web/html/docs/selinux-faq-fc5 index.php,1.1,1.2
by Paul W. Frields (pfrields)
Author: kwade
Update of /cvs/fedora/web/html/docs/selinux-faq-fc5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20309
Modified Files:
index.php
Log Message:
Updating to match content in CVS, this updates log file locations and adds targeted domains.
Index: index.php
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-faq-fc5/index.php,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.php 23 Mar 2006 21:39:56 -0000 1.1
+++ index.php 24 Mar 2006 19:30:00 -0000 1.2
@@ -52,6 +52,17 @@
<div><div class="revhistory"><table border="1" width="100%" summary="Revision history">
<tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr>
<tr>
+<td align="left">Revision 1.5.4</td>
+<td align="left">2006-03-21</td>
+<td align="left">CS</td>
+</tr>
+<tr><td align="left" colspan="3">
+ <p>
+ Updated log file location for FC5 release, added targeted
+ domains FAQ
+ </p>
+ </td></tr>
+<tr>
<td align="left">Revision 1.5.3</td>
<td align="left">2006-03-21</td>
<td align="left">CS</td>
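Review bot: The new Revision 1.5.4 row carries the date 2006-03-21, the same date as the 1.5.3 row directly below it, while this commit is dated 24 Mar 2006. If 1.5.4 was cut later than 1.5.3, correct the date so the revision history shows when the log file guidance changed; if both revisions really were made on the same day, no change is needed.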
@@ -189,11 +200,11 @@
<dt>1.1. <a href="#faq-div-understanding-selinux">Understanding SELinux</a>
</dt>
<dd><dl>
-<dt>Q: <a href="#id2729807">
+<dt>Q: <a href="#id2730692">
What is SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2731256">
+<dt>Q: <a href="#id2732137">
What is SELinux policy?
</a>
</dt>
@@ -201,11 +212,15 @@
What is the SELinux targeted policy?
</a>
</dt>
-<dt>Q: <a href="#id2731514">
+<dt>Q: <a href="#id2732394">
+ What programs are protected by the targeted policy?
+ </a>
+</dt>
+<dt>Q: <a href="#id2745278">
What about the strict policy? Does it even work?
</a>
</dt>
-<dt>Q: <a href="#id2728705">
+<dt>Q: <a href="#id2745344">
What is the mls policy? Who is it for?
</a>
</dt>
@@ -213,15 +228,15 @@
What is the Reference Policy?
</a>
</dt>
-<dt>Q: <a href="#id2728838">
+<dt>Q: <a href="#id2745437">
What are file contexts?
</a>
</dt>
-<dt>Q: <a href="#id2744128">
+<dt>Q: <a href="#id2745502">
How do I view the security context of a file, user, or process?
</a>
</dt>
-<dt>Q: <a href="#id2744165">
+<dt>Q: <a href="#id2745540">
What is the difference between a domain and
a type?
</a>
@@ -238,19 +253,19 @@
<dt>1.2. <a href="#faq-div-controlling-selinux">Controlling SELinux</a>
</dt>
<dd><dl>
-<dt>Q: <a href="#id2744339">
+<dt>Q: <a href="#id2783681">
How do I install/not install SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2744365">
+<dt>Q: <a href="#id2783707">
How do I switch the policy I am currently using?
</a>
</dt>
-<dt>Q: <a href="#id2744595">
+<dt>Q: <a href="#id2783924">
How can I back up files from an SELinux file system?
</a>
</dt>
-<dt>Q: <a href="#id2744700">
+<dt>Q: <a href="#id2784024">
How can I install the strict policy by default with kickstart?
</a>
</dt>
@@ -259,48 +274,48 @@
the targeted policy?
</a>
</dt>
-<dt>Q: <a href="#id2782795">
+<dt>Q: <a href="#id2784146">
How do I make a user public_html directory
work under SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2783007">
+<dt>Q: <a href="#id2784358">
How do I turn SELinux off at boot?
</a>
</dt>
-<dt>Q: <a href="#id2783067">
+<dt>Q: <a href="#id2784418">
How do I turn enforcing on/off at boot?
</a>
</dt>
-<dt>Q: <a href="#id2783186">
+<dt>Q: <a href="#id2784537">
How do I temporarily turn off enforcing mode without having to
reboot?
</a>
</dt>
-<dt>Q: <a href="#id2783253">
+<dt>Q: <a href="#id2784604">
How do I turn system call auditing on/off at boot?
</a>
</dt>
-<dt>Q: <a href="#id2783296">
+<dt>Q: <a href="#id2784647">
How do I temporarily turn off system-call auditing without having
to reboot?
</a>
</dt>
-<dt>Q: <a href="#id2783321">
+<dt>Q: <a href="#id2784672">
How do I get status info about my SELinux installation?
</a>
</dt>
-<dt>Q: <a href="#id2783352">
+<dt>Q: <a href="#id2784703">
How do I write policy to allow a domain to use pam_unix.so?
</a>
</dt>
-<dt>Q: <a href="#id2783443">
+<dt>Q: <a href="#id2784794">
In the past I have written local.te file in policy sources for my
own local customization to policy, how do I do this with
Reference Policy?
</a>
</dt>
-<dt>Q: <a href="#id2783608">
+<dt>Q: <a href="#id2784972">
I created a new Policy Package where do I put it to make sure that
it gets loaded into the kernel?
</a>
@@ -309,160 +324,166 @@
<dt>1.3. <a href="#faq-div-resolving-problems">Resolving Problems</a>
</dt>
<dd><dl>
-<dt>Q: <a href="#id2783674">
+<dt>Q: <a href="#id2785038">
My application isn't working as expected and I am seeing
avc: denied messages. How do I
fix this?
</a>
</dt>
-<dt>Q: <a href="#id2783770">
+<dt>Q: <a href="#id2785134">
I installed Fedora Core on a system with an existing
/home partition, and now I can't log in.
</a>
</dt>
-<dt>Q: <a href="#id2783867">
+<dt>Q: <a href="#id2785231">
After relabeling my /home using
setfiles or fixfiles, will I
still be able to read /home with a
non-SELinux-enabled system?
</a>
</dt>
-<dt>Q: <a href="#id2783924">
+<dt>Q: <a href="#id2785289">
How do I share directories using NFS between Fedora Core and non-SELinux
systems?
</a>
</dt>
-<dt>Q: <a href="#id2783992">
+<dt>Q: <a href="#id2785356">
How can I create a new Linux user account with the user's home
directory having the proper context?
</a>
</dt>
-<dt>Q: <a href="#id2784110">
+<dt>Q: <a href="#id2785474">
I'm having troubles with avc errors filling my
logs for a particular program. How do I choose not to audit the
access for it?
</a>
</dt>
-<dt>Q: <a href="#id2784195">
+<dt>Q: <a href="#id2785559">
Even running in permissive mode, I'm getting a large number of
avc denied messages.
</a>
</dt>
-<dt>Q: <a href="#id2784237">
+<dt>Q: <a href="#id2785601">
I get a specific permission denial only when SELinux is in enforcing
mode, but I don't see any audit messages in
- /var/log/audit/audit.log. How can I identify the
+ /var/log/messages (or
+ /var/log/audit/audit.log if using the audit
+ daemon). How can I identify the
cause of these silent denials?
</a>
</dt>
-<dt>Q: <a href="#id2784355">
+<dt>Q: <a href="#id2785724">
Why do I not see the output when I run certain daemons in debug or
interactive mode?
</a>
</dt>
-<dt>Q: <a href="#id2784452">
+<dt>Q: <a href="#id2785822">
When I do an upgrade of the policy package (for example, using
yum), what happens with the policy? Is it
updated automatically?
</a>
</dt>
-<dt>Q: <a href="#id2784550">
+<dt>Q: <a href="#id2785920">
If the policy shipping with an application package changes in a
way that requires relabeling, will RPM handle relabeling the files
owned by the package?
</a>
</dt>
-<dt>Q: <a href="#id2784633">
+<dt>Q: <a href="#id2786002">
Why do binary policies distributed with Fedora, such as
/etc/selinux/<policyname>/policy/policy.<version>,
and those I compile myself have different sizes and MD5 checksums?
</a>
</dt>
-<dt>Q: <a href="#id2784696">
+<dt>Q: <a href="#id2786066">
Will new policy packages disable my system?
</a>
</dt>
-<dt>Q: <a href="#id2784732">
+<dt>Q: <a href="#id2786102">
How can I help write policy?
</a>
</dt>
-<dt>Q: <a href="#id2785039">
+<dt>Q: <a href="#id2786409">
My console is being flooded with messages. How do I turn them
off?
</a>
</dt>
-<dt>Q: <a href="#id2785069">
+<dt>Q: <a href="#id2786440">
Can I test the default policy without installing the policy
source?
</a>
</dt>
-<dt>Q: <a href="#id2785167">
+<dt>Q: <a href="#id2786537">
Why are some of my KDE applications having trouble under SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2785242">
+<dt>Q: <a href="#id2786613">
Why does SELINUX=disabled not work for me?
</a>
</dt>
-<dt>Q: <a href="#id2785270">
+<dt>Q: <a href="#id2786640">
I have a process running as
unconfined_t, and SELinux is
still preventing my application from running.
</a>
</dt>
-<dt>Q: <a href="#id2785409">
+<dt>Q: <a href="#id2786780">
What do these rpm errors mean?
</a>
</dt>
-<dt>Q: <a href="#id2785485">
+<dt>Q: <a href="#id2729318">
I want to run a daemon on a non standard port but SELinux will not
allow me. How do get this to work?
</a>
</dt>
-<dt>Q: <a href="#id2785522">
+<dt>Q: <a href="#id2729356">
How do I add additional translations to my MCS/MLS system?
</a>
</dt>
-<dt>Q: <a href="#id2785580">
+<dt>Q: <a href="#id2787091">
I have setup my MCS/MLS translations, now I want to designate
which users can read a given category?
</a>
</dt>
-<dt>Q: <a href="#id2785634">
+<dt>Q: <a href="#id2787145">
I am writing an php script that needs to create temporary files in
/tmp and then execute them, SELinux policy is
preventing this. What should I do?
</a>
</dt>
-<dt>Q: <a href="#id2785680">
+<dt>Q: <a href="#id2787191">
I am setting up swapping to a file, but I am seeing AVC messages
in my log files?
</a>
</dt>
-<dt>Q: <a href="#id2785717">
+<dt>Q: <a href="#id2787228">
Please explain the
relabelto/relabelfrom
permissions?
</a>
</dt>
+<dt>Q: <a href="#id2787324">
+ Where are SELinux AVC messages (denial logs, etc.) stored?
+ </a>
+</dt>
</dl></dd>
<dt>1.4. <a href="#faq-div-deploying-selinux">Deploying SELinux</a>
</dt>
<dd><dl>
-<dt>Q: <a href="#id2785821">
+<dt>Q: <a href="#id2787378">
What file systems can I use for SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2785855">
+<dt>Q: <a href="#id2787412">
How does SELinux impact system performance?
</a>
</dt>
-<dt>Q: <a href="#id2785886">
+<dt>Q: <a href="#id2787443">
What types of deployments, applications, and systems should I
leverage SELinux in?
</a>
</dt>
-<dt>Q: <a href="#id2785955">
+<dt>Q: <a href="#id2787512">
How does SELinux affect third-party applications?
</a>
</dt>
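Review bot: The new entry "Where are SELinux AVC messages (denial logs, etc.) stored?" is appended as the last question under Resolving Problems, after the relabelto/relabelfrom entry, although the first question in the section already asks about avc: denied messages and the silent-denials question now has to spell out both log paths in its own title. Consider moving the new entry to the top of the section and having the silent-denials question link to it instead of repeating "/var/log/messages (or /var/log/audit/audit.log if using the audit daemon)".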
@@ -476,11 +497,11 @@
<a name="faq-div-understanding-selinux"></a>1.1. Understanding SELinux</h4>
</td></tr>
<tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl>
-<dt>Q: <a href="#id2729807">
+<dt>Q: <a href="#id2730692">
What is SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2731256">
+<dt>Q: <a href="#id2732137">
What is SELinux policy?
</a>
</dt>
@@ -488,11 +509,15 @@
What is the SELinux targeted policy?
</a>
</dt>
-<dt>Q: <a href="#id2731514">
+<dt>Q: <a href="#id2732394">
+ What programs are protected by the targeted policy?
+ </a>
+</dt>
+<dt>Q: <a href="#id2745278">
What about the strict policy? Does it even work?
</a>
</dt>
-<dt>Q: <a href="#id2728705">
+<dt>Q: <a href="#id2745344">
What is the mls policy? Who is it for?
</a>
</dt>
@@ -500,15 +525,15 @@
What is the Reference Policy?
</a>
</dt>
-<dt>Q: <a href="#id2728838">
+<dt>Q: <a href="#id2745437">
What are file contexts?
</a>
</dt>
-<dt>Q: <a href="#id2744128">
+<dt>Q: <a href="#id2745502">
How do I view the security context of a file, user, or process?
</a>
</dt>
-<dt>Q: <a href="#id2744165">
+<dt>Q: <a href="#id2745540">
What is the difference between a domain and
a type?
</a>
@@ -524,7 +549,7 @@
</dl></td></tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2729807"></a><a name="id2729809"></a><b>Q:</b>
+<a name="id2730692"></a><a name="id2730694"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What is SELinux?
@@ -603,7 +628,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2731256"></a><a name="qa-whatis-policy"></a><b>Q:</b>
+<a name="id2732137"></a><a name="qa-whatis-policy"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What is SELinux policy?
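Review bot: The only change in this hunk is the generated anchor, id2731256 becoming id2732137, while the hand-assigned name qa-whatis-policy on the same line is unchanged, and the table of contents links to the generated value (href="#id2732137"). Pointing the table-of-contents links at the stable names, and giving every question one, would keep external links to individual answers working across regenerations and would shrink this diff to the few hunks that change content.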
@@ -654,7 +679,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="qa-whatis-targeted-policy"></a><a name="id2731408"></a><b>Q:</b>
+<a name="qa-whatis-targeted-policy"></a><a name="id2732292"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What is the SELinux targeted policy?
@@ -709,7 +734,107 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2731514"></a><a name="id2731516"></a><b>Q:</b>
+<a name="id2732394"></a><a name="id2732396"></a><b>Q:</b>
+</td>
+<td align="left" valign="top"><p>
+ What programs are protected by the targeted policy?
+ </p></td>
+</tr>
+<tr class="answer">
+<td align="left" valign="top"><b>A:</b></td>
+<td align="left" valign="top">
+<p>
+ Currently, the list of programs is approximately:
+ </p>
+<p>
+ <code class="filename">accton</code>,
+ <code class="filename">amanda</code>,
+ <code class="filename">httpd</code> (apache),
+ <code class="filename">arpwatch</code>,
+ <code class="filename">pam</code>,
+ <code class="filename">automount</code>,
+ <code class="filename">avahi</code>,
+ <code class="filename">named</code>,
+ <code class="filename">bluez</code>,
+ <code class="filename">lilo</code>,
+ <code class="filename">grub</code>,
+ <code class="filename">canna</code>,
+ <code class="filename">comsat</code>,
+ <code class="filename">cpucontrol</code>,
+ <code class="filename">cpuspeed</code>,
+ <code class="filename">cups</code>,
+ <code class="filename">cvs</code>,
+ <code class="filename">cyrus</code>,
+ <code class="filename">dbskkd</code>,
+ <code class="filename">dbus</code>,
+ <code class="filename">dhcpd</code>,
+ <code class="filename">dictd</code>,
+ <code class="filename">dmidecode</code>,
+ <code class="filename">dovecot</code>,
+ <code class="filename">fetchmail</code>,
+ <code class="filename">fingerd</code>,
+ <code class="filename">ftpd</code> (vsftpd, proftpd, and muddleftpd),
+ <code class="filename">gpm</code>,
+ <code class="filename">hald</code>,
+ <code class="filename">hotplug</code>,
+ <code class="filename">howl</code>,
+ <code class="filename">innd</code>,
+ <code class="filename">kerberos</code>,
+ <code class="filename">ktalkd</code>,
+ <code class="filename">openldap</code>,
+ <code class="filename">auditd</code>,
+ <code class="filename">syslog</code>,
+ <code class="filename">logwatch</code>,
+ <code class="filename">lpd</code>,
+ <code class="filename">lvm</code>,
+ <code class="filename">mailman</code>,
+ <code class="filename">module-init-tools</code>,
+ <code class="filename">mount</code>,
+ <code class="filename">mysql</code>,
+ <code class="filename">NetworkManager</code>,
+ <code class="filename">NIS</code>,
+ <code class="filename">nscd</code>,
+ <code class="filename">ntp</code>,
+ <code class="filename">pegasus</code>,
+ <code class="filename">portmap</code>,
+ <code class="filename">postfix</code>,
+ <code class="filename">postgresql</code>,
+ <code class="filename">pppd</code>,
+ <code class="filename">pptp</code>,
+ <code class="filename">privoxy</code>,
+ <code class="filename">procmail</code>,
+ <code class="filename">radiusd</code>,
+ <code class="filename">radvd</code>,
+ <code class="filename">rlogin</code>,
+ <code class="filename">nfs</code>,
+ <code class="filename">rsync</code>,
+ <code class="filename">samba</code>,
+ <code class="filename">saslauthd</code>,
+ <code class="filename">snmpd</code>,
+ <code class="filename">spamd</code>,
+ <code class="filename">squid</code>,
+ <code class="filename">stunnel</code>,
+ <code class="filename">dhcpc</code>,
+ <code class="filename">ifconfig</code>,
+ <code class="filename">sysstat</code>,
+ <code class="filename">tcp wrappers</code>,
+ <code class="filename">telnetd</code>,
+ <code class="filename">tftpd</code>,
+ <code class="filename">updfstab</code>,
+ <code class="filename">user management</code> (passwd, useradd, etc.),
+ <code class="filename">crack</code>,
+ <code class="filename">uucpd</code>,
+ <code class="filename">vpnc</code>,
+ <code class="filename">webalizer</code>,
+ <code class="filename">xend</code>,
+ <code class="filename">xfs</code>,
+ <code class="filename">zebra</code>
+ </p>
+</td>
+</tr>
+<tr class="question">
+<td align="left" valign="top">
+<a name="id2745278"></a><a name="id2745280"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What about the strict policy? Does it even work?
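Review bot: The added answer gives no policy package name or version for "Currently, the list of programs is approximately:", so a reader cannot tell which release the list describes or when it has gone stale; state the policy version the list was taken from. Several entries are wrapped in <code class="filename"> although they are not file names ("tcp wrappers", "user management", "NIS", "kerberos"), and the list is in no apparent order (pam follows arpwatch, nfs follows rlogin), which makes it hard to check whether a given daemon is confined; sort it alphabetically and keep the filename markup for actual program names.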
@@ -739,7 +864,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2728705"></a><a name="id2728707"></a><b>Q:</b>
+<a name="id2745344"></a><a name="id2745346"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What is the mls policy? Who is it for?
@@ -766,7 +891,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="faq-entry-whatis-refpolicy"></a><a name="id2728788"></a><b>Q:</b>
+<a name="faq-entry-whatis-refpolicy"></a><a name="id2745387"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What is the Reference Policy?
@@ -802,7 +927,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2728838"></a><a name="id2728840"></a><b>Q:</b>
+<a name="id2745437"></a><a name="id2745439"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What are file contexts?
@@ -829,7 +954,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2744128"></a><a name="id2744130"></a><b>Q:</b>
+<a name="id2745502"></a><a name="id2745504"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I view the security context of a file, user, or process?
@@ -851,7 +976,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2744165"></a><a name="id2744167"></a><b>Q:</b>
+<a name="id2745540"></a><a name="id2745542"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What is the difference between a <em class="firstterm">domain</em> and
@@ -869,7 +994,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="faq-entry-whatare-policy-modules"></a><a name="id2744202"></a><b>Q:</b>
+<a name="faq-entry-whatare-policy-modules"></a><a name="id2745578"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What are policy modules?
@@ -910,7 +1035,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="faq-entry-whatis-managed-policy"></a><a name="id2744276"></a><b>Q:</b>
+<a name="faq-entry-whatis-managed-policy"></a><a name="id2745651"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What is managed policy?
@@ -945,19 +1070,19 @@
<a name="faq-div-controlling-selinux"></a>1.2. Controlling SELinux</h4>
</td></tr>
<tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl>
-<dt>Q: <a href="#id2744339">
+<dt>Q: <a href="#id2783681">
How do I install/not install SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2744365">
+<dt>Q: <a href="#id2783707">
How do I switch the policy I am currently using?
</a>
</dt>
-<dt>Q: <a href="#id2744595">
+<dt>Q: <a href="#id2783924">
How can I back up files from an SELinux file system?
</a>
</dt>
-<dt>Q: <a href="#id2744700">
+<dt>Q: <a href="#id2784024">
How can I install the strict policy by default with kickstart?
</a>
</dt>
@@ -966,48 +1091,48 @@
the targeted policy?
</a>
</dt>
-<dt>Q: <a href="#id2782795">
+<dt>Q: <a href="#id2784146">
How do I make a user public_html directory
work under SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2783007">
+<dt>Q: <a href="#id2784358">
How do I turn SELinux off at boot?
</a>
</dt>
-<dt>Q: <a href="#id2783067">
+<dt>Q: <a href="#id2784418">
How do I turn enforcing on/off at boot?
</a>
</dt>
-<dt>Q: <a href="#id2783186">
+<dt>Q: <a href="#id2784537">
How do I temporarily turn off enforcing mode without having to
reboot?
</a>
</dt>
-<dt>Q: <a href="#id2783253">
+<dt>Q: <a href="#id2784604">
How do I turn system call auditing on/off at boot?
</a>
</dt>
-<dt>Q: <a href="#id2783296">
+<dt>Q: <a href="#id2784647">
How do I temporarily turn off system-call auditing without having
to reboot?
</a>
</dt>
-<dt>Q: <a href="#id2783321">
+<dt>Q: <a href="#id2784672">
How do I get status info about my SELinux installation?
</a>
</dt>
-<dt>Q: <a href="#id2783352">
+<dt>Q: <a href="#id2784703">
How do I write policy to allow a domain to use pam_unix.so?
</a>
</dt>
-<dt>Q: <a href="#id2783443">
+<dt>Q: <a href="#id2784794">
In the past I have written local.te file in policy sources for my
own local customization to policy, how do I do this with
Reference Policy?
</a>
</dt>
-<dt>Q: <a href="#id2783608">
+<dt>Q: <a href="#id2784972">
I created a new Policy Package where do I put it to make sure that
it gets loaded into the kernel?
</a>
@@ -1015,7 +1140,7 @@
</dl></td></tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2744339"></a><a name="id2744342"></a><b>Q:</b>
+<a name="id2783681"></a><a name="id2783683"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I install/not install SELinux?
@@ -1031,7 +1156,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2744365"></a><a name="id2744367"></a><b>Q:</b>
+<a name="id2783707"></a><a name="id2783709"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I switch the policy I am currently using?
@@ -1123,7 +1248,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2744595"></a><a name="id2744597"></a><b>Q:</b>
+<a name="id2783924"></a><a name="id2783926"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How can I back up files from an SELinux file system?
@@ -1170,7 +1295,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2744700"></a><a name="id2744702"></a><b>Q:</b>
+<a name="id2784024"></a><a name="id2784026"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How can I install the strict policy by default with kickstart?
@@ -1197,7 +1322,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="qa-using-s-c-securitylevel"></a><a name="id2744774"></a><b>Q:</b>
+<a name="qa-using-s-c-securitylevel"></a><a name="id2784095"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I enable/disable SELinux protection on specific daemons under
@@ -1221,7 +1346,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2782795"></a><a name="id2782797"></a><b>Q:</b>
+<a name="id2784146"></a><a name="id2784148"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I make a user <code class="filename">public_html</code> directory
@@ -1297,7 +1422,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783007"></a><a name="id2783011"></a><b>Q:</b>
+<a name="id2784358"></a><a name="id2784361"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I turn SELinux off at boot?
@@ -1333,7 +1458,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783067"></a><a name="id2783069"></a><b>Q:</b>
+<a name="id2784418"></a><a name="id2784420"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I turn enforcing on/off at boot?
@@ -1387,7 +1512,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783186"></a><a name="id2783188"></a><b>Q:</b>
+<a name="id2784537"></a><a name="id2784539"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I temporarily turn off enforcing mode without having to
@@ -1423,7 +1548,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783253"></a><a name="id2783255"></a><b>Q:</b>
+<a name="id2784604"></a><a name="id2784606"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I turn system call auditing on/off at boot?
@@ -1448,7 +1573,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783296"></a><a name="id2783298"></a><b>Q:</b>
+<a name="id2784647"></a><a name="id2784649"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I temporarily turn off system-call auditing without having
@@ -1464,7 +1589,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783321"></a><a name="id2783323"></a><b>Q:</b>
+<a name="id2784672"></a><a name="id2784674"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I get status info about my SELinux installation?
@@ -1480,7 +1605,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783352"></a><a name="id2783354"></a><b>Q:</b>
+<a name="id2784703"></a><a name="id2784705"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I write policy to allow a domain to use pam_unix.so?
@@ -1522,7 +1647,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783443"></a><a name="id2783446"></a><b>Q:</b>
+<a name="id2784794"></a><a name="id2784797"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
In the past I have written local.te file in policy sources for my
@@ -1550,7 +1675,7 @@
additional customizations.
</p>
<pre class="screen">
-<code class="computeroutput">audit2allow -M local -l -i /var/log/audit/audit.log
+<code class="computeroutput">audit2allow -M local -l -i /var/log/messages
Generating type enforcment file: local.te
Compiling policy
checkmodule -M -m -o local.mod local.te
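Review bot: The example command now reads /var/log/messages unconditionally, and the caveat about the audit daemon only arrives after the sample output, in the paragraph changed by the next hunk. A reader on a system running the audit daemon who copies the command as shown will point audit2allow at the file this FAQ says not to use in that case; state which log file applies before the <pre class="screen"> block, or show both invocations.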
@@ -1564,6 +1689,10 @@
semodule -i local.pp</code>
</pre>
<p>
+ Note that the above assumes you are not using the audit daemon.
+ If you were using the audit daemon, then you should use
+ <code class="filename">/var/log/audit/audit.log</code> instead of
+ <code class="filename">/var/log/messages</code> as your log file.
This will generate a <code class="filename">local.te</code> file, that
looks something like the following:
</p>
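Review bot: The four added lines are placed at the start of the existing paragraph, so "This will generate a local.te file" now follows the sentence about /var/log/audit/audit.log and "This" no longer clearly refers to the audit2allow command. Put the note in its own <p> (or after the local.te sentence), and prefer the present tense, "If you are using the audit daemon, use ...", over "If you were using the audit daemon, then you should use".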
@@ -1609,7 +1738,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783608"></a><a name="id2783610"></a><b>Q:</b>
+<a name="id2784972"></a><a name="id2784974"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I created a new Policy Package where do I put it to make sure that
@@ -1646,146 +1775,152 @@
<a name="faq-div-resolving-problems"></a>1.3. Resolving Problems</h4>
</td></tr>
<tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl>
-<dt>Q: <a href="#id2783674">
+<dt>Q: <a href="#id2785038">
My application isn't working as expected and I am seeing
avc: denied messages. How do I
fix this?
</a>
</dt>
-<dt>Q: <a href="#id2783770">
+<dt>Q: <a href="#id2785134">
I installed Fedora Core on a system with an existing
/home partition, and now I can't log in.
</a>
</dt>
-<dt>Q: <a href="#id2783867">
+<dt>Q: <a href="#id2785231">
After relabeling my /home using
setfiles or fixfiles, will I
still be able to read /home with a
non-SELinux-enabled system?
</a>
</dt>
-<dt>Q: <a href="#id2783924">
+<dt>Q: <a href="#id2785289">
How do I share directories using NFS between Fedora Core and non-SELinux
systems?
</a>
</dt>
-<dt>Q: <a href="#id2783992">
+<dt>Q: <a href="#id2785356">
How can I create a new Linux user account with the user's home
directory having the proper context?
</a>
</dt>
-<dt>Q: <a href="#id2784110">
+<dt>Q: <a href="#id2785474">
I'm having troubles with avc errors filling my
logs for a particular program. How do I choose not to audit the
access for it?
</a>
</dt>
-<dt>Q: <a href="#id2784195">
+<dt>Q: <a href="#id2785559">
Even running in permissive mode, I'm getting a large number of
avc denied messages.
</a>
</dt>
-<dt>Q: <a href="#id2784237">
+<dt>Q: <a href="#id2785601">
I get a specific permission denial only when SELinux is in enforcing
mode, but I don't see any audit messages in
- /var/log/audit/audit.log. How can I identify the
+ /var/log/messages (or
+ /var/log/audit/audit.log if using the audit
+ daemon). How can I identify the
cause of these silent denials?
</a>
</dt>
-<dt>Q: <a href="#id2784355">
+<dt>Q: <a href="#id2785724">
Why do I not see the output when I run certain daemons in debug or
interactive mode?
</a>
</dt>
-<dt>Q: <a href="#id2784452">
+<dt>Q: <a href="#id2785822">
When I do an upgrade of the policy package (for example, using
yum), what happens with the policy? Is it
updated automatically?
</a>
</dt>
-<dt>Q: <a href="#id2784550">
+<dt>Q: <a href="#id2785920">
If the policy shipping with an application package changes in a
way that requires relabeling, will RPM handle relabeling the files
owned by the package?
</a>
</dt>
-<dt>Q: <a href="#id2784633">
+<dt>Q: <a href="#id2786002">
Why do binary policies distributed with Fedora, such as
/etc/selinux/<policyname>/policy/policy.<version>,
and those I compile myself have different sizes and MD5 checksums?
</a>
</dt>
-<dt>Q: <a href="#id2784696">
+<dt>Q: <a href="#id2786066">
Will new policy packages disable my system?
</a>
</dt>
-<dt>Q: <a href="#id2784732">
+<dt>Q: <a href="#id2786102">
How can I help write policy?
</a>
</dt>
-<dt>Q: <a href="#id2785039">
+<dt>Q: <a href="#id2786409">
My console is being flooded with messages. How do I turn them
off?
</a>
</dt>
-<dt>Q: <a href="#id2785069">
+<dt>Q: <a href="#id2786440">
Can I test the default policy without installing the policy
source?
</a>
</dt>
-<dt>Q: <a href="#id2785167">
+<dt>Q: <a href="#id2786537">
Why are some of my KDE applications having trouble under SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2785242">
+<dt>Q: <a href="#id2786613">
Why does SELINUX=disabled not work for me?
</a>
</dt>
-<dt>Q: <a href="#id2785270">
+<dt>Q: <a href="#id2786640">
I have a process running as
unconfined_t, and SELinux is
still preventing my application from running.
</a>
</dt>
-<dt>Q: <a href="#id2785409">
+<dt>Q: <a href="#id2786780">
What do these rpm errors mean?
</a>
</dt>
-<dt>Q: <a href="#id2785485">
+<dt>Q: <a href="#id2729318">
I want to run a daemon on a non standard port but SELinux will not
allow me. How do get this to work?
</a>
</dt>
-<dt>Q: <a href="#id2785522">
+<dt>Q: <a href="#id2729356">
How do I add additional translations to my MCS/MLS system?
</a>
</dt>
-<dt>Q: <a href="#id2785580">
+<dt>Q: <a href="#id2787091">
I have setup my MCS/MLS translations, now I want to designate
which users can read a given category?
</a>
</dt>
-<dt>Q: <a href="#id2785634">
+<dt>Q: <a href="#id2787145">
I am writing an php script that needs to create temporary files in
/tmp and then execute them, SELinux policy is
preventing this. What should I do?
</a>
</dt>
-<dt>Q: <a href="#id2785680">
+<dt>Q: <a href="#id2787191">
I am setting up swapping to a file, but I am seeing AVC messages
in my log files?
</a>
</dt>
-<dt>Q: <a href="#id2785717">
+<dt>Q: <a href="#id2787228">
Please explain the
relabelto/relabelfrom
permissions?
</a>
</dt>
+<dt>Q: <a href="#id2787324">
+ Where are SELinux AVC messages (denial logs, etc.) stored?
+ </a>
+</dt>
</dl></td></tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783674"></a><a name="id2783676"></a><b>Q:</b>
+<a name="id2785038"></a><a name="id2785041"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
My application isn't working as expected and I am seeing
@@ -1832,7 +1967,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783770"></a><a name="id2783772"></a><b>Q:</b>
+<a name="id2785134"></a><a name="id2785136"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I installed Fedora Core on a system with an existing
@@ -1868,7 +2003,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783867"></a><a name="id2783869"></a><b>Q:</b>
+<a name="id2785231"></a><a name="id2785233"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
After relabeling my <code class="filename">/home</code> using
@@ -1891,7 +2026,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783924"></a><a name="id2783927"></a><b>Q:</b>
+<a name="id2785289"></a><a name="id2785291"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I share directories using NFS between Fedora Core and non-SELinux
@@ -1927,7 +2062,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2783992"></a><a name="id2783994"></a><b>Q:</b>
+<a name="id2785356"></a><a name="id2785358"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How can I create a new Linux user account with the user's home
@@ -1973,7 +2108,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2784110"></a><a name="id2784112"></a><b>Q:</b>
+<a name="id2785474"></a><a name="id2785476"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I'm having troubles with <span><strong class="command">avc</strong></span> errors filling my
@@ -2002,7 +2137,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2784195"></a><a name="id2784197"></a><b>Q:</b>
+<a name="id2785559"></a><a name="id2785561"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
Even running in permissive mode, I'm getting a large number of
@@ -2031,12 +2166,14 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2784237"></a><a name="id2784239"></a><b>Q:</b>
+<a name="id2785601"></a><a name="id2785603"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I get a specific permission denial only when SELinux is in enforcing
mode, but I don't see any audit messages in
- <code class="filename">/var/log/audit/audit.log</code>. How can I identify the
+ <code class="filename">/var/log/messages</code> (or
+ <code class="filename">/var/log/audit/audit.log</code> if using the audit
+ daemon). How can I identify the
cause of these silent denials?
</p></td>
</tr>
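Review bot: the reworded question (the added /var/log/messages lines) restates the log-location rule that this same commit also adds as a separate entry, "Where are SELinux AVC messages (denial logs, etc.) stored?", and the two phrase the condition differently: "if using the audit daemon" here, "unless you choose to install the audit daemon" there. Suggest pointing this question at the new entry, or at least using one wording in both, so the next change of log path is made in one place. The answer to this question is outside the hunk; check that it names both files as well.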
@@ -2091,7 +2228,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2784355"></a><a name="id2784357"></a><b>Q:</b>
+<a name="id2785724"></a><a name="id2785727"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
Why do I not see the output when I run certain daemons in debug or
@@ -2132,7 +2269,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2784452"></a><a name="id2784454"></a><b>Q:</b>
+<a name="id2785822"></a><a name="id2785824"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
When I do an upgrade of the policy package (for example, using
@@ -2179,7 +2316,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2784550"></a><a name="id2784552"></a><b>Q:</b>
+<a name="id2785920"></a><a name="id2785922"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
If the policy shipping with an application package changes in a
@@ -2198,7 +2335,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2784633"></a><a name="id2784636"></a><b>Q:</b>
+<a name="id2786002"></a><a name="id2786006"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
Why do binary policies distributed with Fedora, such as
@@ -2217,7 +2354,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2784696"></a><a name="id2784698"></a><b>Q:</b>
+<a name="id2786066"></a><a name="id2786068"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
Will new policy packages disable my system?
@@ -2240,7 +2377,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2784732"></a><a name="id2784734"></a><b>Q:</b>
+<a name="id2786102"></a><a name="id2786104"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How can I help write policy?
@@ -2355,7 +2492,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785039"></a><a name="id2785041"></a><b>Q:</b>
+<a name="id2786409"></a><a name="id2786411"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
My console is being flooded with messages. How do I turn them
@@ -2376,7 +2513,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785069"></a><a name="id2785071"></a><b>Q:</b>
+<a name="id2786440"></a><a name="id2786442"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
Can I test the default policy without installing the policy
@@ -2413,7 +2550,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785167"></a><a name="id2785169"></a><b>Q:</b>
+<a name="id2786537"></a><a name="id2786540"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
Why are some of my KDE applications having trouble under SELinux?
@@ -2448,7 +2585,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785242"></a><a name="id2785245"></a><b>Q:</b>
+<a name="id2786613"></a><a name="id2786615"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
Why does <code class="option">SELINUX=disabled</code> not work for me?
@@ -2464,7 +2601,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785270"></a><a name="id2785272"></a><b>Q:</b>
+<a name="id2786640"></a><a name="id2786642"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I have a process running as
@@ -2521,7 +2658,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785409"></a><a name="id2785411"></a><b>Q:</b>
+<a name="id2786780"></a><a name="id2786782"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What do these rpm errors mean?
@@ -2562,7 +2699,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785485"></a><a name="id2785487"></a><b>Q:</b>
+<a name="id2729318"></a><a name="id2729320"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I want to run a daemon on a non standard port but SELinux will not
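Review bot: the only change in this hunk is the pair of generated anchor names (id2785485 becomes id2729318), and the same renumbering makes up most of the hunks in this patch. Each regeneration therefore breaks any bookmark or external link to a specific question, and the churn buries the two real content changes. Suggest giving every question a fixed, descriptive anchor, as the section headings already have (faq-div-deploying-selinux), so that links survive rebuilds and future diffs show only content.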
@@ -2584,7 +2721,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785522"></a><a name="id2785524"></a><b>Q:</b>
+<a name="id2729356"></a><a name="id2729358"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I add additional translations to my MCS/MLS system?
@@ -2624,7 +2761,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785580"></a><a name="id2785582"></a><b>Q:</b>
+<a name="id2787091"></a><a name="id2787093"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I have setup my MCS/MLS translations, now I want to designate
@@ -2658,7 +2795,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785634"></a><a name="id2785636"></a><b>Q:</b>
+<a name="id2787145"></a><a name="id2787148"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I am writing an php script that needs to create temporary files in
@@ -2679,7 +2816,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785680"></a><a name="id2785682"></a><b>Q:</b>
+<a name="id2787191"></a><a name="id2787193"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I am setting up swapping to a file, but I am seeing AVC messages
@@ -2700,7 +2837,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785717"></a><a name="id2785719"></a><b>Q:</b>
+<a name="id2787228"></a><a name="id2787230"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
Please explain the
@@ -2744,32 +2881,55 @@
</ul></div>
</td>
</tr>
+<tr class="question">
+<td align="left" valign="top">
+<a name="id2787324"></a><a name="id2787326"></a><b>Q:</b>
+</td>
+<td align="left" valign="top"><p>
+ Where are SELinux AVC messages (denial logs, etc.) stored?
+ </p></td>
+</tr>
+<tr class="answer">
+<td align="left" valign="top"><b>A:</b></td>
+<td align="left" valign="top"><p>
+ In Fedora Core 2 and 3, SELinux AVC messages could be found in
+ <code class="filename">/var/log/messages</code>.
+ In Fedora Core 4, the audit daemon was added, and these messages
+ moved to
+ <code class="filename">/var/log/audit/audit.log</code>.
+ In Fedora Core 5, the audit daemon is not installed by default, and
+ consequently these messages can be found in
+ <code class="filename">/var/log/messages</code> unless you choose to
+ install the audit daemon, in which case AVC messages will be in
+ <code class="filename">/var/log/audit/audit.log</code>.
+ </p></td>
+</tr>
<tr class="qandadiv"><td align="left" valign="top" colspan="2">
<a name="faq-div-deploying-selinux"></a><h4 class="title">
<a name="faq-div-deploying-selinux"></a>1.4. Deploying SELinux</h4>
</td></tr>
<tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl>
-<dt>Q: <a href="#id2785821">
+<dt>Q: <a href="#id2787378">
What file systems can I use for SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2785855">
+<dt>Q: <a href="#id2787412">
How does SELinux impact system performance?
</a>
</dt>
-<dt>Q: <a href="#id2785886">
+<dt>Q: <a href="#id2787443">
What types of deployments, applications, and systems should I
leverage SELinux in?
</a>
</dt>
-<dt>Q: <a href="#id2785955">
+<dt>Q: <a href="#id2787512">
How does SELinux affect third-party applications?
</a>
</dt>
</dl></td></tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785821"></a><a name="id2785823"></a><b>Q:</b>
+<a name="id2787378"></a><a name="id2787381"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What file systems can I use for SELinux?
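Review bot: the new answer lists where AVC messages go in each release but gives the reader no way to tell which case applies on a given FC5 system. Suggest adding a sentence on how to check whether the audit daemon is installed and running, because a reader who looks only in /var/log/messages on a system that has the daemon will wrongly conclude there were no denials. The "(denial logs, etc.)" in the question is also vague; either name what else is logged there or drop the parenthesis.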
@@ -2795,7 +2955,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785855"></a><a name="id2785862"></a><b>Q:</b>
+<a name="id2787412"></a><a name="id2787420"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How does SELinux impact system performance?
@@ -2815,7 +2975,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785886"></a><a name="id2785888"></a><b>Q:</b>
+<a name="id2787443"></a><a name="id2787446"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What types of deployments, applications, and systems should I
@@ -2855,7 +3015,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2785955"></a><a name="id2785957"></a><b>Q:</b>
+<a name="id2787512"></a><a name="id2787514"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How does SELinux affect third-party applications?