BTW, there is a freeze date of 10 Feb. Midnight UTC for getting guides,
such as this one, translated. Plan to get all of your FC5 changes in by
that date. We'll tag a freeze at that point, and you can continue
writing at that point. We'll arrange translation freezes for new
content later, such as the final FC5 content freeze for guides on 03
Mar.
On Fri, 2006-02-03 at 17:41 -0500, Chad Sellers wrote:
Author: csellers
Update of /cvs/docs/selinux-faq
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2745
Modified Files:
selinux-faq-en.xml
Log Message:
First cut at an FC5 FAQ. Still missing several necessary new items, but
old items should be consistent with FC5 now.
Index: selinux-faq-en.xml
===================================================================
RCS file: /cvs/docs/selinux-faq/selinux-faq-en.xml,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- selinux-faq-en.xml 29 Jun 2005 14:51:04 -0000 1.25
+++ selinux-faq-en.xml 3 Feb 2006 22:40:55 -0000 1.26
@@ -6,11 +6,11 @@
<!ENTITY % FEDORA-ENTITIES-EN SYSTEM
"../docs-common/common/fedora-entities-en.ent">
%FEDORA-ENTITIES-EN;
-<!ENTITY BOOKID "selinux-faq-1.3-8 (2005-01-20-T16:20-0800)"> <!--
version of manual and date -->
+<!ENTITY DOCID "selinux-faq-1.5-1 (2005-12-30-T12:21-0500)"> <!--
version of manual and date -->
<!-- ************** local entities *********** -->
<!ENTITY APACHE "Apache HTTP">
-<!ENTITY LOCALVER "3"> <!-- Set value to your choice, when guide
version is out -->
+<!ENTITY LOCALVER "5"> <!-- Set value to your choice, when guide
version is out -->
<!-- of sync with FC release, use instead of FEDVER or FEDTESTVER -->
<!ENTITY BUG-URL
"https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora%20Core&op_sys=Linux&version=fc3&component=fedora-docs&component_text=&rep_platform=All&priority=normal&bug_severity=normal&bug_status=NEW&assigned_to=kwade%40redhat.com&cc=&estimated_time=0.0&bug_file_loc=http%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq-fc3%2F&short_desc=SELinux%20FAQ%20-%20%5Bsummarize%20FAQ%20change%20or%20addition%5D&comment=Description%20of%20change%2FFAQ%20addition.%20%20If%20a%20change%2C%20include%20the%20original%0D%0Atext%20first%2C%20then%20the%20changed%20text%3A%0D%0A%0D%0A%0D%0A%0D%0AVersion-Release&percn!
t;20of%20FAQ%20%28found%20on%0D%0Ahttp%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq-fc3%2Fln-legalnotice.html%29%2C%0D%0Afor%20example%3A%0D%0A%0D%0A%20%20selinux-faq-1.3-8%20%282005-01-20-T16%3A20-0800%29%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A&keywords=&dependson=&blocked=118757%20%20&maketemplate=Remember%20values%20as%20bookmarkable%20template&form_name=enter_bug">
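Review bot: the BUG-URL entity immediately below still carries version=fc3 and a bug_file_loc pointing at selinux-faq-fc3, while LOCALVER is bumped from 3 to 5 and the new DOCID reads selinux-faq-1.5-1; update the URL's version and document path in the same commit so bug reports land against the right release. Renaming the entity from BOOKID to DOCID means any remaining `&BOOKID;` reference elsewhere in the file or in the shared includes will now fail entity resolution, so grep for it before committing. The DOCID timestamp 2005-12-30 predates this 2006-02-03 commit; refresh it on each cut.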
@@ -28,6 +28,10 @@
<surname>Wade</surname>
<firstname>Karsten</firstname>
</author>
+ <author>
+ <surname>Sellers</surname>
+ <firstname>Chad</firstname>
+ </author>
</authorgroup>
&LEGALNOTICE;
</articleinfo>
@@ -43,8 +47,9 @@
<note>
<title>This FAQ is specific to &FC; &LOCALVER;</title>
<para>
- If you are looking for the FAQ for &FC; 2, refer to <ulink
-
url="http://fedora.redhat.com/docs/selinux-faq-fc2/" />.
+ If you are looking for the FAQ for &FC; 2 or &FC; 3, refer to <ulink
+
url="http://fedora.redhat.com/docs/selinux-faq-fc2/" /> or
<ulink
+
url="http://fedora.redhat.com/docs/selinux-faq-fc3/" />,
respectively.
</para>
</note>
<para>
@@ -80,13 +85,29 @@
</listitem>
<listitem>
<para>
- Writing SE Linux policy HOWTO — <ulink
+ Writing traditional SE Linux policy HOWTO — <ulink
url="https://sourceforge.net/docman/display_doc.php?docid=21959&...
/>
</para>
</listitem>
<listitem>
<para>
+ Reference Policy (the new policy found in &FC; 5) — <ulink
+
url="http://serefpolicy.sourceforge.net/"
+ />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ SELinux policy development training courses — <ulink
+
url="http://tresys.com/services/training.shtml"
+ /> and <ulink
+
url="https://www.redhat.com/training/security/courses/rhs429.html"
+ />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
Getting Started with SE Linux HOWTO: the new SE Linux (Debian) —
<ulink
url="https://sourceforge.net/docman/display_doc.php?docid=20372&...
/>
@@ -94,6 +115,13 @@
</listitem>
<listitem>
<para>
+ List of SELinux object classes and permissions —
+ <ulink
+
url="http://tresys.com/selinux/obj_perms_help.shtml" />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
On IRC —
irc.freenode.net, #fedora-selinux
</para>
</listitem>
@@ -110,7 +138,7 @@
<title>Making changes/additions to the &FED; &SEL;
FAQ</title>
<para>
This FAQ is available at <ulink
-
url="http://fedora.redhat.com/docs/selinux-faq-fc3/">http://...;.
+
url="http://fedora.redhat.com/docs/selinux-faq-fc5/">http://...;.
</para>
<para>
For changes or additions to the &FED; &SEL; FAQ, use this <ulink
@@ -224,29 +252,49 @@
delivered in a package, with an associated source package. Current
shipping policy packages are:
</para>
+ <itemizedlist>
+ <listitem>
+
<para><filename>selinux-policy-<replaceable><version></replaceable>.noarch.rpm</filename>
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ This package is common to all types of policy and contains config
+ files/man pages.
+ </para>
+ <itemizedlist>
+ <listitem>
+
<para><filename>selinux-policy-devel-<replaceable><version></replaceable>.noarch.rpm</filename>
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ This is the development environment. This replaces the -sources
+ package from the past. This package contains the interface files
+ used in reference policy along with a Makefile and a small tool
+ used to generate a policy template file. The interface files
+ reside in /usr/share/selinux/refpolicy/headers directory.
+ </para>
<itemizedlist>
<listitem>
-
<para><filename>selinux-policy-strict-<replaceable><version-arch></replaceable>.rpm</filename>
- and
-
<filename>selinux-policy-strict-sources-<replaceable><version-arch></replaceable>.rpm</filename>
+
<para><filename>selinux-policy-strict-<replaceable><version></replaceable>.noarch.rpm</filename>
</para>
</listitem>
<listitem>
<para>
-
<filename>selinux-policy-targeted-<replaceable><version-arch></replaceable>.rpm</filename>
- and
-
<filename>selinux-policy-targeted-sources-<replaceable><version-arch></replaceable>.rpm</filename>
+
<filename>selinux-policy-targeted-<replaceable><version></replaceable>.noarch.rpm</filename>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+
<filename>selinux-policy-mls-<replaceable><version></replaceable>.noarch.rpm</filename>
</para>
</listitem>
</itemizedlist>
<para>
- Policy source resides in
-
<filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy</filename>,
- when it is installed, and the binary policy file is in
-
<filename>/etc/selinux/<replaceable>policyname</replaceable>/policy</filename>.
- Policy source is not required for ultra-minimal installations. The
- policy for the types and domains is configured separately from
- security context for the subjects and objects.
+ Binary policy files are in /etc/selinux/policyname. The policy for the
+ types and domains is configured separately from security context for the
+ subjects and objects.
</para>
</answer>
</qandaentry>
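Review bot: the three single-item <itemizedlist> blocks with a <para> between each read as one list broken apart; put each package together with its description in one <listitem> (or use a <variablelist> with the package name as <term>) so the rendered output stays a single list. The new paths `/usr/share/selinux/refpolicy/headers` and `/etc/selinux/policyname` lack the <filename> markup and the <replaceable>policyname</replaceable> that the lines being removed used, and `/etc/selinux/policyname` drops the `/policy` subdirectory that the removed text (and the later answer about policy.<version>) names as the binary policy location; keep that precision, e.g. `<filename>/etc/selinux/<replaceable>policyname</replaceable>/policy</filename>`.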
@@ -374,6 +422,47 @@
<qandaentry>
<question>
<para>
+ What is the mls policy? Who is it for?
+ </para>
+ </question>
+ <answer>
+ <para>
+ The mls policy is similar to the strict policy, but adds an additional
+ field to security contexts for separating levels. These levels can be
+ used to separate data in an environment that calls for strict
+ hierarchical separation. The most common example of this is a military
+ setting where data is classified at a certain level. This policy is
+ geared toward these sorts of users, and is probably not useful to
+ you unless you fall into this category.
+ </para>
+ </answer>
+ </qandaentry>
+ <qandaentry id="faq-entry-whatis-refpolicy"
xreflabel="Reference Policy">
+ <question>
+ <para>
+ What is the Reference Policy?
+ </para>
+ </question>
+ <answer>
+ <para>
+ The Reference Policy
+ is a new project designed to rewrite the entire SELinux policy in a
+ way that is easier to use and understand. To do this, it uses
+ the concepts of modularity, abstraction, and well-defined interfaces.
+ See <ulink
+
url="http://serefpolicy.sourceforge.net/">it's project
page</ulink>
+ for more information on it.
+ </para>
+ <para>
+ Fedora policies at version 1.x are based on the traditional example
+ policy. Policies version 2.x (as used in &FC; &LOCALVER;) are based
+ on the Reference Policy.
+ </para>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
What are file contexts?
</para>
</question>
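Review bot: "it's project page" should be "its project page" in the Reference Policy answer. Giving that entry an id and xreflabel is right, since a later hunk cross-references it with <xref linkend="faq-entry-whatis-refpolicy"/>; consider giving the new mls entry an id as well so it can be referenced the same way. In the mls answer "adds an additional field" is redundant; "adds a field" reads better.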
@@ -423,8 +512,8 @@
<para>
There is no difference between a domain and a type, although
domain is sometimes used to refer to the type of a process. The
- use of domain in this way stems from traditional TE models, where
- domains and types are separate.
+ use of domain in this way stems from Domain and Type Enforcement (DTE)
+ models, where domains and types are separate.
</para>
</answer>
</qandaentry>
@@ -796,7 +885,7 @@
kernel command line to turn system-call auditing off.
</para>
<para>
- System-call auditing is off by default. When on, it provides
+ System-call auditing is on by default. When on, it provides
information about the system-call that was executing when SELinux
generated a <computeroutput>denied</computeroutput> message.
This
may be helpful when debugging policy.
@@ -812,8 +901,8 @@
</question>
<answer>
<para>
- This is not supported at this time. In the future, a utility will
- be provided to tune auditing.
+ To do this, run <command>auditctl -e 0</command>. Note that this
+ will not affect auditing of SELinux AVC denials.
</para>
</answer>
</qandaentry>
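Review bot: `auditctl -e 0` is a runtime change that does not survive a reboot or an auditd restart; the answer should say so and point at the rules file auditd loads at start (/etc/audit/audit.rules on this release) for readers who want the setting persistent. It also presumes the audit userspace package is installed, which is worth stating since the question is about turning auditing off. The sentence that AVC denials are unaffected would be clearer with a note on where those denials are logged once auditing is disabled, given that the previous hunk now sends readers to /var/log/audit/audit.log.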
@@ -1000,9 +1089,9 @@
You can create your new user with the standard
<command>useradd</command> command. First you must become
root;
under the strict policy you will need to change role to
- <computeroutput>sysadm_r</computeroutput>. This context
switch
- has been incorporated into the <command>su</command> command
and
- occurs automatically. For the targeted policy, you will not need
+ <computeroutput>sysadm_r</computeroutput> using
+ <computeroutput>newrole -r sysadm_r</computeroutput>
+ For the targeted policy, you will not need
to switch roles, staying in
<computeroutput>unconfined_t</computeroutput>:
</para>
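Review bot: a period is missing after `</computeroutput>` at the end of "using newrole -r sysadm_r", so it runs straight into "For the targeted policy". `newrole -r sysadm_r` is a command the reader types, so mark it with <command> rather than <computeroutput>, matching `<command>useradd</command>` two lines above. Since the removed text said the role change happened automatically through su, a short note that newrole re-authenticates the user (it prompts for a password) would save confusion for readers of the previous FAQ.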
@@ -1024,7 +1113,7 @@
</para>
</answer>
</qandaentry>
- <qandaentry>
+<!-- <qandaentry>
<question>
<para>
All of the other &SEL; documentation states that the
@@ -1052,7 +1141,7 @@
change.
</para>
</answer>
- </qandaentry>
+ </qandaentry> -->
<qandaentry>
<question>
<para>
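Review bot: commenting out the whole <qandaentry> rather than deleting it leaves dead text that translators and later editors still have to read past; CVS keeps the history, so deleting is cleaner. If the entry must stay, verify that nothing inside the commented span contains `--` (an XML comment may not contain a double hyphen) and that no <xref> elsewhere still targets this entry's id, as either would break the build.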
@@ -1104,12 +1193,14 @@
</para>
</answer>
</qandaentry>
+ <!-- Need to modify this to work with new policy sources, or find
+ a better method than modifying all source
<qandaentry>
<question>
<para>
I get a specific permission denial only when &SEL; is in enforcing
mode, but I don't see any audit messages in
- <filename>/var/log/messages</filename>. How can I identify
the
+ <filename>/var/log/audit/audit.log</filename>. How can I
identify the
cause of these silent denials?
</para>
</question>
@@ -1155,7 +1246,7 @@
<command>cd /etc/selinux/targeted/src/policy
make clean
make load</command>
-</screen>
+</screen> -->
<!-- commented out just in case it needs to be rewritten and included:
<para>
Another reason for getting silent denials is on an
@@ -1180,9 +1271,9 @@
audit(1083674459.837:0): security_compute_sid: invalid context
root:sysadm_r:system_chkpwd_t for scontext=root:sysadm_r:newrole_t
tcontext=system_u:object_r:chkpwd_exec_t tclass=process
--->
</answer>
</qandaentry>
+-->
<qandaentry>
<question>
<para>
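Review bot: moving the `-->` from inside the answer to after `</qandaentry>` only works because the comment opened at "Need to modify this..." is closed at `</screen> -->` and the pre-existing `<!-- commented out just in case...` immediately opens another, so the entry is now spanned by two back-to-back comments. That is fragile: whoever later deletes or moves the inner comment uncovers half an entry and gets a well-formedness error. Either delete the entry outright or make it a single comment and fold the inner one into it. Note also that the /var/log/messages to /var/log/audit/audit.log edit in this region lands in commented-out text, so readers never see it; the same correction is still needed in the live entries that mention /var/log/messages.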
@@ -1246,18 +1337,7 @@
changes in the updated policy.
</para>
<para>
- If you have installed the policy source packages, e.g.
- <filename>selinux-policy-strict</filename>, you can execute
these
- commands to relabel the file system.
- </para>
-<screen>
-<command>cd /etc/selinux/targeted/src/policy
-make
-make relabel
-reboot</command>
-</screen>
- <para>
- If you aren't using policy sources, another approach is to use the
+ To relabel, use the
<command>fixfiles</command> command or take advantage of the
<filename>/.autorelabel</filename> mechanism:
</para>
@@ -1288,6 +1368,8 @@
</para>
</answer>
</qandaentry>
+ <!-- Source package doesn't exist any more
+ Is there something similar now?
<qandaentry>
<question>
<para>
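Review bot: this comment and the ones in the following hunks close before each pre-existing `<!-- ... -->` and reopen after it to avoid nesting, which is valid XML but leaves one dead entry sliced into several comment fragments; a single deletion would be far easier to maintain. The questions left in the comment ("Source package doesn't exist any more / Is there something similar now?") belong in a tracking bug or a TODO block at the top of the file, not scattered through shipped markup.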
@@ -1296,11 +1378,13 @@
</para>
</question>
<answer>
+ -->
<!--
thanks to "Gene C." <czar czarc net> for authoring the
original answer in
http://www.redhat.com/archives/fedora-test-list/2004-April/msg00755.html
-->
+ <!--
<para>
A policy package such as
<filename>selinux-policy-targeted</filename> is a requirement
for
@@ -1338,6 +1422,7 @@
file as well as the <filename>file_contexts</filename> file,
then
loads them as the currently effective policy.
</para>
+ -->
<!-- not sure if currently still an issue, or how to rephrase
<caution>
@@ -1351,32 +1436,28 @@
</para>
</caution>
-->
+ <!--
</answer>
</qandaentry>
+ -->
<qandaentry>
<!--
http://www.redhat.com/archives/fedora-selinux-list/2004-May/msg00061.html
-->
<question>
<para>
- Why do the files
+ Why do binary policies (e.g.
<filename>/etc/selinux/<replaceable>policyname</replaceable>/policy/policy.<<replaceable>version</replaceable>></filename>
- and
-
<filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy/policy.<<replaceable>version</replaceable>></filename>
- have different (sizes, md5sums, dates)?
+ distributed with Fedora and those I compile myself have different sizes
+ and md5sums?
</para>
</question>
<answer>
<para>
When you install a policy package, pre-compiled binary policy
files are put directly into
<filename>/etc/selinux</filename>.
- When a policy source package is installed or updated, binary
- policy files are built in
-
<filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy</filename>,
- then moved to
-
<filename>/etc/selinux/<replaceable>policyname</replaceable>/policy/</filename>.
The different build environments will make target files that have
- different sizes, md5sums, and dates.
+ different sizes, md5sums.
</para>
</answer>
</qandaentry>
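Review bot: "different sizes, md5sums" needs a conjunction: "different sizes and md5sums". The rewritten question asks why a locally compiled policy differs from the one distributed with Fedora, but with the source-package sentences removed the answer only describes installing the pre-compiled package, so "the different build environments" no longer has a referent. Add a sentence that a policy you compile yourself (for instance from the selinux-policy source rpm mentioned in a later hunk) is built with your local build environment, which is what makes the output differ from the packaged file.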
@@ -1409,39 +1490,94 @@
</question>
<answer>
<para>
- Your help is definitely appreciated. You can start by joining the
- &SEL; mailing list, <ulink
-
url="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</ulink>;
- you can subscribe and read the archives at <ulink
-
url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list"...;.
- The UnOfficial FAQ has some generic policy writing HOWTO
- information (<ulink
-
url="http://sourceforge.net/docman/display_doc.php?docid=14882&g...>).
- Another new resource is the Writing SE Linux policy HOWTO (<ulink
-
url="https://sourceforge.net/docman/display_doc.php?docid=21959&...>).
+ Your help is definitely appreciated.
+ <itemizedlist>
+ <listitem>
+ <para>
+ You can start by joining the
+ &FED; &SEL; mailing list, <ulink
+
url="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</ulink>;
+ you can subscribe and read the archives at <ulink
+
url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list"...;.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The UnOfficial FAQ has some generic policy writing HOWTO
+ information (<ulink
+
url="http://sourceforge.net/docman/display_doc.php?docid=14882&g...>).
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Another new resource is the Writing SE Linux policy HOWTO
(<ulink
+
url="https://sourceforge.net/docman/display_doc.php?docid=21959&...>).
+ </para>
+ </listitem>
+ </itemizedlist>
+ Also, since the &FC; &LOCALVER; policy is based on the <xref
linkend="faq-entry-whatis-refpolicy"/>,
+ you should look at the documentation on its project page.
</para>
<para>
Your best bet is to look at the policy files in
-
<filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy/</filename>
- and try experiments. Watch the <computeroutput>avc
- denied</computeroutput> messages in
- <filename>/var/log/messages</filename> for clues.
- </para>
- <para>
- A useful tool for the policy writer is
- <command>/usr/bin/audit2allow</command>, which translates
- <computeroutput>avc</computeroutput> messages from
- <filename>/var/log/messages</filename> into rules that can be
used
- by &SEL;. These rules will likely need to be cleaned up.
- </para>
- <para>
- The command <command>audit2allow</command> can receive input
via
- three methods. Default is from standard input
- (<firstterm>STDIN</firstterm>). Using the
<option>-i</option>
- option reads input from
<filename>/var/log/messages</filename>,
- and the <option>-d</option> option reads input from
- <command>dmesg</command> output.
+
<filename>/usr/share/doc/selinux-policy-<replaceable>>version<</replaceable></filename>
+ which shows examples of policy.
</para>
+ <para>
+ If you want to write a new policy domain, you should install the
+ selinux-policy-devel package. This will place reference policy
+ interface files into the
+ <filename>/usr/share/selinux/refpolicy directory</filename>.
+ </para>
+ <para>
+ There is also a tool there to help you get started. You can use
+ the tool <command>policygentool</command> to generate your own
+ <filename>te</filename>, <filename>fc</filename>
+ and <filename>if</filename> file.
+ This tool takes two parameters: the Name of the policy module
+ (mydaemon) and the full path to the executable
+ (<filename>/usr/sbin/mydaemon</filename>). This will create three
+ files <filename>mydaemon.te</filename>,
+ <filename>mydaemon.fc</filename> and
+ <filename>mydaemon.if</filename>.
+ After you generate the policy files,
+ use the supplied Makefile,
+ <filename>/usr/share/selinux/refpolicy/Makefile</filename>,
+ build a policy package (<filename>mydaemon.pp</filename>). Now
+ you can load the policy
+ module, using <command>semodule</command>, and relabel the
+ executable using
+ <filename>restorecon</filename>. Since you have very limited
+ policy for your
+ executeable, SELinux will prevent it from doing much. So you need
+ to turn on permissive mode and then use the init script to start
+ your daemon. Now you can start collect avc messages. You can use
+ <command>audit2allow</command> to translate the avc messages to
+ allow rules and begin
+ updating you <filename>mydaemon.te</filename> file. You should
+ search for interface
+ macros in the <filename>/etc/selinux/refpolicy/include</filename>
+ directory and use
+ these instead of using the allow rules directly, whenever
+ possible. If you want more examples of polcy, you could always
+ install the selinux-policy src rpm, which contains all of the
+ policy te files for the reference policy.
+ </para>
+<screen>
+<command># /usr/share/selinux/refpolicy/policygentool mydaemon /usr/sbin/mydaemon
+# make -f /usr/share/selinux/refpolicy/Makefile
+m4 /usr/share/selinux/refpolicy/include/all_perms.spt
/usr/share/selinux/refpolicy/include/loadable_module.spt
/usr/share/selinux/refpolicy/include/misc_macros.spt
+...
+/usr/share/selinux/refpolicy/include/obj_perm_sets.spt mydaemon.fc >
tmp/mydaemon.mod.fc
+Creating targeted mydaemon.pp policy package
+/usr/bin/semodule_package -o mydaemon.pp -m tmp/mydaemon.mod -f tmp/mydaemon.mod.fc
+rm tmp/mydaemon.mod.fc tmp/mydaemon.mod
+# semodule -i mydaemon.pp
+# restorecon -v /usr/sbin/mydaemon
+restorecon reset /usr/sbin/mydaemon context
user_u:object_r:sbin_t->system_u:object_r:mydaemon_exec_t
+# setenforce 1
+# service mydaemon restart</command>
+</screen>
</answer>
</qandaentry>
<qandaentry>
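Review bot: the <screen> sequence contradicts the prose. The paragraph says to switch to permissive mode before starting the daemon so AVC messages can be collected, but the listing never runs `setenforce 0`; it runs `setenforce 1` and then `service mydaemon restart`, which starts the daemon in enforcing mode under the skeleton policy the paragraph warns will block it. Insert `setenforce 0` before the restart and show `setenforce 1` only after the updated module has been reloaded. Other points: `<replaceable>>version<</replaceable>` has the angle brackets reversed (compare `<replaceable><version></replaceable>` earlier in the patch); the word "directory" sits inside the <filename> element in `/usr/share/selinux/refpolicy directory`; `restorecon` is a command and should use <command> like semodule and audit2allow; the interface-file location is given here as /usr/share/selinux/refpolicy and as /etc/selinux/refpolicy/include, while the earlier package hunk says /usr/share/selinux/refpolicy/headers and the make output in this hunk shows /usr/share/selinux/refpolicy/include, so settle on the path the package actually installs. Typos: "executeable", "polcy", "updating you mydaemon.te" (your), "start collect avc messages" (start collecting). Since the paragraph telling readers where to watch for avc messages was removed, say where they now appear (the earlier hunk moved the reader to /var/log/audit/audit.log) so the audit2allow step is actionable.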
@@ -1552,6 +1688,12 @@
ext2/ext3, XFS has recently added support for the necessary
labels.
</para>
+ <para>
+ Note that XFS SELinux support is broken in upstream kernel
+ 2.6.14 and 2.6.15, but fixed (worked around)
+ in 2.6.16. So, make sure your kernel includes this fix if
+ you choose to use XFS.
+ </para>
</answer>
</qandaentry>
<qandaentry>
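Review bot: "fixed (worked around)" hedges both ways; state which it is. Fedora readers know their kernel package version, not the upstream release, so name the first Fedora kernel package that carries the fix (placeholder: kernel-<version>) or link the bug tracking it, and keep "2.6.14 and 2.6.15" as stated for upstream.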
@@ -1636,10 +1778,11 @@
url="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</ulink>)
for discussion.
</para>
+ <!-- Add policy modules section -->
+ <!-- Add managed policy section -->
</answer>
</qandaentry>
</qandadiv>
</qandaset>
</section>
</article>
-
--
Fedora-docs-commits mailing list
Fedora-docs-commits(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-docs-commits
--
Karsten Wade, RHCE * Sr. Tech Writer *
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Content Services Fedora Documentation Project