March 2013 - selinux - Fedora Mailing-Lists

by magina antimage

Hi, i have tried disabling SElinux ,because i didnt had selinux module enabled in my kernel. i have tried changing /etc/selinux/config: from SELINUX=permissive to SELINUX=disabled but still i get error "Failed to load SELinux policy." during bootup i have referred to "https://bugzilla.redhat.com/show_bug.cgi?id=692573 " and tried to solve this problem, but no positive results also sometimes i get I/O errors on my hard disk (during boot) after one or two boots . i am not sure whether its because of SElinux or not,but while searching this I/O error i came across few cases where these I/O errors were because of SElinux policies. other details: arch:x86 selinux version:libselinux-2.0.99-4.fc15.i686

10 years, 1 month

7
19
0 / 0

Re: [PATCH 1/2] iptables (userspace): add secmark match

by Mr Dash Four

Pablo Neira Ayuso wrote: > On Tue, Mar 05, 2013 at 12:48:47PM +0000, Mr Dash Four wrote: > >> This patch is part of the userspace changes needed for the "secmark" match >> in iptables. >> > > SELinux already provides the framework to define your network policy > based on the secmark. I don't see why we need this in iptables. > I am not sure what to make of your response above Pablo. The purpose of the patch isn't to replace what SELinux already provides, but to make full use of that security framework. Are you questioning the purpose or usefulness of the patch in general? Elaborate please.

10 years, 5 months

1
2
0 / 0

Ye olde "avc granted"

by mark

Hi, folks, Got a server that's throwing a ton of avc granted, all related to Matlab. I saw something via google from '06, for a java thing - is there something I can use to shut this up? CentOS 5.9, current. mark

