Author: mdious
Update of /cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23851/selinux-user-guide/f10/en-US
Modified Files:
appe-Security-Enhanced_Linux-Revision_History.html
chap-Security-Enhanced_Linux-Confining_Users.html
chap-Security-Enhanced_Linux-Further_Information.html
chap-Security-Enhanced_Linux-Introduction.html
chap-Security-Enhanced_Linux-SELinux_Contexts.html
chap-Security-Enhanced_Linux-Targeted_Policy.html
chap-Security-Enhanced_Linux-Trademark_Information.html
chap-Security-Enhanced_Linux-Troubleshooting.html
chap-Security-Enhanced_Linux-Working_with_SELinux.html
index.html pr01s02.html
pref-Security-Enhanced_Linux-Preface.html
sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html
sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html
sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html
sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html
sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html
sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html
sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html
sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html
sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html
sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html
sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html
sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html
sect-Security-Enhanced_Linux-Introduction-Examples.html
sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html
sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html
sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html
sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html
sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html
sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html
sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html
sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html
sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html
sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html
sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html
sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html
sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html
sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html
sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html
sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html
sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html
sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html
sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html
sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html
sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html
Added Files:
sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html
sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html
sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html
Log Message:
- updating content for multi-page HTML.
- adding single-page HTML content.
- adding PDF.
- updating index.php to reflect above mentioned changes.
--- NEW FILE sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html ---
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
for NFS and CIFS</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"
title="5.6. Booleans"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"
title="5.6.2. Configuring Booleans"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"
title="5.7. SELinux Contexts - Labeling Files"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">5.6.3. Booleans
for NFS and CIFS</h3></div></div></div><div
class="para">
By default, NFS mounts on the client side are labeled with a default context defined
by policy for NFS file systems; in common policies, this default context uses the <code
class="computeroutput">nfs_t</code> type. Likewise, Samba
shares mounted on the client side are labeled with a default context defined by policy, which
in common policies uses the <code
class="computeroutput">cifs_t</code> type.
</div><div class="para">
Depending on policy configuration, confined services may not be able to read files labeled with
the <code class="computeroutput">nfs_t</code> or <code
class="computeroutput">cifs_t</code> types. Mounting such a file
system still succeeds, but a confined service that then tries to read or export files on it is
denied, and the denial appears in the audit log. Booleans can be turned on or off to control which services are allowed to access
the <code class="computeroutput">nfs_t</code> and <code
class="computeroutput">cifs_t</code> types.
</div><div class="para">
The <code class="command">setsebool</code> and <code
class="command">semanage</code> commands must be run as the Linux root
user. The <code class="command">setsebool -P</code> command makes
persistent changes. Do not use the <code class="option">-P</code>
option if you do not want changes to persist across reboots:
</div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Apache_HTTP_Server">Apache
HTTP Server</h5>
To allow access to NFS file systems (files labeled with the <code
class="computeroutput">nfs_t</code> type):
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P httpd_use_nfs
on</code>
</div><div class="para">
To allow access to Samba file systems (files labeled with the <code
class="computeroutput">cifs_t</code> type):
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P httpd_use_cifs
on</code>
</div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Samba">Samba</h5>
To allow Samba to export NFS file systems (directories labeled with the <code class="computeroutput">nfs_t</code> type):
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P samba_share_nfs
on</code>
</div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-FTP_vsftpd">FTP
(<code class="systemitem">vsftpd</code>)</h5>
To allow access to NFS file systems:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_ftpd_use_nfs
on</code>
</div><div class="para">
To allow access to Samba file systems:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_ftpd_use_cifs
on</code>
</div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Booleans_for_NFS_and_CIFS-Other_Services">Other
Services</h5>
For a list of NFS-related Booleans for other services:
</div><div class="para">
<code class="command">/usr/sbin/semanage boolean -l | grep
nfs</code>
</div><div class="para">
For a list of Samba-related Booleans for other services:
</div><div class="para">
<code class="command">/usr/sbin/semanage boolean -l | grep
cifs</code>
</div><div class="note"><h2>Note</h2><div
class="para">
These Booleans exist in SELinux policy as shipped with Fedora 10. They may not exist
in policy shipped with other versions of Fedora or other operating systems.
</div></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"><strong>Prev</strong>5.6.2. Configuring
Booleans</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Next</strong>5.7. SELinux
Contexts - Labeling Files</a></li></ul></body></html>
--- NEW FILE
sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html
---
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
for Users Executing Applications</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"
title="6.5. xguest: Kiosk Mode"/><link rel="next"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans
for Users Executing Applications</h2></div></div></div><div
class="para">
Preventing Linux users from executing applications in their home directories and <code class="filename">/tmp/</code>,
which they have write access to, helps stop flawed or malicious applications (which run
with the user's permissions) from modifying files that the user owns. In Fedora 10, by default, Linux users in the <code
class="computeroutput">guest_t</code> and <code
class="computeroutput">xguest_t</code> domains can not execute
applications in their home directories or <code
class="filename">/tmp/</code>; however, by default, Linux users in the
<code class="computeroutput">user_t</code> and <code
class="computeroutput">staff_t</code> domains can.
</div><div class="para">
Booleans are available to change this behavior, and are configured with the <code
class="command">setsebool</code> command. The <code
class="command">setsebool</code> command must be run as the Linux root
user. The <code class="command">setsebool -P</code> command makes
persistent changes. Do not use the <code class="option">-P</code>
option if you do not want changes to persist across reboots:
</div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-guest_t">guest_t</h5>
To <span class="emphasis"><em>allow</em></span>
Linux users in the <code class="computeroutput">guest_t</code>
domain to execute applications in their home directories and <code
class="filename">/tmp/</code>:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_guest_exec_content
on</code>
</div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-xguest_t">xguest_t</h5>
To <span class="emphasis"><em>allow</em></span>
Linux users in the <code class="computeroutput">xguest_t</code>
domain to execute applications in their home directories and <code
class="filename">/tmp/</code>:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_xguest_exec_content
on</code>
</div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-user_t">user_t</h5>
To <span class="emphasis"><em>prevent</em></span>
Linux users in the <code class="computeroutput">user_t</code> domain
from executing applications in their home directories and <code
class="filename">/tmp/</code>:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_user_exec_content
off</code>
</div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Booleans_for_Users_Executing_Applications-staff_t">staff_t</h5>
To <span class="emphasis"><em>prevent</em></span>
Linux users in the <code class="computeroutput">staff_t</code>
domain from executing applications in their home directories and <code
class="filename">/tmp/</code>:
</div><div class="para">
<code class="command">/usr/sbin/setsebool -P allow_staff_exec_content
off</code>
</div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Prev</strong>6.5. xguest:
Kiosk Mode</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"><strong>Next</strong>Chapter 7. Troubleshooting</a></li></ul></body></html>
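Sections 5.6.3 (Booleans for NFS and CIFS) and 6.6 (Booleans for Users Executing Applications) both come down to the same operation: compare the current value of a named Boolean with the value you want, and run `setsebool -P` only where the two differ. The POSIX shell function below is an added example and is not part of the Fedora SELinux guide or of Fedora's own tooling. It takes a desired-state list and the output of `getsebool -a` (a real command; its `name --> state` line format is what the function parses), prints the `setsebool -P` commands that would bring the system in line, and flags any Boolean the loaded policy does not define, which is the cross-release caveat the note in 5.6.3 raises. The function name `plan_setsebool`, the desired-state list, and the `getsebool -a` sample are all constructed for this example; the Boolean names are the ones the two sections use.

```shell
#!/bin/sh
# Added example (not from the Fedora SELinux guide): audit SELinux
# Booleans against a desired state and print the setsebool commands
# needed to converge. Runs offline on the constructed sample below;
# against a live system pass "$(getsebool -a)" as the second argument.

# Desired state, one "<boolean> <on|off>" per line. Assumed policy for
# this example: a web server that serves content from NFS, must not reach
# CIFS shares, and whose interactive users may not run programs from
# their home directories or /tmp (Booleans from sections 5.6.3 and 6.6).
DESIRED='httpd_use_nfs on
httpd_use_cifs off
allow_ftpd_use_nfs on
allow_user_exec_content off
allow_staff_exec_content off
allow_guest_exec_content off'

# Constructed sample of `getsebool -a` output ("<boolean> --> <state>").
SAMPLE_GETSEBOOL='allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_guest_exec_content --> off
allow_staff_exec_content --> on
allow_user_exec_content --> on
allow_xguest_exec_content --> off
httpd_use_cifs --> on
httpd_use_nfs --> off
samba_share_nfs --> off'

# plan_setsebool DESIRED CURRENT
#   Prints one "setsebool -P <boolean> <state>" line per Boolean whose
#   current value differs from the desired one, in DESIRED order.
#   Exit status: 0 nothing to change, 1 at least one Boolean drifts,
#   2 a desired Boolean is absent from CURRENT (not defined in the loaded
#   policy) or its requested state is not "on" or "off".
plan_setsebool() {
    desired=$1
    current=$2
    rc=0
    # The here-document keeps the loop in the current shell, so rc
    # set inside the loop survives after it.
    while read -r name want; do
        [ -n "$name" ] || continue
        case $want in
            on|off) ;;
            *) printf '# %s: state must be on or off, not "%s"\n' "$name" "$want"
               return 2 ;;
        esac
        # Field 3 of "name --> state" is the current value; it is empty
        # when the Boolean does not exist in the loaded policy.
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            printf '# %s: not defined in the loaded policy, skipping\n' "$name"
            rc=2
        elif [ "$have" != "$want" ]; then
            printf 'setsebool -P %s %s\n' "$name" "$want"
            [ "$rc" -ne 0 ] || rc=1
        fi
    done <<EOF
$desired
EOF
    return "$rc"
}

# Stand-alone run against the constructed sample. Review the printed
# commands, then run them as root; drop -P for a change that should not
# survive a reboot.
plan_setsebool "$DESIRED" "$SAMPLE_GETSEBOOL" \
    || echo "# exit status $? (1 = changes needed, 2 = unknown Boolean or bad state)"
```

On a live Fedora 10 system the call is `plan_setsebool "$DESIRED" "$(getsebool -a)"`, run as root once you are ready to apply the printed commands. The function deliberately prints rather than executes: a Boolean flip with `-P` rewrites the persistent policy configuration, so the diff should be reviewed first, and on another release a name that is reported as "not defined" should be looked up with `semanage boolean -l` instead of being assumed.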
--- NEW FILE
sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html ---
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g... on
Other Operating Systems</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"
title="2.3. SELinux Architecture"/><link rel="next"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"
title="Chapter 3. SELinux Contexts"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux
on Other Operating Systems</h2></div></div></div><div
class="para">
Refer to the following for information about running SELinux on other operating systems:
</div><div class="itemizedlist"><ul><li><div
class="para">
Hardened Gentoo: <a
href="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handboo...;.
</div></li><li><div class="para">
Debian: <a
href="http://wiki.debian.org/SELinux">http://wiki.debian.org...;.
</div></li><li><div class="para">
Ubuntu: <a
href="https://wiki.ubuntu.com/SELinux">https://wiki.ubuntu.c...
and <a
href="https://help.ubuntu.com/community/SELinux">https://hel...;.
</div></li><li><div class="para">
Red Hat Enterprise Linux: <a
href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/...
Hat Enterprise Linux Deployment Guide</a> and <a
href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/se...
Hat Enterprise Linux 4 SELinux Guide</a>.
</div></li><li><div class="para">
Fedora: <a
href="http://fedoraproject.org/wiki/SELinux">http://fedorapr...
and the <a
href="http://docs.fedoraproject.org/selinux-faq-fc5/">Fedora
Core 5 SELinux FAQ</a>.
</div></li></ul></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"><strong>Prev</strong>2.3. SELinux
Architecture</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Next</strong>Chapter 3. SELinux
Contexts</a></li></ul></body></html>
Index: appe-Security-Enhanced_Linux-Revision_History.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/appe-Security-Enhanced_Linux-Revision_History.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- appe-Security-Enhanced_Linux-Revision_History.html 24 Nov 2008 23:53:52 -0000 1.2
+++ appe-Security-Enhanced_Linux-Revision_History.html 24 Jan 2009 03:48:02 -0000 1.3
@@ -1,8 +1,12 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
History</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Further_Information.html"
title="Chapter 8. Further Information"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>Appendix A. Revision
History</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Further_Information.html"><strong>Prev</strong></a></li><li
class="next"/></ul><div class="appendix"
lang="en-US"><div
class="titlepage"><div><div><h1
id="appe-Security-Enhanced_Linux-Revision_History"
class="title">Revision
History</h1></div></div></div><p>
- <div class="revhistory"><table border="0"
width="100%" summary="Revision history"><tr><th
align="left" valign="top" colspan="3"><b>Revision
History</b></th></tr><tr><td align="left">Revision
1.0</td><td align="left">Tuesday November 25 2008</td><td
align="left"><span class="author"><span
class="firstname">Murray</span> <span
class="surname">McAllister</span></span></td></tr><tr><td
align="left" colspan="3">
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
History</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Further_Information.html"
title="Chapter 8. Further Information"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Further_Information.html"><strong>Prev</strong></a
</li><li class="next"/></ul><div
class="appendix" lang="en-US"><div
class="titlepage"><div><div><h1
id="appe-Security-Enhanced_Linux-Revision_History"
class="title">Revision
History</h1></div></div></div><div class="para">
+ <div class="revhistory"><table border="0"
width="100%" summary="Revision history"><tr><th
align="left" valign="top" colspan="3"><b>Revision
History</b></th></tr><tr><td align="left">Revision
1.2</td><td align="left">Mon Jan 19 2009</td><td
align="left"><span class="author"><span
class="firstname">Murray</span> <span
class="surname">McAllister</span></span></td></tr><tr><td
align="left" colspan="3">
+ <table class="simplelist" border="0" summary="Simple
list"><tr><td>Updating hyperlinks to NSA
websites</td></tr></table>
+ </td></tr><tr><td align="left">Revision
1.1</td><td align="left">Sat Dec 6 2008</td><td
align="left"><span class="author"><span
class="firstname">Murray</span> <span
class="surname">McAllister</span></span></td></tr><tr><td
align="left" colspan="3">
+ <table class="simplelist" border="0" summary="Simple
list"><tr><td>Resolving <a
href="https://bugzilla.redhat.com/show_bug.cgi?id=472986">Red Hat Bugzilla
#472986, "httpd does not write to
/etc/httpd/logs/"</a></td></tr><tr><td>Added new
section, "6.6. Booleans for Users Executing
Applications"</td></tr><tr><td>Minor text
revisions</td></tr></table>
+ </td></tr><tr><td align="left">Revision
1.0</td><td align="left">Tue Nov 25 2008</td><td
align="left"><span class="author"><span
class="firstname">Murray</span> <span
class="surname">McAllister</span></span></td></tr><tr><td
align="left" colspan="3">
<table class="simplelist" border="0" summary="Simple
list"><tr><td>Initial content release on <a
href="http://docs.fedoraproject.org/">http://docs.fedoraproj...
</td></tr></table></div>
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Further_Information.html"><strong>Prev</strong>Chapter 8. Further
Information</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Further_Information.html"><strong>Prev</strong>Chapter 8. Further
Information</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li></ul></body></html>
\ No newline at end of file
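Review bot: the package metadata and the revision table in this hunk now disagree: the file declares `content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"`, but the newest row added to the revhistory is "Revision 1.2 / Mon Jan 19 2009 / Updating hyperlinks to NSA websites"; either bump the package to 1.2-1 or make 1.1 the top entry so the rendered page and the published package agree. Related: the 1.2 entry records only the NSA link update, yet this commit also adds 5.6.3 (Booleans for NFS and CIFS) and 2.4 (SELinux on Other Operating Systems) as new files, while only 6.6 is credited, under 1.1, so the history under-reports what changed. The markup change itself is right: the old page nested `<div class="revhistory">` inside `<p>`, which the XHTML 1.0 Strict DOCTYPE this file declares does not allow, and wrapping it in `<div class="para">` fixes that.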
Index: chap-Security-Enhanced_Linux-Confining_Users.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Confining_Users.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Confining_Users.html 24 Nov 2008 22:43:10 -0000 1.1
+++ chap-Security-Enhanced_Linux-Confining_Users.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,19 +1,19 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Users</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"
title="5.10.5. Archiving Files with star"/><link rel="next"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"
title="6.2. Confining New Linux Users:
useradd"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>Chapter 6. Confining
Users</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archivi
ng_Files_with_star.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Confining_Users">Chapter 6. Confining
Users</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Confining_Users.html#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1.
Linux and SELinux User Mappings</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html">6.2.
Confining New Linux Users: useradd</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html">6.3.
Confining Existing Linux Users: semanage
login</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html">6.4.
Changing the Default Mapping</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html">6.5.
xguest: Kiosk Mode</a></span></dt></dl></div><p>
- A number of confined SELinux users are available in Fedora 10. Each Linux user is
mapped to an SELinux user via SELinux policy, allowing Linux users to inherit the
restrictions on SELinux users, for example (depending on the user), not being able to: run
the X Window System, use networking, run setuid applications (unless SELinux policy
permits it), or run the <code class="command">su</code> and <code
class="command">sudo</code> commands to become the Linux root user.
This helps protect the system from the user. Refer to <a class="xref"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"
title="4.3. Confined and Unconfined Users">Section 4.3, “Confined and
Unconfined Users”</a> for further information about confined users in Fedora 10.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux
and SELinux User Mappings</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Users</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"
title="5.10.5. Archiving Files with star"/><link rel="next"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"
title="6.2. Confining New Linux Users: useradd"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/i
mage_right.png" alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Confining_Users">Chapter 6. Confining
Users</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Confining_Users.html#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1.
Linux and SELinux User Mappings</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html">6.2.
Confining New Linux Users: useradd</a></span></dt>
<dt><span class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html">6.3.
Confining Existing Linux Users: semanage
login</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html">6.4.
Changing the Default Mapping</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html">6.5.
xguest: Kiosk Mode</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html">6.6.
Booleans for Users Executing
Applications</a></span></dt></dl></div><div
class="para">
+ A number of confined SELinux users are available in Fedora 10. Each Linux user is
mapped to an SELinux user via SELinux policy, allowing Linux users to inherit the
restrictions on SELinux users, for example (depending on the user), not being able to: run
the X Window System; use networking; run setuid applications (unless SELinux policy
permits it); or run the <code class="command">su</code> and <code
class="command">sudo</code> commands to become the Linux root user.
This helps protect the system from the user. Refer to <a
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"
title="4.3. Confined and Unconfined Users">Section 4.3, “Confined and
Unconfined Users”</a> for further information about confined users in Fedora 10.
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux
and SELinux User Mappings</h2></div></div></div><div
class="para">
As the Linux root user, run the <code class="command">semanage login
-l</code> command to view the mapping between Linux users and SELinux users:
- </p><pre class="screen"># /usr/sbin/semanage login -l
+ </div><pre class="screen"># /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
-</pre><p>
+</pre><div class="para">
In Fedora 10, Linux users are mapped to the SELinux <code
class="computeroutput">__default__</code> login by default (which is
mapped to the SELinux <code
class="computeroutput">unconfined_u</code> user). When a Linux user is
created with the <code class="command">useradd</code> command, if no
options are specified, they are mapped to the SELinux <code
class="computeroutput">unconfined_u</code> user. The following defines
the default-mapping:
- </p><pre class="screen">
+ </div><pre class="screen">
__default__ unconfined_u s0-s0:c0.c1023
</pre></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Prev</strong>5.10.5. Archiving
Files with star</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Next</strong>6.2. Confining
New Linux Users: useradd</a></li></ul></body></html>
\ No newline at end of file
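Review bot: in this hunk only the closing tags of the paragraph wrappers change (`- </p><pre class="screen">` becomes `+ </div><pre class="screen">` in three places) while the matching `<div class="para">` openers sit in unchanged context, so as the diff shows, revision 1.1 shipped `<div class="para">...</p>` mismatches that an XHTML 1.0 Strict parser rejects; before committing, run the generated files through a well-formedness check (for example `xmllint --noout` over the en-US directory) to confirm no other `</p>` closer for a `div.para` opener remains. The added paragraph beginning "A number of confined SELinux users are available in Fedora 10" reads well, but its list of inherited restrictions is stated as examples only; a sentence pointing out that the exact restrictions depend on which SELinux user the Linux user is mapped to (as the `semanage login -l` output below shows for `__default__`) would make the link between the prose and the listing explicit.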
Index: chap-Security-Enhanced_Linux-Further_Information.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Further_Information.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Further_Information.html 24 Nov 2008 22:43:10 -0000 1.1
+++ chap-Security-Enhanced_Linux-Further_Information.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,54 +1,54 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Information</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"
title="7.3.8. Allowing Access: audit2allow"/><link rel="next"
href="appe-Security-Enhanced_Linux-Revision_History.html"
title="Appendix A. Revision History"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>Chapter 8. Further
Information</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Prev</strong></a></l
i><li class="next"><a accesskey="n"
href="appe-Security-Enhanced_Linux-Revision_History.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Further_Information">Chapter 8. Further
Information</h2></div></div></div><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-The_National_Security_Agency_NSA">The
National Security Agency (NSA)</h5>
- From the NSA <a
href="http://www.nsa.gov/selinux/info/contrib.cfm">Contributors to
SELinux</a> page:
- <p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Information</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"
title="7.3.8. Allowing Access: audit2allow"/><link rel="next"
href="appe-Security-Enhanced_Linux-Revision_History.html"
title="Appendix A. Revision History"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a><
/p><ul class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="appe-Security-Enhanced_Linux-Revision_History.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Further_Information">Chapter 8. Further
Information</h2></div></div></div><div
class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-The_National_Security_Agency_NSA">The
National Security Agency (NSA)</h5>
+ From the NSA <a
href="http://www.nsa.gov/research/selinux/contrib.shtml">Con... to
SELinux</a> page:
+ </div><div class="para">
<span class="emphasis"><em>Researchers in NSA's National
Information Assurance Research Laboratory (NIARL) designed and implemented flexible
mandatory access controls in the major subsystems of the Linux kernel and implemented the
new operating system components provided by the Flask architecture, namely the security
server and the access vector cache. The NSA researchers reworked the LSM-based SELinux for
inclusion in Linux 2.6. NSA has also led the development of similar controls for the X
Window System (XACE/XSELinux) and for Xen (XSM/Flask).</em></span>
- </p><div class="itemizedlist"><ul><li><p>
- Main SELinux website: <a
href="http://www.nsa.gov/selinux/">http://www.nsa.gov/selinu...;.
- </p></li><li><p>
- SELinux documentation: <a
href="http://www.nsa.gov/selinux/info/docs.cfm">http://www.n...;.
- </p></li><li><p>
- SELinux background: <a
href="http://www.nsa.gov/selinux/info/">http://www.nsa.gov/s...;.
- </p></li></ul></div><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-Tresys_Technology">Tresys
Technology</h5>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
+ Main SELinux website: <a
href="http://www.nsa.gov/research/selinux/index.shtml">http:...;.
+ </div></li><li><div class="para">
+ SELinux documentation: <a
href="http://www.nsa.gov/research/selinux/docs.shtml">http:/...;.
+ </div></li><li><div class="para">
+ SELinux background: <a
href="http://www.nsa.gov/research/selinux/background.shtml">...;.
+ </div></li></ul></div><div
class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-Tresys_Technology">Tresys
Technology</h5>
<a
href="http://www.tresys.com/">Tresys Technology</a> are the
upstream for:
- <div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
<a
href="http://userspace.selinuxproject.org/trac/">SELinux userland
libraries and tools</a>.
- </p></li><li><p>
+ </div></li><li><div class="para">
<a
href="http://oss.tresys.com/projects/refpolicy">SELinux Reference
Policy</a>.
- </p></li></ul></div><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-SELinux_News">SELinux
News</h5>
- <div class="itemizedlist"><ul><li><p>
+ </div></li></ul></div><div
class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-SELinux_News">SELinux
News</h5>
+ <div class="itemizedlist"><ul><li><div
class="para">
News: <a
href="http://selinuxnews.org/wp/">http://selinuxnews.org/wp/...;.
- </p></li><li><p>
+ </div></li><li><div class="para">
Planet SELinux (blogs): <a
href="http://selinuxnews.org/planet/">http://selinuxnews.org...;.
- </p></li></ul></div>
- <h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-SELinux_Project_Wiki">SELinux
Project Wiki</h5>
- <div class="itemizedlist"><ul><li><p>
+ </div></li></ul></div>
+ </div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-SELinux_Project_Wiki">SELinux
Project Wiki</h5>
+ <div class="itemizedlist"><ul><li><div
class="para">
Main page: <a
href="http://selinuxproject.org/page/Main_Page">http://selin...;.
- </p></li><li><p>
+ </div></li><li><div class="para">
User resources, including links to documentation, mailing lists, websites, and
tools: <a
href="http://selinuxproject.org/page/User_Resources">http://...;.
- </p></li></ul></div>
- <h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-Red_Hat_Enterprise_Linux">Red
Hat Enterprise Linux</h5>
- <div class="itemizedlist"><ul><li><p>
+ </div></li></ul></div>
+ </div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-Red_Hat_Enterprise_Linux">Red
Hat Enterprise Linux</h5>
+ <div class="itemizedlist"><ul><li><div
class="para">
The <a
href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/...
Hat Enterprise Linux Deployment Guide</a> contains an SELinux <a
href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/...
section, that has links to SELinux tutorials, general information, and the technology
behind SELinux.
- </p></li><li><p>
+ </div></li><li><div class="para">
The <a
href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/se...
Hat Enterprise Linux 4 SELinux Guide</a>.
- </p></li></ul></div>
- <h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-Fedora">Fedora</h5>
- <div class="itemizedlist"><ul><li><p>
+ </div></li></ul></div>
+ </div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-Fedora">Fedora</h5>
+ <div class="itemizedlist"><ul><li><div
class="para">
Main page: <a
href="http://fedoraproject.org/wiki/SELinux">http://fedorapr...;.
- </p></li><li><p>
+ </div></li><li><div class="para">
Troubleshooting: <a
href="http://fedoraproject.org/wiki/SELinux/Troubleshooting">...;.
- </p></li><li><p>
+ </div></li><li><div class="para">
Fedora Core 5 SELinux FAQ: <a
href="http://docs.fedoraproject.org/selinux-faq-fc5/">http:/...;.
- </p></li></ul></div>
- <h5 class="formalpara" id="d0e6654">The UnOfficial SELinux
FAQ</h5>
+ </div></li></ul></div>
+ </div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-The_UnOfficial_SELinux_FAQ">The
UnOfficial SELinux FAQ</h5>
<a
href="http://www.crypt.gen.nz/selinux/faq.html">http://www.crypt.gen.nz/selinux/faq.html</a>
- <h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-IRC">IRC</h5>
+ </div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Further_Information-IRC">IRC</h5>
On <a
href="http://freenode.net/">Freenode</a>:
- <div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
#selinux
- </p></li><li><p>
+ </div></li><li><div class="para">
#fedora-selinux
- </p></li></ul></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Prev</strong>7.3.8. Allowing
Access: audit2allow</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="appe-Security-Enhanced_Linux-Revision_History.html"><strong>Next</strong>Appendix A. Revision
History</a></li></ul></body></html>
\ No newline at end of file
+ </div></li></ul></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Prev</strong>7.3.8. Allowing
Access: audit2allow</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="appe-Security-Enhanced_Linux-Revision_History.html"><strong>Next</strong>Appendix A. Revision
History</a></li></ul></body></html>
\ No newline at end of file
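Review bot: the heading id for the UnOfficial SELinux FAQ changes from the auto-generated `id="d0e6654"` to `id="form-Security-Enhanced_Linux-Further_Information-The_UnOfficial_SELinux_FAQ"`, which is the right direction (stable anchors survive rebuilds) but silently breaks any existing link to `#d0e6654`; grep the rest of the guide and the published index for that anchor before dropping it, or keep an empty `<a id="d0e6654"/>` beside the new heading for one release. The four NSA links move from `http://www.nsa.gov/selinux/...` to `http://www.nsa.gov/research/selinux/...` (contributors page, main site, documentation, background); nothing in the hunk records that the new targets were fetched, so confirm each resolves rather than assuming the path scheme is uniform across them. Minor: `<body class="">` introduces an empty attribute that carries no information and is generator noise that can be dropped.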
Index: chap-Security-Enhanced_Linux-Introduction.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Introduction.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Introduction.html 24 Nov 2008 22:43:10 -0000 1.1
+++ chap-Security-Enhanced_Linux-Introduction.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,48 +1,48 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"
title="Chapter 1. Trademark Information"/><link rel="next"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"
title="2.2. Examples"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>Chapter 2. Introduction</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-
Introduction-Examples.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Introduction">Chapter 2. Introduction</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1.
Benefits of running SELinux</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-Examples.html">2.2.
Examples</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html">2.3.
SELinux Architecture</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html">2.4.
SELinux on Other Operating
Systems</a></span></dt></dl></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"
title="Chapter 1. Trademark Information"/><link rel="next"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"
title="2.2. Examples"/></head><body class=""><p
id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"
<a accesskey="p"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Introduction">Chapter 2. Introduction</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1.
Benefits of running SELinux</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-Examples.html">2.2.
Examples</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html">2.3.
SELinux Architecture</a></span></dt><dt><span
class="section"><a href="sect-Security-Enhanced_Linux-Introduction-S
ELinux_on_Other_Operating_Systems.html">2.4. SELinux on Other Operating
Systems</a></span></dt></dl></div><div
class="para">
Files, such as directories and devices, are called objects. Processes, such as a user
running a command or the <span
class="trademark">Mozilla</span>®<span
class="trademark"> Firefox</span>® application, are called subjects.
Most operating systems use a Discretionary Access Control (DAC) system that controls how
subjects interact with objects, and how subjects interact with each other. On operating
systems using DAC, users control the permissions of files (objects) that they own. For
example, on <span class="trademark">Linux</span>® operating systems,
users can make their home directories world-readable, giving users and processes
(subjects) access to potentially sensitive information.
- </p><p>
- DAC mechanisms are fundamentally inadequate for strong system security. DAC access
decisions are only based on user identity and ownership, ignoring other security-relevant
information such as the role of the user, the function and trustworthiness of the program,
and the sensitivity and integrity of the data. Each user has complete discretion over
their files, making it impossible to enforce a system-wide security policy. Furthermore,
every program run by a user inherits all of the permissions granted to the user and is
free to change access to the user's files, so no protection is provided against
malicious software. Many system services and privileged programs must run with
coarse-grained privileges that far exceed their requirements, so that a flaw in any one of
these programs can be exploited to obtain complete system access.<sup>[<a
id="d0e465" href="#ftn.d0e465"
class="footnote">1</a>]</sup>
- </p><p>
+ </div><div class="para">
+ DAC mechanisms are fundamentally inadequate for strong system security. DAC access
decisions are only based on user identity and ownership, ignoring other security-relevant
information such as the role of the user, the function and trustworthiness of the program,
and the sensitivity and integrity of the data. Each user has complete discretion over
their files, making it impossible to enforce a system-wide security policy. Furthermore,
every program run by a user inherits all of the permissions granted to the user and is
free to change access to the user's files, so no protection is provided against
malicious software. Many system services and privileged programs must run with
coarse-grained privileges that far exceed their requirements, so that a flaw in any one of
these programs can be exploited to obtain complete system access.<sup>[<a
id="d0e465" href="#ftn.d0e465">1</a>]</sup>
+ </div><div class="para">
The following is an example of permissions used on Linux operating systems that do not
run Security-Enhanced Linux (SELinux). The permissions in these examples may differ from
your system. Use the <code class="command">ls -l</code> command to
view file permissions:
- </p><pre class="screen">$ ls -l file1
+ </div><pre class="screen">$ ls -l file1
-rwxrw-r-- 1 user1 group1 0 2008-11-21 15:42 file1
-</pre><p>
+</pre><div class="para">
The first three permission bits, <code
class="computeroutput">rwx</code>, control the access the Linux
<code class="computeroutput">user1</code> user (in this case, the
owner) has to <code class="filename">file1</code>. The next three
permission bits, <code class="computeroutput">rw-</code>, control
the access the Linux <code class="computeroutput">group1</code>
group has to <code class="filename">file1</code>. The last three
permission bits, <code class="computeroutput">r--</code>, control
the access everyone else has to <code class="filename">file1</code>,
which includes all users and processes.
- </p><p>
- Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux
kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the
ability to enforce an administratively-set security policy over all processes and files in
the system, basing decisions on labels containing a variety of security-relevant
information. When properly implemented, it enables a system to adequately defend itself
and offers critical support for application security by protecting against the tampering
with, and bypassing of, secured applications. MAC provides strong separation of
applications that permits the safe execution of untrustworthy applications. Its ability to
limit the privileges associated with executing processes limits the scope of potential
damage that can result from the exploitation of vulnerabilities in applications and system
services. MAC enables information to be protected from legitimate users with limited
authorization as well as from a
uthorized users who have unwittingly executed malicious applications.<sup>[<a
id="d0e507" href="#ftn.d0e507"
class="footnote">2</a>]</sup>
- </p><p>
+ </div><div class="para">
+ Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux
kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the
ability to enforce an administratively-set security policy over all processes and files in
the system, basing decisions on labels containing a variety of security-relevant
information. When properly implemented, it enables a system to adequately defend itself
and offers critical support for application security by protecting against the tampering
with, and bypassing of, secured applications. MAC provides strong separation of
applications that permits the safe execution of untrustworthy applications. Its ability to
limit the privileges associated with executing processes limits the scope of potential
damage that can result from the exploitation of vulnerabilities in applications and system
services. MAC enables information to be protected from legitimate users with limited
authorization as well as from a
uthorized users who have unwittingly executed malicious applications.<sup>[<a
id="d0e507" href="#ftn.d0e507">2</a>]</sup>
+ </div><div class="para">
The following is an example of the labels containing security-relevant information that
are used on processes, Linux users, and files, on Linux operating systems that run
SELinux. This information is called the SELinux context, and is viewed using the <code
class="command">ls -Z</code> command:
- </p><pre class="screen">$ ls -Z file1
+ </div><pre class="screen">$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-</pre><p>
+</pre><div class="para">
In this example, SELinux provides a user (<code
class="computeroutput">unconfined_u</code>), a role (<code
class="computeroutput">object_r</code>), a type (<code
class="computeroutput">user_home_t</code>), and a level (<code
class="computeroutput">s0</code>). This information is used to make
access control decisions. With DAC, access is controlled based only on Linux user and
group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not
used if DAC rules deny access first.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Introduction-Linux_and_SELinux_Users">Linux
and SELinux Users</h5>
+ </div><div class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Introduction-Linux_and_SELinux_Users">Linux
and SELinux Users</h5>
On Linux operating systems that run SELinux, there are Linux users as well as SELinux
users. SELinux users are part of SELinux policy. Linux users are mapped to SELinux users.
To avoid confusion, this guide uses "Linux user" and "SELinux user" to
differentiate between the two.
- <div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits
of running SELinux</h2></div></div></div><div
class="itemizedlist"><ul><li><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits
of running SELinux</h2></div></div></div><div
class="itemizedlist"><ul><li><div class="para">
All processes and files are labeled with a type. A type defines a domain for
processes, and a type for files. Processes are separated from each other by running in
their own domains, and SELinux policy rules define how processes interact with files, as
well as how processes interact with each other. Access is only allowed if an SELinux
policy rule exists that specifically allows it.
- </p></li><li><p>
+ </div></li><li><div class="para">
Fine-grained access control. Stepping beyond traditional <span
class="trademark">UNIX</span>® permissions that are controlled at user
discretion and based on Linux user and group IDs, SELinux access decisions are based on
all available information, such as an SELinux user, role, type, and, optionally, a level.
- </p></li><li><p>
+ </div></li><li><div class="para">
SELinux policy is administratively-defined, enforced system-wide, and is not set at
user discretion.
- </p></li><li><p>
+ </div></li><li><div class="para">
Reduced vulnerability to privilege escalation attacks. One example: since processes
run in domains, and are therefore separated from each other, and SELinux policy rules
define how processes access files and other processes, if a process is compromised, the
attacker only has access to the normal functions of that process, and to files the process
has been configured to have access to. For example, if the Apache HTTP Server is
compromised, an attacker can not use that process to read files in user home directories,
unless a specific SELinux policy rule was added or configured to allow such access.
- </p></li><li><p>
+ </div></li><li><div class="para">
SELinux can be used to enforce data confidentiality and integrity, as well as
protecting processes from untrusted inputs.
- </p></li></ul></div><p>
+ </div></li></ul></div><div class="para">
SELinux is not:
- </p><div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
antivirus software.
- </p></li><li><p>
+ </div></li><li><div class="para">
a replacement for passwords, firewalls, or other security systems.
- </p></li><li><p>
+ </div></li><li><div class="para">
an all-in-one security solution.
- </p></li></ul></div><p>
+ </div></li></ul></div><div class="para">
SELinux is designed to enhance existing security solutions, not replace them. Even
when running SELinux, continue to follow good security practices, such as keeping software
up-to-date, using hard-to-guess passwords, firewalls, and so on.
- </p></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e465"
href="#d0e465" class="para">1</a>] </sup>
- "Integrating Flexible Support for Security Policies into the Linux Operating
System", by Peter Loscocco and Stephen Smalley. This paper was originally prepared
for the National Security Agency and is, consequently, in the public domain. Refer to the
<a
href="http://www.nsa.gov/selinux/papers/freenix01/freenix01.html&quo...
paper</a> for details and the document as it was first released. Any edits and
changes were done by Murray McAllister.
- </p></div><div class="footnote"><p><sup>[<a
id="ftn.d0e507" href="#d0e507" class="para">2</a>]
</sup>
- "Meeting Critical Security Objectives with Security-Enhanced Linux", by
Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National
Security Agency and is, consequently, in the public domain. Refer to the <a
href="http://www.nsa.gov/selinux/papers/ottawa01/index.html">...
paper</a> for details and the document as it was first released. Any edits and
changes were done by Murray McAllister.
+ </div></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e465"
href="#d0e465">1</a>] </sup>
+ "Integrating Flexible Support for Security Policies into the Linux Operating
System", by Peter Loscocco and Stephen Smalley. This paper was originally prepared
for the National Security Agency and is, consequently, in the public domain. Refer to the
<a
href="http://www.nsa.gov/research/_files/selinux/papers/freenix01/in...
paper</a> for details and the document as it was first released. Any edits and
changes were done by Murray McAllister.
+ </p></div><div class="footnote"><p><sup>[<a
id="ftn.d0e507" href="#d0e507">2</a>] </sup>
+ "Meeting Critical Security Objectives with Security-Enhanced Linux", by
Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National
Security Agency and is, consequently, in the public domain. Refer to the <a
href="http://www.nsa.gov/research/_files/selinux/papers/ottawa01/ind...
paper</a> for details and the document as it was first released. Any edits and
changes were done by Murray McAllister.
</p></div></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Prev</strong>Chapter 1. Trademark
Information</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"><strong>Next</strong>2.2. Examples</a></li></ul></body></html>
\ No newline at end of file
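Review bot: the TOC link for section 2.4 changes from `sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html` to `sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html`, a case-only filename rename; on a case-sensitive filesystem this invalidates every bookmark and inbound link that uses the lowercase name, so either keep the old file as a redirect or verify that nothing else in the build still points at it (the `rel="prev"` in chap-Security-Enhanced_Linux-SELinux_Contexts.html is updated in this same commit, which is good). Two further things to check: first, in the new `docnav` block the previous-page item appears as `<li class="previous"` followed directly by `<a accesskey="p"` with no `>` closing the `<li` start tag, which, unless it is line wrapping introduced by the mail, is malformed XHTML and will not validate; second, the footnote reference anchors lose `class="footnote"` and the footnote back-links lose `class="para"` while the surrounding paragraphs gained `div.para` wrappers, so confirm default.css does not style footnote links by those classes before the stripped attributes are accepted.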
Index: chap-Security-Enhanced_Linux-SELinux_Contexts.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-SELinux_Contexts.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-SELinux_Contexts.html 24 Nov 2008 22:43:10 -0000 1.1
+++ chap-Security-Enhanced_Linux-SELinux_Contexts.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Contexts</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html"
title="2.4. SELinux on Other Operating Systems"/><link
rel="next"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"
title="3.2. SELinux Contexts for Processes"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>Chapter 3. SELinux
Contexts</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating
_Systems.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-SELinux_Contexts">Chapter 3. SELinux
Contexts</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1.
Domain Transitions</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html">3.2.
SELinux Contexts for Processes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html">3.3.
SELinux Contexts for
Users</a></span></dt></dl></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Contexts</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html"
title="2.4. SELinux on Other Operating Systems"/><link
rel="next"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"
title="3.2. SELinux Contexts for Processes"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_
right.png" alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-SELinux_Contexts">Chapter 3. SELinux
Contexts</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1.
Domain Transitions</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html">3.2.
SELinux Contexts for Processes</a></span></dt><dt><span
class="section"><a href="sect-S
ecurity-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html">3.3.
SELinux Contexts for Users</a></span></dt></dl></div><div
class="para">
Processes and files are labeled with an SELinux context that contains additional
information, such as an SELinux user, role, type, and, optionally, a level. When running
SELinux, all of this information is used to make access control decisions. In Fedora 10,
SELinux provides a combination of Role-Based Access Control (RBAC), <span
class="trademark">Type Enforcement</span>® (TE), and, optionally,
Multi-Level Security (MLS).
- </p><p>
+ </div><div class="para">
The following is an example SELinux context. SELinux contexts are used on processes,
Linux users, and files, on Linux operating systems that run SELinux. Use the <code
class="command">ls -Z</code> command to view the SELinux context of
files and directories:
- </p><pre class="screen">$ ls -Z file1
+ </div><pre class="screen">$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-</pre><p>
+</pre><div class="para">
SELinux contexts follow the <span class="emphasis"><em>SELinux
user:role:type:level</em></span> syntax:
- </p><div class="variablelist"><dl><dt><span
class="term"><span class="emphasis"><em>SELinux
user</em></span></span></dt><dd><p>
+ </div><div class="variablelist"><dl><dt><span
class="term"><span class="emphasis"><em>SELinux
user</em></span></span></dt><dd><div
class="para">
The SELinux user identity is an identity known to the policy that is authorized for
a specific set of roles, and for a specific MLS range. Each Linux user is mapped to an
SELinux user via SELinux policy. This allows Linux users to inherit the restrictions on
SELinux users. The mapped SELinux user identity is used in the SELinux context for
processes in that session, in order to bound what roles and levels they can enter. Run the
<code class="command">semanage login -l</code> command as the Linux
root user to view a list of mappings between SELinux and Linux user accounts:
- </p><pre class="screen">
+ </div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
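Review bot: the Prev link target changes case from sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html to sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html in both the `<link rel="prev">` element and the docnav `<a accesskey="p">`; on a case-sensitive web server that link only resolves if the section file itself was renamed in the same change set, so confirm the rename is committed. Two smaller points in the same hunk: the regenerated `<body class="">` carries an empty class attribute that can be dropped, and the SELinux user description still says the mapped identity is used "in order to bound what roles and levels they can enter", where "bound" reads as a typo for "limit" (the following paragraph uses "limits which roles and levels are accessible").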
@@ -19,42 +19,42 @@
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
-</pre><p>
+</pre><div class="para">
Output may differ from system to system. The <code
class="computeroutput">Login Name</code> column lists Linux users, and
the the <code class="computeroutput">SELinux User</code> column
lists which SELinux user is mapped to which Linux user. For processes, the SELinux user
limits which roles and levels are accessible. The last column, <code
class="computeroutput">MLS/MCS Range</code>, is the level used by
Multi-Level Security (MLS) and Multi-Category Security (MCS). Levels are briefly discussed
later.
- </p></dd><dt><span class="term"><span
class="emphasis"><em>role</em></span></span></dt><dd><p>
+ </div></dd><dt><span class="term"><span
class="emphasis"><em>role</em></span></span></dt><dd><div
class="para">
Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is
an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for
domains. The role serves as an intermediary between domains and SELinux users. The roles
that can be entered determine which domains can be entered - ultimately, this controls
which object types can be accessed. This helps reduce vulnerability to privilege
escalation attacks.
- </p></dd><dt><span class="term"><span
class="emphasis"><em>type</em></span></span></dt><dd><p>
+ </div></dd><dt><span class="term"><span
class="emphasis"><em>type</em></span></span></dt><dd><div
class="para">
The type is an attribute of Type Enforcement. The type defines a domain for
processes, and a type for files. SELinux policy rules define how types access each other,
whether it be a domain accessing a type, or a domain accessing another domain. Access is
only allowed if a specific SELinux policy rule exists that allows it.
- </p></dd><dt><span class="term"><span
class="emphasis"><em>level</em></span></span></dt><dd><p>
+ </div></dd><dt><span class="term"><span
class="emphasis"><em>level</em></span></span></dt><dd><div
class="para">
The level is an attribute of MLS and Multi-Category Security (MCS). An MLS range is
a pair of levels, written as <span
class="emphasis"><em>lowlevel-highlevel</em></span> if the
levels differ, or <span
class="emphasis"><em>lowlevel</em></span> if the levels are
identical (<code class="computeroutput">s0-s0</code> is the same as
<code class="computeroutput">s0</code>). Each level is a
sensitivity-category pair, with categories being optional. If there are categories, the
level is written as <span
class="emphasis"><em>sensitivity:category-set</em></span>.
If there are no categories, it is written as <span
class="emphasis"><em>sensitivity</em></span>.
- </p><p>
+ </div><div class="para">
If the category set is a contiguous series, it can be abbreviated. For example,
<code class="computeroutput">c0.c3</code> is the same as <code
class="computeroutput">c0,c1,c2,c3</code>. The <code
class="filename">/etc/selinux/targeted/setrans.conf</code> file maps
levels (<code class="computeroutput">s0:c0</code>) to human-readable
form (<code class="computeroutput">CompanyConfidential</code>). Do
not edit <code class="filename">setrans.conf</code> with a text
editor: use <code class="command">semanage</code> to make changes.
Refer to the <span class="citerefentry"><span
class="refentrytitle">semanage</span>(8)</span> manual page for
further information. In Fedora 10, targeted policy enforces MCS, and in MCS, there is one
sensitivity, <code class="computeroutput">s0</code>. MCS in Fedora
10 supports 1024 different categories: <code
class="computeroutput">c0</code> through to <code
class="computeroutput">c1023</code>. <code
class="computeroutput">s0-s0:c0.c1023</code> is
sensitivity <code class="computeroutput">s0</code> and authorized
for all categories.
- </p><p>
+ </div><div class="para">
MLS enforces the <a
href="http://en.wikipedia.org/wiki/Bell-LaPadula_model">Bell...
Mandatory Access Model</a>, and is used in Labeled Security Protection Profile
(LSPP) environments. To use MLS restrictions, install the <span
class="package">selinux-policy-mls</span> package, and configure MLS to
be the default SELinux policy. The MLS policy shipped with Fedora omits many program
domains that were not part of the evaluated configuration, and therefore, MLS on a desktop
workstation is unusable (no support for the X Window System); however, an MLS policy from
the <a
href="http://oss.tresys.com/projects/refpolicy">upstream SELinux
Reference Policy</a> can be built that includes all program domains.
- </p></dd></dl></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain
Transitions</h2></div></div></div><p>
+ </div></dd></dl></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain
Transitions</h2></div></div></div><div
class="para">
A process in one domain transitions to another domain by executing an application that
has the <code class="computeroutput">entrypoint</code> type for the
new domain. The <code class="computeroutput">entrypoint</code>
permission is used in SELinux policy, and controls which applications can be used to enter
a domain. The following example demonstrates a domain transition:
- </p><div class="orderedlist"><ol><li><p>
- A users wants to change their password. To change their password, they run the
<code class="command">passwd</code> application. The <code
class="filename">/usr/bin/passwd</code> file is labeled with the
<code class="computeroutput">passwd_exec_t</code> type:
- </p><pre class="screen">$ ls -Z /usr/bin/passwd
+ </div><div class="orderedlist"><ol><li><div
class="para">
+ A users wants to change their password. To change their password, they run the
<code class="command">passwd</code> application. The <code
class="filename">/usr/bin/passwd</code> executable is labeled with the
<code class="computeroutput">passwd_exec_t</code> type:
+ </div><pre class="screen">$ ls -Z /usr/bin/passwd
-rwsr-xr-x root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
-</pre><p>
- The <span
class="application"><strong>passwd</strong></span>
application accesses <code class="filename">/etc/shadow</code>,
which is labeled with the <code
class="computeroutput">shadow_t</code> type:
- </p><pre class="screen">$ ls -Z /etc/shadow
+</pre><div class="para">
+ The <span><strong
class="application">passwd</strong></span> application accesses
<code class="filename">/etc/shadow</code>, which is labeled with the
<code class="computeroutput">shadow_t</code> type:
+ </div><pre class="screen">$ ls -Z /etc/shadow
-r-------- root root system_u:object_r:shadow_t:s0 /etc/shadow
-</pre></li><li><p>
- An SELinux policy rule states that processes running in the <code
class="computeroutput">passwd_t</code> domain are allowed to read and
write to files labeled with the <code
class="computeroutput">shadow_t</code> type. Only files and their back
up copies that are required for a password change, such as <code
class="filename">/etc/gshadow</code>, <code
class="filename">/etc/gshadow-</code> and <code
class="filename">/etc/shadow</code>, are labeled with the <code
class="computeroutput">shadow_t</code> type.
- </p></li><li><p>
+</pre></li><li><div class="para">
+ An SELinux policy rule states that processes running in the <code
class="computeroutput">passwd_t</code> domain are allowed to read and
write to files labeled with the <code
class="computeroutput">shadow_t</code> type. The <code
class="computeroutput">shadow_t</code> type is only applied to files
that are required for a password change. This includes <code
class="filename">/etc/gshadow</code>, <code
class="filename">/etc/shadow</code>, and their backup files.
+ </div></li><li><div class="para">
An SELinux policy rule states that the <code
class="computeroutput">passwd_t</code> domain has <code
class="computeroutput">entrypoint</code> permission to the <code
class="computeroutput">passwd_exec_t</code> type.
- </p></li><li><p>
- When a user runs the <code
class="command">/usr/bin/passwd</code> application, the user's
shell process transitions to the <code
class="computeroutput">passwd_t</code> domain. With SELinux, since the
default action is to deny, and a rule exists that allows (among other things) applications
running in the <code class="computeroutput">passwd_t</code> domain
to access files labeled with the <code
class="computeroutput">shadow_t</code> type, the <span
class="application"><strong>passwd</strong></span>
application is allowed to access <code
class="filename">/etc/shadow</code>, and update the user's
password.
- </p></li></ol></div><p>
+ </div></li><li><div class="para">
+ When a user runs the <code
class="command">/usr/bin/passwd</code> application, the user's
shell process transitions to the <code
class="computeroutput">passwd_t</code> domain. With SELinux, since the
default action is to deny, and a rule exists that allows (among other things) applications
running in the <code class="computeroutput">passwd_t</code> domain
to access files labeled with the <code
class="computeroutput">shadow_t</code> type, the <span><strong
class="application">passwd</strong></span> application is allowed
to access <code class="filename">/etc/shadow</code>, and update the
user's password.
+ </div></li></ol></div><div class="para">
This example is not exhaustive, and is used as a basic example to explain domain
transition. Although there is an actual rule that allows subjects running in the <code
class="computeroutput">passwd_t</code> domain to access objects labeled
with the <code class="computeroutput">shadow_t</code> file type,
other SELinux policy rules must be met before the subject can transition to a new domain.
In this example, Type Enforcement ensures:
- </p><div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
the <code class="computeroutput">passwd_t</code> domain can
only be entered by executing an application labeled with the <code
class="computeroutput">passwd_exec_t</code> type; can only execute from
authorized shared libraries, such as the <code
class="computeroutput">lib_t</code> type; and can not execute any other
applications.
- </p></li><li><p>
+ </div></li><li><div class="para">
only authorized domains, such as <code
class="computeroutput">passwd_t</code>, can write to files labeled with
the <code class="computeroutput">shadow_t</code> type. Even if other
processes are running with superuser privileges, those processes can not write to files
labeled with the <code class="computeroutput">shadow_t</code> type,
as they are not running in the <code
class="computeroutput">passwd_t</code> domain.
- </p></li><li><p>
- only authorized domains can transition to the <code
class="computeroutput">passwd_t</code> domain. For example, the
<code class="systemitem">sendmail</code> process running in the
<code class="computeroutput">sendmail_t</code> domain does not have
a legitimate reason to execute <code
class="command">/usr/bin/passwd</code>; therefore, it can never
transition to the <code class="computeroutput">passwd_t</code>
domain.
- </p></li><li><p>
- processes running in the <code
class="computeroutput">passwd_t</code> domain can only read and write
to authorized types, such as files labeled with the <code
class="computeroutput">etc_t</code> or <code
class="computeroutput">shadow_t</code> types. This prevents the
<span class="application"><strong>passwd</strong></span>
application from being tricked into reading or writing arbitrary files.
- </p></li></ul></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html"><strong>Prev</strong>2.4. SELinux
on Other Operating Systems</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Next</strong>3.2. SELinux
Contexts for Processes</a></li></ul></body></html>
\ No newline at end of file
+ </div></li><li><div class="para">
+ only authorized domains can transition to the <code
class="computeroutput">passwd_t</code> domain. For example, the
<code class="systemitem">sendmail</code> process running in the
<code class="computeroutput">sendmail_t</code> domain does not have
a legitimate reason to execute <code class="command">passwd</code>;
therefore, it can never transition to the <code
class="computeroutput">passwd_t</code> domain.
+ </div></li><li><div class="para">
+ processes running in the <code
class="computeroutput">passwd_t</code> domain can only read and write
to authorized types, such as files labeled with the <code
class="computeroutput">etc_t</code> or <code
class="computeroutput">shadow_t</code> types. This prevents the
<span><strong class="application">passwd</strong></span>
application from being tricked into reading or writing arbitrary files.
+ </div></li></ul></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html"><strong>Prev</strong>2.4. SELinux
on Other Operating Systems</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Next</strong>3.2. SELinux
Contexts for Processes</a></li></ul></body></html>
\ No newline at end of file
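Review bot: "A users wants to change their password" in the first step of the domain transition example is carried over unchanged into the new `+` text; it should read "A user wants to change their password". The unchanged context line "and the the <code class="computeroutput">SELinux User</code> column" doubles "the", and since this hunk already rewrites that paragraph's closing tag, both fixes belong here. One content point worth a qualification: the bullet stating that processes "running with superuser privileges" can not write to shadow_t files because they are not in passwd_t holds for confined domains; the Targeted Policy chapter in this same commit says logged-in users run in the unconfined unconfined_t domain, and an unconfined domain is not held to that restriction, so "confined processes running with superuser privileges" would be the accurate wording. The remaining changes (`<p>` to `<div class="para">`, `class="application"` moved from the span to the strong element, `/usr/bin/passwd` shortened to `passwd` in the sendmail bullet) are consistent with the publican regeneration elsewhere in this commit.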
Index: chap-Security-Enhanced_Linux-Targeted_Policy.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Targeted_Policy.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Targeted_Policy.html 24 Nov 2008 22:43:10 -0000 1.1
+++ chap-Security-Enhanced_Linux-Targeted_Policy.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,38 +1,40 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Policy</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"
title="3.3. SELinux Contexts for Users"/><link rel="next"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"
title="4.2. Unconfined Processes"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>Chapter 4. Targeted
Policy</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Prev</strong></a
</li><li class="next"><a
accesskey="n"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Targeted_Policy">Chapter 4. Targeted
Policy</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Targeted_Policy.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1.
Confined Processes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html">4.2.
Unconfined Processes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html">4.3.
Confined and Unconfined
Users</a></span></dt></dl></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Policy</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"
title="3.3. SELinux Contexts for Users"/><link rel="next"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"
title="4.2. Unconfined Processes"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation Site
"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Targeted_Policy">Chapter 4. Targeted
Policy</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Targeted_Policy.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1.
Confined Processes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html">4.2.
Unconfined Processes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"
4.3. Confined and Unconfined
Users</a></span></dt></dl></div><div
class="para">
Targeted policy is the default SELinux policy used in
Fedora 10. When using targeted policy, processes that are targeted run in a confined
domain, and processes that are not targeted run in an unconfined domain. For example, by
default, logged in users run in the <code
class="computeroutput">unconfined_t</code> domain, and system processes
started by init run in the <code
class="computeroutput">initrc_t</code> domain - both of these domains
are unconfined.
- </p><p>
+ </div><div class="para">
Unconfined domains (as well as confined domains) are subject to executable and
writeable memory checks. By default, subjects running in an unconfined domain can not
allocate writeable memory and execute it. This reduces vulnerability to <a
href="http://en.wikipedia.org/wiki/Buffer_overflow">buffer overflow
attacks</a>. These memory checks are disable by setting Booleans, which allow the
SELinux policy to be modified at runtime. Boolean configuration is discussed later.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined
Processes</h2></div></div></div><p>
- Almost every process that has network access is confined in Fedora 10. Most processes
that run as the Linux root user and perform tasks for users, such as the <span
class="application"><strong>passwd</strong></span>
application, are confined. When a process is confined, it runs in its own domain, such as
the <code class="systemitem">httpd</code> process running in the
<code class="computeroutput">httpd_t</code> domain. If a confined
process is compromised by an attacker, depending on SELinux policy configuration, an
attacker's access to resources and the possible damage they can do is limited.
- </p><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined
Processes</h2></div></div></div><div
class="para">
+ Almost every service that listens on a network is confined in Fedora 10. Also, most
processes that run as the Linux root user and perform tasks for users, such as the
<span><strong class="application">passwd</strong></span>
application, are confined. When a process is confined, it runs in its own domain, such as
the <code class="systemitem">httpd</code> process running in the
<code class="computeroutput">httpd_t</code> domain. If a confined
process is compromised by an attacker, depending on SELinux policy configuration, an
attacker's access to resources and the possible damage they can do is limited.
+ </div><div class="para">
The following example demonstrates how SELinux prevents the Apache HTTP Server
(<code class="systemitem">httpd</code>) from reading files that are
not correctly labeled, such as files intended for use by Samba. This is an example, and
should not be used in production. It assumes that the <span
class="package">httpd</span>, <span
class="package">wget</span>, <span
class="package">setroubleshoot-server</span>, and <span
class="package">audit</span> packages are installed, that the SELinux
targeted policy is used, and that SELinux is running in enforcing mode:
- </p><div class="orderedlist"><ol><li><p>
- Run the <code class="command">/usr/sbin/sestatus</code>
command to confirm that SELinux is enabled, is running in enforcing mode, and that
targeted policy is being used:
- </p><pre class="screen">SELinux status:
enabled
+ </div><div class="orderedlist"><ol><li><div
class="para">
+ Run the <code class="command">sestatus</code> command to
confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is
being used:
+ </div><pre class="screen">
+$ /usr/sbin/sestatus
+SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted
-</pre><p>
+</pre><div class="para">
<code class="computeroutput">SELinux status: enabled</code> is
returned when SELinux is enabled. <code class="computeroutput">Current
mode: enforcing</code> is returned when SELinux is running in enforcing mode.
<code class="computeroutput">Policy from config file:
targeted</code> is returned when the SELinux targeted policy is used.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code class="command">touch
/var/www/html/testfile</code> command to create a file.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">ls -Z
/var/www/html/testfile</code> command to view the SELinux context:
- </p><pre class="screen">-rw-r--r-- root root
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
-</pre><p>
- By default, Linux users run unconfined in Fedora 10, which is why the <code
class="filename">testfile</code> file is labeled with the SELinux
<code class="computeroutput">unconfined_u</code> user. RBAC is used
for processes, not files. Roles do not have a meaning for files - the <code
class="computeroutput">object_r</code> role is a generic role used for
files (on persistent storage and network file systems). Under the <code
class="filename">/proc/</code> directory, files related to processes
may use the <code class="computeroutput">system_r</code>
role.<sup>[<a id="d0e1219" href="#ftn.d0e1219"
class="footnote">6</a>]</sup> The <code
class="computeroutput">httpd_sys_content_t</code> type allows the
<code class="systemitem">httpd</code> process to access this file.
- </p></li><li><p>
- As the Linux root user, run the <code class="command">/sbin/service
httpd start</code> command to start the <code
class="systemitem">httpd</code> process. The output is as follows if
<code class="systemitem">httpd</code> starts successfully:
- </p><pre class="screen"># /sbin/service httpd start
+ </div><pre class="screen">-rw-r--r-- root root
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
+</pre><div class="para">
+ By default, Linux users run unconfined in Fedora 10, which is why the <code
class="filename">testfile</code> file is labeled with the SELinux
<code class="computeroutput">unconfined_u</code> user. RBAC is used
for processes, not files. Roles do not have a meaning for files - the <code
class="computeroutput">object_r</code> role is a generic role used for
files (on persistent storage and network file systems). Under the <code
class="filename">/proc/</code> directory, files related to processes
may use the <code class="computeroutput">system_r</code>
role.<sup>[<a id="d0e1213"
href="#ftn.d0e1213">6</a>]</sup> The <code
class="computeroutput">httpd_sys_content_t</code> type allows the
<code class="systemitem">httpd</code> process to access this file.
+ </div></li><li><div class="para">
+ As the Linux root user, run the <code class="command">service httpd
start</code> command to start the <code
class="systemitem">httpd</code> process. The output is as follows if
<code class="systemitem">httpd</code> starts successfully:
+ </div><pre class="screen"># /sbin/service httpd start
Starting httpd: [ OK ]
-</pre></li><li><p>
- Change into a directory where your Linux user has write access to, and run the
<code class="command">wget
http://localhost/testfile</code> command.
Unless there are any changes to the default configuration, this command succeeds:
- </p><pre class="screen">--2008-09-06 23:00:01--
http://localhost/testfile
+</pre></li><li><div class="para">
+ Change into a directory where your Linux user has write access to, and run the
<code class="command">wget
http://localhost/testfile</code> command.
Unless there are changes to the default configuration, this command succeeds:
+ </div><pre class="screen">--2008-09-06 23:00:01--
http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
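Review bot: the regenerated TOC entry for 4.3 is malformed: `href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"` is followed directly by `4.3. Confined and Unconfined` with no `>` closing the `<a` start tag, where the old text had `Users.html">4.3.`. If that is in the committed file rather than an artifact of mail wrapping, the chapter page is no longer valid XHTML 1.0 Strict and the link to section 4.3 breaks, so check the generated file. Also in this hunk: the unchanged sentence "These memory checks are disable by setting Booleans" should read "disabled"; the footnote anchor changed id from d0e1219 to d0e1213 and lost its `class="footnote"`, so the matching `ftn.d0e1213` target in the page's footnote section needs to exist in the regenerated output; and "Change into a directory where your Linux user has write access to" reads better as "Change into a directory your Linux user has write access to". Adding the `$ /usr/sbin/sestatus` command line to the screen block is a good change, since the block previously showed only output.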
@@ -42,41 +44,41 @@
[ <=> ] 0 --.-K/s in 0s
2008-09-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]
-</pre></li><li><p>
- The <code class="command">/usr/bin/chcon</code> command
relabels files; however, such label changes do not survive when the file system is
relabeled. For permanent changes that survive a file system relabel, use the <code
class="command">semanage</code> command, which is discussed later. As
the Linux root user, run the following command to change the type to a type used by
Samba:
- </p><p>
- <code class="command">/usr/bin/chcon -t samba_share_t
/var/www/html/testfile</code>
- </p><p>
+</pre></li><li><div class="para">
+ The <code class="command">chcon</code> command relabels files;
however, such label changes do not survive when the file system is relabeled. For
permanent changes that survive a file system relabel, use the <code
class="command">semanage</code> command, which is discussed later. As
the Linux root user, run the following command to change the type to a type used by
Samba:
+ </div><div class="para">
+ <code class="command">chcon -t samba_share_t
/var/www/html/testfile</code>
+ </div><div class="para">
Run the <code class="command">ls -Z
/var/www/html/testfile</code> command to view the changes:
- </p><pre class="screen">-rw-r--r-- root root
unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
-</pre></li><li><p>
- Note: the current DAC permissions allow the <code
class="systemitem">httpd</code> process access to <code
class="filename">testfile</code>. Change into a directory where your
Linux user has write access to, and run the <code class="command">wget
http://localhost/testfile</code> command. Unless there are any changes to the
default configuration, this command fails:
- </p><pre class="screen">--2008-09-06 23:00:54--
http://localhost/testfile
+ </div><pre class="screen">-rw-r--r-- root root
unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
+</pre></li><li><div class="para">
+ Note: the current DAC permissions allow the <code
class="systemitem">httpd</code> process access to <code
class="filename">testfile</code>. Change into a directory where your
Linux user has write access to, and run the <code class="command">wget
http://localhost/testfile</code> command. Unless there are changes to the default
configuration, this command fails:
+ </div><pre class="screen">--2008-09-06 23:00:54--
http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2008-09-06 23:00:54 ERROR 403: Forbidden.
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">rm -i
/var/www/html/testfile</code> command to remove <code
class="filename">testfile</code>.
- </p></li><li><p>
- If you do not require <code class="systemitem">httpd</code> to
be running, as the Linux root user, run the <code
class="command">/sbin/service httpd stop</code> command to stop
<code class="systemitem">httpd</code>:
- </p><pre class="screen"># /sbin/service httpd stop
+ </div></li><li><div class="para">
+ If you do not require <code class="systemitem">httpd</code> to
be running, as the Linux root user, run the <code class="command">service
httpd stop</code> command to stop <code
class="systemitem">httpd</code>:
+ </div><pre class="screen"># /sbin/service httpd stop
Stopping httpd: [ OK ]
-</pre></li></ol></div><p>
+</pre></li></ol></div><div class="para">
This example demonstrates the additional security added by SELinux. Although DAC rules
allowed the <code class="systemitem">httpd</code> process access to
<code class="filename">testfile</code> in step 7, because the file
was labeled with a type that the <code
class="systemitem">httpd</code> process does not have access to,
SELinux denied access. After step 7, an error similar to the following is logged to
<code class="filename">/var/log/messages</code>:
- </p><pre class="screen">Sep 6 23:00:54 localhost setroubleshoot:
SELinux is preventing httpd (httpd_t) "getattr"
+ </div><pre class="screen">Sep 6 23:00:54 localhost
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654
-</pre><p>
- Previous log files may use a <code
class="filename">/var/log/messages.<em
class="replaceable"><code>YYYYMMDD</code></em></code>
format. When running <span
class="application"><strong>syslog-ng</strong></span>,
previous log files may use a <code
class="filename">/var/log/messages.<em
class="replaceable"><code>X</code></em></code>
format. If the <code class="systemitem">setroubleshootd</code> and
<code class="systemitem">auditd</code> processes are running, errors
similar to the following are logged to <code
class="filename">/var/log/audit/audit.log</code>:
- </p><pre class="screen">type=AVC msg=audit(1220706212.937:70):
avc: denied { getattr } for pid=1904 comm="httpd"
path="/var/www/html/testfile" dev=sda5 ino=247576
scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0
tclass=file
+</pre><div class="para">
+ Previous log files may use a <code
class="filename">/var/log/messages.<em
class="replaceable"><code>YYYYMMDD</code></em></code>
format. When running <span><strong
class="application">syslog-ng</strong></span>, previous log files
may use a <code class="filename">/var/log/messages.<em
class="replaceable"><code>X</code></em></code>
format. If the <code class="systemitem">setroubleshootd</code> and
<code class="systemitem">auditd</code> processes are running, errors
similar to the following are logged to <code
class="filename">/var/log/audit/audit.log</code>:
+ </div><pre class="screen">type=AVC msg=audit(1220706212.937:70):
avc: denied { getattr } for pid=1904 comm="httpd"
path="/var/www/html/testfile" dev=sda5 ino=247576
scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0
tclass=file
type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13
a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1
comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
-</pre><p>
- Also, an error similar to the following is logged to <code
class="filename">/etc/httpd/logs/error_log</code>:
- </p><pre class="screen">[Sat Sep 06 23:00:54 2008] [error]
[client <em
class="replaceable"><code>127.0.0.1</code></em>]
(13)Permission denied: access to /testfile denied
-</pre><div class="note"><h2>Note</h2><p>
- In Fedora 10, the <span
class="package">setroubleshoot-server</span> and <span
class="package">audit</span> packages are installed by default. These
packages include the <code class="systemitem">setroubleshootd</code>
and <code class="systemitem">auditd</code> daemons respectively.
These daemons run by default. Stopping either of these daemons changes where SELinux
denials are written to. Refer to <a class="xref"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"
title="5.2. Which Log File is Used">Section 5.2, “Which Log File is
Used”</a> for further information.
- </p></div></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e1219"
href="#d0e1219" class="para">6</a>] </sup>
+</pre><div class="para">
+ Also, an error similar to the following is logged to <code
class="filename">/var/log/httpd/error_log</code>:
+ </div><pre class="screen">[Sat Sep 06 23:00:54 2008] [error]
[client <em
class="replaceable"><code>127.0.0.1</code></em>]
(13)Permission denied: access to /testfile denied
+</pre><div class="note"><h2>Note</h2><div
class="para">
+ In Fedora 10, the <span
class="package">setroubleshoot-server</span> and <span
class="package">audit</span> packages are installed by default. These
packages include the <code class="systemitem">setroubleshootd</code>
and <code class="systemitem">auditd</code> daemons respectively.
These daemons run by default. Stopping either of these daemons changes where SELinux
denials are written to. Refer to <a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"
title="5.2. Which Log File is Used">Section 5.2, “Which Log File is
Used”</a> for further information.
+ </div></div></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e1213"
href="#d0e1213">6</a>] </sup>
When using other policies, such as MLS, other roles may be used, for example,
<code class="computeroutput">secadm_r</code>.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Prev</strong>3.3. SELinux
Contexts for Users</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"><strong>Next</strong>4.2. Unconfined
Processes</a></li></ul></body></html>
\ No newline at end of file
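Review bot: the text/output mismatch recurs in this hunk: `chcon` replaces `/usr/bin/chcon` and `service httpd stop` replaces `/sbin/service httpd stop` in the command elements, yet the screen block still reads `# /sbin/service httpd stop`; align the two. Two smaller points: the rewritten link to Section 5.2 drops the `class="xref"` attribute the old `<a>` carried, which the stylesheet may rely on for cross-reference styling, so check that this was intentional; and the footnote anchor change from `ftn.d0e1219`/`#d0e1219` to `ftn.d0e1213`/`#d0e1213` is correct, since it now matches the `id="d0e1213"` reference in the unchanged text above (the old footnote pointed at an id that does not appear in the file). The error log path change to `/var/log/httpd/error_log` is consistent with the other log paths this section cites under `/var/log/`.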
Index: chap-Security-Enhanced_Linux-Trademark_Information.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Trademark_Information.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Trademark_Information.html 24 Nov 2008 22:43:10
-0000 1.1
+++ chap-Security-Enhanced_Linux-Trademark_Information.html 24 Jan 2009 03:48:02
-0000 1.2
@@ -1,14 +1,14 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Information</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="pr01s02.html" title="2. We Need Feedback!"/><link
rel="next" href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>Chapter 1. Trademark
Information</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="pr01s02.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang
="en-US"><div class="titlepage"><div><div><h2
class="title"
id="chap-Security-Enhanced_Linux-Trademark_Information">Chapter 1. Trademark
Information</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Information</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="pr01s02.html" title="2. We Need Feedback!"/><link
rel="next" href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="pr01s02.html"><strong
Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Trademark_Information">Chapter 1. Trademark
Information</h2></div></div></div><div
class="para">
<span
class="trademark">Linux</span>® is the registered trademark of Linus
Torvalds in the U.S. and other countries.
- </p><p>
+ </div><div class="para">
UNIX is a registered trademark of The Open Group.
- </p><p>
+ </div><div class="para">
Type Enforcement is a trademark of Secure Computing Corporation, registered in the U.S.
and in other countries. Secure Computing Corporation has not consented to the use or
reference to this trademark by the author outside of this guide.
- </p><p>
+ </div><div class="para">
Apache is a trademark of The Apache Software Foundation.
- </p><p>
+ </div><div class="para">
MySQL is a trademark or registered trademark of MySQL AB in the U.S. and other
countries.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="pr01s02.html"><strong>Prev</strong>2. We Need
Feedback!</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Next</strong>Chapter 2. Introduction</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="pr01s02.html"><strong>Prev</strong>2. We Need
Feedback!</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Next</strong>Chapter 2. Introduction</a></li></ul></body></html>
\ No newline at end of file
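Review bot: the rewritten Prev link in the top docnav reads `<strong` followed by `Prev</strong>` with no `>` closing the opening tag, whereas the old version and the bottom docnav both have `<strong>Prev</strong>`. If that is really in the generated file rather than a wrapping artifact of this listing, it is a well-formedness error under the XHTML 1.0 Strict doctype declared at the top and will break strict parsers; regenerate and recheck. Also confirm that the two new logo images, `Common_Content/images/image_left.png` and `image_right.png`, exist in the published tree, since the docnav now depends on them.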
Index: chap-Security-Enhanced_Linux-Troubleshooting.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Troubleshooting.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Troubleshooting.html 24 Nov 2008 22:43:10 -0000 1.1
+++ chap-Security-Enhanced_Linux-Troubleshooting.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,22 +1,22 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"
title="6.5. xguest: Kiosk Mode"/><link rel="next"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"
title="7.2. Top Three Causes of Problems"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>Chapter 7. Troubleshooting</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Prev</strong></a></li><li
cl
ass="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Troubleshooting">Chapter 7. Troubleshooting</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Troubleshooting.html#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1.
What Happens when Access is Denied</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html">7.2.
Top Three Causes of
Problems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1.
Labeling Problems</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html">7.2.2.
How are Confined Services Running?</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html">7.2.3.
Evolving Rules and Broken
Applications</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html">7.3.
Fixing Problems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1.
Linux Permissions</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html">7.3.2.
Possible Causes of Silent Denials</a></span></dt><dt><span
class="section"><a href="sect-Security-Enhanced_Linux-Fixing_P
roblems-Manual_Pages_for_Services.html">7.3.3. Manual Pages for
Services</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html">7.3.4.
Permissive Domains</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html">7.3.5.
Searching For and Viewing Denials</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">7.3.6.
Raw Audit Messages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html">7.3.7.
sealert Messages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html">7.3.8.
Allowing Access:
audit2allow</a></span></dt></dl></dd></dl></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html"
title="6.6. Booleans for Users Executing Applications"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"
title="7.2. Top Three Causes of Problems"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img src="Common_Content/im
ages/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Troubleshooting">Chapter 7. Troubleshooting</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Troubleshooting.html#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1.
What Happens when Access is Denied</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html">7.2.
Top Three Causes of Problems</a></span></dt>
<dd><dl><dt><span class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1.
Labeling Problems</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html">7.2.2.
How are Confined Services Running?</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html">7.2.3.
Evolving Rules and Broken
Applications</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html">7.3.
Fixing Problems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1.
Linux Permissions</a></span></dt>
<dt><span class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html">7.3.2.
Possible Causes of Silent Denials</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html">7.3.3.
Manual Pages for Services</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html">7.3.4.
Permissive Domains</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html">7.3.5.
Searching For and Viewing Denials</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">7.3.6.
Raw Audit Messages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html">7.3.7.
sealert Messages</a></span></dt><dt><span
class="section"><a href="sect-Sec
urity-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html">7.3.8.
Allowing Access:
audit2allow</a></span></dt></dl></dd></dl></div><div
class="para">
The following chapter describes what happens when SELinux denies access; the top three
causes of problems; where to find information about correct labeling; analyzing SELinux
denials; and creating custom policy modules with <code
class="command">audit2allow</code>.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What
Happens when Access is Denied</h2></div></div></div><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What
Happens when Access is Denied</h2></div></div></div><div
class="para">
SELinux decisions, such as allowing or disallowing access, are cached. This cache is
known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies
access. These denials are also know as "AVC denials", and are logged to a
different location, depending on which daemons are running:
- </p><div class="segmentedlist"><table
border="0"><thead><tr
class="segtitle"><th>Daemon</th><th>Log
Location</th></tr></thead><tbody><tr
class="seglistitem"><td class="seg">auditd
on</td><td class="seg"><code
class="filename">/var/log/audit/audit.log</code></td></tr><tr
class="seglistitem"><td class="seg">auditd off; rsyslogd
on</td><td class="seg"><code
class="filename">/var/log/messages</code></td></tr><tr
class="seglistitem"><td class="seg">setroubleshootd,
rsyslogd, and auditd on</td><td class="seg"><code
class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial
messages also sent to <code
class="filename">/var/log/messages</code></td></tr></tbody></table></div><p>
- If you are running the X Window System, have the <span
class="package">setroubleshoot</span> and <span
class="package">setroubleshoot-server</span> packages installed, and
the <code class="systemitem">setroubleshootd</code> daemon running,
a yellow star and a warning are displayed when access is denied by SELinux:
- </p><div class="mediaobject"><img
src="./images/setroubleshoot_denial.png"/></div><p>
+ </div><div class="segmentedlist"><table
border="0"><thead><tr
class="segtitle"><th>Daemon</th><th>Log
Location</th></tr></thead><tbody><tr
class="seglistitem"><td class="seg">auditd
on</td><td class="seg"><code
class="filename">/var/log/audit/audit.log</code></td></tr><tr
class="seglistitem"><td class="seg">auditd off; rsyslogd
on</td><td class="seg"><code
class="filename">/var/log/messages</code></td></tr><tr
class="seglistitem"><td class="seg">setroubleshootd,
rsyslogd, and auditd on</td><td class="seg"><code
class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial
messages also sent to <code
class="filename">/var/log/messages</code></td></tr></tbody></table></div><div
class="para">
+ If you are running the X Window System, have the <span
class="package">setroubleshoot</span> and <span
class="package">setroubleshoot-server</span> packages installed, and
the <code class="systemitem">setroubleshootd</code> and <code
class="systemitem">auditd</code> daemons are running, a yellow star and
a warning are displayed when access is denied by SELinux:
+ </div><div class="mediaobject"><img
src="./images/setroubleshoot_denial.png"/></div><div
class="para">
Clicking on the star presents a detailed analysis of why SELinux denied access, and a
possible solution for allowing access. If you are not running the X Window System, it is
less obvious when access is denied by SELinux. For example, users browsing your website
may receive an error similar to the following:
- </p><pre class="screen">
+ </div><pre class="screen">
Forbidden
You don't have permission to access <em
class="replaceable"><code>file name</code></em> on this
server
-</pre><p>
- For these situations, if DAC rules (standard Linux permissions) allow access, check
<code class="filename">/var/log/messages</code> and <code
class="filename">/var/log/audit/audit.log</code> for <code
class="computeroutput">SELinux is preventing</code> and <code
class="computeroutput">denied</code> errors respectively. This can be
done by running the following commands as the Linux root user:
- </p><p>
+</pre><div class="para">
+ For these situations, if DAC rules (standard Linux permissions) allow access, check
<code class="filename">/var/log/messages</code> and <code
class="filename">/var/log/audit/audit.log</code> for <code
class="computeroutput">"SELinux is preventing"</code> and
<code class="computeroutput">"denied"</code> errors
respectively. This can be done by running the following commands as the Linux root user:
+ </div><div class="para">
<code class="command">grep "SELinux is preventing"
/var/log/messages</code>
- </p><p>
+ </div><div class="para">
<code class="command">grep "denied"
/var/log/audit/audit.log</code>
- </p></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Prev</strong>6.5. xguest:
Kiosk Mode</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Next</strong>7.2. Top
Three Causes of Problems</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html"><strong>Prev</strong>6.6. Booleans
for Users Executing Applications</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Next</strong>7.2. Top
Three Causes of Problems</a></li></ul></body></html>
\ No newline at end of file
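Review bot: the typo "also know as "AVC denials"" in the first paragraph of 7.1 survives this revision because it sits on an unchanged context line; change it to "also known as". The correction that both `setroubleshootd` and `auditd` must be running for the desktop notification is good and now matches the third row of the log-location table above it. Minor wording: "The following chapter describes" opens the chapter itself, so "This chapter describes" is the right phrasing; and the quoted search strings added to the `computeroutput` elements now match the two `grep` commands at the end of the section, which is a useful consistency fix.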
Index: chap-Security-Enhanced_Linux-Working_with_SELinux.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Working_with_SELinux.html 24 Nov 2008 22:43:10 -0000 1.1
+++ chap-Security-Enhanced_Linux-Working_with_SELinux.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,34 +1,34 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
with SELinux</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"
title="4.3. Confined and Unconfined Users"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"
title="5.2. Which Log File is Used"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>Chapter 5. Working with
SELinux</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Working_with_SELinux">Chapter 5. Working
with SELinux</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1.
SELinux Packages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html">5.2.
Which Log File is Used</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html">5.3.
Main Configuration File</a></span></dt><dt><span
class="section"><a href="sect-Security-Enhanced_Linux-Working_wit
h_SELinux-Enabling_and_Disabling_SELinux.html">5.4. Enabling and Disabling
SELinux</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1.
Enabling SELinux</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html">5.4.2.
Disabling
SELinux</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html">5.5.
SELinux Modes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html">5.6.
Booleans</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1.
Listing Booleans</a></span></dt><dt><s
pan class="section"><a
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html">5.6.2.
Configuring Booleans</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html">5.6.3.
Examples: Booleans for NFS and
CIFS</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html">5.7.
SELinux Contexts - Labeling
Files</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1.
Temporary Changes: chcon</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html">5.7.2.
Persistent Changes: semanage
fcontext</a></span></dt></dl></dd><dt><span
class="sect
ion"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html">5.8.
The file_t and default_t Types</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html">5.9.
Mounting File
Systems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1.
Context Mounts</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html">5.9.2.
Changing the Default Context</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html">5.9.3.
Mounting an NFS File System</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html">5.9.
4. Multiple NFS Mounts</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html">5.9.5.
Making Context Mounts
Persistent</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html">5.10.
Maintaining SELinux Labels
</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1.
Copying Files and Directories</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html">5.10.2.
Moving Files and Directories</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html">5.10.3.
Chec
king the Default SELinux Context</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html">5.10.4.
Archiving Files with tar</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html">5.10.5.
Archiving Files with
star</a></span></dt></dl></dd></dl></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
with SELinux</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"
title="4.3. Confined and Unconfined Users"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"
title="5.2. Which Log File is Used"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt=
"Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Next</strong></a></li></ul><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security-Enhanced_Linux-Working_with_SELinux">Chapter 5. Working
with SELinux</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1.
SELinux Packages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html">5.2.
Which Log File is Used</a></span></dt><dt><span
class="section"><a href="sect-Security-Enhanced_Linu
x-Working_with_SELinux-Main_Configuration_File.html">5.3. Main Configuration
File</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html">5.4.
Enabling and Disabling
SELinux</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1.
Enabling SELinux</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html">5.4.2.
Disabling
SELinux</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html">5.5.
SELinux Modes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html">5.6.
Booleans</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1.
Listing Booleans</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html">5.6.2.
Configuring Booleans</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html">5.6.3.
Booleans for NFS and
CIFS</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html">5.7.
SELinux Contexts - Labeling
Files</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1.
Temporary Changes: chcon</a></span></dt><dt><span
class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Conte
xts_Labeling_Files-Persistent_Changes_semanage_fcontext.html">5.7.2. Persistent
Changes: semanage
fcontext</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html">5.8.
The file_t and default_t Types</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html">5.9.
Mounting File
Systems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1.
Context Mounts</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html">5.9.2.
Changing the Default Context</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html">5.9.3.
Mounti
ng an NFS File System</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html">5.9.4.
Multiple NFS Mounts</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html">5.9.5.
Making Context Mounts
Persistent</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html">5.10.
Maintaining SELinux Labels
</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1.
Copying Files and Directories</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html">5.10.2.
Moving Files and Directories</a></span
</dt><dt><span class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html">5.10.3.
Checking the Default SELinux Context</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html">5.10.4.
Archiving Files with tar</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html">5.10.5.
Archiving Files with
star</a></span></dt></dl></dd></dl></div><div
class="para">
The following sections give a brief overview of the
main SELinux packages in Fedora 10; installing and updating packages; which log files are
used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes;
configuring Booleans; temporarily and persistently changing file and directory labels;
overriding file system labels with the <code
class="command">mount</code> command; mounting NFS file systems; and
how to preserve SELinux contexts when copying and archiving files and directories.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux
Packages</h2></div></div></div><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux
Packages</h2></div></div></div><div class="para">
In Fedora 10, the SELinux packages are installed by default, unless they are manually
excluded during installation. By default, SELinux targeted policy is used, and SELinux
runs in enforcing mode. The following is a brief description of the main SELinux
packages:
- </p><p>
+ </div><div class="para">
<span class="package">policycoreutils</span>: provides
utilities, such as <code class="command">semanage</code>, <code
class="command">restorecon</code>, <code
class="command">audit2allow</code>, <code
class="command">semodule</code>, <code
class="command">load_policy</code>, and <code
class="command">setsebool</code>, for operating and managing SELinux.
- </p><p>
+ </div><div class="para">
<span class="package">policycoreutils-gui</span>: provides
<code class="command">system-config-selinux</code>, a graphical tool
for managing SELinux.
- </p><p>
+ </div><div class="para">
<span class="package">selinux-policy</span>: provides the
SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy, and
is used as a basis for other policies, such as the SELinux targeted policy. Refer to the
Tresys Technology <a
href="http://oss.tresys.com/projects/refpolicy">SELinux Reference
Policy</a> page for further information. The <span
class="package">selinux-policy-devel</span> package provides
development tools, such as <code
class="command">/usr/share/selinux/devel/policygentool</code> and
<code class="command">/usr/share/selinux/devel/policyhelp</code>, as
well as example policy files. This package was merged into the <span
class="package">selinux-policy</span> package.
- </p><p>
+ </div><div class="para">
<span class="package">selinux-policy-<em
class="replaceable"><code>policy</code></em></span>:
provides SELinux policies. For targeted policy, install <span
class="package">selinux-policy-targeted</span>. For MLS, install
<span class="package">selinux-policy-mls</span>. In Fedora 8, the
strict policy was merged into targeted policy, allowing confined and unconfined users to
co-exist on the same system.
- </p><p>
+ </div><div class="para">
<span class="package">setroubleshoot-server</span>: translates
denial messages, produced when access is denied by SELinux, into detailed descriptions
that are viewed with <code class="command">sealert</code> (which is
provided by this package).
- </p><p>
- <span class="package">setools</span>, <span
class="package">setools-gui</span>, and <span
class="package">setools-console</span>: these packages provide the
<a
href="http://oss.tresys.com/projects/setools">Tresys Technology SETools
distribution</a>, a number of tools and libraries for analyzing and querying policy,
audit log monitoring and reporting, and file context management<sup>[<a
id="d0e2035" href="#ftn.d0e2035"
class="footnote">8</a>]</sup>. The <span
class="package">setools</span> package is a meta-package for SETools.
The <span class="package">setools-gui</span> package provides the
<code class="command">apol</code>, <code
class="command">seaudit</code>, and <code
class="command">sediffx</code> tools. The <span
class="package">setools-console</span> package provides the <code
class="command">seaudit-report</code>, <code
class="command">sechecker</code>, <code
class="command">sediff</code>, <code
class="command">seinfo</code>, <code
class="command">sesearch</code>
, <code class="command">findcon</code>, <code
class="command">replcon</code>, and <code
class="command">indexcon</code> command line tools. Refer to the <a
href="http://oss.tresys.com/projects/setools">Tresys Technology
SETools</a> page for information about these tools.
- </p><p>
+ </div><div class="para">
+ <span class="package">setools</span>, <span
class="package">setools-gui</span>, and <span
class="package">setools-console</span>: these packages provide the
<a
href="http://oss.tresys.com/projects/setools">Tresys Technology SETools
distribution</a>, a number of tools and libraries for analyzing and querying policy,
audit log monitoring and reporting, and file context management<sup>[<a
id="d0e2044" href="#ftn.d0e2044">8</a>]</sup>. The
<span class="package">setools</span> package is a meta-package for
SETools. The <span class="package">setools-gui</span> package
provides the <code class="command">apol</code>, <code
class="command">seaudit</code>, and <code
class="command">sediffx</code> tools. The <span
class="package">setools-console</span> package provides the <code
class="command">seaudit-report</code>, <code
class="command">sechecker</code>, <code
class="command">sediff</code>, <code
class="command">seinfo</code>, <code
class="command">sesearch</code>, <code class="co
mmand">findcon</code>, <code
class="command">replcon</code>, and <code
class="command">indexcon</code> command line tools. Refer to the <a
href="http://oss.tresys.com/projects/setools">Tresys Technology
SETools</a> page for information about these tools.
+ </div><div class="para">
<span class="package">libselinux-utils</span>: provides the
<code class="command">avcstat</code>, <code
class="command">getenforce</code>, <code
class="command">getsebool</code>, <code
class="command">matchpathcon</code>, <code
class="command">selinuxconlist</code>, <code
class="command">selinuxdefcon</code>, <code
class="command">selinuxenabled</code>, <code
class="command">setenforce</code>, <code
class="command">togglesebool</code> tools.
- </p><p>
+ </div><div class="para">
<span class="package">mcstrans</span>: translates levels, such
as <code class="computeroutput">s0-s0:c0.c1023</code>, to an easier
to read form, such as <code
class="computeroutput">SystemLow-SystemHigh</code>. This package is not
installed by default.
- </p><p>
+ </div><div class="para">
To install packages in Fedora 10, as the Linux root user, run the <code
class="command">yum install <em
class="replaceable"><code>package-name</code></em></code>
command. For example, to install the <span
class="package">mcstrans</span> package, run the <code
class="command">yum install mcstrans</code> command. To upgrade all
installed packages in Fedora 10, run the <code class="command">yum
update</code> command.
- </p><p>
- Refer to <a
href="http://docs.fedoraproject.org/yum/en/">Managing
Software with yum</a><sup>[<a id="d0e2147"
href="#ftn.d0e2147" class="footnote">9</a>]</sup> for
further information about using <code class="command">yum</code> to
manage packages.
- </p><div class="note"><h2>Note</h2><p>
+ </div><div class="para">
+ Refer to <a
href="http://docs.fedoraproject.org/yum/en/">Managing
Software with yum</a><sup>[<a id="d0e2156"
href="#ftn.d0e2156">9</a>]</sup> for further information about
using <code class="command">yum</code> to manage packages.
+ </div><div class="note"><h2>Note</h2><div
class="para">
In previous versions of Fedora, the <span
class="package">selinux-policy-devel</span> package is required when
making a local policy module with <code class="command">audit2allow
-M</code>.
- </p></div></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e2035"
href="#d0e2035" class="para">8</a>] </sup>
+ </div></div></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e2044"
href="#d0e2044">8</a>] </sup>
Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray
McAllister. 1 November 2008. Any edits or changes in this version were done by Murray
McAllister.
- </p></div><div class="footnote"><p><sup>[<a
id="ftn.d0e2147" href="#d0e2147"
class="para">9</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a
id="ftn.d0e2156" href="#d0e2156">9</a>] </sup>
Managing Software with yum, written by Stuart Ellis, edited by Paul W. Frields,
Rodrigo Menezes, and Hugo Cisneiros.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"><strong>Prev</strong>4.3. Confined
and Unconfined Users</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Next</strong>5.2. Which
Log File is Used</a></li></ul></body></html>
\ No newline at end of file
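Review bot: The one substantive change buried in this hunk is the 5.6.3 TOC entry, whose target moves from `sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html` to `sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html` and whose title drops the "Examples:" prefix; make sure the renamed page is committed in the same change set and the old file is removed or left as a redirect, otherwise this chapter's TOC (and any other page still carrying the old href) links to a missing file. Everything else here is generator churn from the publican update: `<p>` becomes `<div class="para">` for each package paragraph, the footnote anchors are renumbered (`d0e2035` to `d0e2044`, `d0e2147` to `d0e2156`) and lose their `class="footnote"`/`class="para"` attributes, and `<body>` gains an empty `class=""`; none of that changes the rendered text, but since the wrapped Note paragraph ("In previous versions of Fedora, the selinux-policy-devel package is required when making a local policy module with audit2allow -M") is being re-emitted anyway, this would be the moment to fix its tense ("was required"), which otherwise contradicts the paragraph two entries above stating the package was merged into selinux-policy.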
Index: index.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/index.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.html 24 Nov 2008 22:43:10 -0000 1.1
+++ index.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,16 +1,16 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Linux</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><meta
name="description" content="This book is about managing and using
Security-Enhanced Linux."/><link rel="start"
href="index.html" title="Security-Enhanced Linux"/><link
rel="next" href="pref-Security-Enhanced_Linux-Preface.html"
title="Preface"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>Security-Enhanced
Linux</strong></a></p><ul class="docnav"><li
class="previous"/><li class="next"><a
accesskey="n"
href="pref-Security-Enhanced_Linux-Preface.html"><strong>Next</strong></a></li></ul><div
class="book" lang="en-US"><div
class="titlepage"><div><div
class="producttitle"><span
class="productname">Fedora</span> <span
class="productnumber">10</span></div><div><h1
id="d0e1" class="title">Security-Enhanced
Linux</h1></div><div><h2 class="subtitle">User
Guide</h2></div><p class="edition">Edition
1.0</p><div><h3 class="corpauthor">
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Linux</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><meta
name="description" content="This book is about managing and using
Security-Enhanced Linux."/><link rel="start"
href="index.html" title="Security-Enhanced Linux"/><link
rel="next" href="pref-Security-Enhanced_Linux-Preface.html"
title="Preface"/></head><body class=""><p
id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"/><li class="next"><a
accesskey="n"
href="pref-Security-Enhanced_Linux-Preface.html"><strong>Next</strong></a></li
</ul><div class="book"
lang="en-US"><div class="titlepage"><div><div
class="producttitle"><span
class="productname">Fedora</span> <span
class="productnumber">10</span></div><div><h1
id="d0e1" class="title">Security-Enhanced
Linux</h1></div><div><h2 class="subtitle">User
Guide</h2></div><p class="edition">Edition
1.1</p><div><h3 class="corpauthor">
<span
class="inlinemediaobject"><object
data="Common_Content/images/title_logo.svg"
type="image/svg+xml"/></span>
- </h3></div><div><div class="authorgroup"><div
class="author"><h3 class="author"><span
class="firstname">Murray</span> <span
class="surname">McAllister</span></h3><div
class="affiliation"><span class="orgname">Red
Hat</span> <span class="orgdiv">Engineering Content
Services</span></div><code class="email"><a
class="email"
href="mailto:mmcallis@redhat.com">mmcallis@redhat.com</a></code></div><div
class="author"><h3 class="author"><span
class="firstname">Daniel</span> <span
class="surname">Walsh</span></h3><div
class="affiliation"><span class="orgname">Red
Hat</span> <span class="orgdiv">Security
Engineering</span></div><code class="email"><a
class="email"
href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a></code></div><div
class="othercredit"><h3 class="othercredit"><span
class="firstname">Dominick</span> <span
class="surname">Grift</span></h3><span
class="contrib">Technical editor for the Introduction, SELinux Contexts,
Targeted Policy, Working with SELinux, Confining Us
ers, and Troubleshooting chapters.</span> <div
class="affiliation"><span class="orgname"/> <span
class="orgdiv"/></div><code class="email"><a
class="email"
href="mailto:domg472@gmail.com">domg472@gmail.com</a></code></div><div
class="othercredit"><h3 class="othercredit"><span
class="firstname">Eric</span> <span
class="surname">Paris</span></h3><span
class="contrib">Technical editor for the Mounting File Systems and Raw Audit
Messages sections.</span> <div class="affiliation"><span
class="orgname">Red Hat</span> <span
class="orgdiv">Security Engineering</span></div><code
class="email"><a class="email"
href="mailto:eparis@parisplace.org">eparis@parisplace.org</a></code></div><div
class="othercredit"><h3 class="othercredit"><span
class="firstname">James</span> <span
class="surname">Morris</span></h3><span
class="contrib">Technical editor for the Introduction and Targeted Policy
chapters.</span> <div class="affiliation"><span
class="orgname">Red Hat</span> <span class="orgdiv
">Security Engineering</span></div><code
class="email"><a class="email"
href="mailto:jmorris@redhat.com">jmorris@redhat.com</a></code></div></div></div><div><p
class="copyright">Copyright © 2008 Red Hat,
Inc.</p></div><hr/><div><div id="d0e35"
class="legalnotice"><h1 class="legalnotice">Legal
Notice</h1><p>
+ </h3></div><div><div class="authorgroup"><div
class="author"><h3 class="author"><span
class="firstname">Murray</span> <span
class="surname">McAllister</span></h3><div
class="affiliation"><span class="orgname">Red
Hat</span> <span class="orgdiv">Engineering Content
Services</span></div><code class="email"><a
href="mailto:mmcallis@redhat.com">mmcallis@redhat.com</a></code></div><div
class="author"><h3 class="author"><span
class="firstname">Daniel</span> <span
class="surname">Walsh</span></h3><div
class="affiliation"><span class="orgname">Red
Hat</span> <span class="orgdiv">Security
Engineering</span></div><code class="email"><a
href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a></code></div><div
class="othercredit"><h3 class="othercredit"><span
class="firstname">Dominick</span> <span
class="surname">Grift</span></h3><span
class="contrib">Technical editor for the Introduction, SELinux Contexts,
Targeted Policy, Working with SELinux, Confining Users, and Troubleshooting cha
pters.</span><div class="affiliation"><span
class="orgname"/> <span class="orgdiv"/></div><code
class="email"><a
href="mailto:domg472@gmail.com">domg472@gmail.com</a></code></div><div
class="othercredit"><h3 class="othercredit"><span
class="firstname">Eric</span> <span
class="surname">Paris</span></h3><span
class="contrib">Technical editor for the Mounting File Systems and Raw Audit
Messages sections.</span><div class="affiliation"><span
class="orgname">Red Hat</span> <span
class="orgdiv">Security Engineering</span></div><code
class="email"><a
href="mailto:eparis@parisplace.org">eparis@parisplace.org</a></code></div><div
class="othercredit"><h3 class="othercredit"><span
class="firstname">James</span> <span
class="surname">Morris</span></h3><span
class="contrib">Technical editor for the Introduction and Targeted Policy
chapters.</span><div class="affiliation"><span
class="orgname">Red Hat</span> <span
class="orgdiv">Security Engineering</span></div><code
class="email"><a href
="mailto:jmorris@redhat.com">jmorris@redhat.com</a></code></div></div></div><div><p
class="copyright">Copyright © 2008 Red Hat,
Inc.</p></div><hr/><div><div id="d0e35"
class="legalnotice"><h1 class="legalnotice">Legal
Notice</h1><div class="para">
Copyright <span class="trademark"/>© 2008 Red Hat, Inc. This material
may only be distributed subject to the terms and conditions set forth in the Open
Publication License, V1.0, (the latest version is presently available at <a
href="http://www.opencontent.org/openpub/">http://www.openco...>).
- </p><p>
+ </div><div class="para">
Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of
Red Hat, Inc., in the U.S. and other countries.
- </p><p>
+ </div><div class="para">
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red
Hat Inc. in the United States and other countries.
- </p><p>
+ </div><div class="para">
All other trademarks and copyrights referred to are the property of their respective
owners.
- </p><p>
+ </div><div class="para">
Documentation, as with software itself, may be subject to export control. Read about
Fedora Project export controls at <a
href="http://fedoraproject.org/wiki/Legal/Export">http://fed...;.
- </p></div></div><div><div
class="abstract"><h6>Abstract</h6><p>This book is about
managing and using Security-Enhanced <span
class="trademark">Linux</span>®.</p></div></div></div><hr/></div><div
class="toc"><dl><dt><span class="preface"><a
href="pref-Security-Enhanced_Linux-Preface.html">Preface</a></span></dt><dd><dl><dt><span
class="section"><a
href="pref-Security-Enhanced_Linux-Preface.html#d0e146">1. Document
Conventions</a></span></dt><dd><dl><dt><span
class="section"><a
href="pref-Security-Enhanced_Linux-Preface.html#d0e156">1.1. Typographic
Conventions</a></span></dt><dt><span
class="section"><a
href="pref-Security-Enhanced_Linux-Preface.html#d0e372">1.2. Pull-quote
Conventions</a></span></dt><dt><span
class="section"><a
href="pref-Security-Enhanced_Linux-Preface.html#d0e391">1.3. Notes and
Warnings</a></span></dt></dl></dd><dt><span
class="section"><a href="pr01s02.html">2. We Need
Feedback!</a></span></dt></dl></dd><dt><span
class="chapter"><a href="chap-Security-
Enhanced_Linux-Trademark_Information.html">1. Trademark
Information</a></span></dt><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Introduction.html">2.
Introduction</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1.
Benefits of running SELinux</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-Examples.html">2.2.
Examples</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html">2.3.
SELinux Architecture</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html">2.4.
SELinux on Other Operating
Systems</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html">3. SELinux
Contexts</a></span></dt><dd><dl><dt>
<span class="section"><a
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1.
Domain Transitions</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html">3.2.
SELinux Contexts for Processes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html">3.3.
SELinux Contexts for
Users</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Targeted_Policy.html">4. Targeted
Policy</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Targeted_Policy.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1.
Confined Processes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html">4.2.
Unconfined Processes</a></span></
dt><dt><span class="section"><a
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html">4.3.
Confined and Unconfined
Users</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html">5. Working with
SELinux</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1.
SELinux Packages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html">5.2.
Which Log File is Used</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html">5.3.
Main Configuration File</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html">5.4.
Enabling and Disabling SELinux</a>
</span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1.
Enabling SELinux</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html">5.4.2.
Disabling
SELinux</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html">5.5.
SELinux Modes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html">5.6.
Booleans</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1.
Listing Booleans</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Boolean
s.html">5.6.2. Configuring
Booleans</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html">5.6.3.
Examples: Booleans for NFS and
CIFS</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html">5.7.
SELinux Contexts - Labeling
Files</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1.
Temporary Changes: chcon</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html">5.7.2.
Persistent Changes: semanage
fcontext</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default
_t_Types.html">5.8. The file_t and default_t
Types</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html">5.9.
Mounting File
Systems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1.
Context Mounts</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html">5.9.2.
Changing the Default Context</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html">5.9.3.
Mounting an NFS File System</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html">5.9.4.
Multiple NFS Mounts</a></span></dt><dt><span
class="section"><a href="sect-Security
-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html">5.9.5.
Making Context Mounts
Persistent</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html">5.10.
Maintaining SELinux Labels
</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1.
Copying Files and Directories</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html">5.10.2.
Moving Files and Directories</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html">5.10.3.
Checking the Default SELinux Context</a></span></dt><dt><span
class="section"><a href="sec
t-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html">5.10.4.
Archiving Files with tar</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html">5.10.5.
Archiving Files with
star</a></span></dt></dl></dd></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Confining_Users.html">6. Confining
Users</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Confining_Users.html#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1.
Linux and SELinux User Mappings</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html">6.2.
Confining New Linux Users: useradd</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html">6.3.
Confinin
g Existing Linux Users: semanage
login</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html">6.4.
Changing the Default Mapping</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html">6.5.
xguest: Kiosk
Mode</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Troubleshooting.html">7.
Troubleshooting</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Troubleshooting.html#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1.
What Happens when Access is Denied</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html">7.2.
Top Three Causes of
Problems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_
of_Problems.html#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1.
Labeling Problems</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html">7.2.2.
How are Confined Services Running?</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html">7.2.3.
Evolving Rules and Broken
Applications</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html">7.3.
Fixing Problems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1.
Linux Permissions</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent
_Denials.html">7.3.2. Possible Causes of Silent
Denials</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html">7.3.3.
Manual Pages for Services</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html">7.3.4.
Permissive Domains</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html">7.3.5.
Searching For and Viewing Denials</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">7.3.6.
Raw Audit Messages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html">7.3.7.
sealert Messages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html">7.3.8.
Allowing Access: audit2allo
w</a></span></dt></dl></dd></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Further_Information.html">8. Further
Information</a></span></dt><dt><span
class="appendix"><a
href="appe-Security-Enhanced_Linux-Revision_History.html">A. Revision
History</a></span></dt></dl></div></div><ul
class="docnav"><li class="previous"/><li
class="next"><a accesskey="n"
href="pref-Security-Enhanced_Linux-Preface.html"><strong>Next</strong>Preface</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div><div><div
class="abstract"><h6>Abstract</h6><div
class="para">This book is about managing and using Security-Enhanced <span
class="trademark">Linux</span>®.</div></div></div></div><hr/></div><div
class="toc"><dl><dt><span class="preface"><a
href="pref-Security-Enhanced_Linux-Preface.html">Preface</a></span></dt><dd><dl><dt><span
class="section"><a
href="pref-Security-Enhanced_Linux-Preface.html#d0e146">1. Document
Conventions</a></span></dt><dd><dl><dt><span
class="section"><a
href="pref-Security-Enhanced_Linux-Preface.html#d0e156">1.1. Typographic
Conventions</a></span></dt><dt><span
class="section"><a
href="pref-Security-Enhanced_Linux-Preface.html#d0e372">1.2. Pull-quote
Conventions</a></span></dt><dt><span
class="section"><a
href="pref-Security-Enhanced_Linux-Preface.html#d0e391">1.3. Notes and
Warnings</a></span></dt></dl></dd><dt><span
class="section"><a href="pr01s02.html">2. We Need
Feedback!</a></span></dt></dl></dd><dt><span
class="chapter"><a h
ref="chap-Security-Enhanced_Linux-Trademark_Information.html">1. Trademark
Information</a></span></dt><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Introduction.html">2.
Introduction</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1.
Benefits of running SELinux</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-Examples.html">2.2.
Examples</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html">2.3.
SELinux Architecture</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html">2.4.
SELinux on Other Operating
Systems</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html">3. SELinux
Contexts</a></spa
n></dt><dd><dl><dt><span class="section"><a
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1.
Domain Transitions</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html">3.2.
SELinux Contexts for Processes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html">3.3.
SELinux Contexts for
Users</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Targeted_Policy.html">4. Targeted
Policy</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Targeted_Policy.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1.
Confined Processes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html">4.2.
Unconfined Pro
cesses</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html">4.3.
Confined and Unconfined
Users</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html">5. Working with
SELinux</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1.
SELinux Packages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html">5.2.
Which Log File is Used</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html">5.3.
Main Configuration File</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html">5.4.
Enabling and Di
sabling SELinux</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1.
Enabling SELinux</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html">5.4.2.
Disabling
SELinux</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html">5.5.
SELinux Modes</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html">5.6.
Booleans</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1.
Listing Booleans</a></span></dt><dt><span
class="section"><a href="sect-Security-Enhanced_Linux-Booleans-
Configuring_Booleans.html">5.6.2. Configuring
Booleans</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html">5.6.3.
Booleans for NFS and
CIFS</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html">5.7.
SELinux Contexts - Labeling
Files</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1.
Temporary Changes: chcon</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html">5.7.2.
Persistent Changes: semanage
fcontext</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default
_t_Types.html">5.8. The file_t and default_t
Types</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html">5.9.
Mounting File
Systems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1.
Context Mounts</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html">5.9.2.
Changing the Default Context</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html">5.9.3.
Mounting an NFS File System</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html">5.9.4.
Multiple NFS Mounts</a></span></dt><dt><span
class="section"><a href="sect-Security
-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html">5.9.5.
Making Context Mounts
Persistent</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html">5.10.
Maintaining SELinux Labels
</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1.
Copying Files and Directories</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html">5.10.2.
Moving Files and Directories</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html">5.10.3.
Checking the Default SELinux Context</a></span></dt><dt><span
class="section"><a href="sec
t-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html">5.10.4.
Archiving Files with tar</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html">5.10.5.
Archiving Files with
star</a></span></dt></dl></dd></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Confining_Users.html">6. Confining
Users</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Confining_Users.html#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1.
Linux and SELinux User Mappings</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html">6.2.
Confining New Linux Users: useradd</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html">6.3.
Confinin
g Existing Linux Users: semanage
login</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html">6.4.
Changing the Default Mapping</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html">6.5.
xguest: Kiosk Mode</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html">6.6.
Booleans for Users Executing
Applications</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Troubleshooting.html">7.
Troubleshooting</a></span></dt><dd><dl><dt><span
class="section"><a
href="chap-Security-Enhanced_Linux-Troubleshooting.html#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1.
What Happens when Access is Denied</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting
-Top_Three_Causes_of_Problems.html">7.2. Top Three Causes of
Problems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1.
Labeling Problems</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html">7.2.2.
How are Confined Services Running?</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html">7.2.3.
Evolving Rules and Broken
Applications</a></span></dt></dl></dd><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html">7.3.
Fixing Problems</a></span></dt><dd><dl><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhan
ced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux
Permissions</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html">7.3.2.
Possible Causes of Silent Denials</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html">7.3.3.
Manual Pages for Services</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html">7.3.4.
Permissive Domains</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html">7.3.5.
Searching For and Viewing Denials</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">7.3.6.
Raw Audit Messages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.htm
l">7.3.7. sealert Messages</a></span></dt><dt><span
class="section"><a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html">7.3.8.
Allowing Access:
audit2allow</a></span></dt></dl></dd></dl></dd><dt><span
class="chapter"><a
href="chap-Security-Enhanced_Linux-Further_Information.html">8. Further
Information</a></span></dt><dt><span
class="appendix"><a
href="appe-Security-Enhanced_Linux-Revision_History.html">A. Revision
History</a></span></dt></dl></div></div><ul
class="docnav"><li class="previous"/><li
class="next"><a accesskey="n"
href="pref-Security-Enhanced_Linux-Preface.html"><strong>Next</strong>Preface</a></li></ul></body></html>
\ No newline at end of file
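Review bot: the 5.6.3 entry changes both its title and its target file, from sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html ("Examples: Booleans for NFS and CIFS") to sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html ("Booleans for NFS and CIFS"); make sure the old page is removed or redirected so bookmarks and cross-references to the previous filename do not break. The new 6.6 entry, sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html, has to land in the same commit or the TOC link will dangle. Every other TOC entry is unchanged apart from the regenerated line wrapping.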
Index: pr01s02.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/pr01s02.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- pr01s02.html 24 Nov 2008 22:43:10 -0000 1.1
+++ pr01s02.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,11 +1,11 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Need Feedback!</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="pref-Security-Enhanced_Linux-Preface.html"
title="Preface"/><link rel="prev"
href="pref-Security-Enhanced_Linux-Preface.html"
title="Preface"/><link rel="next"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"
title="Chapter 1. Trademark Information"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>2. We Need
Feedback!</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="pref-Security-Enhanced_Linux-Preface.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Trademark_Information.html">
<strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="d0e411">2. We Need
Feedback!</h2></div></div></div><a id="d0e414"
class="indexterm"/><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Need Feedback!</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="pref-Security-Enhanced_Linux-Preface.html"
title="Preface"/><link rel="prev"
href="pref-Security-Enhanced_Linux-Preface.html"
title="Preface"/><link rel="next"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"
title="Chapter 1. Trademark Information"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a access
key="p"
href="pref-Security-Enhanced_Linux-Preface.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="d0e411">2. We Need
Feedback!</h2></div></div></div><a id="d0e414"
class="indexterm"/><div class="para">
If you find a typographical error in this manual, or if you have thought of a way to
make this manual better, we would love to hear from you! Please submit a report in
Bugzilla: <a
href="http://bugzilla.redhat.com/bugzilla/">http://bugzilla....
- against the product <span class="application"><strong>Fedora
Documentation.</strong></span>
- </p><p>
+ against the product <span><strong class="application">Fedora
Documentation.</strong></span>
+ </div><div class="para">
When submitting a bug report, be sure to mention the manual's identifier: <em
class="citetitle">selinux-user-guide</em>
- </p><p>
+ </div><div class="para">
If you have a suggestion for improving the documentation, try to be as specific as
possible when describing it. If you have found an error, please include the section number
and some of the surrounding text so we can find it easily.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="pref-Security-Enhanced_Linux-Preface.html"><strong>Prev</strong>Preface</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Next</strong>Chapter 1. Trademark
Information</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="pref-Security-Enhanced_Linux-Preface.html"><strong>Prev</strong>Preface</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Next</strong>Chapter 1. Trademark
Information</a></li></ul></body></html>
\ No newline at end of file
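Review bot: the regenerated `<body class="">` carries an empty class attribute, and the `<span><strong class="application">` rewrite leaves a classless `<span>` that no longer does anything; both are harmless publican output but could be dropped. The Bugzilla link stays at http://bugzilla.redhat.com/bugzilla/ on both sides of the hunk while the Preface page in this same commit links https://bugzilla.redhat.com/, so switching this one to https would make the guide consistent. The remaining changes are the package bump from Fedora-Security-Enhanced_Linux-10-en-US-1.0-1 to 1.1-1, the two header image links replacing the text title link, and `<p>` becoming `<div class="para">`; the feedback text itself is unchanged.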
Index: pref-Security-Enhanced_Linux-Preface.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/pref-Security-Enhanced_Linux-Preface.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- pref-Security-Enhanced_Linux-Preface.html 24 Nov 2008 22:43:10 -0000 1.1
+++ pref-Security-Enhanced_Linux-Preface.html 24 Jan 2009 03:48:02 -0000 1.2
@@ -1,108 +1,108 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="index.html" title="Security-Enhanced Linux"/><link
rel="next" href="pr01s02.html" title="2. We Need
Feedback!"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>Preface</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="index.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="pr01s02.html"><strong>Next</strong></a></li></ul><div
class="preface" lang="en-US"><div
class="titlepage"><div><div><h1
id="pref-Security-Enhanced_Linux-Preface"
class="title">Preface</h1></div></div></
div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up" href="index.html"
title="Security-Enhanced Linux"/><link rel="prev"
href="index.html" title="Security-Enhanced Linux"/><link
rel="next" href="pr01s02.html" title="2. We Need
Feedback!"/></head><body class=""><p
id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="index.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n" href="pr01
s02.html"><strong>Next</strong></a></li></ul><div
class="preface" lang="en-US"><div
class="titlepage"><div><div><h1
id="pref-Security-Enhanced_Linux-Preface"
class="title">Preface</h1></div></div></div><div
class="para">
The Fedora 10 SELinux User Guide is for people with minimal or no experience with
SELinux. Although system administration experience is not necessary, content in this guide
is written for system administration tasks. This guide provides an introduction to
fundamental concepts and practical applications of SELinux. After reading this guide you
should have an intermediate understanding of SELinux.
- </p><p>
+ </div><div class="para">
Thank you to everyone who offered encouragement, help, and testing - it is most
appreciated. Very special thanks to:
- </p><div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
Dominick Grift, Stephen Smalley, and Russell Coker for their contributions, help, and
patience.
- </p></li><li><p>
+ </div></li><li><div class="para">
Karsten Wade for his help, adding a component for this guide to <a
href="https://bugzilla.redhat.com/"> Red Hat Bugzilla</a>, and sorting
out web hosting on <a
href="http://docs.fedoraproject.org/">http://docs.fedoraproj...;.
- </p></li><li><p>
+ </div></li><li><div class="para">
The <a
href="http://fedoraproject.org/wiki/Infrastructure">Fedora
Infrastructure Team</a> for providing hosting.
- </p></li><li><p>
+ </div></li><li><div class="para">
Jens-Ulrik Petersen for making sure the Red Hat Brisbane office has up-to-date Fedora
mirrors.
- </p></li></ul></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="d0e146">1. Document
Conventions</h2></div></div></div><p>
+ </div></li></ul></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="d0e146">1. Document
Conventions</h2></div></div></div><div
class="para">
This manual uses several conventions to highlight certain words and phrases and draw
attention to specific pieces of information.
- </p><p>
+ </div><div class="para">
In PDF and paper editions, this manual uses typefaces drawn from the <a
href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a>
set. The Liberation Fonts set is also used in HTML editions if the set is installed on
your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat
Enterprise Linux 5 and later includes the Liberation Fonts set by default.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="d0e156">1.1. Typographic
Conventions</h3></div></div></div><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="d0e156">1.1. Typographic
Conventions</h3></div></div></div><div
class="para">
Four typographic conventions are used to call attention to specific words and phrases.
These conventions, and the circumstances they apply to, are as follows.
- </p><p>
+ </div><div class="para">
<code class="literal">Mono-spaced Bold</code>
- </p><p>
+ </div><div class="para">
Used to highlight system input, including shell commands, file names and paths. Also
used to highlight key caps and key-combinations. For example:
- </p><div class="blockquote"><blockquote
class="blockquote"><p>
- To see the contents of the file <code
class="filename">my_next_bestselling_novel</code> in your current
working directory, enter the <code class="command">cat
my_next_bestselling_novel</code> command at the shell prompt and press <span
class="keycap"><strong>Enter</strong></span> to execute the
command.
- </p></blockquote></div><p>
+ </div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
+ To see the contents of the file <code
class="filename">my_next_bestselling_novel</code> in your current
working directory, enter the <code class="command">cat
my_next_bestselling_novel</code> command at the shell prompt and press
<span><strong class="keycap">Enter</strong></span> to
execute the command.
+ </div></blockquote></div><div class="para">
The above includes a file name, a shell command and a key cap, all presented in
Mono-spaced Bold and all distinguishable thanks to context.
- </p><p>
+ </div><div class="para">
Key-combinations can be distinguished from key caps by the hyphen connecting each part
of a key-combination. For example:
- </p><div class="blockquote"><blockquote
class="blockquote"><p>
- Press <span
class="keycap"><strong>Enter</strong></span> to execute the
command.
- </p><p>
- Press <span
class="keycap"><strong>Ctrl</strong></span>+<span
class="keycap"><strong>Alt</strong></span>+<span
class="keycap"><strong>F1</strong></span> to switch to the
first virtual terminal. Press <span
class="keycap"><strong>Ctrl</strong></span>+<span
class="keycap"><strong>Alt</strong></span>+<span
class="keycap"><strong>F7</strong></span> to return to your
X-Windows session.
- </p></blockquote></div><p>
+ </div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
+ Press <span><strong
class="keycap">Enter</strong></span> to execute the command.
+ </div><div class="para">
+ Press <span><strong
class="keycap">Ctrl</strong></span>-<span><strong
class="keycap">Alt</strong></span>-<span><strong
class="keycap">F1</strong></span> to switch to the first virtual
terminal. Press <span><strong
class="keycap">Ctrl</strong></span>-<span><strong
class="keycap">Alt</strong></span>-<span><strong
class="keycap">F7</strong></span> to return to your X-Windows
session.
+ </div></blockquote></div><div class="para">
The first sentence highlights the particular key cap to press. The second highlights
two sets of three key caps, each set pressed simultaneously.
- </p><p>
+ </div><div class="para">
If source code is discussed, class names, methods, functions, variable names and
returned values mentioned within a paragraph will be presented as above, in <code
class="literal">Mono-spaced Bold</code>. For example:
- </p><div class="blockquote"><blockquote
class="blockquote"><p>
+ </div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
File-related classes include <code
class="classname">filesystem</code> for file systems, <code
class="classname">file</code> for files, and <code
class="classname">dir</code> for directories. Each class has its own
associated set of permissions.
- </p></blockquote></div><p>
- <span class="application"><strong>Proportional
Bold</strong></span>
- </p><p>
+ </div></blockquote></div><div class="para">
+ <span><strong class="application">Proportional
Bold</strong></span>
+ </div><div class="para">
This denotes words or phrases encountered on a system, including application names;
dialogue box text; labelled buttons; check-box and radio button labels; menu titles and
sub-menu titles. For example:
- </p><div class="blockquote"><blockquote
class="blockquote"><p>
- Choose <span class="guimenu"><strong>System >
Preferences > Mouse</strong></span> from the main menu bar to launch
<span class="application"><strong>Mouse
Preferences</strong></span>. In the <span
class="guilabel"><strong>Buttons</strong></span> tab, click
the <span class="guilabel"><strong>Left-handed
mouse</strong></span> check box and click <span
class="guibutton"><strong>Close</strong></span> to switch
the primary mouse button from the left to the right (making the mouse suitable for use in
the left hand).
- </p><p>
- To insert a special character into a <span
class="application"><strong>gedit</strong></span> file,
choose <span class="guimenu"><strong>Applications >
Accessories > Character Map</strong></span> from the main menu bar.
Next, choose <span class="guimenu"><strong>Search >
Find…</strong></span> from the <span
class="application"><strong>Character Map</strong></span>
menu bar, type the name of the character in the <span
class="guilabel"><strong>Search</strong></span> field and
click <span
class="guibutton"><strong>Next</strong></span>. The
character you sought will be highlighted in the <span
class="guilabel"><strong>Character Table</strong></span>.
Double-click this highlighted character to place it in the <span
class="guilabel"><strong>Text to copy</strong></span> field
and then click the <span
class="guibutton"><strong>Copy</strong></span> button. Now
switch back to your document and choose <span
class="guimenu"><strong>Edit > Paste</strong></span>
from the
<span class="application"><strong>gedit</strong></span>
menu bar.
- </p></blockquote></div><p>
+ </div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
+ Choose <span><strong class="guimenu">System >
Preferences > Mouse</strong></span> from the main menu bar to launch
<span><strong class="application">Mouse
Preferences</strong></span>. In the <span><strong
class="guilabel">Buttons</strong></span> tab, click the
<span><strong class="guilabel">Left-handed
mouse</strong></span> check box and click <span><strong
class="guibutton">Close</strong></span> to switch the primary
mouse button from the left to the right (making the mouse suitable for use in the left
hand).
+ </div><div class="para">
+ To insert a special character into a <span><strong
class="application">gedit</strong></span> file, choose
<span><strong class="guimenu">Applications > Accessories
> Character Map</strong></span> from the main menu bar. Next, choose
<span><strong class="guimenu">Search >
Find…</strong></span> from the <span><strong
class="application">Character Map</strong></span> menu bar, type
the name of the character in the <span><strong
class="guilabel">Search</strong></span> field and click
<span><strong class="guibutton">Next</strong></span>.
The character you sought will be highlighted in the <span><strong
class="guilabel">Character Table</strong></span>. Double-click
this highlighted character to place it in the <span><strong
class="guilabel">Text to copy</strong></span> field and then
click the <span><strong
class="guibutton">Copy</strong></span> button. Now switch back to
your document and choose <span><strong class="guimenu">Edit >
Paste</strong></span> from the
<span><strong class="application">gedit</strong></span>
menu bar.
+ </div></blockquote></div><div class="para">
The above text includes application names; system-wide menu names and items;
application-specific menu names; and buttons and text found within a GUI interface, all
presented in Proportional Bold and all distinguishable by context.
- </p><p>
- Note the <span
class="guimenu"><strong>></strong></span> shorthand
used to indicate traversal through a menu and its sub-menus. This is to avoid the
difficult-to-follow 'Select <span
class="guimenuitem"><strong>Mouse</strong></span> from the
<span
class="guimenu"><strong>Preferences</strong></span>
sub-menu in the <span
class="guimenu"><strong>System</strong></span> menu of the
main menu bar' approach.
- </p><p>
- <code class="command"><em
class="replaceable"><code>Mono-spaced Bold
Italic</code></em></code> or <span
class="application"><strong><em
class="replaceable"><code>Proportional Bold
Italic</code></em></strong></span>
- </p><p>
+ </div><div class="para">
+ Note the <span><strong
class="guimenu">></strong></span> shorthand used to
indicate traversal through a menu and its sub-menus. This is to avoid the
difficult-to-follow 'Select <span><strong
class="guimenuitem">Mouse</strong></span> from the
<span><strong
class="guimenu">Preferences</strong></span> sub-menu in the
<span><strong class="guimenu">System</strong></span>
menu of the main menu bar' approach.
+ </div><div class="para">
+ <code class="command"><em
class="replaceable"><code>Mono-spaced Bold
Italic</code></em></code> or <span><strong
class="application"><em
class="replaceable"><code>Proportional Bold
Italic</code></em></strong></span>
+ </div><div class="para">
Whether Mono-spaced Bold or Proportional Bold, the addition of Italics indicates
replaceable or variable text. Italics denotes text you do not input literally or displayed
text that changes depending on circumstance. For example:
- </p><div class="blockquote"><blockquote
class="blockquote"><p>
+ </div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
To connect to a remote machine using ssh, type <code
class="command">ssh <em
class="replaceable"><code>username</code></em>@<em
class="replaceable"><code>domain.name</code></em></code>
at a shell prompt. If the remote machine is <code
class="filename">example.com</code> and your username on that machine
is john, type <code class="command">ssh john(a)example.com</code>.
- </p><p>
+ </div><div class="para">
The <code class="command">mount -o remount <em
class="replaceable"><code>file-system</code></em></code>
command remounts the named file system. For example, to remount the <code
class="filename">/home</code> file system, the command is <code
class="command">mount -o remount /home</code>.
- </p><p>
+ </div><div class="para">
To see the version of a currently installed package, use the <code
class="command">rpm -q <em
class="replaceable"><code>package</code></em></code>
command. It will return a result as follows: <code class="command"><em
class="replaceable"><code>package-version-release</code></em></code>.
- </p></blockquote></div><p>
+ </div></blockquote></div><div class="para">
Note the words in bold italics above — username, domain.name, file-system, package,
version and release. Each word is a placeholder, either for text you enter when issuing a
command or for text displayed by the system.
- </p><p>
+ </div><div class="para">
Aside from standard usage for presenting the title of a work, italics denotes the
first use of a new and important term. For example:
- </p><div class="blockquote"><blockquote
class="blockquote"><p>
+ </div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
When the Apache HTTP Server accepts requests, it dispatches child processes or
threads to handle them. This group of child processes or threads is known as a <em
class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the
responsibility for creating and maintaining these server-pools has been abstracted to a
group of modules called <em class="firstterm">Multi-Processing
Modules</em> (<em class="firstterm">MPMs</em>). Unlike other
modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
- </p></blockquote></div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="d0e372">1.2. Pull-quote
Conventions</h3></div></div></div><p>
+ </div></blockquote></div></div><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="d0e372">1.2. Pull-quote
Conventions</h3></div></div></div><div
class="para">
Two, commonly multi-line, data types are set off visually from the surrounding text.
- </p><p>
+ </div><div class="para">
Output sent to a terminal is set in <code
class="computeroutput">Mono-spaced Roman</code> and presented thus:
- </p><pre class="screen">
+ </div><pre class="screen">
books Desktop documentation drafts mss photos stuff svn
books_tests Desktop1 downloads images notes scripts svgs
-</pre><p>
+</pre><div class="para">
Source-code listings are also set in <code
class="computeroutput">Mono-spaced Roman</code> but are presented and
highlighted as follows:
- </p><pre class="programlisting">
-package org.jboss.book.jca.ex1;
+ </div><pre class="programlisting">
+<span class="hl-keyword">package</span> org.jboss.book.jca.ex1;
-import javax.naming.InitialContext;
+<span class="hl-keyword">import</span>
javax.naming.InitialContext;
-public class ExClient
+<span class="hl-keyword">public</span> <span
class="hl-keyword">class</span> ExClient
{
- public static void main(String args[])
- throws Exception
+ <span class="hl-keyword">public</span> <span
class="hl-keyword">static</span> <span
class="hl-keyword">void</span> main(String args[])
+ <span class="hl-keyword">throws</span> Exception
{
- InitialContext iniCtx = new InitialContext();
- Object ref = iniCtx.lookup("EchoBean");
+ InitialContext iniCtx = <span class="hl-keyword">new</span>
InitialContext();
+ Object ref = iniCtx.lookup(<span
class="hl-string">"EchoBean"</span>);
EchoHome home = (EchoHome) ref;
Echo echo = home.create();
- System.out.println("Created Echo");
+ System.out.println(<span class="hl-string">"Created
Echo"</span>);
- System.out.println("Echo.echo('Hello') = " +
echo.echo("Hello"));
+ System.out.println(<span
class="hl-string">"Echo.echo('Hello') = "</span> +
echo.echo(<span class="hl-string">"Hello"</span>));
}
}
-</pre></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="d0e391">1.3. Notes and
Warnings</h3></div></div></div><p>
+</pre></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="d0e391">1.3. Notes and
Warnings</h3></div></div></div><div class="para">
Finally, we use three visual styles to draw attention to information that might
otherwise be overlooked.
- </p><div class="note"><h2>Note</h2><p>
+ </div><div class="note"><h2>Note</h2><div
class="para">
A note is a tip or shortcut or alternative approach to the task at hand. Ignoring a
note should have no negative consequences, but you might miss out on a trick that makes
your life easier.
- </p></div><div
class="important"><h2>Important</h2><p>
+ </div></div><div
class="important"><h2>Important</h2><div
class="para">
Important boxes detail things that are easily missed: configuration changes that only
apply to the current session, or services that need restarting before an update will
apply. Ignoring Important boxes won't cause data loss but may cause irritation and
frustration.
- </p></div><div
class="warning"><h2>Warning</h2><p>
+ </div></div><div
class="warning"><h2>Warning</h2><div
class="para">
A Warning should not be ignored. Ignoring warnings will most likely cause data loss.
- </p></div></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="index.html"><strong>Prev</strong>Security-Enhanced
Linux</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="pr01s02.html"><strong>Next</strong>2. We Need
Feedback!</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="index.html"><strong>Prev</strong>Security-Enhanced
Linux</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="pr01s02.html"><strong>Next</strong>2. We Need
Feedback!</a></li></ul></body></html>
\ No newline at end of file
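Review bot: the ssh example in the Typographic Conventions blockquote (unchanged context, `ssh john(a)example.com`) does not match the placeholder form `ssh username@domain.name` given immediately before it; unless the `(a)` is only the list archive's address mangling, the source should read `ssh john@example.com`. In the same hunk, the revised key-combination blockquote now joins key caps with a hyphen (`Ctrl-Alt-F1`) where the previous revision used `+`, which is correct because the paragraph above it states that key-combinations are distinguished "by the hyphen connecting each part"; the rest of the hunk, including the trailing docnav block, is only the `<p>` to `<div class="para">` markup conversion with the `class` attribute moved from `<span>` to `<strong>`, so any stylesheet selectors for `span.keycap`, `span.guimenu` and `span.application` need the matching update.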
Index: sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html 24 Nov 2008 22:43:10
-0000 1.1
+++ sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html 24 Jan 2009 03:48:02
-0000 1.2
@@ -1,25 +1,25 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Booleans</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"
title="5.6. Booleans"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"
title="5.6. Booleans"/><link rel="next"
href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"
title="5.6.3. Examples: Booleans for NFS and
CIFS"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>5.6.2. Configuring
Booleans</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><s
trong>Prev</strong></a></li><li class="next"><a
accesskey="n"
href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring
Booleans</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Booleans</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"
title="5.6. Booleans"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"
title="5.6. Booleans"/><link rel="next"
href="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html"
title="5.6.3. Booleans for NFS and CIFS"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="D
ocumentation Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring
Booleans</h3></div></div></div><div class="para">
The <code class="command">setsebool <em
class="replaceable"><code>boolean-name</code></em> <em
class="replaceable"><code>x</code></em></code>
command turns Booleans on or off, where <em
class="replaceable"><code>boolean-name</code></em> is a
Boolean name, and <em
class="replaceable"><code>x</code></em> is either <code
class="option">on</code> to turn the Boolean on, or <code
class="option">off</code> to turn it off.
- </p><p>
+ </div><div class="para">
The following example demonstrates configuring the <code
class="computeroutput">httpd_can_network_connect_db</code> Boolean:
- </p><div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
By default, the <code
class="computeroutput">httpd_can_network_connect_db</code> Boolean is
off, preventing Apache HTTP Server scripts and modules from connecting to database
servers:
- </p><pre class="screen">$ /usr/sbin/getsebool
httpd_can_network_connect_db
+ </div><pre class="screen">$ /usr/sbin/getsebool
httpd_can_network_connect_db
httpd_can_network_connect_db --> off
-</pre></li><li><p>
+</pre></li><li><div class="para">
To temporarily enable Apache HTTP Server scripts and modules to connect to database
servers, run the <code class="command">setsebool
httpd_can_network_connect_db on</code> command as the Linux root user.
- </p></li><li><p>
+ </div></li><li><div class="para">
Use the <code class="command">getsebool
httpd_can_network_connect_db</code> command to verify the Boolean is turned on:
- </p><pre class="screen">$ /usr/sbin/getsebool
httpd_can_network_connect_db
+ </div><pre class="screen">$ /usr/sbin/getsebool
httpd_can_network_connect_db
httpd_can_network_connect_db --> on
-</pre><p>
+</pre><div class="para">
This allows Apache HTTP Server scripts and modules to connect to database servers.
- </p></li><li><p>
+ </div></li><li><div class="para">
This change is not persistent across reboots. To make changes persistent across
reboots, run the <code class="command">setsebool -P <em
class="replaceable"><code>boolean-name</code></em>
on</code> command as the Linux root user:
- </p><pre class="screen"># /usr/sbin/setsebool -P
httpd_can_network_connect_db on
-</pre></li><li><p>
+ </div><pre class="screen"># /usr/sbin/setsebool -P
httpd_can_network_connect_db on
+</pre></li><li><div class="para">
To temporarily revert to the default behavior, as the Linux root user, run the
<code class="command">setsebool httpd_can_network_connect_db
off</code> command. For changes that persist across reboots, run the <code
class="command">setsebool -P httpd_can_network_connect_db off</code>
command.
- </p></li></ol></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Prev</strong>5.6. Booleans</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"><strong>Next</strong>5.6.3. Examples:
Booleans for NFS and CIFS</a></li></ul></body></html>
\ No newline at end of file
+ </div></li></ol></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Prev</strong>5.6. Booleans</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html"><strong>Next</strong>5.6.3. Booleans
for NFS and CIFS</a></li></ul></body></html>
\ No newline at end of file
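Review bot: step 2 of the ordered list describes the temporary enable only in prose (`setsebool httpd_can_network_connect_db on` as the Linux root user), while steps 1, 3 and 4 each show their command in a `<pre class="screen">` block; for consistency, and so the reader sees the `#` root prompt that the `-P` example in step 4 uses, add a screen block such as `# /usr/sbin/setsebool httpd_can_network_connect_db on` after the step-2 paragraph. The `getsebool` blocks keep the `$` prompt, so the contrast with `#` in step 4 carries meaning and should be preserved. The `rel="next"` link and the docnav entry were both updated to the renamed "5.6.3. Booleans for NFS and CIFS" page, so the navigation stays consistent within the file.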
Index: sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html 24 Nov
2008 22:43:10 -0000 1.1
+++ sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html 24 Jan
2009 03:48:02 -0000 1.2
@@ -1,15 +1,15 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
the Default Mapping</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"
title="6.3. Confining Existing Linux Users: semanage login"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"
title="6.5. xguest: Kiosk Mode"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>6.4. Changing the Default
Mapping</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p" href="sect-Security-
Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing
the Default Mapping</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
the Default Mapping</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"
title="6.3. Confining Existing Linux Users: semanage login"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"
title="6.5. xguest: Kiosk Mode"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="http://docs.fedorapr
oject.org"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing
the Default Mapping</h2></div></div></div><div
class="para">
In Fedora 10, Linux users are mapped to the SELinux <code
class="computeroutput">__default__</code> login by default (which is
mapped to the SELinux <code
class="computeroutput">unconfined_u</code> user). If you would like new
Linux users, and Linux users not specifically mapped to an SELinux user to be confined by
default, change the default mapping with the <code
class="command">semanage login</code> command.
- </p><p>
+ </div><div class="para">
For example, run the following command as the Linux root user to change the default
mapping from <code class="computeroutput">unconfined_u</code> to
<code class="computeroutput">user_u</code>:
- </p><p>
+ </div><div class="para">
<code class="command">/usr/sbin/semanage login -m -S targeted -s
"user_u" -r s0 __default__</code>
- </p><p>
- As the Linux root user, run the <code class="command">semanage login
-l</code> command to verify that the <code
class="computeroutput">__default__</code> login is mapped to <code
class="computeroutput">user_u</code>:
- </p><pre class="screen">
+ </div><div class="para">
+ Run the <code class="command">semanage login -l</code> command
as the Linux root user to verify the <code
class="computeroutput">__default__</code> login is mapped to <code
class="computeroutput">user_u</code>:
+ </div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
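Review bot: the command that changes the default mapping (`/usr/sbin/semanage login -m -S targeted -s "user_u" -r s0 __default__`) is set as inline `<code class="command">` inside its own `<div class="para">` without a prompt, while the verification step right below it shows `# /usr/sbin/semanage login -l` in a `<pre class="screen">` block; present the modify command the same way, with the `#` prompt, so the reader sees at a glance that both run as root, as the prose states. Because this change affects every login that has no explicit entry, it would also help to say at this point that `root` keeps its own `unconfined_u` entry in the listing and is therefore not confined by the new `__default__` mapping.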
@@ -17,13 +17,13 @@
__default__ user_u s0
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
-</pre><p>
+</pre><div class="para">
If a new Linux user is created and an SELinux user is not specified, or if an existing
Linux user logs in and does not match a specific entry from the <code
class="command">semanage login -l</code> output, they are mapped to
<code class="computeroutput">user_u</code>, as per the <code
class="computeroutput">__default__</code> login.
- </p><p>
+ </div><div class="para">
To change back to the default behavior, run the following command as the Linux root
user to map the <code class="computeroutput">__default__</code>
login to the SELinux <code
class="computeroutput">unconfined_u</code> user:
- </p><p>
+ </div><div class="para">
<pre class="screen">/usr/sbin/semanage login -m -S targeted -s
"unconfined_u" -r\
s0-s0:c0.c1023 __default__
</pre>
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Prev</strong>6.3. Confining
Existing Linux Users: semanage log...</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Next</strong>6.5. xguest:
Kiosk Mode</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Prev</strong>6.3. Confining
Existing Linux Users: semanage log...</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Next</strong>6.5. xguest:
Kiosk Mode</a></li></ul></body></html>
\ No newline at end of file
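Review bot: in the final `<pre class="screen">` (unchanged context) the continuation backslash follows `-r` directly (`-r\`), so unless the next line begins with whitespace the shell joins the two lines into `-rs0-s0:c0.c1023`; break the line after the complete range instead (`... -s "unconfined_u" -r s0-s0:c0.c1023 \` followed by `__default__`), or drop the continuation entirely. This block also lacks the `#` prompt used by the `semanage login -l` listing above, and it is the only `<pre class="screen">` in the file nested inside a `<div class="para">` rather than placed after it as a sibling, as the listing at the top of this file is; the old `<pre>`-inside-`<p>` nesting was invalid under the XHTML 1.0 Strict doctype declared in the file, so this conversion is a good moment to move it out.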
Index:
sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html 24
Nov 2008 22:43:10 -0000 1.1
+++
sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,11 +1,11 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Existing Linux Users: semanage login</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"
title="6.2. Confining New Linux Users: useradd"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"
title="6.4. Changing the Default Mapping"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>6.3. Confining Existing
Linux Users: semanage login</strong></a></p><ul
class="docnav"><li class="previous"><a a
ccesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining
Existing Linux Users: semanage
login</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Existing Linux Users: semanage login</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"
title="6.2. Confining New Linux Users: useradd"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"
title="6.4. Changing the Default Mapping"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="http:
//docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining
Existing Linux Users: semanage login</h2></div></div></div><div
class="para">
If a Linux user is mapped to the SELinux <code
class="computeroutput">unconfined_u</code> user (the default behavior),
and you would like to change which SELinux user they are mapped to, use the <code
class="command">semanage login</code> command. The following example
creates a new Linux user named newuser, then maps that Linux user to the SELinux <code
class="computeroutput">user_u</code> user:
- </p><div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/useradd newuser</code> command to create a
new Linux user (newuser). Since this user uses the default mapping, it does not appear in
the <code class="command">/usr/sbin/semanage login -l</code>
output:
- </p><pre class="screen">
+ </div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
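Review bot: the intro paragraph of this hunk speaks of "the default mapping" and "the default behavior" without tying either to the `__default__` record that the `semanage login -l` listing below it shows (`__default__ unconfined_u s0-s0:c0.c1023`), so the reader is not told why newuser is absent from that output. Suggest one sentence before the listing: a Linux user with no record of its own is mapped through `__default__`, which is why only the records for `__default__`, `root` and `system_u` appear until a record for newuser is added.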
@@ -13,15 +13,15 @@
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
-</pre></li><li><p>
+</pre></li><li><div class="para">
To map the Linux newuser user to the SELinux <code
class="computeroutput">user_u</code> user, run the following command as
the Linux root user:
- </p><p>
+ </div><div class="para">
<code class="command">/usr/sbin/semanage login -a -s user_u
newuser</code>
- </p><p>
+ </div><div class="para">
The <code class="option">-a</code> option adds a new record,
and the <code class="option">-s</code> option specifies the SELinux
user to map a Linux user to. The last argument, <code
class="computeroutput">newuser</code>, is the Linux user you want
mapped to the specified SELinux user.
- </p></li><li><p>
- To view the mapping between the Linux newuser user and <code
class="computeroutput">user_u</code>, run the <code
class="command">/usr/sbin/semanage login -l</code> command as the Linux
root user:
- </p><pre class="screen">
+ </div></li><li><div class="para">
+ To view the mapping between the Linux newuser user and <code
class="computeroutput">user_u</code>, run the <code
class="command">semanage login -l</code> command as the Linux root
user:
+ </div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
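Review bot: the `+` paragraph describing `/usr/sbin/semanage login -a -s user_u newuser` explains `-a` and `-s` but not where the `s0` in the resulting listing (`newuser user_u s0`, against `s0-s0:c0.c1023` for `__default__`) comes from, since no range is given on the command line; one sentence saying that the range is taken from the SELinux user's definition when none is passed would close that gap. Also a style point: the rewritten step 3 now says `semanage login -l` while step 1 in this file and the screen output in this very hunk still use `/usr/sbin/semanage login -l`; pick one form and use it throughout.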
@@ -30,22 +30,22 @@
newuser user_u s0
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">passwd
newuser</code> command to assign a password to the Linux newuser user:
- </p><pre class="screen">
+ </div><pre class="screen">
# passwd newuser
Changing password for user newuser.
New UNIX password: <em class="replaceable"><code>Enter a
password</code></em>
Retype new UNIX password: <em class="replaceable"><code>Enter the
same password again</code></em>
passwd: all authentication tokens updated successfully.
-</pre></li><li><p>
- Log out of your current session, and log in as the Linux newuser user. Run the
<code class="command">id -Z</code> command to the newuser's
SELinux context:
- </p><pre class="screen">
+</pre></li><li><div class="para">
+ Log out of your current session, and log in as the Linux newuser user. Run the
<code class="command">id -Z</code> command to view the newuser's
SELinux context:
+ </div><pre class="screen">
[newuser@rlocalhost ~]$ id -Z
user_u:user_r:user_t:s0
-</pre></li><li><p>
- Log out of the Linux newuser's session, and log back in with your account. If
you do not want the Linux newuser user, as the Linux root user, run the <code
class="command">/usr/sbin/userdel -r newuser</code> command to remove
it, along with its home directory. Also, the mapping between the Linux newuser user and
<code class="computeroutput">user_u</code> is removed:
- </p><pre class="screen">
+</pre></li><li><div class="para">
+ Log out of the Linux newuser's session, and log back in with your account. If
you do not want the Linux newuser user, run the <code
class="command">userdel -r newuser</code> command as the Linux root
user to remove it, along with its home directory. Also, the mapping between the Linux
newuser user and <code class="computeroutput">user_u</code> is
removed:
+ </div><pre class="screen">
# /usr/sbin/userdel -r newuser
# /usr/sbin/semanage login -l
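Review bot: the rewritten step 5 in this hunk tells the reader to log out and log in as newuser, but neither it nor step 2 states the reason: the mapping added by `semanage login -a` is applied by pam_selinux at login (the useradd section says as much), so sessions already open keep their old context, and a user who is logged in when the mapping is changed is not confined until the next login. A sentence to that effect belongs with step 2 or step 5. Two smaller points: the prompt in the `id -Z` screen reads `[newuser@rlocalhost ~]$`, which looks like a typo for `localhost` (the useradd section uses `[useruuser@localhost ~]$`), and the rewritten step 6 now says `userdel -r newuser` while its screen output still runs `/usr/sbin/userdel -r newuser`.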
Index:
sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html 24
Nov 2008 22:43:10 -0000 1.1
+++ sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,20 +1,20 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
New Linux Users: useradd</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="next"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"
title="6.3. Confining Existing Linux Users: semanage
login"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>6.2. Confining New Linux
Users: useradd</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p" href="chap-Security-En
hanced_Linux-Confining_Users.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining
New Linux Users: useradd</h2></div></div></div><p>
- Linux users mapped to the SELinux <code
class="computeroutput">unconfined_u</code> user run in the <code
class="computeroutput">unconfined_t</code> domain. This is seen by
running the <code class="command">id -Z</code> command while
logged-in as a Linux users mapped to <code
class="computeroutput">unconfined_u</code>:
- </p><pre class="screen">
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
New Linux Users: useradd</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="next"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"
title="6.3. Confining Existing Linux Users: semanage
login"/></head><body class=""><p
id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.or
g"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining
New Linux Users: useradd</h2></div></div></div><div
class="para">
+ Linux users mapped to the SELinux <code
class="computeroutput">unconfined_u</code> user run in the <code
class="computeroutput">unconfined_t</code> domain. This is seen by
running the <code class="command">id -Z</code> command while
logged-in as a Linux user mapped to <code
class="computeroutput">unconfined_u</code>:
+ </div><pre class="screen">
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-</pre><p>
+</pre><div class="para">
When Linux users run in the <code
class="computeroutput">unconfined_t</code> domain, SELinux policy rules
are applied, but policy rules exist that allow Linux users running in the <code
class="computeroutput">unconfined_t</code> domain almost all access. If
unconfined Linux users execute an application that SELinux policy defines can transition
from the <code class="computeroutput">unconfined_t</code> domain to
its own confined domain, unconfined Linux users are still subject to the restrictions of
that confined domain. The security benefit of this is that, even though a Linux user is
running unconfined, the application remains confined, and therefore, the exploitation of a
flaw in the application can be limited by policy. Note: this does not protect the system
from the user. Instead, the user and the system are being protected from possible damage
caused by a flaw in the application.
- </p><p>
- When creating Linux users with <code
class="command">useradd</code>, use the <code
class="option">-Z</code> option to specify which SELinux user they are
mapped to. The following example creates a new Linux user, useruuser, and maps that user
to the SELinux <code class="computeroutput">user_u</code> user.
Linux users mapped to the SELinux <code
class="computeroutput">user_u</code> user run in the <code
class="computeroutput">user_t</code> domain. In this domain, Linux
users are unable to run setuid applications unless SELinux policy permits it (such as
<code class="command">passwd</code>), can not run <code
class="command">su</code> or <code
class="command">sudo</code>, preventing them from becoming the Linux
root user with these commands.
- </p><div class="orderedlist"><ol><li><p>
- As the Linux root, run the <code class="command">/usr/sbin/useradd
-Z user_u useruuser</code> command to create a new Linux user (useruuser) that is
mapped to the SELinux <code class="computeroutput">user_u</code>
user.
- </p></li><li><p>
+ </div><div class="para">
+ When creating Linux users with <code
class="command">useradd</code>, use the <code
class="option">-Z</code> option to specify which SELinux user they are
mapped to. The following example creates a new Linux user, useruuser, and maps that user
to the SELinux <code class="computeroutput">user_u</code> user.
Linux users mapped to the SELinux <code
class="computeroutput">user_u</code> user run in the <code
class="computeroutput">user_t</code> domain. In this domain, Linux
users are unable to run setuid applications unless SELinux policy permits it (such as
<code class="command">passwd</code>), and can not run <code
class="command">su</code> or <code
class="command">sudo</code>, preventing them from becoming the Linux
root user with these commands.
+ </div><div class="orderedlist"><ol><li><div
class="para">
+ As the Linux root user, run the <code
class="command">/usr/sbin/useradd -Z user_u useruuser</code> command to
create a new Linux user (useruuser) that is mapped to the SELinux <code
class="computeroutput">user_u</code> user.
+ </div></li><li><div class="para">
As the Linux root user, run the <code class="command">semanage login
-l</code> command to view the mapping between the Linux <code
class="computeroutput">useruuser</code> user and <code
class="computeroutput">user_u</code>:
- </p><pre class="screen">
+ </div><pre class="screen">
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
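Review bot: the `+` paragraph on unconfined_t says that "unconfined Linux users are still subject to the restrictions of that confined domain", which conflates the user with the process: it is the program's process that transitions out of unconfined_t and is confined, while the user's shell and everything else they run stay unconfined. Suggest wording it as the process running in, and being limited by, the confined domain, which also makes the following "this does not protect the system from the user" sentence read naturally. The `-Z user_u` step should also say that without `-Z` the new user falls under the `__default__` record in the listing of the next step, so the reader understands what the option changes.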
@@ -23,19 +23,19 @@
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
useruuser user_u s0
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">passwd
useruuser</code> command to assign a password to the Linux useruuser user:
- </p><pre class="screen">
+ </div><pre class="screen">
# passwd useruuser
Changing password for user useruuser.
New UNIX password: <em class="replaceable"><code>Enter a
password</code></em>
Retype new UNIX password: <em class="replaceable"><code>Enter the
same password again</code></em>
passwd: all authentication tokens updated successfully.
-</pre></li><li><p>
- Log out of your current session, and log in as the Linux useruuser user. When you
log in, pam_selinux maps the Linux user to an SELinux user (in this case, <code
class="computeroutput">user_u</code>), and sets up the resulting
SELinux context. The Linux user's shell is then launched with this SELinux context. To
view the SELinux context for a Linux user, run the <code
class="command">id -Z</code> command:
- </p><pre class="screen">
+</pre></li><li><div class="para">
+ Log out of your current session, and log in as the Linux useruuser user. When you
log in, pam_selinux maps the Linux user to an SELinux user (in this case, <code
class="computeroutput">user_u</code>), and sets up the resulting
SELinux context. The Linux user's shell is then launched with this context. Run the
<code class="command">id -Z</code> command to view the context of a
Linux user:
+ </div><pre class="screen">
[useruuser@localhost ~]$ id -Z
user_u:user_r:user_t:s0
-</pre></li><li><p>
- Log out of the Linux useruuser's session, and log back in with your account. If
you do not want the Linux useruuser user, as the Linux root user, run the <code
class="command">/usr/sbin/userdel -r useruuser</code> command to remove
it, along with its home directory.
- </p></li></ol></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Prev</strong>Chapter 6. Confining
Users</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Next</strong>6.3. Confining
Existing Linux Users: semanage
log...</a></li></ul></body></html>
\ No newline at end of file
+</pre></li><li><div class="para">
+ Log out of the Linux useruuser's session, and log back in with your account. If
you do not want the Linux useruuser user, run the <code
class="command">/usr/sbin/userdel -r useruuser</code> command as the
Linux root user to remove it, along with its home directory.
+ </div></li></ol></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Prev</strong>Chapter 6. Confining
Users</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Next</strong>6.3. Confining
Existing Linux Users: semanage
log...</a></li></ul></body></html>
\ No newline at end of file
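Review bot: the rewritten removal step in this hunk (`/usr/sbin/userdel -r useruuser`) says only that the user and home directory are removed; the parallel step in the semanage login section also states that the `user_u` login mapping is removed and follows the command with `semanage login -l` to show it. Either add the same statement and check here, or, if the record created by `useradd -Z` is not removed by `userdel`, say so explicitly, because login mappings are keyed by login name (the `Login Name` column of the listing) and a stale record would silently map the next user created with that name to `user_u`.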
Index: sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html 24 Nov 2008
22:43:10 -0000 1.1
+++ sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html 24 Jan 2009
03:48:02 -0000 1.2
@@ -1,19 +1,19 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...:
Kiosk Mode</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"
title="6.4. Changing the Default Mapping"/><link rel="next"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>6.5. xguest: Kiosk
Mode</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><st
rong>Prev</strong></a></li><li class="next"><a
accesskey="n"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest:
Kiosk Mode</h2></div></div></div><p>
- The <span class="package">xguest</span> package provides a kiosk
user account. This account is used to secure machines that people walk up to and use, such
as those at libraries, banks, airports, information kiosks, and coffee shops. The kiosk
user account is very locked down: essentially, it only allows users to log in, and then
use the <span
class="application"><strong>Firefox</strong></span>
application to browse Internet websites. Any changes made while logged in with his
account, such as creating files or changing settings, are lost when you log out.
- </p><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...:
Kiosk Mode</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"
title="6.4. Changing the Default Mapping"/><link rel="next"
href="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html"
title="6.6. Booleans for Users Executing Applications"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="http://docs.fedora
project.org"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest:
Kiosk Mode</h2></div></div></div><div
class="para">
+ The <span class="package">xguest</span> package provides a kiosk
user account. This account is used to secure machines that people walk up to and use, such
as those at libraries, banks, airports, information kiosks, and coffee shops. The kiosk
user account is very locked down: essentially, it only allows users to log in and use
<span><strong
class="application">Firefox</strong></span> to browse Internet
websites. Any changes made while logged in with his account, such as creating files or
changing settings, are lost when you log out.
+ </div><div class="para">
To set up the kiosk account:
- </p><div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run <code class="command">yum install
xguest</code> command to install the <span
class="package">xguest</span> package. Install dependencies as
required.
- </p></li><li><p>
+ </div></li><li><div class="para">
In order to allow the kiosk account to be used by a variety of people, the account
is not password-protected, and as such, the account can only be protected if SELinux is
running in enforcing mode. Before logging in with this account, use the <code
class="command">getenforce</code> command to confirm that SELinux is
running in enforcing mode:
- </p><pre class="screen">
+ </div><pre class="screen">
$ /usr/sbin/getenforce
Enforcing
-</pre><p>
- If this is not the case, refer to <a class="xref"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"
title="5.5. SELinux Modes">Section 5.5, “SELinux Modes”</a> for
information about changing to enforcing mode. It is not possible to log in with this
account if SELinux is in permissive mode or disabled.
- </p></li><li><p>
+</pre><div class="para">
+ If this is not the case, refer to <a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"
title="5.5. SELinux Modes">Section 5.5, “SELinux Modes”</a> for
information about changing to enforcing mode. It is not possible to log in with this
account if SELinux is in permissive mode or disabled.
+ </div></li><li><div class="para">
You can only log in to this account via the GNOME Display Manager (GDM). Once the
<span class="package">xguest</span> package is installed, a <code
class="computeroutput">Guest</code> account is added to GDM. To log in,
click on the <code class="computeroutput">Guest</code> account:
- </p><div class="mediaobject"><img
src="./images/xguest.png"/></div></li></ol></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Prev</strong>6.4. Changing
the Default Mapping</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"><strong>Next</strong>Chapter 7. Troubleshooting</a></li></ul></body></html>
\ No newline at end of file
+ </div><div class="mediaobject"><img
src="./images/xguest.png"/></div></li></ol></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Prev</strong>6.4. Changing
the Default Mapping</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html"><strong>Next</strong>6.6. Booleans
for Users Executing
Applications</a></li></ul></body></html>
\ No newline at end of file
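Review bot: the typo "logged in with his account" (for "this account") in the opening paragraph survives into the `+` version of this hunk, and "run `yum install xguest` command" in step 1 is missing "the". On substance, step 2 says the unauthenticated account "can only be protected if SELinux is running in enforcing mode" but not why: with no password, the xguest policy is the only thing restricting the session, and in permissive mode SELinux prints warnings instead of enforcing, so denials would be logged and the access allowed anyway. The statement that login is refused in permissive or disabled mode is the right place to attach that explanation; the `$` prompt on the `getenforce` check is correct, since the check needs no privilege.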
Index: sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html 24
Nov 2008 22:43:10 -0000 1.1
+++ sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,9 +1,9 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
SELinux</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"
title="5.4. Enabling and Disabling SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"
title="5.4. Enabling and Disabling SELinux"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"
title="5.5. SELinux Modes"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.4.2. Disabling
SELinux</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p" href="sect-Security-Enha
nced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling
SELinux</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
SELinux</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"
title="5.4. Enabling and Disabling SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"
title="5.4. Enabling and Disabling SELinux"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"
title="5.5. SELinux Modes"/></head><body class=""><p
id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="http://docs.fed
oraproject.org"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling
SELinux</h3></div></div></div><div class="para">
To disable SELinux, configure <code
class="option">SELINUX=disabled</code> in <code
class="filename">/etc/selinux/config</code>:
- </p><pre class="screen"># This file controls the state of
SELinux on the system.
+ </div><pre class="screen"># This file controls the state of
SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
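Review bot: missing documentation in this hunk: the section tells the reader to set `SELINUX=disabled` and reboot with no statement of the consequences. At minimum it should say that while SELinux is disabled new files are created without labels, so a later return to `enforcing` needs a full relabel of the filesystem, and that for troubleshooting the `permissive` value listed in the same config comment ("prints warnings instead of enforcing") is the option to reach for, since it keeps logging denials without blocking access and needs no relabel afterwards.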
@@ -13,8 +13,8 @@
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
-</pre><p>
+</pre><div class="para">
Reboot your system. After reboot, confirm that the <code
class="command">getenforce</code> command returns <code
class="computeroutput">Disabled</code>:
- </p><pre class="screen">$ /usr/sbin/getenforce
+ </div><pre class="screen">$ /usr/sbin/getenforce
Disabled
</pre></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Prev</strong>5.4. Enabling
and Disabling SELinux</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Next</strong>5.5. SELinux
Modes</a></li></ul></body></html>
\ No newline at end of file
Index: sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html 24 Nov
2008 22:43:10 -0000 1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html 24 Jan
2009 03:48:02 -0000 1.2
@@ -1,34 +1,44 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Access: audit2allow</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"
title="7.3.7. sealert Messages"/><link rel="next"
href="chap-Security-Enhanced_Linux-Further_Information.html"
title="Chapter 8. Further Information"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>7.3.8. Allowing Access:
audit2allow</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.ht
ml"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Further_Information.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing
Access: audit2allow</h3></div></div></div><p>
- The example in this section should not be used, as the example denial can be solved
with correct labeling. The example shown is used only to demonstrate the use of <code
class="command">audit2allow</code>.
- </p><p>
- From the <span class="citerefentry"><span
class="refentrytitle">audit2allow</span>(1)</span> manual page:
"<code class="command">audit2allow</code> - generate SELinux
policy allow rules from logs of denied operations"<sup>[<a
id="d0e6386" href="#ftn.d0e6386"
class="footnote">19</a>]</sup>. After analyzing denials as per
<a class="xref"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"
title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>,
and if no label changes or Booleans allowed access, use <code
class="command">audit2allow</code> to create a local policy module.
After access is denied by SELinux, running the <code
class="command">audit2allow</code> command presents Type Enforcement
rules that allow the previously denied access. The following example demonstrates a denial
and the associated system call logged to <code
class="filename">/var/log/audit/audit.log</code>:
- </p><pre class="screen">
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Access: audit2allow</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"
title="7.3.7. sealert Messages"/><link rel="next"
href="chap-Security-Enhanced_Linux-Further_Information.html"
title="Chapter 8. Further Information"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_rig
ht.png" alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Further_Information.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing
Access: audit2allow</h3></div></div></div><div
class="para">
+ Do not use the example in this section in production. It is used only to demonstrate
the use of <code class="command">audit2allow</code>.
+ </div><div class="para">
+ From the <span class="citerefentry"><span
class="refentrytitle">audit2allow</span>(1)</span> manual page:
"<code class="command">audit2allow</code> - generate SELinux
policy allow rules from logs of denied operations"<sup>[<a
id="d0e6493" href="#ftn.d0e6493">19</a>]</sup>. After
analyzing denials as per <a
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"
title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>,
and if no label changes or Booleans allowed access, use <code
class="command">audit2allow</code> to create a local policy module.
After access is denied by SELinux, running the <code
class="command">audit2allow</code> command presents Type Enforcement
rules that allow the previously denied access.
+ </div><div class="para">
+ The following example demonstrates using <code
class="command">audit2allow</code> to create a policy module:
+ </div><div class="orderedlist"><ol><li><div
class="para">
+ A denial and the associated system call are logged to <code
class="filename">/var/log/audit/audit.log</code>:
+ </div><pre class="screen">
type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349
comm="certwatch" name="cache" dev=dm-0 ino=218171
scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13
a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="certwatch" exe="/usr/bin/certwatch"
subj=system_u:system_r:certwatch_t:s0 key=(null)
-</pre><p>
- In this example, <span
class="application"><strong>certwatch</strong></span>
(<code class="computeroutput">comm="certwatch"</code>) was
denied write access (<code class="computeroutput">{ write }</code>)
to a directory labeled with the <code
class="computeroutput">var_t</code> type (<code
class="computeroutput">tcontext=system_u:object_r:var_t:s0</code>).
With such a denial logged, running <code
class="command">audit2allow</code> with the <code
class="option">-w</code> option produces a human-readable description
of why access was denied. The <code
class="command">audit2allow</code> tool accesses <code
class="filename">/var/log/audit/audit.log</code>, and as such, must be
run as the Linux root user:
- </p><pre class="screen">
+</pre><div class="para">
+ In this example, <span><strong
class="application">certwatch</strong></span> (<code
class="computeroutput">comm="certwatch"</code>) was denied
write access (<code class="computeroutput">{ write }</code>) to a
directory labeled with the <code class="computeroutput">var_t</code>
type (<code
class="computeroutput">tcontext=system_u:object_r:var_t:s0</code>).
Analyze the denial as per <a
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"
title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>.
If no label changes or Booleans allowed access, use <code
class="command">audit2allow</code> to create a local policy module.
+ </div></li><li><div class="para">
+ With a denial logged, such as the <code
class="computeroutput">certwatch</code> denial in step 1, run the
<code class="command">audit2allow -w -a</code> command to produce a
human-readable description of why access was denied. The <code
class="option">-a</code> option causes all audit logs to be read. The
<code class="option">-w</code> option produces the human-readable
description. The <code class="command">audit2allow</code> tool
accesses <code class="filename">/var/log/audit/audit.log</code>, and
as such, must be run as the Linux root user:
+ </div><pre class="screen">
# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349
comm="certwatch" name="cache" dev=dm-0 ino=218171
scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
-</pre><p>
- As shown, access was denied due to a missing Type Enforcement rule. Run the <code
class="command">audit2allow -a</code> command to view the Type
Enforcement rule that allows the denied access:
- </p><pre class="screen">
+</pre><div class="para">
+ As shown, access was denied due to a missing Type Enforcement rule.
+ </div></li><li><div class="para">
+ Run the <code class="command">audit2allow -a</code> command
to view the Type Enforcement rule that allows the denied access:
+ </div><pre class="screen">
# audit2allow -a
#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
-</pre><p>
- To use this rule, run the <code class="command">audit2allow -a -M
<em
class="replaceable"><code>mycertwatch</code></em></code>
command as the Linux root user to create custom module. The <code
class="option">-M</code> option creates a Type Enforcement file
(<code class="filename">.te</code>) with the name specified with
<code class="option">-M</code>, in your current working directory:
- </p><pre class="screen">
+</pre><div class="important"><h2>Important</h2><div
class="para">
+ Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and
should be reported in <a
href="https://bugzilla.redhat.com/">Red Hat
Bugzilla</a>. For Fedora, create bugs against the <code
class="computeroutput">Fedora</code> product, and select the <code
class="computeroutput">selinux-policy</code> component. Include the
output of the <code class="command">audit2allow -w -a</code> and
<code class="command">audit2allow -a</code> commands in such bug
reports.
+ </div></div></li><li><div class="para">
+ To use the rule displayed by <code class="command">audit2allow
-a</code>, run the <code class="command">audit2allow -a -M <em
class="replaceable"><code>mycertwatch</code></em></code>
command as the Linux root user to create custom module. The <code
class="option">-M</code> option creates a Type Enforcement file
(<code class="filename">.te</code>) with the name specified with
<code class="option">-M</code>, in your current working directory:
+ </div><pre class="screen">
# audit2allow -a -M mycertwatch
******************** IMPORTANT ***********************
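Review bot: the rewritten warning at the top of the section (`Do not use the example in this section in production.`) drops the reason the old text gave, namely that this particular denial is solved with correct labeling rather than with a new allow rule; that reason is the substance of the warning and should be kept, for example `Do not use the example in this section in production: the example denial can be solved with correct labeling, and it is shown only to demonstrate audit2allow.` Two smaller points in the same hunk: step 1 now ends by repeating the `Analyze the denial as per Section 7.3.7 ... use audit2allow to create a local policy module` guidance that the introductory paragraph already gives a few lines above, so one of the two copies can go; and step 4 still reads `to create custom module` and needs the article (`to create a custom module`).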
@@ -38,20 +48,20 @@
# ls
mycertwatch.pp mycertwatch.te
-</pre><p>
- Also, <code class="command">audit2allow</code> compiles the
Type Enforcement rule into a policy package (<code
class="filename">.pp</code>). To install the module, run the <code
class="command">/usr/sbin/semodule -i <em
class="replaceable"><code>mycertwatch.pp</code></em></code>
command as the Linux root user.
- </p><p>
+</pre><div class="para">
+ Also, <code class="command">audit2allow</code> compiles the
Type Enforcement rule into a policy package (<code
class="filename">.pp</code>). To install the module, run the <code
class="command">/usr/sbin/semodule -i <em
class="replaceable"><code>mycertwatch.pp</code></em></code>
command as the Linux root user.
+ </div><div
class="important"><h2>Important</h2><div
class="para">
+ Modules created with <code
class="command">audit2allow</code> may allow more access than required.
It is recommended that policy created with <code
class="command">audit2allow</code> be posted to an SELinux list, such
as <a
href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list&quo...;,
for review. If you believe their is a bug in policy, create a bug in <a
href="https://bugzilla.redhat.com/">Red Hat Bugzilla</a>.
+ </div></div></li></ol></div><div
class="para">
If you have multiple denials from multiple processes, but only want to create a
custom policy for a single process, use the <code
class="command">grep</code> command to narrow down the input for
<code class="command">audit2allow</code>. The following example
demonstrates using <code class="command">grep</code> to only send
denials related to <code class="command">certwatch</code> through
<code class="command">audit2allow</code>:
- </p><pre class="screen">
+ </div><pre class="screen">
# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2
******************** IMPORTANT ***********************
To make this policy package active, execute:
-# semodule -i mycertwatch2.pp
-</pre><p>
+# /usr/sbin/semodule -i mycertwatch2.pp
+</pre><div class="para">
Refer to Dan Walsh's <a
href="http://danwalsh.livejournal.com/24750.html">"Using audit2allow to
build policy modules. Revisited."</a> blog entry for further information about
using <code class="command">audit2allow</code> to build policy
modules.
- </p><div
class="important"><h2>Important</h2><p>
- Modules created with <code class="command">audit2allow</code>
may allow more access than required. It is recommended that policy created with <code
class="command">audit2allow</code> be posted to an SELinux list, such
as <a
href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list&quo...;,
for review. If you believe their is a bug in policy, create a bug in <a
href="https://bugzilla.redhat.com/">Red Hat Bugzilla</a>.
- </p></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e6386"
href="#d0e6386" class="para">19</a>] </sup>
+ </div><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e6493"
href="#d0e6493">19</a>] </sup>
From the <span class="citerefentry"><span
class="refentrytitle">audit2allow</span>(1)</span> manual page,
as shipped with the <span class="package">policycoreutils</span>
package in Fedora 10.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Prev</strong>7.3.7. sealert
Messages</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Further_Information.html"><strong>Next</strong>Chapter 8. Further
Information</a></li></ul></body></html>
\ No newline at end of file
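Review bot: the replaced line `-# semodule -i mycertwatch2.pp` / `+# /usr/sbin/semodule -i mycertwatch2.pp` sits inside the captured audit2allow output (it directly follows the tool's own `To make this policy package active, execute:` line), so if the path was added by hand rather than re-captured, the screen block no longer reproduces what the tool prints. If the full path is wanted for users without /usr/sbin in their PATH, state it in the surrounding prose, as the `/usr/sbin/semodule -i mycertwatch.pp` sentence earlier in this hunk already does, and leave the transcript verbatim. Also, the Important note that this hunk relocates into the list still carries the typo `If you believe their is a bug in policy`, which should read `there is`; since the text is being moved anyway, this is the place to fix it.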
Index: sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html 24 Nov
2008 22:43:10 -0000 1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html 24 Jan
2009 03:48:02 -0000 1.2
@@ -1,16 +1,16 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Pages for Services</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"
title="7.3.2. Possible Causes of Silent Denials"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"
title="7.3.4. Permissive Domains"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>7.3.3. Manual Pages for
Services</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linu
x-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual
Pages for Services</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Pages for Services</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"
title="7.3.2. Possible Causes of Silent Denials"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"
title="7.3.4. Permissive Domains"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><
img src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual
Pages for Services</h3></div></div></div><div
class="para">
Manual pages for services contain valuable information, such as what file type to use
for a given situation, and Booleans to change the access a service has (such as <code
class="systemitem">httpd</code> accessing NFS file systems). This
information may be in the standard manual page, or a manual page with <code
class="computeroutput">selinux</code> prepended or appended.
- </p><p>
+ </div><div class="para">
For example, the <span class="citerefentry"><span
class="refentrytitle">httpd_selinux</span>(8)</span> manual page
has information about what file type to use for a given situation, as well as Booleans to
allow scripts, sharing files, accessing directories inside user home directories, and so
on. Other manual pages with SELinux information for services include:
- </p><div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
Samba: the <span class="citerefentry"><span
class="refentrytitle">samba_selinux</span>(8)</span> manual page
describes that files and directories to be exported via Samba must be labeled with the
<code class="computeroutput">samba_share_t</code> type, as well as
Booleans to allow files labeled with types other than <code
class="computeroutput">samba_share_t</code> to be exported via Samba.
- </p></li><li><p>
+ </div></li><li><div class="para">
NFS: the <span class="citerefentry"><span
class="refentrytitle">nfs_selinux</span>(8)</span> manual page
describes that, by default, file systems can not be exported via NFS, and that to allow
file systems to be exported, Booleans such as <code
class="computeroutput">nfs_export_all_ro</code> or <code
class="computeroutput">nfs_export_all_rw</code> must be turned on.
- </p></li><li><p>
+ </div></li><li><div class="para">
Berkeley Internet Name Domain (BIND): the <span
class="citerefentry"><span
class="refentrytitle">named</span>(8)</span> manual page
describes what file type to use for a given situation (see the <code
class="computeroutput">Red Hat SELinux BIND Security Profile</code>
section). The <span class="citerefentry"><span
class="refentrytitle">named_selinux</span>(8)</span> manual page
describes that, by default, <code class="systemitem">named</code>
can not write to master zone files, and to allow such access, the <code
class="computeroutput">named_write_master_zones</code> Boolean must be
turned on.
- </p></li></ul></div><p>
+ </div></li></ul></div><div class="para">
The information in manual pages helps you configure the correct file types and
Booleans, helping to prevent SELinux from denying access.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Prev</strong>7.3.2. Possible
Causes of Silent Denials</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"><strong>Next</strong>7.3.4. Permissive
Domains</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Prev</strong>7.3.2. Possible
Causes of Silent Denials</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"><strong>Next</strong>7.3.4. Permissive
Domains</a></li></ul></body></html>
\ No newline at end of file
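Review bot: the `<p>` to `<div class="para">` conversion is applied consistently through this hunk, but the new `<body class="">` carries an empty class attribute that does nothing and should be dropped or given a value. While this file is being touched, the unchanged `can not` in the NFS and BIND items (`file systems can not be exported via NFS`, `named can not write to master zone files`) should be `cannot`.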
Index: sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html 24 Nov 2008
22:43:11 -0000 1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html 24 Jan 2009
03:48:02 -0000 1.2
@@ -1,35 +1,35 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Domains</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"
title="7.3.3. Manual Pages for Services"/><link rel="next"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"
title="7.3.4.2. Denials for Permissive
Domains"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>7.3.4. Permissive
Domains</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux
-Fixing_Problems-Manual_Pages_for_Services.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive
Domains</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Domains</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"
title="7.3.3. Manual Pages for Services"/><link rel="next"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"
title="7.3.4.2. Denials for Permissive Domains"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.
org"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive
Domains</h3></div></div></div><div class="para">
When SELinux is running in permissive mode, SELinux does not deny access, but denials
are logged for actions that would have been denied if running in enforcing mode.
Previously, it was not possible to make a single domain permissive (remember: processes
run in domains). In certain situations, this led to making the whole system permissive to
troubleshoot issues.
- </p><p>
+ </div><div class="para">
Fedora 10 introduces permissive domains, where an administrator can configure a
single process (domain) to run permissive, rather than making the whole system permissive.
SELinux checks are still performed for permissive domains; however, the kernel allows
access and reports an AVC denial for situations where SELinux would have denied access.
Permissive domains are also available in Fedora 9 (with the latest updates applied).
- </p><p>
+ </div><div class="para">
In Red Hat Enterprise Linux 4 and 5, <code
class="computeroutput"><em
class="replaceable"><code>domain</code></em>_disable_trans</code>
Booleans are available to prevent an application from transitioning to a confined domain,
and therefore, the process runs in an unconfined domain, such as <code
class="computeroutput">initrc_t</code>. Turning such Booleans on can
cause major problems. For example, if the <code
class="computeroutput">httpd_disable_trans</code> Boolean is turned
on:
- </p><div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
<code class="systemitem">httpd</code> runs in the unconfined
<code class="computeroutput">initrc_t</code> domain. Files created
by processes running in the <code
class="computeroutput">initrc_t</code> domain may not have the same
labeling rules applied as files created by a process running in the <code
class="computeroutput">httpd_t</code> domain, potentially allowing
processes to create mislabeled files. This causes access problems later on.
- </p></li><li><p>
+ </div></li><li><div class="para">
confined domains that are allowed to communicate with <code
class="computeroutput">httpd_t</code> can not communicate with <code
class="computeroutput">initrc_t</code>, possibly causing additional
failures.
- </p></li></ul></div><p>
+ </div></li></ul></div><div class="para">
The <code class="computeroutput"><em
class="replaceable"><code>domain</code></em>_disable_trans</code>
Booleans were removed from Fedora 7, even though there was no replacement. Permissive
domains solve the above issues: transition rules apply, and files are created with the
correct labels.
- </p><p>
+ </div><div class="para">
Permissive domains can be used for:
- </p><div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
making a single process (domain) run permissive to troubleshoot an issue, rather
than putting the entire system at risk by making the entire system permissive.
- </p></li><li><p>
+ </div></li><li><div class="para">
creating policies for new applications. Previously, it was recommended that a
minimal policy be created, and then the entire machine put into permissive mode, so that
the application could run, but SELinux denials still logged. <code
class="command">audit2allow</code> could then be used to help write the
policy. This put the whole system at risk. With permissive domains, only the domain in the
new policy can be marked permissive, without putting the whole system at risk.
- </p></li></ul></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security-Enhanced_Linux-Permissive_Domains-Making_a_Domain_Permissive">7.3.4.1. Making
a Domain Permissive</h4></div></div></div><p>
+ </div></li></ul></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security-Enhanced_Linux-Permissive_Domains-Making_a_Domain_Permissive">7.3.4.1. Making
a Domain Permissive</h4></div></div></div><div
class="para">
To make a domain permissive, run the <code class="command">semanage
permissive -a <em
class="replaceable"><code>domain</code></em></code>
command, where <em
class="replaceable"><code>domain</code></em> is the domain
you want to make permissive. For example, run the following command as the Linux root user
to make the <code class="computeroutput">httpd_t</code> domain (the
domain the Apache HTTP Server runs in) permissive:
- </p><p>
+ </div><div class="para">
<code class="command">/usr/sbin/semanage permissive -a
httpd_t</code>
- </p><p>
+ </div><div class="para">
To view a list of domains you have made permissive, run the <code
class="command">semodule -l | grep permissive</code> command as the
Linux root user. For example:
- </p><pre class="screen">
+ </div><pre class="screen">
# /usr/sbin/semodule -l | grep permissive
permissive_httpd_t 1.0
-</pre><p>
+</pre><div class="para">
If you no longer want a domain to be permissive, run the <code
class="command">semanage permissive -d <em
class="replaceable"><code>domain</code></em></code>
command as the Linux root user. For example:
- </p><p>
+ </div><div class="para">
<code class="command">/usr/sbin/semanage permissive -d
httpd_t</code>
- </p></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"><strong>Prev</strong>7.3.3. Manual
Pages for Services</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"><strong>Next</strong>7.3.4.2. Denials
for Permissive Domains</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"><strong>Prev</strong>7.3.3. Manual
Pages for Services</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"><strong>Next</strong>7.3.4.2. Denials
for Permissive Domains</a></li></ul></body></html>
\ No newline at end of file
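Review bot: the two semanage commands in 7.3.4.1 (`/usr/sbin/semanage permissive -a httpd_t` and `/usr/sbin/semanage permissive -d httpd_t`) are set as inline `<code class="command">` inside their own `<div class="para">`, while the neighbouring `semodule -l | grep permissive` example is a `<pre class="screen">` block with a root `#` prompt. Since this hunk rewrites every one of those paragraphs, this is the moment to make the three consistent (a screen block with the root prompt for each). Two unchanged lines also deserve a fix in passing: `can not communicate with initrc_t` should read `cannot`, and `<body class="">` is an empty attribute that does nothing.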
Index:
sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html 24
Nov 2008 22:43:11 -0000 1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,25 +1,25 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Causes of Silent Denials</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"
title="7.3.3. Manual Pages for Services"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>7.3.2. Possible Causes of
Silent Denials</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Troubl
eshooting-Fixing_Problems.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials">7.3.2. Possible
Causes of Silent Denials</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Causes of Silent Denials</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"
title="7.3.3. Manual Pages for Services"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img src="Common_
Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials">7.3.2. Possible
Causes of Silent Denials</h3></div></div></div><div
class="para">
In certain situations, AVC denials may not be logged when SELinux denies access.
Applications and system library functions often probe for more access than required to
perform their tasks. To maintain least privilege without filling audit logs with AVC
denials for harmless application probing, the policy can silence AVC denials without
allowing a permission by using <code
class="computeroutput">dontaudit</code> rules. These rules are common
in standard policy. The downside of <code
class="computeroutput">dontaudit</code> is that, although SELinux
denies access, denial messages are not logged, making troubleshooting hard.
- </p><p>
+ </div><div class="para">
To temporarily disable <code
class="computeroutput">dontaudit</code> rules, allowing all denials to
be logged, run the following command as the Linux root user:
- </p><p>
+ </div><div class="para">
<code class="command">/usr/sbin/semodule -DB</code>
- </p><p>
+ </div><div class="para">
The <code class="option">-D</code> option disables <code
class="computeroutput">dontaudit</code> rules; the <code
class="option">-B</code> option rebuilds policy. After running <code
class="command">semodule -DB</code>, try exercising the application
that was encountering permission problems, and see if SELinux denials — relevant to the
application — are now being logged. Take care in deciding which denials should be allowed,
as some should be ignored and handled via <code
class="computeroutput">dontaudit</code> rules. If in doubt, or in
search of guidance, contact other SELinux users and developers on an SELinux list, such as
<a
href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list&quo...;.
- </p><p>
+ </div><div class="para">
To rebuild policy and enable <code
class="computeroutput">dontaudit</code> rules, run the following
command as the Linux root user:
- </p><p>
+ </div><div class="para">
<code class="command">/usr/sbin/semodule -B</code>
- </p><p>
+ </div><div class="para">
This restores the policy to its original state. For a full list of <code
class="computeroutput">dontaudit</code> rules, run the <code
class="command">sesearch --dontaudit</code> command. Narrow down
searches using the <code class="option">-s <em
class="replaceable"><code>domain</code></em></code>
option and the <code class="command">grep</code> command. For
example:
- </p><pre class="screen">
+ </div><pre class="screen">
$ sesearch --dontaudit -s smbd_t | grep squid
WARNING: This policy contained disabled aliases; they have been removed.
dontaudit smbd_t squid_port_t : tcp_socket name_bind ;
dontaudit smbd_t squid_port_t : udp_socket name_bind ;
-</pre><p>
- Refer to <a class="xref"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"
title="7.3.6. Raw Audit Messages">Section 7.3.6, “Raw Audit
Messages”</a> and <a class="xref"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"
title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>
for information about analyzing denials.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Prev</strong>7.3. Fixing
Problems</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"><strong>Next</strong>7.3.3. Manual
Pages for Services</a></li></ul></body></html>
\ No newline at end of file
+</pre><div class="para">
+ Refer to <a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"
title="7.3.6. Raw Audit Messages">Section 7.3.6, “Raw Audit
Messages”</a> and <a
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"
title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>
for information about analyzing denials.
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Prev</strong>7.3. Fixing
Problems</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html"><strong>Next</strong>7.3.3. Manual
Pages for Services</a></li></ul></body></html>
\ No newline at end of file
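Review bot: the `+` cross-reference lines (`Refer to <a href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"` and the `sealert_Messages.html` link) drop the `class="xref"` that both `<a>` elements carried on the `-` side; if `Common_Content/css/default.css` styles cross-references by that class the links lose their styling, so confirm the regenerated stylesheet no longer needs it. The rest of the hunk is the `<p>` to `<div class="para">` conversion, the package bump from `1.0-1` to `1.1-1`, and the new product/documentation banner images in the title paragraph; the `semodule -DB` / `semodule -B` instructions and the `sesearch --dontaudit -s smbd_t | grep squid` screen block are unchanged.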
Index: sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html 24 Nov 2008
22:43:11 -0000 1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html 24 Jan 2009
03:48:02 -0000 1.2
@@ -1,30 +1,30 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Audit Messages</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"
title="7.3.5. Searching For and Viewing Denials"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"
title="7.3.7. sealert Messages"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>7.3.6. Raw Audit
Messages</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-
Searching_For_and_Viewing_Denials.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw
Audit Messages</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Audit Messages</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"
title="7.3.5. Searching For and Viewing Denials"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"
title="7.3.7. sealert Messages"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img src="Co
mmon_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw
Audit Messages</h3></div></div></div><div
class="para">
Raw audit messages are logged to <code
class="filename">/var/log/audit/audit.log</code>. The following is an
example AVC denial (and the associated system call) that occurred when the Apache HTTP
Server (running in the <code class="computeroutput">httpd_t</code>
domain) attempted to access the <code
class="filename">/var/www/html/file1</code> file (labeled with the
<code class="computeroutput">samba_share_t</code> type):
- </p><pre class="screen">
+ </div><pre class="screen">
type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465
comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133
scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0
tclass=file
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6
comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
-</pre><div class="variablelist"><dl><dt><span
class="term"><em class="replaceable"><code>{ getattr
}</code></em></span></dt><dd><p>
+</pre><div class="variablelist"><dl><dt><span
class="term"><em class="replaceable"><code>{ getattr
}</code></em></span></dt><dd><div
class="para">
The item in braces indicates the permission that was denied. <code
class="computeroutput">getattr</code> indicates the source process was
trying to read the target file's status information. This occurs before reading files.
This action is denied due to the file being accessed having the wrong label. Commonly seen
permissions include <code class="computeroutput">getattr</code>,
<code class="computeroutput">read</code>, and <code
class="computeroutput">write</code>.
- </p></dd><dt><span class="term">comm="<em
class="replaceable"><code>httpd</code></em>"</span></dt><dd><p>
+ </div></dd><dt><span
class="term">comm="<em
class="replaceable"><code>httpd</code></em>"</span></dt><dd><div
class="para">
The executable that launched the process. The full path of the executable is found
in the <code class="computeroutput">exe=</code> section of the
system call (<code class="computeroutput">SYSCALL</code>) message,
which in this case, is <code
class="computeroutput">exe="/usr/sbin/httpd"</code>.
- </p></dd><dt><span class="term">path="<em
class="replaceable"><code>/var/www/html/file1</code></em>"</span></dt><dd><p>
- The path to the object (target) that the process attempted to access.
- </p></dd><dt><span
class="term">scontext="<em
class="replaceable"><code>unconfined_u:system_r:httpd_t:s0</code></em>"</span></dt><dd><p>
+ </div></dd><dt><span
class="term">path="<em
class="replaceable"><code>/var/www/html/file1</code></em>"</span></dt><dd><div
class="para">
+ The path to the object (target) the process attempted to access.
+ </div></dd><dt><span
class="term">scontext="<em
class="replaceable"><code>unconfined_u:system_r:httpd_t:s0</code></em>"</span></dt><dd><div
class="para">
The SELinux context of the process that attempted the denied action. In this case,
it is the SELinux context of the Apache HTTP Server, which is running in the <code
class="computeroutput">httpd_t</code> domain.
- </p></dd><dt><span
class="term">tcontext="<em
class="replaceable"><code>unconfined_u:object_r:samba_share_t:s0</code></em>"</span></dt><dd><p>
- The SELinux context of the object (target) that the process attempted to access.
In this case, it is the SELinux context of <code
class="filename">file1</code>. Note: the <code
class="computeroutput">samba_share_t</code> type is not accessible to
processes running in the <code class="computeroutput">httpd_t</code>
domain.
- </p><p>
+ </div></dd><dt><span
class="term">tcontext="<em
class="replaceable"><code>unconfined_u:object_r:samba_share_t:s0</code></em>"</span></dt><dd><div
class="para">
+ The SELinux context of the object (target) the process attempted to access. In
this case, it is the SELinux context of <code
class="filename">file1</code>. Note: the <code
class="computeroutput">samba_share_t</code> type is not accessible to
processes running in the <code class="computeroutput">httpd_t</code>
domain.
+ </div><div class="para">
In certain situations, the <code
class="computeroutput">tcontext</code> may match the <code
class="computeroutput">scontext</code>, for example, when a process
attempts to execute a system service that will change characteristics of that running
process, such as the user ID. Also, the <code
class="computeroutput">tcontext</code> may match the <code
class="computeroutput">scontext</code> when a process tries to use more
resources (such as memory) than normal limits allow, resulting in a security check to see
if that process is allowed to break those limits.
- </p></dd></dl></div><p>
+ </div></dd></dl></div><div class="para">
From the system call (<code
class="computeroutput">SYSCALL</code>) message, two items are of
interest:
- </p><div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
<code class="computeroutput">success=<em
class="replaceable"><code>no</code></em></code>:
indicates whether the denial (AVC) was enforced or not. <code
class="computeroutput">success=no</code> indicates the system call was
not successful (SELinux denied access). <code
class="computeroutput">success=yes</code> indicates the system call was
successful - this can be seen for permissive domains or unconfined domains, such as
<code class="computeroutput">initrc_t</code> and <code
class="computeroutput">kernel_t</code>.
- </p></li><li><p>
+ </div></li><li><div class="para">
<code class="computeroutput">exe="<em
class="replaceable"><code>/usr/sbin/httpd</code></em>"</code>:
the full path to the executable that launched the process, which in this case, is <code
class="computeroutput">exe="/usr/sbin/httpd"</code>.
- </p></li></ul></div><p>
+ </div></li></ul></div><div class="para">
An incorrect file type is a common cause for SELinux denying access. To start
troubleshooting, compare the source context (<code
class="computeroutput">scontext</code>) with the target context
(<code class="computeroutput">tcontext</code>). Should the process
(<code class="computeroutput">scontext</code>) be accessing such an
object (<code class="computeroutput">tcontext</code>)? For example,
the Apache HTTP Server (<code class="computeroutput">httpd_t</code>)
should only be accessing types specified in the <span
class="citerefentry"><span
class="refentrytitle">httpd_selinux</span>(8)</span> manual page,
such as <code class="computeroutput">httpd_sys_content_t</code>,
<code class="computeroutput">public_content_t</code>, and so on,
unless configured otherwise.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Prev</strong>7.3.5. Searching
For and Viewing Denials</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Next</strong>7.3.7. sealert
Messages</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Prev</strong>7.3.5. Searching
For and Viewing Denials</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Next</strong>7.3.7. sealert
Messages</a></li></ul></body></html>
\ No newline at end of file
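Review bot: in the `{ getattr }` entry the sentence `This action is denied due to the file being accessed having the wrong label.` is carried over unchanged and reads as a general rule, but it only holds for this example (`httpd_t` reading a `samba_share_t` file); a `getattr` denial can just as well come from a correctly labeled file the domain is simply not allowed to touch, so suggest `In this example, the action is denied because the file has the wrong label.` The only wording change in the hunk is `that the process attempted to access` becoming `the process attempted to access` in the `path=` and `tcontext=` entries; the rest converts `<p>` to `<div class="para">`, bumps the package to `1.1-1`, and adds the banner images, while the AVC/SYSCALL sample and the `success=no` / `exe=` explanations are untouched.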
Index:
sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html 24
Nov 2008 22:43:11 -0000 1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,21 +1,21 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
For and Viewing Denials</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"
title="7.3.4.2. Denials for Permissive Domains"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"
title="7.3.6. Raw Audit Messages"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>7.3.5. Searching For and
Viewing Denials</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p" href="sect-Securit
y-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching
For and Viewing Denials</h3></div></div></div><p>
- This section assumes the <span
class="package">setroubleshoot</span>, <span
class="package">setroubleshoot-server</span>, and <span
class="package">audit</span> packages are installed, and that the
<code class="systemitem">auditd</code>, <code
class="systemitem">rsyslogd</code>, and <code
class="systemitem">setroubleshootd</code> daemons are running. Refer to
<a class="xref"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"
title="5.2. Which Log File is Used">Section 5.2, “Which Log File is
Used”</a> for information about starting these daemons. A number of tools are
available for searching for and viewing SELinux denials, such as <code
class="command">ausearch</code>, <code
class="command">aureport</code>, and <code
class="command">sealert</code>.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-ausearch">ausearch</h5>
- The <span class="package">audit</span> package provides
<code class="command">ausearch</code>. From the <span
class="citerefentry"><span
class="refentrytitle">ausearch</span>(8)</span> manual page:
"<code class="command">ausearch</code> is a tool that can query
the audit daemon logs based for events based on different search
criteria"<sup>[<a id="d0e5841" href="#ftn.d0e5841"
class="footnote">16</a>]</sup>. The <code
class="command">ausearch</code> tool accesses <code
class="filename">/var/log/audit/audit.log</code>, and as such, must be
run as the Linux root user:
- <div class="segmentedlist"><table
border="0"><thead><tr
class="segtitle"><th>Searching
For</th><th>Command</th></tr></thead><tbody><tr
class="seglistitem"><td class="seg">all
denials</td><td class="seg"><code
class="command">/sbin/ausearch -m
avc</code></td></tr><tr class="seglistitem"><td
class="seg">denials for that today</td><td
class="seg"><code class="command">/sbin/ausearch -m avc -ts
today</code></td></tr><tr class="seglistitem"><td
class="seg">denials from the last 10 minutes</td><td
class="seg"><code class="command">/sbin/ausearch -m avc -ts
recent</code></td></tr></tbody></table></div><p>
- To search for SELinux denials for a particular service, use the <code
class="option">-c <em
class="replaceable"><code>comm-name</code></em></code>
option, where <em
class="replaceable"><code>comm-name</code></em> "is
the executable’s name"<sup>[<a id="d0e5893"
href="#ftn.d0e5893" class="footnote">17</a>]</sup>, for
example, <code class="systemitem">httpd</code> for the Apache HTTP
Server, and <code class="systemitem">smbd</code> for Samba:
- </p><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
For and Viewing Denials</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"
title="7.3.4.2. Denials for Permissive Domains"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"
title="7.3.6. Raw Audit Messages"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject
.org"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching
For and Viewing Denials</h3></div></div></div><div
class="para">
+ This section assumes the <span
class="package">setroubleshoot</span>, <span
class="package">setroubleshoot-server</span>, and <span
class="package">audit</span> packages are installed, and that the
<code class="systemitem">auditd</code>, <code
class="systemitem">rsyslogd</code>, and <code
class="systemitem">setroubleshootd</code> daemons are running. Refer to
<a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"
title="5.2. Which Log File is Used">Section 5.2, “Which Log File is
Used”</a> for information about starting these daemons. A number of tools are
available for searching for and viewing SELinux denials, such as <code
class="command">ausearch</code>, <code
class="command">aureport</code>, and <code
class="command">sealert</code>.
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-ausearch">ausearch</h5>
+ The <span class="package">audit</span> package provides
<code class="command">ausearch</code>. From the <span
class="citerefentry"><span
class="refentrytitle">ausearch</span>(8)</span> manual page:
"<code class="command">ausearch</code> is a tool that can query
the audit daemon logs based for events based on different search
criteria"<sup>[<a id="d0e5939"
href="#ftn.d0e5939">16</a>]</sup>. The <code
class="command">ausearch</code> tool accesses <code
class="filename">/var/log/audit/audit.log</code>, and as such, must be
run as the Linux root user:
+ </div><div class="segmentedlist"><table
border="0"><thead><tr
class="segtitle"><th>Searching
For</th><th>Command</th></tr></thead><tbody><tr
class="seglistitem"><td class="seg">all
denials</td><td class="seg"><code
class="command">/sbin/ausearch -m
avc</code></td></tr><tr class="seglistitem"><td
class="seg">denials for that today</td><td
class="seg"><code class="command">/sbin/ausearch -m avc -ts
today</code></td></tr><tr class="seglistitem"><td
class="seg">denials from the last 10 minutes</td><td
class="seg"><code class="command">/sbin/ausearch -m avc -ts
recent</code></td></tr></tbody></table></div><div
class="para">
+ To search for SELinux denials for a particular service, use the <code
class="option">-c <em
class="replaceable"><code>comm-name</code></em></code>
option, where <em
class="replaceable"><code>comm-name</code></em> "is
the executable’s name"<sup>[<a id="d0e5991"
href="#ftn.d0e5991">17</a>]</sup>, for example, <code
class="systemitem">httpd</code> for the Apache HTTP Server, and
<code class="systemitem">smbd</code> for Samba:
+ </div><div class="para">
<code class="command">/sbin/ausearch -m avc -c httpd</code>
- </p><p>
+ </div><div class="para">
<code class="command">/sbin/ausearch -m avc -c smbd</code>
- </p><p>
+ </div><div class="para">
Refer to the <span class="citerefentry"><span
class="refentrytitle">ausearch</span>(8)</span> manual page for
further <code class="command">ausearch</code> options.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-aureport">aureport</h5>
- The <span class="package">audit</span> package provides
<code class="command">aureport</code>. From the <span
class="citerefentry"><span
class="refentrytitle">aureport</span>(8)</span> manual page:
"<code class="command">aureport</code> is a tool that produces
summary reports of the audit system logs"<sup>[<a id="d0e5953"
href="#ftn.d0e5953" class="footnote">18</a>]</sup>. The
<code class="command">aureport</code> tool accesses <code
class="filename">/var/log/audit/audit.log</code>, and as such, must be
run as the Linux root user. To view a list of SELinux denials and how often each one
occurred, run the <code class="command">aureport -a</code> command.
The following is example output that includes two denials:
- <pre class="screen">
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-aureport">aureport</h5>
+ The <span class="package">audit</span> package provides
<code class="command">aureport</code>. From the <span
class="citerefentry"><span
class="refentrytitle">aureport</span>(8)</span> manual page:
"<code class="command">aureport</code> is a tool that produces
summary reports of the audit system logs"<sup>[<a id="d0e6051"
href="#ftn.d0e6051">18</a>]</sup>. The <code
class="command">aureport</code> tool accesses <code
class="filename">/var/log/audit/audit.log</code>, and as such, must be
run as the Linux root user. To view a list of SELinux denials and how often each one
occurred, run the <code class="command">aureport -a</code> command.
The following is example output that includes two denials:
+ </div><pre class="screen">
# /sbin/aureport -a
AVC Report
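Review bot: the segmentedlist row `denials for that today` (the `/sbin/ausearch -m avc -ts today` entry) is a typo preserved on both the `-` and `+` sides; since this hunk already rewrites the surrounding markup, fix it to `denials from today` in the same change. Also, the footnote anchors lose `class="footnote"` and their generated ids move from `d0e5841`/`d0e5893` to `d0e5939`/`d0e5991`, so confirm the matching `ftn.d0e5939` and `ftn.d0e5991` targets exist further down in the regenerated file or the footnote links break. Otherwise the hunk wraps each `<h5 class="formalpara">` heading in a `<div class="formalpara">`, converts `<p>` to `<div class="para">`, and bumps the package to `1.1-1`; the ausearch invocations (`-m avc`, `-ts today`, `-ts recent`, `-c httpd`, `-c smbd`) and the `aureport -a` lead-in are unchanged.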
@@ -24,28 +24,28 @@
========================================================
1. 11/01/2008 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr
system_u:object_r:samba_share_t:s0 denied 2
2. 11/03/2008 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read
unconfined_u:object_r:cifs_t:s0 denied 4
-</pre><p>
+</pre><div class="para">
Refer to the <span class="citerefentry"><span
class="refentrytitle">aureport</span>(8)</span> manual page for
further <code class="command">aureport</code> options.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-sealert">sealert</h5>
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-sealert">sealert</h5>
The <span class="package">setroubleshoot-server</span> package
provides <code class="command">sealert</code>, which reads denial
messages translated by <span
class="package">setroubleshoot-server</span>. Denials are assigned IDs,
as seen in <code class="filename">/var/log/messages</code>. The
following is an example denial from <code
class="filename">messages</code>:
- <pre class="screen">
+ </div><pre class="screen">
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to
/var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l
84e0b04d-d0ad-4347-8317-22e74f6cd020
-</pre><p>
+</pre><div class="para">
In this example, the denial ID is <code
class="computeroutput">84e0b04d-d0ad-4347-8317-22e74f6cd020</code>. The
<code class="option">-l</code> option takes an ID as an argument.
Running the <code class="command">sealert -l
84e0b04d-d0ad-4347-8317-22e74f6cd020</code> command presents a detailed analysis of
why SELinux denied access, and a possible solution for allowing access.
- </p><p>
- If you are running the X Window System, have the <span
class="package">setroubleshoot</span> and <span
class="package">setroubleshoot-server</span> packages installed, and
the <code class="systemitem">setroubleshootd</code> daemon running,
a yellow star and a warning are displayed when access is denied by SELinux. Clicking on
the star launches the <code class="command">sealert</code> GUI, and
displays denials in HTML output:
- </p><div class="mediaobject"><img
src="./images/sealert_gui.png"/></div><div
class="itemizedlist"><ul><li><p>
+ </div><div class="para">
+ If you are running the X Window System, have the <span
class="package">setroubleshoot</span> and <span
class="package">setroubleshoot-server</span> packages installed, and
the <code class="systemitem">setroubleshootd</code> and <code
class="systemitem">auditd</code> daemons are running, a yellow star and
a warning are displayed when access is denied by SELinux. Clicking on the star launches
the <code class="command">sealert</code> GUI, and displays denials
in HTML output:
+ </div><div class="mediaobject"><img
src="./images/sealert_gui.png"/></div><div
class="itemizedlist"><ul><li><div class="para">
Run the <code class="command">sealert -b</code> command to
launch the <code class="command">sealert</code> GUI.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">sealert -l \*</code> command to
view a detailed analysis of all denials.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code class="command">sealert -a
/var/log/audit/audit.log -H > audit.html</code> command to create a HTML
version of the <code class="command">sealert</code> analysis, as
seen with the <code class="command">sealert</code> GUI.
- </p></li></ul></div><p>
+ </div></li></ul></div><div class="para">
Refer to the <span class="citerefentry"><span
class="refentrytitle">sealert</span>(8)</span> manual page for
further <code class="command">sealert</code> options.
- </p><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e5841"
href="#d0e5841" class="para">16</a>] </sup>
+ </div><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e5939"
href="#d0e5939">16</a>] </sup>
From the <span class="citerefentry"><span
class="refentrytitle">ausearch</span>(8)</span> manual page, as
shipped with the <span class="package">audit</span> package in
Fedora 10.
- </p></div><div
class="footnote"><p><sup>[<a id="ftn.d0e5893"
href="#d0e5893" class="para">17</a>] </sup>
+ </p></div><div
class="footnote"><p><sup>[<a id="ftn.d0e5991"
href="#d0e5991">17</a>] </sup>
From the <span class="citerefentry"><span
class="refentrytitle">ausearch</span>(8)</span> manual page, as
shipped with the <span class="package">audit</span> package in
Fedora 10.
- </p></div><div
class="footnote"><p><sup>[<a id="ftn.d0e5953"
href="#d0e5953" class="para">18</a>] </sup>
+ </p></div><div
class="footnote"><p><sup>[<a id="ftn.d0e6051"
href="#d0e6051">18</a>] </sup>
From the <span class="citerefentry"><span
class="refentrytitle">aureport</span>(8)</span> manual page, as
shipped with the <span class="package">audit</span> package in
Fedora 10.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"><strong>Prev</strong>7.3.4.2. Denials
for Permissive Domains</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Next</strong>7.3.6. Raw
Audit Messages</a></li></ul></body></html>
\ No newline at end of file
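Review bot: the precondition added in the GUI paragraph ("the setroubleshootd and auditd daemons are running") is not specific to the yellow-star notifier; it applies to every sealert invocation in this section, because sealert -l looks up IDs that setroubleshoot-server assigned when it translated the denial (per the opening sealert paragraph, "Denials are assigned IDs, as seen in /var/log/messages"). With either daemon stopped the ID is never created and sealert -l has nothing to show, so move that sentence up to the opening sealert paragraph or repeat it beside the sealert -l bullet. Minor: "to create a HTML version" should read "an HTML version", and the root requirement on the -a/-H bullet comes from reading /var/log/audit/audit.log, the same reason given for aureport above; say it the same way in both places.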
Index: sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html 24 Nov 2008
22:43:11 -0000 1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html 24 Jan 2009
03:48:02 -0000 1.2
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Messages</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"
title="7.3.6. Raw Audit Messages"/><link rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"
title="7.3.8. Allowing Access: audit2allow"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>7.3.7. sealert
Messages</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_M
essages.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert
Messages</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Messages</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"
title="7.3.6. Raw Audit Messages"/><link rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"
title="7.3.8. Allowing Access: audit2allow"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img src="Common_Cont
ent/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert
Messages</h3></div></div></div><div class="para">
Denials are assigned IDs, as seen in <code
class="filename">/var/log/messages</code>. The following is an example
AVC denial (logged to <code class="filename">messages</code>) that
occurred when the Apache HTTP Server (running in the <code
class="computeroutput">httpd_t</code> domain) attempted to access the
<code class="filename">/var/www/html/file1</code> file (labeled with
the <code class="computeroutput">samba_share_t</code> type):
- </p><pre class="screen">
+ </div><pre class="screen">
<em class="replaceable"><code>hostname</code></em>
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to
/var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l
84e0b04d-d0ad-4347-8317-22e74f6cd020
-</pre><p>
+</pre><div class="para">
As suggested, run the <code class="command">sealert -l
84e0b04d-d0ad-4347-8317-22e74f6cd020</code> command to view the complete message.
This command only works on the local machine, and presents the same information as the
<code class="command">sealert</code> GUI:
- </p><pre class="screen">
+ </div><pre class="screen">
$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
Summary:
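Review bot: the replaceable hostname prefix added before "setroubleshoot: SELinux is preventing httpd (httpd_t)" makes the quote look like a verbatim /var/log/messages entry, but such entries also carry a date/time before the hostname, and the same message is quoted with no prefix at all on the Searching_For_and_Viewing_Denials page in this commit. Either add a replaceable for the timestamp as well, or drop the hostname and quote only the message body, so the two pages agree. The "For complete SELinux messages. run sealert -l" punctuation is the tool's own output and should stay as quoted.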
@@ -49,8 +49,8 @@
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name public_content
-Host Name rawhide
-Platform Linux rawhide 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct
+Host Name <em
class="replaceable"><code>hostname</code></em>
+Platform <em class="replaceable"><code>Linux
hostname 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct</code></em>
30 00:49:42 EDT 2008 i686 i686
Alert Count 4
First Seen Wed Nov 5 18:53:05 2008
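Review bot: the replaceable span on the Platform line stops at "Thu Oct" and leaves the continuation "30 00:49:42 EDT 2008 i686 i686" as literal text, so half of one uname string is marked host-specific and the other half is not. Either wrap the entire Platform value (both lines) in the replaceable, or, as on the Host Name line directly above, wrap only the hostname token and leave the kernel/build string as literal example output.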
@@ -63,16 +63,16 @@
node=<em class="replaceable"><code>hostname</code></em>
type=AVC msg=audit(1225812178.788:101): avc: denied { getattr } for pid=2441
comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916
scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0
tclass=file
node=<em class="replaceable"><code>hostname</code></em>
type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13
a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3
comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
-</pre><div class="variablelist"><dl><dt><span
class="term">Summary</span></dt><dd><p>
+</pre><div class="variablelist"><dl><dt><span
class="term">Summary</span></dt><dd><div
class="para">
A brief summary of the denied action. This is the same as the denial in <code
class="filename">/var/log/messages</code>. In this example, the
<code class="systemitem">httpd</code> process was denied access to a
file (<code class="filename">file1</code>), which is labeled with
the <code class="computeroutput">samba_share_t</code> type.
- </p></dd><dt><span class="term">Detailed
Description</span></dt><dd><p>
- A more verbose description. In this example, <code
class="filename">file1</code> is labeled with the <code
class="computeroutput">samba_share_t</code>. This type is used for
files and directories that you want to export via Samba. The description suggests changing
the type to a type that can be accessed by the Apache HTTP Server and Samba, if such
access is desired.
- </p></dd><dt><span class="term">Allowing
Access</span></dt><dd><p>
- A suggestion for how to allow access. This may be relabeling files, turning a
Boolean on, or making a local policy module. In this case, the suggestion is to label the
file with a type accessable to both the Apache HTTP Server and Samba.
- </p></dd><dt><span class="term">Fix
Command</span></dt><dd><p>
- A suggested command to allow access and resolve the denial. In this example, it
gives the command to change the <code class="filename">file1</code>
type to <code class="computeroutput">public_content_t</code>, which
is accessable to the Apache HTTP Server and Samba.
- </p></dd><dt><span class="term">Additional
Information</span></dt><dd><p>
+ </div></dd><dt><span class="term">Detailed
Description</span></dt><dd><div class="para">
+ A more verbose description. In this example, <code
class="filename">file1</code> is labeled with the <code
class="computeroutput">samba_share_t</code> type. This type is used for
files and directories that you want to export via Samba. The description suggests changing
the type to a type that can be accessed by the Apache HTTP Server and Samba, if such
access is desired.
+ </div></dd><dt><span class="term">Allowing
Access</span></dt><dd><div class="para">
+ A suggestion for how to allow access. This may be relabeling files, turning a
Boolean on, or making a local policy module. In this case, the suggestion is to label the
file with a type accessible to both the Apache HTTP Server and Samba.
+ </div></dd><dt><span class="term">Fix
Command</span></dt><dd><div class="para">
+ A suggested command to allow access and resolve the denial. In this example, it
gives the command to change the <code class="filename">file1</code>
type to <code class="computeroutput">public_content_t</code>, which
is accessible to the Apache HTTP Server and Samba.
+ </div></dd><dt><span class="term">Additional
Information</span></dt><dd><div class="para">
Information that is useful in bug reports, such as the policy package name and
version (<code
class="computeroutput">selinux-policy-3.5.13-11.fc10</code>), but may
not help towards solving why the denial occurred.
- </p></dd><dt><span class="term">Raw Audit
Messages</span></dt><dd><p>
- The raw audit messages from <code
class="filename">/var/log/audit/audit.log</code> that are associated
with the denial. Refer to <a class="xref"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"
title="7.3.6. Raw Audit Messages">Section 7.3.6, “Raw Audit
Messages”</a> for information about each item in the AVC denial.
- </p></dd></dl></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Prev</strong>7.3.6. Raw
Audit Messages</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Next</strong>7.3.8. Allowing
Access: audit2allow</a></li></ul></body></html>
\ No newline at end of file
+ </div></dd><dt><span class="term">Raw Audit
Messages</span></dt><dd><div class="para">
+ The raw audit messages from <code
class="filename">/var/log/audit/audit.log</code> that are associated
with the denial. Refer to <a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"
title="7.3.6. Raw Audit Messages">Section 7.3.6, “Raw Audit
Messages”</a> for information about each item in the AVC denial.
+ </div></dd></dl></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Prev</strong>7.3.6. Raw
Audit Messages</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Next</strong>7.3.8. Allowing
Access: audit2allow</a></li></ul></body></html>
\ No newline at end of file
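Review bot: the Fix Command entry still says only that sealert "gives the command to change the file1 type to public_content_t" without saying whether that change survives a filesystem relabel; since the Allowing Access entry lists "relabeling files" as one kind of fix, add a sentence on whether the suggested command is persistent or a one-off, so readers do not apply it and lose it later. The accessable -> accessible fix is applied in both the Allowing Access and Fix Command entries, good. The xref anchor in the Raw Audit Messages entry lost its class="xref" on the + side; check that the stylesheet does not depend on it before dropping it.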
Index: sect-Security-Enhanced_Linux-Introduction-Examples.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Introduction-Examples.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Introduction-Examples.html 24 Nov 2008 22:43:11
-0000 1.1
+++ sect-Security-Enhanced_Linux-Introduction-Examples.html 24 Jan 2009 03:48:02
-0000 1.2
@@ -1,28 +1,28 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction"/><link rel="next"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"
title="2.3. SELinux Architecture"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>2.2. Examples</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n" href="sect-Security-En
hanced_Linux-Introduction-SELinux_Architecture.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction"/><link rel="next"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"
title="2.3. SELinux Architecture"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul cl
ass="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</h2></div></div></div><div
class="para">
The following examples demonstrate how SELinux increases security:
- </p><div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
the default action is deny. If an SELinux policy rule does not exist to allow
access, such as for a process opening a file, access is denied.
- </p></li><li><p>
+ </div></li><li><div class="para">
SELinux can confine Linux users. A number of confined SELinux users exist. Linux
users can be mapped to SELinux users to take advantage of confined SELinux users. For
example, mapping a Linux user to the SELinux user_u user, results in a Linux user that is
not able to run (unless configured otherwise) set user ID (setuid) applications, such as
<code class="command">sudo</code> and <code
class="command">su</code>, as well as preventing them from executing
files and applications in their home directory- if configured, this prevents users from
executing malicious files from their home directories.
- </p></li><li><p>
+ </div></li><li><div class="para">
process separation. Processes run in their own domains, preventing processes from
accessing files used by other processes, as well as processes accessing other processes.
For example, when running SELinux, unless otherwise configured, an attacker can not
compromise a Samba server, and then use that Samba server to read and write to files used
by other processes, such as databases used by <span
class="trademark">MySQL</span>®.
- </p></li><li><p>
- help limit the damage done by configuration mistakes. <a
href="http://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System
(DNS)</a> servers can replicate information between each other. This is known as a
zone transfer. Attackers can use zone transfers to update DNS servers with false
information. When running the <a
href="https://www.isc.org/software/bind">Berkeley Internet Name Domain
(BIND)</a> DNS server in Fedora 10, even if an administrator forgets to limit which
servers can perform a zone transfer, the default SELinux policy prevents zone files
<sup>[<a id="d0e609" href="#ftn.d0e609"
class="footnote">3</a>]</sup> from being updated by zone
transfers, the BIND <code class="systemitem">named</code> daemon,
and other processes.
- </p></li><li><p>
- refer to the <a
href="http://www.redhatmagazine.com/"><span
class="trademark">Red Hat</span>® Magazine</a> article, <a
href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-yea...
report: Three years of Red Hat Enterprise Linux 4</a><sup>[<a
id="d0e626" href="#ftn.d0e626"
class="footnote">4</a>]</sup>, for exploits that were restricted
due to the default SELinux targeted policy in <span class="trademark">Red
Hat</span>® Enterprise <span class="trademark">Linux</span>®
4.
- </p></li><li><p>
- refer to the <a
href="http://www.linuxworld.com">LinuxWorld.com</a> article, <a
href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1...
seatbelt for server software: SELinux blocks real-world
exploits</a><sup>[<a id="d0e646" href="#ftn.d0e646"
class="footnote">5</a>]</sup>, for background information about
SELinux, and information about various exploits that SELinux has prevented.
- </p></li><li><p>
+ </div></li><li><div class="para">
+ help limit the damage done by configuration mistakes. <a
href="http://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System
(DNS)</a> servers can replicate information between each other. This is known as a
zone transfer. Attackers can use zone transfers to update DNS servers with false
information. When running the <a
href="https://www.isc.org/software/bind">Berkeley Internet Name Domain
(BIND)</a> DNS server in Fedora 10, even if an administrator forgets to limit which
servers can perform a zone transfer, the default SELinux policy prevents zone files
<sup>[<a id="d0e609"
href="#ftn.d0e609">3</a>]</sup> from being updated by zone
transfers, the BIND <code class="systemitem">named</code> daemon,
and other processes.
+ </div></li><li><div class="para">
+ refer to the <a
href="http://www.redhatmagazine.com/"><span
class="trademark">Red Hat</span>® Magazine</a> article, <a
href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-yea...
report: Three years of Red Hat Enterprise Linux 4</a><sup>[<a
id="d0e626" href="#ftn.d0e626">4</a>]</sup>, for
exploits that were restricted due to the default SELinux targeted policy in <span
class="trademark">Red Hat</span>® Enterprise <span
class="trademark">Linux</span>® 4.
+ </div></li><li><div class="para">
+ refer to the <a
href="http://www.linuxworld.com">LinuxWorld.com</a> article, <a
href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1...
seatbelt for server software: SELinux blocks real-world
exploits</a><sup>[<a id="d0e646"
href="#ftn.d0e646">5</a>]</sup>, for background information about
SELinux, and information about various exploits that SELinux has prevented.
+ </div></li><li><div class="para">
refer to James Morris's <a
href="http://james-morris.livejournal.com/25421.html">SELinux mitigates
remote root vulnerability in OpenPegasus</a> blog post, for information about an
exploit in <a
href="http://www.openpegasus.org/">OpenPegasus</a>
that was mitigated by SELinux as shipped with Red Hat Enterprise Linux 4 and 5.
- </p></li></ul></div><p>
+ </div></li></ul></div><div class="para">
The <a
href="http://www.tresys.com/">Tresys Technology</a>
website has an <a
href="http://www.tresys.com/innovation.php">SELinux
Mitigation News</a> section (on the right-hand side), that lists recent exploits
that have been mitigated or prevented by SELinux.
- </p><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e609"
href="#d0e609" class="para">3</a>] </sup>
+ </div><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e609"
href="#d0e609">3</a>] </sup>
Text files that include information, such as hostname to IP address mappings, that
are used by DNS servers.
- </p></div><div
class="footnote"><p><sup>[<a id="ftn.d0e626"
href="#d0e626" class="para">4</a>] </sup>
+ </p></div><div
class="footnote"><p><sup>[<a id="ftn.d0e626"
href="#d0e626">4</a>] </sup>
Cox, Mark. "Risk report: Three years of Red Hat Enterprise Linux 4".
Published 26 February 2008. Accessed 28 August 2008: <a
href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-yea...;.
- </p></div><div
class="footnote"><p><sup>[<a id="ftn.d0e646"
href="#d0e646" class="para">5</a>] </sup>
+ </p></div><div
class="footnote"><p><sup>[<a id="ftn.d0e646"
href="#d0e646">5</a>] </sup>
Marti, Don. "A seatbelt for server software: SELinux blocks real-world
exploits". Published 24 February 2008. Accessed 28 August 2008: <a
href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1...;.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Prev</strong>Chapter 2. Introduction</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"><strong>Next</strong>2.3. SELinux
Architecture</a></li></ul></body></html>
\ No newline at end of file
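Review bot: the zone-file bullet is hard to parse where it says the policy "prevents zone files from being updated by zone transfers, the BIND named daemon, and other processes": a zone transfer is not a process, and the preceding sentence defines it as replication between servers, so the list mixes the mechanism with the subjects the policy actually confines. Reword to say that the named daemon (and other processes) cannot write the zone files, so a zone transfer cannot overwrite them. Style points visible in the same hunk: the first four bullets start in lowercase ("the default action is deny", "process separation", "help limit the damage") while the rest read as sentences; "mapping a Linux user to the SELinux user_u user, results in" has a stray comma and user_u is not marked up as computeroutput the way httpd_t and samba_share_t are elsewhere in this commit; "home directory- if configured" needs a proper dash or a full stop; and "(on the right-hand side)" ties the Tresys reference to that site's page layout, which will go stale.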
Index: sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html 24 Nov 2008
22:43:11 -0000 1.1
+++ sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html 24 Jan 2009
03:48:02 -0000 1.2
@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Architecture</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"
title="2.2. Examples"/><link rel="next"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html"
title="2.4. SELinux on Other Operating
Systems"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>2.3. SELinux
Architecture</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"><strong>Prev</strong></a></
li><li class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux
Architecture</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Architecture</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"
title="2.2. Examples"/><link rel="next"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html"
title="2.4. SELinux on Other Operating Systems"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" al
t="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux
Architecture</h2></div></div></div><div
class="para">
SELinux is a Linux security module that is built into the Linux kernel. SELinux is
driven by loadable policy rules. When security-relevant access is taking place, such as
when a process attempts to open a file, the operation is intercepted in the kernel by
SELinux. If an SELinux policy rule allows the operation, it continues, otherwise, the
operation is blocked and the process receives an error.
- </p><p>
+ </div><div class="para">
SELinux decisions, such as allowing or disallowing access, are cached. This cache is
known as the Access Vector Cache (AVC). Caching decisions decreases how often SELinux
policy rules need to be checked, which increases performance. SELinux policy rules have no
affect if DAC rules deny access first.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"><strong>Prev</strong>2.2. Examples</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html"><strong>Next</strong>2.4. SELinux
on Other Operating Systems</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Introduction-Examples.html"><strong>Prev</strong>2.2. Examples</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems.html"><strong>Next</strong>2.4. SELinux
on Other Operating Systems</a></li></ul></body></html>
\ No newline at end of file
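Review bot: the rel="next" and docnav hrefs change from ..._SELinux_on_other_Operating_Systems.html to ..._SELinux_on_Other_Operating_Systems.html; that only works if the target file is renamed or added in the same commit, and on a case-sensitive web server the old name will 404 as soon as the link goes live, so confirm the rename is part of this change set. Also, "SELinux policy rules have no affect if DAC rules deny access first" is carried over unchanged on both sides of the hunk: it should read "no effect". "SELinux is a Linux security module" would be clearer as "a Linux Security Module (LSM)", since the paragraph's point is that the check happens inside the kernel hooks rather than in a userspace wrapper.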
Index:
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html 24
Nov 2008 22:43:11 -0000 1.1
+++
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,44 +1,44 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Files with star</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"
title="5.10.4. Archiving Files with tar"/><link rel="next"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.10.5. Archiving Files
with star</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p" href="sect-Security-Enha
nced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving
Files with star</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Files with star</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"
title="5.10.4. Archiving Files with tar"/><link rel="next"
href="chap-Security-Enhanced_Linux-Confining_Users.html"
title="Chapter 6. Confining Users"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraprojec
t.org"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving
Files with star</h3></div></div></div><div
class="para">
<code class="command">star</code> does not retain extended
attributes by default. Since SELinux contexts are stored in extended attributes, contexts
can be lost when archiving files. Use <code class="command">star -xattr
-H=exustar</code> to create archives that retain contexts. The <span
class="package">star</span> package is not installed by default. To
install <code class="command">star</code>, run the <code
class="command">yum install star</code> command as the Linux root
user.
- </p><p>
+ </div><div class="para">
The following example demonstrates creating a Star archive that retains SELinux
contexts:
- </p><div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code class="command">touch
/var/www/html/file{1,2,3}</code> command to create three files (<code
class="filename">file1</code>, <code
class="filename">file2</code>, and <code
class="filename">file3</code>). These files inherit the <code
class="computeroutput">httpd_sys_content_t</code> type from the
<code class="filename">/var/www/html/</code> directory:
- </p><pre class="screen">
+ </div><pre class="screen">
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
-</pre></li><li><p>
+</pre></li><li><div class="para">
Run the <code class="command">cd /var/www/html/</code>
command to change into the <code
class="filename">/var/www/html/</code> directory. Once in this
directory, as the Linux root user, run the <code class="command">star
-xattr -H=exustar -c -f=test.star file{1,2,3}</code> command to create a Star
archive named <code class="filename">test.star</code>:
- </p><pre class="screen">
+ </div><pre class="screen">
# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">mkdir
/test</code> command to create a new directory, and then, run the <code
class="command">chmod 777 /test/</code> command to allow all users
full-access to the <code class="filename">/test/</code> directory.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">cp /var/www/html/test.star
/test/</code> command to copy the <code
class="filename">test.star</code> file in to the <code
class="filename">/test/</code> directory.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">cd /test/</code> command to
change into the <code class="filename">/test/</code> directory. Once
in this directory, run the <code class="command">star -x
-f=test.star</code> command to extract the Star archive:
- </p><pre class="screen">
+ </div><pre class="screen">
$ star -x -f=test.star
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
-</pre></li><li><p>
+</pre></li><li><div class="para">
Run the <code class="command">ls -lZ /test/</code> command to
view the SELinux contexts. The <code
class="computeroutput">httpd_sys_content_t</code> type has been
retained, rather than being changed to <code
class="computeroutput">default_t</code>, which would have happened had
the <code class="option">--selinux</code> not been used:
- </p><pre class="screen">
+ </div><pre class="screen">
$ ls -lZ /test/
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r-- user1 group1 unconfined_u:object_r:default_t:s0 test.star
-</pre></li><li><p>
+</pre></li><li><div class="para">
If the <code class="filename">/test/</code> directory is no
longer required, as the Linux root user, run the <code class="command"> rm
-ri /test/</code> command to remove it, as well as all files in it.
- </p></li><li><p>
+ </div></li><li><div class="para">
If <code class="command">star</code> is no longer required,
as the Linux root user, run the <code class="command">yum remove
star</code> command to remove the package.
- </p></li></ol></div><p>
+ </div></li></ol></div><div class="para">
Refer to the <span class="citerefentry"><span
class="refentrytitle">star</span>(1)</span> manual page for
further information about <code class="command">star</code>.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Prev</strong>5.10.4. Archiving
Files with tar</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Next</strong>Chapter 6. Confining
Users</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Prev</strong>5.10.4. Archiving
Files with tar</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Next</strong>Chapter 6. Confining
Users</a></li></ul></body></html>
\ No newline at end of file
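Review bot: Step 6 of the star procedure (the `ls -lZ /test/` step) says the type would have changed to `default_t` "had the `--selinux` not been used", but `--selinux` is a tar option that never appears in this procedure; star was invoked with `-xattr -H=exustar`, so the sentence should name those options instead. The text looks copied from the tar section and is wrong in both 1.1 and 1.2. It is also worth confirming that the extract step `star -x -f=test.star` really restores the contexts without `-xattr` on the extract side, given that the create step required it; the example output claims it does, so the claim should be verified rather than assumed. Minor: "copy the test.star file in to the /test/ directory" should read "into", and `<code class="command"> rm -ri /test/</code>` has a stray leading space inside the element.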
Index:
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html 24
Nov 2008 22:43:11 -0000 1.1
+++
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,40 +1,40 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Files with tar</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"
title="5.10.3. Checking the Default SELinux Context"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"
title="5.10.5. Archiving Files with star"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.10.4. Archiving Files
with tar</strong></a></p><ul class="docn
av"><li class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving
Files with tar</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Files with tar</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"
title="5.10.3. Checking the Default SELinux Context"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"
title="5.10.5. Archiving Files with star"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt=
"Product Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving
Files with tar</h3></div></div></div><div
class="para">
<code class="command">tar</code> does not retain extended
attributes by default. Since SELinux contexts are stored in extended attributes, contexts
can be lost when archiving files. Use <code class="command">tar
--selinux</code> to create archives that retain contexts. If a Tar archive contains
files without extended attributes, or if you want the extended attributes to match the
system defaults, run the archive through <code
class="command">/sbin/restorecon</code>:
- </p><pre class="screen">
+ </div><pre class="screen">
$ tar -xf <em
class="replaceable"><code>archive.tar</code></em> |
/sbin/restorecon -f -
-</pre><p>
+</pre><div class="para">
Note: depending on the directory, you may need to be the Linux root user to run the
<code class="command">/sbin/restorecon</code> command.
- </p><p>
+ </div><div class="para">
The following example demonstrates creating a Tar archive that retains SELinux
contexts:
- </p><div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code class="command">touch
/var/www/html/file{1,2,3}</code> command to create three files (<code
class="filename">file1</code>, <code
class="filename">file2</code>, and <code
class="filename">file3</code>). These files inherit the <code
class="computeroutput">httpd_sys_content_t</code> type from the
<code class="filename">/var/www/html/</code> directory:
- </p><pre class="screen">
+ </div><pre class="screen">
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
-</pre></li><li><p>
+</pre></li><li><div class="para">
Run the <code class="command">cd /var/www/html/</code>
command to change into the <code
class="filename">/var/www/html/</code> directory. Once in this
directory, as the Linux root user, run the <code class="command">tar
--selinux -cf test.tar file{1,2,3}</code> command to create a Tar archive named
<code class="filename">test.tar</code>.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code class="command">mkdir
/test</code> command to create a new directory, and then, run the <code
class="command">chmod 777 /test/</code> command to allow all users
full-access to the <code class="filename">/test/</code> directory.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">cp /var/www/html/test.tar
/test/</code> command to copy the <code
class="filename">test.tar</code> file in to the <code
class="filename">/test/</code> directory.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">cd /test/</code> command to
change into the <code class="filename">/test/</code> directory. Once
in this directory, run the <code class="command">tar -xf
test.tar</code> command to extract the Tar archive.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">ls -lZ /test/</code> command to
view the SELinux contexts. The <code
class="computeroutput">httpd_sys_content_t</code> type has been
retained, rather than being changed to <code
class="computeroutput">default_t</code>, which would have happened had
the <code class="option">--selinux</code> not been used:
- </p><pre class="screen">
+ </div><pre class="screen">
$ ls -lZ /test/
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r-- user1 group1 unconfined_u:object_r:default_t:s0 test.tar
-</pre></li><li><p>
+</pre></li><li><div class="para">
If the <code class="filename">/test/</code> directory is no
longer required, as the Linux root user, run the <code class="command"> rm
-ri /test/</code> command to remove it, as well as all files in it.
- </p></li></ol></div><p>
+ </div></li></ol></div><div class="para">
Refer to the <span class="citerefentry"><span
class="refentrytitle">tar</span>(1)</span> manual page for
further information about <code class="command">tar</code>, such as
the <code class="option">--xattrs</code> option that retains all
extended attributes.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Prev</strong>5.10.3. Checking
the Default SELinux Context</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Next</strong>5.10.5. Archiving
Files with star</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Prev</strong>5.10.3. Checking
the Default SELinux Context</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Next</strong>5.10.5. Archiving
Files with star</a></li></ul></body></html>
\ No newline at end of file
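Review bot: The restorecon pipeline in the first paragraph, `$ tar -xf archive.tar | /sbin/restorecon -f -`, will not relabel anything: `tar -xf` without `-v` writes no file names to stdout, so `restorecon -f -` reads an empty list from stdin and exits without touching the extracted files. Change it to `$ tar -xvf archive.tar | /sbin/restorecon -f -` so the extracted paths are actually fed to restorecon. This was wrong in 1.1 and is unchanged in 1.2. Minor: "copy the test.tar file in to the /test/ directory" should read "into".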
Index:
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html 24
Nov 2008 22:43:12 -0000 1.1
+++
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,30 +1,30 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
the Default SELinux Context</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"
title="5.10.2. Moving Files and Directories"/><link rel="next"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"
title="5.10.4. Archiving Files with tar"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.10.3. Checking the
Default SELinux Context</strong></a></p><ul class
="docnav"><li class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking
the Default SELinux Context</h3></div></div></div><p>
- Use the <code class="command">/usr/sbin/matchpathcon</code>
command to check if files and directories have the correct SELinux context. From the
<span class="citerefentry"><span
class="refentrytitle">matchpathcon</span>(8)</span> manual page:
"<code class="command">matchpathcon</code> queries the system
policy and outputs the default security context associated with the file
path."<sup>[<a id="d0e4322" href="#ftn.d0e4322"
class="footnote">13</a>]</sup>. The following example
demonstrates using the <code
class="command">/usr/sbin/matchpathcon</code> command to verify that
files in <code class="filename">/var/www/html/</code> directory are
labeled correctly:
- </p><div class="orderedlist"><ol><li><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
the Default SELinux Context</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"
title="5.10.2. Moving Files and Directories"/><link rel="next"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"
title="5.10.4. Archiving Files with tar"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Produ
ct Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking
the Default SELinux Context</h3></div></div></div><div
class="para">
+ Use the <code class="command">/usr/sbin/matchpathcon</code>
command to check if files and directories have the correct SELinux context. From the
<span class="citerefentry"><span
class="refentrytitle">matchpathcon</span>(8)</span> manual page:
"<code class="command">matchpathcon</code> queries the system
policy and outputs the default security context associated with the file
path."<sup>[<a id="d0e4331"
href="#ftn.d0e4331">13</a>]</sup>. The following example
demonstrates using the <code
class="command">/usr/sbin/matchpathcon</code> command to verify that
files in <code class="filename">/var/www/html/</code> directory are
labeled correctly:
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code class="command">touch
/var/www/html/file{1,2,3}</code> command to create three files (<code
class="filename">file1</code>, <code
class="filename">file2</code>, and <code
class="filename">file3</code>). These files inherit the <code
class="computeroutput">httpd_sys_content_t</code> type from the
<code class="filename">/var/www/html/</code> directory:
- </p><pre class="screen"># touch /var/www/html/file{1,2,3}
+ </div><pre class="screen"># touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">chcon -t
samba_share_t /var/www/html/file1</code> command to change the <code
class="filename">file1</code> type to <code
class="computeroutput">samba_share_t</code>. Note: the Apache HTTP
Server can not read files or directories labeled with the <code
class="computeroutput">samba_share_t</code> type.
- </p></li><li><p>
+ </div></li><li><div class="para">
The <code class="command">/usr/sbin/matchpathcon</code>
<code class="option">-V</code> option compares the current SELinux
context to the correct, default context in SELinux policy. Run the <code
class="command">/usr/sbin/matchpathcon -V /var/www/html/*</code>
command to check all files in the <code
class="filename">/var/www/html/</code> directory:
- </p><pre class="screen">$ /usr/sbin/matchpathcon -V
/var/www/html/*
+ </div><pre class="screen">$ /usr/sbin/matchpathcon -V
/var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be
system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
-</pre></li></ol></div><p>
+</pre></li></ol></div><div class="para">
The following output from the <code
class="command">/usr/sbin/matchpathcon</code> command explains that
<code class="filename">file1</code> is labeled with the <code
class="computeroutput">samba_share_t</code> type, but should be labeled
with the <code class="computeroutput">httpd_sys_content_t</code>
type:
- </p><pre class="screen">/var/www/html/file1 has context
unconfined_u:object_r:samba_share_t:s0, should be
system_u:object_r:httpd_sys_content_t:s0
-</pre><p>
+ </div><pre class="screen">/var/www/html/file1 has context
unconfined_u:object_r:samba_share_t:s0, should be
system_u:object_r:httpd_sys_content_t:s0
+</pre><div class="para">
To resolve the label problem and allow the Apache HTTP Server access to <code
class="filename">file1</code>, as the Linux root user, run the <code
class="command">/sbin/restorecon -v /var/www/html/file1</code>
command:
- </p><pre class="screen"># /sbin/restorecon -v
/var/www/html/file1
+ </div><pre class="screen"># /sbin/restorecon -v
/var/www/html/file1
restorecon reset /var/www/html/file1 context
unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
-</pre><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e4322"
href="#d0e4322" class="para">13</a>] </sup>
+</pre><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e4331"
href="#d0e4331">13</a>] </sup>
The <span class="citerefentry"><span
class="refentrytitle">matchpathcon</span>(8)</span> manual page,
as shipped with the <span class="package">libselinux-utils</span>
package in Fedora, is written by Daniel Walsh. Any edits or changes in this version were
done by Murray McAllister.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Prev</strong>5.10.2. Moving
Files and Directories</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Next</strong>5.10.4. Archiving
Files with tar</a></li></ul></body></html>
\ No newline at end of file
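Review bot: Two wording issues survive into 1.2 on this page: in step 2 of the matchpathcon procedure, "the Apache HTTP Server can not read files" should be "cannot", and the introductory paragraph's "verify that files in /var/www/html/ directory are labeled correctly" is missing "the". The footnote anchor ids change consistently from `d0e4322` to `d0e4331` in both the superscript link and the footnote body, so the cross-reference still resolves; the `class="footnote"` and `class="para"` attributes dropped from those anchors should be checked against the stylesheet so the footnote marker keeps its styling.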
Index:
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html 24
Nov 2008 22:43:12 -0000 1.1
+++
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,25 +1,25 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Files and Directories</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="next"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"
title="5.10.3. Checking the Default SELinux
Context"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>5.10.2. Moving Files and
Directories</strong></a></p><ul class="do
cnav"><li class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving
Files and Directories</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Files and Directories</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/><link rel="next"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"
title="5.10.3. Checking the Default SELinux Context"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="P
roduct Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving
Files and Directories</h3></div></div></div><div
class="para">
File and directories keep their current SELinux context when they are moved. In many
cases, this is incorrect for the location they are being moved to. The following example
demonstrates moving a file from a user's home directory to <code
class="filename">/var/www/html/</code>, which is used by the Apache
HTTP Server. Since the file is moved, it does not inherit the correct SELinux context:
- </p><div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
Run the <code class="command">cd</code> command without any
arguments to change into your home directory. Once in your home directory, run the
<code class="command">touch file1</code> command to create a file.
This file is labeled with the <code
class="computeroutput">user_home_t</code> type:
- </p><pre class="screen">$ ls -Z file1
+ </div><pre class="screen">$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-</pre></li><li><p>
+</pre></li><li><div class="para">
Run the <code class="command">ls -dZ /var/www/html/</code>
command to view the SELinux context of the <code
class="filename">/var/www/html/</code> directory:
- </p><pre class="screen">$ ls -dZ /var/www/html/
+ </div><pre class="screen">$ ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
-</pre><p>
+</pre><div class="para">
By default, the <code class="filename">/var/www/html/</code>
directory is labeled with the <code
class="computeroutput">httpd_sys_content_t</code> type. Files and
directories created under the <code
class="filename">/var/www/html/</code> directory inherit this type, and
as such, they are labeled with this type.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code class="command">mv file1
/var/www/html/</code> command to move <code
class="filename">file1</code> to the <code
class="filename">/var/www/html/</code> directory. Since this file is
moved, it keeps its current <code
class="computeroutput">user_home_t</code> type:
- </p><pre class="screen"># mv file1 /var/www/html/
+ </div><pre class="screen"># mv file1 /var/www/html/
# ls -Z /var/www/html/file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
-</pre></li></ol></div><p>
+</pre></li></ol></div><div class="para">
By default, the Apache HTTP Server can not read files that are labeled with the
<code class="computeroutput">user_home_t</code> type. If all files
comprising a web page are labeled with the <code
class="computeroutput">user_home_t</code> type, or another type that
the Apache HTTP Server can not read, permission is denied when attempting to access them
via Firefox or text-based Web browsers.
- </p><div
class="important"><h2>Important</h2><p>
+ </div><div
class="important"><h2>Important</h2><div
class="para">
Moving files and directories with the <code
class="command">mv</code> command may result in the wrong SELinux
context, preventing processes, such as the Apache HTTP Server and Samba, from accessing
such files and directories.
- </p></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Prev</strong>5.10. Maintaining
SELinux Labels </a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Next</strong>5.10.3. Checking
the Default SELinux Context</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Prev</strong>5.10. Maintaining
SELinux Labels </a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Next</strong>5.10.3. Checking
the Default SELinux Context</a></li></ul></body></html>
\ No newline at end of file
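Review bot: the procedure leaves /var/www/html/file1 labeled user_home_t and never shows how to repair it; the Important admonition ("Moving files and directories with the mv command may result in the wrong SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories.") should name the remedy, i.e. run "restorecon -v /var/www/html/file1" so the file is relabeled from the file-context rules, or use cp instead of mv so the copy is created with the destination type, which is the inheritance behaviour the "Files and directories created under the /var/www/html/ directory inherit this type" paragraph already describes. Minor wording in the same paragraphs: "File and directories keep their current SELinux context" should read "Files and directories", and "can not read" (twice, in the paragraph on Apache and user_home_t) should be "cannot read".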
Index:
sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html 24
Nov 2008 22:43:12 -0000 1.1
+++
sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,20 +1,20 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
the Default Context</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="next"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"
title="5.9.3. Mounting an NFS File System"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.9.2. Changing the
Default Context</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p" href="s
ect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing
the Default Context</h3></div></div></div><p>
- As mentioned in <a class="xref"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"
title="5.8. The file_t and default_t Types">Section 5.8, “The file_t and
default_t Types”</a>, on file systems that support extended attributes, when a file
that lacks an SELinux context on disk is accessed, it is treated as if it had a default
context as defined by SELinux policy. In common policies, this default context uses the
<code class="computeroutput">file_t</code> type. If it is desirable
to use a different default context, mount the file system with the <code
class="option">defcontext</code> option.
- </p><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
the Default Context</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="next"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"
title="5.9.3. Mounting an NFS File System"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="http://do
cs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing
the Default Context</h3></div></div></div><div
class="para">
+ As mentioned in <a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"
title="5.8. The file_t and default_t Types">Section 5.8, “The file_t and
default_t Types”</a>, on file systems that support extended attributes, when a file
that lacks an SELinux context on disk is accessed, it is treated as if it had a default
context as defined by SELinux policy. In common policies, this default context uses the
<code class="computeroutput">file_t</code> type. If it is desirable
to use a different default context, mount the file system with the <code
class="option">defcontext</code> option.
+ </div><div class="para">
The following example mounts a newly-created file system (on <code
class="filename">/dev/sda2</code>) to the newly-created <code
class="filename">/test/</code> directory. It assumes that there are no
rules in <code
class="filename">/etc/selinux/targeted/contexts/files/</code> that
define a context for the <code class="filename">/test/</code>
directory:
- </p><pre class="screen">
+ </div><pre class="screen">
# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
-</pre><p>
+</pre><div class="para">
In this example:
- </p><div class="itemizedlist"><ul><li><p>
- the <code class="option">defcontext</code> option defines
that <code
class="computeroutput">system_u:object_r:samba_share_t:s0</code> is
"the default security context for unlabeled files"<sup>[<a
id="d0e3871" href="#ftn.d0e3871"
class="footnote">12</a>]</sup>.
- </p></li><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
+ the <code class="option">defcontext</code> option defines
that <code
class="computeroutput">system_u:object_r:samba_share_t:s0</code> is
"the default security context for unlabeled files"<sup>[<a
id="d0e3880" href="#ftn.d0e3880">12</a>]</sup>.
+ </div></li><li><div class="para">
when mounted, the root directory (<code
class="filename">/test/</code>) of the file system is treated as if it
is labeled with the context specified by <code
class="option">defcontext</code> (this label is not stored on disk).
This affects the labeling for files created under <code
class="filename">/test/</code>: new files inherit the <code
class="computeroutput">samba_share_t</code> type, and these labels are
stored on disk.
- </p></li><li><p>
+ </div></li><li><div class="para">
files created under <code class="filename">/test/</code>
while the file system was mounted with a <code
class="option">defcontext</code> option retain their labels.
- </p></li></ul></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e3871"
href="#d0e3871" class="para">12</a>] </sup>
+ </div></li></ul></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e3880"
href="#d0e3880">12</a>] </sup>
Morris, James. "Filesystem Labeling in SELinux". Published 1 October
2004. Accessed 14 October 2008: <a
href="http://www.linuxjournal.com/article/7426">http://www.l...;.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Prev</strong>5.9. Mounting
File Systems</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Next</strong>5.9.3. Mounting
an NFS File System</a></li></ul></body></html>
\ No newline at end of file
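Review bot: the regenerated markup drops class="xref" from the Section 5.8 link and class="footnote" / class="para" from the footnote marker and its backlink (now plain `<a id="d0e3880" href="#ftn.d0e3880">12</a>` and `<a id="ftn.d0e3880" href="#d0e3880">12</a>`), so any selector in Common_Content/css/default.css keyed on those classes no longer matches; check that footnote superscripts and cross-references still render as intended, or restore the classes in the publican template rather than letting them silently disappear. The content itself is unchanged and the defcontext example ("mount /dev/sda2 /test/ -o defcontext=...") still reads correctly.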
Index:
sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html 24
Nov 2008 22:43:12 -0000 1.1
+++
sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,10 +1,10 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Context Mounts Persistent</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"
title="5.9.4. Multiple NFS Mounts"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.9.5. Making Context
Mounts Persistent</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p" hre
f="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making
Context Mounts Persistent</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Context Mounts Persistent</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"
title="5.9.4. Multiple NFS Mounts"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"
title="5.10. Maintaining SELinux Labels"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="http://do
cs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making
Context Mounts Persistent</h3></div></div></div><div
class="para">
To make context mounts persistent across remounting and reboots, add entries for the
file systems in <code class="filename">/etc/fstab</code> or an
automounter map, and use the desired context as a mount option. The following example adds
an entry to <code class="filename">/etc/fstab</code> for an NFS
context mount:
- </p><pre class="screen">
+ </div><pre class="screen">
server:/export /local/mount/ nfs
context="system_u:object_r:httpd_sys_content_t:s0" 0 0
-</pre><p>
+</pre><div class="para">
Refer to the <a
href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/...
Hat Enterprise Linux 5 Deployment Guide, Section 19.2. "NFS Client
Configuration"</a> for information about mounting NFS file systems.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Prev</strong>5.9.4. Multiple
NFS Mounts</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Next</strong>5.10. Maintaining
SELinux Labels </a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Prev</strong>5.9.4. Multiple
NFS Mounts</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Next</strong>5.10. Maintaining
SELinux Labels </a></li></ul></body></html>
\ No newline at end of file
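Review bot: the section title promises persistence for context mounts in general, but the only example (`server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0`) covers NFS; a second fstab line showing the defcontext case from 5.9.2 (the /dev/sda2 file system mounted on /test/) would make the mapping from the "mount -o" command line to the fstab options column explicit for the local-disk case too. Also, NFS client configuration is referred to the Red Hat Enterprise Linux 5 Deployment Guide, Section 19.2; in a Fedora 10 guide either state that the linked procedure applies unchanged, or point at the corresponding Fedora documentation.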
Index:
sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html 24
Nov 2008 22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,14 +1,14 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
an NFS File System</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"
title="5.9.2. Changing the Default Context"/><link rel="next"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"
title="5.9.4. Multiple NFS Mounts"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.9.3. Mounting an NFS
File System</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p" href="se
ct-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting
an NFS File System</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
an NFS File System</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"
title="5.9.2. Changing the Default Context"/><link rel="next"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"
title="5.9.4. Multiple NFS Mounts"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="http://do
cs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting
an NFS File System</h3></div></div></div><div
class="para">
By default, NFS mounts on the client side are labeled with a default context defined
by policy for NFS file systems. In common policies, this default context uses the <code
class="computeroutput">nfs_t</code> type. Depending on policy
configuration, services, such as Apache HTTP Server and MySQL, may not be able to read
files labeled with the <code class="computeroutput">nfs_t</code>
type. This may prevent file systems labeled with this type from being mounted and then
read or exported by other services.
- </p><p>
+ </div><div class="para">
If you would like to mount an NFS file system and read or export that file system
with another service, use the <code class="option">context</code>
option when mounting to override the <code
class="computeroutput">nfs_t</code> type. Use the following context
option to mount NFS file systems so that they can be shared via the Apache HTTP Server:
- </p><pre class="screen">mount server:/export /local/mount/point
-o\
+ </div><pre class="screen">mount server:/export
/local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"
-</pre><p>
+</pre><div class="para">
Since context changes are not written to disk for these situations, the context
specified with the <code class="option">context</code> option is
only retained if the <code class="option">context</code> option is
used on the next mount, and if the same context is specified.
- </p><p>
- As an alternative to mounting file systems with <code
class="option">context</code> options, Booleans can be turned on to
allow services access to file systems labeled with the <code
class="computeroutput">nfs_t</code> type. Refer to <a
class="xref"
href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"
title="5.6.3. Examples: Booleans for NFS and CIFS">Section 5.6.3, “Examples:
Booleans for NFS and CIFS”</a> for instructions on configuring Booleans to allow
services access to the <code class="computeroutput">nfs_t</code>
type.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Prev</strong>5.9.2. Changing
the Default Context</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Next</strong>5.9.4. Multiple
NFS Mounts</a></li></ul></body></html>
\ No newline at end of file
+ </div><div class="para">
+ As an alternative to mounting file systems with <code
class="option">context</code> options, Booleans can be turned on to
allow services access to file systems labeled with the <code
class="computeroutput">nfs_t</code> type. Refer to <a
href="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html"
title="5.6.3. Booleans for NFS and CIFS">Section 5.6.3, “Booleans for NFS and
CIFS”</a> for instructions on configuring Booleans to allow services access to the
<code class="computeroutput">nfs_t</code> type.
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Prev</strong>5.9.2. Changing
the Default Context</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Next</strong>5.9.4. Multiple
NFS Mounts</a></li></ul></body></html>
\ No newline at end of file
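Review bot: the cross-reference target changes from sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html to sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html with the title changed to "5.6.3. Booleans for NFS and CIFS"; confirm the renamed file is committed together with this one and that no other page still links the old name, otherwise the link breaks. On the content: the statement that "the context specified with the context option is only retained if the context option is used on the next mount, and if the same context is specified" is right, and the closing paragraph would benefit from one sentence making the trade-off explicit: a context mount labels only that mount for one service, whereas turning on a Boolean grants the service access to everything labeled nfs_t, which is the coarser choice.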
Index: sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html 24 Nov
2008 22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html 24 Jan
2009 03:48:02 -0000 1.2
@@ -1,28 +1,28 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
NFS Mounts</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"
title="5.9.3. Mounting an NFS File System"/><link rel="next"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"
title="5.9.5. Making Context Mounts
Persistent"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>5.9.4. Multiple NFS
Mounts</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple
NFS Mounts</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
NFS Mounts</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"
title="5.9.3. Mounting an NFS File System"/><link rel="next"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"
title="5.9.5. Making Context Mounts Persistent"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple
NFS Mounts</h3></div></div></div><div
class="para">
When mounting multiple mounts from the same NFS export, attempting to override the
SELinux context of each mount with a different context, results in subsequent mount
commands failing. In the following example, the NFS server has a single export, <code
class="filename">/export</code>, which has two subdirectories, <code
class="filename">web/</code> and <code
class="filename">database/</code>. The following commands attempt two
mounts from a single NFS export, and try to override the context for each one:
- </p><pre class="screen">
+ </div><pre class="screen">
# mount server:/export/web /local/web -o\
context="system_u:object_r:httpd_sys_content_t:s0"
# mount server:/export/database /local/database -o\
context="system_u:object_r:mysqld_db_t:s0"
-</pre><p>
+</pre><div class="para">
The second mount command fails, and the following is logged to <code
class="filename">/var/log/messages</code>:
- </p><pre class="screen">
+ </div><pre class="screen">
kernel: SELinux: mount invalid. Same superblock, different security settings for (dev
0:15, type nfs)
-</pre><p>
+</pre><div class="para">
To mount multiple mounts from a single NFS export, with each mount having a different
context, use the <code class="option">-o nosharecache,context</code>
options. The following example mounts multiple mounts from a single NFS export, with a
different context for each mount (allowing a single service access to each one):
- </p><pre class="screen">
+ </div><pre class="screen">
# mount server:/export/web /local/web -o\
nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
# mount server:/export/database /local/database -o\
nosharecache,context="system_u:object_r:mysqld_db_t:s0"
-</pre><p>
+</pre><div class="para">
In this example, <code
class="computeroutput">server:/export/web</code> is mounted locally to
<code class="filename">/local/web/</code>, with all files being
labeled with the <code
class="computeroutput">httpd_sys_content_t</code> type, allowing Apache
HTTP Server access. <code
class="computeroutput">server:/export/database</code> is mounted
locally to <code class="filename">/local/database</code>, with all
files being labeled with the <code
class="computeroutput">mysqld_db_t</code> type, allowing MySQL access.
These type changes are not written to disk.
- </p><div
class="important"><h2>Important</h2><p>
+ </div><div
class="important"><h2>Important</h2><div
class="para">
The <code class="option">nosharecache</code> options allows
you to mount the same subdirectory of an export multiple times with different contexts
(for example, mounting <code class="filename">/export/web</code>
multiple times). Do not mount the same subdirectory from an export multiple times with
different contexts, as this creates an overlapping mount, where files are accessible under
two different contexts.
- </p></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Prev</strong>5.9.3. Mounting
an NFS File System</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Next</strong>5.9.5. Making
Context Mounts Persistent</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Prev</strong>5.9.3. Mounting
an NFS File System</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Next</strong>5.9.5. Making
Context Mounts Persistent</a></li></ul></body></html>
\ No newline at end of file
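Review bot: the Important admonition's context line still reads "The nosharecache options allows you to mount the same subdirectory", and since this hunk rewrites the wrapper of that very paragraph (</p> to </div>), the agreement fix to "The nosharecache option allows" belongs in the same change. The paired replacements are otherwise balanced: every "- </p>" has a matching "+ </div>", and the closing "</div></div></div>" before the docnav list matches the para, important and section divs opened above it. The substantive caveat in that box, that mounting the same subdirectory twice with different contexts leaves the files reachable under two labels, is unchanged, which is right; that sentence is the one a reader of this section must not lose.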
Index:
sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html 24
Nov 2008 22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html 24
Jan 2009 03:48:02 -0000 1.2
@@ -1,20 +1,20 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
for Permissive Domains</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"
title="7.3.4. Permissive Domains"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"
title="7.3.4. Permissive Domains"/><link rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"
title="7.3.5. Searching For and Viewing
Denials"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>7.3.4.2. Denials for
Permissive Domains</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p" href="sect-
Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains">7.3.4.2. Denials
for Permissive Domains</h4></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
for Permissive Domains</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"
title="7.3.4. Permissive Domains"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"
title="7.3.4. Permissive Domains"/><link rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"
title="7.3.5. Searching For and Viewing Denials"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="http://docs.fedor
aproject.org"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains">7.3.4.2. Denials
for Permissive Domains</h4></div></div></div><div
class="para">
The <code class="computeroutput">SYSCALL</code> message is
different for permissive domains. The following is an example AVC denial (and the
associated system call) from the Apache HTTP Server:
- </p><pre class="screen">
+ </div><pre class="screen">
type=AVC msg=audit(1226882736.442:86): avc: denied { getattr } for pid=2427
comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133
scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0
tclass=file
type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13
a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4
comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
-</pre><p>
+</pre><div class="para">
By default, the <code class="computeroutput">httpd_t</code>
domain is not permissive, and as such, the action is denied, and the <code
class="computeroutput">SYSCALL</code> message contains <code
class="computeroutput">success=no</code>. The following is an example
AVC denial for the same situation, except the <code
class="command">semanage permissive -a httpd_t</code> command has been
run to make the <code class="computeroutput">httpd_t</code> domain
permissive:
- </p><pre class="screen">
+ </div><pre class="screen">
type=AVC msg=audit(1226882925.714:136): avc: denied { read } for pid=2512
comm="httpd" name="file1" dev=dm-0 ino=284133
scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0
tclass=file
type=SYSCALL msg=audit(1226882925.714:136): arch=40000003 syscall=5 success=yes exit=11
a0=b962a1e8 a1=8000 a2=0 a3=8000 items=0 ppid=2511 pid=2512 auid=502 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
-</pre><p>
+</pre><div class="para">
In this case, although an AVC denial was logged, access was not denied, as shown by
<code class="computeroutput">success=yes</code> in the <code
class="computeroutput">SYSCALL</code> message.
- </p><p>
+ </div><div class="para">
Refer to Dan Walsh's <a
href="http://danwalsh.livejournal.com/24537.html">"Perm...
Domains"</a> blog entry for further information about permissive domains.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"><strong>Prev</strong>7.3.4. Permissive
Domains</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Next</strong>7.3.5. Searching
For and Viewing Denials</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html"><strong>Prev</strong>7.3.4. Permissive
Domains</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Next</strong>7.3.5. Searching
For and Viewing Denials</a></li></ul></body></html>
\ No newline at end of file
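Review bot: the context sentence "The following is an example AVC denial for the same situation" is loose, because the two audit records differ in what was denied: the first shows { getattr } with syscall=196 and success=no, the second { read } with syscall=5 and success=yes. Either pair records for the same access or say "a similar access", so the reader compares the success= field rather than the permission string. The rest of the hunk is the package version bump to 1.1-1, the header and image markup, and the </p> to <div class="para"> swap; the final "</div></div>" correctly closes the para and section divs in place of the old "</p></div>".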
Index: sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html 24
Nov 2008 22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html 24
Jan 2009 03:48:03 -0000 1.2
@@ -1,28 +1,28 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Contexts for Processes</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"
title="Chapter 3. SELinux Contexts"/><link rel="prev"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"
title="Chapter 3. SELinux Contexts"/><link rel="next"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"
title="3.3. SELinux Contexts for Users"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>3.2. SELinux Contexts for
Processes</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><stron
g>Prev</strong></a></li><li class="next"><a
accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux
Contexts for Processes</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Contexts for Processes</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"
title="Chapter 3. SELinux Contexts"/><link rel="prev"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"
title="Chapter 3. SELinux Contexts"/><link rel="next"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"
title="3.3. SELinux Contexts for Users"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/ima
ge_right.png" alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux
Contexts for Processes</h2></div></div></div><div
class="para">
Use the <code class="command">ps -eZ</code> command to view the
SELinux context for processes. For example:
- </p><div class="orderedlist"><ol><li><p>
- Open a terminal, such as <span
class="guimenu"><strong>Applications</strong></span> →
<span class="guisubmenu"><strong>System
Tools</strong></span> → <span
class="guimenuitem"><strong>Terminal</strong></span>.
- </p></li><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
+ Open a terminal, such as <span><strong
class="guimenu">Applications</strong></span> →
<span><strong class="guisubmenu">System
Tools</strong></span> → <span><strong
class="guimenuitem">Terminal</strong></span>.
+ </div></li><li><div class="para">
Run the <code class="command">/usr/bin/passwd</code> command.
Do not enter a new password.
- </p></li><li><p>
+ </div></li><li><div class="para">
Open a new tab, or another terminal, and run the <code
class="command">ps -eZ | grep passwd</code> command. The output is
similar to the following:
- </p><pre
class="screen">unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1
00:00:00 passwd
-</pre></li><li><p>
- In the first tab, press <strong
class="userinput"><code>Ctrl+C</code></strong> to cancel
the <span
class="application"><strong>passwd</strong></span>
application.
- </p></li></ol></div><p>
+ </div><pre
class="screen">unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1
00:00:00 passwd
+</pre></li><li><div class="para">
+ In the first tab, press <strong
class="userinput"><code>Ctrl+C</code></strong> to cancel
the <span><strong
class="application">passwd</strong></span> application.
+ </div></li></ol></div><div class="para">
In this example, when the <code
class="filename">/usr/bin/passwd</code> application (labeled with the
<code class="computeroutput">passwd_exec_t</code> type) is executed,
the user's shell process transitions to the <code
class="computeroutput">passwd_t</code> domain. Remember: the type
defines a domain for processes, and a type for files.
- </p><p>
- Use the <code class="command">ps -eZ</code> command to view the
SELinux contexts for running processes. The following is a limited example of the <code
class="command">ps -eZ</code> output, and may differ on your system:
- </p><pre class="screen">system_u:system_r:setroubleshootd_t:s0
1866 ? 00:00:08 setroubleshootd
+ </div><div class="para">
+ Use the <code class="command">ps -eZ</code> command to view the
SELinux contexts for running processes. The following is a limited example of the output,
and may differ on your system:
+ </div><pre class="screen">system_u:system_r:setroubleshootd_t:s0
1866 ? 00:00:08 setroubleshootd
system_u:system_r:dhcpc_t:s0 1869 ? 00:00:00 dhclient
system_u:system_r:sshd_t:s0-s0:c0.c1023 1882 ? 00:00:00 sshd
system_u:system_r:gpm_t:s0 1964 ? 00:00:00 gpm
system_u:system_r:crond_t:s0-s0:c0.c1023 1973 ? 00:00:00 crond
system_u:system_r:kerneloops_t:s0 1983 ? 00:00:05 kerneloops
system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ? 00:00:00 atd
-</pre><p>
+</pre><div class="para">
The <code class="computeroutput">system_r</code> role is used
for system processes, such as daemons. Type Enforcement then separates each domain.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Prev</strong>Chapter 3. SELinux
Contexts</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Next</strong>3.3. SELinux
Contexts for Users</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Prev</strong>Chapter 3. SELinux
Contexts</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Next</strong>3.3. SELinux
Contexts for Users</a></li></ul></body></html>
\ No newline at end of file
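Review bot: moving the class from <span class="guimenu"> to <strong class="guimenu"> (and likewise guisubmenu, guimenuitem and application) changes which element the stylesheet has to match; confirm that ./Common_Content/css/default.css selects strong.guimenu rather than span.guimenu, otherwise the menu path rendering silently loses its styling. Also, the rewritten paragraph "Use the ps -eZ command to view the SELinux contexts for running processes" still repeats the section's opening sentence; only "ps -eZ output" was shortened to "the output", so consider dropping the duplicate lead-in. The closing "</div></div>" before the docnav list balances the para and section divs.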
Index: sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html 24 Nov
2008 22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html 24 Jan
2009 03:48:03 -0000 1.2
@@ -1,9 +1,9 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Contexts for Users</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"
title="Chapter 3. SELinux Contexts"/><link rel="prev"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"
title="3.2. SELinux Contexts for Processes"/><link rel="next"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"
title="Chapter 4. Targeted Policy"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>3.3. SELinux Contexts for
Users</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contex
ts_for_Processes.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux
Contexts for Users</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Contexts for Users</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"
title="Chapter 3. SELinux Contexts"/><link rel="prev"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"
title="3.2. SELinux Contexts for Processes"/><link rel="next"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"
title="Chapter 4. Targeted Policy"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/i
mage_right.png" alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux
Contexts for Users</h2></div></div></div><div
class="para">
Use the <code class="command">id -Z</code> command to view the
SELinux context associated with your Linux user:
- </p><pre
class="screen">unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-</pre><p>
+ </div><pre
class="screen">unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+</pre><div class="para">
In Fedora 10, Linux users run unconfined by default. This SELinux context shows that
the Linux user is mapped to the SELinux <code
class="computeroutput">unconfined_u</code> user, running as the
<code class="computeroutput">unconfined_r</code> role, and is
running in the <code class="computeroutput">unconfined_t</code>
domain. <code class="computeroutput">s0-s0</code> is an MLS range,
which in this case, is the same as just <code
class="computeroutput">s0</code>. The categories the user has access to
is defined by <code class="computeroutput">c0.c1023</code>, which is
all categories (<code class="computeroutput">c0</code> through to
<code class="computeroutput">c1023</code>).
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Prev</strong>3.2. SELinux
Contexts for Processes</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Next</strong>Chapter 4. Targeted
Policy</a></li></ul></body></html>
\ No newline at end of file
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Prev</strong>3.2. SELinux
Contexts for Processes</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Next</strong>Chapter 4. Targeted
Policy</a></li></ul></body></html>
\ No newline at end of file
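Review bot: the context line "The categories the user has access to is defined by c0.c1023" needs "are defined by", and since the paragraph wrapper around it is replaced in this hunk, the fix fits here. The markup swap is balanced: "- </p><pre" becomes "+ </div><pre", and the final "</div></div>" closes the para and section divs. The explanation of the range is accurate for the context shown: s0-s0 is a single-level MLS range and c0.c1023 spans every category, as the text says.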
Index:
sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html 24
Nov 2008 22:43:12 -0000 1.1
+++
sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html 24
Jan 2009 03:48:03 -0000 1.2
@@ -1,114 +1,114 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Changes: semanage fcontext</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"
title="5.7. SELinux Contexts - Labeling Files"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"
title="5.7. SELinux Contexts - Labeling Files"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"
title="5.8. The file_t and default_t Types"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.7.2. Persistent Changes:
semanage fcontext</strong></a></p
<ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent
Changes: semanage fcontext</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Changes: semanage fcontext</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"
title="5.7. SELinux Contexts - Labeling Files"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"
title="5.7. SELinux Contexts - Labeling Files"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"
title="5.8. The file_t and default_t Types"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png"
alt="Product Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent
Changes: semanage fcontext</h3></div></div></div><div
class="para">
The <code class="command">/usr/sbin/semanage fcontext</code>
command changes the SELinux context for files. When using targeted policy, changes made
with this command are added to the <code
class="filename">/etc/selinux/targeted/contexts/files/file_contexts</code>
file if the changes are to files that exists in <code
class="filename">file_contexts</code>, or are added to <code
class="filename">file_contexts.local</code> for new files and
directories, such as creating a <code class="filename">/web/</code>
directory. <code class="command">setfiles</code>, which is used when
a file system is relabeled, and <code
class="command">/sbin/restorecon</code>, which restores the default
SELinux contexts, read these files. This means that changes made by <code
class="command">/usr/sbin/semanage fcontext</code> are persistent, even
if the file system is relabeled. SELinux policy controls whether users are able to modify
the SELinux context for any given file.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Quick_Reference">Quick
Reference</h5>
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Quick_Reference">Quick
Reference</h5>
To make SELinux context changes that survive a file system relabel:
- <div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
Run the <code class="command">/usr/sbin/semanage fcontext -a <em
class="replaceable"><code>options</code></em> <em
class="replaceable"><code>file-name</code></em>|<em
class="replaceable"><code>directory-name</code></em></code>
command, remembering to use the full path to the file or directory.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">/sbin/restorecon -v <em
class="replaceable"><code>file-name</code></em>|<em
class="replaceable"><code>directory-name</code></em></code>
command to apply the context changes.
- </p></li></ol></div><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Files_Type">Changing
a File's Type</h5>
+ </div></li></ol></div><div
class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Files_Type">Changing
a File's Type</h5>
The following example demonstrates changing a file's type, and no other
attributes of the SELinux context:
- <div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code class="command">touch
/etc/file1</code> command to create a new file. By default, newly-created files in
the <code class="filename">/etc/</code> directory are labeled with
the <code class="computeroutput">etc_t</code> type:
- </p><pre class="screen"># ls -Z /etc/file1
+ </div><pre class="screen"># ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/semanage fcontext -a -t samba_share_t
/etc/file1</code> command to change the <code
class="filename">file1</code> type to <code
class="computeroutput">samba_share_t</code>. The <code
class="option">-a</code> option adds a new record, and the <code
class="option">-t</code> option defines a type (<code
class="computeroutput">samba_share_t</code>). Note: running this
command does not directly change the type - <code
class="filename">file1</code> is still labeled with the <code
class="computeroutput">etc_t</code> type:
- </p><pre class="screen"># /usr/sbin/semanage fcontext -a -t
samba_share_t /etc/file1
+ </div><pre class="screen"># /usr/sbin/semanage fcontext -a -t
samba_share_t /etc/file1
# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
-</pre><p>
+</pre><div class="para">
The <code class="command">/usr/sbin/semanage fcontext -a -t
samba_share_t /etc/file1</code> command adds the following entry to <code
class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
- </p><pre class="screen">/etc/file1
unconfined_u:object_r:samba_share_t:s0
-</pre></li><li><p>
+ </div><pre class="screen">/etc/file1
unconfined_u:object_r:samba_share_t:s0
+</pre></li><li><div class="para">
As the Linux root user, run the <code
class="command">/sbin/restorecon -v /etc/file1</code> command to change
the type. Since the <code class="command">semanage</code> command
added an entry to <code class="filename">file.contexts.local</code>
for <code class="filename">/etc/file1</code>, the <code
class="command">/sbin/restorecon</code> command changes the type to
<code class="computeroutput">samba_share_t</code>:
- </p><pre class="screen"># /sbin/restorecon -v /etc/file1
+ </div><pre class="screen"># /sbin/restorecon -v /etc/file1
restorecon reset /etc/file1 context
unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">rm -i
/etc/file1</code> command to remove <code
class="filename">file1</code>.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/semanage fcontext -d /etc/file1</code>
command to remove the context added for <code
class="filename">/etc/file1</code>. When the context is removed,
running <code class="command">restorecon</code> changes the type to
<code class="computeroutput">etc_t</code>, rather than <code
class="computeroutput">samba_share_t</code>.
- </p></li></ol></div><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directorys_Type">Changing
a Directory's Type</h5>
+ </div></li></ol></div><div
class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directorys_Type">Changing
a Directory's Type</h5>
The following example demonstrates creating a new directory and changing that
directory's file type, to a type used by Apache HTTP Server:
- <div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code class="command">mkdir
/web</code> command to create a new directory. This directory is labeled with the
<code class="computeroutput">default_t</code> type:
- </p><pre class="screen"># ls -dZ /web
+ </div><pre class="screen"># ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
-</pre><p>
+</pre><div class="para">
The <code class="command">ls</code> <code
class="option">-d</code> option makes <code
class="command">ls</code> list information about a directory, rather
than its contents, and the <code class="option">-Z</code> option
makes <code class="command">ls</code> display the SELinux context
(in this example, <code
class="computeroutput">unconfined_u:object_r:default_t:s0</code>).
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t
/web</code> command to change the <code
class="filename">/web/</code> type to <code
class="computeroutput">httpd_sys_content_t</code>. The <code
class="option">-a</code> option adds a new record, and the <code
class="option">-t</code> option defines a type (<code
class="computeroutput">httpd_sys_content_t</code>). Note: running this
command does not directly change the type - <code
class="filename">/web/</code> is still labeled with the <code
class="computeroutput">default_t</code> type:
- </p><pre class="screen"># /usr/sbin/semanage fcontext -a -t
httpd_sys_content_t /web
+ </div><pre class="screen"># /usr/sbin/semanage fcontext -a -t
httpd_sys_content_t /web
# ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
-</pre><p>
+</pre><div class="para">
The <code class="command">/usr/sbin/semanage fcontext -a -t
httpd_sys_content_t /web</code> command adds the following entry to <code
class="command">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
- </p><pre class="screen">/web
unconfined_u:object_r:httpd_sys_content_t:s0
-</pre></li><li><p>
+ </div><pre class="screen">/web
unconfined_u:object_r:httpd_sys_content_t:s0
+</pre></li><li><div class="para">
As the Linux root user, run the <code
class="command">/sbin/restorecon -v /web</code> command to change the
type. Since the <code class="command">semanage</code> command added
an entry to <code class="filename">file.contexts.local</code> for
<code class="filename">/web</code>, the <code
class="command">/sbin/restorecon</code> command changes the type to
<code class="computeroutput">httpd_sys_content_t</code>:
- </p><pre class="screen"># /sbin/restorecon -v /web
+ </div><pre class="screen"># /sbin/restorecon -v /web
restorecon reset /web context
unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
-</pre><p>
+</pre><div class="para">
By default, newly-created files and directories inherit the SELinux type of their
parent folders. When using this example, and before removing the SELinux context added for
<code class="filename">/web/</code>, files and directories created
in the <code class="filename">/web/</code> directory are labeled
with the <code class="computeroutput">httpd_sys_content_t</code>
type.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/semanage fcontext -d /web</code> command to
remove the context added for <code class="filename">/web/</code>.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code
class="command">/sbin/restorecon -v /web</code> command to restore the
default SELinux context.
- </p></li></ol></div><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directory_and_its_Contents_Types">Changing
a Directory and its Contents Types</h5>
+ </div></li></ol></div><div
class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directory_and_its_Contents_Types">Changing
a Directory and its Contents Types</h5>
The following example demonstrates creating a new directory, and changing the
directory's file type (along with its contents) to a type used by Apache HTTP Server.
The configuration in this example is used if you want Apache HTTP Server to use a
different document root (instead of <code
class="filename">/var/www/html/</code>):
- <div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code class="command">mkdir
/web</code> command to create a new directory, and then the <code
class="command">touch /web/file{1,2,3}</code> command to create 3 empty
files (<code class="filename">file1</code>, <code
class="filename">file2</code>, and <code
class="filename">file3</code>). The <code
class="filename">/web/</code> directory and files in it are labeled
with the <code class="computeroutput">default_t</code> type:
- </p><pre class="screen"># ls -dZ /web
+ </div><pre class="screen"># ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t
"/web(/.*)?"</code> command to change the type of the <code
class="filename">/web/</code> directory and the files in it, to
<code class="computeroutput">httpd_sys_content_t</code>. The
<code class="option">-a</code> option adds a new record, and the
<code class="option">-t</code> option defines a type
(httpd_sys_content_t). The <code
class="computeroutput">"/web(/.*)?"</code> regular expression
causes the <code class="command">semanage</code> command to apply
changes to the <code class="filename">/web/</code> directory, as
well as the files in it. Note: running this command does not directly change the type -
<code class="filename">/web/</code> and files in it are still
labeled with the <code class="computeroutput">default_t</code>
type:
- </p><pre class="screen"># ls -dZ /web
+ </div><pre class="screen"># ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
-</pre><p>
- The <code class="command">/usr/sbin/semanage fcontext -a -t
httpd_sys_content_t "/web(/.*)?"</code> adds the following entry to
<code
class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
- </p><pre class="screen">/web(/.*)?
system_u:object_r:httpd_sys_content_t:s0
-</pre></li><li><p>
+</pre><div class="para">
+ The <code class="command">/usr/sbin/semanage fcontext -a -t
httpd_sys_content_t "/web(/.*)?"</code> command adds the following entry
to <code
class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
+ </div><pre class="screen">/web(/.*)?
system_u:object_r:httpd_sys_content_t:s0
+</pre></li><li><div class="para">
As the Linux root user, run the <code
class="command">/sbin/restorecon -R -v /web</code> command to change
the type of the <code class="filename">/web/</code> directory, as
well as all files in it. The <code class="option">-R</code> is for
recursive, which means all files and directories under the <code
class="filename">/web/</code> directory are labeled with the <code
class="computeroutput">httpd_sys_content_t</code> type. Since the
<code class="command">semanage</code> command added an entry to
<code class="filename">file.contexts.local</code> for <code
class="computeroutput">/web(/.*)?</code>, the <code
class="command">/sbin/restorecon</code> command changes the types to
<code class="computeroutput">httpd_sys_content_t</code>:
- </p><pre class="screen"># /sbin/restorecon -R -v /web
+ </div><pre class="screen"># /sbin/restorecon -R -v /web
restorecon reset /web context
unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context
unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context
unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context
unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
-</pre><p>
+</pre><div class="para">
By default, newly-created files and directories inherit the SELinux type of their
parents. In this example, files and directories created in the <code
class="filename">/web/</code> directory will be labeled with the
<code class="computeroutput">httpd_sys_content_t</code> type.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/semanage fcontext -d
"/web(/.*)?"</code> command to remove the context added for <code
class="computeroutput">"/web(/.*)?"</code>.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code
class="command">/sbin/restorecon -R -v /web</code> command to restore
the default SELinux contexts.
- </p></li></ol></div><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Deleting_an_added_Context">Deleting
an added Context</h5>
+ </div></li></ol></div><div
class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Deleting_an_added_Context">Deleting
an added Context</h5>
The following example demonstrates adding and removing an SELinux context:
- <div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t
/test</code> command. The <code class="filename">/test/</code>
directory does not have to exist. This command adds the following context to <code
class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
- </p><pre class="screen">/test
system_u:object_r:httpd_sys_content_t:s0
-</pre></li><li><p>
+ </div><pre class="screen">/test
system_u:object_r:httpd_sys_content_t:s0
+</pre></li><li><div class="para">
To remove the context, as the Linux root user, run the <code
class="command">/usr/sbin/semanage fcontext -d <em
class="replaceable"><code>file-name</code></em>|<em
class="replaceable"><code>directory-name</code></em></code>
command, where <em
class="replaceable"><code>file-name</code></em>|<em
class="replaceable"><code>directory-name</code></em> is the
first part in <code class="filename">file_contexts.local</code>. The
following is an example of a context in <code
class="filename">file_contexts.local</code>:
- </p><pre class="screen">/test
system_u:object_r:httpd_sys_content_t:s0
-</pre><p>
+ </div><pre class="screen">/test
system_u:object_r:httpd_sys_content_t:s0
+</pre><div class="para">
With the first part being <code
class="computeroutput">/test</code>. To prevent the <code
class="filename">/test/</code> directory from being labeled with the
<code class="computeroutput">httpd_sys_content_t</code> after
running <code class="command">/sbin/restorecon</code>, or after a
file system relabel, run the following command as the Linux root user to delete the
context from <code class="filename">file_contexts.local</code>:
- </p><p>
+ </div><div class="para">
<code class="command">/usr/sbin/semanage fcontext -d
/test</code>
- </p></li></ol></div><p>
+ </div></li></ol></div><div class="para">
If the context is part of a regular expression, for example, <code
class="computeroutput">/web(/.*)?</code>, use quotation marks around
the regular expression:
- </p><p>
+ </div><div class="para">
<code class="command">/usr/sbin/semanage fcontext -d
"/web(/.*)?"</code>
- </p><p>
+ </div><div class="para">
Refer to the <span class="citerefentry"><span
class="refentrytitle">semanage</span>(8)</span> manual page for
further information about <code
class="command">/usr/sbin/semanage</code>.
- </p><div
class="important"><h2>Important</h2><p>
+ </div><div
class="important"><h2>Important</h2><div
class="para">
When changing the SELinux context with <code
class="command">/usr/sbin/semanage fcontext -a</code>, use the full
path to the file or directory to avoid files being mislabeled after a file system relabel,
or after the <code class="command">/sbin/restorecon</code> command
is run.
- </p></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Prev</strong>5.7. SELinux
Contexts - Labeling Files</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Next</strong>5.8. The
file_t and default_t Types</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Prev</strong>5.7. SELinux
Contexts - Labeling Files</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Next</strong>5.8. The
file_t and default_t Types</a></li></ul></body></html>
\ No newline at end of file
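Review bot: the three restorecon steps in this hunk (for /etc/file1, /web and /web(/.*)?) still say the semanage command "added an entry to file.contexts.local", while every `<pre>` block and the neighbouring sentences use the real path `file_contexts.local`; since the hunk already rewrites those paragraphs to `<div class="para">`, fix the name in the DocBook source so the regenerated HTML is consistent. Two smaller points in the same hunk: the /web example marks `/etc/selinux/targeted/contexts/files/file_contexts.local` with `class="command"` where the other examples use `class="filename"`, and the file_contexts.local entries shown for /etc/file1 and /web read `unconfined_u:object_r:...` while the later /web(/.*)? and /test entries read `system_u:object_r:...`, which matches the `->system_u:object_r:...` target in every restorecon reset line on the page; the first two entries should show `system_u` as well.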
Index: sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html 24 Nov
2008 22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html 24 Jan
2009 03:48:03 -0000 1.2
@@ -1,40 +1,40 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
and Unconfined Users</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"
title="Chapter 4. Targeted Policy"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"
title="4.2. Unconfined Processes"/><link rel="next"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>4.3. Confined and
Unconfined Users</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.h
tml"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined
and Unconfined Users</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
and Unconfined Users</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"
title="Chapter 4. Targeted Policy"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"
title="4.2. Unconfined Processes"/><link rel="next"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right
.png" alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined
and Unconfined Users</h2></div></div></div><div
class="para">
Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux
users to inherit the restrictions on SELinux users. This Linux user mapping is seen by
running the <code class="command">semanage login -l</code> command
as the Linux root user:
- </p><pre class="screen"># /usr/sbin/semanage login -l
+ </div><pre class="screen"># /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
-</pre><p>
+</pre><div class="para">
In Fedora 10, Linux users are mapped to the SELinux <code
class="computeroutput">__default__</code> login by default (which is
mapped to the SELinux <code
class="computeroutput">unconfined_u</code> user). The following defines
the default-mapping:
- </p><pre class="screen">__default__ unconfined_u
s0-s0:c0.c1023
-</pre><p>
- The following example demonstrates adding a new Linux user, and that Linux user being
mapped to the SELinux unconfined_u user. It assumes that the Linux root user is running
unconfined, as it does by default in Fedora 10:
- </p><div class="orderedlist"><ol><li><p>
+ </div><pre class="screen">__default__ unconfined_u
s0-s0:c0.c1023
+</pre><div class="para">
+ The following example demonstrates adding a new Linux user, and that Linux user being
mapped to the SELinux <code
class="computeroutput">unconfined_u</code> user. It assumes that the
Linux root user is running unconfined, as it does by default in Fedora 10:
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/useradd newuser</code> command to create a
new Linux user named newuser.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code class="command">passwd
newuser</code> command to assign a password to the Linux newuser user:
- </p><pre class="screen"># passwd newuser
+ </div><pre class="screen"># passwd newuser
Changing password for user newuser.
New UNIX password: <em class="replaceable"><code>Enter a
password</code></em>
Retype new UNIX password: <em class="replaceable"><code>Enter the
same password again</code></em>
passwd: all authentication tokens updated successfully.
-</pre></li><li><p>
- Log out of your current session, and log in as the Linux newuser user. When you log
in, pam_selinux maps the Linux user to an SELinux user (in this case, unconfined_u), and
sets up the resulting SELinux context. The Linux user's shell is then launched with
this context. Run the <code class="command">id -Z</code> command to
view the context for a Linux user:
- </p><pre class="screen">[newuser@localhost ~]$ id -Z
+</pre></li><li><div class="para">
+ Log out of your current session, and log in as the Linux newuser user. When you log
in, pam_selinux maps the Linux user to an SELinux user (in this case, unconfined_u), and
sets up the resulting SELinux context. The Linux user's shell is then launched with
this context. Run the <code class="command">id -Z</code> command to
view the context of a Linux user:
+ </div><pre class="screen">[newuser@localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-</pre></li><li><p>
- Log out of the Linux newuser's session, and log in with your account. If you do
not want the Linux newuser user, as the Linux root user, run the <code
class="command">/usr/sbin/userdel -r newuser</code> command to remove
it, along with the Linux newuser's home directory.
- </p></li></ol></div><p>
+</pre></li><li><div class="para">
+ Log out of the Linux newuser's session, and log in with your account. If you do
not want the Linux newuser user, run the <code
class="command">/usr/sbin/userdel -r newuser</code> command as the
Linux root user to remove it, along with the Linux newuser's home directory.
+ </div></li></ol></div><div class="para">
Confined and unconfined Linux users are subject to executable and writeable memory
checks, and are also restricted by MCS (and MLS, if the MLS policy is used). If unconfined
Linux users execute an application that SELinux policy defines can transition from the
<code class="computeroutput">unconfined_t</code> domain to its own
confined domain, unconfined Linux users are still subject to the restrictions of that
confined domain. The security benefit of this is that, even though a Linux user is running
unconfined, the application remains confined, and therefore, the exploitation of a flaw in
the application can be limited by policy. Note: this does not protect the system from the
user. Instead, the user and the system are being protected from possible damage caused by
a flaw in the application.
- </p><p>
+ </div><div class="para">
The following confined SELinux users are available in Fedora 10:
- </p><div class="table"
id="tabl-Security-Enhanced_Linux-Confined_and_Unconfined_Users-SELinux_User_Capabilities"><div
class="table-contents"><table summary="SELinux User
Capabilities"
border="1"><colgroup><col/><col/><col/><col/><col/><col/></colgroup><thead><tr><th>
+ </div><div class="table"
id="tabl-Security-Enhanced_Linux-Confined_and_Unconfined_Users-SELinux_User_Capabilities"><div
class="table-contents"><table summary="SELinux User
Capabilities"
border="1"><colgroup><col/><col/><col/><col/><col/><col/></colgroup><thead><tr><th>
User
</th><th>
Domain
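Review bot: the regenerated header now emits `<body class="">` with an empty class attribute (the same appears on every page in this commit); it is valid XHTML but noise, and the publican template should drop the attribute when it has no value. One consistency point in the prose: the sentence "This Linux user mapping is seen by running the semanage login -l command" uses the bare command name, while the `<pre>` directly below it and the rest of the guide use the full path `/usr/sbin/semanage`; align the sentence with the screen output.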
@@ -55,7 +55,7 @@
</td><td align="center">
no
</td><td align="center">
- no
+ optional
</td><td align="center">
no
</td></tr><tr><td>
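Review bot: the cell changed from `no` to `optional` without anything in the table saying what makes it optional; next to the plain `yes`/`no` cells the word reads as undefined. Table 4.1 should carry a footnote, or the column header a cross-reference, naming the Boolean mechanism an administrator toggles to turn it on. The same applies to the other rows switched to `optional` further down in this file.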
@@ -67,9 +67,9 @@
</td><td align="center">
no
</td><td align="center">
- no
+ optional
</td><td align="center">
- only <span
class="application"><strong>Firefox</strong></span>
+ only <span><strong
class="application">Firefox</strong></span>
</td></tr><tr><td>
user_u
</td><td>
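Review bot: moving `class="application"` from the `<span>` onto the `<strong>` leaves an attribute-less `<span>` wrapper around `Firefox` that serves no purpose; either keep the class on the span (the original form) or emit `<strong class="application">Firefox</strong>` on its own. The same pattern recurs in the xguest_t bullet later in this file.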
@@ -79,7 +79,7 @@
</td><td align="center">
no
</td><td align="center">
- no
+ optional
</td><td align="center">
yes
</td></tr><tr><td>
@@ -91,19 +91,21 @@
</td><td align="center">
only <code class="command">sudo</code>
</td><td align="center">
- yes
+ optional
</td><td align="center">
yes
- </td></tr></tbody></table></div><h6>Table 4.1. SELinux
User Capabilities</h6></div><br class="table-break"/><div
class="itemizedlist"><ul><li><p>
+ </td></tr></tbody></table></div><h6>Table 4.1. SELinux
User Capabilities</h6></div><br class="table-break"/><div
class="itemizedlist"><ul><li><div class="para">
Linux users in the <code
class="computeroutput">guest_t</code>, <code
class="computeroutput">xguest_t</code>, and <code
class="computeroutput">user_t</code> domains can only run set user ID
(setuid) applications if SELinux policy permits it (such as <code
class="command">passwd</code>). They can not run the <code
class="command">su</code> and <code
class="command">/usr/bin/sudo</code> setuid applications, and
therefore, can not use these applications to become the Linux root user.
- </p></li><li><p>
+ </div></li><li><div class="para">
Linux users in the <code class="computeroutput">guest_t</code>
domain have no network access, and can only log in via a terminal (including <code
class="systemitem">ssh</code>; they can log in via <code
class="systemitem">ssh</code>, but can not use <code
class="systemitem">ssh</code> to connect to another system).
- </p></li><li><p>
- The only network access Linux users in the <code
class="computeroutput">xguest_t</code> domain have is <span
class="application"><strong>Firefox</strong></span>
connecting to web pages.
- </p></li><li><p>
- By default, Linux users in the <code
class="computeroutput">guest_t</code>, <code
class="computeroutput">xguest_t</code>, and <code
class="computeroutput">user_t</code> domains can not execute
applications in their home directories or <code
class="filename">/tmp/</code>, preventing them from executing
applications (which inherit users' permissions) in directories that they have write
access to. This prevents flawed or malicious applications from modifying files users'
own.
- </p></li><li><p>
+ </div></li><li><div class="para">
+ The only network access Linux users in the <code
class="computeroutput">xguest_t</code> domain have is
<span><strong
class="application">Firefox</strong></span> connecting to web
pages.
+ </div></li><li><div class="para">
Linux users in the <code
class="computeroutput">xguest_t</code>, <code
class="computeroutput">user_t</code> and <code
class="computeroutput">staff_t</code> domains can log in via the X
Window System and a terminal.
- </p></li><li><p>
+ </div></li><li><div class="para">
By default, Linux users in the <code
class="computeroutput">staff_t</code> domain do not have permissions to
execute applications with <code
class="command">/usr/bin/sudo</code>. These permissions must be
configured by an administrator.
- </p></li></ul></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"><strong>Prev</strong>4.2. Unconfined
Processes</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Next</strong>Chapter 5. Working
with SELinux</a></li></ul></body></html>
\ No newline at end of file
+ </div></li></ul></div><div class="para">
+ By default, Linux users in the <code
class="computeroutput">guest_t</code> and <code
class="computeroutput">xguest_t</code> domains can not execute
applications in their home directories or <code
class="filename">/tmp/</code>, preventing them from executing
applications (which inherit users' permissions) in directories they have write access
to. This helps prevent flawed or malicious applications from modifying files users'
own.
+ </div><div class="para">
+ By default, Linux users in the <code
class="computeroutput">user_t</code> and <code
class="computeroutput">staff_t</code> domains can execute applications
in their home directories and <code class="filename">/tmp/</code>.
Refer to <a
href="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications.html"
title="6.6. Booleans for Users Executing Applications">Section 6.6, “Booleans
for Users Executing Applications”</a> for information about allowing and preventing
users from executing applications in their home directories and <code
class="filename">/tmp/</code>.
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"><strong>Prev</strong>4.2. Unconfined
Processes</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Next</strong>Chapter 5. Working
with SELinux</a></li></ul></body></html>
\ No newline at end of file
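Review bot: the new paragraph added after the list carries over the typo from the bullet it replaces: "modifying files users' own" should be "modifying files users own" (no apostrophe). Also note the change of substance here: the removed bullet listed `user_t` among the domains that cannot execute applications from their home directory or /tmp/, while the new paragraph puts `user_t` with `staff_t` in the "can execute by default" group; worth confirming this is an intentional correction of the Fedora 10 default, and since Table 4.1 above now says `optional` for all four rows, the text is the only place the reader learns which default applies, so the pointer to Section 6.6, "Booleans for Users Executing Applications", is the right addition and the table should reference it too.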
Index: sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html 24 Nov 2008
22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html 24 Jan 2009
03:48:03 -0000 1.2
@@ -1,56 +1,58 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Processes</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"
title="Chapter 4. Targeted Policy"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"
title="Chapter 4. Targeted Policy"/><link rel="next"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"
title="4.3. Confined and Unconfined Users"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>4.2. Unconfined
Processes</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Prev</strong></a><
/li><li class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined
Processes</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Processes</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"
title="Chapter 4. Targeted Policy"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"
title="Chapter 4. Targeted Policy"/><link rel="next"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"
title="4.3. Confined and Unconfined Users"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.
png" alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined
Processes</h2></div></div></div><div
class="para">
Unconfined processes run in unconfined domains, for example, init programs run in the
unconfined <code class="computeroutput">initrc_t</code> domain,
unconfined kernel processes run in the <code
class="computeroutput">kernel_t</code> domain, and unconfined Linux
users run in the <code class="computeroutput">unconfined_t</code>
domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist
that allow processes running in unconfined domains almost all access. Processes running in
unconfined domains fall back to using DAC rules exclusively. If an unconfined process is
compromised, SELinux does not prevent an attacker from gaining access to system resources
and data, but of course, DAC rules are still used. SELinux is a security enhancement on
top of DAC rules - it does not replace them.
- </p><p>
+ </div><div class="para">
The following example demonstrates how the Apache HTTP Server (<code
class="systemitem">httpd</code>) can access data intended for use by
Samba, when running unconfined. Note: in Fedora 10, the <code
class="systemitem">httpd</code> process runs in the confined <code
class="computeroutput">httpd_t</code> domain by default. This is an
example, and should not be used in production. It assumes that the <span
class="package">httpd</span>, <span
class="package">wget</span>, <span
class="package">setroubleshoot-server</span>, and <span
class="package">audit</span> packages are installed, that the SELinux
targeted policy is used, and that SELinux is running in enforcing mode:
- </p><div class="orderedlist"><ol><li><p>
- Run the <code class="command">/usr/sbin/sestatus</code>
command to confirm that SELinux is enabled, is running in enforcing mode, and that
targeted policy is being used:
- </p><pre class="screen">SELinux status:
enabled
+ </div><div class="orderedlist"><ol><li><div
class="para">
+ Run the <code class="command">sestatus</code> command to
confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is
being used:
+ </div><pre class="screen">
+$ /usr/sbin/sestatus
+SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted
-</pre><p>
+</pre><div class="para">
<code class="computeroutput">SELinux status: enabled</code> is
returned when SELinux is enabled. <code class="computeroutput">Current
mode: enforcing</code> is returned when SELinux is running in enforcing mode.
<code class="computeroutput">Policy from config file:
targeted</code> is returned when the SELinux targeted policy is used.
- </p></li><li><p>
+ </div></li><li><div class="para">
As the Linux root user, run the <code class="command">touch
/var/www/html/test2file</code> command to create a file.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">ls -Z
/var/www/html/test2file</code> command to view the SELinux context:
- </p><pre class="screen">-rw-r--r-- root root
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
-</pre><p>
- By default, Linux users run unconfined in Fedora 10, which is why the <code
class="filename">test2file</code> file is labeled with the SELinux
<code class="computeroutput">unconfined_u</code> user. RBAC is used
for processes, not files. Roles do not have a meaning for files - the <code
class="computeroutput">object_r</code> role is a generic role used for
files (on persistent storage and network file systems). Under the <code
class="filename">/proc/</code> directory, files related to processes
may use the <code class="computeroutput">system_r</code>
role.<sup>[<a id="d0e1469" href="#ftn.d0e1469"
class="footnote">7</a>]</sup> The <code
class="computeroutput">httpd_sys_content_t</code> type allows the
<code class="systemitem">httpd</code> process to access this file.
- </p></li><li><p>
- The <code class="command">/usr/bin/chcon</code> command
relabels files; however, such label changes do not survive when the file system is
relabeled. For permanent changes that survive a file system relabel, use the <code
class="command">semanage</code> command, which is discussed later. As
the Linux root user, run the following command to change the type to a type used by
Samba:
- </p><p>
- <code class="command">/usr/bin/chcon -t samba_share_t
/var/www/html/test2file</code>
- </p><p>
+ </div><pre class="screen">-rw-r--r-- root root
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
+</pre><div class="para">
+ By default, Linux users run unconfined in Fedora 10, which is why the <code
class="filename">test2file</code> file is labeled with the SELinux
<code class="computeroutput">unconfined_u</code> user. RBAC is used
for processes, not files. Roles do not have a meaning for files - the <code
class="computeroutput">object_r</code> role is a generic role used for
files (on persistent storage and network file systems). Under the <code
class="filename">/proc/</code> directory, files related to processes
may use the <code class="computeroutput">system_r</code>
role.<sup>[<a id="d0e1463"
href="#ftn.d0e1463">7</a>]</sup> The <code
class="computeroutput">httpd_sys_content_t</code> type allows the
<code class="systemitem">httpd</code> process to access this file.
+ </div></li><li><div class="para">
+ The <code class="command">chcon</code> command relabels files;
however, such label changes do not survive when the file system is relabeled. For
permanent changes that survive a file system relabel, use the <code
class="command">semanage</code> command, which is discussed later. As
the Linux root user, run the following command to change the type to a type used by
Samba:
+ </div><div class="para">
+ <code class="command">chcon -t samba_share_t
/var/www/html/test2file</code>
+ </div><div class="para">
Run the <code class="command">ls -Z
/var/www/html/test2file</code> command to view the changes:
- </p><pre class="screen">-rw-r--r-- root root
unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file
-</pre></li><li><p>
- Run the <code class="command">/sbin/service httpd
status</code> command to confirm that the <code
class="systemitem">httpd</code> process is not running:
- </p><pre class="screen">$ /sbin/service httpd status
+ </div><pre class="screen">-rw-r--r-- root root
unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file
+</pre></li><li><div class="para">
+ Run the <code class="command">service httpd status</code>
command to confirm that the <code class="systemitem">httpd</code>
process is not running:
+ </div><pre class="screen">$ /sbin/service httpd status
httpd is stopped
-</pre><p>
- If the output differs, run the <code class="command">/sbin/service
httpd stop</code> command as the Linux root user to stop the <code
class="systemitem">httpd</code> process:
- </p><pre class="screen"># /sbin/service httpd stop
+</pre><div class="para">
+ If the output differs, run the <code class="command">service httpd
stop</code> command as the Linux root user to stop the <code
class="systemitem">httpd</code> process:
+ </div><pre class="screen"># /sbin/service httpd stop
Stopping httpd: [ OK ]
-</pre></li><li><p>
+</pre></li><li><div class="para">
To make the <code class="systemitem">httpd</code> process run
unconfined, run the following command as the Linux root user to change the type of
<code class="filename">/usr/sbin/httpd</code>, to a type that does
not transition to a confined domain:
- </p><p>
- <code class="command">/usr/bin/chcon -t unconfined_exec_t
/usr/sbin/httpd</code>
- </p></li><li><p>
+ </div><div class="para">
+ <code class="command">chcon -t unconfined_exec_t
/usr/sbin/httpd</code>
+ </div></li><li><div class="para">
Run the <code class="command">ls -Z /usr/sbin/httpd</code>
command to confirm that <code
class="filename">/usr/sbin/httpd</code> is labeled with the <code
class="computeroutput">unconfined_exec_t</code> type:
- </p><pre class="screen">-rwxr-xr-x root root
system_u:object_r:unconfined_exec_t /usr/sbin/httpd
-</pre></li><li><p>
- As the Linux root user, run the <code class="command">/sbin/service
httpd start</code> command to start the <code
class="systemitem">httpd</code> process. The output is as follows if
<code class="systemitem">httpd</code> starts successfully:
- </p><pre class="screen"># /sbin/service httpd start
+ </div><pre class="screen">-rwxr-xr-x root root
system_u:object_r:unconfined_exec_t /usr/sbin/httpd
+</pre></li><li><div class="para">
+ As the Linux root user, run the <code class="command">service httpd
start</code> command to start the <code
class="systemitem">httpd</code> process. The output is as follows if
<code class="systemitem">httpd</code> starts successfully:
+ </div><pre class="screen"># /sbin/service httpd start
Starting httpd: [ OK ]
-</pre></li><li><p>
+</pre></li><li><div class="para">
Run the <code class="command">ps -eZ | grep httpd</code>
command to view the <code class="systemitem">httpd</code> running in
the <code class="computeroutput">unconfined_t</code> domain:
- </p><pre class="screen">$ ps -eZ | grep httpd
+ </div><pre class="screen">$ ps -eZ | grep httpd
unconfined_u:system_r:unconfined_t <em
class="replaceable"><code>7721</code></em> ? 00:00:00
httpd
unconfined_u:system_r:unconfined_t <em
class="replaceable"><code>7723</code></em> ? 00:00:00
httpd
unconfined_u:system_r:unconfined_t <em
class="replaceable"><code>7724</code></em> ? 00:00:00
httpd
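Review bot: the `ls -Z /usr/sbin/httpd` transcript in this hunk (`-rwxr-xr-x root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd`) omits the `:s0` level field that every other `ls -Z` line in the same procedure carries (for example `unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file`), which suggests it was re-typed or captured on a different system; regenerate it so readers comparing their own output are not misled. Separately, the prose now says `sestatus`, `chcon` and `service` without paths while the transcripts still show `$ /usr/sbin/sestatus` and `# /sbin/service httpd stop`; pick one convention, and prefer the full-path form a reader can paste regardless of their PATH.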
@@ -60,9 +62,9 @@
unconfined_u:system_r:unconfined_t <em
class="replaceable"><code>7728</code></em> ? 00:00:00
httpd
unconfined_u:system_r:unconfined_t <em
class="replaceable"><code>7729</code></em> ? 00:00:00
httpd
unconfined_u:system_r:unconfined_t <em
class="replaceable"><code>7730</code></em> ? 00:00:00
httpd
-</pre></li><li><p>
- Change into a directory where your Linux user has write access to, and run the
<code class="command">wget
http://localhost/test2file</code>
command. Unless there are any changes to the default configuration, this command
succeeds:
- </p><pre class="screen">--2008-09-07 01:41:10--
http://localhost/test2file
+</pre></li><li><div class="para">
+ Change into a directory where your Linux user has write access to, and run the
<code class="command">wget
http://localhost/test2file</code>
command. Unless there are changes to the default configuration, this command succeeds:
+ </div><pre class="screen">--2008-09-07 01:41:10--
http://localhost/test2file
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
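Review bot: the reworded `+` line still reads "Change into a directory where your Linux user has write access to", leaving a dangling "to"; suggest "Change into a directory to which your Linux user has write access". Also, the unchanged transcript below it ends with `test2file.1' saved [0/0]`, so it was captured on a second run in a directory that already held `test2file`; a first-time reader will see `test2file` instead, so either re-capture or mention that the name differs on a clean run.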
@@ -72,19 +74,19 @@
[ <=> ]--.-K/s in 0s
2008-09-07 01:41:10 (0.00 B/s) - `test2file.1' saved [0/0]
-</pre><p>
+</pre><div class="para">
Although the <code class="systemitem">httpd</code> process
does not have access to files labeled with the <code
class="computeroutput">samba_share_t</code> type, <code
class="systemitem">httpd</code> is running in the unconfined <code
class="computeroutput">unconfined_t</code> domain, and falls back to
using DAC rules, and as such, the <code class="command">wget</code>
command succeeds. Had <code class="systemitem">httpd</code> been
running in the confined <code class="computeroutput">httpd_t</code>
domain, the <code class="command">wget</code> command would have
failed.
- </p></li><li><p>
- The <code class="command">/sbin/restorecon</code> command
restores the default SELinux context for files. As the Linux root user, run the <code
class="command">restorecon -v /usr/sbin/httpd</code> command to restore
the default SELinux context for <code
class="filename">/usr/sbin/httpd</code>:
- </p><pre class="screen"># restorecon -v /usr/sbin/httpd
+ </div></li><li><div class="para">
+ The <code class="command">restorecon</code> command restores
the default SELinux context for files. As the Linux root user, run the <code
class="command">restorecon -v /usr/sbin/httpd</code> command to restore
the default SELinux context for <code
class="filename">/usr/sbin/httpd</code>:
+ </div><pre class="screen"># /sbin/restorecon -v
/usr/sbin/httpd
restorecon reset /usr/sbin/httpd context
system_u:object_r:unconfined_notrans_exec_t:s0->system_u:object_r:httpd_exec_t:s0
-</pre><p>
+</pre><div class="para">
Run the <code class="command">ls -Z /usr/sbin/httpd</code>
command to confirm that <code
class="filename">/usr/sbin/httpd</code> is labeled with the <code
class="computeroutput">httpd_exec_t</code> type:
- </p><pre class="screen">$ ls -Z /usr/sbin/httpd
+ </div><pre class="screen">$ ls -Z /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">/sbin/service
httpd restart</code> command to restart <code
class="systemitem">httpd</code>. After restarting, run the <code
class="command">ps -eZ | grep httpd</code> to confirm that <code
class="systemitem">httpd</code> is running in the confined <code
class="computeroutput">httpd_t</code> domain:
- </p><pre class="screen"># /sbin/service httpd restart
+ </div><pre class="screen"># /sbin/service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
# ps -eZ | grep httpd
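Review bot: the `restorecon` transcript added in this hunk reports `unconfined_notrans_exec_t:s0->system_u:object_r:httpd_exec_t:s0`, but the procedure earlier relabels the binary with `chcon -t unconfined_exec_t /usr/sbin/httpd` and the following `ls -Z` confirms `unconfined_exec_t`; the old context in the restorecon output therefore does not match the steps as written, and the output should be re-captured after running the procedure exactly as documented. Two smaller consistency points in the same hunk: the context line `<code class="command">/sbin/service httpd restart</code>` keeps the path while the hunk's other `+` lines change `/sbin/service` to `service`, and the `ls -Z /usr/sbin/httpd` output again lacks the `:s0` field shown in the restorecon line directly above it.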
@@ -97,14 +99,14 @@
unconfined_u:system_r:httpd_t 8887 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8888 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t 8889 ? 00:00:00 httpd
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">rm -i
/var/www/html/test2file</code> command to remove <code
class="filename">test2file</code>.
- </p></li><li><p>
- If you do not require <code class="systemitem">httpd</code> to
be running, as the Linux root user, run the <code
class="command">/sbin/service httpd stop</code> command to stop
<code class="systemitem">httpd</code>:
- </p><pre class="screen"># /sbin/service httpd stop
+ </div></li><li><div class="para">
+ If you do not require <code class="systemitem">httpd</code> to
be running, as the Linux root user, run the <code class="command">service
httpd stop</code> command to stop <code
class="systemitem">httpd</code>:
+ </div><pre class="screen"># /sbin/service httpd stop
Stopping httpd: [ OK ]
-</pre></li></ol></div><p>
+</pre></li></ol></div><div class="para">
The examples in these sections demonstrate how data can be protected from a
compromised confined-process (protected by SELinux), as well as how data is more
accessible to an attacker from a compromised unconfined-process (not protected by
SELinux).
- </p><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e1469"
href="#d0e1469" class="para">7</a>] </sup>
+ </div><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e1463"
href="#d0e1463">7</a>] </sup>
When using other policies, such as MLS, other roles may also be used, for example,
<code class="computeroutput">secadm_r</code>.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Prev</strong>Chapter 4. Targeted
Policy</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"><strong>Next</strong>4.3. Confined
and Unconfined Users</a></li></ul></body></html>
\ No newline at end of file
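Review bot: the footnote in this hunk keeps `<div class="footnote"><p>` ... `</p></div>` while every other `<p>` in the file is converted to `<div class="para">`; if the conversion is deliberate, the footnote should follow it too. While this paragraph is being touched, "compromised confined-process" and "compromised unconfined-process" read as if the process were "compromised-confined"; dropping the hyphens gives the intended "compromised confined process".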
Index:
sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html 24
Nov 2008 22:43:12 -0000 1.1
+++
sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html 24
Jan 2009 03:48:03 -0000 1.2
@@ -1,17 +1,8 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Rules and Broken Applications</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"
title="7.2. Top Three Causes of Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"
title="7.2.2. How are Confined Services Running?"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>7.2.3. Evolving Rules and
Broken Applications</strong></a></p><ul
class="docnav"><li class="pr
evious"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving
Rules and Broken Applications</h3></div></div></div><p>
- Applications may be broken, causing SELinux to deny access. Also, SELinux rules are
evolving - SELinux may not have seen an application running in a certain way, possibly
causing it to deny access, even though the application is working as expected. For
example, if a new version of PostgreSQL is released, it may perform actions that the
current policy has not seen before, causing access to be denied, even though access should
be allowed.
- </p><p>
- For these situations, after access is denied, use <code
class="command">audit2allow</code> to create a custom policy module to
allow access. The following example searches for <code
class="computeroutput">postgresql</code> entries in <code
class="filename">audit.log</code>, and sends those entries through
<code class="command">audit2allow</code> to create a custom module:
- </p><pre class="screen">
-# grep postgresql /var/log/audit/audit.log | audit2allow \
--R -M mypostgresql
-</pre><p>
- To install the module, run the <code class="command">semodule
-i</code> command as the Linux root user:
- </p><pre class="screen">
-# /usr/sbin/semodule -i mypostgresql.pp
-</pre><p>
- The <code class="command">audit2allow</code> command may allow
more access than desired. When access is denied, it is best to report the denial in <a
href="https://bugzilla.redhat.com/">Red Hat Bugzilla</a>, (against the
<span class="package">selinux-policy</span> package), or to a
mailing list, such as <a
href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list&quo...;,
allowing a more strict rule to be added, or to add your changes to the distribution's
or upstream policy.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Prev</strong>7.2.2. How
are Confined Services Running?</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Next</strong>7.3. Fixing
Problems</a></li></ul></body></html>
\ No newline at end of file
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Rules and Broken Applications</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"
title="7.2. Top Three Causes of Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"
title="7.2.2. How are Confined Services Running?"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"
title="7.3. Fixing Problems"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="
right" href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving
Rules and Broken Applications</h3></div></div></div><div
class="para">
+ Applications may be broken, causing SELinux to deny access. Also, SELinux rules are
evolving - SELinux may not have seen an application running in a certain way, possibly
causing it to deny access, even though the application is working as expected. For
example, if a new version of PostgreSQL is released, it may perform actions the current
policy has not seen before, causing access to be denied, even though access should be
allowed.
+ </div><div class="para">
+ For these situations, after access is denied, use <code
class="command">audit2allow</code> to create a custom policy module to
allow access. Refer to <a
href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"
title="7.3.8. Allowing Access: audit2allow">Section 7.3.8, “Allowing Access:
audit2allow”</a> for information about using <code
class="command">audit2allow</code>.
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Prev</strong>7.2.2. How
are Confined Services Running?</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Next</strong>7.3. Fixing
Problems</a></li></ul></body></html>
\ No newline at end of file
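Review bot: removing the inline `grep postgresql /var/log/audit/audit.log | audit2allow -R -M mypostgresql` example also removes the caveat paragraph that went with it ("The audit2allow command may allow more access than desired" and the advice to report the denial against the selinux-policy package so a stricter rule can be added), and the replacement text only says to use audit2allow to create a custom policy module to allow access before pointing at Section 7.3.8. Unless that section repeats the warning, a reader of this page now gets the "allow it" instruction without being told that a generated module can over-grant; suggest keeping one sentence here, for example "Note that audit2allow may allow more access than desired; report denials against the selinux-policy package so that a more strict rule can be added upstream."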
Index:
sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html 24
Nov 2008 22:43:12 -0000 1.1
+++
sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html 24
Jan 2009 03:48:03 -0000 1.2
@@ -1,15 +1,15 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g... are
Confined Services Running?</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"
title="7.2. Top Three Causes of Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"
title="7.2. Top Three Causes of Problems"/><link rel="next"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"
title="7.2.3. Evolving Rules and Broken
Applications"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>7.2.2. How are Confined
Services Running?</strong></a></p><ul c
lass="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How
are Confined Services Running?</h3></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g... are
Confined Services Running?</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"
title="7.2. Top Three Causes of Problems"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"
title="7.2. Top Three Causes of Problems"/><link rel="next"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"
title="7.2.3. Evolving Rules and Broken Applications"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt
="Product Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How
are Confined Services Running?</h3></div></div></div><div
class="para">
Services can be run in a variety of ways. To cater for this, you must tell SELinux
how you are running services. This can be achieved via Booleans that allow parts of
SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing.
This allows changes, such as allowing services access to NFS file systems, without
reloading or recompiling SELinux policy. Also, running services on non-default port
numbers requires policy configuration to be updated via the <code
class="command">semanage</code> command.
- </p><p>
+ </div><div class="para">
For example, to allow the Apache HTTP Server to communicate with MySQL, turn the
<code class="computeroutput">httpd_can_network_connect_db</code>
Boolean on:
- </p><pre class="screen">
+ </div><pre class="screen">
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
-</pre><p>
+</pre><div class="para">
If access is denied for a particular service, use the <code
class="command">getsebool</code> and <code
class="command">grep</code> commands to see if any Booleans are
available to allow access. For example, use the <code
class="command">getsebool -a | grep ftp</code> command to search for
FTP related Booleans:
- </p><pre class="screen">
+ </div><pre class="screen">
$ /usr/sbin/getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
@@ -18,36 +18,36 @@
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
-</pre><p>
- For a list of Booleans and whether they are on or off, run the <code
class="command">/usr/sbin/getsebool -a</code> command. For a list of
Booleans, an explanation of what each one is, and whether they are on or off, as the Linux
root user, run the <code class="command">/usr/sbin/semanage boolean
-l</code> command. Refer to <a class="xref"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"
title="5.6. Booleans">Section 5.6, “Booleans”</a> for information about
listing and configuring Booleans.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-How_are_Confined_Services_Running-Port_Numbers">Port
Numbers</h5>
- Depending on policy configuration, services may only be allowed to run on certain
port numbers. Attempting to change the port a service runs on without changing policy may
result in the service failing to start. For example, run the <code
class="command">semanage port -l | grep http</code> command to list
<code class="systemitem">http</code> related ports:
- <pre class="screen">
+</pre><div class="para">
+ For a list of Booleans and whether they are on or off, run the <code
class="command">/usr/sbin/getsebool -a</code> command. For a list of
Booleans, an explanation of what each one is, and whether they are on or off, run the
<code class="command">/usr/sbin/semanage boolean -l</code> command
as the Linux root user. Refer to <a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"
title="5.6. Booleans">Section 5.6, “Booleans”</a> for information about
listing and configuring Booleans.
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-How_are_Confined_Services_Running-Port_Numbers">Port
Numbers</h5>
+ Depending on policy configuration, services may only be allowed to run on certain
port numbers. Attempting to change the port a service runs on without changing policy may
result in the service failing to start. For example, run the <code
class="command">semanage port -l | grep http</code> command as the
Linux root user to list <code class="systemitem">http</code> related
ports:
+ </div><pre class="screen">
# /usr/sbin/semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
-</pre><p>
+</pre><div class="para">
The <code class="computeroutput">http_port_t</code> port type
defines the ports Apache HTTP Server can listen on, which in this case, are TCP ports 80,
443, 488, 8008, 8009, and 8443. If an administrator configures <code
class="filename">httpd.conf</code> so that <code
class="systemitem">httpd</code> listens on port 9876 (<code
class="option">Listen 9876</code>), but policy is not updated to
reflect this, the <code class="command">service httpd start</code>
command fails:
- </p><pre class="screen">
+ </div><pre class="screen">
# /sbin/service httpd start
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:9876
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:9876
no listening sockets available, shutting down
Unable to open logs
[FAILED]
-</pre><p>
+</pre><div class="para">
An SELinux denial similar to the following is logged to <code
class="filename">/var/log/audit/audit.log</code>:
- </p><pre class="screen">
+ </div><pre class="screen">
type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=4997
comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
-</pre><p>
- To allow <code class="systemitem">httpd</code> to listen on a
port that is not listed for the <code
class="computeroutput">http_port_t</code> port type, run the <code
class="command">semanage port</code> command to add a port to policy
configuration<sup>[<a id="d0e5365" href="#ftn.d0e5365"
class="footnote">15</a>]</sup>:
- </p><pre class="screen">
+</pre><div class="para">
+ To allow <code class="systemitem">httpd</code> to listen on a
port that is not listed for the <code
class="computeroutput">http_port_t</code> port type, run the <code
class="command">semanage port</code> command to add a port to policy
configuration<sup>[<a id="d0e5490"
href="#ftn.d0e5490">15</a>]</sup>:
+ </div><pre class="screen">
# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876
-</pre><p>
+</pre><div class="para">
The <code class="option">-a</code> option adds a new record;
the <code class="option">-t</code> option defines a type; and the
<code class="option">-p</code> option defines a protocol. The last
argument is the port number to add.
- </p><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e5365"
href="#d0e5365" class="para">15</a>] </sup>
+ </div><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e5490"
href="#d0e5490">15</a>] </sup>
The <code class="command">semanage port -a</code> command adds
an entry to the <code
class="filename">/etc/selinux/targeted/modules/active/ports.local</code>
file. Note: by default, this file can only be viewed by the Linux root user.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Prev</strong>7.2. Top
Three Causes of Problems</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Next</strong>7.2.3. Evolving
Rules and Broken Applications</a></li></ul></body></html>
\ No newline at end of file
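Review bot: the footnote markup at the end of this hunk is only half migrated: the body paragraphs change from `<p>` to `<div class="para">` and the footnote reference loses its class (`<sup>[<a id="d0e5490" href="#ftn.d0e5490">15</a>]</sup>` instead of `<a ... class="footnote">`), but the footnote body itself keeps `<div class="footnote"><p>` ... `</p>`. If default.css styles references by `a.footnote`, the superscript loses its styling; either keep the class or confirm the stylesheet matches on `div.footnote`. Also note that the "Depending on policy configuration, ..." text now sits directly inside `<div class="formalpara">` with no `<div class="para">` wrapper, unlike every other paragraph in this revision.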
Index: sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html 24 Nov 2008 22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html 24 Jan 2009 03:48:03 -0000 1.2
@@ -1,21 +1,21 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Problems</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"
title="7.2.3. Evolving Rules and Broken Applications"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"
title="7.3.2. Possible Causes of Silent
Denials"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>7.3. Fixing
Problems</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p" href="sect-Se
curity-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing
Problems</h2></div></div></div><p>
- The following sections help troubleshoot issues. They go over: checking Linux
permissions, which are checked before SELinux rules; possible causes of SELinux denying
access but no denials being logged; manual pages for services, which contain information
about labeling and Booleans; permissive domains, for allowing one process to run
permissive, rather than the whole system; how to search for and view denial messages;
analyzing denials; and creating custom policy modules with <code
class="command">audit2allow</code>.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux
Permissions</h3></div></div></div><p>
- When access is denied, check standard Linux permissions. As mentioned in <a
class="xref" href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction">Chapter 2,
<i>Introduction</i></a>, most operating systems use a Discretionary
Access Control (DAC) system to control access, allowing users to control the permissions
of files that they own. SELinux policy rules are checked after DAC rules. SELinux policy
rules are not used if DAC rules deny access first.
- </p><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Problems</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"
title="7.2.3. Evolving Rules and Broken Applications"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"
title="7.3.2. Possible Causes of Silent Denials"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="
http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing
Problems</h2></div></div></div><div class="para">
+ The following sections help troubleshoot issues. They go over: checking Linux
permissions, which are checked before SELinux rules; possible causes of SELinux denying
access, but no denials being logged; manual pages for services, which contain information
about labeling and Booleans; permissive domains, for allowing one process to run
permissive, rather than the whole system; how to search for and view denial messages;
analyzing denials; and creating custom policy modules with <code
class="command">audit2allow</code>.
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux
Permissions</h3></div></div></div><div
class="para">
+ When access is denied, check standard Linux permissions. As mentioned in <a
href="chap-Security-Enhanced_Linux-Introduction.html"
title="Chapter 2. Introduction">Chapter 2, <i
xmlns:xlink="http://www.w3.org/1999/xlink">Introduction</...;,
most operating systems use a Discretionary Access Control (DAC) system to control access,
allowing users to control the permissions of files that they own. SELinux policy rules are
checked after DAC rules. SELinux policy rules are not used if DAC rules deny access
first.
+ </div><div class="para">
If access is denied and no SELinux denials are logged, use the <code
class="command">ls -l</code> command to view the standard Linux
permissions:
- </p><pre class="screen">
+ </div><pre class="screen">
$ ls -l /var/www/html/index.html
-rw-r----- 1 root root 0 2008-11-07 11:06 index.html
-</pre><p>
+</pre><div class="para">
In this example, <code class="filename">index.html</code> is
owned by the root user and group. The root user has read and write permissions (<code
class="computeroutput">-rw</code>), and members of the root group have
read permissions (<code class="computeroutput">-r-</code>). Everyone
else has no access (<code class="computeroutput">---</code>). By
default, such permissions do not allow <code
class="systemitem">httpd</code> to read this file. To resolve this
issue, use the <code class="command">chown</code> command to change
the owner and group. This command must be run as the Linux root user:
- </p><pre class="screen">
+ </div><pre class="screen">
# chown apache:apache /var/www/html/index.html
-</pre><p>
+</pre><div class="para">
This assumes the default configuration, in which <code
class="systemitem">httpd</code> runs as the Linux apache user. If you
run <code class="systemitem">httpd</code> with a different user,
replace <code class="computeroutput">apache:apache</code> with that
user.
- </p><p>
+ </div><div class="para">
Refer to the <a
href="http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/...
Documentation Project "Permissions"</a> draft for information about
managing Linux permissions.
- </p></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Prev</strong>7.2.3. Evolving
Rules and Broken Applications</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Next</strong>7.3.2. Possible
Causes of Silent Denials</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Prev</strong>7.2.3. Evolving
Rules and Broken Applications</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Next</strong>7.3.2. Possible
Causes of Silent Denials</a></li></ul></body></html>
\ No newline at end of file
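Review bot: the only wording change in the 7.3 intro paragraph inserts a comma that should not be there: "possible causes of SELinux denying access, but no denials being logged" joins a participial phrase, not an independent clause, so the revision 1.1 text "denying access but no denials being logged" was correct; revert it. Separately, the regenerated cross-reference in 7.3.1 carries a stray namespace declaration, `<i xmlns:xlink="http://www.w3.org/1999/xlink">`, where revision 1.1 had plain `<i>Introduction</i>`; it is harmless in XHTML but is generator noise worth checking in the publican template before it spreads to every xref.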
Index: sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html 24 Nov 2008 22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html 24 Jan 2009 03:48:03 -0000 1.2
@@ -1,40 +1,40 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g... Three
Causes of Problems</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting"/><link rel="next"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"
title="7.2.2. How are Confined Services
Running?"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>7.2. Top Three Causes of
Problems</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Troubles
hooting.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top
Three Causes of Problems</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g... Three
Causes of Problems</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting"/><link rel="next"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"
title="7.2.2. How are Confined Services Running?"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img src="Co
mmon_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top
Three Causes of Problems</h2></div></div></div><div
class="para">
The following sections describe the top three causes of problems: labeling problems,
configuring Booleans and ports for services, and evolving SELinux rules.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling
Problems</h3></div></div></div><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling
Problems</h3></div></div></div><div class="para">
On systems running SELinux, all processes and files are labeled with a label that
contains security-relevant information. This information is called the SELinux context. If
these labels are wrong, access may be denied. If an application is labeled incorrectly,
the process it transitions to may not have the correct label, possibly causing SELinux to
deny access, and the process being able to create mislabeled files.
- </p><p>
- A common cause of labeling problems is when a non-standard directory is used for a
service. For example, instead of using <code
class="filename">/var/www/html/</code> for a website, an administrator
wants to use <code class="filename">/srv/myweb/</code>. On Fedora
10, the <code class="filename">/srv/</code> directory is labeled
with the <code class="computeroutput">var_t</code> type. Files and
directories created and <code class="filename">/srv/</code> inherit
this type. Also, newly-created top-level directories (such as <code
class="filename">/myserver</code>) may be labeled with the <code
class="computeroutput">default_t</code> type. SELinux prevents the
Apache HTTP Server (<code class="systemitem">httpd</code>) from
accessing both of these types. To allow access, SELinux must know that the files in
<code class="filename">/srv/myweb/</code> are to be accessible to
<code class="systemitem">httpd</code>:
- </p><pre class="screen">
+ </div><div class="para">
+ A common cause of labeling problems is when a non-standard directory is used for a
service. For example, instead of using <code
class="filename">/var/www/html/</code> for a website, an administrator
wants to use <code class="filename">/srv/myweb/</code>. On Fedora
10, the <code class="filename">/srv/</code> directory is labeled
with the <code class="computeroutput">var_t</code> type. Files and
directories created and <code class="filename">/srv/</code> inherit
this type. Also, newly-created top-level directories (such as <code
class="filename">/myserver/</code>) may be labeled with the <code
class="computeroutput">default_t</code> type. SELinux prevents the
Apache HTTP Server (<code class="systemitem">httpd</code>) from
accessing both of these types. To allow access, SELinux must know that the files in
<code class="filename">/srv/myweb/</code> are to be accessible to
<code class="systemitem">httpd</code>:
+ </div><pre class="screen">
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
"/srv/myweb(/.*)?"
-</pre><p>
- This <code class="command">semanage</code> command adds the
context for the <code class="filename">/srv/myweb/</code> directory
(and all files and directories under it) to the SELinux file-context
configuration<sup>[<a id="d0e5203" href="#ftn.d0e5203"
class="footnote">14</a>]</sup>. The <code
class="command">semanage</code> command does not change the context. As
the Linux root user, run the <code class="command">restorecon</code>
command to apply the changes:
- </p><pre class="screen">
+</pre><div class="para">
+ This <code class="command">semanage</code> command adds the
context for the <code class="filename">/srv/myweb/</code> directory
(and all files and directories under it) to the SELinux file-context
configuration<sup>[<a id="d0e5328"
href="#ftn.d0e5328">14</a>]</sup>. The <code
class="command">semanage</code> command does not change the context. As
the Linux root user, run the <code class="command">restorecon</code>
command to apply the changes:
+ </div><pre class="screen">
# /sbin/restorecon -R -v /srv/myweb
-</pre><p>
- Refer to <a class="xref"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"
title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2,
“Persistent Changes: semanage fcontext”</a> for further information about adding
contexts to the file-context configuration.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security-Enhanced_Linux-Labeling_Problems-What_is_the_Correct_Context">7.2.1.1. What
is the Correct Context?</h4></div></div></div><p>
+</pre><div class="para">
+ Refer to <a
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"
title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2,
“Persistent Changes: semanage fcontext”</a> for further information about adding
contexts to the file-context configuration.
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security-Enhanced_Linux-Labeling_Problems-What_is_the_Correct_Context">7.2.1.1. What
is the Correct Context?</h4></div></div></div><div
class="para">
The <code class="command">matchpathcon</code> command checks
the context of a file path and compares it to the default label for that path. The
following example demonstrates using <code
class="command">matchpathcon</code> on a directory that contains
incorrectly labeled files:
- </p><pre class="screen">
-$ matchpathcon -V /var/www/html/*
+ </div><pre class="screen">
+$ /usr/sbin/matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be
system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be
system_u:object_r:httpd_sys_content_t:s0
-</pre><p>
+</pre><div class="para">
In this example, the <code class="filename">index.html</code>
and <code class="filename">page1.html</code> files are labeled with
the <code class="computeroutput">user_home_t</code> type. This type
is used for files in user home directories. Using the <code
class="command">mv</code> command to move files from your home
directory may result in files being labeled with the <code
class="computeroutput">user_home_t</code> type. This type should not
exist outside of home directories. Use the <code
class="command">restorecon</code> command to restore such files to
their correct type:
- </p><pre class="screen">
-# restorecon -v /var/www/html/index.html
+ </div><pre class="screen">
+# /sbin/restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context
unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
-</pre><p>
+</pre><div class="para">
To restore the context for all files under a directory, use the <code
class="option">-R</code> option:
- </p><pre class="screen">
-# restorecon -R -v /var/www/html/
+ </div><pre class="screen">
+# /sbin/restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context
unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context
unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
-</pre><p>
- Refer to <a class="xref"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"
title="5.10.3. Checking the Default SELinux Context">Section 5.10.3,
“Checking the Default SELinux Context”</a> for a more detailed example of <code
class="command">matchpathcon</code>.
- </p></div></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e5203"
href="#d0e5203" class="para">14</a>] </sup>
+</pre><div class="para">
+ Refer to <a
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"
title="5.10.3. Checking the Default SELinux Context">Section 5.10.3,
“Checking the Default SELinux Context”</a> for a more detailed example of <code
class="command">matchpathcon</code>.
+ </div></div></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e5328"
href="#d0e5328">14</a>] </sup>
Files in <code
class="filename">/etc/selinux/targeted/contexts/files/</code> define
contexts for files and directories. Files in this directory are read by <code
class="command">restorecon</code> and <code
class="command">setfiles</code> to restore files and directories to
their default contexts.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="chap-Security-Enhanced_Linux-Troubleshooting.html"><strong>Prev</strong>Chapter 7. Troubleshooting</a></li><li
class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Next</strong>7.2.2. How
are Confined Services Running?</a></li></ul></body></html>
\ No newline at end of file
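Review bot: the rewritten labeling paragraph in 7.2.1 keeps a typo from revision 1.1 that should be fixed while the line is being touched: "Files and directories created and /srv/ inherit this type" should read "Files and directories created in /srv/ inherit this type". Also, the example listings in 7.2.1.1 disagree with each other: matchpathcon -V reports index.html and page1.html as user_home_t and the single-file restorecon output resets index.html from user_home_t, but the restorecon -R output resets both files from samba_share_t; the prose between them only discusses user_home_t, so the -R listing should show the same starting type (or the text should explain the second mislabeling).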
Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html 24 Nov 2008 22:43:12 -0000 1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html 24 Jan 2009 03:48:03 -0000 1.2
@@ -1,34 +1,34 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"
title="5.5. SELinux Modes"/><link rel="next"
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"
title="5.6.2. Configuring Booleans"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.6. Booleans</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"
title="5.5. SELinux Modes"/><link rel="next"
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"
title="5.6.2. Configuring Booleans"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Docum
entation Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</h2></div></div></div><div
class="para">
Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge
of SELinux policy writing. This allows changes, such as allowing services access to NFS
file systems, without reloading or recompiling SELinux policy.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing
Booleans</h3></div></div></div><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing
Booleans</h3></div></div></div><div class="para">
For a list of Booleans, an explanation of what each one is, and whether they are on
or off, run the <code class="command">semanage boolean -l</code>
command as the Linux root user. The following example does not list all Booleans:
- </p><pre class="screen"># /usr/sbin/semanage boolean -l
+ </div><pre class="screen"># /usr/sbin/semanage boolean -l
SELinux boolean Description
ftp_home_dir -> off Allow ftp to read and write files in the
user home directories
xen_use_nfs -> off Allow xen to manage nfs files
xguest_connect_network -> on Allow xguest to configure Network Manager
-</pre><p>
+</pre><div class="para">
The <code class="computeroutput">SELinux boolean</code> column
lists Boolean names. The <code
class="computeroutput">Description</code> column lists whether the
Booleans are on or off, and what they do.
- </p><p>
+ </div><div class="para">
In the following example, the <code
class="computeroutput">ftp_home_dir</code> Boolean is off, preventing
the FTP daemon (<code class="systemitem">vsftpd</code>) from reading
and writing to files in user home directories:
- </p><pre class="screen">ftp_home_dir ->
off Allow ftp to read and write files in the user home directories
-</pre><p>
+ </div><pre class="screen">ftp_home_dir
-> off Allow ftp to read and write files in the user home directories
+</pre><div class="para">
The <code class="command">getsebool -a</code> command lists
Booleans, whether they are on or off, but does not give a description of each one. The
following example does not list all Booleans:
- </p><pre class="screen">$ /usr/sbin/getsebool -a
+ </div><pre class="screen">$ /usr/sbin/getsebool -a
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
-</pre><p>
+</pre><div class="para">
Run the <code class="command">getsebool <em
class="replaceable"><code>boolean-name</code></em></code>
command to only list the status of the <em
class="replaceable"><code>boolean-name</code></em>
Boolean:
- </p><pre class="screen">$ /usr/sbin/getsebool
allow_console_login
+ </div><pre class="screen">$ /usr/sbin/getsebool
allow_console_login
allow_console_login --> off
-</pre><p>
+</pre><div class="para">
Use a space-separated list to list multiple Booleans:
- </p><pre class="screen">$ /usr/sbin/getsebool
allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
+ </div><pre class="screen">$ /usr/sbin/getsebool
allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
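Review bot: the explanation under the `semanage boolean -l` listing says the Description column shows whether each Boolean is on or off, but in the output as printed the state sits between the name and the description (`ftp_home_dir -> off Allow ftp to read and write files in the user home directories`), not under the Description header; saying that the arrow after each name gives its current state would match what the reader sees. The `<p>` to `<div class="para">` conversion in this hunk is purely mechanical, but every paragraph on the page now depends on `div.para` being styled as a block with paragraph spacing, so the default.css shipped with 1.1-1 should be checked for that rule before this is published.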
Index:
sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html 24
Nov 2008 22:43:13 -0000 1.1
+++
sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html 24
Jan 2009 03:48:03 -0000 1.2
@@ -1,26 +1,26 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
and Disabling SELinux</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"
title="5.3. Main Configuration File"/><link rel="next"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"
title="5.4.2. Disabling SELinux"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.4. Enabling and
Disabling SELinux</strong></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p" href="sect-Security-Enhanced_L
inux-Working_with_SELinux-Main_Configuration_File.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling
and Disabling SELinux</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
and Disabling SELinux</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"
title="5.3. Main Configuration File"/><link rel="next"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"
title="5.4.2. Disabling SELinux"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><
img src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling
and Disabling SELinux</h2></div></div></div><div
class="para">
Use the <code class="command">/usr/sbin/getenforce</code> or
<code class="command">/usr/sbin/sestatus</code> commands to check
the status of SELinux. The <code class="command">getenforce</code>
command returns <code class="computeroutput">Enforcing</code>,
<code class="computeroutput">Permissive</code>, or <code
class="computeroutput">Disabled</code>. The <code
class="command">getenforce</code> command returns <code
class="computeroutput">Enforcing</code> when SELinux is enabled
(SELinux policy rules are enforced):
- </p><pre class="screen">$ /usr/sbin/getenforce
+ </div><pre class="screen">$ /usr/sbin/getenforce
Enforcing
-</pre><p>
+</pre><div class="para">
The <code class="command">getenforce</code> command returns
<code class="computeroutput">Permissive</code> when SELinux is
enabled, but SELinux policy rules are not enforced, and only DAC rules are used. The
<code class="command">getenforce</code> command returns <code
class="computeroutput">Disabled</code> if SELinux is disabled.
- </p><p>
+ </div><div class="para">
The <code class="command">sestatus</code> command returns the
SELinux status and the SELinux policy being used:
- </p><pre class="screen">$ /usr/sbin/sestatus
+ </div><pre class="screen">$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted
-</pre><p>
+</pre><div class="para">
<code class="computeroutput">SELinux status: enabled</code> is
returned when SELinux is enabled. <code class="computeroutput">Current
mode: enforcing</code> is returned when SELinux is running in enforcing mode.
<code class="computeroutput">Policy from config file:
targeted</code> is returned when the SELinux targeted policy is used.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling
SELinux</h3></div></div></div><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling
SELinux</h3></div></div></div><div class="para">
On systems with SELinux disabled, the <code
class="computeroutput">SELINUX=disabled</code> option is configured in
<code class="filename">/etc/selinux/config</code>:
- </p><pre class="screen"># This file controls the state of
SELinux on the system.
+ </div><pre class="screen"># This file controls the state of
SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
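Review bot: the regenerated header emits `<body class="">`, an empty class attribute that is harmless in XHTML 1.0 Strict but is template noise and should be fixed in the publican template rather than carried into every page. On the content side, the 5.4 intro describes permissive mode only as "SELinux policy rules are not enforced, and only DAC rules are used"; the point made later in 5.4.1 step 4, that denials are still logged in permissive mode, is the reason the procedure boots permissive first and belongs here as well, since this is the paragraph a reader checking `getenforce` output will land on.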
@@ -30,23 +30,23 @@
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
-</pre><p>
+</pre><div class="para">
Also, the <code class="command">getenforce</code> command
returns <code class="computeroutput">Disabled</code>:
- </p><pre class="screen">$ /usr/sbin/getenforce
+ </div><pre class="screen">$ /usr/sbin/getenforce
Disabled
-</pre><p>
+</pre><div class="para">
To enable SELinux:
- </p><div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
Use the <code class="command">rpm -qa | grep selinux</code>,
<code class="command">rpm -q policycoreutils</code>, and <code
class="command">rpm -qa | grep setroubleshoot</code> commands to
confirm that the SELinux packages are installed. This guide assumes the following packages
are installed: <span class="package">selinux-policy-targeted</span>,
<span class="package">selinux-policy</span>, <span
class="package">libselinux</span>, <span
class="package">libselinux-python</span>, <span
class="package">libselinux-utils</span>, <span
class="package">policycoreutils</span>, <span
class="package">setroubleshoot</span>, <span
class="package">setroubleshoot-server</span>, <span
class="package">setroubleshoot-plugins</span>. If these packages are
not installed, as the Linux root user, install them via the <code
class="command">yum install <em
class="replaceable"><code>package-name</code></em></code>
command. The following packages are optional: <span
class="package">policycoreu
tils-gui</span>, <span class="package">setroubleshoot</span>,
<span class="package">selinux-policy-devel</span>, and <span
class="package">mcstrans</span>.
- </p><p>
- After installing the <span
class="package">setroubleshoot-server</span> package, use the <code
class="command">/sbin/chkconfig --list setroubleshoot</code> command to
confirm that <code class="systemitem">setroubleshootd</code> starts
when the system is running in runlevel<sup>[<a id="d0e2475"
href="#ftn.d0e2475" class="footnote">10</a>]</sup> 3,
4, and 5:
- </p><pre class="screen">$ /sbin/chkconfig --list
setroubleshoot
+ </div><div class="para">
+ After installing the <span
class="package">setroubleshoot-server</span> package, use the <code
class="command">/sbin/chkconfig --list setroubleshoot</code> command to
confirm that <code class="systemitem">setroubleshootd</code> starts
when the system is running in runlevel<sup>[<a id="d0e2484"
href="#ftn.d0e2484">10</a>]</sup> 3, 4, and 5:
+ </div><pre class="screen">$ /sbin/chkconfig --list
setroubleshoot
setroubleshoot 0:off 1:off 2:off 3:on 4:on 5:on 6:off
-</pre><p>
+</pre><div class="para">
If the output differs, as the Linux root user, run the <code
class="command">/sbin/chkconfig --levels 345 setroubleshoot on</code>
command. This makes <code class="systemitem">setroubleshootd</code>
automatically start when the system is in runlevel 3, 4, and 5.
- </p></li><li><p>
+ </div></li><li><div class="para">
Before SELinux is enabled, each file on the file system must be labeled with an
SELinux context. Before this happens, confined domains may be denied access, preventing
your system from booting correctly. To prevent this, configure <code
class="computeroutput">SELINUX=permissive</code> in <code
class="filename">/etc/selinux/config</code>:
- </p><pre class="screen"># This file controls the state of
SELinux on the system.
+ </div><pre class="screen"># This file controls the state of
SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
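Review bot: step 1 contradicts itself on `setroubleshoot`: it is listed among the packages this guide assumes are installed and then again among the optional packages (`policycoreutils-gui`, `setroubleshoot`, `selinux-policy-devel`, and `mcstrans`); drop it from one of the two lists. Also, `chkconfig --levels 345 setroubleshoot on` should be checked against the chkconfig man page, which documents the option as `--level` (singular); if the plural form is accepted at all it is not the documented spelling. The footnote anchor rename from `d0e2475` to `d0e2484` is consistent between the reference and the footnote body, so nothing to fix there.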
@@ -56,19 +56,19 @@
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code
class="command">reboot</code> command to restart the system. During the
next boot, file systems are labeled. The label process labels all files with an SELinux
context:
- </p><pre class="screen">*** Warning -- SELinux targeted policy
relabel is required.
+ </div><pre class="screen">*** Warning -- SELinux targeted
policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****
-</pre><p>
+</pre><div class="para">
Each <code class="computeroutput">*</code> character on the
bottom line represents 1000 files that have been labeled. In the above example, four
<code class="computeroutput">*</code> characters represent 4000
files have been labeled. The time it takes to label all files depends upon the number of
files on the system, and the speed of the hard disk drives. On modern systems, this
process can take as little as 10 minutes.
- </p></li><li><p>
- In permissive mode, SELinux policy is not enforced, but denials are still logged
for actions that would have been denied if running in enforcing mode. Before changing to
enforcing mode, as the Linux root user, run the <code class="command">grep
"SELinux is preventing" /var/log/messages</code> command as the Linux root
user to confirm that SELinux did not deny actions during the last boot. If SELinux did not
deny actions during the last boot, this command does not return any output. Refer to <a
class="xref" href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting">Chapter 7,
<i>Troubleshooting</i></a> for troubleshooting information if SELinux
denied access during boot.
- </p></li><li><p>
+ </div></li><li><div class="para">
+ In permissive mode, SELinux policy is not enforced, but denials are still logged
for actions that would have been denied if running in enforcing mode. Before changing to
enforcing mode, as the Linux root user, run the <code class="command">grep
"SELinux is preventing" /var/log/messages</code> command as the Linux root
user to confirm that SELinux did not deny actions during the last boot. If SELinux did not
deny actions during the last boot, this command does not return any output. Refer to <a
href="chap-Security-Enhanced_Linux-Troubleshooting.html"
title="Chapter 7. Troubleshooting">Chapter 7, <i
xmlns:xlink="http://www.w3.org/1999/xlink">Troubleshooting&l...
for troubleshooting information if SELinux denied access during boot.
+ </div></li><li><div class="para">
If there were no denial messages in <code
class="filename">/var/log/messages</code>, configure <code
class="computeroutput">SELINUX=enforcing</code> in <code
class="filename">/etc/selinux/config</code>:
- </p><pre class="screen"># This file controls the state of
SELinux on the system.
+ </div><pre class="screen"># This file controls the state of
SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
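Review bot: step 4 says "as the Linux root user" twice in one sentence ("as the Linux root user, run the grep "SELinux is preventing" /var/log/messages command as the Linux root user"); the regeneration carried the duplication over unchanged from 1.0-1, so the fix belongs in the source XML. More substantively, the claim that the grep "does not return any output" when SELinux denied nothing during the last boot only holds if /var/log/messages contains no older setroubleshoot messages; the grep is not scoped to the last boot. Tell the reader to consider only entries timestamped after the relabel reboot, or to note the end of the log before rebooting, otherwise stale denials will send them to Chapter 7 for nothing.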
@@ -78,41 +78,41 @@
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
-</pre></li><li><p>
+</pre></li><li><div class="para">
Reboot your system. After reboot, confirm that the <code
class="command">getenforce</code> command returns <code
class="computeroutput">Enforcing</code>:
- </p><pre class="screen">$ /usr/sbin/getenforce
+ </div><pre class="screen">$ /usr/sbin/getenforce
Enforcing
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code
class="command">/usr/sbin/semanage login -l</code> command to view the
mapping between SELinux and Linux users. The output should be as follows:
- </p><pre class="screen">Login Name SELinux User
MLS/MCS Range
+ </div><pre class="screen">Login Name SELinux
User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
-</pre></li></ol></div><p>
+</pre></li></ol></div><div class="para">
If this is not the case, run the following commands as the Linux root user to fix the
user mappings. It is safe to ignore the <code
class="computeroutput">SELinux-user<em
class="replaceable"><code> username</code></em> is already
defined</code> warnings if they occur, where <em
class="replaceable"><code>username</code></em> can be
<code class="computeroutput">unconfined_u</code>, <code
class="computeroutput">guest_u</code>, or <code
class="computeroutput">xguest_u</code>:
- </p><div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R
"unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
</pre>
- </p></li><li><p>
+ </div></li><li><div class="para">
<pre class="screen">/usr/sbin/semanage login -m -S targeted -s
"unconfined_u" -r s0-s0:c0.c1023 __default__
</pre>
- </p></li><li><p>
+ </div></li><li><div class="para">
<pre class="screen">/usr/sbin/semanage login -m -S targeted -s
"unconfined_u" -r s0-s0:c0.c1023 root
</pre>
- </p></li><li><p>
+ </div></li><li><div class="para">
<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R
guest_r guest_u
</pre>
- </p></li><li><p>
+ </div></li><li><div class="para">
<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R
xguest_r xguest_u
</pre>
- </p></li></ol></div><div
class="important"><h2>Important</h2><p>
+ </div></li></ol></div><div
class="important"><h2>Important</h2><div
class="para">
When systems run with SELinux in permissive or disabled mode, users have permission
to label files incorrectly. Also, files created while SELinux is disabled are not labeled.
This causes problems when changing to enforcing mode. To prevent incorrectly labeled and
unlabeled files from causing problems, file systems are automatically relabeled when
changing from disabled mode to permissive or enforcing mode.
- </p></div></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e2475"
href="#d0e2475" class="para">10</a>] </sup>
+ </div></div></div><div
class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e2484"
href="#d0e2484">10</a>] </sup>
Refer to <a
href="http://en.wikipedia.org/wiki/Runlevel">http://en.wikip...
for information about runlevels.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Prev</strong>5.3. Main
Configuration File</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Next</strong>5.4.2. Disabling
SELinux</a></li></ul></body></html>
\ No newline at end of file
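Review bot: the five fix-up commands mix `semanage user -a` (add) with `semanage login -m` (modify); the `-m` forms for `__default__` and `root` fail if the login mapping is missing rather than wrong, and the "is already defined" warnings the text tells the reader to ignore can only come from the `user -a` steps. Either say that `-m` is for correcting an existing mapping and `-a` for a missing one, or show the expected error text. These command blocks also omit the `#` prompt used everywhere else on the page even though the paragraph says to run them as root. Finally, the Important admonition here repeats the 5.3 admonition word for word; a cross-reference from one to the other would avoid maintaining two copies of the same warning.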
Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html 24 Nov
2008 22:43:13 -0000 1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html 24 Jan
2009 03:48:03 -0000 1.2
@@ -1,9 +1,9 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Configuration File</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"
title="5.2. Which Log File is Used"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"
title="5.4. Enabling and Disabling SELinux"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.3. Main Configuration
File</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Lin
ux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main
Configuration File</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Configuration File</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"
title="5.2. Which Log File is Used"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"
title="5.4. Enabling and Disabling SELinux"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.o
rg"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main
Configuration File</h2></div></div></div><div
class="para">
The <code class="filename">/etc/selinux/config</code> file is
the main SELinux configuration file. It controls the SELinux mode and the SELinux policy
to use:
- </p><pre class="screen"># This file controls the state of SELinux
on the system.
+ </div><pre class="screen"># This file controls the state of
SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
@@ -13,10 +13,10 @@
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
-</pre><div class="variablelist"><dl><dt><span
class="term"><code
class="computeroutput">SELINUX=enforcing</code></span></dt><dd><p>
+</pre><div class="variablelist"><dl><dt><span
class="term"><code
class="computeroutput">SELINUX=enforcing</code></span></dt><dd><div
class="para">
The <code class="option">SELINUX</code> option sets the mode
SELinux runs in. SELinux has three modes: enforcing, permissive, and disabled. When using
enforcing mode, SELinux policy is enforced, and SELinux denies access based on SELinux
policy rules. Denial messages are logged. When using permissive mode, SELinux policy is
not enforced. SELinux does not deny access, but denials are logged for actions that would
have been denied if running SELinux in enforcing mode. When using disabled mode, SELinux
is disabled (the SELinux module is not registered with the Linux kernel), and only DAC
rules are used.
- </p></dd><dt><span class="term"><code
class="computeroutput">SELINUXTYPE=targeted</code></span></dt><dd><p>
+ </div></dd><dt><span class="term"><code
class="computeroutput">SELINUXTYPE=targeted</code></span></dt><dd><div
class="para">
The <code class="option">SELINUXTYPE</code> option sets the
SELinux policy to use. Targeted policy is the default policy. Only change this option if
you want to use the MLS policy. To use the MLS policy, install the <span
class="package">selinux-policy-mls</span> package; configure <code
class="option">SELINUXTYPE=mls</code> in <code
class="filename">/etc/selinux/config</code>; and reboot your system.
- </p></dd></dl></div><div
class="important"><h2>Important</h2><p>
+ </div></dd></dl></div><div
class="important"><h2>Important</h2><div
class="para">
When systems run with SELinux in permissive or disabled mode, users have permission
to label files incorrectly. Also, files created while SELinux is disabled are not labeled.
This causes problems when changing to enforcing mode. To prevent incorrectly labeled and
unlabeled files from causing problems, file systems are automatically relabeled when
changing from disabled mode to permissive or enforcing mode.
- </p></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Prev</strong>5.2. Which
Log File is Used</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Next</strong>5.4. Enabling
and Disabling SELinux</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Prev</strong>5.2. Which
Log File is Used</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Next</strong>5.4. Enabling
and Disabling SELinux</a></li></ul></body></html>
\ No newline at end of file
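Review bot: the SELINUXTYPE description tells the reader to install `selinux-policy-mls`, set `SELINUXTYPE=mls` and reboot, but the Important admonition directly below promises an automatic relabel only when "changing from disabled mode to permissive or enforcing mode", not when changing policy type; file contexts differ between the targeted and MLS policies, so the switch needs a full relabel as well (on Fedora, creating `/.autorelabel` before the reboot triggers it on the next boot). Add that step or point at the relabel procedure in 5.4.1 so a reader does not end up with MLS enforcing over targeted labels.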
Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html 24
Nov 2008 22:43:13 -0000 1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html 24
Jan 2009 03:48:03 -0000 1.2
@@ -1,29 +1,29 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
SELinux Labels</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"
title="5.9.5. Making Context Mounts Persistent"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"
title="5.10.2. Moving Files and Directories"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.10. Maintaining SELinux
Labels </strong></a></p><ul class="docnav"><li
class="previous"><a accesske
y="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining
SELinux Labels </h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
SELinux Labels</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"
title="5.9.5. Making Context Mounts Persistent"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"
title="5.10.2. Moving Files and Directories"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining
SELinux Labels </h2></div></div></div><div
class="para">
These sections describe what happens to SELinux contexts when copying, moving, and
archiving files and directories. Also, it explains how to preserve contexts when copying
and archiving.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying
Files and Directories</h3></div></div></div><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying
Files and Directories</h3></div></div></div><div
class="para">
When a file or directory is copied, a new file or directory is created if it does not
exist. That new file or directory's context is based on default-labeling rules, not
the original file or directory's context (unless options were used to preserve the
original context). For example, files created in user home directories are labeled with
the <code class="computeroutput">user_home_t</code> type:
- </p><pre class="screen">
+ </div><pre class="screen">
$ touch file1
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-</pre><p>
+</pre><div class="para">
If such a file is copied to another directory, such as <code
class="filename">/etc/</code>, the new file is created in accordance to
default-labeling rules for the <code class="filename">/etc/</code>
directory. Copying a file (without additional options) may not preserve the original
context:
- </p><pre class="screen">
+ </div><pre class="screen">
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
# cp file1 /etc/
$ ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
-</pre><p>
+</pre><div class="para">
When <code class="filename">file1</code> is copied to <code
class="filename">/etc/</code>, if <code
class="filename">/etc/file1</code> does not exist, <code
class="filename">/etc/file1</code> is created as a new file. As shown
in the example above, <code class="filename">/etc/file1</code> is
labeled with the <code class="computeroutput">etc_t</code> type, in
accordance to default-labeling rules.
- </p><p>
+ </div><div class="para">
When a file is copied over an existing file, the existing file's context is
preserved, unless the user specified <code class="command">cp</code>
options to preserve the context of the original file, such as <code
class="option">--preserve=context</code>. SELinux policy may prevent
contexts from being preserved during copies.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_Without_Preserving_SELinux_Contexts">Copying
Without Preserving SELinux Contexts</h5>
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_Without_Preserving_SELinux_Contexts">Copying
Without Preserving SELinux Contexts</h5>
When copying a file with the <code class="command">cp</code>
command, if no options are given, the type is inherited from the targeted, parent
directory:
- <pre class="screen">
+ </div><pre class="screen">
$ touch file1
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
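Review bot: the paragraph ending `SELinux policy may prevent contexts from being preserved during copies.` (the one that introduces `--preserve=context`) names a failure mode without saying how it surfaces: does `cp` abort, warn, or silently fall back to the destination's default label? Say which, and show what the user sees when policy refuses the relabel, because a reader who expected `user_home_t` in the destination and finds the default type otherwise has no way to tell "policy denied it" from "I forgot the option". Smaller nit in the same hunk: the `/etc/` listing mixes prompts (`$ ls -Z file1`, then `# cp file1 /etc/`, then `$ ls -Z /etc/file1`); either use one prompt throughout or state that the copy is done as root, since that is also why the result is owned by `root root`.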
@@ -32,11 +32,11 @@
# cp file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
-</pre><p>
+</pre><div class="para">
In this example, <code class="filename">file1</code> is created
in a user's home directory, and is labeled with the <code
class="computeroutput">user_home_t</code> type. The <code
class="filename">/var/www/html/</code> directory is labeled with the
<code class="computeroutput">httpd_sys_content_t</code> type, as
shown with the <code class="command">ls -dZ /var/www/html/</code>
command. When <code class="filename">file1</code> is copied to
<code class="filename">/var/www/html/</code>, it inherits the
<code class="computeroutput">httpd_sys_content_t</code> type, as
shown with the <code class="command">ls -Z
/var/www/html/file1</code> command.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Preserving_SELinux_Contexts_When_Copying">Preserving
SELinux Contexts When Copying</h5>
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Preserving_SELinux_Contexts_When_Copying">Preserving
SELinux Contexts When Copying</h5>
Use the <code class="command">cp --preserve=context</code>
command to preserve contexts when copying:
- <pre class="screen">
+ </div><pre class="screen">
$ touch file1
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
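Review bot: `the type is inherited from the targeted, parent directory` (the sentence that introduces this example) and `it inherits the httpd_sys_content_t type` present the result as inheritance, while the section opening attributes the new label to `default-labeling rules`. Taking the parent's type is the common outcome of those rules, not the rule itself: policy can transition a newly created file to a type other than its parent's. Keep the wording from the opening and say that here the default rule happens to yield the parent's type; otherwise a reader will expect every directory to pass its type down and be surprised the first time one does not.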
@@ -45,22 +45,22 @@
# cp --preserve=context file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
-</pre><p>
+</pre><div class="para">
In this example, <code class="filename">file1</code> is created
in a user's home directory, and is labeled with the <code
class="computeroutput">user_home_t</code> type. The <code
class="filename">/var/www/html/</code> directory is labeled with the
<code class="computeroutput">httpd_sys_content_t</code> type, as
shown with the <code class="command">ls -dZ /var/www/html/</code>
command. Using the <code class="option">--preserve=context</code>
option preserves SELinux contexts during copy operations. As shown with the <code
class="command">ls -Z /var/www/html/file1</code> command, the <code
class="filename">file1</code> <code
class="computeroutput">user_home_t</code> type was preserved when the
file was copied to <code class="filename">/var/www/html/</code>.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_and_Changing_the_Context">Copying
and Changing the Context</h5>
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_and_Changing_the_Context">Copying
and Changing the Context</h5>
Use the <code class="command">cp -Z</code> command to change
the destination copy's context. The following example was performed in the user's
home directory:
- <pre class="screen">
+ </div><pre class="screen">
$ touch file1
$ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
$ ls -Z file1 file2
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r-- user1 group1 system_u:object_r:samba_share_t:s0 file2
$ rm file1 file2
-</pre><p>
+</pre><div class="para">
In this example, the context is defined with the <code
class="option">-Z</code> option. Without the <code
class="option">-Z</code> option, <code
class="filename">file2</code> would be labeled with the <code
class="computeroutput">unconfined_u:object_r:user_home_t</code>
context.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_a_File_Over_an_Existing_File">Copying
a File Over an Existing File</h5>
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_a_File_Over_an_Existing_File">Copying
a File Over an Existing File</h5>
When a file is copied over an existing file, the existing file's context is
preserved (unless an option is used to preserve contexts). For example:
- <pre class="screen">
+ </div><pre class="screen">
# touch /etc/file1
# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
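Review bot: the `--preserve=context` example ends at `-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1` and moves on, but that is a `user_home_t` file sitting in the web root, which is exactly the mislabeling the Important box at the end of this file warns about: with the targeted policy the Apache domain is not allowed to read it unless a boolean permits it, so the copy "works" and the page then fails to serve. Say so after the listing and show the fix (`/sbin/restorecon -v /var/www/html/file1`), otherwise the example reads as a recommendation. The `cp -Z system_u:object_r:samba_share_t:s0 file1 file2` example has the same gap: note that `-Z` accepts any context the caller may relabel to, and nothing checks that the chosen type is sensible for the destination.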
@@ -70,8 +70,8 @@
# cp /tmp/file2 /etc/file1
# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
-</pre><p>
+</pre><div class="para">
In this example, two files are created: <code
class="filename">/etc/file1</code>, labeled with the <code
class="computeroutput">etc_t</code> type, and <code
class="filename">/tmp/file2</code>, labeled with the <code
class="computeroutput">user_tmp_t</code> type. The <code
class="command">cp /tmp/file2 /etc/file1</code> command overwrites
<code class="filename">file1</code> with <code
class="filename">file2</code>. After copying, the <code
class="command">ls -Z /etc/file1</code> command shows <code
class="filename">file1</code> labeled with the <code
class="computeroutput">etc_t</code> type, not the <code
class="computeroutput">user_tmp_t</code> type from <code
class="filename">/tmp/file2</code> that replaced <code
class="filename">/etc/file1</code>.
- </p><div
class="important"><h2>Important</h2><p>
+ </div><div
class="important"><h2>Important</h2><div
class="para">
Copy files and directories, rather than moving them. This helps ensure they are
labeled with the correct SELinux contexts. Incorrect SELinux contexts can prevent
processes from accessing such files and directories.
- </p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Prev</strong>5.9.5. Making
Context Mounts Persistent</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Next</strong>5.10.2. Moving
Files and Directories</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Prev</strong>5.9.5. Making
Context Mounts Persistent</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Next</strong>5.10.2. Moving
Files and Directories</a></li></ul></body></html>
\ No newline at end of file
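Review bot: `Copy files and directories, rather than moving them. This helps ensure they are labeled with the correct SELinux contexts.` in the Important box contradicts the two subsections directly above it, where `cp --preserve=context` and `cp -Z` also produce labels that do not match the destination. Qualify it: copying without `--preserve=context` or `-Z` gives the file the destination's default label; after a move, or after a preserving copy, run `restorecon` on the destination. The box should also say that the risk is not only denied access: a file that keeps a more permissive type after a move or preserved copy stays readable by domains that could not read files carrying the destination's default type.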
Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html 24 Nov
2008 22:43:13 -0000 1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html 24 Jan
2009 03:48:03 -0000 1.2
@@ -1,23 +1,23 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
File Systems</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"
title="5.8. The file_t and default_t Types"/><link rel="next"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"
title="5.9.2. Changing the Default Context"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.9. Mounting File
Systems</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p" href="sect-Security-E
nhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting
File Systems</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
File Systems</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"
title="5.8. The file_t and default_t Types"/><link rel="next"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"
title="5.9.2. Changing the Default Context"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" href="http://docs.fe
doraproject.org"><img src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting
File Systems</h2></div></div></div><div
class="para">
By default, when a file system that supports extended attributes is mounted, the
security context for each file is obtained from the <span
class="emphasis"><em>security.selinux</em></span> extended
attribute of the file. Files in file systems that do not support extended attributes are
assigned a single, default security context from the policy configuration, based on file
system type.
- </p><p>
+ </div><div class="para">
Use the <code class="command">mount -o context</code> command to
override existing extended attributes, or to specify a different, default context for file
systems that do not support extended attributes. This is useful if you do not trust a file
system to supply the correct attributes, for example, removable media used in multiple
systems. The <code class="command">mount -o context</code> command
can also be used to support labeling for file systems that do not support extended
attributes, such as File Allocation Table (FAT) or NFS file systems. The context specified
with the <code class="option">context</code> is not written to disk:
the original contexts are preserved, and are seen when mounting without a <code
class="option">context</code> option (if the file system had extended
attributes in the first place).
- </p><p>
+ </div><div class="para">
For further information about file system labeling, refer to James Morris's
"Filesystem Labeling in SELinux" article: <a
href="http://www.linuxjournal.com/article/7426">http://www.l...;.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context
Mounts</h3></div></div></div><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context
Mounts</h3></div></div></div><div class="para">
To mount a file system with the specified context, overriding existing contexts if
they exist, or to specify a different, default context for a file system that does not
support extended attributes, as the Linux root user, use the <code
class="command">mount -o context=<em
class="replaceable"><code>SELinux_user:role:type:level</code></em></code>
command when mounting the desired file system. Context changes are not written to disk. By
default, NFS mounts on the client side are labeled with a default context defined by
policy for NFS file systems. In common policies, this default context uses the <code
class="computeroutput">nfs_t</code> type. Without additional mount
options, this may prevent sharing NFS file systems via other services, such as the Apache
HTTP Server. The following example mounts an NFS file system so that it can be shared via
the Apache HTTP Server:
- </p><p>
+ </div><div class="para">
<pre class="screen"># mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"
</pre>
- </p><p>
+ </div><div class="para">
Newly-created files and directories on this file system appear to have the SELinux
context specified with <code class="option">-o context</code>;
however, since context changes are not written to disk for these situations, the context
specified with the <code class="option">context</code> option is
only retained if the <code class="option">context</code> option is
used on the next mount, and if the same context is specified.
- </p><p>
+ </div><div class="para">
Type Enforcement is the main permission control used in SELinux targeted policy. For
the most part, SELinux users and roles can be ignored, so, when overriding the SELinux
context with <code class="option">-o context</code>, use the SELinux
<code class="computeroutput">system_u</code> user and <code
class="computeroutput">object_r</code> role, and concentrate on the
type. If you are not using the MLS policy or multi-category security, use the <code
class="computeroutput">s0</code> level.
- </p><div class="note"><h2>Note</h2><p>
+ </div><div class="note"><h2>Note</h2><div
class="para">
When a file system is mounted with a <code
class="option">context</code> option, context changes (by users and
processes) are prohibited. For example, running <code
class="command">chcon</code> on a file system mounted with a <code
class="option">context</code> option results in a <code
class="computeroutput">Operation not supported</code> error.
- </p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Prev</strong>5.8. The
file_t and default_t Types</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Next</strong>5.9.2. Changing
the Default Context</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Prev</strong>5.8. The
file_t and default_t Types</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Next</strong>5.9.2. Changing
the Default Context</a></li></ul></body></html>
\ No newline at end of file
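Review bot: the example `mount server:/export /local/mount/point -o context="system_u:object_r:httpd_sys_content_t:s0"` labels every file on the export as web content, and the surrounding text never says so. Add a sentence that the context applies to the whole mount, so the export (or the mounted subtree) should contain only what Apache may read, and cross-reference the NFS/CIFS booleans section (`5.6.3. Booleans for NFS and CIFS`, linked from the next file in this commit) as the alternative that leaves the `nfs_t` label in place. Next to `Newly-created files and directories on this file system appear to have the SELinux context specified with -o context` it is worth stating the consequence explicitly: on a file system that does support extended attributes, files created under a `context=` mount get no `security.selinux` attribute written, so after a remount without the option they carry whatever label the file system gives attribute-less files, not the old context. Nit: the old revision's `Prev` link and the new revision's docs URL are split mid-token (`sect-Security-E` / `nhanced_Linux...`, `http://docs.fe` / `doraproject.org`); confirm this is only mail wrapping and not present in the committed file.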
Index:
sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html 24
Nov 2008 22:43:13 -0000 1.1
+++
sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html 24
Jan 2009 03:48:03 -0000 1.2
@@ -1,72 +1,72 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Contexts - Labeling Files</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"
title="5.6.3. Examples: Booleans for NFS and CIFS"/><link
rel="next"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"
title="5.7.2. Persistent Changes: semanage
fcontext"/></head><body><p id="title"><a
href="http://docs.fedoraproject.org"><strong>5.7. SELinux Contexts -
Labeling Files</strong></a></p><ul class="docnav"><li
class
="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux
Contexts - Labeling Files</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Contexts - Labeling Files</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html"
title="5.6.3. Booleans for NFS and CIFS"/><link rel="next"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"
title="5.7.2. Persistent Changes: semanage fcontext"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" h
ref="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux
Contexts - Labeling Files</h2></div></div></div><div
class="para">
On systems running SELinux, all processes and files are labeled with a label that
contains security-relevant information. This information is called the SELinux context.
For files, this is viewed using the <code class="command">ls
-Z</code> command:
- </p><pre class="screen">$ ls -Z file1
+ </div><pre class="screen">$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-</pre><p>
+</pre><div class="para">
In this example, SELinux provides a user (<code
class="computeroutput">unconfined_u</code>), a role (<code
class="computeroutput">object_r</code>), a type (<code
class="computeroutput">user_home_t</code>), and a level (<code
class="computeroutput">s0</code>). This information is used to make
access control decisions. On DAC systems, access is controlled based on Linux user and
group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not
used if DAC rules deny access first.
- </p><p>
+ </div><div class="para">
There are multiple commands for managing the SELinux context for files, such as
<code class="command">chcon</code>, <code
class="command">semanage fcontext</code>, and <code
class="command">restorecon</code>.
- </p><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary
Changes: chcon</h3></div></div></div><p>
+ </div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary
Changes: chcon</h3></div></div></div><div
class="para">
The <code class="command">chcon</code> command changes the
SELinux context for files. These changes do not survive a file system relabel, or the
<code class="command">/sbin/restorecon</code> command. SELinux
policy controls whether users are able to modify the SELinux context for any given file.
When using <code class="command">chcon</code>, users provide all or
part of the SELinux context to change. An incorrect file type is a common cause of SELinux
denying access.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Quick_Reference">Quick
Reference</h5>
- <div class="itemizedlist"><ul><li><p>
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Quick_Reference">Quick
Reference</h5>
+ <div class="itemizedlist"><ul><li><div
class="para">
Run the <code class="command">chcon -t <em
class="replaceable"><code>type</code></em> <em
class="replaceable"><code>file-name</code></em></code>
command to change the file type, where <em
class="replaceable"><code>type</code></em> is a type, such
as <code class="computeroutput">httpd_sys_content_t</code>, and
<em class="replaceable"><code>file-name</code></em> is a
file or directory name.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">chcon -R -t <em
class="replaceable"><code>type</code></em> <em
class="replaceable"><code>directory-name</code></em></code>
command to change the type of the directory and its contents, where <em
class="replaceable"><code>type</code></em> is a type, such
as <code class="computeroutput">httpd_sys_content_t</code>, and
<em class="replaceable"><code>directory-name</code></em>
is a directory name.
- </p></li></ul></div>
- <h5 class="formalpara"
id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Files_or_Directorys_Type">Changing
a File's or Directory's Type</h5>
+ </div></li></ul></div>
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Files_or_Directorys_Type">Changing
a File's or Directory's Type</h5>
The following example demonstrates changing the type, and no other attributes of the
SELinux context:
- <div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
Run the <code class="command">cd</code> command without
arguments to change into your home directory.
- </p></li><li><p>
+ </div></li><li><div class="para">
Run the <code class="command">touch file1</code> command to
create a new file. Use the <code class="command">ls -Z file1</code>
command to view the SELinux context for <code
class="filename">file1</code>:
- </p><pre class="screen">$ ls -Z file1
+ </div><pre class="screen">$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-</pre><p>
- In this example, the SELinux context for <code
class="filename">file1</code> includes the SELinux <code
class="computeroutput">unconfined_u</code> user, <code
class="computeroutput">object_r</code> role, <code
class="computeroutput">user_home_t</code> type, and the <code
class="computeroutput">s0</code> level. For a description of each part
of the SELinux context, refer to <a class="xref"
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"
title="Chapter 3. SELinux Contexts">Chapter 3, <i>SELinux
Contexts</i></a>.
- </p></li><li><p>
+</pre><div class="para">
+ In this example, the SELinux context for <code
class="filename">file1</code> includes the SELinux <code
class="computeroutput">unconfined_u</code> user, <code
class="computeroutput">object_r</code> role, <code
class="computeroutput">user_home_t</code> type, and the <code
class="computeroutput">s0</code> level. For a description of each part
of the SELinux context, refer to <a
href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"
title="Chapter 3. SELinux Contexts">Chapter 3, <i
xmlns:xlink="http://www.w3.org/1999/xlink">SELinux
Contexts</i></a>.
+ </div></li><li><div class="para">
Run the <code class="command">chcon -t samba_share_t
file1</code> command to change the type to <code
class="computeroutput">samba_share_t</code>. The <code
class="option">-t</code> option only changes the type. View the change
with <code class="command">ls -Z file1</code>:
- </p><pre class="screen">$ ls -Z file1
+ </div><pre class="screen">$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:samba_share_t:s0 file1
-</pre></li><li><p>
+</pre></li><li><div class="para">
Use the <code class="command">/sbin/restorecon -v
file1</code> command to restore the SELinux context for the <code
class="filename">file1</code> file. Use the <code
class="option">-v</code> option to view what changes:
- </p><pre class="screen">$ /sbin/restorecon -v file1
+ </div><pre class="screen">$ /sbin/restorecon -v file1
restorecon reset file1 context
unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
-</pre><p>
+</pre><div class="para">
In this example, the previous type, <code
class="computeroutput">samba_share_t</code>, is restored to the
correct, <code class="computeroutput">user_home_t</code> type. When
using targeted policy (the default SELinux policy in Fedora 10), the <code
class="command">/sbin/restorecon</code> command reads the files in the
<code class="filename">/etc/selinux/targeted/contexts/files/</code>
directory, to see which SELinux context files should have.
- </p></li></ol></div><p>
+ </div></li></ol></div><div class="para">
The example in this section works the same for directories, for example, if <code
class="filename">file1</code> was a directory.
- </p><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Directory_and_its_Contents_Types">Changing
a Directory and its Contents Types</h5>
+ </div><div class="formalpara"><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Changing_a_Directory_and_its_Contents_Types">Changing
a Directory and its Contents Types</h5>
The following example demonstrates creating a new directory, and changing the
directory's file type (along with its contents) to a type used by the Apache HTTP
Server. The configuration in this example is used if you want Apache HTTP Server to use a
different document root (instead of <code
class="filename">/var/www/html/</code>):
- <div class="orderedlist"><ol><li><p>
+ </div><div class="orderedlist"><ol><li><div
class="para">
As the Linux root user, run the <code class="command">mkdir
/web</code> command to create a new directory, and then the <code
class="command">touch /web/file{1,2,3}</code> command to create 3 empty
files (<code class="filename">file1</code>, <code
class="filename">file2</code>, and <code
class="filename">file3</code>). The <code
class="filename">/web/</code> directory and files in it are labeled
with the <code class="computeroutput">default_t</code> type:
- </p><pre class="screen"># ls -dZ /web
+ </div><pre class="screen"># ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code class="command">chcon -R -t
httpd_sys_content_t /web/</code> command to change the type of the <code
class="filename">/web/</code> directory (and its contents) to <code
class="computeroutput">httpd_sys_content_t</code>:
- </p><pre class="screen"># chcon -R -t httpd_sys_content_t
/web/
+ </div><pre class="screen"># chcon -R -t httpd_sys_content_t
/web/
# ls -dZ /web/
drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
# ls -lZ /web/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
-</pre></li><li><p>
+</pre></li><li><div class="para">
As the Linux root user, run the <code
class="command">/sbin/restorecon -R -v /web/</code> command to restore
the default SELinux contexts:
- </p><pre class="screen"># /sbin/restorecon -R -v /web/
+ </div><pre class="screen"># /sbin/restorecon -R -v /web/
restorecon reset /web context
unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context
unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file3 context
unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context
unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
-</pre></li></ol></div><p>
+</pre></li></ol></div><div class="para">
Refer to the <span class="citerefentry"><span
class="refentrytitle">chcon</span>(1)</span> manual page for
further information about <code class="command">chcon</code>.
- </p><div class="note"><h2>Note</h2><p>
+ </div><div class="note"><h2>Note</h2><div
class="para">
Type Enforcement is the main permission control used in SELinux targeted policy. For
the most part, SELinux users and roles can be ignored.
- </p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"><strong>Prev</strong>5.6.3. Examples:
Booleans for NFS and CIFS</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Next</strong>5.7.2. Persistent
Changes: semanage fcontext</a></li></ul></body></html>
\ No newline at end of file
+ </div></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html"><strong>Prev</strong>5.6.3. Booleans
for NFS and CIFS</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Next</strong>5.7.2. Persistent
Changes: semanage fcontext</a></li></ul></body></html>
\ No newline at end of file
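Review bot: step 3 of the chcon example (the `/sbin/restorecon -R -v /web/` block) undoes step 2 without the prose saying so: the `-v` output shows every entry going from `unconfined_u:object_r:httpd_sys_content_t:s0` back to `system_u:object_r:default_t:s0`, which leaves Apache unable to serve `/web/` again. Since the section is titled "Temporary Changes", add one sentence next to that block stating that any relabel (restorecon, setfiles, or a full relabel) discards contexts set with chcon because `/web` has no entry in the file-context configuration, and that the semanage fcontext page linked as "Next" is how to make the change persist. Also, the "Prev" target is renamed in this hunk (`sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html` becomes `sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html`), so the old file needs to be removed or redirected in the same commit, otherwise the previously published URL 404s.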
Index: sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html 24 Nov 2008
22:43:13 -0000 1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html 24 Jan 2009
03:48:03 -0000 1.2
@@ -1,16 +1,16 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Modes</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"
title="5.4.2. Disabling SELinux"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"
title="5.6. Booleans"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.5. SELinux
Modes</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><str
ong>Prev</strong></a></li><li class="next"><a
accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux
Modes</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
Modes</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"
title="5.4.2. Disabling SELinux"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"
title="5.6. Booleans"/></head><body class=""><p
id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png"
alt="Documentation Site"/></a></p><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux
Modes</h2></div></div></div><div class="para">
SELinux has three modes:
- </p><div class="itemizedlist"><ul><li><p>
+ </div><div class="itemizedlist"><ul><li><div
class="para">
Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy
rules.
- </p></li><li><p>
+ </div></li><li><div class="para">
Permissive: SELinux policy is not enforced. SELinux does not deny access, but
denials are logged for actions that would have been denied if running in enforcing mode.
- </p></li><li><p>
+ </div></li><li><div class="para">
Disabled: SELinux is disabled. Only DAC rules are used.
- </p></li></ul></div><p>
+ </div></li></ul></div><div class="para">
Use the <code class="command">/usr/sbin/setenforce</code>
command to change between enforcing and permissive mode. Changes made with <code
class="command">/usr/sbin/setenforce</code> do not persist across
reboots. To change to enforcing mode, as the Linux root user, run the <code
class="command">/usr/sbin/setenforce 1</code> command. To change to
permissive mode, run the <code class="command">/usr/sbin/setenforce
0</code> command. Use the <code
class="command">/usr/sbin/getenforce</code> command to view the current
SELinux mode.
- </p><p>
- Persistent mode changes are covered in <a class="xref"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"
title="5.4. Enabling and Disabling SELinux">Section 5.4, “Enabling and
Disabling SELinux”</a>.
- </p></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Prev</strong>5.4.2. Disabling
SELinux</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Next</strong>5.6. Booleans</a></li></ul></body></html>
\ No newline at end of file
+ </div><div class="para">
+ Persistent mode changes are covered in <a
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"
title="5.4. Enabling and Disabling SELinux">Section 5.4, “Enabling and
Disabling SELinux”</a>.
+ </div></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Prev</strong>5.4.2. Disabling
SELinux</a></li><li class="up"><a accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Next</strong>5.6. Booleans</a></li></ul></body></html>
\ No newline at end of file
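Review bot: the "Up" entry in the new docnav at the end of the hunk still reads `href="#"`, which only reloads the current page, while the `<link rel="up">` in the head correctly points at `chap-Security-Enhanced_Linux-Working_with_SELinux.html`; the two should agree. On the content, the setenforce paragraph is correct that `/usr/sbin/setenforce 1` and `0` switch between enforcing and permissive, but since the list above it introduces a third mode, it should say explicitly that "Disabled" cannot be entered or left with setenforce and is only reachable through the persistent configuration covered in Section 5.4, so a reader does not try `setenforce` to turn SELinux off. Separately, the cross-reference lost its `class="xref"` attribute (old `<a class="xref"`, new bare `<a`); if default.css styles xref links, confirm this is an intended change from the package bump to 1.1-1 rather than a regression.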
Index:
sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
---
sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html 24
Nov 2008 22:43:13 -0000 1.1
+++
sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html 24
Jan 2009 03:48:03 -0000 1.2
@@ -1,10 +1,10 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g... file_t
and default_t Types</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"
title="5.7.2. Persistent Changes: semanage fcontext"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.8. The file_t and
default_t Types</strong></a></p><ul
class="docnav"><li class="previous"><a accesske
y="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The
file_t and default_t Types</h2></div></div></div><p>
- On file systems that support extended attributes, when a file that lacks an SELinux
context on disk is accessed, it is treated as if it had a default context as defined by
SELinux policy. In common policies, this default context uses the <code
class="computeroutput">file_t</code> type. This should be the only use
of this type, so that files without a context on disk can be distinguished in policy, and
generally kept inaccessible to confined domains. The <code
class="computeroutput">file_t</code> type should not exist on
correctly-labeled file systems, because all files on a system running SELinux should have
an SELinux context, and the <code
class="computeroutput">file_t</code> type is never used in file-context
configuration<sup>[<a id="d0e3720" href="#ftn.d0e3720"
class="footnote">11</a>]</sup>.
- </p><p>
- The <code class="computeroutput">default_t</code> type is used
on files that do not match any other pattern in file-context configuration, so that such
files can be distinguished from files that do not have a context on disk, and generally
kept inaccessible to confined domains. If you create a new top-level directory, such as
<code class="filename">/mydirectory/</code>, this directory may be
labeled with the <code class="computeroutput">default_t</code> type.
If services need access to such a directory, update the file-contexts configuration for
this location. Refer to <a class="xref"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"
title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2,
“Persistent Changes: semanage fcontext”</a> for details on adding a context to the
file-context configuration.
- </p><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e3720"
href="#d0e3720" class="para">11</a>] </sup>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g... file_t
and default_t Types</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"
title="5.7.2. Persistent Changes: semanage fcontext"/><link
rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"
title="5.9. Mounting File Systems"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right" hr
ef="http://docs.fedoraproject.org"><img
src="Common_Content/images/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The
file_t and default_t Types</h2></div></div></div><div
class="para">
+ On file systems that support extended attributes, when a file that lacks an SELinux
context on disk is accessed, it is treated as if it had a default context as defined by
SELinux policy. In common policies, this default context uses the <code
class="computeroutput">file_t</code> type. This should be the only use
of this type, so that files without a context on disk can be distinguished in policy, and
generally kept inaccessible to confined domains. The <code
class="computeroutput">file_t</code> type should not exist on
correctly-labeled file systems, because all files on a system running SELinux should have
an SELinux context, and the <code
class="computeroutput">file_t</code> type is never used in file-context
configuration<sup>[<a id="d0e3729"
href="#ftn.d0e3729">11</a>]</sup>.
+ </div><div class="para">
+ The <code class="computeroutput">default_t</code> type is used
on files that do not match any other pattern in file-context configuration, so that such
files can be distinguished from files that do not have a context on disk, and generally
kept inaccessible to confined domains. If you create a new top-level directory, such as
<code class="filename">/mydirectory/</code>, this directory may be
labeled with the <code class="computeroutput">default_t</code> type.
If services need access to such a directory, update the file-contexts configuration for
this location. Refer to <a
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"
title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2,
“Persistent Changes: semanage fcontext”</a> for details on adding a context to the
file-context configuration.
+ </div><div class="footnotes"><br/><hr/><div
class="footnote"><p><sup>[<a id="ftn.d0e3729"
href="#d0e3729">11</a>] </sup>
Files in <code
class="filename">/etc/selinux/targeted/contexts/files/</code> define
contexts for files and directories. Files in this directory are read by <code
class="command">restorecon</code> and <code
class="command">setfiles</code> to restore files and directories to
their default contexts.
</p></div></div></div><ul
class="docnav"><li class="previous"><a
accesskey="p"
href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Prev</strong>5.7.2. Persistent
Changes: semanage fcontext</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Next</strong>5.9. Mounting
File Systems</a></li></ul></body></html>
\ No newline at end of file
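Review bot: the footnote anchors changed from `d0e3720`/`ftn.d0e3720` to `d0e3729`/`ftn.d0e3729` in a rebuild that did not touch the footnote text, so these ids are generator-assigned node offsets that will move again on every build, and any bookmark to `#ftn.d0e3720` now silently breaks; give the footnote a stable id in the source so the rendered anchor survives rebuilds. On the content, the default_t paragraph says a new top-level directory such as `/mydirectory/` "may be labeled with" default_t; tie that to the paragraph's own first sentence (default_t is what a file gets when no pattern in the file-context configuration matches) and to the footnote, which already names `/etc/selinux/targeted/contexts/files/` as where those patterns live, so it is obvious why the remedy is to add a pattern with semanage fcontext rather than to relabel by hand.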
Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html
===================================================================
RCS file:
/cvs/fedora/web/html/docs/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html 24 Nov
2008 22:43:13 -0000 1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html 24 Jan
2009 03:48:03 -0000 1.2
@@ -1,29 +1,29 @@
<?xml version="1.0" encoding="UTF-8"
standalone="no"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g... Log
File is Used</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"
title="5.3. Main Configuration File"/></head><body><p
id="title"><a
href="http://docs.fedoraproject.org"><strong>5.2. Which Log File is
Used</strong></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><str
ong>Prev</strong></a></li><li class="next"><a
accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which
Log File is Used</h2></div></div></div><p>
+<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g... Log
File is Used</title><link rel="stylesheet"
href="./Common_Content/css/default.css" type="text/css"/><meta
name="generator" content="publican"/><meta
name="package"
content="Fedora-Security-Enhanced_Linux-10-en-US-1.1-1"/><link
rel="start" href="index.html" title="Security-Enhanced
Linux"/><link rel="up"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="prev"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"
title="Chapter 5. Working with SELinux"/><link rel="next"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"
title="5.3. Main Configuration File"/></head><body
class=""><p id="title"><a class="left"
href="http://www.fedoraproject.org"><img
src="Common_Content/images/image_left.png" alt="Product
Site"/></a><a class="right"
href="http://docs.fedoraproject.org"><img src="Common_Content/imag
es/image_right.png" alt="Documentation
Site"/></a></p><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Next</strong></a></li></ul><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which
Log File is Used</h2></div></div></div><div
class="para">
In Fedora 10, the <span
class="package">setroubleshoot-server</span> and <span
class="package">audit</span> packages are installed if packages are not
removed from the default package selection. These packages include the <code
class="systemitem">setroubleshootd</code> and <code
class="systemitem">auditd</code> daemons respectively. These daemons
run by default.
- </p><p>
+ </div><div class="para">
SELinux denial messages, such as the following, are written to <code
class="filename">/var/log/audit/audit.log</code> by default:
- </p><pre class="screen">type=AVC msg=audit(1223024155.684:49):
avc: denied { getattr } for pid=2000 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=399185
scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0
tclass=file
-</pre><p>
- Also, if <code class="systemitem">setroubleshootd</code> is
running, which is it by default, denial messages from <code
class="filename">/var/log/audit/audit.log</code> are translated to an
easier-to-read form and sent to <code
class="filename">/var/log/messages</code>:
- </p><pre class="screen">Oct 3 18:55:56 localhost setroubleshoot:
SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1
(samba_share_t). For complete SELinux messages. run sealert -l
de7e30d6-5488-466d-a606-92c9f40d316d
-</pre><p>
+ </div><pre class="screen">type=AVC msg=audit(1223024155.684:49):
avc: denied { getattr } for pid=2000 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=399185
scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0
tclass=file
+</pre><div class="para">
+ Also, if <code class="systemitem">setroubleshootd</code> is
running, which it is by default, denial messages from <code
class="filename">/var/log/audit/audit.log</code> are translated to an
easier-to-read form and sent to <code
class="filename">/var/log/messages</code>:
+ </div><pre class="screen">Oct 3 18:55:56 localhost
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to
/var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l
de7e30d6-5488-466d-a606-92c9f40d316d
+</pre><div class="para">
Denial messages are sent to a different location, depending on which daemons are
running:
- </p><div class="segmentedlist"><table
border="0"><thead><tr
class="segtitle"><th>Daemon</th><th>Log
Location</th></tr></thead><tbody><tr
class="seglistitem"><td class="seg">auditd
on</td><td class="seg"><code
class="filename">/var/log/audit/audit.log</code></td></tr><tr
class="seglistitem"><td class="seg">auditd off; rsyslogd
on</td><td class="seg"><code
class="filename">/var/log/messages</code></td></tr><tr
class="seglistitem"><td class="seg">setroubleshootd,
rsyslogd, and auditd on</td><td class="seg"><code
class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial
messages also sent to <code
class="filename">/var/log/messages</code></td></tr></tbody></table></div><h5
class="formalpara"
id="form-Security-Enhanced_Linux-Which_Log_File_is_Used-Starting_Daemons_Automatically">Starting
Daemons Automatically</h5>
+ </div><div class="segmentedlist"><table
border="0"><thead><tr
class="segtitle"><th>Daemon</th><th>Log
Location</th></tr></thead><tbody><tr
class="seglistitem"><td class="seg">auditd
on</td><td class="seg"><code
class="filename">/var/log/audit/audit.log</code></td></tr><tr
class="seglistitem"><td class="seg">auditd off; rsyslogd
on</td><td class="seg"><code
class="filename">/var/log/messages</code></td></tr><tr
class="seglistitem"><td class="seg">setroubleshootd,
rsyslogd, and auditd on</td><td class="seg"><code
class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial
messages also sent to <code
class="filename">/var/log/messages</code></td></tr></tbody></table></div><div
class="formalpara"><h5 class="formalpara"
id="form-Security-Enhanced_Linux-Which_Log_File_is_Used-Starting_Daemons_Automatically">Starting
Daemons Automatically</h5>
To configure the <code class="systemitem">auditd</code>,
<code class="systemitem">rsyslogd</code>, and <code
class="systemitem">setroubleshootd</code> daemons to automatically
start at boot, run the following commands as the Linux root user:
- <pre class="screen">/sbin/chkconfig --levels 2345 auditd on
+ </div><pre class="screen">/sbin/chkconfig --levels 2345 auditd
on
</pre><pre class="screen">/sbin/chkconfig --levels 2345 rsyslog on
</pre><pre class="screen">/sbin/chkconfig --levels 345
setroubleshoot on
-</pre><p>
+</pre><div class="para">
Use the <code class="command">service <em
class="replaceable"><code>service-name</code></em>
status</code> command to check if these services are running, for example:
- </p><pre class="screen">
+ </div><pre class="screen">
$ /sbin/service auditd status
auditd (pid <em
class="replaceable"><code>1318</code></em>) is running...
-</pre><p>
+</pre><div class="para">
If the above services are not running (<code
class="computeroutput"><em
class="replaceable"><code>service-name</code></em> is
stopped</code>), use the <code class="command">service <em
class="replaceable"><code>service-name</code></em>
start</code> command as the Linux root user to start them. For example:
- </p><pre class="screen">
+ </div><pre class="screen">
# /sbin/service setroubleshoot start
Starting setroubleshootd: [ OK ]
</pre></div><ul class="docnav"><li
class="previous"><a accesskey="p"
href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Prev</strong>Chapter 5. Working
with SELinux</a></li><li class="up"><a
accesskey="u"
href="#"><strong>Up</strong></a></li><li
class="home"><a accesskey="h"
href="index.html"><strong>Home</strong></a></li><li
class="next"><a accesskey="n"
href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Next</strong>5.3. Main
Configuration File</a></li></ul></body></html>
\ No newline at end of file
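Review bot: the three chkconfig lines at the end of the hunk use `--levels 2345` for auditd and rsyslog but `--levels 345` for setroubleshoot; if runlevel 2 is deliberately excluded for setroubleshoot, say why, otherwise make them consistent, since a reader copying the block will wonder. The "which is it by default" to "which it is by default" fix is good. Two smaller points: the status example (`$ /sbin/service auditd status`) is shown with an unprivileged prompt while the start example uses `#`, so only the second matches the "as the Linux root user" wording; and the "auditd off; rsyslogd on" row of the segmented list would be clearer if it said that in that case the raw `type=AVC` lines land in `/var/log/messages`, because the table's third row makes clear the easier-to-read text only appears when setroubleshootd is also running.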