From fedora-docs-commits@redhat.com Wed Jun 10 15:37:32 2015
From: fedora-docs-commits@redhat.com
To: docs-commits@lists.fedoraproject.org
Subject: selinux-faq/FC-5/en_US doc-entities.xml, NONE, 1.1 rpm-info.xml,
NONE, 1.1 selinux-faq.xml, NONE, 1.1
Date: Fri, 16 Nov 2007 08:05:08 -0500
Message-ID: <200711161305.lAGD58KR012798@cvs-int.fedora.redhat.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0888498432384027672=="
--===============0888498432384027672==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Author: pfrields
Update of /cvs/docs/selinux-faq/FC-5/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12637/FC-5/en_US
Added Files:
doc-entities.xml rpm-info.xml selinux-faq.xml
Log Message:
Add FC-5 and F-8 branches. For right now, these are duplicate copies of one
another. The F-8 branch is where new work is to be done to bring the FAQ up to
date with better and more content.
--- NEW FILE doc-entities.xml ---
These entities are absolutely essential in this document.
A per-document entity
Per-document Entity
Should match the name of this module
selinux-faq
Last revision number, bump when you change the doc
1.5.2
Last revision date, format YYYY-MM-DD
2006-03-24
Same for every document
Useful pre-filled bug report; note the changes of the
ampersand and percentage characters to their entity equivalent.
Locally useful.
Apache HTTP
Set value to your choice, useful for when guide
version is out of sync with FC release, use instead of FEDVER or
FEDTESTVER
5
--- NEW FILE rpm-info.xml ---
OPL
1.0
2004
2005
Red Hat, Inc.
Karsten Wade
2006
Chad Sellers
Paul W. Frields
Fedora Core 5 SELinux FAQ
Frequently asked questions about SELinux in Fedora Core 5
Fix for bz #18727, bz#139744, bz#144696, bz#147915,
and bz#190181; other fixes, including from
http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions
Fix for bz #188219; legal notice fix.
Updated log file location for FC5 release, added
targeted domains FAQ
Numerous content updates for FC5 release
Make admonition more easily maintainable
Style and readability editing; some element
clarifications
First round of editing.
--- NEW FILE selinux-faq.xml ---
%FDP-ENTITIES;
%DOCUMENT-ENTITIES;
]>
WHERE IS MY FDP-INFO, DUDE
&SEL; Notes and FAQ
The information in this FAQ is valuable for those who are new to &SEL;. It
is also valuable if you are new to the latest &SEL; implementation in
&FC;, since some of the behavior may be different than you have
experienced.
This FAQ is specific to &FC; &LOCALVER;
If you are looking for the FAQ for other versions of &FC;, refer to
.
For more information about how &SEL; works, how to use &SEL; for general
and specific Linux distributions, and how to write policy, these resources
are useful:
External Link List
NSA &SEL; main website —
NSA &SEL; FAQ —
&SEL; community page —
UnOfficial FAQ —
Writing traditional SE Linux policy HOWTO —
Reference Policy (the new policy found in &FC; 5) —
SELinux policy development training courses — and
Getting Started with SE Linux HOWTO: the new SE Linux (Debian) —
List of SELinux object classes and permissions —
On IRC — irc.freenode.net, #fedora-selinux
&FED; mailing list — ;
read the archives or subscribe at
Making changes/additions to the &FED; &SEL; FAQ
This FAQ is available at http://fedora.redhat.com/docs/selinux-faq-fc5/.
For changes or additions to the &FED; &SEL; FAQ, use this bugzilla template, which pre-fills most of the
bug report. Patches should be a diff -u against the
XML, which is available from CVS (refer to for details on
obtaining the fedora-docs/selinux-faq module from anonymous CVS; you can
get just the fedora-docs/selinux-faq module if you
don't want the entire fedora-docs tree.) Otherwise,
plain text showing before and after is sufficient.
For a list of all bug reports filed against this FAQ, refer to https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=118757.
Understanding &SEL;
What is &SEL;?
&SEL; (Security-Enhanced Linux) in &FC; is
an implementation of mandatory access
control in the Linux kernel using the
Linux Security Modules
(LSM) framework. Standard Linux security is a
discretionary access control model.
Discretionary access control (DAC)
DAC is standard Linux security, and it provides no
protection from broken software or malware running as a
normal user or root. Users can grant risky levels of access
to files they own.
Mandatory access control (MAC)
MAC provides full control over all interactions of
software. Administratively defined policy closely controls
user and process interactions with the system, and can
provide protection from broken software or malware running
as any user.
In a DAC model, file and resource decisions are based solely on
user identity and ownership of the objects. Each user and program
run by that user has complete discretion over the user's objects.
Malicious or flawed software can do anything with the files and
resources it controls through the user that started the process.
If the user is the super-user or the application is
setuid or setgid to root,
the process can have root level control over the entire file
system.
A MAC system does not suffer from these problems. First, you can
administratively define a security policy over all processes and
objects. Second, you control all processes and objects, in the
case of &SEL; through the kernel. Third, decisions are based on
all the security relevant information available, and not just
[...2335 lines suppressed...]
I am setting up swapping to a file, but I am seeing AVC messages
in my log files?
You need to identify the swapfile to SELinux by setting its file
context to swapfile_t.
chcon -t swapfile_t SWAPFILE
Please explain the relabelto/relabelfrom permissions?
For files, relabelfrom means "Can
domain D relabel a file from (i.e. currently in) type T1?" and
relabelto means "Can domain D
relabel a file to type T2?", so both checks are applied upon a
file relabeling, where T1 is the original type of the file and T2
is the new type specified by the program.
Useful documents to look at:
Object class and permission summary by Tresys
Implementing SELinux as an LSM technical report (describes
permission checks on a per-hook basis) .
This is also available in the selinux-doc package
(and more up-to-date there).
Integrating Flexible Support for Security Policies into the
Linux Operating System - technical report (describes original
design and implementation, including summary tables of
classes, permissions, and what permission checks are applied
to what system calls. It is not entirely up-to-date with
current implementation, but a good resource nonetheless).
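The two relabel checks described above, as an added example that is not part of the original FAQ. It models only plain allow rules with literal types (no attributes or constraints); the domains admin_t and backup_t and the sample policy are constructed for illustration, and swapfile_t is the type from the swapfile question above.

```python
import re

# Constructed sample policy (not from the FAQ): admin_t may relabel files
# out of tmp_t and into swapfile_t; backup_t may only relabel out of tmp_t.
SAMPLE_POLICY = """
allow admin_t tmp_t:file { getattr relabelfrom };
allow admin_t swapfile_t:file { getattr relabelto };
allow backup_t tmp_t:file relabelfrom;
"""

# Matches "allow <domain> <type>:<class> <perm>;" or "... { <perm> ... };"
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_allow_rules(text):
    """Return {(domain, target_type, object_class): set_of_permissions}."""
    rules = {}
    for m in RULE.finditer(text):
        domain, target, tclass, braced, single = m.groups()
        perms = set((braced if braced is not None else single).split())
        rules.setdefault((domain, target, tclass), set()).update(perms)
    return rules


def check_relabel(rules, domain, old_type, new_type, tclass="file"):
    """Apply both checks for relabeling a file from old_type (T1) to new_type (T2).

    Returns (allowed, denials); each denial is (permission, target_type),
    the pair an AVC message would report as the permission and tcontext type.
    """
    checks = [("relabelfrom", old_type), ("relabelto", new_type)]
    denials = [(perm, target) for perm, target in checks
               if perm not in rules.get((domain, target, tclass), set())]
    return (not denials, denials)
```

With the sample policy, admin_t can relabel tmp_t to swapfile_t, while backup_t passes the relabelfrom check on tmp_t and is denied relabelto on swapfile_t.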
Deploying &SEL;
What file systems can I use for &SEL;?
The file system must support
xattr labels in the right
security.* namespace. In addition to
ext2/ext3, XFS has recently added support for the necessary
labels.
Note that XFS SELinux support is broken in upstream kernel
2.6.14 and 2.6.15, but fixed (worked around)
in 2.6.16. Your kernel must include this fix if
you choose to use XFS with &SEL;.
How does &SEL; impact system performance?
This is a variable that is hard to measure, and is heavily
dependent on the tuning and usage of the system running &SEL;.
When performance was last measured, the impact was around 7% for
completely untuned code. Subsequent changes in system components
such as networking are likely to have made that worse in some
cases. &SEL; performance tuning continues to be a priority of the
development team.
What types of deployments, applications, and systems should I
leverage &SEL; in?
Initially, &SEL; has been used on Internet facing servers that are
performing a few specialized functions, where it is critical to
keep extremely tight security. Administrators typically strip
such a box of all extra software and services, and run a very
small, focused set of services. A Web server or mail server is a
good example.
In these edge servers, you can lock down the policy very tightly.
The smaller number of interactions with other components makes
such a lock down easier. A dedicated system running a specialized
third-party application would also be a good candidate.
In the future, &SEL; will be targeted at all environments. In
order to achieve this goal, the community and
independent software vendors
(ISVs) must work with the &SEL; developers to
produce the necessary policy. So far, a very restrictive
strict policy has been written, as well as
a targeted policy that focuses on specific,
vulnerable daemons.
For more information about these policies, refer to and .
How does &SEL; affect third-party applications?
One goal of implementing a targeted &SEL; policy in &FC; is to
allow third-party applications to work without modification. The
targeted policy is transparent to those unaddressed applications,
and it falls back on standard Linux DAC security. These
applications, however, will not be running in an extra-secure
manner. You or another provider must write policy to protect these
applications with MAC security.
It is impossible to predict how every third-party application
might behave with &SEL;, even running the targeted policy. You
may be able to fix issues that arise by changing the policy. You
may find that &SEL; exposes previously unknown security issues
with your application. You may have to modify the application to
work under &SEL;.
Note that with the addition of , it is now possible
for third-party developers to include policy modules with their
application. If you are a third-party developer or a
package-maintainer, please consider including a policy module
in your package. This will allow you to secure the behavior
of your application with the power of &SEL; for any user
installing your package.
One important value that &FC; testers and users bring to the
community is extensive testing of third-party applications. With
that in mind, please bring your experiences to the appropriate
mailing list, such as the fedora-selinux list, for discussion. For
more information about that list, refer to .
--===============0888498432384027672==--