10 years, 6 months

5
24
0 / 0

[PATCH 2/2] iptables (kernel): add secmark match

by Mr Dash Four

This patch is part of the kernel changes needed for the "secmark" match in iptables. Signed-off-by: Mr Dash Four <mr.dash.four(a)googlemail.com> --- include/uapi/linux/netfilter/Kbuild | 1 + include/uapi/linux/netfilter/xt_secmark.h | 24 ++++++ net/netfilter/Kconfig | 10 +++ net/netfilter/Makefile | 1 + net/netfilter/xt_secmark.c | 117 +++++++++++++++++++++++++++++ 5 files changed, 153 insertions(+) create mode 100644 include/uapi/linux/netfilter/xt_secmark.h create mode 100644 net/netfilter/xt_secmark.c diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild index 4111577..4884edd 100644 --- a/include/uapi/linux/netfilter/Kbuild +++ b/include/uapi/linux/netfilter/Kbuild @@ -69,6 +69,7 @@ header-y += xt_rateest.h header-y += xt_realm.h header-y += xt_recent.h header-y += xt_sctp.h +header-y += xt_secmark.h header-y += xt_set.h header-y += xt_socket.h header-y += xt_state.h diff --git a/include/uapi/linux/netfilter/xt_secmark.h b/include/uapi/linux/netfilter/xt_secmark.h new file mode 100644 index 0000000..c74a35d --- /dev/null +++ b/include/uapi/linux/netfilter/xt_secmark.h @@ -0,0 +1,24 @@ +#ifndef _XT_SECMARK_MATCH_H +#define _XT_SECMARK_MATCH_H + +#include <linux/types.h> + +/* + * Header file for iptables xt_secmark match + * + * This is intended for use by various security subsystems (but not + * at the same time). + * + * 'mode' refers to the specific security subsystem which the + * packets are being marked for. + */ +#define SECMARK_MODE_SEL 0x01 /* SELinux */ +#define SECMARK_SECCTX_MAX 256 + +struct xt_secmark_match_info { + __u8 mode; + __u32 secid; + char secctx[SECMARK_SECCTX_MAX]; +}; + +#endif /* _XT_SECMARK_MATCH_H */ diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 56d22ca..d53ea14 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -1166,6 +1166,16 @@ config NETFILTER_XT_MATCH_RECENT Short options are available by using 'iptables -m recent -h' Official Website: <http://snowman.net/projects/ipt_recent/> +config NETFILTER_XT_MATCH_SECMARK + tristate '"secmark" match support' + depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK + default m if NETFILTER_ADVANCED=n + help + The SECMARK match allows matching on security marking of network + packets, for use with security subsystems. + + To compile it as a module, choose M here. If unsure, say N. + config NETFILTER_XT_MATCH_SCTP tristate '"sctp" protocol match support' depends on NETFILTER_ADVANCED diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index a1abf87..686c4c3 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -139,6 +139,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o +obj-$(CONFIG_NETFILTER_XT_MATCH_SECMARK) += xt_secmark.o # ipset obj-$(CONFIG_IP_SET) += ipset/ diff --git a/net/netfilter/xt_secmark.c b/net/netfilter/xt_secmark.c new file mode 100644 index 0000000..8837d13 --- /dev/null +++ b/net/netfilter/xt_secmark.c @@ -0,0 +1,117 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 (or any + * later at your option) as published by the Free Software Foundation. + */ + +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt +#include <linux/module.h> +#include <linux/security.h> +#include <linux/skbuff.h> + +#include <linux/netfilter/x_tables.h> +#include <uapi/linux/netfilter/xt_secmark.h> + +MODULE_AUTHOR("Mr Dash Four <mr.dash.four(a)googlemail.com>"); +MODULE_DESCRIPTION("Xtables: security mark match"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_secmark"); +MODULE_ALIAS("ip6t_secmark"); + +static u8 mode; + +static bool secmark_mt(const struct sk_buff *skb, struct xt_action_param *par) +{ + const struct xt_secmark_match_info *info = par->targinfo; + u32 secmark = 0; + + BUG_ON(info->mode != mode); + + switch (mode) { + case SECMARK_MODE_SEL: + secmark = info->secid; + break; + default: + BUG(); + } + + return (skb->secmark != 0 && secmark != 0 && skb->secmark == secmark); +} + +static int checkentry_lsm(struct xt_secmark_match_info *info) +{ + int err; + + info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; + info->secid = 0; + + err = security_secctx_to_secid(info->secctx, strlen(info->secctx), + &info->secid); + if (err) { + if (err == -EINVAL) + pr_info("invalid security context \'%s\'\n", info->secctx); + return err; + } + + if (!info->secid) { + pr_info("unable to map security context \'%s\'\n", info->secctx); + return -ENOENT; + } + + return 0; +} + +static int +secmark_mt_checkentry(const struct xt_mtchk_param *par) +{ + struct xt_secmark_match_info *info = par->matchinfo; + int err; + + if (mode && mode != info->mode) { + pr_info("mode already set to %hu cannot mix with " + "rules for mode %hu\n", mode, info->mode); + return -EINVAL; + } + + switch (info->mode) { + case SECMARK_MODE_SEL: + break; + default: + pr_info("invalid mode: %hu\n", info->mode); + return -EINVAL; + } + + err = checkentry_lsm(info); + if (err) + return err; + + if (!mode) + mode = info->mode; + return 0; +} + +static void +secmark_mt_destroy(const struct xt_mtdtor_param *par) { } + +static struct xt_match secmark_mt_reg __read_mostly = { + .name = "secmark", + .family = NFPROTO_UNSPEC, + .checkentry = secmark_mt_checkentry, + .match = secmark_mt, + .destroy = secmark_mt_destroy, + .matchsize = sizeof(struct xt_secmark_match_info), + .me = THIS_MODULE, +}; + +static int __init secmark_mt_init(void) +{ + return xt_register_match(&secmark_mt_reg); +} + +static void __exit secmark_mt_exit(void) +{ + xt_unregister_match(&secmark_mt_reg); +} + +module_init(secmark_mt_init); +module_exit(secmark_mt_exit);

10 years, 6 months

3
3
0 / 0

default and new file contexts

by mark

We've got a scratch directory; in it, any user can write. I've gotten complaints of unlabled, and I found and set them to default_t. Here's the question: if I use semanage to set one of the user subdirectories to, say, default_t, and they try to copy a file that already has a valid context, would that context be changed to default_t, or would it retain its existing context? Thanks in advance. mark

