Author: pfrields
Update of /cvs/docs/selinux-faq/F-8/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12637/F-8/en_US

Added Files:
    doc-entities.xml rpm-info.xml selinux-faq.xml
Log Message:
Add FC-5 and F-8 branches. For right now, these are duplicate copies of one another. The F-8 branch is where new work is to be done to bring the FAQ up to date with better and more content.
--- NEW FILE doc-entities.xml ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE entities SYSTEM "../../docs-common/common/entities/entities.dtd">
<entities>
  <title>These entities are absolutely essential in this document.</title>
  <group name="Example Tutorial Entities">
    <entity name="LOCAL-ENT">
      <comment>A per-document entity</comment>
      <text><wordasword>Per-document Entity</wordasword></text>
    </entity>
    <entity name="DOCNAME">
      <comment>Should match the name of this module</comment>
      <text>selinux-faq</text>
    </entity>
    <entity name="DOCVERSION">
      <comment>Last revision number, bump when you change the doc</comment>
      <text>1.5.2</text>
    </entity>
    <entity name="DOCDATE">
      <comment>Last revision date, format YYYY-MM-DD</comment>
      <text>2006-03-24</text>
    </entity>
    <entity name="DOCID">
      <comment>Same for every document</comment>
      <text><use entity="DOCNAME"/>-<use entity="DOCVERSION"/> (<use entity="DOCDATE"/>)</text>
    </entity>
    <entity name="BUG-URL">
      <comment>Useful pre-filled bug report; note the changes of the ampersand and percentage characters to their entity equivalent.</comment>
      <text>https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora&percnt... ;percnt;20first&percnt;2C&percnt;20then&percnt;20the&percnt;20changed&percnt;20text&percnt;3A&percnt;20&percnt;5D&percnt;5D&percnt;0D&percnt;0A&percnt;0D&percnt;0A&percnt;0D&percnt;0A&percnt;5B&percnt;5B&percnt;20Version-Release&percnt;20of&percnt;20FAQ&percnt;20&percnt;0D&percnt;0A&percnt;28found&percnt;20on&percnt;0D&percnt;0Ahttp&percnt;3A&percnt;2F&percnt;2Ffedora.redhat.com&percnt;2Fdocs&percnt;2Fselinux-faq-fc5&percnt;2Fln-legalnotice.html&percnt;29&percnt;3A&percnt;0D&percnt;0A&percnt;0D&percnt;0A&percnt;20for&percnt;20example&percnt;3A&percnt;20&percnt;20selinux-faq-1.5.2&percnt;20&percnt;282006-03-20&percnt;29&amp;status_whiteboard=&amp;keywords=&amp;issuetrackers=&amp;dependson=&amp;blocked=&amp;ext_bz_id=0&amp;ext_bz_bug_id=&amp;data=&amp;description=&amp;contenttypemethod=list&amp;contenttypeselection xt&percnt;2Fplain&amp;contenttypeentry=&amp;maketemplate=Remember&percnt;20values&percnt;20as&percnt;20bookmarkable&percnt;20template&amp;form_name=enter_bug</text>
    </entity>
    <entity name="APACHE">
      <comment>Locally useful.</comment>
      <text>Apache HTTP</text>
    </entity>
    <entity name="LOCALVER">
      <comment>Set value to your choice, useful for when guide version is out of sync with FC release, use instead of FEDVER or FEDTESTVER</comment>
      <text>5</text>
    </entity>
  </group>
</entities>
--- NEW FILE rpm-info.xml ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE rpm-info SYSTEM "../../docs-common/packaging/rpm-info.dtd">
<rpm-info>
  <colophon>
    <worker surname="Wade" firstname="Karsten" id="KarstenWade" email="kwade@redhat.com" wholename="Karsten Wade" initials="KW"/>
    <worker surname="Sellers" firstname="Chad" id="ChadSellers" email="csellers@tresys.com" wholename="Chad Sellers" initials="CS"/>
    <worker surname="Tombolini" firstname="Francesco" id="FrancescoTombolini" email="tombo@adamantio.net" wholename="Francesco Tombolini" initials="FT"/>
    <worker firstname="Paul" othername="W." surname="Frields" initials="PWF" email="stickster@gmail.com" wholename="Paul W. Frields" id="PaulWFrields"/>
  </colophon>
  <author worker="KarstenWade"/>
  <author worker="ChadSellers"/>
  <translator worker="FrancescoTombolini"/>
  <license>
    <rights>OPL</rights>
    <version>1.0</version>
  </license>
  <copyright>
    <year>2004</year>
    <year>2005</year>
    <holder>Red Hat, Inc.</holder>
    <holder>Karsten Wade</holder>
  </copyright>
  <copyright>
    <year>2006</year>
    <holder>Chad Sellers</holder>
    <holder>Paul W. Frields</holder>
  </copyright>
  <title>Fedora Core 5 SELinux FAQ</title>
  <desc>Frequently asked questions about SELinux in Fedora Core 5</desc>
  <changelog order="newest-first">
    <revision date="2006-04-28" number="1.5.6" role="doc">
      <author worker="ChadSellers"/>
      <details>Fix for bz #18727, bz#139744, bz#144696, bz#147915, and bz#190181; other fixes, including from http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions</details>
    </revision>
    <revision date="2006-04-07" number="1.5.5" role="doc">
      <author worker="KarstenWade"/>
      <details>Fix for bz #188219; legal notice fix.</details>
    </revision>
    <revision date="2006-03-21" number="1.5.4" role="doc">
      <author worker="ChadSellers"/>
      <details>Updated log file location for FC5 release, added targeted domains FAQ</details>
    </revision>
    <revision date="2006-03-21" number="1.5.3" role="doc">
      <author worker="ChadSellers"/>
      <details>Numerous content updates for FC5 release</details>
    </revision>
    <revision date="2006-02-10" number="1.5.2" role="doc">
      <author worker="PaulWFrields"/>
      <details>Make admonition more easily maintainable</details>
    </revision>
    <revision date="2006-02-05" number="1.5.1" role="doc">
      <author worker="PaulWFrields"/>
      <details>Style and readability editing; some element clarifications</details>
    </revision>
    <revision date="2006-02-03" number="1.5" role="doc">
      <author worker="ChadSellers"/>
      <details>First round of editing.</details>
    </revision>
  </changelog>
</rpm-info>
--- NEW FILE selinux-faq.xml ---
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [

<!-- *************** Bring in Fedora entities *************** -->
<!ENTITY % FDP-ENTITIES SYSTEM "fdp-entities.ent">
%FDP-ENTITIES;

<!ENTITY % DOCUMENT-ENTITIES SYSTEM "doc-entities.ent">
%DOCUMENT-ENTITIES;

]>

<!-- test content -->

<article id="selinux-faq" lang="en">
  <xi:include href="fdp-info.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
    <xi:fallback>WHERE IS MY FDP-INFO, DUDE</xi:fallback>
  </xi:include>
  <section id="sn-selinux-faq">
    <title>&SEL; Notes and FAQ</title>
    <para>
      The information in this FAQ is valuable for those who are new to &SEL;. It is also valuable if you are new to the latest &SEL; implementation in &FC;, since some of the behavior may be different from what you have experienced.
    </para>
    <note>
      <title>This FAQ is specific to &FC; &LOCALVER;</title>
      <para>
        If you are looking for the FAQ for other versions of &FC;, refer to <ulink url="http://fedora.redhat.com/docs/selinux-faq/"/>.
      </para>
    </note>
    <para>
      For more information about how &SEL; works, how to use &SEL; for general and specific Linux distributions, and how to write policy, these resources are useful:
    </para>
    <itemizedlist id="external-link-list">
      <title>External Link List</title>
      <listitem>
        <para>
          NSA &SEL; main website — <ulink url="http://www.nsa.gov/selinux/"/>
        </para>
      </listitem>
      <listitem>
        <para>
          NSA &SEL; FAQ — <ulink url="http://www.nsa.gov/selinux/info/faq.cfm"/>
        </para>
      </listitem>
      <listitem>
        <para>
          &SEL; community page — <ulink url="http://selinux.sourceforge.net"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Unofficial FAQ — <ulink url="http://www.crypt.gen.nz/selinux/faq.html"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Writing traditional SE Linux policy HOWTO — <ulink url="https://sourceforge.net/docman/display_doc.php?docid=21959&amp;group_id=21266"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Reference Policy (the new policy found in &FC; 5) — <ulink url="http://serefpolicy.sourceforge.net/"/>
        </para>
      </listitem>
      <listitem>
        <para>
          SELinux policy development training courses — <ulink url="http://tresys.com/services/training.shtml"/> and <ulink url="https://www.redhat.com/training/security/courses/rhs429.html"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Getting Started with SE Linux HOWTO: the new SE Linux (Debian) — <ulink url="https://sourceforge.net/docman/display_doc.php?docid=20372&amp;group_id=21266"/>
        </para>
      </listitem>
      <listitem>
        <para>
          List of SELinux object classes and permissions — <ulink url="http://tresys.com/selinux/obj_perms_help.shtml"/>
        </para>
      </listitem>
      <listitem>
        <para>
          On IRC — irc.freenode.net, #fedora-selinux
        </para>
      </listitem>
      <listitem>
        <para>
          &FED; mailing list — <ulink url="mailto:fedora-selinux-list@redhat.com"/>; read the archives or subscribe at <ulink url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list"/>
        </para>
      </listitem>
    </itemizedlist>
    <tip>
      <title>Making changes/additions to the &FED; &SEL; FAQ</title>
      <para>
        This FAQ is available at <ulink url="http://fedora.redhat.com/docs/selinux-faq-fc5/">http://fedora.redhat.com/docs/selinux-faq-fc5/</ulink>.
      </para>
      <para>
        For changes or additions to the &FED; &SEL; FAQ, use this <ulink url="&BUG-URL;">bugzilla template</ulink>, which pre-fills most of the bug report. Patches should be a <command>diff -u</command> against the XML, which is available from CVS (refer to <ulink url="http://fedora.redhat.com/projects/docs/"/> for details on obtaining the fedora-docs/selinux-faq module from anonymous CVS; you can get just the <filename>fedora-docs/selinux-faq</filename> module if you don't want the entire <filename>fedora-docs</filename> tree). Otherwise, plain text showing before and after is sufficient.
      </para>
      <para>
        For a list of all bug reports filed against this FAQ, refer to <ulink url="https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=118757">https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=118757</ulink>.
      </para>
    </tip>
    <qandaset defaultlabel="qanda" id="selinux-faq-list">
      <?dbhtml toc="1"?>
      <qandadiv id="faq-div-understanding-selinux">
        <title>Understanding &SEL;</title>
        <qandaentry>
          <question>
            <para>
              What is &SEL;?
            </para>
          </question>
          <answer>
            <para>
              &SEL; (<firstterm>Security-Enhanced Linux</firstterm>) in &FC; is an implementation of <firstterm>mandatory access control</firstterm> in the Linux kernel using the <firstterm>Linux Security Modules</firstterm> (<abbrev>LSM</abbrev>) framework. Standard Linux security is a <firstterm>discretionary access control</firstterm> model.
            </para>
            <variablelist>
              <varlistentry>
                <term>Discretionary access control (<abbrev>DAC</abbrev>)</term>
                <listitem>
                  <para>
                    DAC is standard Linux security, and it provides no protection from broken software or malware running as a normal user or root. Users can grant risky levels of access to files they own.
                  </para>
                </listitem>
              </varlistentry>
              <varlistentry>
                <term>Mandatory access control (<abbrev>MAC</abbrev>)</term>
                <listitem>
                  <para>
                    MAC provides full control over all interactions of software. Administratively defined policy closely controls user and process interactions with the system, and can provide protection from broken software or malware running as any user.
                  </para>
                </listitem>
              </varlistentry>
            </variablelist>
            <para>
              In a DAC model, file and resource decisions are based solely on user identity and ownership of the objects. Each user, and each program run by that user, has complete discretion over the user's objects. Malicious or flawed software can do anything with the files and resources it controls through the user that started the process. If the user is the super-user or the application is <command>setuid</command> or <command>setgid</command> to root, the process can have root-level control over the entire file system.
            </para>
            <para>
              A MAC system does not suffer from these problems. First, you can administratively define a security policy over all processes and objects. Second, you control all processes and objects, in the case of &SEL; through the kernel. Third, decisions are based on all the security-relevant information available, and not just
[...2335 lines suppressed...]
            </para>
          </answer>
        </qandaentry>
        <qandaentry>
          <question>
            <para>
              I am setting up swapping to a file, but I am seeing AVC messages in my log files. Why?
            </para>
          </question>
          <answer>
            <para>
              You need to identify the swapfile to SELinux by setting its file context to <computeroutput>swapfile_t</computeroutput>.
            </para>
            <screen>
<command>chcon -t swapfile_t <replaceable>SWAPFILE</replaceable></command>
            </screen>
          </answer>
        </qandaentry>
        <qandaentry>
          <question>
            <para>
              Can you explain the <computeroutput>relabelto</computeroutput>/<computeroutput>relabelfrom</computeroutput> permissions?
            </para>
          </question>
          <answer>
            <para>
              For files, <computeroutput>relabelfrom</computeroutput> means "Can domain D relabel a file from (i.e. currently in) type T1?" and <computeroutput>relabelto</computeroutput> means "Can domain D relabel a file to type T2?", so both checks are applied upon a file relabeling, where T1 is the original type of the file and T2 is the new type specified by the program.
            </para>
            <para>
              Useful documents to look at:
            </para>
            <itemizedlist>
              <listitem>
                <para>
                  Object class and permission summary by Tresys <ulink url="http://tresys.com/selinux/obj_perms_help.shtml"/>
                </para>
              </listitem>
              <listitem>
                <para>
                  Implementing SELinux as an LSM technical report (describes permission checks on a per-hook basis) <ulink url="http://www.nsa.gov/selinux/papers/module-abs.cfm"/>. This is also available in the selinux-doc package (and more up-to-date there).
                </para>
              </listitem>
              <listitem>
                <para>
                  Integrating Flexible Support for Security Policies into the Linux Operating System - technical report (describes original design and implementation, including summary tables of classes, permissions, and what permission checks are applied to what system calls. It is not entirely up-to-date with the current implementation, but a good resource nonetheless). <ulink url="http://www.nsa.gov/selinux/papers/slinux-abs.cfm"/>
                </para>
              </listitem>
            </itemizedlist>
          </answer>
        </qandaentry>
      </qandadiv>
      <qandadiv id="faq-div-deploying-selinux">
        <title>Deploying &SEL;</title>
        <qandaentry>
          <question>
            <para>
              What file systems can I use for &SEL;?
            </para>
          </question>
          <answer>
            <para>
              The file system must support <computeroutput>xattr</computeroutput> labels in the right <parameter>security.*</parameter> namespace. In addition to ext2/ext3, XFS has recently added support for the necessary labels.
            </para>
            <para>
              Note that XFS SELinux support is broken in upstream kernels 2.6.14 and 2.6.15, but fixed (worked around) in 2.6.16. Your kernel must include this fix if you choose to use XFS with &SEL;.
            </para>
          </answer>
        </qandaentry>
        <qandaentry>
          <question>
            <para>
              How does &SEL; impact system performance?
            </para>
          </question>
          <answer>
            <para>
              This is a variable that is hard to measure, and is heavily dependent on the tuning and usage of the system running &SEL;. When performance was last measured, the impact was around 7% for completely untuned code. Subsequent changes in system components such as networking are likely to have made that worse in some cases. &SEL; performance tuning continues to be a priority of the development team.
            </para>
          </answer>
        </qandaentry>
        <qandaentry>
          <question>
            <para>
              What types of deployments, applications, and systems should I leverage &SEL; in?
            </para>
          </question>
          <answer>
            <para>
              Initially, &SEL; has been used on Internet-facing servers that are performing a few specialized functions, where it is critical to keep extremely tight security. Administrators typically strip such a box of all extra software and services, and run a very small, focused set of services. A Web server or mail server is a good example.
            </para>
            <para>
              In these edge servers, you can lock down the policy very tightly. The smaller number of interactions with other components makes such a lockdown easier. A dedicated system running a specialized third-party application would also be a good candidate.
            </para>
            <para>
              In the future, &SEL; will be targeted at all environments. In order to achieve this goal, the community and <firstterm>independent software vendors</firstterm> (<abbrev>ISV</abbrev>s) must work with the &SEL; developers to produce the necessary policy. So far, a very restrictive <firstterm>strict policy</firstterm> has been written, as well as a <firstterm>targeted policy</firstterm> that focuses on specific, vulnerable daemons.
            </para>
            <para>
              For more information about these policies, refer to <xref linkend="qa-whatis-policy"/> and <xref linkend="qa-whatis-targeted-policy"/>.
            </para>
          </answer>
        </qandaentry>
        <qandaentry>
          <question>
            <para>
              How does &SEL; affect third-party applications?
            </para>
          </question>
          <answer>
            <para>
              One goal of implementing a targeted &SEL; policy in &FC; is to allow third-party applications to work without modification. The targeted policy is transparent to those unaddressed applications, and it falls back on standard Linux DAC security. These applications, however, will not be running in an extra-secure manner. You or another provider must write policy to protect these applications with MAC security.
            </para>
            <para>
              It is impossible to predict how every third-party application might behave with &SEL;, even running the targeted policy. You may be able to fix issues that arise by changing the policy. You may find that &SEL; exposes previously unknown security issues with your application. You may have to modify the application to work under &SEL;.
            </para>
            <para>
              Note that with the addition of <xref linkend="faq-entry-whatare-policy-modules"/>, it is now possible for third-party developers to include policy modules with their application. If you are a third-party developer or a package maintainer, please consider including a policy module in your package. This will allow you to secure the behavior of your application with the power of &SEL; for any user installing your package.
            </para>
            <para>
              One important value that &FC; testers and users bring to the community is extensive testing of third-party applications. With that in mind, please bring your experiences to the appropriate mailing list, such as the fedora-selinux list, for discussion. For more information about that list, refer to <ulink url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list/"/>.
            </para>
          </answer>
        </qandaentry>
      </qandadiv>
    </qandaset>
  </section>
</article>
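The relabelfrom/relabelto answer in the FAQ above says that one relabel triggers two checks made against two different types: the file's current type (T1) for relabelfrom and the requested new type (T2) for relabelto. The Python script below is an added example, not part of the FAQ or of Fedora's own tooling. It parses AVC records of the standard `avc: denied { perm } for ... scontext= tcontext= tclass=` shape and, for relabel denials, reports which of the two checks failed and which type it was checked against, which is what an administrator needs to know after a `chcon -t swapfile_t SWAPFILE` is refused. The log lines are constructed for this example; the type names `file_t`, `unconfined_t`, `httpd_t` and `user_home_t` and the pid/inode values are illustrative.

```python
"""Classify SELinux AVC denials and explain relabel failures in the terms
the FAQ uses: relabelfrom is checked against the file's current type (T1),
relabelto against the new type the program asked for (T2).
Added example; the log lines below are constructed, not real audit output."""
import re
from dataclasses import dataclass
from typing import Optional

# Generic shape of a kernel AVC record (audit.log / dmesg). The fields after
# "for" vary per object class, so they are captured as one blob and split later.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str              # "denied" or "granted"
    perms: list[str]         # permissions named inside the braces
    fields: dict[str, str]   # pid, comm, name, dev, ino, ...
    scontext: str            # source (process) context
    tcontext: str            # target (object) context
    tclass: str              # object class, e.g. file

    @property
    def source_type(self) -> str:
        # user:role:type[:mls]  ->  the type is always the third field
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[Avc]:
    """Return an Avc for a line containing an AVC record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(m.group("result"), m.group("perms").split(), fields,
               m.group("scontext"), m.group("tcontext"), m.group("tclass"))


def explain_relabel(avc: Avc) -> list[str]:
    """Describe each relabel permission in a denial in the FAQ's terms.

    The kernel makes the two checks against different target types, and the
    AVC record reflects that: in a relabelfrom denial tcontext carries the
    file's current type (T1); in a relabelto denial it carries the new type
    the program requested (T2).
    """
    notes = []
    for perm in avc.perms:
        if perm == "relabelfrom":
            notes.append(f"domain {avc.source_type} may not relabel a {avc.tclass} "
                         f"away from its current type {avc.target_type} (T1)")
        elif perm == "relabelto":
            notes.append(f"domain {avc.source_type} may not relabel a {avc.tclass} "
                         f"to the requested type {avc.target_type} (T2)")
    return notes


def suggest_allow_rules(avc: Avc) -> list[str]:
    """Type-enforcement rules that would permit a denied access, for a policy
    author to review before adding any of them to a local policy module."""
    if avc.result != "denied":
        return []
    return [f"allow {avc.source_type} {avc.target_type}:{avc.tclass} {p};"
            for p in avc.perms]


def relabel_denials(log_text: str) -> list[tuple[str, str, str]]:
    """(permission, source type, type it was checked against) for every
    relabelfrom/relabelto denial in the log, in order of appearance."""
    found = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc.result != "denied":
            continue
        for perm in avc.perms:
            if perm in ("relabelfrom", "relabelto"):
                found.append((perm, avc.source_type, avc.target_type))
    return found


# Constructed sample: an unconfined shell running "chcon -t swapfile_t swapfile"
# on a file currently labelled file_t, followed by an unrelated httpd denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1146236730.123:45): avc:  denied  { relabelfrom } for  pid=2314 comm="chcon" name="swapfile" dev=hda2 ino=98765 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1146236731.456:46): avc:  denied  { relabelto } for  pid=2314 comm="chcon" name="swapfile" dev=hda2 ino=98765 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=file
type=AVC msg=audit(1146236740.789:47): avc:  denied  { read } for  pid=2410 comm="httpd" name="index.html" dev=hda2 ino=11111 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        avc = parse_avc(line)
        if avc and any(p.startswith("relabel") for p in avc.perms):
            print(avc.fields.get("comm"), "->", "; ".join(explain_relabel(avc)))
            print("  candidate rules:", suggest_allow_rules(avc))
```

Run against a real audit log the script reads the file instead of `SAMPLE_LOG`; the point to take from the two chcon records is that the second denial names `swapfile_t`, the type being requested, while the first names `file_t`, the type the file already has, so a missing rule can be attributed to the correct check before any policy is changed.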