
659786
%%EOF
web/html/docs/selinux-user-guide/f10/html-single/Common_Content/images 1.png, NONE, 1.1 1.svg, NONE, 1.1 10.png, NONE, 1.1 10.svg, NONE, 1.1 11.png, NONE, 1.1 11.svg, NONE, 1.1 12.png, NONE, 1.1 12.svg, NONE, 1.1 13.png, NONE, 1.1 13.svg, NONE, 1.1 14.png, NONE, 1.1 14.svg, NONE, 1.1 15.png, NONE, 1.1 15.svg, NONE, 1.1 16.png, NONE, 1.1 16.svg, NONE, 1.1 17.png, NONE, 1.1 17.svg, NONE, 1.1 18.png, NONE, 1.1 18.svg, NONE, 1.1 19.png, NONE, 1.1 19.svg, NONE, 1.1 2.png, NONE, 1.1 2.svg, NONE, 1.1 20.png, NONE,
by Murray McAllister
Author: mdious
Update of /cvs/fedora/web/html/docs/selinux-user-guide/f10/html-single/Common_Content/images
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23851/selinux-user-guide/f10/html-single/Common_Content/images
Added Files:
1.png 1.svg 10.png 10.svg 11.png 11.svg 12.png 12.svg 13.png
13.svg 14.png 14.svg 15.png 15.svg 16.png 16.svg 17.png 17.svg
18.png 18.svg 19.png 19.svg 2.png 2.svg 20.png 20.svg 21.png
21.svg 22.png 22.svg 23.png 23.svg 3.png 3.svg 4.png 4.svg
5.png 5.svg 6.png 6.svg 7.png 7.svg 8.png 8.svg 9.png 9.svg
background.png bkgrnd_greydots.png bullet_arrowblue.png
documentation.png dot.png dot2.png h1-bg.png image_left.png
image_right.png important.png important.svg key.png logo.png
note.png note.svg shade.png stock-go-back.png
stock-go-forward.png stock-go-up.png stock-home.png
title_logo.png title_logo.svg warning.png warning.svg
watermark-alpha1.png watermark-alpha2.png watermark-beta1.png
watermark-beta2.png watermark-blank.png watermark-draft.png
watermark-pre-release-candidate.png
watermark-release-candidate.png
Log Message:
- updating content for multi-page HTML.
- adding single-page HTML content.
- adding PDF.
- updating index.php to reflect the above-mentioned changes.
--- NEW FILE 1.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 17.993,22.013004 L 17.993,10.113004 L 15.239,10.113004 C 14.899001,11.218003 14.286999,11.643004 12.757,11.728004 L 12.757,13.819004 L 14.763,13.819004 L 14.763,22.013004 L 17.993,22.013004"
id="text2207"
style="fill:#ffffff" />
</svg>
--- NEW FILE 10.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 12.252562,22 L 12.252562,10.1 L 9.4985624,10.1 C 9.1585628,11.204999 8.5465609,11.63 7.0165624,11.715 L 7.0165624,13.806 L 9.0225624,13.806 L 9.0225624,22 L 12.252562,22 M 24.983438,16.033 C 24.983438,12.072004 22.705435,9.913 19.611438,9.913 C 16.517441,9.913 14.205438,12.106004 14.205438,16.067 C 14.205438,20.027996 16.483441,22.187 19.577438,22.187 C 22.671435,22.187 24.983438,19.993996 24.983438,16.033 M 21.600438,16.067 C 21.600438,18.242998 20.886437,19.348 19.611438,19.348 C 18.336439,19.348 17.588438,18.208998 17.588438,16.033 C 17.588438,13.857002 18.302439,12.752 19.577438,12.752 C 20.852437,12.752 21.600438,13.891002 21.600438,16.067"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 11.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 14.623052,22 L 14.623052,10.1 L 11.869052,10.1 C 11.529053,11.204999 10.917051,11.63 9.3870527,11.715 L 9.3870527,13.806 L 11.393052,13.806 L 11.393052,22 L 14.623052,22 M 21.794928,22 L 21.794928,10.1 L 19.040928,10.1 C 18.700928,11.204999 18.088926,11.63 16.558928,11.715 L 16.558928,13.806 L 18.564928,13.806 L 18.564928,22 L 21.794928,22"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 12.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 12.677562,22 L 12.677562,10.1 L 9.9235624,10.1 C 9.5835628,11.204999 8.9715609,11.63 7.4415624,11.715 L 7.4415624,13.806 L 9.4475624,13.806 L 9.4475624,22 L 12.677562,22 M 24.558438,22 L 24.558438,19.314 L 18.353438,19.314 C 18.608438,18.600001 19.27144,17.936999 21.651438,16.832 C 23.929436,15.778001 24.473438,14.825998 24.473438,13.262 C 24.473438,11.103002 22.926435,9.913 19.968438,9.913 C 17.92844,9.913 16.381436,10.491001 14.868438,11.46 L 16.381438,13.891 C 17.571437,13.092001 18.727439,12.684 19.917438,12.684 C 20.869437,12.684 21.243438,12.973001 21.243438,13.5 C 21.243438,13.976 21.056437,14.163001 19.798438,14.724 C 16.823441,16.049999 14.936438,17.988004 14.834438,22 L 24.558438,22"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 13.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 12.550062,22 L 12.550062,10.1 L 9.7960624,10.1 C 9.4560628,11.204999 8.8440609,11.63 7.3140624,11.715 L 7.3140624,13.806 L 9.3200624,13.806 L 9.3200624,22 L 12.550062,22 M 24.685938,18.226 C 24.685938,16.713002 23.716937,15.914 22.611938,15.659 C 23.427937,15.268 24.192938,14.638999 24.192938,13.33 C 24.192938,10.814003 22.288935,9.913 19.432938,9.913 C 17.35894,9.913 15.930937,10.610001 14.825938,11.46 L 16.389938,13.602 C 17.307937,12.939001 18.191939,12.582 19.347938,12.582 C 20.520937,12.582 20.996938,12.922001 20.996938,13.551 C 20.996938,14.332999 20.656937,14.554 19.619938,14.554 L 18.089938,14.554 L 18.089938,17.121 L 19.806938,17.121 C 21.013937,17.121 21.489938,17.427001 21.489938,18.26 C 21.489938,19.075999 20.911937,19.467 19.534938,19.467 C 18.225939,19.467 17.120937,18.973999 16.151938,18.226 L 14.451938,20.368 C 15.726937,21.489999 17.44394,22.187 19.466938,22.187 C 22.696935,22.187 24.685938,20.979997 24.685938,18.226"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 14.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 12.040062,22 L 12.040062,10.1 L 9.2860624,10.1 C 8.9460628,11.204999 8.3340609,11.63 6.8040624,11.715 L 6.8040624,13.806 L 8.8100624,13.806 L 8.8100624,22 L 12.040062,22 M 25.195938,19.96 L 25.195938,17.172 L 23.665938,17.172 L 23.665938,10.1 L 20.401938,10.1 L 13.992938,17.461 L 13.992938,19.875 L 20.707938,19.875 L 20.707938,22 L 23.665938,22 L 23.665938,19.96 L 25.195938,19.96 M 20.758938,13.432 C 20.724938,13.992999 20.707938,15.302001 20.707938,15.999 L 20.707938,17.172 L 19.823938,17.172 C 19.007939,17.172 18.191937,17.189 17.596938,17.223 C 18.038938,16.798 18.531939,16.253999 19.160938,15.489 L 19.330938,15.285 C 20.112937,14.350001 20.435938,13.925 20.758938,13.432"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 15.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 12.388562,22 L 12.388562,10.1 L 9.6345624,10.1 C 9.2945628,11.204999 8.6825609,11.63 7.1525624,11.715 L 7.1525624,13.806 L 9.1585624,13.806 L 9.1585624,22 L 12.388562,22 M 24.847438,17.852 C 24.847438,15.200003 23.164435,13.908 20.597438,13.908 C 19.407439,13.908 18.693437,14.112 18.030438,14.435 L 18.132438,12.786 L 24.133438,12.786 L 24.133438,10.1 L 15.463438,10.1 L 15.055438,16.271 L 17.877438,17.223 C 18.472437,16.798 19.067439,16.543 20.070438,16.543 C 21.090437,16.543 21.668438,17.019001 21.668438,17.937 C 21.668438,18.888999 21.107436,19.45 19.577438,19.45 C 18.302439,19.45 16.891437,18.956999 15.752438,18.277 L 14.409438,20.742 C 15.871436,21.625999 17.43544,22.187 19.492438,22.187 C 22.875435,22.187 24.847438,20.622997 24.847438,17.852"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 16.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 12.405562,22 L 12.405562,10.1 L 9.6515624,10.1 C 9.3115628,11.204999 8.6995609,11.63 7.1695624,11.715 L 7.1695624,13.806 L 9.1755624,13.806 L 9.1755624,22 L 12.405562,22 M 24.830438,17.903 C 24.830438,15.387003 23.096435,14.214 20.631438,14.214 C 19.203439,14.214 18.336437,14.486 17.571438,14.911 C 18.472437,13.534001 20.104441,12.616 23.215438,12.616 L 23.215438,9.913 C 16.415445,9.913 14.341438,14.112003 14.341438,17.257 C 14.341438,20.537997 16.415441,22.187 19.407438,22.187 C 22.773435,22.187 24.830438,20.588997 24.830438,17.903 M 21.651438,18.124 C 21.651438,19.075999 20.818437,19.586 19.577438,19.586 C 18.132439,19.586 17.486438,18.990999 17.486438,18.141 C 17.486438,17.206001 18.183439,16.645 19.645438,16.645 C 20.903437,16.645 21.651438,17.206001 21.651438,18.124"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 17.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 12.652062,22 L 12.652062,10.1 L 9.8980624,10.1 C 9.5580628,11.204999 8.9460609,11.63 7.4160624,11.715 L 7.4160624,13.806 L 9.4220624,13.806 L 9.4220624,22 L 12.652062,22 M 24.583938,12.48 L 24.583938,10.1 L 14.740938,10.1 L 14.740938,12.786 L 20.656938,12.786 C 18.36194,15.131998 17.239938,17.920004 17.205938,22 L 20.435938,22 C 20.435938,18.141004 21.098941,15.675997 24.583938,12.48"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 18.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 12.176062,22 L 12.176062,10.1 L 9.4220624,10.1 C 9.0820628,11.204999 8.4700609,11.63 6.9400624,11.715 L 6.9400624,13.806 L 8.9460624,13.806 L 8.9460624,22 L 12.176062,22 M 25.059938,18.294 C 25.059938,16.764002 23.971937,15.948 23.206938,15.642 C 23.954937,15.166 24.549938,14.519999 24.549938,13.449 C 24.549938,11.171002 22.526935,9.913 19.653938,9.913 C 16.780941,9.913 14.723938,11.171002 14.723938,13.449 C 14.723938,14.519999 15.352939,15.251 16.066938,15.676 C 15.301939,15.982 14.213938,16.764002 14.213938,18.294 C 14.213938,20.707998 16.287941,22.187 19.619938,22.187 C 22.951935,22.187 25.059938,20.707998 25.059938,18.294 M 21.387938,13.5 C 21.387938,14.094999 20.945937,14.639 19.653938,14.639 C 18.361939,14.639 17.885938,14.094999 17.885938,13.5 C 17.885938,12.905001 18.327939,12.31 19.619938,12.31 C 20.911937,12.31 21.387938,12.905001 21.387938,13.5 M 21.897938,18.26 C 21.897938,19.075999 21.149936,19.688 19.653938,19.688 C 18.157939,19.688 17.375938,19.075999
17.375938,18.26 C 17.375938,17.444001 18.106939,16.849 19.619938,16.849 C 21.115936,16.849 21.897938,17.444001 21.897938,18.26"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 19.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 12.414062,22 L 12.414062,10.1 L 9.6600624,10.1 C 9.3200628,11.204999 8.7080609,11.63 7.1780624,11.715 L 7.1780624,13.806 L 9.1840624,13.806 L 9.1840624,22 L 12.414062,22 M 24.821938,14.843 C 24.821938,11.562003 22.747935,9.913 19.755938,9.913 C 16.389941,9.913 14.332938,11.511003 14.332938,14.197 C 14.332938,16.712997 16.06694,17.886 18.531938,17.886 C 19.959937,17.886 20.826939,17.614 21.591938,17.189 C 20.690939,18.565999 19.058935,19.484 15.947938,19.484 L 15.947938,22.187 C 22.747931,22.187 24.821938,17.987997 24.821938,14.843 M 21.676938,13.959 C 21.676938,14.893999 20.979936,15.455 19.517938,15.455 C 18.259939,15.455 17.511938,14.893999 17.511938,13.976 C 17.511938,13.024001 18.344939,12.514 19.585938,12.514 C 21.030936,12.514 21.676938,13.109001 21.676938,13.959"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 2.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 20.862,22.013004 L 20.862,19.327004 L 14.657,19.327004 C 14.912,18.613005 15.575003,17.950003 17.955,16.845004 C 20.232998,15.791005 20.777,14.839003 20.777,13.275004 C 20.777,11.116006 19.229997,9.9260043 16.272,9.9260043 C 14.232002,9.9260043 12.684999,10.504005 11.172,11.473004 L 12.685,13.904004 C 13.874999,13.105005 15.031001,12.697004 16.221,12.697004 C 17.172999,12.697004 17.547,12.986005 17.547,13.513004 C 17.547,13.989004 17.359999,14.176005 16.102,14.737004 C 13.127003,16.063003 11.24,18.001008 11.138,22.013004 L 20.862,22.013004"
id="text2207"
style="fill:#ffffff" />
</svg>
--- NEW FILE 20.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 14.685,22 L 14.685,19.314 L 8.4799999,19.314 C 8.7349997,18.600001 9.3980023,17.936999 11.778,16.832 C 14.055998,15.778001 14.6,14.825998 14.6,13.262 C 14.6,11.103002 13.052997,9.913 10.095,9.913 C 8.055002,9.913 6.5079984,10.491001 4.9949999,11.46 L 6.5079999,13.891 C 7.6979988,13.092001 8.8540011,12.684 10.044,12.684 C 10.995999,12.684 11.37,12.973001 11.37,13.5 C 11.37,13.976 11.182999,14.163001 9.9249999,14.724 C 6.9500029,16.049999 5.0629998,17.988004 4.9609999,22 L 14.685,22 M 27.421719,16.033 C 27.421719,12.072004 25.143716,9.913 22.049719,9.913 C 18.955722,9.913 16.643719,12.106004 16.643719,16.067 C 16.643719,20.027996 18.921722,22.187 22.015719,22.187 C 25.109716,22.187 27.421719,19.993996 27.421719,16.033 M 24.038719,16.067 C 24.038719,18.242998 23.324717,19.348 22.049719,19.348 C 20.77472,19.348 20.026719,18.208998 20.026719,16.033 C 20.026719,13.857002 20.74072,12.752 22.015719,12.752 C 23.290717,12.752 24.038719,13.891002 24.038719,16.067"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 21.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 16.648141,22 L 16.648141,19.314 L 10.44314,19.314 C 10.69814,18.600001 11.361143,17.936999 13.741141,16.832 C 16.019139,15.778001 16.563141,14.825998 16.563141,13.262 C 16.563141,11.103002 15.016138,9.913 12.058141,9.913 C 10.018143,9.913 8.471139,10.491001 6.9581405,11.46 L 8.4711405,13.891 C 9.661139,13.092001 10.817142,12.684 12.007141,12.684 C 12.95914,12.684 13.333141,12.973001 13.333141,13.5 C 13.333141,13.976 13.14614,14.163001 11.88814,14.724 C 8.9131435,16.049999 7.0261404,17.988004 6.9241405,22 L 16.648141,22 M 23.82586,22 L 23.82586,10.1 L 21.07186,10.1 C 20.73186,11.204999 20.119858,11.63 18.58986,11.715 L 18.58986,13.806 L 20.59586,13.806 L 20.59586,22 L 23.82586,22"
id="text2219"
style="fill:#ffffff" />
</svg>
--- NEW FILE 22.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 14.685,22 L 14.685,19.314 L 8.4799999,19.314 C 8.7349997,18.600001 9.3980023,17.936999 11.778,16.832 C 14.055998,15.778001 14.6,14.825998 14.6,13.262 C 14.6,11.103002 13.052997,9.913 10.095,9.913 C 8.055002,9.913 6.5079984,10.491001 4.9949999,11.46 L 6.5079999,13.891 C 7.6979988,13.092001 8.8540011,12.684 10.044,12.684 C 10.995999,12.684 11.37,12.973001 11.37,13.5 C 11.37,13.976 11.182999,14.163001 9.9249999,14.724 C 6.9500029,16.049999 5.0629998,17.988004 4.9609999,22 L 14.685,22 M 26.571719,22 L 26.571719,19.314 L 20.366719,19.314 C 20.621718,18.600001 21.284721,17.936999 23.664719,16.832 C 25.942716,15.778001 26.486719,14.825998 26.486719,13.262 C 26.486719,11.103002 24.939716,9.913 21.981719,9.913 C 19.941721,9.913 18.394717,10.491001 16.881719,11.46 L 18.394719,13.891 C 19.584718,13.092001 20.74072,12.684 21.930719,12.684 C 22.882718,12.684 23.256719,12.973001 23.256719,13.5 C 23.256719,13.976 23.069717,14.163001 21.811719,14.724 C 18.836722,16.049999 16.949719
,17.988004 16.847719,22 L 26.571719,22"
id="number"
style="fill:#ffffff" />
</svg>
--- NEW FILE 23.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.0"
width="32"
height="32"
id="svg2">
<defs
id="defs15" />
<circle
cx="16"
cy="16"
r="14"
id="circle"
style="fill:#aa0000" />
<path
d="M 15.32239,22.013004 L 15.32239,19.327004 L 9.1173907,19.327004 C 9.3723904,18.613005 10.035393,17.950003 12.41539,16.845004 C 14.693388,15.791005 15.23739,14.839003 15.23739,13.275004 C 15.23739,11.116006 13.690387,9.9260043 10.73239,9.9260043 C 8.6923927,9.9260043 7.1453891,10.504005 5.6323906,11.473004 L 7.1453906,13.904004 C 8.3353896,13.105005 9.4913919,12.697004 10.68139,12.697004 C 11.633389,12.697004 12.00739,12.986005 12.00739,13.513004 C 12.00739,13.989004 11.820389,14.176005 10.56239,14.737004 C 7.5873937,16.063003 5.7003905,18.001008 5.5983906,22.013004 L 15.32239,22.013004 M 26.401609,18.239004 C 26.401609,16.726006 25.432608,15.927004 24.327609,15.672004 C 25.143608,15.281005 25.908609,14.652003 25.908609,13.343004 C 25.908609,10.827007 24.004606,9.9260043 21.148609,9.9260043 C 19.074611,9.9260043 17.646608,10.623005 16.541609,11.473004 L 18.105609,13.615004 C 19.023608,12.952005 19.90761,12.595004 21.063609,12.595004 C 22.236608,12.595004 22.712609,12.9
35005 22.712609,13.564004 C 22.712609,14.346004 22.372608,14.567004 21.335609,14.567004 L 19.805609,14.567004 L 19.805609,17.134004 L 21.522609,17.134004 C 22.729608,17.134004 23.205609,17.440005 23.205609,18.273004 C 23.205609,19.089003 22.627608,19.480004 21.250609,19.480004 C 19.94161,19.480004 18.836608,18.987004 17.867609,18.239004 L 16.167609,20.381004 C 17.442608,21.503003 19.159611,22.200004 21.182609,22.200004 C 24.412606,22.200004 26.401609,20.993002 26.401609,18.239004"
id="text2207"
style="fill:#ffffff" />
</svg>
--- NEW FILE 3.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  Callout-number icon (see file name), 32x32: a red background disc and a
  white foreground shape drawn as one filled path. Static geometry only: no
  script, no external references, so it can be served as a plain image.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     version="1.0"
     width="32"
     height="32"
     id="svg2">
  <defs id="defs15"/>
  <!-- Background disc, centred on the canvas -->
  <circle id="circle" cx="16" cy="16" r="14" style="fill:#aa0000"/>
  <!-- Foreground shape -->
  <path id="text2207" style="fill:#ffffff"
        d="M 21.117,18.239004 C 21.117,16.726006 20.147999,15.927004 19.043,15.672004 C 19.858999,15.281005 20.624,14.652003 20.624,13.343004 C 20.624,10.827007 18.719997,9.9260043 15.864,9.9260043 C 13.790002,9.9260043 12.361999,10.623005 11.257,11.473004 L 12.821,13.615004 C 13.738999,12.952005 14.623001,12.595004 15.779,12.595004 C 16.951999,12.595004 17.428,12.935005 17.428,13.564004 C 17.428,14.346004 17.087999,14.567004 16.051,14.567004 L 14.521,14.567004 L 14.521,17.134004 L 16.238,17.134004 C 17.444999,17.134004 17.921,17.440005 17.921,18.273004 C 17.921,19.089003 17.342999,19.480004 15.966,19.480004 C 14.657002,19.480004 13.551999,18.987004 12.583,18.239004 L 10.883,20.381004 C 12.157999,21.503003 13.875002,22.200004 15.898,22.200004 C 19.127997,22.200004 21.117,20.993002 21.117,18.239004"/>
</svg>
--- NEW FILE 4.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  Callout-number icon (see file name), 32x32: a red background disc and a
  white foreground shape drawn as one filled path. Static geometry only: no
  script, no external references, so it can be served as a plain image.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     version="1.0"
     width="32"
     height="32"
     id="svg2">
  <defs id="defs15"/>
  <!-- Background disc, centred on the canvas -->
  <circle id="circle" cx="16" cy="16" r="14" style="fill:#aa0000"/>
  <!-- Foreground shape -->
  <path id="text2219" style="fill:#ffffff"
        d="M 20.573772,19.96 L 20.573772,17.172 L 19.043772,17.172 L 19.043772,10.1 L 15.779772,10.1 L 9.3707718,17.461 L 9.3707718,19.875 L 16.085772,19.875 L 16.085772,22 L 19.043772,22 L 19.043772,19.96 L 20.573772,19.96 M 16.136772,13.432 C 16.102772,13.992999 16.085772,15.302001 16.085772,15.999 L 16.085772,17.172 L 15.201772,17.172 C 14.385773,17.172 13.569771,17.189 12.974772,17.223 C 13.416772,16.798 13.909773,16.253999 14.538772,15.489 L 14.708772,15.285 C 15.490771,14.350001 15.813772,13.925 16.136772,13.432"/>
</svg>
--- NEW FILE 5.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  Callout-number icon (see file name), 32x32: a red background disc and a
  white foreground shape drawn as one filled path. Static geometry only: no
  script, no external references, so it can be served as a plain image.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     version="1.0"
     width="32"
     height="32"
     id="svg2">
  <defs id="defs15"/>
  <!-- Background disc, centred on the canvas -->
  <circle id="circle" cx="16" cy="16" r="14" style="fill:#aa0000"/>
  <!-- Foreground shape -->
  <path id="text2219" style="fill:#ffffff"
        d="M 21.219,17.852 C 21.219,15.200003 19.535997,13.908 16.969,13.908 C 15.779001,13.908 15.064999,14.112 14.402,14.435 L 14.504,12.786 L 20.505,12.786 L 20.505,10.1 L 11.835,10.1 L 11.427,16.271 L 14.249,17.223 C 14.843999,16.798 15.439001,16.543 16.442,16.543 C 17.461999,16.543 18.04,17.019001 18.04,17.937 C 18.04,18.888999 17.478998,19.45 15.949,19.45 C 14.674001,19.45 13.262999,18.956999 12.124,18.277 L 10.781,20.742 C 12.242999,21.625999 13.807002,22.187 15.864,22.187 C 19.246997,22.187 21.219,20.622997 21.219,17.852"/>
</svg>
--- NEW FILE 6.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  Callout-number icon (see file name), 32x32: a red background disc and a
  white foreground shape drawn as one filled path. Static geometry only: no
  script, no external references, so it can be served as a plain image.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     version="1.0"
     width="32"
     height="32"
     id="svg2">
  <defs id="defs15"/>
  <!-- Background disc, centred on the canvas -->
  <circle id="circle" cx="16" cy="16" r="14" style="fill:#aa0000"/>
  <!-- Foreground shape -->
  <path id="text2219" style="fill:#ffffff"
        d="M 21.2445,17.903 C 21.2445,15.387003 19.510497,14.214 17.0455,14.214 C 15.617501,14.214 14.750499,14.486 13.9855,14.911 C 14.886499,13.534001 16.518503,12.616 19.6295,12.616 L 19.6295,9.913 C 12.829507,9.913 10.7555,14.112003 10.7555,17.257 C 10.7555,20.537997 12.829503,22.187 15.8215,22.187 C 19.187497,22.187 21.2445,20.588997 21.2445,17.903 M 18.0655,18.124 C 18.0655,19.075999 17.232499,19.586 15.9915,19.586 C 14.546501,19.586 13.9005,18.990999 13.9005,18.141 C 13.9005,17.206001 14.597501,16.645 16.0595,16.645 C 17.317499,16.645 18.0655,17.206001 18.0655,18.124"/>
</svg>
--- NEW FILE 7.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  Callout-number icon (see file name), 32x32: a red background disc and a
  white foreground shape drawn as one filled path. Static geometry only: no
  script, no external references, so it can be served as a plain image.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     version="1.0"
     width="32"
     height="32"
     id="svg2">
  <defs id="defs15"/>
  <!-- Background disc, centred on the canvas -->
  <circle id="circle" cx="16" cy="16" r="14" style="fill:#aa0000"/>
  <!-- Foreground shape -->
  <path id="text2219" style="fill:#ffffff"
        d="M 20.9215,12.48 L 20.9215,10.1 L 11.0785,10.1 L 11.0785,12.786 L 16.9945,12.786 C 14.699502,15.131998 13.5775,17.920004 13.5435,22 L 16.7735,22 C 16.7735,18.141004 17.436503,15.675997 20.9215,12.48"/>
</svg>
--- NEW FILE 8.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  Callout-number icon (see file name), 32x32: a red background disc and a
  white foreground shape drawn as one filled path. Static geometry only: no
  script, no external references, so it can be served as a plain image.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     version="1.0"
     width="32"
     height="32"
     id="svg2">
  <defs id="defs15"/>
  <!-- Background disc, centred on the canvas -->
  <circle id="circle" cx="16" cy="16" r="14" style="fill:#aa0000"/>
  <!-- Foreground shape -->
  <path id="text2219" style="fill:#ffffff"
        d="M 21.423,18.294 C 21.423,16.764002 20.334999,15.948 19.57,15.642 C 20.317999,15.166 20.913,14.519999 20.913,13.449 C 20.913,11.171002 18.889997,9.913 16.017,9.913 C 13.144003,9.913 11.087,11.171002 11.087,13.449 C 11.087,14.519999 11.716001,15.251 12.43,15.676 C 11.665001,15.982 10.577,16.764002 10.577,18.294 C 10.577,20.707998 12.651003,22.187 15.983,22.187 C 19.314997,22.187 21.423,20.707998 21.423,18.294 M 17.751,13.5 C 17.751,14.094999 17.308999,14.639 16.017,14.639 C 14.725001,14.639 14.249,14.094999 14.249,13.5 C 14.249,12.905001 14.691001,12.31 15.983,12.31 C 17.274999,12.31 17.751,12.905001 17.751,13.5 M 18.261,18.26 C 18.261,19.075999 17.512998,19.688 16.017,19.688 C 14.521001,19.688 13.739,19.075999 13.739,18.26 C 13.739,17.444001 14.470002,16.849 15.983,16.849 C 17.478998,16.849 18.261,17.444001 18.261,18.26"/>
</svg>
--- NEW FILE 9.svg ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  Callout-number icon (see file name), 32x32: a red background disc and a
  white foreground shape drawn as one filled path. Static geometry only: no
  script, no external references, so it can be served as a plain image.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     version="1.0"
     width="32"
     height="32"
     id="svg2">
  <defs id="defs15"/>
  <!-- Background disc, centred on the canvas -->
  <circle id="circle" cx="16" cy="16" r="14" style="fill:#aa0000"/>
  <!-- Foreground shape -->
  <path id="text2219" style="fill:#ffffff"
        d="M 22.128383,14.843 C 22.128383,11.562003 20.05438,9.913 17.062383,9.913 C 13.696386,9.913 11.639383,11.511003 11.639383,14.197 C 11.639383,16.712997 13.373385,17.886 15.838383,17.886 C 17.266382,17.886 18.133384,17.614 18.898383,17.189 C 17.997384,18.565999 16.36538,19.484 13.254383,19.484 L 13.254383,22.187 C 20.054376,22.187 22.128383,17.987997 22.128383,14.843 M 18.983383,13.959 C 18.983383,14.893999 18.286381,15.455 16.824383,15.455 C 15.566384,15.455 14.818383,14.893999 14.818383,13.976 C 14.818383,13.024001 15.651384,12.514 16.892383,12.514 C 18.337381,12.514 18.983383,13.109001 18.983383,13.959"/>
</svg>
--- NEW FILE important.svg ---
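<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  "Important" admonition icon, 48x48: a light star-shaped outline overlaid
  with nine darker facets, drawn in a larger coordinate space and scaled onto
  the canvas by the group transform.

  Editor-only state has been removed from the published asset: the
  sodipodi:namedview element, the inkscape:perspective definition and the
  sodipodi/inkscape root attributes. SVG renderers ignore all of them, and
  inkscape:export-filename published the author's local home-directory path
  to anyone fetching the file. The Dublin Core metadata is kept. The file
  contains no script and no external references.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:cc="http://creativecommons.org/ns#"
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     version="1.0"
     width="48"
     height="48"
     id="svg5921">
  <metadata id="metadata2611">
    <rdf:RDF>
      <cc:Work rdf:about="">
        <dc:format>image/svg+xml</dc:format>
        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage"/>
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <defs id="defs5923"/>
  <g id="g5485" transform="matrix(0.4626799,0,0,0.4626799,-5.2934127,-3.3160376)">
    <!-- Outline of the whole shape -->
    <path id="path6799" style="fill:#f3de82;fill-opacity:1;enable-background:new"
          d="M 29.97756,91.885882 L 55.586992,80.409826 L 81.231619,91.807015 L 78.230933,63.90468 L 96.995009,43.037218 L 69.531053,37.26873 L 55.483259,12.974592 L 41.510292,37.311767 L 14.064204,43.164717 L 32.892392,63.97442 L 29.97756,91.885882 z"/>
    <!-- Shaded facets, each a triangle meeting near the centre (about 55.5,56.7) -->
    <path id="path6824" style="opacity:0.91005291;fill:#f9f2cb;fill-opacity:1;enable-background:new"
          d="M 55.536215,56.538729 L 55.48324,12.974601 L 41.51028,37.311813 L 55.536215,56.538729 z"/>
    <path id="use6833" style="opacity:1;fill:#d0bc64;fill-opacity:1;enable-background:new"
          d="M 55.57947,56.614318 L 78.241135,63.937979 L 96.976198,43.044318 L 55.57947,56.614318 z"/>
    <path id="use6835" style="opacity:1;fill:#e0c656;fill-opacity:1;enable-background:new"
          d="M 55.523838,56.869126 L 55.667994,80.684281 L 81.379011,91.931065 L 55.523838,56.869126 z"/>
    <path id="use6831" style="opacity:1;fill:#d1ba59;fill-opacity:1;enable-background:new"
          d="M 55.283346,56.742618 L 13.877363,43.200977 L 32.640089,64.069652 L 55.283346,56.742618 z"/>
    <path id="use6837" style="opacity:1;fill:#d2b951;fill-opacity:1;enable-background:new"
          d="M 55.472076,56.869126 L 55.32792,80.684281 L 29.616903,91.931065 L 55.472076,56.869126 z"/>
    <path id="path7073" style="opacity:1;fill:#f6e7a3;fill-opacity:1;enable-background:new"
          d="M 55.57947,56.614318 L 96.976198,43.044318 L 69.504294,37.314027 L 55.57947,56.614318 z"/>
    <path id="path7075" style="opacity:1;fill:#f6e7a3;fill-opacity:1;enable-background:new"
          d="M 55.523838,56.869126 L 81.379011,91.931065 L 78.214821,64.046881 L 55.523838,56.869126 z"/>
    <path id="path7077" style="opacity:1;fill:#f6e59d;fill-opacity:1;enable-background:new"
          d="M 55.283346,56.742618 L 41.341708,37.434209 L 13.877363,43.200977 L 55.283346,56.742618 z"/>
    <path id="path7079" style="opacity:1;fill:#f3df8b;fill-opacity:1;enable-background:new"
          d="M 55.472076,56.869126 L 29.616903,91.931065 L 32.781093,64.046881 L 55.472076,56.869126 z"/>
  </g>
</svg>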
--- NEW FILE note.svg ---
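<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  "Note" admonition icon, 48x48: a yellow sheet (rect8018) with a cluster of
  red disc shapes (g8020) on top, each group carrying its own transform into
  the canvas.

  Editor-only state has been removed from the published asset: the
  sodipodi:namedview element, the inkscape:perspective definition and the
  sodipodi/inkscape root attributes. SVG renderers ignore all of them, and
  inkscape:export-filename published the author's local home-directory path
  to anyone fetching the file. The Dublin Core metadata is kept. The file
  contains no script and no external references.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:cc="http://creativecommons.org/ns#"
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     version="1.0"
     width="48"
     height="48"
     id="svg5921">
  <metadata id="metadata16">
    <rdf:RDF>
      <cc:Work rdf:about="">
        <dc:format>image/svg+xml</dc:format>
        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage"/>
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <defs id="defs5923"/>
  <g id="layer1" transform="matrix(0.468275,0,0,0.468275,-5.7626904,-7.4142703)">
    <g id="g8014" transform="matrix(0.115136,0,0,0.115136,9.7283,21.77356)" style="enable-background:new">
      <g id="g8518" style="opacity:1">
        <!-- Yellow sheet, drawn as a slightly rotated rectangle -->
        <path id="rect8018"
              transform="matrix(0.1104659,-2.3734892e-2,2.2163258e-2,0.1031513,308.46782,74.820675)"
              style="fill:#ffe680;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.1;stroke-linecap:butt;stroke-miterlimit:4;stroke-dashoffset:0;stroke-opacity:1"
              d="M -2512.4524,56.33197 L 3090.4719,56.33197 L 3090.4719,4607.3813 L -2512.4524,4607.3813 L -2512.4524,56.33197 z"/>
      </g>
      <!-- Red disc shapes, shaded from dark to light -->
      <g id="g8020" transform="matrix(0.5141653,-7.1944682e-2,7.1944682e-2,0.5141653,146.04015,-82.639785)">
        <path id="path8022"
              style="opacity:1;fill:#e0c96f;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.0804934;stroke-linecap:butt;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
              d="M 511.14114,441.25315 C 527.3248,533.52772 464.31248,622.82928 370.39916,640.71378 C 276.48584,658.59828 187.23462,598.29322 171.05095,506.01865 C 154.86728,413.74408 217.8796,324.44253 311.79292,306.55803 C 405.70624,288.67353 494.95747,348.97858 511.14114,441.25315 z"/>
        <path id="path8024"
              transform="matrix(1.2585415,-0.2300055,0.2168789,1.1867072,-248.76141,68.254424)"
              style="opacity:1;fill:#c00000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.0804934;stroke-linecap:butt;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
              d="M 527.8214,393.1416 C 527.8214,461.31268 472.55783,516.57625 404.38675,516.57625 C 336.21567,516.57625 280.9521,461.31268 280.9521,393.1416 C 280.9521,324.97052 336.21567,269.70695 404.38675,269.70695 C 472.55783,269.70695 527.8214,324.97052 527.8214,393.1416 z"/>
        <path id="path8026"
              style="opacity:1;fill:#b60000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.1;stroke-linecap:butt;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
              d="M 358.5625,281.15625 C 348.09597,281.05155 337.43773,281.94729 326.71875,283.90625 C 240.96686,299.57789 183.37901,377.92385 198.15625,458.78125 C 209.70749,521.98673 262.12957,567.92122 325.40625,577.5625 L 357.25,433.6875 L 509.34375,405.875 C 509.14405,404.58166 509.0804,403.29487 508.84375,402 C 495.91366,331.24978 431.82821,281.88918 358.5625,281.15625 z"/>
        <path id="path8028"
              style="fill:#750000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.09999999;stroke-linecap:butt;stroke-miterlimit:4;stroke-dashoffset:0;stroke-opacity:1"
              d="M 294.2107,361.9442 L 282.79367,370.38482 L 261.73414,386.13346 C 253.13706,404.40842 254.3359,423.7989 259.7176,444.39774 C 273.6797,497.83861 313.42636,523.96124 369.50989,517.58957 C 398.21848,514.32797 424.51832,504.67345 440.64696,484.15958 L 469.89512,447.48298 L 294.2107,361.9442 z"/>
        <!-- The next two paths reuse the same disc geometry at different offsets -->
        <path id="path8030"
              transform="matrix(0.9837071,-0.1797787,0.1695165,0.9275553,-78.013985,79.234385)"
              style="opacity:1;fill:#d40000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.10298239;stroke-linecap:butt;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
              d="M 527.8214,393.1416 C 527.8214,461.31268 472.55783,516.57625 404.38675,516.57625 C 336.21567,516.57625 280.9521,461.31268 280.9521,393.1416 C 280.9521,324.97052 336.21567,269.70695 404.38675,269.70695 C 472.55783,269.70695 527.8214,324.97052 527.8214,393.1416 z"/>
        <path id="path8032"
              transform="matrix(0.9837071,-0.1797787,0.1695165,0.9275553,-69.306684,71.273294)"
              style="opacity:1;fill:#e11212;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.10298239;stroke-linecap:butt;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
              d="M 527.8214,393.1416 C 527.8214,461.31268 472.55783,516.57625 404.38675,516.57625 C 336.21567,516.57625 280.9521,461.31268 280.9521,393.1416 C 280.9521,324.97052 336.21567,269.70695 404.38675,269.70695 C 472.55783,269.70695 527.8214,324.97052 527.8214,393.1416 z"/>
      </g>
    </g>
  </g>
</svg>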
--- NEW FILE title_logo.svg ---
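<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  Title logo, 220x70, embedded by index.html as
  Common_Content/images/title_logo.svg through an <object> element. Because
  <object> gives an SVG its own document context, the asset is kept to static
  geometry: no script, no external references, no DOCTYPE.

  Layout, all under one translate into the canvas: six blue word-mark letter
  paths (#3c6eb4), a dark rounded-square emblem (#294172) with its inset mark
  (#3c6eb4 over #ffffff), and a small two-letter glyph (text6223) that is
  presumably the trademark sign.

  Fix: the d attributes of path29 and path31 had been broken across a line
  inside a number ("36" / "6.73977" and "379." / "76823"); XML turns that
  newline into a space, which splits the coordinate and makes the path data
  invalid. The two values are rejoined here as 366.73977 and 379.76823, which
  matches the neighbouring coordinates of the same contour.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     version="1.0"
     width="220"
     height="70"
     id="svg6180">
  <defs id="defs6182"/>
  <g id="layer1" transform="translate(-266.55899,-345.34488)">
    <!-- Word-mark letter shapes -->
    <path id="path11" style="fill:#3c6eb4"
          d="M 316.7736,397.581 C 316.7736,397.581 316.7736,397.581 296.23471,397.581 C 296.56741,402.03345 300.15628,405.35709 304.94186,405.35709 C 308.33169,405.35709 311.25642,403.96093 313.5828,401.70202 C 314.04833,401.23523 314.58006,401.1024 315.17799,401.1024 C 315.9758,401.1024 316.7736,401.50172 317.30491,402.16628 C 317.63761,402.63181 317.83707,403.16354 317.83707,403.69485 C 317.83707,404.42603 317.50437,405.22342 316.90601,405.82219 C 314.11411,408.81271 309.39515,410.80722 304.74198,410.80722 C 296.30049,410.80722 289.52124,404.02755 289.52124,395.58564 C 289.52124,387.14415 296.10146,380.3649 304.54295,380.3649 C 312.91824,380.3649 319.16618,386.87807 319.16618,395.45239 C 319.16618,396.71657 318.03694,397.581 316.7736,397.581 z M 304.54295,385.81588 C 300.08966,385.81588 297.0321,388.74061 296.36796,392.99319 C 306.40422,392.99319 312.71879,392.99319 312.71879,392.99319 C 312.12043,388.93964 308.93005,385.81588 304.54295,385.81588 z"/>
    <path id="path13" style="fill:#3c6eb4"
          d="M 375.46344,410.80807 C 367.02238,410.80807 360.2427,404.02839 360.2427,395.58648 C 360.2427,387.14499 367.02238,380.36574 375.46344,380.36574 C 383.90578,380.36574 390.68503,387.14499 390.68503,395.58648 C 390.68461,404.02797 383.90535,410.80807 375.46344,410.80807 z M 375.46344,386.14815 C 370.14656,386.14815 366.68967,390.40242 366.68967,395.58648 C 366.68967,400.77012 370.14656,405.02481 375.46344,405.02481 C 380.78075,405.02481 384.23848,400.77012 384.23848,395.58648 C 384.23806,390.40242 380.78075,386.14815 375.46344,386.14815 z"/>
    <path id="path15" style="fill:#3c6eb4"
          d="M 412.66183,380.36574 C 408.2022,380.36574 405.25217,381.68474 402.64792,384.9953 L 402.40756,383.45535 L 402.40756,383.45535 C 402.20558,381.84792 400.8343,380.60609 399.17374,380.60609 C 397.37235,380.60609 395.91168,382.06509 395.91168,383.8669 C 395.91168,383.86943 395.91168,383.87196 395.91168,383.87449 L 395.91168,383.87449 L 395.91168,383.87744 L 395.91168,383.87744 L 395.91168,407.28456 C 395.91168,409.0792 397.37362,410.54199 399.16868,410.54199 C 400.96333,410.54199 402.42612,409.0792 402.42612,407.28456 L 402.42612,394.72247 C 402.42612,389.00626 407.41114,386.14815 412.66225,386.14815 C 414.25744,386.14815 415.51951,384.81862 415.51951,383.223 C 415.51951,381.62739 414.25744,380.36574 412.66183,380.36574 z"/>
    <path id="path17" style="fill:#3c6eb4"
          d="M 447.02614,395.58648 C 447.09277,387.41107 441.24288,380.36574 431.80414,380.36574 C 423.36222,380.36574 416.51635,387.14499 416.51635,395.58648 C 416.51635,404.02839 423.16319,410.80807 431.2062,410.80807 C 435.22054,410.80807 438.83302,408.74186 440.44466,406.58289 L 441.23825,408.59723 L 441.23825,408.59723 C 441.66414,409.729 442.75585,410.5344 444.03605,410.5344 C 445.68606,410.5344 447.02361,409.19769 447.02614,407.54895 L 447.02614,407.54895 L 447.02614,399.74208 L 447.02614,399.74208 L 447.02614,395.58648 z M 431.80414,405.02481 C 426.48641,405.02481 423.02995,400.77012 423.02995,395.58648 C 423.02995,390.40242 426.48599,386.14815 431.80414,386.14815 C 437.12144,386.14815 440.57833,390.40242 440.57833,395.58648 C 440.57833,400.77012 437.12144,405.02481 431.80414,405.02481 z"/>
    <path id="path19" style="fill:#3c6eb4"
          d="M 355.01479,368.3337 C 355.01479,366.5399 353.55285,365.14373 351.7582,365.14373 C 349.96398,365.14373 348.50077,366.54032 348.50077,368.3337 L 348.50077,385.4836 C 346.8398,382.42604 343.25051,380.36574 338.99582,380.36574 C 330.3553,380.36574 324.57246,386.87892 324.57246,395.58648 C 324.57246,404.29405 330.55475,410.80807 338.99582,410.80807 C 342.76137,410.80807 346.02639,409.25378 347.98169,406.55253 L 348.70486,408.38681 C 349.15268,409.64593 350.35403,410.54705 351.76537,410.54705 C 353.55158,410.54705 355.01521,409.0927 355.01521,407.2989 C 355.01521,407.29384 355.01521,407.29004 355.01521,407.28498 L 355.01521,407.28498 L 355.01521,368.3337 L 355.01479,368.3337 z M 339.79363,405.02481 C 334.47632,405.02481 331.08648,400.77012 331.08648,395.58648 C 331.08648,390.40242 334.47632,386.14815 339.79363,386.14815 C 345.11136,386.14815 348.50077,390.20255 348.50077,395.58648 C 348.50077,400.96957 345.11136,405.02481 339.79363,405.02481 z"/>
    <path id="path21" style="fill:#3c6eb4"
          d="M 287.21553,365.34023 C 286.62139,365.25253 286.01587,365.20825 285.41456,365.20825 C 278.68338,365.20825 273.2071,370.68495 273.2071,377.41613 L 273.2071,381.22933 L 269.21807,381.22933 C 267.7557,381.22933 266.55899,382.42604 266.55899,383.88714 C 266.55899,385.35035 267.7557,386.82452 269.21807,386.82452 L 273.20626,386.82452 L 273.20626,407.28456 C 273.20626,409.0792 274.66862,410.54199 276.46284,410.54199 C 278.25791,410.54199 279.72028,409.0792 279.72028,407.28456 L 279.72028,386.82452 L 284.13014,386.82452 C 285.59208,386.82452 286.78837,385.35035 286.78837,383.88714 C 286.78837,382.42562 285.59208,381.22891 284.13014,381.22891 L 279.72281,381.22891 L 279.72281,377.41571 C 279.72281,374.27719 282.27604,371.30102 285.41456,371.30102 C 285.6975,371.30102 285.98213,371.3221 286.26128,371.363 C 288.04159,371.62655 289.69708,370.82031 289.96147,369.03958 C 290.22417,367.26054 288.99541,365.6042 287.21553,365.34023 z"/>
    <!-- Emblem: dark rounded square, inset mark, white highlight -->
    <path id="path25" style="fill:#294172"
          d="M 482.01243,363.57426 C 482.01243,353.50638 473.85135,345.34488 463.78346,345.34488 C 453.72064,345.34488 445.56167,353.49963 445.55492,363.56119 L 445.5545,363.56077 L 445.5545,377.66787 L 445.55492,377.66829 C 445.5604,379.95292 447.41324,381.80238 449.69955,381.80238 C 449.7063,381.80238 449.71221,381.80154 449.71895,381.80154 L 449.72022,381.80238 L 463.79105,381.80238 L 463.79105,381.80238 C 473.85514,381.79817 482.01243,373.63962 482.01243,363.57426 z"/>
    <path id="path29" style="fill:#3c6eb4"
          d="M 469.13577,349.66577 C 464.41049,349.66577 460.58001,353.49626 460.58001,358.22154 C 460.58001,358.22322 460.58001,358.22533 460.58001,358.22744 L 460.58001,362.7558 L 456.06557,362.7558 C 456.06472,362.7558 456.06472,362.7558 456.0643,362.7558 C 451.33902,362.7558 447.50854,366.56773 447.50854,371.29258 C 447.50854,376.01786 451.33902,379.84835 456.0643,379.84835 C 460.78916,379.84835 464.61964,376.01786 464.61964,371.29258 C 464.61964,371.2909 464.61964,371.28879 464.61964,371.28668 L 464.61964,366.73935 L 469.13408,366.73935 C 469.13493,366.73935 469.13535,366.73935 469.13577,366.73935 C 473.86063,366.73935 477.69111,362.94639 477.69111,358.22154 C 477.69111,353.49626 473.86063,349.66577 469.13577,349.66577 z M 460.58001,371.3006 C 460.57621,373.79058 458.55555,375.80871 456.0643,375.80871 C 453.57052,375.80871 451.53004,373.78678 451.53004,371.29301 C 451.53004,368.7988 453.57052,366.73935 456.0643,366.73935 C 456.06641,366.73935 456.06852,366.73977 456.0702,366.73977 L 459.93991,366.73977 C 459.94117,366.73977 459.94201,366.73935 459.94286,366.73935 C 460.29495,366.73935 460.58085,367.0244 460.58085,367.3765 C 460.58085,367.37692 460.58043,367.37734 460.58043,367.37776 L 460.58043,371.3006 L 460.58001,371.3006 z M 469.13535,362.7558 C 469.13408,362.7558 469.1324,362.7558 469.13113,362.7558 L 465.2589,362.7558 C 465.25806,362.7558 465.25721,362.7558 465.25679,362.7558 C 464.90427,362.7558 464.61922,362.47074 464.61922,362.11822 L 464.61922,362.1178 L 464.61922,358.21437 C 464.62344,355.72354 466.64368,353.70583 469.13493,353.70583 C 471.62871,353.70583 473.66961,355.72776 473.66961,358.22196 C 473.67003,360.71532 471.62913,362.7558 469.13535,362.7558 z"/>
    <path id="path31" style="fill:#ffffff"
          d="M 460.58001,362.7558 L 460.58001,358.22744 C 460.58001,358.22533 460.58001,358.22322 460.58001,358.22154 C 460.58001,353.49626 464.41049,349.66577 469.13577,349.66577 C 469.85262,349.66577 470.362,349.74631 471.02529,349.92046 C 471.99303,350.17431 472.78325,350.96664 472.78367,351.88968 C 472.78409,353.00543 471.97448,353.81589 470.76427,353.81589 C 470.18785,353.81589 469.97954,353.70541 469.13535,353.70541 C 466.6441,353.70541 464.62386,355.72312 464.61964,358.21395 L 464.61964,362.1178 L 464.61964,362.11822 C 464.61964,362.47074 464.90469,362.7558 465.25721,362.7558 C 465.25764,362.7558 465.25848,362.7558 465.25932,362.7558 L 468.22453,362.7558 C 469.32974,362.7558 470.222,363.64047 470.22285,364.74863 C 470.22285,365.85679 469.32932,366.73977 468.22453,366.73977 L 464.61964,366.73977 L 464.61964,371.2871 C 464.61964,371.28921 464.61964,371.29132 464.61964,371.29343 C 464.61964,376.01828 460.78916,379.84877 456.0643,379.84877 C 455.34746,379.84877 454.83807,379.76823 454.17478,379.59408 C 453.20704,379.34065 452.4164,378.5479 452.41598,377.62528 C 452.41598,376.50953 453.22517,375.69865 454.4358,375.69865 C 455.0118,375.69865 455.22053,375.80913 456.0643,375.80913 C 458.55555,375.80913 460.57621,373.79142 460.58043,371.30102 C 460.58043,371.30102 460.58043,367.37734 460.58043,367.37692 C 460.58043,367.02524 460.29453,366.74019 459.94244,366.74019 C 459.94201,366.74019 459.94159,366.74019 459.94075,366.74019 L 456.97554,366.73977 C 455.87033,366.73977 454.97723,365.85763 454.97723,364.74947 C 454.9768,363.63414 455.87961,362.7558 456.99662,362.7558 L 460.58001,362.7558 L 460.58001,362.7558 z"/>
    <!-- Small two-letter glyph next to the emblem -->
    <path id="text6223" style="fill:#294172;enable-background:new"
          d="M 477.41661,378.55292 L 480.23219,378.55292 L 480.23219,378.9319 L 479.05067,378.9319 L 479.05067,381.88125 L 478.59813,381.88125 L 478.59813,378.9319 L 477.41661,378.9319 L 477.41661,378.55292 M 480.67805,378.55292 L 481.34906,378.55292 L 482.19843,380.81788 L 483.05224,378.55292 L 483.72326,378.55292 L 483.72326,381.88125 L 483.28409,381.88125 L 483.28409,378.95865 L 482.42581,381.24144 L 481.97326,381.24144 L 481.11499,378.95865 L 481.11499,381.88125 L 480.67805,381.88125 L 480.67805,378.55292"/>
  </g>
</svg>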
--- NEW FILE warning.svg ---
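<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<!--
  "Warning" admonition icon, 48x48: an eight-sided yellow outer plate with a
  smaller dark-red plate on top (same geometry, two transforms), and two white
  shapes over it, a tapered bar (path8038) and a small round dot (path8040).

  Editor-only state has been removed from the published asset: the
  sodipodi:namedview element, the inkscape:perspective definition and the
  sodipodi/inkscape root attributes. SVG renderers ignore all of them, and
  inkscape:export-filename published the author's local home-directory path
  to anyone fetching the file. The Dublin Core metadata is kept. The file
  contains no script and no external references.
-->
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:svg="http://www.w3.org/2000/svg"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:cc="http://creativecommons.org/ns#"
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     version="1.0"
     width="48"
     height="48"
     id="svg5921">
  <metadata id="metadata2482">
    <rdf:RDF>
      <cc:Work rdf:about="">
        <dc:format>image/svg+xml</dc:format>
        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage"/>
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <defs id="defs5923"/>
  <g id="layer1" transform="matrix(0.4536635,0,0,0.4536635,-5.1836431,-4.6889387)">
    <g id="g8304" transform="translate(2745.6887,-1555.5977)" style="enable-background:new">
      <!-- Outer plate -->
      <path id="path8034"
            transform="matrix(0.8233528,8.9983906e-3,-8.9983906e-3,0.8233528,-1398.5561,740.7914)"
            style="opacity:1;fill:#efd259;fill-opacity:1;stroke:#efd259;stroke-opacity:1"
            d="M -1603,1054.4387 L -1577.0919,1027.891 L -1540,1027.4387 L -1513.4523,1053.3468 L -1513,1090.4387 L -1538.9081,1116.9864 L -1576,1117.4387 L -1602.5477,1091.5306 L -1603,1054.4387 z"/>
      <!-- Inner plate: same outline, smaller transform -->
      <path id="path8036"
            transform="matrix(0.6467652,7.0684723e-3,-7.0684723e-3,0.6467652,-1675.7492,927.16391)"
            style="opacity:1;fill:#a42324;fill-opacity:1;stroke:#a42324;stroke-opacity:1"
            d="M -1603,1054.4387 L -1577.0919,1027.891 L -1540,1027.4387 L -1513.4523,1053.3468 L -1513,1090.4387 L -1538.9081,1116.9864 L -1576,1117.4387 L -1602.5477,1091.5306 L -1603,1054.4387 z"/>
      <!-- White bar; the font properties in its style are leftovers from text converted to a path -->
      <path id="path8038"
            style="font-size:107.13574219px;font-style:normal;font-weight:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Charter"
            d="M -2686.7886,1597.753 C -2686.627,1596.5292 -2686.5462,1595.6987 -2686.5462,1595.218 C -2686.5462,1593.1637 -2688.0814,1592.0711 -2690.9899,1592.0711 C -2693.8985,1592.0711 -2695.4336,1593.12 -2695.4336,1595.218 C -2695.4336,1595.961 -2695.3528,1596.7914 -2695.1912,1597.753 L -2692.929,1614.4491 L -2689.0508,1614.4491 L -2686.7886,1597.753"/>
      <!-- White dot -->
      <path id="path8040"
            style="font-size:107.13574219px;font-style:normal;font-weight:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Charter"
            d="M -2690.9899,1617.8197 C -2693.6124,1617.8197 -2695.8118,1619.9346 -2695.8118,1622.6416 C -2695.8118,1625.3486 -2693.6124,1627.4635 -2690.9899,1627.4635 C -2688.2829,1627.4635 -2686.168,1625.264 -2686.168,1622.6416 C -2686.168,1619.9346 -2688.2829,1617.8197 -2690.9899,1617.8197"/>
    </g>
  </g>
</svg>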
web/html/docs/selinux-user-guide/f10/html-single index.html, NONE, 1.1
by Murray McAllister
Author: mdious
Update of /cvs/fedora/web/html/docs/selinux-user-guide/f10/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23851/selinux-user-guide/f10/html-single
Added Files:
index.html
Log Message:
- updating content for multi-page HTML.
- adding single-page HTML content.
- adding PDF.
- updating index.php to reflect above mentioned changes.
--- NEW FILE index.html ---
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Security-Enhanced Linux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content=""/><meta name="description" content="This book is about managing and using Security-Enhanced Linux."/></head><body class=""><div class="book" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">10</span></div><div><h1 id="d0e1" class="title">Security-Enhanced Linux</h1></div><div><h2 class="subtitle">User Guide</h2></div><p class="edition">Edition 1.1</p><div><h3 class="corpauthor">
<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"/></span>
</h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a href="mailto:mmcallis@redhat.com">mmcallis(a)redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Daniel</span> <span class="surname">Walsh</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a href="mailto:dwalsh@redhat.com">dwalsh(a)redhat.com</a></code></div><div class="othercredit"><h3 class="othercredit"><span class="firstname">Dominick</span> <span class="surname">Grift</span></h3><span class="contrib">Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confining Users, and Troubleshooting chap
ters.</span><div class="affiliation"><span class="orgname"/> <span class="orgdiv"/></div><code class="email"><a href="mailto:domg472@gmail.com">domg472(a)gmail.com</a></code></div><div class="othercredit"><h3 class="othercredit"><span class="firstname">Eric</span> <span class="surname">Paris</span></h3><span class="contrib">Technical editor for the Mounting File Systems and Raw Audit Messages sections.</span><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a href="mailto:eparis@parisplace.org">eparis(a)parisplace.org</a></code></div><div class="othercredit"><h3 class="othercredit"><span class="firstname">James</span> <span class="surname">Morris</span></h3><span class="contrib">Technical editor for the Introduction and Targeted Policy chapters.</span><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a href=
"mailto:jmorris@redhat.com">jmorris(a)redhat.com</a></code></div></div></div><div><p class="copyright">Copyright © 2008 Red Hat, Inc.</p></div><hr/><div><div id="d0e35" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
Copyright <span class="trademark"/>© 2008 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at <a href="http://www.opencontent.org/openpub/">http://www.opencontent.org/openpub/</a>).
</div><div class="para">
Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.
</div><div class="para">
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.
</div><div class="para">
All other trademarks and copyrights referred to are the property of their respective owners.
</div><div class="para">
Documentation, as with software itself, may be subject to export control. Read about Fedora Project export controls at <a href="http://fedoraproject.org/wiki/Legal/Export">http://fedoraproject.org/wiki/Legal/Export</a>.
</div></div></div><div><div class="abstract"><h6>Abstract</h6><div class="para">This book is about managing and using Security-Enhanced <span class="trademark">Linux</span>®.</div></div></div></div><hr/></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security-Enhanced_Linux-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e146">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e156">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#d0e372">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#d0e391">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#d0e411">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Trademark_Information">1. Trademark Information</a></span></dt><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Introductio
n">2. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux on Other Operating Systems</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-SELinux_Contexts">3. SELinux Contexts</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinu
x_Contexts_for_Processes">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Targeted_Policy">4. Targeted Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Working_with_SELinux">5. Working with SELinux</a></span></dt><dd><dl><dt><span class="section"><a hr
ef="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_wit
h_SELinux-SELinux_Modes">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">5.6.3. Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="s
ection"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting an NFS File System</a></span></dt>
<dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context
">5.10.3. Checking the Default SELinux Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Confining_Users">6. Confining Users</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_User
s_semanage_login">6.3. Confining Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Troubleshooting">7. Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.
2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_D
enials">7.3.2. Possible Causes of Silent Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive Domains</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access: audit2allow</a></span></dt></dl></dd></dl
></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Further_Information">8. Further Information</a></span></dt><dt><span class="appendix"><a href="#appe-Security-Enhanced_Linux-Revision_History">A. Revision History</a></span></dt></dl></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security-Enhanced_Linux-Preface" class="title">Preface</h1></div></div></div><div class="para">
The Fedora 10 SELinux User Guide is for people with minimal or no experience with SELinux. Although system administration experience is not necessary, content in this guide is written for system administration tasks. This guide provides an introduction to fundamental concepts and practical applications of SELinux. After reading this guide you should have an intermediate understanding of SELinux.
</div><div class="para">
Thank you to everyone who offered encouragement, help, and testing - it is most appreciated. Very special thanks to:
</div><div class="itemizedlist"><ul><li><div class="para">
Dominick Grift, Stephen Smalley, and Russell Coker for their contributions, help, and patience.
</div></li><li><div class="para">
Karsten Wade for his help, adding a component for this guide to <a href="https://bugzilla.redhat.com/"> Red Hat Bugzilla</a>, and sorting out web hosting on <a href="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</a>.
</div></li><li><div class="para">
The <a href="http://fedoraproject.org/wiki/Infrastructure">Fedora Infrastructure Team</a> for providing hosting.
</div></li><li><div class="para">
Jens-Ulrik Petersen for making sure the Red Hat Brisbane office has up-to-date Fedora mirrors.
</div></li></ul></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="d0e146">1. Document Conventions</h2></div></div></div><div class="para">
This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.
</div><div class="para">
In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e156">1.1. Typographic Conventions</h3></div></div></div><div class="para">
Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
</div><div class="para">
<code class="literal">Mono-spaced Bold</code>
</div><div class="para">
Used to highlight system input, including shell commands, file names and paths. Also used to highlight key caps and key-combinations. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
To see the contents of the file <code class="filename">my_next_bestselling_novel</code> in your current working directory, enter the <code class="command">cat my_next_bestselling_novel</code> command at the shell prompt and press <span><strong class="keycap">Enter</strong></span> to execute the command.
</div></blockquote></div><div class="para">
The above includes a file name, a shell command and a key cap, all presented in Mono-spaced Bold and all distinguishable thanks to context.
</div><div class="para">
Key-combinations can be distinguished from key caps by the hyphen connecting each part of a key-combination. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
Press <span><strong class="keycap">Enter</strong></span> to execute the command.
</div><div class="para">
Press <span><strong class="keycap">Ctrl</strong></span>-<span><strong class="keycap">Alt</strong></span>-<span><strong class="keycap">F1</strong></span> to switch to the first virtual terminal. Press <span><strong class="keycap">Ctrl</strong></span>-<span><strong class="keycap">Alt</strong></span>-<span><strong class="keycap">F7</strong></span> to return to your X-Windows session.
</div></blockquote></div><div class="para">
The first sentence highlights the particular key cap to press. The second highlights two sets of three key caps, each set pressed simultaneously.
</div><div class="para">
If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">Mono-spaced Bold</code>. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
File-related classes include <code class="classname">filesystem</code> for file systems, <code class="classname">file</code> for files, and <code class="classname">dir</code> for directories. Each class has its own associated set of permissions.
</div></blockquote></div><div class="para">
<span><strong class="application">Proportional Bold</strong></span>
</div><div class="para">
This denotes words or phrases encountered on a system, including application names; dialogue box text; labelled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
Choose <span><strong class="guimenu">System > Preferences > Mouse</strong></span> from the main menu bar to launch <span><strong class="application">Mouse Preferences</strong></span>. In the <span><strong class="guilabel">Buttons</strong></span> tab, click the <span><strong class="guilabel">Left-handed mouse</strong></span> check box and click <span><strong class="guibutton">Close</strong></span> to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).
</div><div class="para">
To insert a special character into a <span><strong class="application">gedit</strong></span> file, choose <span><strong class="guimenu">Applications > Accessories > Character Map</strong></span> from the main menu bar. Next, choose <span><strong class="guimenu">Search > Find…</strong></span> from the <span><strong class="application">Character Map</strong></span> menu bar, type the name of the character in the <span><strong class="guilabel">Search</strong></span> field and click <span><strong class="guibutton">Next</strong></span>. The character you sought will be highlighted in the <span><strong class="guilabel">Character Table</strong></span>. Double-click this highlighted character to place it in the <span><strong class="guilabel">Text to copy</strong></span> field and then click the <span><strong class="guibutton">Copy</strong></span> button. Now switch back to your document and choose <span><strong class="guimenu">Edit > Paste</strong></span> from the <
span><strong class="application">gedit</strong></span> menu bar.
</div></blockquote></div><div class="para">
The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in Proportional Bold and all distinguishable by context.
</div><div class="para">
Note the <span><strong class="guimenu">></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This is to avoid the difficult-to-follow 'Select <span><strong class="guimenuitem">Mouse</strong></span> from the <span><strong class="guimenu">Preferences</strong></span> sub-menu in the <span><strong class="guimenu">System</strong></span> menu of the main menu bar' approach.
</div><div class="para">
<code class="command"><em class="replaceable"><code>Mono-spaced Bold Italic</code></em></code> or <span><strong class="application"><em class="replaceable"><code>Proportional Bold Italic</code></em></strong></span>
</div><div class="para">
Whether Mono-spaced Bold or Proportional Bold, the addition of Italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
To connect to a remote machine using ssh, type <code class="command">ssh <em class="replaceable"><code>username</code></em>@<em class="replaceable"><code>domain.name</code></em></code> at a shell prompt. If the remote machine is <code class="filename">example.com</code> and your username on that machine is john, type <code class="command">ssh john@example.com</code>.
</div><div class="para">
The <code class="command">mount -o remount <em class="replaceable"><code>file-system</code></em></code> command remounts the named file system. For example, to remount the <code class="filename">/home</code> file system, the command is <code class="command">mount -o remount /home</code>.
</div><div class="para">
To see the version of a currently installed package, use the <code class="command">rpm -q <em class="replaceable"><code>package</code></em></code> command. It will return a result as follows: <code class="command"><em class="replaceable"><code>package-version-release</code></em></code>.
</div></blockquote></div><div class="para">
Note the words in bold italics above — username, domain.name, file-system, package, version and release. Each word is a placeholder, either for text you enter when issuing a command or for text displayed by the system.
</div><div class="para">
Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
</div></blockquote></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e372">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
Two, commonly multi-line, data types are set off visually from the surrounding text.
</div><div class="para">
Output sent to a terminal is set in <code class="computeroutput">Mono-spaced Roman</code> and presented thus:
</div><pre class="screen">
books Desktop documentation drafts mss photos stuff svn
books_tests Desktop1 downloads images notes scripts svgs
</pre><div class="para">
Source-code listings are also set in <code class="computeroutput">Mono-spaced Roman</code> but are presented and highlighted as follows:
</div><pre class="programlisting">
<span class="hl-keyword">package</span> org.jboss.book.jca.ex1;
<span class="hl-keyword">import</span> javax.naming.InitialContext;
<span class="hl-keyword">public</span> <span class="hl-keyword">class</span> ExClient
{
<span class="hl-keyword">public</span> <span class="hl-keyword">static</span> <span class="hl-keyword">void</span> main(String args[])
<span class="hl-keyword">throws</span> Exception
{
InitialContext iniCtx = <span class="hl-keyword">new</span> InitialContext();
Object ref = iniCtx.lookup(<span class="hl-string">"EchoBean"</span>);
EchoHome home = (EchoHome) ref;
Echo echo = home.create();
System.out.println(<span class="hl-string">"Created Echo"</span>);
System.out.println(<span class="hl-string">"Echo.echo('Hello') = "</span> + echo.echo(<span class="hl-string">"Hello"</span>));
}
}
</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e391">1.3. Notes and Warnings</h3></div></div></div><div class="para">
Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.
</div><div class="note"><h2>Note</h2><div class="para">
A note is a tip or shortcut or alternative approach to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
</div></div><div class="important"><h2>Important</h2><div class="para">
Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring Important boxes won't cause data loss but may cause irritation and frustration.
</div></div><div class="warning"><h2>Warning</h2><div class="para">
A Warning should not be ignored. Ignoring warnings will most likely cause data loss.
</div></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="d0e411">2. We Need Feedback!</h2></div></div></div><a id="d0e414" class="indexterm"/><div class="para">
If you find a typographical error in this manual, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla: <a href="http://bugzilla.redhat.com/bugzilla/">http://bugzilla.redhat.com/bugzilla/</a>
against the product <span><strong class="application">Fedora Documentation.</strong></span>
</div><div class="para">
When submitting a bug report, be sure to mention the manual's identifier: <em class="citetitle">selinux-user-guide</em>
</div><div class="para">
If you have a suggestion for improving the documentation, try to be as specific as possible when describing it. If you have found an error, please include the section number and some of the surrounding text so we can find it easily.
</div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Trademark_Information">Chapter 1. Trademark Information</h2></div></div></div><div class="para">
<span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the U.S. and other countries.
</div><div class="para">
UNIX is a registered trademark of The Open Group.
</div><div class="para">
Type Enforcement is a trademark of Secure Computing Corporation, registered in the U.S. and in other countries. Secure Computing Corporation has not consented to the use or reference to this trademark by the author outside of this guide.
</div><div class="para">
Apache is a trademark of The Apache Software Foundation.
</div><div class="para">
MySQL is a trademark or registered trademark of MySQL AB in the U.S. and other countries.
</div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Introduction">Chapter 2. Introduction</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux on Other Operating Systems</a></span></dt></dl></div><div class="para">
Files, such as directories and devices, are called objects. Processes, such as a user running a command or the <span class="trademark">Mozilla</span>®<span class="trademark"> Firefox</span>® application, are called subjects. Most operating systems use a Discretionary Access Control (DAC) system that controls how subjects interact with objects, and how subjects interact with each other. On operating systems using DAC, users control the permissions of files (objects) that they own. For example, on <span class="trademark">Linux</span>® operating systems, users can make their home directories world-readable, giving users and processes (subjects) access to potentially sensitive information.
</div><div class="para">
DAC mechanisms are fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over their files, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's files, so no protection is provided against malicious software. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs can be exploited to obtain complete system access.<sup>[<a id="d0e465" href="#ftn.d0e465">1</a>]</sup>
</div><div class="para">
The following is an example of permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions in these examples may differ from your system. Use the <code class="command">ls -l</code> command to view file permissions:
</div><pre class="screen">$ ls -l file1
-rwxrw-r-- 1 user1 group1 0 2008-11-21 15:42 file1
</pre><div class="para">
The first three permission bits, <code class="computeroutput">rwx</code>, control the access the Linux <code class="computeroutput">user1</code> user (in this case, the owner) has to <code class="filename">file1</code>. The next three permission bits, <code class="computeroutput">rw-</code>, control the access members of the Linux <code class="computeroutput">group1</code> group have to <code class="filename">file1</code>. The last three permission bits, <code class="computeroutput">r--</code>, control the access everyone else has to <code class="filename">file1</code>: every user who is neither the owner nor a member of <code class="computeroutput">group1</code>, and any process running as such a user.
</div><div class="para">
Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as from authorized users who have unwittingly executed malicious applications.<sup>[<a id="d0e507" href="#ftn.d0e507">2</a>]</sup>
</div><div class="para">
The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the <code class="command">ls -Z</code> command:
</div><pre class="screen">$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
</pre><div class="para">
In this example, SELinux provides a user (<code class="computeroutput">unconfined_u</code>), a role (<code class="computeroutput">object_r</code>), a type (<code class="computeroutput">user_home_t</code>), and a level (<code class="computeroutput">s0</code>). This information is used to make access control decisions. With DAC, access is controlled based only on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Introduction-Linux_and_SELinux_Users">Linux and SELinux Users</h5>
On Linux operating systems that run SELinux, there are Linux users as well as SELinux users. SELinux users are part of SELinux policy. Linux users are mapped to SELinux users. To avoid confusion, this guide uses "Linux user" and "SELinux user" to differentiate between the two.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</h2></div></div></div><div class="itemizedlist"><ul><li><div class="para">
All processes and files are labeled with a type. A type defines a domain for processes, and a type for files. Processes are separated from each other by running in their own domains, and SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it.
</div></li><li><div class="para">
Fine-grained access control. Stepping beyond traditional <span class="trademark">UNIX</span>® permissions that are controlled at user discretion and based on Linux user and group IDs, SELinux access decisions are based on all available information, such as an SELinux user, role, type, and, optionally, a level.
</div></li><li><div class="para">
SELinux policy is administratively-defined, enforced system-wide, and is not set at user discretion.
</div></li><li><div class="para">
Reduced vulnerability to privilege escalation attacks. One example: since processes run in domains, and are therefore separated from each other, and SELinux policy rules define how processes access files and other processes, if a process is compromised, the attacker only has access to the normal functions of that process, and to files the process has been configured to have access to. For example, if the Apache HTTP Server is compromised, an attacker can not use that process to read files in user home directories, unless a specific SELinux policy rule was added or configured to allow such access.
</div></li><li><div class="para">
SELinux can be used to enforce data confidentiality and integrity, as well as protecting processes from untrusted inputs.
</div></li></ul></div><div class="para">
SELinux is not:
</div><div class="itemizedlist"><ul><li><div class="para">
antivirus software.
</div></li><li><div class="para">
a replacement for passwords, firewalls, or other security systems.
</div></li><li><div class="para">
an all-in-one security solution.
</div></li></ul></div><div class="para">
SELinux is designed to enhance existing security solutions, not replace them. Even when running SELinux, continue to follow good security practices, such as keeping software up-to-date, using hard-to-guess passwords, firewalls, and so on.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</h2></div></div></div><div class="para">
The following examples demonstrate how SELinux increases security:
</div><div class="itemizedlist"><ul><li><div class="para">
the default action is deny. If an SELinux policy rule does not exist to allow access, such as for a process opening a file, access is denied.
</div></li><li><div class="para">
SELinux can confine Linux users. A number of confined SELinux users exist. Linux users can be mapped to SELinux users to take advantage of confined SELinux users. For example, mapping a Linux user to the SELinux user_u user results in a Linux user that is not able to run (unless configured otherwise) set user ID (setuid) applications, such as <code class="command">sudo</code> and <code class="command">su</code>, and that is prevented from executing files and applications in their home directory. If configured, this prevents users from executing malicious files from their home directories.
</div></li><li><div class="para">
process separation. Processes run in their own domains, preventing processes from accessing files used by other processes, as well as processes accessing other processes. For example, when running SELinux, unless otherwise configured, an attacker can not compromise a Samba server, and then use that Samba server to read and write to files used by other processes, such as databases used by <span class="trademark">MySQL</span>®.
</div></li><li><div class="para">
help limit the damage done by configuration mistakes. <a href="http://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System (DNS)</a> servers can replicate information between each other. This is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the <a href="https://www.isc.org/software/bind">Berkeley Internet Name Domain (BIND)</a> DNS server in Fedora 10, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files <sup>[<a id="d0e609" href="#ftn.d0e609">3</a>]</sup> from being updated by zone transfers, the BIND <code class="systemitem">named</code> daemon, and other processes.
</div></li><li><div class="para">
refer to the <a href="http://www.redhatmagazine.com/"><span class="trademark">Red Hat</span>® Magazine</a> article, <a href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-h...">Risk report: Three years of Red Hat Enterprise Linux 4</a><sup>[<a id="d0e626" href="#ftn.d0e626">4</a>]</sup>, for exploits that were restricted due to the default SELinux targeted policy in <span class="trademark">Red Hat</span>® Enterprise <span class="trademark">Linux</span>® 4.
</div></li><li><div class="para">
refer to the <a href="http://www.linuxworld.com">LinuxWorld.com</a> article, <a href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1">A seatbelt for server software: SELinux blocks real-world exploits</a><sup>[<a id="d0e646" href="#ftn.d0e646">5</a>]</sup>, for background information about SELinux, and information about various exploits that SELinux has prevented.
</div></li><li><div class="para">
refer to James Morris's <a href="http://james-morris.livejournal.com/25421.html">SELinux mitigates remote root vulnerability in OpenPegasus</a> blog post, for information about an exploit in <a href="http://www.openpegasus.org/">OpenPegasus</a> that was mitigated by SELinux as shipped with Red Hat Enterprise Linux 4 and 5.
</div></li></ul></div><div class="para">
The <a href="http://www.tresys.com/">Tresys Technology</a> website has an <a href="http://www.tresys.com/innovation.php">SELinux Mitigation News</a> section (on the right-hand side), that lists recent exploits that have been mitigated or prevented by SELinux.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</h2></div></div></div><div class="para">
SELinux is a Linux security module that is built into the Linux kernel. SELinux is driven by loadable policy rules. When security-relevant access is taking place, such as when a process attempts to open a file, the operation is intercepted in the kernel by SELinux. If an SELinux policy rule allows the operation, it continues, otherwise, the operation is blocked and the process receives an error.
</div><div class="para">
SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Caching decisions decreases how often SELinux policy rules need to be checked, which increases performance. SELinux policy rules have no effect if DAC rules deny access first.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux on Other Operating Systems</h2></div></div></div><div class="para">
Refer to the following for information about running SELinux on other operating systems:
</div><div class="itemizedlist"><ul><li><div class="para">
Hardened Gentoo: <a href="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml">http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml</a>.
</div></li><li><div class="para">
Debian: <a href="http://wiki.debian.org/SELinux">http://wiki.debian.org/SELinux</a>.
</div></li><li><div class="para">
Ubuntu: <a href="https://wiki.ubuntu.com/SELinux">https://wiki.ubuntu.com/SELinux</a> and <a href="https://help.ubuntu.com/community/SELinux">https://help.ubuntu.com/community/SELinux</a>.
</div></li><li><div class="para">
Red Hat Enterprise Linux: <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deploy...">Red Hat Enterprise Linux Deployment Guide</a> and <a href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/">Red Hat Enterprise Linux 4 SELinux Guide</a>.
</div></li><li><div class="para">
Fedora: <a href="http://fedoraproject.org/wiki/SELinux">http://fedoraproject.org/wiki/SELinux</a> and the <a href="http://docs.fedoraproject.org/selinux-faq-fc5/">Fedora Core 5 SELinux FAQ</a>.
</div></li></ul></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e465" href="#d0e465">1</a>] </sup>
"Integrating Flexible Support for Security Policies into the Linux Operating System", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <a href="http://www.nsa.gov/research/_files/selinux/papers/freenix01/index.shtml">original paper</a> for details and the document as it was first released. Any edits and changes were done by Murray McAllister.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e507" href="#d0e507">2</a>] </sup>
"Meeting Critical Security Objectives with Security-Enhanced Linux", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <a href="http://www.nsa.gov/research/_files/selinux/papers/ottawa01/index.shtml">original paper</a> for details and the document as it was first released. Any edits and changes were done by Murray McAllister.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e609" href="#d0e609">3</a>] </sup>
Text files that include information, such as hostname to IP address mappings, that are used by DNS servers.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e626" href="#d0e626">4</a>] </sup>
Cox, Mark. "Risk report: Three years of Red Hat Enterprise Linux 4". Published 26 February 2008. Accessed 28 August 2008: <a href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-h...">http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-h...</a>.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e646" href="#d0e646">5</a>] </sup>
Marti, Don. "A seatbelt for server software: SELinux blocks real-world exploits". Published 24 February 2008. Accessed 28 August 2008: <a href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1">http://www.linuxworld.com/news/2008/022408-selinux.html?page=1</a>.
</p></div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-SELinux_Contexts">Chapter 3. SELinux Contexts</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</a></span></dt></dl></div><div class="para">
Processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level. When running SELinux, all of this information is used to make access control decisions. In Fedora 10, SELinux provides a combination of Role-Based Access Control (RBAC), <span class="trademark">Type Enforcement</span>® (TE), and, optionally, Multi-Level Security (MLS).
</div><div class="para">
The following is an example SELinux context. SELinux contexts are used on processes, Linux users, and files, on Linux operating systems that run SELinux. Use the <code class="command">ls -Z</code> command to view the SELinux context of files and directories:
</div><pre class="screen">$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
</pre><div class="para">
SELinux contexts follow the <span class="emphasis"><em>SELinux user:role:type:level</em></span> syntax:
</div><div class="variablelist"><dl><dt><span class="term"><span class="emphasis"><em>SELinux user</em></span></span></dt><dd><div class="para">
The SELinux user identity is an identity known to the policy that is authorized for a specific set of roles, and for a specific MLS range. Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions on SELinux users. The mapped SELinux user identity is used in the SELinux context for processes in that session, in order to limit which roles and levels they can enter. Run the <code class="command">semanage login -l</code> command as the Linux root user to view a list of mappings between SELinux and Linux user accounts:
</div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
</pre><div class="para">
Output may differ from system to system. The <code class="computeroutput">Login Name</code> column lists Linux users, and the <code class="computeroutput">SELinux User</code> column lists which SELinux user is mapped to which Linux user. For processes, the SELinux user limits which roles and levels are accessible. The last column, <code class="computeroutput">MLS/MCS Range</code>, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS). Levels are briefly discussed later.
</div></dd><dt><span class="term"><span class="emphasis"><em>role</em></span></span></dt><dd><div class="para">
Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for domains. The role serves as an intermediary between domains and SELinux users. The roles that can be entered determine which domains can be entered - ultimately, this controls which object types can be accessed. This helps reduce vulnerability to privilege escalation attacks.
</div></dd><dt><span class="term"><span class="emphasis"><em>type</em></span></span></dt><dd><div class="para">
The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
</div></dd><dt><span class="term"><span class="emphasis"><em>level</em></span></span></dt><dd><div class="para">
The level is an attribute of MLS and Multi-Category Security (MCS). An MLS range is a pair of levels, written as <span class="emphasis"><em>lowlevel-highlevel</em></span> if the levels differ, or <span class="emphasis"><em>lowlevel</em></span> if the levels are identical (<code class="computeroutput">s0-s0</code> is the same as <code class="computeroutput">s0</code>). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as <span class="emphasis"><em>sensitivity:category-set</em></span>. If there are no categories, it is written as <span class="emphasis"><em>sensitivity</em></span>.
</div><div class="para">
If the category set is a contiguous series, it can be abbreviated. For example, <code class="computeroutput">c0.c3</code> is the same as <code class="computeroutput">c0,c1,c2,c3</code>. The <code class="filename">/etc/selinux/targeted/setrans.conf</code> file maps levels (<code class="computeroutput">s0:c0</code>) to human-readable form (<code class="computeroutput">CompanyConfidential</code>). Do not edit <code class="filename">setrans.conf</code> with a text editor: use <code class="command">semanage</code> to make changes. Refer to the <span class="citerefentry"><span class="refentrytitle">semanage</span>(8)</span> manual page for further information. In Fedora 10, targeted policy enforces MCS, and in MCS, there is one sensitivity, <code class="computeroutput">s0</code>. MCS in Fedora 10 supports 1024 different categories: <code class="computeroutput">c0</code> through to <code class="computeroutput">c1023</code>. <code class="computeroutput">s0-s0:c0.c1023</code> is
sensitivity <code class="computeroutput">s0</code> and authorized for all categories.
</div><div class="para">
MLS enforces the <a href="http://en.wikipedia.org/wiki/Bell-LaPadula_model">Bell-LaPadula Mandatory Access Model</a>, and is used in Labeled Security Protection Profile (LSPP) environments. To use MLS restrictions, install the <span class="package">selinux-policy-mls</span> package, and configure MLS to be the default SELinux policy. The MLS policy shipped with Fedora omits many program domains that were not part of the evaluated configuration, and therefore, MLS on a desktop workstation is unusable (no support for the X Window System); however, an MLS policy from the <a href="http://oss.tresys.com/projects/refpolicy">upstream SELinux Reference Policy</a> can be built that includes all program domains.
</div></dd></dl></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</h2></div></div></div><div class="para">
A process in one domain transitions to another domain by executing an application that has the <code class="computeroutput">entrypoint</code> type for the new domain. The <code class="computeroutput">entrypoint</code> permission is used in SELinux policy, and controls which applications can be used to enter a domain. The following example demonstrates a domain transition:
</div><div class="orderedlist"><ol><li><div class="para">
A user wants to change their password. To change their password, they run the <code class="command">passwd</code> application. The <code class="filename">/usr/bin/passwd</code> executable is labeled with the <code class="computeroutput">passwd_exec_t</code> type:
</div><pre class="screen">$ ls -Z /usr/bin/passwd
-rwsr-xr-x root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
</pre><div class="para">
The <span><strong class="application">passwd</strong></span> application accesses <code class="filename">/etc/shadow</code>, which is labeled with the <code class="computeroutput">shadow_t</code> type:
</div><pre class="screen">$ ls -Z /etc/shadow
-r-------- root root system_u:object_r:shadow_t:s0 /etc/shadow
</pre></li><li><div class="para">
An SELinux policy rule states that processes running in the <code class="computeroutput">passwd_t</code> domain are allowed to read and write to files labeled with the <code class="computeroutput">shadow_t</code> type. The <code class="computeroutput">shadow_t</code> type is only applied to files that are required for a password change. This includes <code class="filename">/etc/gshadow</code>, <code class="filename">/etc/shadow</code>, and their backup files.
</div></li><li><div class="para">
An SELinux policy rule states that the <code class="computeroutput">passwd_t</code> domain has <code class="computeroutput">entrypoint</code> permission to the <code class="computeroutput">passwd_exec_t</code> type.
</div></li><li><div class="para">
When a user runs the <code class="command">/usr/bin/passwd</code> application, the user's shell process transitions to the <code class="computeroutput">passwd_t</code> domain. With SELinux, since the default action is to deny, and a rule exists that allows (among other things) applications running in the <code class="computeroutput">passwd_t</code> domain to access files labeled with the <code class="computeroutput">shadow_t</code> type, the <span><strong class="application">passwd</strong></span> application is allowed to access <code class="filename">/etc/shadow</code>, and update the user's password.
</div></li></ol></div><div class="para">
This example is not exhaustive, and is used as a basic example to explain domain transition. Although there is an actual rule that allows subjects running in the <code class="computeroutput">passwd_t</code> domain to access objects labeled with the <code class="computeroutput">shadow_t</code> file type, other SELinux policy rules must be met before the subject can transition to a new domain. In this example, Type Enforcement ensures:
</div><div class="itemizedlist"><ul><li><div class="para">
the <code class="computeroutput">passwd_t</code> domain can only be entered by executing an application labeled with the <code class="computeroutput">passwd_exec_t</code> type; can only execute from authorized shared libraries, such as the <code class="computeroutput">lib_t</code> type; and can not execute any other applications.
</div></li><li><div class="para">
only authorized domains, such as <code class="computeroutput">passwd_t</code>, can write to files labeled with the <code class="computeroutput">shadow_t</code> type. Even if other processes are running with superuser privileges, those processes can not write to files labeled with the <code class="computeroutput">shadow_t</code> type, as they are not running in the <code class="computeroutput">passwd_t</code> domain.
</div></li><li><div class="para">
only authorized domains can transition to the <code class="computeroutput">passwd_t</code> domain. For example, the <code class="systemitem">sendmail</code> process running in the <code class="computeroutput">sendmail_t</code> domain does not have a legitimate reason to execute <code class="command">passwd</code>; therefore, it can never transition to the <code class="computeroutput">passwd_t</code> domain.
</div></li><li><div class="para">
processes running in the <code class="computeroutput">passwd_t</code> domain can only read and write to authorized types, such as files labeled with the <code class="computeroutput">etc_t</code> or <code class="computeroutput">shadow_t</code> types. This prevents the <span><strong class="application">passwd</strong></span> application from being tricked into reading or writing arbitrary files.
</div></li></ul></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux Contexts for Processes</h2></div></div></div><div class="para">
Use the <code class="command">ps -eZ</code> command to view the SELinux context for processes. For example:
</div><div class="orderedlist"><ol><li><div class="para">
Open a terminal, such as <span><strong class="guimenu">Applications</strong></span> → <span><strong class="guisubmenu">System Tools</strong></span> → <span><strong class="guimenuitem">Terminal</strong></span>.
</div></li><li><div class="para">
Run the <code class="command">/usr/bin/passwd</code> command. Do not enter a new password.
</div></li><li><div class="para">
Open a new tab, or another terminal, and run the <code class="command">ps -eZ | grep passwd</code> command. The output is similar to the following:
</div><pre class="screen">unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
</pre></li><li><div class="para">
In the first tab, press <strong class="userinput"><code>Ctrl+C</code></strong> to cancel the <span><strong class="application">passwd</strong></span> application.
</div></li></ol></div><div class="para">
In this example, when the <code class="filename">/usr/bin/passwd</code> application (labeled with the <code class="computeroutput">passwd_exec_t</code> type) is executed, the user's shell process transitions to the <code class="computeroutput">passwd_t</code> domain. Remember: the type defines a domain for processes, and a type for files.
</div><div class="para">
Use the <code class="command">ps -eZ</code> command to view the SELinux contexts for running processes. The following is a limited example of the output, and may differ on your system:
</div><pre class="screen">system_u:system_r:setroubleshootd_t:s0 1866 ? 00:00:08 setroubleshootd
system_u:system_r:dhcpc_t:s0 1869 ? 00:00:00 dhclient
system_u:system_r:sshd_t:s0-s0:c0.c1023 1882 ? 00:00:00 sshd
system_u:system_r:gpm_t:s0 1964 ? 00:00:00 gpm
system_u:system_r:crond_t:s0-s0:c0.c1023 1973 ? 00:00:00 crond
system_u:system_r:kerneloops_t:s0 1983 ? 00:00:05 kerneloops
system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ? 00:00:00 atd
</pre><div class="para">
The <code class="computeroutput">system_r</code> role is used for system processes, such as daemons. Type Enforcement then separates each domain.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</h2></div></div></div><div class="para">
Use the <code class="command">id -Z</code> command to view the SELinux context associated with your Linux user:
</div><pre class="screen">unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
</pre><div class="para">
In Fedora 10, Linux users run unconfined by default. This SELinux context shows that the Linux user is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user, running as the <code class="computeroutput">unconfined_r</code> role, and is running in the <code class="computeroutput">unconfined_t</code> domain. <code class="computeroutput">s0-s0</code> is an MLS range, which in this case, is the same as just <code class="computeroutput">s0</code>. The categories the user has access to are defined by <code class="computeroutput">c0.c1023</code>, which is all categories (<code class="computeroutput">c0</code> through to <code class="computeroutput">c1023</code>).
</div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Targeted_Policy">Chapter 4. Targeted Policy</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</a></span></dt></dl></div><div class="para">
Targeted policy is the default SELinux policy used in Fedora 10. When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged in users run in the <code class="computeroutput">unconfined_t</code> domain, and system processes started by init run in the <code class="computeroutput">initrc_t</code> domain - both of these domains are unconfined.
</div><div class="para">
Unconfined domains (as well as confined domains) are subject to executable and writeable memory checks. By default, subjects running in an unconfined domain can not allocate writeable memory and execute it. This reduces vulnerability to <a href="http://en.wikipedia.org/wiki/Buffer_overflow">buffer overflow attacks</a>. These memory checks are disabled by setting Booleans, which allow the SELinux policy to be modified at runtime. Boolean configuration is discussed later.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</h2></div></div></div><div class="para">
Almost every service that listens on a network is confined in Fedora 10. Also, most processes that run as the Linux root user and perform tasks for users, such as the <span><strong class="application">passwd</strong></span> application, are confined. When a process is confined, it runs in its own domain, such as the <code class="systemitem">httpd</code> process running in the <code class="computeroutput">httpd_t</code> domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited.
</div><div class="para">
The following example demonstrates how SELinux prevents the Apache HTTP Server (<code class="systemitem">httpd</code>) from reading files that are not correctly labeled, such as files intended for use by Samba. This is an example, and should not be used in production. It assumes that the <span class="package">httpd</span>, <span class="package">wget</span>, <span class="package">setroubleshoot-server</span>, and <span class="package">audit</span> packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
</div><div class="orderedlist"><ol><li><div class="para">
Run the <code class="command">sestatus</code> command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:
</div><pre class="screen">
$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted
</pre><div class="para">
<code class="computeroutput">SELinux status: enabled</code> is returned when SELinux is enabled. <code class="computeroutput">Current mode: enforcing</code> is returned when SELinux is running in enforcing mode. <code class="computeroutput">Policy from config file: targeted</code> is returned when the SELinux targeted policy is used.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">touch /var/www/html/testfile</code> command to create a file.
</div></li><li><div class="para">
Run the <code class="command">ls -Z /var/www/html/testfile</code> command to view the SELinux context:
</div><pre class="screen">-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
</pre><div class="para">
By default, Linux users run unconfined in Fedora 10, which is why the <code class="filename">testfile</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="d0e1213" href="#ftn.d0e1213">6</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">service httpd start</code> command to start the <code class="systemitem">httpd</code> process. The output is as follows if <code class="systemitem">httpd</code> starts successfully:
</div><pre class="screen"># /sbin/service httpd start
Starting httpd: [ OK ]
</pre></li><li><div class="para">
Change into a directory to which your Linux user has write access, and run the <code class="command">wget http://localhost/testfile</code> command. Unless there are changes to the default configuration, this command succeeds:
</div><pre class="screen">--2008-09-06 23:00:01-- http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'
[ <=> ] 0 --.-K/s in 0s
2008-09-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]
</pre></li><li><div class="para">
The <code class="command">chcon</code> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <code class="command">semanage fcontext</code> command, which is discussed in <a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext" title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2, “Persistent Changes: semanage fcontext”</a>. As the Linux root user, run the following command to change the type to a type used by Samba:
</div><div class="para">
<code class="command">chcon -t samba_share_t /var/www/html/testfile</code>
</div><div class="para">
Run the <code class="command">ls -Z /var/www/html/testfile</code> command to view the changes:
</div><pre class="screen">-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
</pre></li><li><div class="para">
Note: the current DAC permissions (<code class="computeroutput">-rw-r--r--</code>, so the file is world-readable) allow the <code class="systemitem">httpd</code> process access to <code class="filename">testfile</code>; only the SELinux label now stands in the way. Change into a directory to which your Linux user has write access, and run the <code class="command">wget http://localhost/testfile</code> command. Unless there are changes to the default configuration, this command fails:
</div><pre class="screen">--2008-09-06 23:00:54-- http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2008-09-06 23:00:54 ERROR 403: Forbidden.
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">rm -i /var/www/html/testfile</code> command to remove <code class="filename">testfile</code>.
</div></li><li><div class="para">
If you do not require <code class="systemitem">httpd</code> to be running, as the Linux root user, run the <code class="command">service httpd stop</code> command to stop <code class="systemitem">httpd</code>:
</div><pre class="screen"># /sbin/service httpd stop
Stopping httpd: [ OK ]
</pre></li></ol></div><div class="para">
This example demonstrates the additional security added by SELinux. Although DAC rules allowed the <code class="systemitem">httpd</code> process access to <code class="filename">testfile</code> in step 7, because the file was labeled with a type that the <code class="systemitem">httpd</code> process does not have access to, SELinux denied access. After step 7, an error similar to the following is logged to <code class="filename">/var/log/messages</code>:
</div><pre class="screen">Sep 6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654
</pre><div class="para">
Previous log files may use a <code class="filename">/var/log/messages.<em class="replaceable"><code>YYYYMMDD</code></em></code> format. When running <span><strong class="application">syslog-ng</strong></span>, previous log files may use a <code class="filename">/var/log/messages.<em class="replaceable"><code>X</code></em></code> format. If the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> processes are running, errors similar to the following are logged to <code class="filename">/var/log/audit/audit.log</code>:
</div><pre class="screen">type=AVC msg=audit(1220706212.937:70): avc: denied { getattr } for pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
</pre><div class="para">
Also, an error similar to the following is logged to <code class="filename">/var/log/httpd/error_log</code>:
</div><pre class="screen">[Sat Sep 06 23:00:54 2008] [error] [client <em class="replaceable"><code>127.0.0.1</code></em>] (13)Permission denied: access to /testfile denied
</pre><div class="note"><h2>Note</h2><div class="para">
In Fedora 10, the <span class="package">setroubleshoot-server</span> and <span class="package">audit</span> packages are installed by default. These packages include the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons respectively. These daemons run by default. Stopping either of these daemons changes where SELinux denials are written to. Refer to <a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used" title="5.2. Which Log File is Used">Section 5.2, “Which Log File is Used”</a> for further information.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</h2></div></div></div><div class="para">
Unconfined processes run in unconfined domains, for example, init programs run in the unconfined <code class="computeroutput">initrc_t</code> domain, unconfined kernel processes run in the <code class="computeroutput">kernel_t</code> domain, and unconfined Linux users run in the <code class="computeroutput">unconfined_t</code> domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them.
</div><div class="para">
The following example demonstrates how the Apache HTTP Server (<code class="systemitem">httpd</code>) can access data intended for use by Samba, when running unconfined. Note: in Fedora 10, the <code class="systemitem">httpd</code> process runs in the confined <code class="computeroutput">httpd_t</code> domain by default. This is an example, and should not be used in production. It assumes that the <span class="package">httpd</span>, <span class="package">wget</span>, <span class="package">setroubleshoot-server</span>, and <span class="package">audit</span> packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
</div><div class="orderedlist"><ol><li><div class="para">
Run the <code class="command">sestatus</code> command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:
</div><pre class="screen">
$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted
</pre><div class="para">
<code class="computeroutput">SELinux status: enabled</code> is returned when SELinux is enabled. <code class="computeroutput">Current mode: enforcing</code> is returned when SELinux is running in enforcing mode. <code class="computeroutput">Policy from config file: targeted</code> is returned when the SELinux targeted policy is used.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">touch /var/www/html/test2file</code> command to create a file.
</div></li><li><div class="para">
Run the <code class="command">ls -Z /var/www/html/test2file</code> command to view the SELinux context:
</div><pre class="screen">-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
</pre><div class="para">
By default, Linux users run unconfined in Fedora 10, which is why the <code class="filename">test2file</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="d0e1463" href="#ftn.d0e1463">7</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
</div></li><li><div class="para">
The <code class="command">chcon</code> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <code class="command">semanage fcontext</code> command, which is discussed in <a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext" title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2, “Persistent Changes: semanage fcontext”</a>. As the Linux root user, run the following command to change the type to a type used by Samba:
</div><div class="para">
<code class="command">chcon -t samba_share_t /var/www/html/test2file</code>
</div><div class="para">
Run the <code class="command">ls -Z /var/www/html/test2file</code> command to view the changes:
</div><pre class="screen">-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file
</pre></li><li><div class="para">
Run the <code class="command">service httpd status</code> command to confirm that the <code class="systemitem">httpd</code> process is not running:
</div><pre class="screen">$ /sbin/service httpd status
httpd is stopped
</pre><div class="para">
If the output differs, run the <code class="command">service httpd stop</code> command as the Linux root user to stop the <code class="systemitem">httpd</code> process:
</div><pre class="screen"># /sbin/service httpd stop
Stopping httpd: [ OK ]
</pre></li><li><div class="para">
To make the <code class="systemitem">httpd</code> process run unconfined, run the following command as the Linux root user to change the type of <code class="filename">/usr/sbin/httpd</code> to a type that does not transition to a confined domain. Warning: this removes SELinux confinement from every <code class="systemitem">httpd</code> process started from this binary, and the label change persists until it is reverted (step 11 below, or a file system relabel), so perform this step only on a test system:
</div><div class="para">
<code class="command">chcon -t unconfined_exec_t /usr/sbin/httpd</code>
</div></li><li><div class="para">
Run the <code class="command">ls -Z /usr/sbin/httpd</code> command to confirm that <code class="filename">/usr/sbin/httpd</code> is labeled with the <code class="computeroutput">unconfined_exec_t</code> type:
</div><pre class="screen">-rwxr-xr-x root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">service httpd start</code> command to start the <code class="systemitem">httpd</code> process. The output is as follows if <code class="systemitem">httpd</code> starts successfully:
</div><pre class="screen"># /sbin/service httpd start
Starting httpd: [ OK ]
</pre></li><li><div class="para">
Run the <code class="command">ps -eZ | grep httpd</code> command to view the <code class="systemitem">httpd</code> running in the <code class="computeroutput">unconfined_t</code> domain:
</div><pre class="screen">$ ps -eZ | grep httpd
unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7721</code></em> ? 00:00:00 httpd
unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7723</code></em> ? 00:00:00 httpd
unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7724</code></em> ? 00:00:00 httpd
unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7725</code></em> ? 00:00:00 httpd
unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7726</code></em> ? 00:00:00 httpd
unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7727</code></em> ? 00:00:00 httpd
unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7728</code></em> ? 00:00:00 httpd
unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7729</code></em> ? 00:00:00 httpd
unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7730</code></em> ? 00:00:00 httpd
</pre></li><li><div class="para">
Change into a directory to which your Linux user has write access, and run the <code class="command">wget http://localhost/test2file</code> command. Unless there are changes to the default configuration, this command succeeds:
</div><pre class="screen">--2008-09-07 01:41:10-- http://localhost/test2file
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `test2file.1'
[ <=> ]--.-K/s in 0s
2008-09-07 01:41:10 (0.00 B/s) - `test2file.1' saved [0/0]
</pre><div class="para">
Although the <code class="systemitem">httpd</code> process does not have access to files labeled with the <code class="computeroutput">samba_share_t</code> type, <code class="systemitem">httpd</code> is running in the unconfined <code class="computeroutput">unconfined_t</code> domain, and falls back to using DAC rules, and as such, the <code class="command">wget</code> command succeeds. Had <code class="systemitem">httpd</code> been running in the confined <code class="computeroutput">httpd_t</code> domain, the <code class="command">wget</code> command would have failed.
</div></li><li><div class="para">
The <code class="command">restorecon</code> command restores the default SELinux context for files. As the Linux root user, run the <code class="command">restorecon -v /usr/sbin/httpd</code> command to restore the default SELinux context for <code class="filename">/usr/sbin/httpd</code>:
</div><pre class="screen"># /sbin/restorecon -v /usr/sbin/httpd
restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_exec_t:s0->system_u:object_r:httpd_exec_t:s0
</pre><div class="para">
Run the <code class="command">ls -Z /usr/sbin/httpd</code> command to confirm that <code class="filename">/usr/sbin/httpd</code> is labeled with the <code class="computeroutput">httpd_exec_t</code> type:
</div><pre class="screen">$ ls -Z /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">/sbin/service httpd restart</code> command to restart <code class="systemitem">httpd</code>. After restarting, run the <code class="command">ps -eZ | grep httpd</code> to confirm that <code class="systemitem">httpd</code> is running in the confined <code class="computeroutput">httpd_t</code> domain:
</div><pre class="screen"># /sbin/service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
# ps -eZ | grep httpd
unconfined_u:system_r:httpd_t 8880 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8882 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8883 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8884 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8885 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8886 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8887 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8888 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8889 ? 00:00:00 httpd
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">rm -i /var/www/html/test2file</code> command to remove <code class="filename">test2file</code>.
</div></li><li><div class="para">
If you do not require <code class="systemitem">httpd</code> to be running, as the Linux root user, run the <code class="command">service httpd stop</code> command to stop <code class="systemitem">httpd</code>:
</div><pre class="screen"># /sbin/service httpd stop
Stopping httpd: [ OK ]
</pre></li></ol></div><div class="para">
The examples in these sections demonstrate how data can be protected from a compromised confined process (protected by SELinux policy), as well as how data is more accessible to an attacker from a compromised unconfined process (not protected by SELinux policy, and therefore limited only by DAC rules).
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</h2></div></div></div><div class="para">
Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions on SELinux users. This Linux user mapping is seen by running the <code class="command">semanage login -l</code> command as the Linux root user:
</div><pre class="screen"># /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
</pre><div class="para">
In Fedora 10, Linux users are mapped to the SELinux <code class="computeroutput">__default__</code> login by default (which is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user). The following defines the default-mapping:
</div><pre class="screen">__default__ unconfined_u s0-s0:c0.c1023
</pre><div class="para">
The following example demonstrates adding a new Linux user, and that Linux user being mapped to the SELinux <code class="computeroutput">unconfined_u</code> user. It assumes that the Linux root user is running unconfined, as it does by default in Fedora 10:
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/useradd newuser</code> command to create a new Linux user named newuser.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">passwd newuser</code> command to assign a password to the Linux newuser user:
</div><pre class="screen"># passwd newuser
Changing password for user newuser.
New UNIX password: <em class="replaceable"><code>Enter a password</code></em>
Retype new UNIX password: <em class="replaceable"><code>Enter the same password again</code></em>
passwd: all authentication tokens updated successfully.
</pre></li><li><div class="para">
Log out of your current session, and log in as the Linux newuser user. When you log in, pam_selinux maps the Linux user to an SELinux user (in this case, unconfined_u), and sets up the resulting SELinux context. The Linux user's shell is then launched with this context. Run the <code class="command">id -Z</code> command to view the context of a Linux user:
</div><pre class="screen">[newuser@localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
</pre></li><li><div class="para">
Log out of the Linux newuser's session, and log in with your account. If you do not want the Linux newuser user, run the <code class="command">/usr/sbin/userdel -r newuser</code> command as the Linux root user to remove it, along with the Linux newuser's home directory.
</div></li></ol></div><div class="para">
Confined and unconfined Linux users are subject to executable and writeable memory checks, and are also restricted by MCS (and MLS, if the MLS policy is used). If unconfined Linux users execute an application that SELinux policy defines can transition from the <code class="computeroutput">unconfined_t</code> domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy. Note: this does not protect the system from the user. Instead, the user and the system are being protected from possible damage caused by a flaw in the application.
</div><div class="para">
The following confined SELinux users are available in Fedora 10:
</div><div class="table" id="tabl-Security-Enhanced_Linux-Confined_and_Unconfined_Users-SELinux_User_Capabilities"><div class="table-contents"><table summary="SELinux User Capabilities" border="1"><colgroup><col/><col/><col/><col/><col/><col/></colgroup><thead><tr><th>
User
</th><th>
Domain
</th><th>
X Window System
</th><th>
su and sudo
</th><th>
Execute in home directory and /tmp/
</th><th>
Networking
</th></tr></thead><tbody><tr><td>
guest_u
</td><td>
guest_t
</td><td align="center">
no
</td><td align="center">
no
</td><td align="center">
optional
</td><td align="center">
no
</td></tr><tr><td>
xguest_u
</td><td>
xguest_t
</td><td align="center">
yes
</td><td align="center">
no
</td><td align="center">
optional
</td><td align="center">
only <span><strong class="application">Firefox</strong></span>
</td></tr><tr><td>
user_u
</td><td>
user_t
</td><td align="center">
yes
</td><td align="center">
no
</td><td align="center">
optional
</td><td align="center">
yes
</td></tr><tr><td>
staff_u
</td><td>
staff_t
</td><td align="center">
yes
</td><td align="center">
only <code class="command">sudo</code>
</td><td align="center">
optional
</td><td align="center">
yes
</td></tr></tbody></table></div><h6>Table 4.1. SELinux User Capabilities</h6></div><br class="table-break"/><div class="itemizedlist"><ul><li><div class="para">
Linux users in the <code class="computeroutput">guest_t</code>, <code class="computeroutput">xguest_t</code>, and <code class="computeroutput">user_t</code> domains can only run set user ID (setuid) applications if SELinux policy permits it (such as <code class="command">passwd</code>). They can not run the <code class="command">su</code> and <code class="command">/usr/bin/sudo</code> setuid applications, and therefore, can not use these applications to become the Linux root user.
</div></li><li><div class="para">
Linux users in the <code class="computeroutput">guest_t</code> domain have no network access, and can only log in via a terminal. This includes <code class="systemitem">ssh</code>: they can log in to the system via <code class="systemitem">ssh</code>, but once logged in they can not use <code class="systemitem">ssh</code> (or any other network client) to connect to another system.
</div></li><li><div class="para">
The only network access Linux users in the <code class="computeroutput">xguest_t</code> domain have is <span><strong class="application">Firefox</strong></span> connecting to web pages.
</div></li><li><div class="para">
Linux users in the <code class="computeroutput">xguest_t</code>, <code class="computeroutput">user_t</code> and <code class="computeroutput">staff_t</code> domains can log in via the X Window System and a terminal.
</div></li><li><div class="para">
By default, Linux users in the <code class="computeroutput">staff_t</code> domain do not have permissions to execute applications with <code class="command">/usr/bin/sudo</code>. These permissions must be configured by an administrator.
</div></li></ul></div><div class="para">
By default, Linux users in the <code class="computeroutput">guest_t</code> and <code class="computeroutput">xguest_t</code> domains can not execute applications in their home directories or <code class="filename">/tmp/</code>, preventing them from executing applications (which inherit the users' permissions) from directories they have write access to. This helps prevent flawed or malicious applications, such as those downloaded or written by the user, from modifying files the users own.
</div><div class="para">
By default, Linux users in the <code class="computeroutput">user_t</code> and <code class="computeroutput">staff_t</code> domains can execute applications in their home directories and <code class="filename">/tmp/</code>. Refer to <a href="#sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications" title="6.6. Booleans for Users Executing Applications">Section 6.6, “Booleans for Users Executing Applications”</a> for information about allowing and preventing users from executing applications in their home directories and <code class="filename">/tmp/</code>.
</div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e1213" href="#d0e1213">6</a>] </sup>
When using other policies, such as MLS, other roles may be used, for example, <code class="computeroutput">secadm_r</code>.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e1463" href="#d0e1463">7</a>] </sup>
When using other policies, such as MLS, other roles may also be used, for example, <code class="computeroutput">secadm_r</code>.
</p></div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Working_with_SELinux">Chapter 5. Working with SELinux</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1.
Enabling SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">5.6.3. Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_
Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_L
inux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting an NFS File System</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</a></span></dt><dt><span class="section"><a h
ref="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking the Default SELinux Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></div><div class="para">
The following sections give a brief overview of the main SELinux packages in Fedora 10; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the <code class="command">mount</code> command; mounting NFS file systems; and how to preserve SELinux contexts when copying and archiving files and directories.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</h2></div></div></div><div class="para">
In Fedora 10, the SELinux packages are installed by default, unless they are manually excluded during installation. By default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the main SELinux packages:
</div><div class="para">
<span class="package">policycoreutils</span>: provides utilities, such as <code class="command">semanage</code>, <code class="command">restorecon</code>, <code class="command">audit2allow</code>, <code class="command">semodule</code>, <code class="command">load_policy</code>, and <code class="command">setsebool</code>, for operating and managing SELinux.
</div><div class="para">
<span class="package">policycoreutils-gui</span>: provides <code class="command">system-config-selinux</code>, a graphical tool for managing SELinux.
</div><div class="para">
<span class="package">selinux-policy</span>: provides the SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy. Refer to the Tresys Technology <a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a> page for further information. The <span class="package">selinux-policy-devel</span> package provides development tools, such as <code class="command">/usr/share/selinux/devel/policygentool</code> and <code class="command">/usr/share/selinux/devel/policyhelp</code>, as well as example policy files. This package was merged into the <span class="package">selinux-policy</span> package.
</div><div class="para">
<span class="package">selinux-policy-<em class="replaceable"><code>policy</code></em></span>: provides SELinux policies. For targeted policy, install <span class="package">selinux-policy-targeted</span>. For MLS, install <span class="package">selinux-policy-mls</span>. In Fedora 8, the strict policy was merged into targeted policy, allowing confined and unconfined users to co-exist on the same system.
</div><div class="para">
<span class="package">setroubleshoot-server</span>: translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with <code class="command">sealert</code> (which is provided by this package).
</div><div class="para">
<span class="package">setools</span>, <span class="package">setools-gui</span>, and <span class="package">setools-console</span>: these packages provide the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools distribution</a>, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management<sup>[<a id="d0e2044" href="#ftn.d0e2044">8</a>]</sup>. The <span class="package">setools</span> package is a meta-package for SETools. The <span class="package">setools-gui</span> package provides the <code class="command">apol</code>, <code class="command">seaudit</code>, and <code class="command">sediffx</code> tools. The <span class="package">setools-console</span> package provides the <code class="command">seaudit-report</code>, <code class="command">sechecker</code>, <code class="command">sediff</code>, <code class="command">seinfo</code>, <code class="command">sesearch</code>, <code class="com
mand">findcon</code>, <code class="command">replcon</code>, and <code class="command">indexcon</code> command line tools. Refer to the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools</a> page for information about these tools.
</div><div class="para">
<span class="package">libselinux-utils</span>: provides the <code class="command">avcstat</code>, <code class="command">getenforce</code>, <code class="command">getsebool</code>, <code class="command">matchpathcon</code>, <code class="command">selinuxconlist</code>, <code class="command">selinuxdefcon</code>, <code class="command">selinuxenabled</code>, <code class="command">setenforce</code>, <code class="command">togglesebool</code> tools.
</div><div class="para">
<span class="package">mcstrans</span>: translates levels, such as <code class="computeroutput">s0-s0:c0.c1023</code>, to an easier to read form, such as <code class="computeroutput">SystemLow-SystemHigh</code>. This package is not installed by default.
</div><div class="para">
To install packages in Fedora 10, as the Linux root user, run the <code class="command">yum install <em class="replaceable"><code>package-name</code></em></code> command. For example, to install the <span class="package">mcstrans</span> package, run the <code class="command">yum install mcstrans</code> command. To upgrade all installed packages in Fedora 10, run the <code class="command">yum update</code> command.
</div><div class="para">
Refer to <a href="http://docs.fedoraproject.org/yum/en/">Managing Software with yum</a><sup>[<a id="d0e2156" href="#ftn.d0e2156">9</a>]</sup> for further information about using <code class="command">yum</code> to manage packages.
</div><div class="note"><h2>Note</h2><div class="para">
In previous versions of Fedora, the <span class="package">selinux-policy-devel</span> package is required when making a local policy module with <code class="command">audit2allow -M</code>.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</h2></div></div></div><div class="para">
In Fedora 10, the <span class="package">setroubleshoot-server</span> and <span class="package">audit</span> packages are installed if packages are not removed from the default package selection. These packages include the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons respectively. These daemons run by default.
</div><div class="para">
SELinux denial messages, such as the following, are written to <code class="filename">/var/log/audit/audit.log</code> by default:
</div><pre class="screen">type=AVC msg=audit(1223024155.684:49): avc: denied { getattr } for pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
</pre><div class="para">
Also, if <code class="systemitem">setroubleshootd</code> is running, which it is by default, denial messages from <code class="filename">/var/log/audit/audit.log</code> are translated to an easier-to-read form and sent to <code class="filename">/var/log/messages</code>:
</div><pre class="screen">Oct 3 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
</pre><div class="para">
Denial messages are sent to a different location, depending on which daemons are running:
</div><div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Daemon</th><th>Log Location</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code></td></tr><tr class="seglistitem"><td class="seg">auditd off; rsyslogd on</td><td class="seg"><code class="filename">/var/log/messages</code></td></tr><tr class="seglistitem"><td class="seg">setroubleshootd, rsyslogd, and auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial messages also sent to <code class="filename">/var/log/messages</code></td></tr></tbody></table></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Which_Log_File_is_Used-Starting_Daemons_Automatically">Starting Daemons Automatically</h5>
To configure the <code class="systemitem">auditd</code>, <code class="systemitem">rsyslogd</code>, and <code class="systemitem">setroubleshootd</code> daemons to automatically start at boot, run the following commands as the Linux root user:
</div><pre class="screen">/sbin/chkconfig --levels 2345 auditd on
</pre><pre class="screen">/sbin/chkconfig --levels 2345 rsyslog on
</pre><pre class="screen">/sbin/chkconfig --levels 345 setroubleshoot on
</pre><div class="para">
Use the <code class="command">service <em class="replaceable"><code>service-name</code></em> status</code> command to check if these services are running, for example:
</div><pre class="screen">
$ /sbin/service auditd status
auditd (pid <em class="replaceable"><code>1318</code></em>) is running...
</pre><div class="para">
If the above services are not running (<code class="computeroutput"><em class="replaceable"><code>service-name</code></em> is stopped</code>), use the <code class="command">service <em class="replaceable"><code>service-name</code></em> start</code> command as the Linux root user to start them. For example:
</div><pre class="screen">
# /sbin/service setroubleshoot start
Starting setroubleshootd: [ OK ]
</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</h2></div></div></div><div class="para">
The <code class="filename">/etc/selinux/config</code> file is the main SELinux configuration file. It controls the SELinux mode and the SELinux policy to use:
</div><pre class="screen"># This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
</pre><div class="variablelist"><dl><dt><span class="term"><code class="computeroutput">SELINUX=enforcing</code></span></dt><dd><div class="para">
The <code class="option">SELINUX</code> option sets the mode SELinux runs in. SELinux has three modes: enforcing, permissive, and disabled. When using enforcing mode, SELinux policy is enforced, and SELinux denies access based on SELinux policy rules. Denial messages are logged. When using permissive mode, SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running SELinux in enforcing mode. When using disabled mode, SELinux is disabled (the SELinux module is not registered with the Linux kernel), and only DAC rules are used.
</div></dd><dt><span class="term"><code class="computeroutput">SELINUXTYPE=targeted</code></span></dt><dd><div class="para">
The <code class="option">SELINUXTYPE</code> option sets the SELinux policy to use. Targeted policy is the default policy. Only change this option if you want to use the MLS policy. To use the MLS policy, install the <span class="package">selinux-policy-mls</span> package; configure <code class="option">SELINUXTYPE=mls</code> in <code class="filename">/etc/selinux/config</code>; and reboot your system. File contexts can differ between policies, so a full file system relabel is normally required after changing <code class="option">SELINUXTYPE</code>: to make sure it runs, as the Linux root user, create the empty file <code class="filename">/.autorelabel</code> before rebooting, and allow extra time for the first boot.
</div></dd></dl></div><div class="important"><h2>Important</h2><div class="para">
When systems run with SELinux in permissive or disabled mode, users have permission to label files incorrectly. Also, files created while SELinux is disabled are not labeled. This causes problems when changing to enforcing mode. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from disabled mode to permissive or enforcing mode.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</h2></div></div></div><div class="para">
Use the <code class="command">/usr/sbin/getenforce</code> or <code class="command">/usr/sbin/sestatus</code> commands to check the status of SELinux. The <code class="command">getenforce</code> command returns <code class="computeroutput">Enforcing</code>, <code class="computeroutput">Permissive</code>, or <code class="computeroutput">Disabled</code>. The <code class="command">getenforce</code> command returns <code class="computeroutput">Enforcing</code> when SELinux is enabled (SELinux policy rules are enforced):
</div><pre class="screen">$ /usr/sbin/getenforce
Enforcing
</pre><div class="para">
The <code class="command">getenforce</code> command returns <code class="computeroutput">Permissive</code> when SELinux is enabled, but SELinux policy rules are not enforced, and only DAC rules are used. The <code class="command">getenforce</code> command returns <code class="computeroutput">Disabled</code> if SELinux is disabled.
</div><div class="para">
The <code class="command">sestatus</code> command returns the SELinux status and the SELinux policy being used:
</div><pre class="screen">$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted
</pre><div class="para">
<code class="computeroutput">SELinux status: enabled</code> is returned when SELinux is enabled. <code class="computeroutput">Current mode: enforcing</code> is returned when SELinux is running in enforcing mode. <code class="computeroutput">Policy from config file: targeted</code> is returned when the SELinux targeted policy is used.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</h3></div></div></div><div class="para">
On systems with SELinux disabled, the <code class="computeroutput">SELINUX=disabled</code> option is configured in <code class="filename">/etc/selinux/config</code>:
</div><pre class="screen"># This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
</pre><div class="para">
Also, the <code class="command">getenforce</code> command returns <code class="computeroutput">Disabled</code>:
</div><pre class="screen">$ /usr/sbin/getenforce
Disabled
</pre><div class="para">
To enable SELinux:
</div><div class="orderedlist"><ol><li><div class="para">
Use the <code class="command">rpm -qa | grep selinux</code>, <code class="command">rpm -q policycoreutils</code>, and <code class="command">rpm -qa | grep setroubleshoot</code> commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: <span class="package">selinux-policy-targeted</span>, <span class="package">selinux-policy</span>, <span class="package">libselinux</span>, <span class="package">libselinux-python</span>, <span class="package">libselinux-utils</span>, <span class="package">policycoreutils</span>, <span class="package">setroubleshoot</span>, <span class="package">setroubleshoot-server</span>, <span class="package">setroubleshoot-plugins</span>. If these packages are not installed, as the Linux root user, install them via the <code class="command">yum install <em class="replaceable"><code>package-name</code></em></code> command. The following packages are optional: <span class="package">policycoreut
ils-gui</span>, <span class="package">setroubleshoot</span>, <span class="package">selinux-policy-devel</span>, and <span class="package">mcstrans</span>.
</div><div class="para">
After installing the <span class="package">setroubleshoot-server</span> package, use the <code class="command">/sbin/chkconfig --list setroubleshoot</code> command to confirm that <code class="systemitem">setroubleshootd</code> starts when the system is running in runlevel<sup>[<a id="d0e2484" href="#ftn.d0e2484">10</a>]</sup> 3, 4, and 5:
</div><pre class="screen">$ /sbin/chkconfig --list setroubleshoot
setroubleshoot 0:off 1:off 2:off 3:on 4:on 5:on 6:off
</pre><div class="para">
If the output differs, as the Linux root user, run the <code class="command">/sbin/chkconfig --levels 345 setroubleshoot on</code> command. This makes <code class="systemitem">setroubleshootd</code> automatically start when the system is in runlevel 3, 4, and 5.
</div></li><li><div class="para">
Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure <code class="computeroutput">SELINUX=permissive</code> in <code class="filename">/etc/selinux/config</code>:
</div><pre class="screen"># This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">reboot</code> command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context. If the relabel does not start automatically, as the Linux root user, create the empty file <code class="filename">/.autorelabel</code> (for example, with the <code class="command">touch /.autorelabel</code> command) and reboot again:
</div><pre class="screen">*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****
</pre><div class="para">
Each <code class="computeroutput">*</code> character on the bottom line represents 1000 files that have been labeled. In the above example, the four <code class="computeroutput">*</code> characters indicate that 4000 files have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.
</div></li><li><div class="para">
In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the <code class="command">grep "SELinux is preventing" /var/log/messages</code> command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Because that message is only written for denials that <code class="systemitem">setroubleshootd</code> has translated, also check the raw audit log with the <code class="command">grep denied /var/log/audit/audit.log</code> command. A clean boot does not exercise every service: run the system's normal workload in permissive mode and repeat these checks before switching, so that denials are found while they are only logged rather than enforced. Refer to <a href="#chap-Security-Enhanced_Linux-Troubleshooting" title="Chapter 7. Troubleshooting">Chapter 7, <i xmlns:xlink="http://www.w3.org/1999/xlink">Troubleshooting</i></a> for troubleshooting information if SELinux denied access during boot.
</div></li><li><div class="para">
If there were no denial messages in <code class="filename">/var/log/messages</code>, configure <code class="computeroutput">SELINUX=enforcing</code> in <code class="filename">/etc/selinux/config</code>:
</div><pre class="screen"># This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
</pre></li><li><div class="para">
Reboot your system. After reboot, confirm that the <code class="command">getenforce</code> command returns <code class="computeroutput">Enforcing</code>:
</div><pre class="screen">$ /usr/sbin/getenforce
Enforcing
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/semanage login -l</code> command to view the mapping between SELinux and Linux users. The output should be as follows:
</div><pre class="screen">Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
</pre></li></ol></div><div class="para">
If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the <code class="computeroutput">SELinux-user<em class="replaceable"><code> username</code></em> is already defined</code> warnings if they occur, where <em class="replaceable"><code>username</code></em> can be <code class="computeroutput">unconfined_u</code>, <code class="computeroutput">guest_u</code>, or <code class="computeroutput">xguest_u</code>:
</div><div class="orderedlist"><ol><li><div class="para">
<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
</pre>
</div></li><li><div class="para">
<pre class="screen">/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
</pre>
</div></li><li><div class="para">
<pre class="screen">/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
</pre>
</div></li><li><div class="para">
<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
</pre>
</div></li><li><div class="para">
<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R xguest_r xguest_u
</pre>
</div></li></ol></div><div class="important"><h2>Important</h2><div class="para">
When systems run with SELinux in permissive or disabled mode, users have permission to label files incorrectly. Also, files created while SELinux is disabled are not labeled. This causes problems when changing to enforcing mode. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from disabled mode to permissive or enforcing mode.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</h3></div></div></div><div class="para">
To disable SELinux, configure <code class="option">SELINUX=disabled</code> in <code class="filename">/etc/selinux/config</code>. Note that this removes all SELinux protection, and files created while SELinux is disabled are not labeled, so enabling SELinux again requires a full relabel as described in <a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux" title="5.4.1. Enabling SELinux">Section 5.4.1, “Enabling SELinux”</a>. For troubleshooting, prefer permissive mode (<a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes" title="5.5. SELinux Modes">Section 5.5, “SELinux Modes”</a>), which keeps files labeled and logs denials without enforcing them:
</div><pre class="screen"># This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
</pre><div class="para">
Reboot your system. After reboot, confirm that the <code class="command">getenforce</code> command returns <code class="computeroutput">Disabled</code>:
</div><pre class="screen">$ /usr/sbin/getenforce
Disabled
</pre></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux Modes</h2></div></div></div><div class="para">
SELinux has three modes:
</div><div class="itemizedlist"><ul><li><div class="para">
Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.
</div></li><li><div class="para">
Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.
</div></li><li><div class="para">
Disabled: SELinux is disabled. Only DAC rules are used.
</div></li></ul></div><div class="para">
Use the <code class="command">/usr/sbin/setenforce</code> command to change between enforcing and permissive mode. Changes made with <code class="command">/usr/sbin/setenforce</code> do not persist across reboots. To change to enforcing mode, as the Linux root user, run the <code class="command">/usr/sbin/setenforce 1</code> command. To change to permissive mode, as the Linux root user, run the <code class="command">/usr/sbin/setenforce 0</code> command. Note that permissive mode removes SELinux enforcement for every process on the system until enforcing mode is restored or the system is rebooted, so use it only for troubleshooting, and run <code class="command">/usr/sbin/setenforce 1</code> again as soon as the problem is identified. Use the <code class="command">/usr/sbin/getenforce</code> command to view the current SELinux mode.
</div><div class="para">
Persistent mode changes are covered in <a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux" title="5.4. Enabling and Disabling SELinux">Section 5.4, “Enabling and Disabling SELinux”</a>.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</h2></div></div></div><div class="para">
Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</h3></div></div></div><div class="para">
For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the <code class="command">semanage boolean -l</code> command as the Linux root user. The following example does not list all Booleans:
</div><pre class="screen"># /usr/sbin/semanage boolean -l
SELinux boolean Description
ftp_home_dir -> off Allow ftp to read and write files in the user home directories
xen_use_nfs -> off Allow xen to manage nfs files
xguest_connect_network -> on Allow xguest to configure Network Manager
</pre><div class="para">
The <code class="computeroutput">SELinux boolean</code> column lists Boolean names. The <code class="computeroutput">Description</code> column lists whether the Booleans are on or off, and what they do.
</div><div class="para">
In the following example, the <code class="computeroutput">ftp_home_dir</code> Boolean is off, preventing the FTP daemon (<code class="systemitem">vsftpd</code>) from reading and writing to files in user home directories:
</div><pre class="screen">ftp_home_dir -> off Allow ftp to read and write files in the user home directories
</pre><div class="para">
The <code class="command">getsebool -a</code> command lists Booleans, whether they are on or off, but does not give a description of each one. The following example does not list all Booleans:
</div><pre class="screen">$ /usr/sbin/getsebool -a
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
</pre><div class="para">
Run the <code class="command">getsebool <em class="replaceable"><code>boolean-name</code></em></code> command to only list the status of the <em class="replaceable"><code>boolean-name</code></em> Boolean:
</div><pre class="screen">$ /usr/sbin/getsebool allow_console_login
allow_console_login --> off
</pre><div class="para">
Use a space-separated list to list multiple Booleans:
</div><pre class="screen">$ /usr/sbin/getsebool allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</h3></div></div></div><div class="para">
The <code class="command">setsebool <em class="replaceable"><code>boolean-name</code></em> <em class="replaceable"><code>x</code></em></code> command turns Booleans on or off, where <em class="replaceable"><code>boolean-name</code></em> is a Boolean name, and <em class="replaceable"><code>x</code></em> is either <code class="option">on</code> to turn the Boolean on, or <code class="option">off</code> to turn it off.
</div><div class="para">
The following example demonstrates configuring the <code class="computeroutput">httpd_can_network_connect_db</code> Boolean:
</div><div class="orderedlist"><ol><li><div class="para">
By default, the <code class="computeroutput">httpd_can_network_connect_db</code> Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers:
</div><pre class="screen">$ /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off
</pre></li><li><div class="para">
To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, run the <code class="command">setsebool httpd_can_network_connect_db on</code> command as the Linux root user.
</div></li><li><div class="para">
Use the <code class="command">getsebool httpd_can_network_connect_db</code> command to verify the Boolean is turned on:
</div><pre class="screen">$ /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on
</pre><div class="para">
This allows Apache HTTP Server scripts and modules to connect to database servers. Turning a Boolean on widens what the confined <code class="computeroutput">httpd_t</code> domain is allowed to do, including if the web server is compromised, so turn on only the Booleans the workload needs and turn them off again (step 5) when they are no longer required.
</div></li><li><div class="para">
This change is not persistent across reboots. To make changes persistent across reboots, run the <code class="command">setsebool -P <em class="replaceable"><code>boolean-name</code></em> on</code> command as the Linux root user:
</div><pre class="screen"># /usr/sbin/setsebool -P httpd_can_network_connect_db on
</pre></li><li><div class="para">
To temporarily revert to the default behavior, as the Linux root user, run the <code class="command">setsebool httpd_can_network_connect_db off</code> command. For changes that persist across reboots, run the <code class="command">setsebool -P httpd_can_network_connect_db off</code> command.
</div></li></ol></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">5.6.3. Booleans for NFS and CIFS</h3></div></div></div><div class="para">
By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the <code class="computeroutput">nfs_t</code> type. Also, by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the <code class="computeroutput">cifs_t</code> type.
</div><div class="para">
Depending on policy configuration, services may not be able to read files labeled with the <code class="computeroutput">nfs_t</code> or <code class="computeroutput">cifs_t</code> types. This may prevent file systems labeled with these types from being mounted and then read or exported by other services. Booleans can be turned on or off to control which services are allowed to access the <code class="computeroutput">nfs_t</code> and <code class="computeroutput">cifs_t</code> types.
</div><div class="para">
The <code class="command">setsebool</code> and <code class="command">semanage</code> commands must be run as the Linux root user. The <code class="command">setsebool -P</code> command makes persistent changes. Do not use the <code class="option">-P</code> option if you do not want changes to persist across reboots:
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Apache_HTTP_Server">Apache HTTP Server</h5>
To allow access to NFS file systems (files labeled with the <code class="computeroutput">nfs_t</code> type):
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P httpd_use_nfs on</code>
</div><div class="para">
To allow access to Samba file systems (files labeled with the <code class="computeroutput">cifs_t</code> type):
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P httpd_use_cifs on</code>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Samba">Samba</h5>
To export NFS file systems:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P samba_share_nfs on</code>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-FTP_vsftpd">FTP (<code class="systemitem">vsftpd</code>)</h5>
To allow access to NFS file systems:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_ftpd_use_nfs on</code>
</div><div class="para">
To allow access to Samba file systems:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_ftpd_use_cifs on</code>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Other_Services">Other Services</h5>
For a list of NFS related Booleans for other services:
</div><div class="para">
<code class="command">/usr/sbin/semanage boolean -l | grep nfs</code>
</div><div class="para">
For a list of Samba related Booleans for other services:
</div><div class="para">
<code class="command">/usr/sbin/semanage boolean -l | grep cifs</code>
</div><div class="note"><h2>Note</h2><div class="para">
These Booleans exist in SELinux policy as shipped with Fedora 10. They may not exist in policy shipped with other versions of Fedora or other operating systems.
</div></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</h2></div></div></div><div class="para">
On systems running SELinux, all processes and files carry a label that contains security-relevant information. This information is called the SELinux context. For files, this is viewed using the <code class="command">ls -Z</code> command:
</div><pre class="screen">$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
</pre><div class="para">
In this example, SELinux provides a user (<code class="computeroutput">unconfined_u</code>), a role (<code class="computeroutput">object_r</code>), a type (<code class="computeroutput">user_home_t</code>), and a level (<code class="computeroutput">s0</code>). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
</div><div class="para">
There are multiple commands for managing the SELinux context for files, such as <code class="command">chcon</code>, <code class="command">semanage fcontext</code>, and <code class="command">restorecon</code>.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</h3></div></div></div><div class="para">
The <code class="command">chcon</code> command changes the SELinux context for files. These changes do not survive a file system relabel, or the <code class="command">/sbin/restorecon</code> command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using <code class="command">chcon</code>, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Quick_Reference">Quick Reference</h5>
<div class="itemizedlist"><ul><li><div class="para">
Run the <code class="command">chcon -t <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>file-name</code></em></code> command to change the file type, where <em class="replaceable"><code>type</code></em> is a type, such as <code class="computeroutput">httpd_sys_content_t</code>, and <em class="replaceable"><code>file-name</code></em> is a file or directory name.
</div></li><li><div class="para">
Run the <code class="command">chcon -R -t <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>directory-name</code></em></code> command to change the type of the directory and its contents, where <em class="replaceable"><code>type</code></em> is a type, such as <code class="computeroutput">httpd_sys_content_t</code>, and <em class="replaceable"><code>directory-name</code></em> is a directory name.
</div></li></ul></div>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Files_or_Directorys_Type">Changing a File's or Directory's Type</h5>
The following example demonstrates changing the type, and no other attributes of the SELinux context:
</div><div class="orderedlist"><ol><li><div class="para">
Run the <code class="command">cd</code> command without arguments to change into your home directory.
</div></li><li><div class="para">
Run the <code class="command">touch file1</code> command to create a new file. Use the <code class="command">ls -Z file1</code> command to view the SELinux context for <code class="filename">file1</code>:
</div><pre class="screen">$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
</pre><div class="para">
In this example, the SELinux context for <code class="filename">file1</code> includes the SELinux <code class="computeroutput">unconfined_u</code> user, <code class="computeroutput">object_r</code> role, <code class="computeroutput">user_home_t</code> type, and the <code class="computeroutput">s0</code> level. For a description of each part of the SELinux context, refer to <a href="#chap-Security-Enhanced_Linux-SELinux_Contexts" title="Chapter 3. SELinux Contexts">Chapter 3, <i xmlns:xlink="http://www.w3.org/1999/xlink">SELinux Contexts</i></a>.
</div></li><li><div class="para">
Run the <code class="command">chcon -t samba_share_t file1</code> command to change the type to <code class="computeroutput">samba_share_t</code>. The <code class="option">-t</code> option only changes the type. View the change with <code class="command">ls -Z file1</code>:
</div><pre class="screen">$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:samba_share_t:s0 file1
</pre></li><li><div class="para">
Use the <code class="command">/sbin/restorecon -v file1</code> command to restore the SELinux context for the <code class="filename">file1</code> file. Use the <code class="option">-v</code> option to view what changes:
</div><pre class="screen">$ /sbin/restorecon -v file1
restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
</pre><div class="para">
In this example, the previous type, <code class="computeroutput">samba_share_t</code>, is restored to the correct <code class="computeroutput">user_home_t</code> type. When using targeted policy (the default SELinux policy in Fedora 10), the <code class="command">/sbin/restorecon</code> command reads the files in the <code class="filename">/etc/selinux/targeted/contexts/files/</code> directory to determine which SELinux context files should have.
</div></li></ol></div><div class="para">
The example in this section works the same for directories, for example, if <code class="filename">file1</code> was a directory.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Directory_and_its_Contents_Types">Changing a Directory and its Contents Types</h5>
The following example demonstrates creating a new directory, and changing the directory's file type (along with its contents) to a type used by the Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of <code class="filename">/var/www/html/</code>):
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">mkdir /web</code> command to create a new directory, and then the <code class="command">touch /web/file{1,2,3}</code> command to create 3 empty files (<code class="filename">file1</code>, <code class="filename">file2</code>, and <code class="filename">file3</code>). The <code class="filename">/web/</code> directory and files in it are labeled with the <code class="computeroutput">default_t</code> type:
</div><pre class="screen"># ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">chcon -R -t httpd_sys_content_t /web/</code> command to change the type of the <code class="filename">/web/</code> directory (and its contents) to <code class="computeroutput">httpd_sys_content_t</code>:
</div><pre class="screen"># chcon -R -t httpd_sys_content_t /web/
# ls -dZ /web/
drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
# ls -lZ /web/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">/sbin/restorecon -R -v /web/</code> command to restore the default SELinux contexts:
</div><pre class="screen"># /sbin/restorecon -R -v /web/
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
</pre></li></ol></div><div class="para">
Refer to the <span class="citerefentry"><span class="refentrytitle">chcon</span>(1)</span> manual page for further information about <code class="command">chcon</code>.
</div><div class="note"><h2>Note</h2><div class="para">
Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</h3></div></div></div><div class="para">
The <code class="command">/usr/sbin/semanage fcontext</code> command changes the SELinux context for files. When using targeted policy, changes made with this command are added to the <code class="filename">/etc/selinux/targeted/contexts/files/file_contexts</code> file if the changes are to files that exist in <code class="filename">file_contexts</code>, or are added to <code class="filename">file_contexts.local</code> for new files and directories, such as a newly-created <code class="filename">/web/</code> directory. <code class="command">setfiles</code>, which is used when a file system is relabeled, and <code class="command">/sbin/restorecon</code>, which restores the default SELinux contexts, read these files. This means that changes made by <code class="command">/usr/sbin/semanage fcontext</code> are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Quick_Reference">Quick Reference</h5>
To make SELinux context changes that survive a file system relabel:
</div><div class="orderedlist"><ol><li><div class="para">
Run the <code class="command">/usr/sbin/semanage fcontext -a <em class="replaceable"><code>options</code></em> <em class="replaceable"><code>file-name</code></em>|<em class="replaceable"><code>directory-name</code></em></code> command, remembering to use the full path to the file or directory.
</div></li><li><div class="para">
Run the <code class="command">/sbin/restorecon -v <em class="replaceable"><code>file-name</code></em>|<em class="replaceable"><code>directory-name</code></em></code> command to apply the context changes.
</div></li></ol></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Files_Type">Changing a File's Type</h5>
The following example demonstrates changing a file's type, and no other attributes of the SELinux context:
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">touch /etc/file1</code> command to create a new file. By default, newly-created files in the <code class="filename">/etc/</code> directory are labeled with the <code class="computeroutput">etc_t</code> type:
</div><pre class="screen"># ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1</code> command to change the <code class="filename">file1</code> type to <code class="computeroutput">samba_share_t</code>. The <code class="option">-a</code> option adds a new record, and the <code class="option">-t</code> option defines a type (<code class="computeroutput">samba_share_t</code>). Note: running this command does not directly change the type - <code class="filename">file1</code> is still labeled with the <code class="computeroutput">etc_t</code> type:
</div><pre class="screen"># /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
</pre><div class="para">
The <code class="command">/usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1</code> command adds the following entry to <code class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
</div><pre class="screen">/etc/file1 unconfined_u:object_r:samba_share_t:s0
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">/sbin/restorecon -v /etc/file1</code> command to change the type. Since the <code class="command">semanage</code> command added an entry to <code class="filename">file_contexts.local</code> for <code class="filename">/etc/file1</code>, the <code class="command">/sbin/restorecon</code> command changes the type to <code class="computeroutput">samba_share_t</code>:
</div><pre class="screen"># /sbin/restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">rm -i /etc/file1</code> command to remove <code class="filename">file1</code>.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -d /etc/file1</code> command to remove the context added for <code class="filename">/etc/file1</code>. When the context is removed, running <code class="command">restorecon</code> changes the type to <code class="computeroutput">etc_t</code>, rather than <code class="computeroutput">samba_share_t</code>.
</div></li></ol></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directorys_Type">Changing a Directory's Type</h5>
The following example demonstrates creating a new directory and changing that directory's file type, to a type used by Apache HTTP Server:
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">mkdir /web</code> command to create a new directory. This directory is labeled with the <code class="computeroutput">default_t</code> type:
</div><pre class="screen"># ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
</pre><div class="para">
The <code class="command">ls</code> <code class="option">-d</code> option makes <code class="command">ls</code> list information about a directory, rather than its contents, and the <code class="option">-Z</code> option makes <code class="command">ls</code> display the SELinux context (in this example, <code class="computeroutput">unconfined_u:object_r:default_t:s0</code>).
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web</code> command to change the <code class="filename">/web/</code> type to <code class="computeroutput">httpd_sys_content_t</code>. The <code class="option">-a</code> option adds a new record, and the <code class="option">-t</code> option defines a type (<code class="computeroutput">httpd_sys_content_t</code>). Note: running this command does not directly change the type - <code class="filename">/web/</code> is still labeled with the <code class="computeroutput">default_t</code> type:
</div><pre class="screen"># /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web
# ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
</pre><div class="para">
The <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web</code> command adds the following entry to <code class="command">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
</div><pre class="screen">/web unconfined_u:object_r:httpd_sys_content_t:s0
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">/sbin/restorecon -v /web</code> command to change the type. Since the <code class="command">semanage</code> command added an entry to <code class="filename">file_contexts.local</code> for <code class="filename">/web</code>, the <code class="command">/sbin/restorecon</code> command changes the type to <code class="computeroutput">httpd_sys_content_t</code>:
</div><pre class="screen"># /sbin/restorecon -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
</pre><div class="para">
By default, newly-created files and directories inherit the SELinux type of their parent folders. When using this example, and before removing the SELinux context added for <code class="filename">/web/</code>, files and directories created in the <code class="filename">/web/</code> directory are labeled with the <code class="computeroutput">httpd_sys_content_t</code> type.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -d /web</code> command to remove the context added for <code class="filename">/web/</code>.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">/sbin/restorecon -v /web</code> command to restore the default SELinux context.
</div></li></ol></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directory_and_its_Contents_Types">Changing a Directory and its Contents Types</h5>
The following example demonstrates creating a new directory, and changing the directory's file type (along with its contents) to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of <code class="filename">/var/www/html/</code>):
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">mkdir /web</code> command to create a new directory, and then the <code class="command">touch /web/file{1,2,3}</code> command to create 3 empty files (<code class="filename">file1</code>, <code class="filename">file2</code>, and <code class="filename">file3</code>). The <code class="filename">/web/</code> directory and files in it are labeled with the <code class="computeroutput">default_t</code> type:
</div><pre class="screen"># ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</code> command to change the type of the <code class="filename">/web/</code> directory and the files in it, to <code class="computeroutput">httpd_sys_content_t</code>. The <code class="option">-a</code> option adds a new record, and the <code class="option">-t</code> option defines a type (<code class="computeroutput">httpd_sys_content_t</code>). The <code class="computeroutput">"/web(/.*)?"</code> regular expression causes the <code class="command">semanage</code> command to apply changes to the <code class="filename">/web/</code> directory, as well as the files in it. Note: running this command does not directly change the type - <code class="filename">/web/</code> and files in it are still labeled with the <code class="computeroutput">default_t</code> type:
</div><pre class="screen"># ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
</pre><div class="para">
The <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</code> command adds the following entry to <code class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
</div><pre class="screen">/web(/.*)? system_u:object_r:httpd_sys_content_t:s0
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">/sbin/restorecon -R -v /web</code> command to change the type of the <code class="filename">/web/</code> directory, as well as all files in it. The <code class="option">-R</code> option is for recursive, which means all files and directories under the <code class="filename">/web/</code> directory are labeled with the <code class="computeroutput">httpd_sys_content_t</code> type. Since the <code class="command">semanage</code> command added an entry to <code class="filename">file_contexts.local</code> for <code class="computeroutput">/web(/.*)?</code>, the <code class="command">/sbin/restorecon</code> command changes the types to <code class="computeroutput">httpd_sys_content_t</code>:
</div><pre class="screen"># /sbin/restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
</pre><div class="para">
By default, newly-created files and directories inherit the SELinux type of their parents. In this example, files and directories created in the <code class="filename">/web/</code> directory will be labeled with the <code class="computeroutput">httpd_sys_content_t</code> type.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -d "/web(/.*)?"</code> command to remove the context added for <code class="computeroutput">"/web(/.*)?"</code>.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">/sbin/restorecon -R -v /web</code> command to restore the default SELinux contexts.
</div></li></ol></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Deleting_an_added_Context">Deleting an added Context</h5>
The following example demonstrates adding and removing an SELinux context:
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /test</code> command. The <code class="filename">/test/</code> directory does not have to exist. This command adds the following context to <code class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
</div><pre class="screen">/test system_u:object_r:httpd_sys_content_t:s0
</pre></li><li><div class="para">
To remove the context, as the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -d <em class="replaceable"><code>file-name</code></em>|<em class="replaceable"><code>directory-name</code></em></code> command, where <em class="replaceable"><code>file-name</code></em>|<em class="replaceable"><code>directory-name</code></em> is the first part in <code class="filename">file_contexts.local</code>. The following is an example of a context in <code class="filename">file_contexts.local</code>:
</div><pre class="screen">/test system_u:object_r:httpd_sys_content_t:s0
</pre><div class="para">
In this entry, the first part is <code class="computeroutput">/test</code>. To prevent the <code class="filename">/test/</code> directory from being labeled with the <code class="computeroutput">httpd_sys_content_t</code> type after running <code class="command">/sbin/restorecon</code>, or after a file system relabel, run the following command as the Linux root user to delete the context from <code class="filename">file_contexts.local</code>:
</div><div class="para">
<code class="command">/usr/sbin/semanage fcontext -d /test</code>
</div></li></ol></div><div class="para">
If the context is part of a regular expression, for example, <code class="computeroutput">/web(/.*)?</code>, use quotation marks around the regular expression:
</div><div class="para">
<code class="command">/usr/sbin/semanage fcontext -d "/web(/.*)?"</code>
</div><div class="para">
Refer to the <span class="citerefentry"><span class="refentrytitle">semanage</span>(8)</span> manual page for further information about <code class="command">/usr/sbin/semanage</code>.
</div><div class="important"><h2>Important</h2><div class="para">
When changing the SELinux context with <code class="command">/usr/sbin/semanage fcontext -a</code>, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the <code class="command">/sbin/restorecon</code> command is run.
</div></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</h2></div></div></div><div class="para">
On file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <code class="computeroutput">file_t</code> type. This should be the only use of this type, so that files without a context on disk can be distinguished in policy, and generally kept inaccessible to confined domains. The <code class="computeroutput">file_t</code> type should not exist on correctly-labeled file systems, because all files on a system running SELinux should have an SELinux context, and the <code class="computeroutput">file_t</code> type is never used in file-context configuration<sup>[<a id="d0e3729" href="#ftn.d0e3729">11</a>]</sup>.
</div><div class="para">
The <code class="computeroutput">default_t</code> type is used on files that do not match any other pattern in file-context configuration, so that such files can be distinguished from files that do not have a context on disk, and generally kept inaccessible to confined domains. If you create a new top-level directory, such as <code class="filename">/mydirectory/</code>, this directory may be labeled with the <code class="computeroutput">default_t</code> type. If services need access to such a directory, update the file-contexts configuration for this location. Refer to <a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext" title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2, “Persistent Changes: semanage fcontext”</a> for details on adding a context to the file-context configuration.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</h2></div></div></div><div class="para">
By default, when a file system that supports extended attributes is mounted, the security context for each file is obtained from the <span class="emphasis"><em>security.selinux</em></span> extended attribute of the file. Files in file systems that do not support extended attributes are assigned a single, default security context from the policy configuration, based on file system type.
</div><div class="para">
Use the <code class="command">mount -o context</code> command to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes. This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems. The <code class="command">mount -o context</code> command can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS file systems. The context specified with the <code class="option">context</code> option is not written to disk: the original contexts are preserved, and are seen when mounting without a <code class="option">context</code> option (if the file system had extended attributes in the first place).
</div><div class="para">
For further information about file system labeling, refer to James Morris's "Filesystem Labeling in SELinux" article: <a href="http://www.linuxjournal.com/article/7426">http://www.linuxjournal.com/article/7426</a>.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</h3></div></div></div><div class="para">
To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the Linux root user, use the <code class="command">mount -o context=<em class="replaceable"><code>SELinux_user:role:type:level</code></em></code> command when mounting the desired file system. Context changes are not written to disk. By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the <code class="computeroutput">nfs_t</code> type. Without additional mount options, this may prevent sharing NFS file systems via other services, such as the Apache HTTP Server. The following example mounts an NFS file system so that it can be shared via the Apache HTTP Server:
</div><div class="para">
<pre class="screen"># mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"
</pre>
</div><div class="para">
Newly-created files and directories on this file system appear to have the SELinux context specified with <code class="option">-o context</code>; however, since context changes are not written to disk for these situations, the context specified with the <code class="option">context</code> option is only retained if the <code class="option">context</code> option is used on the next mount, and if the same context is specified.
</div><div class="para">
Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored, so, when overriding the SELinux context with <code class="option">-o context</code>, use the SELinux <code class="computeroutput">system_u</code> user and <code class="computeroutput">object_r</code> role, and concentrate on the type. If you are not using the MLS policy or multi-category security, use the <code class="computeroutput">s0</code> level.
</div><div class="note"><h2>Note</h2><div class="para">
When a file system is mounted with a <code class="option">context</code> option, context changes (by users and processes) are prohibited. For example, running <code class="command">chcon</code> on a file system mounted with a <code class="option">context</code> option results in an <code class="computeroutput">Operation not supported</code> error.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</h3></div></div></div><div class="para">
As mentioned in <a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types" title="5.8. The file_t and default_t Types">Section 5.8, “The file_t and default_t Types”</a>, on file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <code class="computeroutput">file_t</code> type. If it is desirable to use a different default context, mount the file system with the <code class="option">defcontext</code> option.
</div><div class="para">
The following example mounts a newly-created file system (on <code class="filename">/dev/sda2</code>) to the newly-created <code class="filename">/test/</code> directory. It assumes that there are no rules in <code class="filename">/etc/selinux/targeted/contexts/files/</code> that define a context for the <code class="filename">/test/</code> directory:
</div><pre class="screen">
# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
</pre><div class="para">
In this example:
</div><div class="itemizedlist"><ul><li><div class="para">
the <code class="option">defcontext</code> option defines that <code class="computeroutput">system_u:object_r:samba_share_t:s0</code> is "the default security context for unlabeled files"<sup>[<a id="d0e3880" href="#ftn.d0e3880">12</a>]</sup>.
</div></li><li><div class="para">
when mounted, the root directory (<code class="filename">/test/</code>) of the file system is treated as if it is labeled with the context specified by <code class="option">defcontext</code> (this label is not stored on disk). This affects the labeling for files created under <code class="filename">/test/</code>: new files inherit the <code class="computeroutput">samba_share_t</code> type, and these labels are stored on disk.
</div></li><li><div class="para">
files created under <code class="filename">/test/</code> while the file system was mounted with a <code class="option">defcontext</code> option retain their labels.
</div></li></ul></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting an NFS File System</h3></div></div></div><div class="para">
By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the <code class="computeroutput">nfs_t</code> type. Depending on policy configuration, services, such as Apache HTTP Server and MySQL, may not be able to read files labeled with the <code class="computeroutput">nfs_t</code> type. This may prevent file systems labeled with this type from being mounted and then read or exported by other services.
</div><div class="para">
If you would like to mount an NFS file system and read or export that file system with another service, use the <code class="option">context</code> option when mounting to override the <code class="computeroutput">nfs_t</code> type. Use the following context option to mount NFS file systems so that they can be shared via the Apache HTTP Server:
</div><pre class="screen">mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"
</pre><div class="para">
Since context changes are not written to disk for these situations, the context specified with the <code class="option">context</code> option is only retained if the <code class="option">context</code> option is used on the next mount, and if the same context is specified.
</div><div class="para">
As an alternative to mounting file systems with <code class="option">context</code> options, Booleans can be turned on to allow services access to file systems labeled with the <code class="computeroutput">nfs_t</code> type. Refer to <a href="#sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS" title="5.6.3. Booleans for NFS and CIFS">Section 5.6.3, “Booleans for NFS and CIFS”</a> for instructions on configuring Booleans to allow services access to the <code class="computeroutput">nfs_t</code> type.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</h3></div></div></div><div class="para">
When mounting multiple mounts from the same NFS export, attempting to override the SELinux context of each mount with a different context results in subsequent mount commands failing. In the following example, the NFS server has a single export, <code class="filename">/export</code>, which has two subdirectories, <code class="filename">web/</code> and <code class="filename">database/</code>. The following commands attempt two mounts from a single NFS export, and try to override the context for each one:
</div><pre class="screen">
# mount server:/export/web /local/web -o\
context="system_u:object_r:httpd_sys_content_t:s0"
# mount server:/export/database /local/database -o\
context="system_u:object_r:mysqld_db_t:s0"
</pre><div class="para">
The second mount command fails, and the following is logged to <code class="filename">/var/log/messages</code>:
</div><pre class="screen">
kernel: SELinux: mount invalid. Same superblock, different security settings for (dev 0:15, type nfs)
</pre><div class="para">
To mount multiple mounts from a single NFS export, with each mount having a different context, use the <code class="option">-o nosharecache,context</code> options. The following example mounts multiple mounts from a single NFS export, with a different context for each mount (allowing a single service access to each one):
</div><pre class="screen">
# mount server:/export/web /local/web -o\
nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
# mount server:/export/database /local/database -o\
nosharecache,context="system_u:object_r:mysqld_db_t:s0"
</pre><div class="para">
In this example, <code class="computeroutput">server:/export/web</code> is mounted locally to <code class="filename">/local/web/</code>, with all files being labeled with the <code class="computeroutput">httpd_sys_content_t</code> type, allowing Apache HTTP Server access. <code class="computeroutput">server:/export/database</code> is mounted locally to <code class="filename">/local/database</code>, with all files being labeled with the <code class="computeroutput">mysqld_db_t</code> type, allowing MySQL access. These type changes are not written to disk.
</div><div class="important"><h2>Important</h2><div class="para">
The <code class="option">nosharecache</code> option allows you to mount the same subdirectory of an export multiple times with different contexts (for example, mounting <code class="filename">/export/web</code> multiple times). Do not mount the same subdirectory from an export multiple times with different contexts, as this creates an overlapping mount, where files are accessible under two different contexts.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</h3></div></div></div><div class="para">
To make context mounts persistent across remounting and reboots, add entries for the file systems in <code class="filename">/etc/fstab</code> or an automounter map, and use the desired context as a mount option. The following example adds an entry to <code class="filename">/etc/fstab</code> for an NFS context mount:
</div><pre class="screen">
server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
</pre><div class="para">
Refer to the <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deploy...">Red Hat Enterprise Linux 5 Deployment Guide, Section 19.2. "NFS Client Configuration"</a> for information about mounting NFS file systems.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </h2></div></div></div><div class="para">
These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories. They also explain how to preserve contexts when copying and archiving.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</h3></div></div></div><div class="para">
When a file or directory is copied, a new file or directory is created if it does not exist. That new file or directory's context is based on default-labeling rules, not the original file or directory's context (unless options were used to preserve the original context). For example, files created in user home directories are labeled with the <code class="computeroutput">user_home_t</code> type:
</div><pre class="screen">
$ touch file1
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
</pre><div class="para">
If such a file is copied to another directory, such as <code class="filename">/etc/</code>, the new file is created in accordance with default-labeling rules for the <code class="filename">/etc/</code> directory. Copying a file (without additional options) may not preserve the original context:
</div><pre class="screen">
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
# cp file1 /etc/
$ ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
</pre><div class="para">
When <code class="filename">file1</code> is copied to <code class="filename">/etc/</code>, if <code class="filename">/etc/file1</code> does not exist, <code class="filename">/etc/file1</code> is created as a new file. As shown in the example above, <code class="filename">/etc/file1</code> is labeled with the <code class="computeroutput">etc_t</code> type, in accordance with default-labeling rules.
</div><div class="para">
When a file is copied over an existing file, the existing file's context is preserved, unless the user specified <code class="command">cp</code> options to preserve the context of the original file, such as <code class="option">--preserve=context</code>. SELinux policy may prevent contexts from being preserved during copies.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_Without_Preserving_SELinux_Contexts">Copying Without Preserving SELinux Contexts</h5>
When copying a file with the <code class="command">cp</code> command, if no options are given, the type is inherited from the target (parent) directory:
</div><pre class="screen">
$ touch file1
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# cp file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
</pre><div class="para">
In this example, <code class="filename">file1</code> is created in a user's home directory, and is labeled with the <code class="computeroutput">user_home_t</code> type. The <code class="filename">/var/www/html/</code> directory is labeled with the <code class="computeroutput">httpd_sys_content_t</code> type, as shown with the <code class="command">ls -dZ /var/www/html/</code> command. When <code class="filename">file1</code> is copied to <code class="filename">/var/www/html/</code>, it inherits the <code class="computeroutput">httpd_sys_content_t</code> type, as shown with the <code class="command">ls -Z /var/www/html/file1</code> command.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Preserving_SELinux_Contexts_When_Copying">Preserving SELinux Contexts When Copying</h5>
Use the <code class="command">cp --preserve=context</code> command to preserve contexts when copying:
</div><pre class="screen">
$ touch file1
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# cp --preserve=context file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
</pre><div class="para">
In this example, <code class="filename">file1</code> is created in a user's home directory, and is labeled with the <code class="computeroutput">user_home_t</code> type. The <code class="filename">/var/www/html/</code> directory is labeled with the <code class="computeroutput">httpd_sys_content_t</code> type, as shown with the <code class="command">ls -dZ /var/www/html/</code> command. Using the <code class="option">--preserve=context</code> option preserves SELinux contexts during copy operations. As shown with the <code class="command">ls -Z /var/www/html/file1</code> command, the <code class="filename">file1</code> <code class="computeroutput">user_home_t</code> type was preserved when the file was copied to <code class="filename">/var/www/html/</code>.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_and_Changing_the_Context">Copying and Changing the Context</h5>
Use the <code class="command">cp -Z</code> command to change the destination copy's context. The following example was performed in the user's home directory:
</div><pre class="screen">
$ touch file1
$ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
$ ls -Z file1 file2
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r-- user1 group1 system_u:object_r:samba_share_t:s0 file2
$ rm file1 file2
</pre><div class="para">
In this example, the context is defined with the <code class="option">-Z</code> option. Without the <code class="option">-Z</code> option, <code class="filename">file2</code> would be labeled with the <code class="computeroutput">unconfined_u:object_r:user_home_t</code> context.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_a_File_Over_an_Existing_File">Copying a File Over an Existing File</h5>
When a file is copied over an existing file, the existing file's context is preserved (unless an option is used to preserve contexts). For example:
</div><pre class="screen">
# touch /etc/file1
# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
# touch /tmp/file2
# ls -Z /tmp/file2
-rw-r--r-- root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
# cp /tmp/file2 /etc/file1
# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
</pre><div class="para">
In this example, two files are created: <code class="filename">/etc/file1</code>, labeled with the <code class="computeroutput">etc_t</code> type, and <code class="filename">/tmp/file2</code>, labeled with the <code class="computeroutput">user_tmp_t</code> type. The <code class="command">cp /tmp/file2 /etc/file1</code> command overwrites <code class="filename">file1</code> with <code class="filename">file2</code>. After copying, the <code class="command">ls -Z /etc/file1</code> command shows <code class="filename">file1</code> labeled with the <code class="computeroutput">etc_t</code> type, not the <code class="computeroutput">user_tmp_t</code> type from <code class="filename">/tmp/file2</code> that replaced <code class="filename">/etc/file1</code>.
</div><div class="important"><h2>Important</h2><div class="para">
Copy files and directories, rather than moving them. This helps ensure they are labeled with the correct SELinux contexts. Incorrect SELinux contexts can prevent processes from accessing such files and directories.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving Files and Directories</h3></div></div></div><div class="para">
Files and directories keep their current SELinux context when they are moved. In many cases, this is incorrect for the location they are being moved to. The following example demonstrates moving a file from a user's home directory to <code class="filename">/var/www/html/</code>, which is used by the Apache HTTP Server. Since the file is moved, it does not inherit the correct SELinux context:
</div><div class="orderedlist"><ol><li><div class="para">
Run the <code class="command">cd</code> command without any arguments to change into your home directory. Once in your home directory, run the <code class="command">touch file1</code> command to create a file. This file is labeled with the <code class="computeroutput">user_home_t</code> type:
</div><pre class="screen">$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
</pre></li><li><div class="para">
Run the <code class="command">ls -dZ /var/www/html/</code> command to view the SELinux context of the <code class="filename">/var/www/html/</code> directory:
</div><pre class="screen">$ ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
</pre><div class="para">
By default, the <code class="filename">/var/www/html/</code> directory is labeled with the <code class="computeroutput">httpd_sys_content_t</code> type. Files and directories created under the <code class="filename">/var/www/html/</code> directory inherit this type, and as such, they are labeled with this type.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">mv file1 /var/www/html/</code> command to move <code class="filename">file1</code> to the <code class="filename">/var/www/html/</code> directory. Since this file is moved, it keeps its current <code class="computeroutput">user_home_t</code> type:
</div><pre class="screen"># mv file1 /var/www/html/
# ls -Z /var/www/html/file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
</pre></li></ol></div><div class="para">
By default, the Apache HTTP Server can not read files that are labeled with the <code class="computeroutput">user_home_t</code> type. If all files comprising a web page are labeled with the <code class="computeroutput">user_home_t</code> type, or another type that the Apache HTTP Server can not read, permission is denied when attempting to access them via Firefox or text-based Web browsers.
</div><div class="important"><h2>Important</h2><div class="para">
Moving files and directories with the <code class="command">mv</code> command may result in the wrong SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking the Default SELinux Context</h3></div></div></div><div class="para">
Use the <code class="command">/usr/sbin/matchpathcon</code> command to check if files and directories have the correct SELinux context. From the <span class="citerefentry"><span class="refentrytitle">matchpathcon</span>(8)</span> manual page: "<code class="command">matchpathcon</code> queries the system policy and outputs the default security context associated with the file path."<sup>[<a id="d0e4331" href="#ftn.d0e4331">13</a>]</sup> The following example demonstrates using the <code class="command">/usr/sbin/matchpathcon</code> command to verify that files in the <code class="filename">/var/www/html/</code> directory are labeled correctly:
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">touch /var/www/html/file{1,2,3}</code> command to create three files (<code class="filename">file1</code>, <code class="filename">file2</code>, and <code class="filename">file3</code>). These files inherit the <code class="computeroutput">httpd_sys_content_t</code> type from the <code class="filename">/var/www/html/</code> directory:
</div><pre class="screen"># touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">chcon -t samba_share_t /var/www/html/file1</code> command to change the <code class="filename">file1</code> type to <code class="computeroutput">samba_share_t</code>. Note: the Apache HTTP Server can not read files or directories labeled with the <code class="computeroutput">samba_share_t</code> type.
</div></li><li><div class="para">
The <code class="command">/usr/sbin/matchpathcon</code> <code class="option">-V</code> option compares the current SELinux context to the correct, default context in SELinux policy. Run the <code class="command">/usr/sbin/matchpathcon -V /var/www/html/*</code> command to check all files in the <code class="filename">/var/www/html/</code> directory:
</div><pre class="screen">$ /usr/sbin/matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
</pre></li></ol></div><div class="para">
The following output from the <code class="command">/usr/sbin/matchpathcon</code> command shows that <code class="filename">file1</code> is labeled with the <code class="computeroutput">samba_share_t</code> type, but should be labeled with the <code class="computeroutput">httpd_sys_content_t</code> type:
</div><pre class="screen">/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
</pre><div class="para">
To resolve the label problem and allow the Apache HTTP Server access to <code class="filename">file1</code>, as the Linux root user, run the <code class="command">/sbin/restorecon -v /var/www/html/file1</code> command:
</div><pre class="screen"># /sbin/restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</h3></div></div></div><div class="para">
<code class="command">tar</code> does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use <code class="command">tar --selinux</code> to create archives that retain contexts. If a Tar archive contains files without extended attributes, or if you want the extended attributes to match the system defaults, run the archive through <code class="command">/sbin/restorecon</code>:
</div><pre class="screen">
$ tar -xf <em class="replaceable"><code>archive.tar</code></em> | /sbin/restorecon -f -
</pre><div class="para">
Note: depending on the directory, you may need to be the Linux root user to run the <code class="command">/sbin/restorecon</code> command.
</div><div class="para">
The following example demonstrates creating a Tar archive that retains SELinux contexts:
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">touch /var/www/html/file{1,2,3}</code> command to create three files (<code class="filename">file1</code>, <code class="filename">file2</code>, and <code class="filename">file3</code>). These files inherit the <code class="computeroutput">httpd_sys_content_t</code> type from the <code class="filename">/var/www/html/</code> directory:
</div><pre class="screen">
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
</pre></li><li><div class="para">
Run the <code class="command">cd /var/www/html/</code> command to change into the <code class="filename">/var/www/html/</code> directory. Once in this directory, as the Linux root user, run the <code class="command">tar --selinux -cf test.tar file{1,2,3}</code> command to create a Tar archive named <code class="filename">test.tar</code>.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">mkdir /test</code> command to create a new directory, and then, run the <code class="command">chmod 777 /test/</code> command to allow all users full-access to the <code class="filename">/test/</code> directory.
</div></li><li><div class="para">
Run the <code class="command">cp /var/www/html/test.tar /test/</code> command to copy the <code class="filename">test.tar</code> file into the <code class="filename">/test/</code> directory.
</div></li><li><div class="para">
Run the <code class="command">cd /test/</code> command to change into the <code class="filename">/test/</code> directory. Once in this directory, run the <code class="command">tar -xf test.tar</code> command to extract the Tar archive.
</div></li><li><div class="para">
Run the <code class="command">ls -lZ /test/</code> command to view the SELinux contexts. The <code class="computeroutput">httpd_sys_content_t</code> type has been retained, rather than being changed to <code class="computeroutput">default_t</code>, which would have happened had the <code class="option">--selinux</code> option not been used:
</div><pre class="screen">
$ ls -lZ /test/
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r-- user1 group1 unconfined_u:object_r:default_t:s0 test.tar
</pre></li><li><div class="para">
If the <code class="filename">/test/</code> directory is no longer required, as the Linux root user, run the <code class="command">rm -ri /test/</code> command to remove it, as well as all files in it.
</div></li></ol></div><div class="para">
Refer to the <span class="citerefentry"><span class="refentrytitle">tar</span>(1)</span> manual page for further information about <code class="command">tar</code>, such as the <code class="option">--xattrs</code> option that retains all extended attributes.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</h3></div></div></div><div class="para">
<code class="command">star</code> does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use <code class="command">star -xattr -H=exustar</code> to create archives that retain contexts. The <span class="package">star</span> package is not installed by default. To install <code class="command">star</code>, run the <code class="command">yum install star</code> command as the Linux root user.
</div><div class="para">
The following example demonstrates creating a Star archive that retains SELinux contexts:
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">touch /var/www/html/file{1,2,3}</code> command to create three files (<code class="filename">file1</code>, <code class="filename">file2</code>, and <code class="filename">file3</code>). These files inherit the <code class="computeroutput">httpd_sys_content_t</code> type from the <code class="filename">/var/www/html/</code> directory:
</div><pre class="screen">
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
</pre></li><li><div class="para">
Run the <code class="command">cd /var/www/html/</code> command to change into the <code class="filename">/var/www/html/</code> directory. Once in this directory, as the Linux root user, run the <code class="command">star -xattr -H=exustar -c -f=test.star file{1,2,3}</code> command to create a Star archive named <code class="filename">test.star</code>:
</div><pre class="screen">
# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">mkdir /test</code> command to create a new directory, and then, run the <code class="command">chmod 777 /test/</code> command to allow all users full-access to the <code class="filename">/test/</code> directory.
</div></li><li><div class="para">
Run the <code class="command">cp /var/www/html/test.star /test/</code> command to copy the <code class="filename">test.star</code> file into the <code class="filename">/test/</code> directory.
</div></li><li><div class="para">
Run the <code class="command">cd /test/</code> command to change into the <code class="filename">/test/</code> directory. Once in this directory, run the <code class="command">star -x -f=test.star</code> command to extract the Star archive:
</div><pre class="screen">
$ star -x -f=test.star
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
</pre></li><li><div class="para">
Run the <code class="command">ls -lZ /test/</code> command to view the SELinux contexts. The <code class="computeroutput">httpd_sys_content_t</code> type has been retained, rather than being changed to <code class="computeroutput">default_t</code>, which would have happened had the <code class="option">-xattr -H=exustar</code> options not been used when creating the archive:
</div><pre class="screen">
$ ls -lZ /test/
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r-- user1 group1 unconfined_u:object_r:default_t:s0 test.star
</pre></li><li><div class="para">
If the <code class="filename">/test/</code> directory is no longer required, as the Linux root user, run the <code class="command">rm -ri /test/</code> command to remove it, as well as all files in it.
</div></li><li><div class="para">
If <code class="command">star</code> is no longer required, as the Linux root user, run the <code class="command">yum remove star</code> command to remove the package.
</div></li></ol></div><div class="para">
Refer to the <span class="citerefentry"><span class="refentrytitle">star</span>(1)</span> manual page for further information about <code class="command">star</code>.
</div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e2044" href="#d0e2044">8</a>] </sup>
Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray McAllister. 1 November 2008. Any edits or changes in this version were done by Murray McAllister.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2156" href="#d0e2156">9</a>] </sup>
Managing Software with yum, written by Stuart Ellis, edited by Paul W. Frields, Rodrigo Menezes, and Hugo Cisneiros.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2484" href="#d0e2484">10</a>] </sup>
Refer to <a href="http://en.wikipedia.org/wiki/Runlevel">http://en.wikipedia.org/wiki/Runlevel</a> for information about runlevels.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e3729" href="#d0e3729">11</a>] </sup>
Files in <code class="filename">/etc/selinux/targeted/contexts/files/</code> define contexts for files and directories. Files in this directory are read by <code class="command">restorecon</code> and <code class="command">setfiles</code> to restore files and directories to their default contexts.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e3880" href="#d0e3880">12</a>] </sup>
Morris, James. "Filesystem Labeling in SELinux". Published 1 October 2004. Accessed 14 October 2008: <a href="http://www.linuxjournal.com/article/7426">http://www.linuxjournal.com/article/7426</a>.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e4331" href="#d0e4331">13</a>] </sup>
The <span class="citerefentry"><span class="refentrytitle">matchpathcon</span>(8)</span> manual page, as shipped with the <span class="package">libselinux-utils</span> package in Fedora, is written by Daniel Walsh. Any edits or changes in this version were done by Murray McAllister.
</p></div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Confining_Users">Chapter 6. Confining Users</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</a></span></dt></dl></div><div class="para">
A number of confined SELinux users are available in Fedora 10. Each Linux user is mapped to an SELinux user via SELinux policy, allowing Linux users to inherit the restrictions on SELinux users, for example (depending on the user), not being able to: run the X Window System; use networking; run setuid applications (unless SELinux policy permits it); or run the <code class="command">su</code> and <code class="command">sudo</code> commands to become the Linux root user. This helps protect the system from the user. Refer to <a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users" title="4.3. Confined and Unconfined Users">Section 4.3, “Confined and Unconfined Users”</a> for further information about confined users in Fedora 10.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</h2></div></div></div><div class="para">
As the Linux root user, run the <code class="command">semanage login -l</code> command to view the mapping between Linux users and SELinux users:
</div><pre class="screen"># /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
</pre><div class="para">
In Fedora 10, Linux users are mapped to the SELinux <code class="computeroutput">__default__</code> login by default (which is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user). When a Linux user is created with the <code class="command">useradd</code> command, if no options are specified, they are mapped to the SELinux <code class="computeroutput">unconfined_u</code> user. The following defines the default-mapping:
</div><pre class="screen">
__default__ unconfined_u s0-s0:c0.c1023
</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining New Linux Users: useradd</h2></div></div></div><div class="para">
Linux users mapped to the SELinux <code class="computeroutput">unconfined_u</code> user run in the <code class="computeroutput">unconfined_t</code> domain. This is seen by running the <code class="command">id -Z</code> command while logged-in as a Linux user mapped to <code class="computeroutput">unconfined_u</code>:
</div><pre class="screen">
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
</pre><div class="para">
When Linux users run in the <code class="computeroutput">unconfined_t</code> domain, SELinux policy rules are applied, but policy rules exist that allow Linux users running in the <code class="computeroutput">unconfined_t</code> domain almost all access. If unconfined Linux users execute an application that SELinux policy defines can transition from the <code class="computeroutput">unconfined_t</code> domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy. Note: this does not protect the system from the user. Instead, the user and the system are being protected from possible damage caused by a flaw in the application.
</div><div class="para">
When creating Linux users with <code class="command">useradd</code>, use the <code class="option">-Z</code> option to specify which SELinux user they are mapped to. The following example creates a new Linux user, useruuser, and maps that user to the SELinux <code class="computeroutput">user_u</code> user. Linux users mapped to the SELinux <code class="computeroutput">user_u</code> user run in the <code class="computeroutput">user_t</code> domain. In this domain, Linux users are unable to run setuid applications unless SELinux policy permits it (such as <code class="command">passwd</code>), and cannot run <code class="command">su</code> or <code class="command">sudo</code>, preventing them from becoming the Linux root user with these commands.
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/useradd -Z user_u useruuser</code> command to create a new Linux user (useruuser) that is mapped to the SELinux <code class="computeroutput">user_u</code> user.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">semanage login -l</code> command to view the mapping between the Linux <code class="computeroutput">useruuser</code> user and <code class="computeroutput">user_u</code>:
</div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
useruuser user_u s0
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">passwd useruuser</code> command to assign a password to the Linux useruuser user:
</div><pre class="screen">
# passwd useruuser
Changing password for user useruuser.
New UNIX password: <em class="replaceable"><code>Enter a password</code></em>
Retype new UNIX password: <em class="replaceable"><code>Enter the same password again</code></em>
passwd: all authentication tokens updated successfully.
</pre></li><li><div class="para">
Log out of your current session, and log in as the Linux useruuser user. When you log in, pam_selinux maps the Linux user to an SELinux user (in this case, <code class="computeroutput">user_u</code>), and sets up the resulting SELinux context. The Linux user's shell is then launched with this context. Run the <code class="command">id -Z</code> command to view the context of a Linux user:
</div><pre class="screen">
[useruuser@localhost ~]$ id -Z
user_u:user_r:user_t:s0
</pre></li><li><div class="para">
Log out of the Linux useruuser's session, and log back in with your account. If you do not want the Linux useruuser user, run the <code class="command">/usr/sbin/userdel -r useruuser</code> command as the Linux root user to remove it, along with its home directory.
</div></li></ol></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining Existing Linux Users: semanage login</h2></div></div></div><div class="para">
If a Linux user is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user (the default behavior), and you would like to change which SELinux user they are mapped to, use the <code class="command">semanage login</code> command. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux <code class="computeroutput">user_u</code> user:
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">/usr/sbin/useradd newuser</code> command to create a new Linux user (newuser). Since this user uses the default mapping, it does not appear in the <code class="command">/usr/sbin/semanage login -l</code> output:
</div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
</pre></li><li><div class="para">
To map the Linux newuser user to the SELinux <code class="computeroutput">user_u</code> user, run the following command as the Linux root user:
</div><div class="para">
<code class="command">/usr/sbin/semanage login -a -s user_u newuser</code>
</div><div class="para">
The <code class="option">-a</code> option adds a new record, and the <code class="option">-s</code> option specifies the SELinux user to map a Linux user to. The last argument, <code class="computeroutput">newuser</code>, is the Linux user you want mapped to the specified SELinux user.
</div></li><li><div class="para">
To view the mapping between the Linux newuser user and <code class="computeroutput">user_u</code>, run the <code class="command">semanage login -l</code> command as the Linux root user:
</div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
newuser user_u s0
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">passwd newuser</code> command to assign a password to the Linux newuser user:
</div><pre class="screen">
# passwd newuser
Changing password for user newuser.
New UNIX password: <em class="replaceable"><code>Enter a password</code></em>
Retype new UNIX password: <em class="replaceable"><code>Enter the same password again</code></em>
passwd: all authentication tokens updated successfully.
</pre></li><li><div class="para">
Log out of your current session, and log in as the Linux newuser user. Run the <code class="command">id -Z</code> command to view the newuser's SELinux context:
</div><pre class="screen">
[newuser@localhost ~]$ id -Z
user_u:user_r:user_t:s0
</pre></li><li><div class="para">
Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, run the <code class="command">userdel -r newuser</code> command as the Linux root user to remove it, along with its home directory. Also, the mapping between the Linux newuser user and <code class="computeroutput">user_u</code> is removed:
</div><pre class="screen">
# /usr/sbin/userdel -r newuser
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
</pre></li></ol></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</h2></div></div></div><div class="para">
In Fedora 10, Linux users are mapped to the SELinux <code class="computeroutput">__default__</code> login by default (which is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user). If you would like new Linux users, and Linux users not specifically mapped to an SELinux user, to be confined by default, change the default mapping with the <code class="command">semanage login</code> command.
</div><div class="para">
For example, run the following command as the Linux root user to change the default mapping from <code class="computeroutput">unconfined_u</code> to <code class="computeroutput">user_u</code>:
</div><div class="para">
<code class="command">/usr/sbin/semanage login -m -S targeted -s "user_u" -r s0 __default__</code>
</div><div class="para">
Run the <code class="command">semanage login -l</code> command as the Linux root user to verify the <code class="computeroutput">__default__</code> login is mapped to <code class="computeroutput">user_u</code>:
</div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
</pre><div class="para">
If a new Linux user is created and an SELinux user is not specified, or if an existing Linux user logs in and does not match a specific entry from the <code class="command">semanage login -l</code> output, they are mapped to <code class="computeroutput">user_u</code>, as per the <code class="computeroutput">__default__</code> login.
</div><div class="para">
To change back to the default behavior, run the following command as the Linux root user to map the <code class="computeroutput">__default__</code> login to the SELinux <code class="computeroutput">unconfined_u</code> user:
</div><div class="para">
<pre class="screen">/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r\
s0-s0:c0.c1023 __default__
</pre>
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</h2></div></div></div><div class="para">
The <span class="package">xguest</span> package provides a kiosk user account. This account is used to secure machines that people walk up to and use, such as those at libraries, banks, airports, information kiosks, and coffee shops. The kiosk user account is very locked down: essentially, it only allows users to log in and use <span><strong class="application">Firefox</strong></span> to browse Internet websites. Any changes made while logged in with this account, such as creating files or changing settings, are lost when you log out.
</div><div class="para">
To set up the kiosk account:
</div><div class="orderedlist"><ol><li><div class="para">
As the Linux root user, run the <code class="command">yum install xguest</code> command to install the <span class="package">xguest</span> package. Install dependencies as required.
</div></li><li><div class="para">
In order to allow the kiosk account to be used by a variety of people, the account is not password-protected, and as such, the account can only be protected if SELinux is running in enforcing mode. Before logging in with this account, use the <code class="command">getenforce</code> command to confirm that SELinux is running in enforcing mode:
</div><pre class="screen">
$ /usr/sbin/getenforce
Enforcing
</pre><div class="para">
If this is not the case, refer to <a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes" title="5.5. SELinux Modes">Section 5.5, “SELinux Modes”</a> for information about changing to enforcing mode. It is not possible to log in with this account if SELinux is in permissive mode or disabled.
</div></li><li><div class="para">
You can only log in to this account via the GNOME Display Manager (GDM). Once the <span class="package">xguest</span> package is installed, a <code class="computeroutput">Guest</code> account is added to GDM. To log in, click on the <code class="computeroutput">Guest</code> account:
</div><div class="mediaobject"><img src="./images/xguest.png"/></div></li></ol></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</h2></div></div></div><div class="para">
Not allowing Linux users to execute applications (which inherit users' permissions) in their home directories and <code class="filename">/tmp/</code>, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own. In Fedora 10, by default, Linux users in the <code class="computeroutput">guest_t</code> and <code class="computeroutput">xguest_t</code> domains cannot execute applications in their home directories or <code class="filename">/tmp/</code>; however, by default, Linux users in the <code class="computeroutput">user_t</code> and <code class="computeroutput">staff_t</code> domains can.
</div><div class="para">
Booleans are available to change this behavior, and are configured with the <code class="command">setsebool</code> command. The <code class="command">setsebool</code> command must be run as the Linux root user. The <code class="command">setsebool -P</code> command makes persistent changes. Do not use the <code class="option">-P</code> option if you do not want changes to persist across reboots:
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-guest_t">guest_t</h5>
To <span class="emphasis"><em>allow</em></span> Linux users in the <code class="computeroutput">guest_t</code> domain to execute applications in their home directories and <code class="filename">/tmp/</code>:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_guest_exec_content on</code>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-xguest_t">xguest_t</h5>
To <span class="emphasis"><em>allow</em></span> Linux users in the <code class="computeroutput">xguest_t</code> domain to execute applications in their home directories and <code class="filename">/tmp/</code>:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_xguest_exec_content on</code>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-user_t">user_t</h5>
To <span class="emphasis"><em>prevent</em></span> Linux users in the <code class="computeroutput">user_t</code> domain from executing applications in their home directories and <code class="filename">/tmp/</code>:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_user_exec_content off</code>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-staff_t">staff_t</h5>
To <span class="emphasis"><em>prevent</em></span> Linux users in the <code class="computeroutput">staff_t</code> domain from executing applications in their home directories and <code class="filename">/tmp/</code>:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_staff_exec_content off</code>
</div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Troubleshooting">Chapter 7. Troubleshooting</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials">7.3.2. Possible Causes of Silent Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive Domains</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access: audit2allow</a></span></dt></dl></dd></dl></div><div class="para">
The following chapter describes what happens when SELinux denies access; the top three causes of problems; where to find information about correct labeling; analyzing SELinux denials; and creating custom policy modules with <code class="command">audit2allow</code>.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</h2></div></div></div><div class="para">
SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials", and are logged to a different location, depending on which daemons are running:
</div><div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Daemon</th><th>Log Location</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code></td></tr><tr class="seglistitem"><td class="seg">auditd off; rsyslogd on</td><td class="seg"><code class="filename">/var/log/messages</code></td></tr><tr class="seglistitem"><td class="seg">setroubleshootd, rsyslogd, and auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial messages also sent to <code class="filename">/var/log/messages</code></td></tr></tbody></table></div><div class="para">
If you are running the X Window System, have the <span class="package">setroubleshoot</span> and <span class="package">setroubleshoot-server</span> packages installed, and the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons are running, a yellow star and a warning are displayed when access is denied by SELinux:
</div><div class="mediaobject"><img src="./images/setroubleshoot_denial.png"/></div><div class="para">
Clicking on the star presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browsing your website may receive an error similar to the following:
</div><pre class="screen">
Forbidden
You don't have permission to access <em class="replaceable"><code>file name</code></em> on this server
</pre><div class="para">
For these situations, if DAC rules (standard Linux permissions) allow access, check <code class="filename">/var/log/messages</code> and <code class="filename">/var/log/audit/audit.log</code> for <code class="computeroutput">"SELinux is preventing"</code> and <code class="computeroutput">"denied"</code> errors respectively. This can be done by running the following commands as the Linux root user:
</div><div class="para">
<code class="command">grep "SELinux is preventing" /var/log/messages</code>
</div><div class="para">
<code class="command">grep "denied" /var/log/audit/audit.log</code>
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top Three Causes of Problems</h2></div></div></div><div class="para">
The following sections describe the top three causes of problems: labeling problems, configuring Booleans and ports for services, and evolving SELinux rules.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</h3></div></div></div><div class="para">
On systems running SELinux, all processes and files are labeled with a label that contains security-relevant information. This information is called the SELinux context. If these labels are wrong, access may be denied. If an application is labeled incorrectly, the process it transitions to may not have the correct label, possibly causing SELinux to deny access, and possibly allowing the process to create mislabeled files.
</div><div class="para">
A common cause of labeling problems is when a non-standard directory is used for a service. For example, instead of using <code class="filename">/var/www/html/</code> for a website, an administrator wants to use <code class="filename">/srv/myweb/</code>. On Fedora 10, the <code class="filename">/srv/</code> directory is labeled with the <code class="computeroutput">var_t</code> type. Files and directories created in <code class="filename">/srv/</code> inherit this type. Also, newly-created top-level directories (such as <code class="filename">/myserver/</code>) may be labeled with the <code class="computeroutput">default_t</code> type. SELinux prevents the Apache HTTP Server (<code class="systemitem">httpd</code>) from accessing both of these types. To allow access, SELinux must know that the files in <code class="filename">/srv/myweb/</code> are to be accessible to <code class="systemitem">httpd</code>:
</div><pre class="screen">
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
"/srv/myweb(/.*)?"
</pre><div class="para">
This <code class="command">semanage</code> command adds the context for the <code class="filename">/srv/myweb/</code> directory (and all files and directories under it) to the SELinux file-context configuration<sup>[<a id="d0e5328" href="#ftn.d0e5328">14</a>]</sup>. The <code class="command">semanage</code> command only updates the configuration; it does not change the context of existing files. As the Linux root user, run the <code class="command">restorecon</code> command to apply the changes:
</div><pre class="screen">
# /sbin/restorecon -R -v /srv/myweb
</pre><div class="para">
Refer to <a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext" title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2, “Persistent Changes: semanage fcontext”</a> for further information about adding contexts to the file-context configuration.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security-Enhanced_Linux-Labeling_Problems-What_is_the_Correct_Context">7.2.1.1. What is the Correct Context?</h4></div></div></div><div class="para">
The <code class="command">matchpathcon</code> command checks the context of a file path and compares it to the default label for that path. The following example demonstrates using <code class="command">matchpathcon</code> on a directory that contains incorrectly labeled files:
</div><pre class="screen">
$ /usr/sbin/matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
</pre><div class="para">
In this example, the <code class="filename">index.html</code> and <code class="filename">page1.html</code> files are labeled with the <code class="computeroutput">user_home_t</code> type. This type is used for files in user home directories. Using the <code class="command">mv</code> command to move files from your home directory may result in files being labeled with the <code class="computeroutput">user_home_t</code> type. This type should not exist outside of home directories. Use the <code class="command">restorecon</code> command to restore such files to their correct type:
</div><pre class="screen">
# /sbin/restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
</pre><div class="para">
To restore the context for all files under a directory, use the <code class="option">-R</code> option:
</div><pre class="screen">
# /sbin/restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
</pre><div class="para">
Refer to <a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context" title="5.10.3. Checking the Default SELinux Context">Section 5.10.3, “Checking the Default SELinux Context”</a> for a more detailed example of <code class="command">matchpathcon</code>.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</h3></div></div></div><div class="para">
Services can be run in a variety of ways. To cater for this, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires policy configuration to be updated via the <code class="command">semanage</code> command.
</div><div class="para">
For example, to allow the Apache HTTP Server to communicate with MySQL, turn the <code class="computeroutput">httpd_can_network_connect_db</code> Boolean on. The <code class="option">-P</code> option makes the change persistent across reboots; omit it to try a Boolean without committing the change. Because each Boolean that is turned on widens what a confined service is allowed to do, turn on the most specific Boolean that covers the access you need:
</div><pre class="screen">
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
</pre><div class="para">
If access is denied for a particular service, use the <code class="command">getsebool</code> and <code class="command">grep</code> commands to see if any Booleans are available to allow access. For example, use the <code class="command">getsebool -a | grep ftp</code> command to search for FTP related Booleans:
</div><pre class="screen">
$ /usr/sbin/getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
</pre><div class="para">
For a list of Booleans and whether they are on or off, run the <code class="command">/usr/sbin/getsebool -a</code> command. For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the <code class="command">/usr/sbin/semanage boolean -l</code> command as the Linux root user. Refer to <a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans" title="5.6. Booleans">Section 5.6, “Booleans”</a> for information about listing and configuring Booleans.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-How_are_Confined_Services_Running-Port_Numbers">Port Numbers</h5>
Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. For example, run the <code class="command">semanage port -l | grep http</code> command as the Linux root user to list <code class="systemitem">http</code> related ports:
</div><pre class="screen">
# /usr/sbin/semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
</pre><div class="para">
The <code class="computeroutput">http_port_t</code> port type defines the ports Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, and 8443. If an administrator configures <code class="filename">httpd.conf</code> so that <code class="systemitem">httpd</code> listens on port 9876 (<code class="option">Listen 9876</code>), but policy is not updated to reflect this, the <code class="command">service httpd start</code> command fails:
</div><pre class="screen">
# /sbin/service httpd start
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:9876
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:9876
no listening sockets available, shutting down
Unable to open logs
[FAILED]
</pre><div class="para">
An SELinux denial similar to the following is logged to <code class="filename">/var/log/audit/audit.log</code>:
</div><pre class="screen">
type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
</pre><div class="para">
To allow <code class="systemitem">httpd</code> to listen on a port that is not listed for the <code class="computeroutput">http_port_t</code> port type, run the <code class="command">semanage port</code> command to add a port to policy configuration<sup>[<a id="d0e5490" href="#ftn.d0e5490">15</a>]</sup>:
</div><pre class="screen">
# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876
</pre><div class="para">
The <code class="option">-a</code> option adds a new record; the <code class="option">-t</code> option defines a type; and the <code class="option">-p</code> option defines a protocol. The last argument is the port number to add. Adding a port to <code class="computeroutput">http_port_t</code> allows any process in the <code class="computeroutput">httpd_t</code> domain to bind to it, so add only the ports the service actually needs. If the port is already assigned to a different port type, <code class="command">semanage port -a</code> reports that it is already defined; refer to the <span class="citerefentry"><span class="refentrytitle">semanage</span>(8)</span> manual page for modifying an existing assignment.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</h3></div></div></div><div class="para">
Applications may be broken, causing SELinux to deny access. Also, SELinux rules are evolving - SELinux may not have seen an application running in a certain way, possibly causing it to deny access, even though the application is working as expected. For example, if a new version of PostgreSQL is released, it may perform actions the current policy has not seen before, causing access to be denied, even though access should be allowed.
</div><div class="para">
For these situations, after access is denied, use <code class="command">audit2allow</code> to create a custom policy module to allow access. Review the generated rules before loading the module: <code class="command">audit2allow</code> allows exactly the access that was denied, including access that a misconfigured or compromised application should not have, so first rule out an incorrect file label or an existing Boolean that covers the access. Refer to <a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow" title="7.3.8. Allowing Access: audit2allow">Section 7.3.8, “Allowing Access: audit2allow”</a> for information about using <code class="command">audit2allow</code>.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</h2></div></div></div><div class="para">
The following sections help troubleshoot issues. They go over: checking Linux permissions, which are checked before SELinux rules; possible causes of SELinux denying access, but no denials being logged; manual pages for services, which contain information about labeling and Booleans; permissive domains, for allowing one process to run permissive, rather than the whole system; how to search for and view denial messages; analyzing denials; and creating custom policy modules with <code class="command">audit2allow</code>.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</h3></div></div></div><div class="para">
When access is denied, check standard Linux permissions. As mentioned in <a href="#chap-Security-Enhanced_Linux-Introduction" title="Chapter 2. Introduction">Chapter 2, <i xmlns:xlink="http://www.w3.org/1999/xlink">Introduction</i></a>, most operating systems use a Discretionary Access Control (DAC) system to control access, allowing users to control the permissions of files that they own. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
</div><div class="para">
If access is denied and no SELinux denials are logged, use the <code class="command">ls -l</code> command to view the standard Linux permissions:
</div><pre class="screen">
$ ls -l /var/www/html/index.html
-rw-r----- 1 root root 0 2008-11-07 11:06 index.html
</pre><div class="para">
In this example, <code class="filename">index.html</code> is owned by the root user and group. The root user has read and write permissions (<code class="computeroutput">-rw</code>), and members of the root group have read permissions (<code class="computeroutput">-r-</code>). Everyone else has no access (<code class="computeroutput">---</code>). By default, such permissions do not allow <code class="systemitem">httpd</code> to read this file. To resolve this issue, use the <code class="command">chown</code> command to change the owner and group. This command must be run as the Linux root user:
</div><pre class="screen">
# chown apache:apache /var/www/html/index.html
</pre><div class="para">
This assumes the default configuration, in which <code class="systemitem">httpd</code> runs as the Linux apache user. If you run <code class="systemitem">httpd</code> with a different user, replace <code class="computeroutput">apache:apache</code> with that user. Note that making apache the owner also gives <code class="systemitem">httpd</code> write access to the file (the owner permissions are <code class="computeroutput">-rw</code>). For content that <code class="systemitem">httpd</code> only needs to read, leaving root as the owner and granting read access to the apache group (<code class="command">chgrp apache</code>, which uses the existing group read permission) or to everyone (<code class="command">chmod o+r</code>) gives the service only the access it needs.
</div><div class="para">
Refer to the <a href="http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Permissions">Fedora Documentation Project "Permissions"</a> draft for information about managing Linux permissions.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials">7.3.2. Possible Causes of Silent Denials</h3></div></div></div><div class="para">
In certain situations, AVC denials may not be logged when SELinux denies access. Applications and system library functions often probe for more access than required to perform their tasks. To maintain least privilege without filling audit logs with AVC denials for harmless application probing, the policy can silence AVC denials without allowing a permission by using <code class="computeroutput">dontaudit</code> rules. These rules are common in standard policy. The downside of <code class="computeroutput">dontaudit</code> is that, although SELinux denies access, denial messages are not logged, making troubleshooting hard.
</div><div class="para">
To temporarily disable <code class="computeroutput">dontaudit</code> rules, allowing all denials to be logged, run the following command as the Linux root user:
</div><div class="para">
<code class="command">/usr/sbin/semodule -DB</code>
</div><div class="para">
The <code class="option">-D</code> option disables <code class="computeroutput">dontaudit</code> rules; the <code class="option">-B</code> option rebuilds policy. After running <code class="command">semodule -DB</code>, try exercising the application that was encountering permission problems, and see if SELinux denials — relevant to the application — are now being logged. Take care in deciding which denials should be allowed, as some should be ignored and handled via <code class="computeroutput">dontaudit</code> rules. If in doubt, or in search of guidance, contact other SELinux users and developers on an SELinux list, such as <a href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">fedora-selinux-list</a>.
</div><div class="para">
To rebuild policy and enable <code class="computeroutput">dontaudit</code> rules, run the following command as the Linux root user:
</div><div class="para">
<code class="command">/usr/sbin/semodule -B</code>
</div><div class="para">
This restores the policy to its original state. For a full list of <code class="computeroutput">dontaudit</code> rules, run the <code class="command">sesearch --dontaudit</code> command. Narrow down searches using the <code class="option">-s <em class="replaceable"><code>domain</code></em></code> option and the <code class="command">grep</code> command. For example:
</div><pre class="screen">
$ sesearch --dontaudit -s smbd_t | grep squid
WARNING: This policy contained disabled aliases; they have been removed.
dontaudit smbd_t squid_port_t : tcp_socket name_bind ;
dontaudit smbd_t squid_port_t : udp_socket name_bind ;
</pre><div class="para">
Refer to <a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages" title="7.3.6. Raw Audit Messages">Section 7.3.6, “Raw Audit Messages”</a> and <a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages" title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a> for information about analyzing denials.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual Pages for Services</h3></div></div></div><div class="para">
Manual pages for services contain valuable information, such as what file type to use for a given situation, and Booleans to change the access a service has (such as <code class="systemitem">httpd</code> accessing NFS file systems). This information may be in the standard manual page, or a manual page with <code class="computeroutput">selinux</code> prepended or appended.
</div><div class="para">
For example, the <span class="citerefentry"><span class="refentrytitle">httpd_selinux</span>(8)</span> manual page has information about what file type to use for a given situation, as well as Booleans to allow scripts, sharing files, accessing directories inside user home directories, and so on. Other manual pages with SELinux information for services include:
</div><div class="itemizedlist"><ul><li><div class="para">
Samba: the <span class="citerefentry"><span class="refentrytitle">samba_selinux</span>(8)</span> manual page describes that files and directories to be exported via Samba must be labeled with the <code class="computeroutput">samba_share_t</code> type, as well as Booleans to allow files labeled with types other than <code class="computeroutput">samba_share_t</code> to be exported via Samba.
</div></li><li><div class="para">
NFS: the <span class="citerefentry"><span class="refentrytitle">nfs_selinux</span>(8)</span> manual page describes that, by default, file systems can not be exported via NFS, and that to allow file systems to be exported, Booleans such as <code class="computeroutput">nfs_export_all_ro</code> or <code class="computeroutput">nfs_export_all_rw</code> must be turned on.
</div></li><li><div class="para">
Berkeley Internet Name Domain (BIND): the <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span> manual page describes what file type to use for a given situation (see the <code class="computeroutput">Red Hat SELinux BIND Security Profile</code> section). The <span class="citerefentry"><span class="refentrytitle">named_selinux</span>(8)</span> manual page describes that, by default, <code class="systemitem">named</code> can not write to master zone files, and to allow such access, the <code class="computeroutput">named_write_master_zones</code> Boolean must be turned on.
</div></li></ul></div><div class="para">
The information in manual pages helps you configure the correct file types and Booleans, helping to prevent SELinux from denying access.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive Domains</h3></div></div></div><div class="para">
When SELinux is running in permissive mode, SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Previously, it was not possible to make a single domain permissive (remember: processes run in domains). In certain situations, this led to making the whole system permissive to troubleshoot issues.
</div><div class="para">
Fedora 10 introduces permissive domains, where an administrator can configure a single process (domain) to run permissive, rather than making the whole system permissive. SELinux checks are still performed for permissive domains; however, the kernel allows access and reports an AVC denial for situations where SELinux would have denied access. Permissive domains are also available in Fedora 9 (with the latest updates applied).
</div><div class="para">
In Red Hat Enterprise Linux 4 and 5, <code class="computeroutput"><em class="replaceable"><code>domain</code></em>_disable_trans</code> Booleans are available to prevent an application from transitioning to a confined domain, and therefore, the process runs in an unconfined domain, such as <code class="computeroutput">initrc_t</code>. Turning such Booleans on can cause major problems. For example, if the <code class="computeroutput">httpd_disable_trans</code> Boolean is turned on:
</div><div class="itemizedlist"><ul><li><div class="para">
<code class="systemitem">httpd</code> runs in the unconfined <code class="computeroutput">initrc_t</code> domain. Files created by processes running in the <code class="computeroutput">initrc_t</code> domain may not have the same labeling rules applied as files created by a process running in the <code class="computeroutput">httpd_t</code> domain, potentially allowing processes to create mislabeled files. This causes access problems later on.
</div></li><li><div class="para">
confined domains that are allowed to communicate with <code class="computeroutput">httpd_t</code> can not communicate with <code class="computeroutput">initrc_t</code>, possibly causing additional failures.
</div></li></ul></div><div class="para">
The <code class="computeroutput"><em class="replaceable"><code>domain</code></em>_disable_trans</code> Booleans were removed from Fedora 7, even though there was no replacement. Permissive domains solve the above issues: transition rules apply, and files are created with the correct labels.
</div><div class="para">
Permissive domains can be used for:
</div><div class="itemizedlist"><ul><li><div class="para">
making a single process (domain) run permissive to troubleshoot an issue, rather than putting the entire system at risk by making the entire system permissive.
</div></li><li><div class="para">
creating policies for new applications. Previously, it was recommended that a minimal policy be created, and then the entire machine put into permissive mode, so that the application could run, but SELinux denials still logged. <code class="command">audit2allow</code> could then be used to help write the policy. This put the whole system at risk. With permissive domains, only the domain in the new policy can be marked permissive, without putting the whole system at risk.
</div></li></ul></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security-Enhanced_Linux-Permissive_Domains-Making_a_Domain_Permissive">7.3.4.1. Making a Domain Permissive</h4></div></div></div><div class="para">
To make a domain permissive, run the <code class="command">semanage permissive -a <em class="replaceable"><code>domain</code></em></code> command, where <em class="replaceable"><code>domain</code></em> is the domain you want to make permissive. A permissive domain is not confined while the setting is in place, so use it only while troubleshooting and remove it (as described below) once the problem is resolved. For example, run the following command as the Linux root user to make the <code class="computeroutput">httpd_t</code> domain (the domain the Apache HTTP Server runs in) permissive:
</div><div class="para">
<code class="command">/usr/sbin/semanage permissive -a httpd_t</code>
</div><div class="para">
To view a list of domains you have made permissive, run the <code class="command">semodule -l | grep permissive</code> command as the Linux root user. For example:
</div><pre class="screen">
# /usr/sbin/semodule -l | grep permissive
permissive_httpd_t 1.0
</pre><div class="para">
If you no longer want a domain to be permissive, run the <code class="command">semanage permissive -d <em class="replaceable"><code>domain</code></em></code> command as the Linux root user. For example:
</div><div class="para">
<code class="command">/usr/sbin/semanage permissive -d httpd_t</code>
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains">7.3.4.2. Denials for Permissive Domains</h4></div></div></div><div class="para">
The <code class="computeroutput">SYSCALL</code> message is different for permissive domains. The following is an example AVC denial (and the associated system call) from the Apache HTTP Server:
</div><pre class="screen">
type=AVC msg=audit(1226882736.442:86): avc: denied { getattr } for pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
</pre><div class="para">
By default, the <code class="computeroutput">httpd_t</code> domain is not permissive, and as such, the action is denied, and the <code class="computeroutput">SYSCALL</code> message contains <code class="computeroutput">success=no</code>. The following is an example AVC denial for the same situation, except the <code class="command">semanage permissive -a httpd_t</code> command has been run to make the <code class="computeroutput">httpd_t</code> domain permissive:
</div><pre class="screen">
type=AVC msg=audit(1226882925.714:136): avc: denied { read } for pid=2512 comm="httpd" name="file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226882925.714:136): arch=40000003 syscall=5 success=yes exit=11 a0=b962a1e8 a1=8000 a2=0 a3=8000 items=0 ppid=2511 pid=2512 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
</pre><div class="para">
In this case, although an AVC denial was logged, access was not denied, as shown by <code class="computeroutput">success=yes</code> in the <code class="computeroutput">SYSCALL</code> message.
</div><div class="para">
Refer to Dan Walsh's <a href="http://danwalsh.livejournal.com/24537.html">"Permissive Domains"</a> blog entry for further information about permissive domains.
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</h3></div></div></div><div class="para">
This section assumes the <span class="package">setroubleshoot</span>, <span class="package">setroubleshoot-server</span>, and <span class="package">audit</span> packages are installed, and that the <code class="systemitem">auditd</code>, <code class="systemitem">rsyslogd</code>, and <code class="systemitem">setroubleshootd</code> daemons are running. Refer to <a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used" title="5.2. Which Log File is Used">Section 5.2, “Which Log File is Used”</a> for information about starting these daemons. A number of tools are available for searching for and viewing SELinux denials, such as <code class="command">ausearch</code>, <code class="command">aureport</code>, and <code class="command">sealert</code>.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-ausearch">ausearch</h5>
The <span class="package">audit</span> package provides <code class="command">ausearch</code>. From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page: "<code class="command">ausearch</code> is a tool that can query the audit daemon logs based for events based on different search criteria"<sup>[<a id="d0e5939" href="#ftn.d0e5939">16</a>]</sup>. The <code class="command">ausearch</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user:
</div><div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Searching For</th><th>Command</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">all denials</td><td class="seg"><code class="command">/sbin/ausearch -m avc</code></td></tr><tr class="seglistitem"><td class="seg">denials for today</td><td class="seg"><code class="command">/sbin/ausearch -m avc -ts today</code></td></tr><tr class="seglistitem"><td class="seg">denials from the last 10 minutes</td><td class="seg"><code class="command">/sbin/ausearch -m avc -ts recent</code></td></tr></tbody></table></div><div class="para">
To search for SELinux denials for a particular service, use the <code class="option">-c <em class="replaceable"><code>comm-name</code></em></code> option, where <em class="replaceable"><code>comm-name</code></em> "is the executable’s name"<sup>[<a id="d0e5991" href="#ftn.d0e5991">17</a>]</sup>, for example, <code class="systemitem">httpd</code> for the Apache HTTP Server, and <code class="systemitem">smbd</code> for Samba:
</div><div class="para">
<code class="command">/sbin/ausearch -m avc -c httpd</code>
</div><div class="para">
<code class="command">/sbin/ausearch -m avc -c smbd</code>
</div><div class="para">
Refer to the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page for further <code class="command">ausearch</code> options.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-aureport">aureport</h5>
The <span class="package">audit</span> package provides <code class="command">aureport</code>. From the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page: "<code class="command">aureport</code> is a tool that produces summary reports of the audit system logs"<sup>[<a id="d0e6051" href="#ftn.d0e6051">18</a>]</sup>. The <code class="command">aureport</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the <code class="command">aureport -a</code> command. The following is example output that includes two denials:
</div><pre class="screen">
# /sbin/aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 11/01/2008 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 11/03/2008 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4
</pre><div class="para">
Refer to the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page for further <code class="command">aureport</code> options.
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-sealert">sealert</h5>
The <span class="package">setroubleshoot-server</span> package provides <code class="command">sealert</code>, which reads denial messages translated by <span class="package">setroubleshoot-server</span>. Denials are assigned IDs, as seen in <code class="filename">/var/log/messages</code>. The following is an example denial from <code class="filename">messages</code>:
</div><pre class="screen">
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
</pre><div class="para">
In this example, the denial ID is <code class="computeroutput">84e0b04d-d0ad-4347-8317-22e74f6cd020</code>. The <code class="option">-l</code> option takes an ID as an argument. Running the <code class="command">sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</code> command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access.
</div><div class="para">
If you are running the X Window System, have the <span class="package">setroubleshoot</span> and <span class="package">setroubleshoot-server</span> packages installed, and the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons are running, a yellow star and a warning are displayed when access is denied by SELinux. Clicking on the star launches the <code class="command">sealert</code> GUI, and displays denials in HTML output:
</div><div class="mediaobject"><img src="./images/sealert_gui.png"/></div><div class="itemizedlist"><ul><li><div class="para">
Run the <code class="command">sealert -b</code> command to launch the <code class="command">sealert</code> GUI.
</div></li><li><div class="para">
Run the <code class="command">sealert -l \*</code> command to view a detailed analysis of all denials.
</div></li><li><div class="para">
As the Linux root user, run the <code class="command">sealert -a /var/log/audit/audit.log -H > audit.html</code> command to create a HTML version of the <code class="command">sealert</code> analysis, as seen with the <code class="command">sealert</code> GUI.
</div></li></ul></div><div class="para">
Refer to the <span class="citerefentry"><span class="refentrytitle">sealert</span>(8)</span> manual page for further <code class="command">sealert</code> options.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw Audit Messages</h3></div></div></div><div class="para">
Raw audit messages are logged to <code class="filename">/var/log/audit/audit.log</code>. The following is an example AVC denial (and the associated system call) that occurred when the Apache HTTP Server (running in the <code class="computeroutput">httpd_t</code> domain) attempted to access the <code class="filename">/var/www/html/file1</code> file (labeled with the <code class="computeroutput">samba_share_t</code> type):
</div><pre class="screen">
type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
</pre><div class="variablelist"><dl><dt><span class="term"><em class="replaceable"><code>{ getattr }</code></em></span></dt><dd><div class="para">
The item in braces indicates the permission that was denied. <code class="computeroutput">getattr</code> indicates the source process was trying to read the target file's status information. This occurs before reading files. This action is denied due to the file being accessed having the wrong label. Commonly seen permissions include <code class="computeroutput">getattr</code>, <code class="computeroutput">read</code>, and <code class="computeroutput">write</code>.
</div></dd><dt><span class="term">comm="<em class="replaceable"><code>httpd</code></em>"</span></dt><dd><div class="para">
The executable that launched the process. The full path of the executable is found in the <code class="computeroutput">exe=</code> section of the system call (<code class="computeroutput">SYSCALL</code>) message, which in this case, is <code class="computeroutput">exe="/usr/sbin/httpd"</code>.
</div></dd><dt><span class="term">path="<em class="replaceable"><code>/var/www/html/file1</code></em>"</span></dt><dd><div class="para">
The path to the object (target) the process attempted to access.
</div></dd><dt><span class="term">scontext="<em class="replaceable"><code>unconfined_u:system_r:httpd_t:s0</code></em>"</span></dt><dd><div class="para">
The SELinux context of the process that attempted the denied action. In this case, it is the SELinux context of the Apache HTTP Server, which is running in the <code class="computeroutput">httpd_t</code> domain.
</div></dd><dt><span class="term">tcontext="<em class="replaceable"><code>unconfined_u:object_r:samba_share_t:s0</code></em>"</span></dt><dd><div class="para">
The SELinux context of the object (target) the process attempted to access. In this case, it is the SELinux context of <code class="filename">file1</code>. Note: the <code class="computeroutput">samba_share_t</code> type is not accessible to processes running in the <code class="computeroutput">httpd_t</code> domain.
</div><div class="para">
In certain situations, the <code class="computeroutput">tcontext</code> may match the <code class="computeroutput">scontext</code>, for example, when a process attempts to execute a system service that will change characteristics of that running process, such as the user ID. Also, the <code class="computeroutput">tcontext</code> may match the <code class="computeroutput">scontext</code> when a process tries to use more resources (such as memory) than normal limits allow, resulting in a security check to see if that process is allowed to break those limits.
</div></dd></dl></div><div class="para">
From the system call (<code class="computeroutput">SYSCALL</code>) message, two items are of interest:
</div><div class="itemizedlist"><ul><li><div class="para">
<code class="computeroutput">success=<em class="replaceable"><code>no</code></em></code>: indicates whether the denial (AVC) was enforced or not. <code class="computeroutput">success=no</code> indicates the system call was not successful (SELinux denied access). <code class="computeroutput">success=yes</code> indicates the system call was successful - this can be seen for permissive domains or unconfined domains, such as <code class="computeroutput">initrc_t</code> and <code class="computeroutput">kernel_t</code>.
</div></li><li><div class="para">
<code class="computeroutput">exe="<em class="replaceable"><code>/usr/sbin/httpd</code></em>"</code>: the full path to the executable that launched the process, which in this case, is <code class="computeroutput">exe="/usr/sbin/httpd"</code>.
</div></li></ul></div><div class="para">
An incorrect file type is a common cause for SELinux denying access. To start troubleshooting, compare the source context (<code class="computeroutput">scontext</code>) with the target context (<code class="computeroutput">tcontext</code>). Should the process (<code class="computeroutput">scontext</code>) be accessing such an object (<code class="computeroutput">tcontext</code>)? For example, the Apache HTTP Server (<code class="computeroutput">httpd_t</code>) should only be accessing types specified in the <span class="citerefentry"><span class="refentrytitle">httpd_selinux</span>(8)</span> manual page, such as <code class="computeroutput">httpd_sys_content_t</code>, <code class="computeroutput">public_content_t</code>, and so on, unless configured otherwise.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert Messages</h3></div></div></div><div class="para">
Denials are assigned IDs, as seen in <code class="filename">/var/log/messages</code>. The following is an example AVC denial (logged to <code class="filename">messages</code>) that occurred when the Apache HTTP Server (running in the <code class="computeroutput">httpd_t</code> domain) attempted to access the <code class="filename">/var/www/html/file1</code> file (labeled with the <code class="computeroutput">samba_share_t</code> type):
</div><pre class="screen">
<em class="replaceable"><code>hostname</code></em> setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
</pre><div class="para">
As suggested, run the <code class="command">sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</code> command to view the complete message. This command only works on the local machine, and presents the same information as the <code class="command">sealert</code> GUI:
</div><pre class="screen">
$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
Summary:
SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1
(samba_share_t).
Detailed Description:
SELinux denied access to /var/www/html/file1 requested by httpd.
/var/www/html/file1 has a context used for sharing by different program. If you
would like to share /var/www/html/file1 from httpd also, you need to change its
file context to public_content_t. If you did not intend to this access, this
could signal a intrusion attempt.
Allowing Access:
You can alter the file context by executing chcon -t public_content_t
'/var/www/html/file1'
Fix Command:
chcon -t public_content_t '/var/www/html/file1'
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:samba_share_t:s0
Target Objects /var/www/html/file1 [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host <em class="replaceable"><code>hostname</code></em>
Source RPM Packages httpd-2.2.10-2
Target RPM Packages
Policy RPM selinux-policy-3.5.13-11.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name public_content
Host Name <em class="replaceable"><code>hostname</code></em>
Platform <em class="replaceable"><code>Linux hostname 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct</code></em>
30 00:49:42 EDT 2008 i686 i686
Alert Count 4
First Seen Wed Nov 5 18:53:05 2008
Last Seen Wed Nov 5 01:22:58 2008
Local ID 84e0b04d-d0ad-4347-8317-22e74f6cd020
Line Numbers
Raw Audit Messages
node=<em class="replaceable"><code>hostname</code></em> type=AVC msg=audit(1225812178.788:101): avc: denied { getattr } for pid=2441 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
node=<em class="replaceable"><code>hostname</code></em> type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
</pre><div class="variablelist"><dl><dt><span class="term">Summary</span></dt><dd><div class="para">
A brief summary of the denied action. This is the same as the denial in <code class="filename">/var/log/messages</code>. In this example, the <code class="systemitem">httpd</code> process was denied access to a file (<code class="filename">file1</code>), which is labeled with the <code class="computeroutput">samba_share_t</code> type.
</div></dd><dt><span class="term">Detailed Description</span></dt><dd><div class="para">
A more verbose description. In this example, <code class="filename">file1</code> is labeled with the <code class="computeroutput">samba_share_t</code> type. This type is used for files and directories that you want to export via Samba. The description suggests changing the type to a type that can be accessed by the Apache HTTP Server and Samba, if such access is desired.
</div></dd><dt><span class="term">Allowing Access</span></dt><dd><div class="para">
A suggestion for how to allow access. This may be relabeling files, turning a Boolean on, or making a local policy module. In this case, the suggestion is to label the file with a type accessible to both the Apache HTTP Server and Samba.
</div></dd><dt><span class="term">Fix Command</span></dt><dd><div class="para">
A suggested command to allow access and resolve the denial. In this example, it gives the command to change the <code class="filename">file1</code> type to <code class="computeroutput">public_content_t</code>, which is accessible to the Apache HTTP Server and Samba.
</div></dd><dt><span class="term">Additional Information</span></dt><dd><div class="para">
Information that is useful in bug reports, such as the policy package name and version (<code class="computeroutput">selinux-policy-3.5.13-11.fc10</code>), but may not help towards solving why the denial occurred.
</div></dd><dt><span class="term">Raw Audit Messages</span></dt><dd><div class="para">
The raw audit messages from <code class="filename">/var/log/audit/audit.log</code> that are associated with the denial. Refer to <a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages" title="7.3.6. Raw Audit Messages">Section 7.3.6, “Raw Audit Messages”</a> for information about each item in the AVC denial.
</div></dd></dl></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access: audit2allow</h3></div></div></div><div class="para">
Do not use the example in this section in production. It is used only to demonstrate the use of <code class="command">audit2allow</code>.
</div><div class="para">
From the <span class="citerefentry"><span class="refentrytitle">audit2allow</span>(1)</span> manual page: "<code class="command">audit2allow</code> - generate SELinux policy allow rules from logs of denied operations"<sup>[<a id="d0e6493" href="#ftn.d0e6493">19</a>]</sup>. After analyzing denials as per <a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages" title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>, and if no label changes or Booleans allowed access, use <code class="command">audit2allow</code> to create a local policy module. After access is denied by SELinux, running the <code class="command">audit2allow</code> command presents Type Enforcement rules that allow the previously denied access.
</div><div class="para">
The following example demonstrates using <code class="command">audit2allow</code> to create a policy module:
</div><div class="orderedlist"><ol><li><div class="para">
A denial and the associated system call are logged to <code class="filename">/var/log/audit/audit.log</code>:
</div><pre class="screen">
type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)
</pre><div class="para">
In this example, <span><strong class="application">certwatch</strong></span> (<code class="computeroutput">comm="certwatch"</code>) was denied write access (<code class="computeroutput">{ write }</code>) to a directory labeled with the <code class="computeroutput">var_t</code> type (<code class="computeroutput">tcontext=system_u:object_r:var_t:s0</code>). Analyze the denial as per <a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages" title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>. If no label changes or Booleans allowed access, use <code class="command">audit2allow</code> to create a local policy module.
</div></li><li><div class="para">
With a denial logged, such as the <code class="computeroutput">certwatch</code> denial in step 1, run the <code class="command">audit2allow -w -a</code> command to produce a human-readable description of why access was denied. The <code class="option">-a</code> option causes all audit logs to be read. The <code class="option">-w</code> option produces the human-readable description. The <code class="command">audit2allow</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user:
</div><pre class="screen">
# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
</pre><div class="para">
As shown, access was denied due to a missing Type Enforcement rule.
</div></li><li><div class="para">
Run the <code class="command">audit2allow -a</code> command to view the Type Enforcement rule that allows the denied access:
</div><pre class="screen">
# audit2allow -a
#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
</pre><div class="important"><h2>Important</h2><div class="para">
Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and should be reported in <a href="https://bugzilla.redhat.com/">Red Hat Bugzilla</a>. For Fedora, create bugs against the <code class="computeroutput">Fedora</code> product, and select the <code class="computeroutput">selinux-policy</code> component. Include the output of the <code class="command">audit2allow -w -a</code> and <code class="command">audit2allow -a</code> commands in such bug reports.
</div></div></li><li><div class="para">
To use the rule displayed by <code class="command">audit2allow -a</code>, run the <code class="command">audit2allow -a -M <em class="replaceable"><code>mycertwatch</code></em></code> command as the Linux root user to create a custom module. The <code class="option">-M</code> option creates a Type Enforcement file (<code class="filename">.te</code>) with the name specified with <code class="option">-M</code>, in your current working directory:
</div><pre class="screen">
# audit2allow -a -M mycertwatch
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mycertwatch.pp
# ls
mycertwatch.pp mycertwatch.te
</pre><div class="para">
Also, <code class="command">audit2allow</code> compiles the Type Enforcement rule into a policy package (<code class="filename">.pp</code>). To install the module, run the <code class="command">/usr/sbin/semodule -i <em class="replaceable"><code>mycertwatch.pp</code></em></code> command as the Linux root user.
</div><div class="important"><h2>Important</h2><div class="para">
Modules created with <code class="command">audit2allow</code> may allow more access than required. It is recommended that policy created with <code class="command">audit2allow</code> be posted to an SELinux list, such as <a href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">fedora-selinux-list</a>, for review. If you believe there is a bug in policy, create a bug in <a href="https://bugzilla.redhat.com/">Red Hat Bugzilla</a>.
</div></div></li></ol></div><div class="para">
If you have multiple denials from multiple processes, but only want to create a custom policy for a single process, use the <code class="command">grep</code> command to narrow down the input for <code class="command">audit2allow</code>. The following example demonstrates using <code class="command">grep</code> to only send denials related to <code class="command">certwatch</code> through <code class="command">audit2allow</code>:
</div><pre class="screen">
# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2
******************** IMPORTANT ***********************
To make this policy package active, execute:
# /usr/sbin/semodule -i mycertwatch2.pp
</pre><div class="para">
Refer to Dan Walsh's <a href="http://danwalsh.livejournal.com/24750.html">"Using audit2allow to build policy modules. Revisited."</a> blog entry for further information about using <code class="command">audit2allow</code> to build policy modules.
</div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e5328" href="#d0e5328">14</a>] </sup>
Files in <code class="filename">/etc/selinux/targeted/contexts/files/</code> define contexts for files and directories. Files in this directory are read by <code class="command">restorecon</code> and <code class="command">setfiles</code> to restore files and directories to their default contexts.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e5490" href="#d0e5490">15</a>] </sup>
The <code class="command">semanage port -a</code> command adds an entry to the <code class="filename">/etc/selinux/targeted/modules/active/ports.local</code> file. Note: by default, this file can only be viewed by the Linux root user.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e5939" href="#d0e5939">16</a>] </sup>
From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 10.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e5991" href="#d0e5991">17</a>] </sup>
From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 10.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e6051" href="#d0e6051">18</a>] </sup>
From the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 10.
</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e6493" href="#d0e6493">19</a>] </sup>
From the <span class="citerefentry"><span class="refentrytitle">audit2allow</span>(1)</span> manual page, as shipped with the <span class="package">policycoreutils</span> package in Fedora 10.
</p></div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Further_Information">Chapter 8. Further Information</h2></div></div></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-The_National_Security_Agency_NSA">The National Security Agency (NSA)</h5>
From the NSA <a href="http://www.nsa.gov/research/selinux/contrib.shtml">Contributors to SELinux</a> page:
</div><div class="para">
<span class="emphasis"><em>Researchers in NSA's National Information Assurance Research Laboratory (NIARL) designed and implemented flexible mandatory access controls in the major subsystems of the Linux kernel and implemented the new operating system components provided by the Flask architecture, namely the security server and the access vector cache. The NSA researchers reworked the LSM-based SELinux for inclusion in Linux 2.6. NSA has also led the development of similar controls for the X Window System (XACE/XSELinux) and for Xen (XSM/Flask).</em></span>
</div><div class="itemizedlist"><ul><li><div class="para">
Main SELinux website: <a href="http://www.nsa.gov/research/selinux/index.shtml">http://www.nsa.gov/research/selinux/index.shtml</a>.
</div></li><li><div class="para">
SELinux documentation: <a href="http://www.nsa.gov/research/selinux/docs.shtml">http://www.nsa.gov/research/selinux/docs.shtml</a>.
</div></li><li><div class="para">
SELinux background: <a href="http://www.nsa.gov/research/selinux/background.shtml">http://www.nsa.gov/research/selinux/background.shtml</a>.
</div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-Tresys_Technology">Tresys Technology</h5>
<a href="http://www.tresys.com/">Tresys Technology</a> are the upstream for:
</div><div class="itemizedlist"><ul><li><div class="para">
<a href="http://userspace.selinuxproject.org/trac/">SELinux userland libraries and tools</a>.
</div></li><li><div class="para">
<a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a>.
</div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-SELinux_News">SELinux News</h5>
<div class="itemizedlist"><ul><li><div class="para">
News: <a href="http://selinuxnews.org/wp/">http://selinuxnews.org/wp/</a>.
</div></li><li><div class="para">
Planet SELinux (blogs): <a href="http://selinuxnews.org/planet/">http://selinuxnews.org/planet/</a>.
</div></li></ul></div>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-SELinux_Project_Wiki">SELinux Project Wiki</h5>
<div class="itemizedlist"><ul><li><div class="para">
Main page: <a href="http://selinuxproject.org/page/Main_Page">http://selinuxproject.org/page/Main_Page</a>.
</div></li><li><div class="para">
User resources, including links to documentation, mailing lists, websites, and tools: <a href="http://selinuxproject.org/page/User_Resources">http://selinuxproject.org/page/User_Resources</a>.
</div></li></ul></div>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-Red_Hat_Enterprise_Linux">Red Hat Enterprise Linux</h5>
<div class="itemizedlist"><ul><li><div class="para">
The <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deploy...">Red Hat Enterprise Linux Deployment Guide</a> contains an SELinux <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deploy...">References</a> section, that has links to SELinux tutorials, general information, and the technology behind SELinux.
</div></li><li><div class="para">
The <a href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide...">Red Hat Enterprise Linux 4 SELinux Guide</a>.
</div></li></ul></div>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-Fedora">Fedora</h5>
<div class="itemizedlist"><ul><li><div class="para">
Main page: <a href="http://fedoraproject.org/wiki/SELinux">http://fedoraproject.org/wiki/SELinux</a>.
</div></li><li><div class="para">
Troubleshooting: <a href="http://fedoraproject.org/wiki/SELinux/Troubleshooting">http://fedoraproject.org/wiki/SELinux/Troubleshooting</a>.
</div></li><li><div class="para">
Fedora Core 5 SELinux FAQ: <a href="http://docs.fedoraproject.org/selinux-faq-fc5/">http://docs.fedoraproject.org/selinux-faq-fc5/</a>.
</div></li></ul></div>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-The_UnOfficial_SELinux_FAQ">The UnOfficial SELinux FAQ</h5>
<a href="http://www.crypt.gen.nz/selinux/faq.html">http://www.crypt.gen.nz/selinux/faq.html</a>
</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-IRC">IRC</h5>
On <a href="http://freenode.net/">Freenode</a>:
</div><div class="itemizedlist"><ul><li><div class="para">
#selinux
</div></li><li><div class="para">
#fedora-selinux
</div></li></ul></div></div><div class="appendix" lang="en-US"><div class="titlepage"><div><div><h1 id="appe-Security-Enhanced_Linux-Revision_History" class="title">Revision History</h1></div></div></div><div class="para">
<div class="revhistory"><table border="0" width="100%" summary="Revision history"><tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr><tr><td align="left">Revision 1.2</td><td align="left">Mon Jan 19 2009</td><td align="left"><span class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></span></td></tr><tr><td align="left" colspan="3">
<table class="simplelist" border="0" summary="Simple list"><tr><td>Updating hyperlinks to NSA websites</td></tr></table>
</td></tr><tr><td align="left">Revision 1.1</td><td align="left">Sat Dec 6 2008</td><td align="left"><span class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></span></td></tr><tr><td align="left" colspan="3">
<table class="simplelist" border="0" summary="Simple list"><tr><td>Resolving <a href="https://bugzilla.redhat.com/show_bug.cgi?id=472986">Red Hat Bugzilla #472986, "httpd does not write to /etc/httpd/logs/"</a></td></tr><tr><td>Added new section, "6.6. Booleans for Users Executing Applications"</td></tr><tr><td>Minor text revisions</td></tr></table>
</td></tr><tr><td align="left">Revision 1.0</td><td align="left">Tue Nov 25 2008</td><td align="left"><span class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></span></td></tr><tr><td align="left" colspan="3">
<table class="simplelist" border="0" summary="Simple list"><tr><td>Initial content release on <a href="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</a></td></tr></table>
</td></tr></table></div>
</div></div></div></body></html>
web/html/docs/selinux-user-guide/f10/html-single/Common_Content/css common.css, NONE, 1.1 default.css, NONE, 1.1 overrides.css, NONE, 1.1
by Murray McAllister
Author: mdious
Update of /cvs/fedora/web/html/docs/selinux-user-guide/f10/html-single/Common_Content/css
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23851/selinux-user-guide/f10/html-single/Common_Content/css
Added Files:
common.css default.css overrides.css
Log Message:
- updating content for multi-page HTML.
- adding single-page HTML content.
- adding PDF.
- updating index.php to reflect above mentioned changes.
--- NEW FILE common.css ---
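/* Base typography shared by every text-bearing element. */
body, h1, h2, h3, h4, h5, h6, pre, li, div {
  line-height: 1.29em;
}

/* Page body: centred column with a capped width and a sans-serif stack. */
body {
  background-color: white;
  margin: 0 auto;
  font-family: "liberation sans", "Myriad ", "Bitstream Vera Sans", "Lucida Grande", "Luxi Sans", "Trebuchet MS", helvetica, verdana, arial, sans-serif;
  font-size: 12px;
  max-width: 55em;
  color: black;
}

/* Web hosting system only: leave room on the left for the embedded TOC frame. */
body.toc_embeded {
  margin-left: 300px;
}

/* Web hosting system only: the TOC object is pinned to the left edge, above page content.
   border-style is declared once (it was duplicated); border-right follows it so the
   right-hand edge is the only visible border. */
object.toc {
  border-style: none;
  position: fixed;
  width: 290px;
  height: 99.99%;
  top: 0;
  left: 0;
  z-index: 100;
  border-right: 1px solid #999;
}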
/* desktop styles: the book TOC becomes a fixed, scrollable left sidebar */
body.desktop {
  margin-left: 26em;
}
body.desktop .book > .toc {
  display: block;
  width: 24em;
  height: 99%;
  position: fixed;
  overflow: auto;
  top: 0;
  left: 0;
  padding-left: 1em;
  background-color: #eee;
}

/* Table of contents: slightly looser line height, a gap before each major part */
.toc {
  line-height: 1.35em;
}
.toc .chapter, .toc .appendix, .toc .glossary {
  margin-top: 1em;
}
.toc .part {
  margin-top: 1em;
  display: block;
}
span.appendix, span.glossary {
  display: block;
  margin-top: 0.5em;
}

/* Block spacing: sections get top padding, paragraphs a small top and a full bottom margin */
div {
  padding-top: 0;
}
div.section {
  padding-top: 1em;
}
p, div.para, div.formalpara {
  padding-top: 0;
  margin-top: 0.3em;
  padding-bottom: 0;
  margin-bottom: 1em;
}
/*Links: no underline, a dotted bottom border in the link colour instead; visited links are darker*/
a:link {
  text-decoration: none;
  border-bottom: 1px dotted;
  color: #3366cc;
}
a:visited {
  text-decoration: none;
  border-bottom: 1px dotted;
  color: #003366;
}
/* "long description" links float to the right in grey */
div.longdesc-link {
  float: right;
  color: #999;
}
/* TOC and Q&A links are not emboldened */
.toc a, .qandaset a {
  font-weight: normal;
}
/*headings: one brand colour, no vertical margins unless a rule below adds them*/
h1, h2, h3, h4, h5, h6 {
  color: #336699;
  margin-top: 0;
  margin-bottom: 0;
  background-color: transparent;
}
h1 {
  font-size: 2em;
}
/* Title page heading; book and article title pages centre it */
.titlepage h1.title {
  font-size: 3em;
  padding-top: 1em;
  text-align: left;
}
.book > .titlepage h1.title {
  text-align: center;
}
.article > .titlepage h1.title {
  text-align: center;
}
/* Product banner: white text on the brand colour with a tiled background image */
.producttitle {
  margin-top: 0;
  margin-bottom: 0;
  font-size: 3em;
  font-weight: bold;
  background: #336699 url(../images/h1-bg.png) top left repeat;
  color: white;
  text-align: center;
  padding: 0.7em;
}
.titlepage .corpauthor {
  margin-top: 1em;
  text-align: center;
}
/* An h1 used as a section title is scaled down to h2 size */
.section h1.title {
  font-size: 1.6em;
  padding: 0;
  color: #336699;
  text-align: left;
  background: white;
}
h2 {
  font-size: 1.6em;
}
h2.subtitle, h3.subtitle {
  margin-top: 1em;
  margin-bottom: 1em;
  font-size: 1.4em;
  text-align: center;
}
.preface > div > div > div > h2.title {
  margin-top: 1em;
  font-size: 2em;
}
.appendix h2 {
  margin-top: 1em;
  font-size: 2em;
}
h3 {
  font-size: 1.3em;
  padding-top: 0;
  padding-bottom: 0;
}
h4 {
  font-size: 1.1em;
  padding-top: 0;
  padding-bottom: 0;
}
h5 {
  font-size: 1em;
}
h6 {
  font-size: 1em;
}
/* Formal paragraph titles sit on their own line with a gap above */
h5.formalpara {
  font-size: 1em;
  margin-top: 2em;
  margin-bottom: .8em;
}
.abstract h6 {
  margin-top: 1em;
  margin-bottom: .5em;
  font-size: 2em;
}
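/*element rules*/
/* Horizontal rule drawn as a single dotted top edge.
   (border-collapse applies only to tables, so it was dropped from this rule.) */
hr {
  border-style: none;
  border-top: 1px dotted #ccc;
  width: 100%;
  margin-top: 3em;
}
/* Superscripts (footnote markers) are de-emphasised in grey. */
sup {
  color: #999;
}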
/* web site rules: the language switcher is an inline list inside a grey bar */
ul.languages, .languages li {
  display: inline;
  padding: 0;
}
.languages li a {
  padding: 0 .5em;
  text-decoration: none;
}
.languages li p, .languages li div.para {
  display: inline;
}
.languages li a:link, .languages li a:visited {
  color: #444;
}
.languages li a:hover, .languages li a:focus, .languages li a:active {
  color: black;
}
/* The list itself is a block so the bar spans the page width */
ul.languages {
  display: block;
  background-color: #eee;
  padding: .5em;
}
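/*supporting stylesheets*/
/*unique to the webpage only*/
/* Article lists keep a plain disc marker. */
.article ul {
  padding-left: 2em;
  list-style: disc;
}
.article li {
  margin: 0;
  padding-left: 0;
}
/* Version list: each version is a large block-level link prefixed with "Version". */
.versions li {
  width: 100%;
  clear: both;
  display: block;
}
a.version {
  font-size: 2em;
  text-decoration: none;
  width: 100%;
  display: block;
  padding: 1em 0 .2em 0;
  clear: both;
}
a.version:before {
  content: "Version";
  font-size: smaller;
}
a.version:visited, a.version:link {
  color: #666;
}
a.version:focus, a.version:hover {
  color: black;
}
/* Book list: floated 200px cells; the HTML link is on the left and the PDF link is
   placed absolutely beside it (each li is the positioning context).
   .books is declared once here; an earlier duplicate that only set position:relative
   was folded into this rule. */
.books {
  display: block;
  position: relative;
  clear: both;
  width: 100%;
}
.books li {
  display: block;
  width: 200px;
  float: left;
  position: relative;
  clear: none;
}
.books .html {
  width: 170px;
  display: block;
}
.books .pdf {
  position: absolute;
  left: 170px;
  top: 0;
  font-size: smaller;
}
.books .pdf:link, .books .pdf:visited {
  color: #555;
}
.books .pdf:hover, .books .pdf:focus {
  color: #000;
}
.books li a {
  text-decoration: none;
}
.books li a:hover {
  color: black;
}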
/*products: fixed-width floated cells, the list clears the floats above it*/
.products li {
  display: block;
  width: 300px;
  float: left;
}
.products li a {
  width: 300px;
  padding: .5em 0;
}
.products ul {
  clear: both;
}
/*revision history: a borderless table; revision text is bold and left-aligned*/
.revhistory {
  display: block;
}
.revhistory table {
  background-color: transparent;
  border-color: #fff;
  padding: 0;
  margin: 0;
  border-collapse: collapse;
  border-style: none;
}
/* Cells are right-aligned except the first column */
.revhistory td {
  text-align: right;
  padding: 0;
  border-top: 1px solid #fff;
}
.revhistory tr td:first-child {
  text-align: left;
}
.revhistory tr td p, .revhistory tr td div.para {
  text-align: left;
  font-weight: bold;
  display: block;
  margin: 0;
  padding: 0;
  padding-bottom: 0.7em;
  border-bottom: 1px solid #eee;
}
/* The table heading doubles as the section title */
.revhistory table th {
  background-color: transparent;
  color: #336699;
  font-size: 2em;
  padding: 1em 0;
  border-bottom: 1px solid #eee;
}
/*credits: author group is centred; each credit is a block, except inside the revision history*/
.authorgroup div {
  clear: both;
  text-align: center;
}
h3.author {
  margin: 0;
  padding: 0;
  padding-top: 1em;
}
.authorgroup h4 {
  padding: 0;
  margin: 0;
  padding-top: 1em;
  margin-top: 1em;
}
.author, .editor, .translator, .othercredit, .contrib {
  display: block;
}
.revhistory .author {
  display: inline;
}
.othercredit h3 {
  padding-top: 1em;
}
.othercredit {
  margin: 0;
  padding: 0;
}
.releaseinfo {
  clear: both;
}
.copyright {
  margin-top: 1em;
}
/* qanda sets: bold questions, answers separated by a dotted rule, labels floated left */
.answer {
  margin-bottom: 1em;
  border-bottom: 1px dotted #ccc;
}
.qandaset .toc {
  border-bottom: 1px dotted #ccc;
}
.question {
  font-weight: bold;
}
.answer .data, .question .data {
  padding-left: 2.6em;
}
.answer label, .question label {
  float: left;
  font-weight: bold;
}
/* Package names are italic */
.package {
  font-style: italic;
}
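/* inline syntax highlighting: one colour per token class emitted by the highlighter
   (the header comment was duplicated; it is kept once) */
.hl-keyword {
  color: #002F5D;
}
.hl-string {
  color: #5C3566;
}
.hl-comment {
  color: #FF00FF;
}
.hl-tag {
  color: #A62C2C;
  font-weight: bold;
}
.hl-attribute {
  color: #a70000;
}
.hl-value {
  color: #5C3566;
}
.hl-html {
  color: #002F5D;
}
.hl-xslt {
  color: #00774B;
}
.hl-section {
  color: #00774B;
}
.hl-directive {
  color: #4E9A06;
}
.hl-doctype {
  color: #CE5C00;
}
.hl-annotation {
  color: #CE5C00;
}
.hl-number {
  color: #CE5C00;
}
.hl-doccomment {
  color: #CE5C00;
}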
/*Lists*/
/* Unordered lists use image bullets (dot2.png when nested); circle is the fallback marker */
ul {
  padding-left: 1.6em;
  list-style-image: url(../images/dot.png);
  list-style-type: circle;
}
ul ul {
  list-style-image: url(../images/dot2.png);
  list-style-type: circle;
}
/* Ordered lists: decimal by default, with class-selected numbering styles */
ol {
  list-style-image: none;
  list-style-type: decimal;
}
ol.loweralpha {
  list-style-type: lower-alpha;
}
ol.lowerroman {
  list-style-type: lower-roman;
}
ol.upperalpha {
  list-style-type: upper-alpha;
}
ol.upperroman {
  list-style-type: upper-roman;
}
/* Definition lists: bold terms, indented definitions */
dt {
  font-weight: bold;
  margin-bottom: 0;
  padding-bottom: 0;
}
dd {
  margin: 0;
  margin-left: 2em;
  padding-top: 0;
  padding-bottom: 1em;
}
/* Tight spacing between list items and the paragraphs inside them */
li {
  padding-top: 0;
  margin-top: 0;
  padding-bottom: 0;
  margin-bottom: 0.4em;
}
li p, li div.para {
  padding-top: 0;
  margin-top: 0;
  padding-bottom: 0;
  margin-bottom: 0.3em;
}
/*images*/
img {
display:block;
margin:2em 0;
}
.inlinemediaobject, .inlinemediaobject img {
display:inline;
margin:0em;
}
.figure img {
display:block;
margin:0;
}
.figure .title {
margin:0em;
margin-bottom:2em;
padding:0px;
}
/*document modes*/
.confidential {
background-color:#900;
color:White;
padding:.5em .5em;
text-transform:uppercase;
text-align:center;
}
.longdesc-link {
display:none;
}
.longdesc {
display:none;
}
.prompt {
background-color:#ede7c8;
padding:0em .3em;
}
/*user interface styles*/
.screen .replaceable {
color:#444;
}
pre, code, .guibutton, .keycap, .guilabel {
font-family:"liberation mono", "bitstream vera mono", "dejavu mono", monospace;
}
.guibutton, .keycap, .guilabel {
font-weight:bold;
white-space:nowrap;
}
.example {
background-color:#dc9f2e;
padding:5px;
margin-bottom:10px;
}
/*terminal/console text*/
.computeroutput,
.citetitle,
.replaceable,
.option {
font-family:"liberation mono", "bitstream vera mono", "dejavu mono", monospace;
}
.replaceable {
font-family:"liberation mono", "bitstream vera mono", "dejavu mono", monospace;
font-style: italic;
}
.command, .filename, .keycap, .classname, .literal {
font-family:"liberation mono", "bitstream vera mono", "dejavu mono", monospace;
font-weight:bold;
}
pre {
font-family:"liberation mono", "bitstream vera mono", "dejavu mono", monospace;
display:block;
background-color:#eeeeee;
margin-bottom: 0.3em;
padding:.5em 1em;
white-space: pre-wrap; /* css-3 */
white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
white-space: -pre-wrap; /* Opera 4-6 */
white-space: -o-pre-wrap; /* Opera 7 */
word-wrap: break-word; /* Internet Explorer 5.5+ */
}
pre .replaceable,
pre .keycap {
color:white;
}
code {
white-space: nowrap;
}
/*Notifications*/
div.note, div.important, div.warning {
padding:1em;
padding-bottom:20px;
margin-top:.5em;
margin-bottom:1.5em;
background-repeat:no-repeat;
background-position:1em 1em;
}
div.note pre, div.important pre, div.warning pre {
background-color: #333;
color: white;
margin-left: 4.5em;
}
div.note {
background-image:url(../images/note.png);
background-color:#8e9f00;
color:white;
}
div.important {
background-color:#d08e13;
color:white;
background-image:url(../images/important.png);
}
div.warning {
background-color:#9e292b;
color:white;
background-image:url(../images/warning.png);
}
/* Admonition Headings */
div.note h2, div.important h2, div.warning h2 {
height:32px;
font-size:1.3em;
}
div.note h2, div.important h2, div.warning h2 {
color:white;
}
/* Admonition Inlines */
div.note .replaceable, div.important .replaceable, div.warning .replaceable {
color:#e3dcc0;
}
pre .replaceable, tt .replaceable {
color:#444;
}
div.note .guilabel, div.important .guilabel, div.warning .guilabel {
color:#e3dcc0;
}
/* Admonition Lists ... really? */
div.note li, div.warning li, div.important li {
padding-left:10px;
margin:0em;
}
div.note ul, div.warning ul, div.important ul {
padding-left:40px;
margin:0em;
}
/* Admonition links in verbatim ... *really* */
div.note pre pre a:visited, div.important pre pre a:visited,
div.warning pre pre a:visited, div.note pre a:link, div.important pre a:link, div.warning pre a:link {
color:#0066cc;
}
/* Admonition links */
div.note a:visited, div.important a:visited, div.warning a:visited, div.note a:link , div.important a:link , div.warning a:link {
color:#f7f2d0;
}
/*notification icons*/
div.note h2, div.note p, div.note div.para, div.warning h2, div.warning p, div.warning div.para, div.important h2, .important p, .important div.para {
padding:0em;
margin:0em;
padding-left:56px;
}
/*Page Title*/
#title {
display:block;
height:45px;
padding-bottom:1em;
margin:0em;
}
#title a.left{
display:inline;
border:none;
padding-left:200px;
}
#title a.left img{
border:none;
float:left;
margin:0em;
margin-top:.7em;
}
#title a.right {
padding-bottom:1em;
}
#title a.right img {
border:none;
float:right;
margin:0em;
}
/*Table*/
table {
border:1px solid #6c614b;
width:100%;
border-collapse:collapse;
}
table th {
text-align:left;
background-color:#6699cc;
padding:.3em .5em;
color:white;
}
table td {
padding:.15em .5em;
}
table tr.even td {
background-color:#f5f5f5;
}
table th p:first-child, table td p:first-child, table li p:first-child,
table th div.para:first-child, table td div.para:first-child, table li div.para:first-child {
margin-top:0em;
padding-top:0em;
display:inline;
}
th, td {
border-style:none;
vertical-align: top;
}
table table td {
border-bottom:1px dotted #aaa;
background-color:white;
padding:.6em 0em;
}
table table {
border:1px solid white;
}
td.remarkval {
color:#444;
}
td.fieldval {
font-weight:bold;
}
.lbname, .lbtype, .lbdescr, .lbdriver, .lbhost {
color:white;
font-weight:bold;
background-color:#999;
width:120px;
}
td.remarkval {
width:230px;
}
td.tname {
font-weight:bold;
}
th.dbfield {
width:120px;
}
th.dbtype {
width:70px;
}
th.dbdefault {
width:70px;
}
th.dbnul {
width:70px;
}
th.dbkey {
width:70px;
}
span.book {
margin-top:4em;
display:block;
}
span.chapter {
display:block;
margin-top:0.5em;
}
/*Breadcrumbs*/
#breadcrumbs ul li.first:before {
content:" ";
}
#breadcrumbs {
color:#900;
padding:3px;
margin-bottom:25px;
}
#breadcrumbs ul {
margin-left:0;
padding-left:0;
display:inline;
border:none;
}
#breadcrumbs ul li {
margin-left:0;
padding-left:2px;
border:none;
list-style:none;
display:inline;
}
#breadcrumbs ul li:before {
content:"\0020 \0020 \0020 \00BB \0020";
color:#333;
}
/*status*/
.alpha1 {
background: white url(../images/watermark-alpha1.png) top left repeat;
}
.alpha2 {
background: white url(../images/watermark-alpha2.png) top left repeat;
}
.beta1 {
background: white url(../images/watermark-beta1.png) top left repeat;
}
.beta2 {
background: white url(../images/watermark-beta2.png) top left repeat;
}
.pre-release-candidate {
background: white url(../images/watermark-pre-release-candidate.png) top left repeat;
}
.release-candidate {
background: white url(../images/watermark-release-candidate.png) top left repeat;
}
/*index*/
.glossary h3,
.index h3 {
font-size: 2em;
color:#aaa;
margin:0em;
}
.indexdiv {
margin-bottom:1em;
}
.glossary dt, .index dt {
color:#444;
padding-top:.5em;
}
.glossary dl dl dt,
.index dl dl dt {
color:#777;
font-weight:normal;
padding-top:0em;
}
.index dl dl dt:before {
content:"- ";
color:#ccc;
}
/*changes*/
.footnote {
padding:.2em 1em;
background-color:#c8c5ac;
font-size: .7em;
margin:0em;
margin-bottom:.5em;
color:#222;
}
table .footnote {
margin:1em .5em;
}
sup {
padding:0em .3em;
padding-left:0em;
}
.footnote {
position:relative;
}
.footnote sup {
color:#e3dcc0;
position:absolute;
left: .4em;
}
.footnote sup a:link,
.footnote sup a:visited {
color:#92917d;
text-decoration:none;
}
.footnote:hover sup a {
color:#fff;
text-decoration:none;
}
.footnote p,.footnote div.para {
padding-left:5em;
}
.footnote a:link,
.footnote a:visited {
color:#00537c;
}
.footnote a:hover {
color:white;
}
/**/
div.chapter {
margin-top:3em;
}
div.section {
margin-top:1em;
}
div.note .replaceable,
div.important .replaceable,
div.warning .replaceable,
div.note .keycap,
div.important .keycap,
div.warning .keycap
{
color:white;
}
ul li p:last-child, ul li div.para:last-child {
margin-bottom:0em;
padding-bottom:0em;
}
/*document navigation*/
.docnav a, .docnav strong {
border:none;
text-decoration:none;
font-weight:normal;
}
.docnav {
list-style:none;
margin:0em;
padding:0em;
position:relative;
width:100%;
padding-bottom:2em;
padding-top:1em;
border-top:1px dotted #ccc;
}
.docnav li {
list-style:none;
margin:0em;
padding:0em;
display:inline;
font-size:.8em;
}
.docnav li:before {
content:" ";
}
.docnav li.previous, .docnav li.next {
position:absolute;
top:1em;
}
.docnav li.up, .docnav li.home {
margin:0em 1.5em;
}
.docnav li.previous {
left:0px;
text-align:left;
}
.docnav li.next {
right:0px;
text-align:right;
}
.docnav li.previous strong, .docnav li.next strong {
height:22px;
display:block;
}
.docnav {
margin:0 auto;
text-align:center;
}
.docnav li.next a strong {
background: url(../images/stock-go-forward.png) top right no-repeat;
padding-top:3px;
padding-bottom:4px;
padding-right:28px;
font-size:1.2em;
}
.docnav li.previous a strong {
background: url(../images/stock-go-back.png) top left no-repeat;
padding-top:3px;
padding-bottom:4px;
padding-left:28px;
padding-right:0.5em;
font-size:1.2em;
}
.docnav li.home a strong {
background: url(../images/stock-home.png) top left no-repeat;
padding:5px;
padding-left:28px;
font-size:1.2em;
}
.docnav li.up a strong {
background: url(../images/stock-go-up.png) top left no-repeat;
padding:5px;
padding-left:28px;
font-size:1.2em;
}
.docnav a:link, .docnav a:visited {
color:#666;
}
.docnav a:hover, .docnav a:focus, .docnav a:active {
color:black;
}
.docnav a {
max-width: 10em;
overflow:hidden;
}
.docnav a:link strong {
text-decoration:none;
}
.docnav {
margin:0 auto;
text-align:center;
}
ul.docnav {
margin-bottom: 1em;
}
/* Reports */
.reports ul {
list-style:none;
margin:0em;
padding:0em;
}
.reports li{
margin:0em;
padding:0em;
}
.reports li.odd {
background-color: #eeeeee;
margin:0em;
padding:0em;
}
.reports dl {
display:inline;
margin:0em;
padding:0em;
float:right;
margin-right: 17em;
margin-top:-1.3em;
}
.reports dt {
display:inline;
margin:0em;
padding:0em;
}
.reports dd {
display:inline;
margin:0em;
padding:0em;
padding-right:.5em;
}
.reports h2, .reports h3{
display:inline;
padding-right:.5em;
font-size:10pt;
font-weight:normal;
}
.reports div.progress {
display:inline;
float:right;
width:16em;
background:#c00 url(../images/shine.png) top left repeat-x;
margin:0em;
margin-top:-1.3em;
padding:0em;
border:none;
}
/*uniform*/
body.results, body.reports {
max-width:57em ;
padding:0em;
}
/*Progress Bar*/
div.progress {
display:block;
float:left;
width:16em;
background:#c00 url(../images/shine.png) top left repeat-x;
height:1em;
}
div.progress span {
height:1em;
float:left;
}
div.progress span.translated {
background:#6c3 url(../images/shine.png) top left repeat-x;
}
div.progress span.fuzzy {
background:#ff9f00 url(../images/shine.png) top left repeat-x;
}
/*Results*/
.results ul {
list-style:none;
margin:0em;
padding:0em;
}
.results li{
margin:0em;
padding:0em;
}
.results li.odd {
background-color: #eeeeee;
margin:0em;
padding:0em;
}
.results dl {
display:inline;
margin:0em;
padding:0em;
float:right;
margin-right: 17em;
margin-top:-1.3em;
}
.results dt {
display:inline;
margin:0em;
padding:0em;
}
.results dd {
display:inline;
margin:0em;
padding:0em;
padding-right:.5em;
}
.results h2, .results h3{
display:inline;
padding-right:.5em;
font-size:10pt;
font-weight:normal;
}
.results div.progress {
display:inline;
float:right;
width:16em;
background:#c00 url(../images/shine.png) top left repeat-x;
margin:0em;
margin-top:-1.3em;
padding:0em;
border:none;
}
/* Dirty EVIL Mozilla hack for round corners */
pre {
-moz-border-radius:11px;
}
.example {
-moz-border-radius:15px;
}
.term{
color:#336699;
}
.package {
font-style: italic;
}
.edition {
color: #336699;
background-color: transparent;
margin-top: 1em;
margin-bottom: 1em;
font-size: 1.4em;
font-weight: bold;
text-align: center;
}
span.remark {
background-color: #ff00ff;
}
.draft {
background-image: url(../images/watermark-draft.png);
background-repeat: repeat-y;
background-position: center;
}
.foreignphrase {
font-style: inherit;
}
dt {
clear:both;
}
dt img {
border-style: none;
max-width: 112px;
}
dt object {
max-width: 112px;
}
dt .inlinemediaobject, dt object {
display: inline;
float: left;
margin-bottom: 1em;
padding-right: 1em;
width: 112px;
}
dl:after {
display: block;
clear: both;
content: "";
}
.toc dd {
padding-bottom: 0em;
margin-bottom: 1em;
padding-left: 1.3em;
margin-left: 0em;
}
div.toc > dl > dt {
padding-bottom: 0em;
margin-bottom: 0em;
margin-top: 1em;
}
--- NEW FILE default.css ---
@import url("common.css");
@import url("overrides.css");
--- NEW FILE overrides.css ---
a:link {
color:#0066cc;
}
a:hover, a:active {
color:#003366;
}
a:visited {
color:#6699cc;
}
h1 {
color:#3c6eb4
}
.producttitle {
background: #3c6eb4 url(../images/h1-bg.png) top left repeat;
}
.section h1.title {
color:#3c6eb4;
}
h2,h3,h4,h5,h6 {
color:#3c6eb4;
}
table {
border:1px solid #3c6eb4;
}
table th {
background-color:#3c6eb4;
}
table tr.even td {
background-color:#f5f5f5;
}
.term{
color:#3c6eb4
}
.revhistory table th {
color:#3c6eb4;
}
.edition {
color: #3c6eb4;
}
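Review bot: Two declarations in overrides.css drop the trailing semicolon that every other rule in the file carries — `color:#3c6eb4` in the `h1 {` block and in the `.term{` block (the latter also omits the space before the brace that all the other selectors use). They parse today only because each is the last declaration in its block; a property appended after either one would likely be read as part of the same value and discarded, so `color:#3c6eb4;` and `.term {` keep the file consistent and safe to extend. The `table tr.even td { background-color:#f5f5f5; }` rule repeats exactly what common.css already sets for the same selector and therefore overrides nothing; either drop it or mark it with a comment such as `/* intentionally same as common.css; kept so the row colour is visible in this file */`.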
15 years, 3 months
web/html/docs/selinux-user-guide/f10/html-single/Common_Content - New directory
by Murray McAllister
Author: mdious
Update of /cvs/fedora/web/html/docs/selinux-user-guide/f10/html-single/Common_Content
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8432/Common_Content
Log Message:
Directory /cvs/fedora/web/html/docs/selinux-user-guide/f10/html-single/Common_Content added to the repository
15 years, 3 months
web/html/docs/selinux-user-guide/f10/html-single/images - New directory
by Murray McAllister
Author: mdious
Update of /cvs/fedora/web/html/docs/selinux-user-guide/f10/html-single/images
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8324/images
Log Message:
Directory /cvs/fedora/web/html/docs/selinux-user-guide/f10/html-single/images added to the repository
15 years, 3 months