10 years, 6 months

4
11
0 / 0

dbus daemon SELinux problem

by Erick Staal

Hi, After the last update of selinux to 3.11.1-86 the following error appears in /var/log/messages: SELinux: Context unconfined_u:system_r:unconfined_dbusd_t:s0-s0:c0.c1023 would be invalid if enforcing Looks like that there is a problem with the selinux config for dbusd. Can anyone tell how to fix this? Sincerely, Erick

10 years, 6 months

3
3
0 / 0

syslog-ng creates /dev/log in wrong selinux domain causing avc denials

by Daniel Neuberger

All, We are getting AVC denials like the following: audit.log:type=AVC msg=audit(1363623746.304:77): avc: denied { write } for pid=7569 comm="audispd" name="log" dev=tmpfs ino=12139 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file audit.log:type=AVC msg=audit(1363628993.829:922): avc: denied { write } for pid=8402 comm="logger" name="log" dev=tmpfs ino=12139 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file audit.log:type=AVC msg=audit(1363628997.219:952): avc: denied { write } for pid=8808 comm="dhclient" name="log" dev=tmpfs ino=12139 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file audit.log:type=AVC msg=audit(1363628997.285:955): avc: denied { write } for pid=8808 comm="dhclient" name="log" dev=tmpfs ino=12139 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file ... audit.log:type=AVC msg=audit(1363629158.017:1081): avc: denied { write } for pid=9213 comm="logger" name="log" dev=tmpfs ino=12139 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file audit.log:type=AVC msg=audit(1363629420.696:1144): avc: denied { write } for pid=4944 comm="ntpd" name="log" dev=tmpfs ino=12139 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file audit.log:type=AVC msg=audit(1363629420.807:1145): avc: denied { write } for pid=9700 comm="ntpd" name="log" dev=tmpfs ino=12139 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file audit.log:type=AVC msg=audit(1363634382.869:2143): avc: denied { write } for pid=9973 comm="groupadd" name="log" dev=tmpfs ino=32837 scontext=user_u:system_r:groupadd_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=sock_file ... The problem seems to be that syslog-ng is creating /dev/log in the wrong domain: [root@foo ~]$ ls -Z /dev/log srw-rw-rw- root root user_u:object_r:device_t:s0 /dev/log [root@foo ~]$ chcon system_u:object_r:devlog_t:s0 /dev/log [root@foo ~]$ ls -Z /dev/log srw-rw-rw- root root system_u:object_r:devlog_t:s0 /dev/log [root@foo ~]$ run_init /etc/init.d/syslog-ng restart Authenticating foobar. Password: Restarting syslog-ng: Stopping syslog-ng: [ OK ] Starting syslog-ng: [ OK ] [root@foo ~]$ ls -Z /dev/log srw-rw-rw- root root user_u:object_r:device_t:s0 /dev/log I think this is because the syslog-ng daemon is running in the wrong domain. It never transitions from the initrc_t domain: [root@foo log]$ ps -efZ | grep syslog system_u:system_r:initrc_t:s0 root 4912 1 0 16:20 ? 00:00:00 supervising syslog-ng system_u:system_r:initrc_t:s0 root 4913 4912 0 16:20 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps The problem - I think - is that we're using a syslog-ng rpm from the vendor's website that installs to /opt rather than /usr as the targeted policy seems to expect meaning the daemon and everything has the wrong file contexts. I tried fixing this by updating the contexts based off the settings in the logging.fc file from the policy src.rpm, but that didn't help: [root@foo ~]$ chcon system_u:object_r:syslog_conf_t:s0 /opt/syslog-ng/etc/* [root@foo ~]$ chcon system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/* [root@foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0 /opt/syslog-ng/var/syslog-ng.persist [root@foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0 /opt/syslog-ng/var/run/* [root@foo ~]$ run_init /etc/init.d/syslog-ng restart Authenticating foobar. Password: Restarting syslog-ng: Stopping syslog-ng: [ OK ] Starting syslog-ng: [ OK ] [root@foo ~]$ ls -Z /dev/log srw-rw-rw- root root user_u:object_r:device_t:s0 /dev/log [root@foo ~]$ ps -efZ | grep syslog user_u:system_r:initrc_t:s0 root 6594 1 0 14:35 ? 00:00:00 supervising syslog-ng user_u:system_r:initrc_t:s0 root 6595 6594 0 14:35 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps Restarting after making these changes, didn't help either. At this point, I'm out of ideas for how to properly fix the problem. I also tried relabeling the whole system, then applying the above changes and that didn't help. FYI, we are running a RHEL 5.5 system, but are using the RHEL 5.7 kernel and selinux rpms including: libselinux-1.33.4-5.7.el5.i386 libselinux-1.33.4-5.7.el5.x86_64 libselinux-python-1.33.4-5.7.el5.x86_64 libselinux-utils-1.33.4-5.7.el5.x86_64 selinux-policy-2.4.6-316.el5.noarch selinux-policy-targeted-2.4.6-316.el5.noarch We're using syslog-ng-3.1.4-1.rhel5.x86_64.rpm from the vendor's website which installs everything in /opt/syslog-ng rather than the normal RHEL locations. Any pointers would be much appreciated. I'm assuming I should be able to fix this without modifying the policy, but maybe I'm missing something. Thanks. - Daniel

10 years, 6 months

4
11
0 / 0

CentOS 6.4 and node.js

by mark

Actually, it could be mongodb, but most likely, since I've just built, packaged, and installed node.js, I'm getting buried under AVC's. Is there a policy somewhere for node.js?

10 years, 6 months

2
2
0 / 0

Issue with SELinux and BackupPC backup directory at non-standard location

by Jeff Boyce

Greetings - I have been testing BackupPC for my small office network, with BackupPC running from its own VM. The backups created by BackupPC are being put on a seperate mounted LVM partition (/bkupdata), rather than at /var/lib/BackupPC for the standard installation. I followed the BackupPC documentation for doing this, and everything was testing fine. I extended the logical volume and filesystem containing the /bkupdata partition to allow more room for all the expected backups after testing was completed. When I rebooted after extending the filesystem, I noticed that SELinux was doing a relabel on the filesystem. I didn't think anything of it until a few hours later when I accessed the BackupPC web interface and couldn't see the previous backups. After a fair amount of research about potential BackupPC specific causes, I was able to determine that the issue was SELinux related. 1. Everything worked properly (with the non-standard backup location) before the reboot and SELinux relabel. 2. Temporarily turning SELinux off (setenforce=0), and everything works again. 3. Turning SELinux on (setenforce=1), and I get errors from BackupPC web interface I posted to the BackupPC mailing list yesterday, but have no responses from anyone with SELinux expertise, so I thought I should take my issue here. So in summary, here is what I have: Backups are being stored on separate partition, not standard for BackupPC: /bkupdata Standard BackupPC storage location: /var/lib/BackupPC SELinux context on standard BackupPC storage location: [root@bacteria BackupPC]# pwd /var/lib/BackupPC [root@bacteria BackupPC]# ls -Z drwxr-x---. backuppc backuppc system_u:object_r:var_lib_t:s0 cpool drwxr-x---. backuppc backuppc system_u:object_r:var_lib_t:s0 pc drwxr-x---. backuppc backuppc system_u:object_r:var_lib_t:s0 pool drwxr-x---. backuppc backuppc system_u:object_r:var_lib_t:s0 trash Current SELinux context on my BackupPC storage location: [root@bacteria bkupdata]# pwd /bkupdata [root@bacteria bkupdata]# ls -Z drwxr-x---. backuppc root system_u:object_r:default_t:s0 cpool drwx------. root root system_u:object_r:default_t:s0 lost+found drwxr-x---. backuppc root system_u:object_r:default_t:s0 pc drwxr-x---. backuppc root system_u:object_r:default_t:s0 pool drwxr-x---. backuppc root system_u:object_r:default_t:s0 trash And one of the test clients backup location: [root@bacteria jab-opti755]# pwd /bkupdata/pc/jab-opti755 [root@bacteria jab-opti755]# ls -Z drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 0 drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 1 drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 2 drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 3 drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 4 drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 5 -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 backups -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 backups.old -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 backups.save -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 LOCK -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 LOG.032013 -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.0.z -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.1.z -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.2.z -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.3.z -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.4.z -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.5.z -rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.bad.z.old In reviewing my SELinux contexts listed above, I noticed that the group assignment for the directories under /bkupdata is root. I have subsequently changed them to backuppc, and shutdown the backuppc service, shutdown and restarted the http service, then restarted the backuppc service. The same errors persist after this change, so the issue was not just with an incorrect group setting. Here is a representative sample of the SELinux audit messages that are occurring: ---- time->Thu Mar 14 13:35:51 2013 type=SYSCALL msg=audit(1363293351.295:27283): arch=c000003e syscall=2 success=no exit=-13 a0=1437b70 a1=0 a2=1b6 a3=3c1711dbe0 items=0 ppid=1813 pid=4379 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin." exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1363293351.295:27283): avc: denied { read } for pid=4379 comm="BackupPC_Admin." name="backups" dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file ---- time->Thu Mar 14 13:35:51 2013 type=SYSCALL msg=audit(1363293351.292:27282): arch=c000003e syscall=2 success=no exit=-13 a0=1437b10 a1=0 a2=1b6 a3=3c1711dbe0 items=0 ppid=1813 pid=4379 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin." exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1363293351.292:27282): avc: denied { read } for pid=4379 comm="BackupPC_Admin." name="LOCK" dev=vdd1 ino=4194307 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file ---- time->Thu Mar 14 13:36:01 2013 type=SYSCALL msg=audit(1363293361.526:27285): arch=c000003e syscall=4 success=no exit=-13 a0=1630140 a1=1569130 a2=1569130 a3=21 items=0 ppid=1806 pid=4400 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin." exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1363293361.526:27285): avc: denied { getattr } for pid=4400 comm="BackupPC_Admin." path="/bkupdata/pc/jab-opti755/backups" dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file ---- I have read through the RedHat SELinux users guide and understand from this and looking at the above messages that my target context is probably not what it should be for this. I am hoping someone can guide me to get this corrected in a proper way without making a blanket permissive policy. Also I would like to make sure that if I have to expand my partition again, I don't want to have to go through the same pain of discovering the problem, or have it fixed so that the problem doesn't re-occur. If any additional information is needed please let me know. Please CC me directly on any replies as I am only subscribed to the daily digest. Thanks. Jeff Boyce Meridian Environmental www.meridianenv.com

10 years, 6 months

4
6
0 / 0

Re: Looking for links: passenger & selinux

by mark

Miroslav wrote: > m.roth(a)5-cent.us wrote: >>> Gag. I hate passenger... >> >>> This is CentOS 6.3 >> >>> Does someone have a link to info on what selinux passenger context to set >>> what files to? I see passenger set to lib_t, which I may have done a >>> while back, but the current policy may be more picky. I've looked at the >>> passenger_selinux manpage, and it doesn't suggest what they should be. The >>> version of ruby my users are on is the old 1.8.7 enterprise, *not* >>> installed from an rpm, so nothing's correct.... >> >> Following myself up, a clarification: I've seen pages that say to set all >> of passenger to httpd_sys_content_t; however, since there's explicitly a >> passenger_*_t, and I *assume* that it allows it to transition to run >> things like ps, and status, I'd like to set them *correctly*, rather than >> as httpd*, and then allow all sorts of things for httpd to do as policy. > We have passenger fixes in RHEL6.4. Basically you will need to follow > http://git.fedorahosted.org/cgit/selinux-policy.git/tree/passenger.fc?h=f... labeling. Thanks, Miroslav. Here's what (once I thought of it) seems like an obvious question: is there a way, in selinux, to say "I installed this stuff over here, not in the usual place (say, from a tarball instead of an rpm), but I want to label everything correctly, something like <selinuxrelabel> passenger-policy /opt/ruby/gem/etc? mark

10 years, 6 months

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux March 2013