web/html/docs/selinux-faq index.html,1.2,1.3

sradvan sradvan at fedoraproject.org
Fri Jan 22 01:09:16 UTC 2010


Author: sradvan

Update of /cvs/fedora/web/html/docs/selinux-faq
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30519

Modified Files:
	index.html 
Log Message:
add sepolgen and avc/syscall analysis, other minor fixes



Index: index.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-faq/index.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- index.html	21 Jan 2010 03:33:24 -0000	1.2
+++ index.html	22 Jan 2010 01:09:15 -0000	1.3
@@ -2,7 +2,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SELinux FAQ</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 1.3" /><meta name="package" content="Fedora-SELinux_FAQ-12-en-US-0-0" /><meta name="description" content="This FAQ answers many questions about Security-Enhanced Linux. The information in this FAQ is valuable for those who are new to SELinux." /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><div xml:lang="en-US" class="article" title="SELinux FAQ" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="
 productnumber">12</span></div><div><h1 id="chap-SELinux-FAQ-FAQ" class="title">SELinux FAQ</h1></div><div><h2 class="subtitle">Frequently-asked questions about Security Enhanced Linux</h2></div><div><h3 class="corpauthor">
 		<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> </object></span>
-	</h3></div><div><div xml:lang="en-US" class="authorgroup" lang="en-US"><div class="author"><h3 class="author"><span class="firstname">Karsten</span> <span class="surname">Wade</span></h3><div class="affiliation"><span class="orgname">Fedora</span> <span class="orgdiv">Documentation Project</span></div><code class="email"><a class="email" href="mailto:quaid at fedoraproject.org">quaid at fedoraproject.org</a></code></div><div class="author"><h3 class="author"><span class="firstname">Paul W.</span> <span class="surname">Frields</span></h3><div class="affiliation"><span class="orgname">Fedora</span> <span class="orgdiv">Documentation Project</span></div><code class="email"><a class="email" href="mailto:pfrields at fedoraproject.org">pfrields at fedoraproject.org</a></code></div><div class="author"><h3 class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Con
 tent Services</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div></div></div><div><div id="id3115757" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
+	</h3></div><div><div xml:lang="en-US" class="authorgroup" lang="en-US"><div class="author"><h3 class="author"><span class="firstname">Karsten</span> <span class="surname">Wade</span></h3><div class="affiliation"><span class="orgname">Fedora</span> <span class="orgdiv">Documentation Project</span></div><code class="email"><a class="email" href="mailto:quaid at fedoraproject.org">quaid at fedoraproject.org</a></code></div><div class="author"><h3 class="author"><span class="firstname">Paul W.</span> <span class="surname">Frields</span></h3><div class="affiliation"><span class="orgname">Fedora</span> <span class="orgdiv">Documentation Project</span></div><code class="email"><a class="email" href="mailto:pfrields at fedoraproject.org">pfrields at fedoraproject.org</a></code></div><div class="author"><h3 class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Con
 tent Services</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div></div></div><div><div id="id3180313" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
 		Copyright <span class="trademark"></span>© 2010 Red Hat, Inc..
 	</div><div class="para">
 		The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at <a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
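Review bot: The only change in this hunk is the publican-generated legalnotice id (id3115757 to id3180313), so the hunk records regeneration noise rather than an authored edit; if the toolchain allows it, give the legal notice a fixed xml:id so future rebuilds leave this block untouched. While here, the unchanged context line "Copyright © 2010 Red Hat, Inc.." ends with a doubled period that should be corrected in the source.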
@@ -45,139 +45,141 @@
 				Fedora mailing list — <a href="mailto:fedora-selinux-list at redhat.com">mailto:fedora-selinux-list at redhat.com</a>; read the archives or subscribe at <a href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">http://www.redhat.com/mailman/listinfo/fedora-selinux-list</a>
 			</div></li><li class="listitem"><div class="para">
 				On IRC - irc.freenode.net, #fedora-selinux and #selinux
-			</div></li></ul></div><div class="section" title="1. SELinux"><div class="titlepage"><div><div><h2 class="title" id="SELinux_FAQ-FAQ-SELinux">1. SELinux</h2></div></div></div><div class="qandaset" title="Frequently Asked Questions" id="id3022703"><dl><dt></dt><dd><dl><dt>Q: <a href="#id3022708">
+			</div></li></ul></div><div class="section" title="1. SELinux"><div class="titlepage"><div><div><h2 class="title" id="SELinux_FAQ-FAQ-SELinux">1. SELinux</h2></div></div></div><div class="qandaset" title="Frequently Asked Questions" id="id2997132"><dl><dt></dt><dd><dl><dt>Q: <a href="#id2997137">
 						What is SELinux?
-					</a></dt><dt>Q: <a href="#id2952428">
+					</a></dt><dt>Q: <a href="#id3000037">
 						What is SELinux policy?
-					</a></dt><dt>Q: <a href="#id2948223">
+					</a></dt><dt>Q: <a href="#id3009439">
 						What happened to the strict policy?
-					</a></dt><dt>Q: <a href="#id2948251">
+					</a></dt><dt>Q: <a href="#id3009466">
 						What programs are protected by the SELinux policy?
 					</a></dt><dt>Q: <a href="#faq-entry-whatis-refpolicy">
 						What is the Reference Policy?
-					</a></dt><dt>Q: <a href="#id2953893">
+					</a></dt><dt>Q: <a href="#id2993140">
 						What are file contexts?
-					</a></dt><dt>Q: <a href="#id2953953">
+					</a></dt><dt>Q: <a href="#id2993201">
 						How do I view the security context of a file, user, or process?
-					</a></dt><dt>Q: <a href="#id3078024">
+					</a></dt><dt>Q: <a href="#id3067314">
 						What is the difference between a domain and a type?
 					</a></dt><dt>Q: <a href="#faq-entry-whatare-policy-modules">
 						What are policy modules?
 					</a></dt><dt>Q: <a href="#faq-entry-whatis-managed-policy">
 						What is managed policy?
-					</a></dt></dl></dd><dt>1.2.  <a href="#id3016692">Controlling SELinux</a></dt><dd><dl><dt>Q: <a href="#id3016698">
+					</a></dt></dl></dd><dt>1.2.  <a href="#id3041991">Controlling SELinux</a></dt><dd><dl><dt>Q: <a href="#id3041997">
 						How do I install/not install SELinux?
-					</a></dt><dt>Q: <a href="#id3016724">
+					</a></dt><dt>Q: <a href="#id3042024">
 						As an administrator, what do I need to do to configure SELinux for my system?
 					</a></dt><dt>Q: <a href="#qa-using-s-c-securitylevel">
 						How do I enable/disable SELinux protection on specific daemons under the targeted policy?
 					</a></dt><dt>Q: <a href="#faq-entry-local.te">
 						In the past I have written local.te file in policy sources for my own local customization to policy, how do I do this now?
-					</a></dt><dt>Q: <a href="#id3017163">
+					</a></dt><dt>Q: <a href="#id3042460">
 						I have some avc denials that I would like to allow, how do I do this?
-					</a></dt><dt>Q: <a href="#id2993909">
+					</a></dt><dt>Q: <a href="#id3029665">
 						How can I help write policy?
-					</a></dt><dt>Q: <a href="#id2994188">
+					</a></dt><dt>Q: <a href="#id3029908">
 						How do I switch the policy I am currently using?
-					</a></dt><dt>Q: <a href="#id2994374">
+					</a></dt><dt>Q: <a href="#id3030095">
 						How can I back up files from an SELinux file system?
 					</a></dt><dt>Q: <a href="#faq-entry-public_html">
 						How do I make a user public_html directory work under SELinux?
-					</a></dt><dt>Q: <a href="#id2994596">
+					</a></dt><dt>Q: <a href="#id3030317">
 						How do I turn SELinux off at boot?
-					</a></dt><dt>Q: <a href="#id2994660">
+					</a></dt><dt>Q: <a href="#id3030380">
 						How do I turn enforcing on/off at boot?
-					</a></dt><dt>Q: <a href="#id2994760">
+					</a></dt><dt>Q: <a href="#id3030481">
 						How do I temporarily turn off enforcing mode without having to reboot?
-					</a></dt><dt>Q: <a href="#id2994793">
+					</a></dt><dt>Q: <a href="#id3030514">
 						How do I turn system call auditing on/off at boot?
-					</a></dt><dt>Q: <a href="#id2994839">
+					</a></dt><dt>Q: <a href="#id3030560">
 						How do I temporarily turn off system-call auditing without having to reboot?
-					</a></dt><dt>Q: <a href="#id2994866">
+					</a></dt><dt>Q: <a href="#id3030586">
 						How do I get status info about my SELinux installation?
-					</a></dt><dt>Q: <a href="#id2994896">
+					</a></dt><dt>Q: <a href="#id3030616">
 						How do I write policy to allow a domain to use pam_unix.so?
-					</a></dt><dt>Q: <a href="#id2994979">
+					</a></dt><dt>Q: <a href="#id3030700">
 						I created a new Policy Package, where do I put it to make sure that it gets loaded into the kernel?
-					</a></dt></dl></dd><dt>1.3.  <a href="#faq-div-resolving-problems">Resolving Problems</a></dt><dd><dl><dt>Q: <a href="#id2995041">
+					</a></dt></dl></dd><dt>1.3.  <a href="#faq-div-resolving-problems">Resolving Problems</a></dt><dd><dl><dt>Q: <a href="#id3030762">
 						Where are SELinux AVC messages (denial logs, etc.) stored?
-					</a></dt><dt>Q: <a href="#id2995078">
+					</a></dt><dt>Q: <a href="#id3030799">
 						My application isn't working as expected and I am seeing avc: denied messages. How do I fix this?
-					</a></dt><dt>Q: <a href="#id2995166">
-						I installed Fedora on a system with an existing /home partition, and now I can't log in.
-					</a></dt><dt>Q: <a href="#id2995253">
+					</a></dt><dt>Q: <a href="#id3030886">
+						Why doesn't SELinux give me the full path in an error message?
+					</a></dt><dt>Q: <a href="#id3031106">
+						I installed on a system with a pre-existing /home partition, and now I can't log in. What do I do?
+					</a></dt><dt>Q: <a href="#id3031193">
 						After relabeling my /home using setfiles or fixfiles, am I still be able to read /home with a non-SELinux-enabled system?
-					</a></dt><dt>Q: <a href="#id2995304">
+					</a></dt><dt>Q: <a href="#id3031243">
 						How do I share directories using NFS between Fedora and non-SELinux systems?
-					</a></dt><dt>Q: <a href="#id2995365">
+					</a></dt><dt>Q: <a href="#id3031304">
 						How can I create a new Linux user account with the user's home?
-					</a></dt><dt>Q: <a href="#id2995455">
+					</a></dt><dt>Q: <a href="#id3031395">
 						Does the su command change my SELinux identity and role?
-					</a></dt><dt>Q: <a href="#id2995522">
+					</a></dt><dt>Q: <a href="#id3031462">
 						I'm having troubles with avc errors filling my logs for a particular program. How do I choose not to audit the access for it?
-					</a></dt><dt>Q: <a href="#id2995582">
+					</a></dt><dt>Q: <a href="#id3031522">
 						Even running in permissive mode, I'm getting a large number of avc denied messages.
-					</a></dt><dt>Q: <a href="#id2995626">
+					</a></dt><dt>Q: <a href="#id3031566">
 						I get a specific permission denial only when SELinux is in enforcing mode, but I don't see any audit messages in /var/log/messages (or /var/log/audit/audit.log if using the audit daemon). How can I identify the cause of these silent denials?
-					</a></dt><dt>Q: <a href="#id2995734">
+					</a></dt><dt>Q: <a href="#id3031674">
 						Why do I not see the output when I run certain daemons in debug or interactive mode?
-					</a></dt><dt>Q: <a href="#id2995825">
+					</a></dt><dt>Q: <a href="#id3031765">
 						When I do an upgrade of the policy package (for example, using yum), what happens with the policy? Is it updated automatically?
-					</a></dt><dt>Q: <a href="#id2995914">
+					</a></dt><dt>Q: <a href="#id3031854">
 						If the policy shipping with an application package changes in a way that requires relabeling, will RPM handle relabeling the files owned by the package?
-					</a></dt><dt>Q: <a href="#id2995992">
+					</a></dt><dt>Q: <a href="#id3031902">
 						Why do binary policies distributed with Fedora, such as /etc/selinux/&lt;policyname&gt;/policy/policy.&lt;version&gt;, and those I compile myself have different sizes and MD5 checksums?
-					</a></dt><dt>Q: <a href="#id2996054">
+					</a></dt><dt>Q: <a href="#id3031958">
 						Will new policy packages disable my system?
-					</a></dt><dt>Q: <a href="#id2996090">
+					</a></dt><dt>Q: <a href="#id3032030">
 						My console is being flooded with messages. How do I turn them off?
-					</a></dt><dt>Q: <a href="#id2996121">
+					</a></dt><dt>Q: <a href="#id3032061">
 						Can I test the default policy without installing the policy source?
-					</a></dt><dt>Q: <a href="#id2996205">
+					</a></dt><dt>Q: <a href="#id3032145">
 						Why are some of my KDE applications having trouble under SELinux?
-					</a></dt><dt>Q: <a href="#id2996277">
+					</a></dt><dt>Q: <a href="#id3032216">
 						Why does SELINUX=disabled not work for me?
 					</a></dt><dt>Q: <a href="#faq-entry-unconfined_t">
 						I have a process running as unconfined_t, and SELinux is still preventing my application from running.
-					</a></dt><dt>Q: <a href="#id3029652">
+					</a></dt><dt>Q: <a href="#id3032435">
 						What do these rpm errors mean?
-					</a></dt><dt>Q: <a href="#id3029720">
+					</a></dt><dt>Q: <a href="#id3032503">
 						I want to run a daemon on a non standard port but SELinux will not allow me. How do get this to work?
-					</a></dt><dt>Q: <a href="#id3029755">
+					</a></dt><dt>Q: <a href="#id3032538">
 						I am writing a PHP script that needs to create files and possibly execute them. SELinux policy is preventing this. What should I do?
-					</a></dt><dt>Q: <a href="#id3029810">
+					</a></dt><dt>Q: <a href="#id3032592">
 						I am setting up swapping to a file, but I am seeing AVC messages in my log files?
-					</a></dt><dt>Q: <a href="#id3029847">
+					</a></dt><dt>Q: <a href="#id3032629">
 						Please explain the relabelto/relabelfrom permissions?
-					</a></dt></dl></dd><dt>1.4.  <a href="#faq-div-deploying-selinux">Deploying SELinux</a></dt><dd><dl><dt>Q: <a href="#id3029955">
+					</a></dt></dl></dd><dt>1.4.  <a href="#faq-div-deploying-selinux">Deploying SELinux</a></dt><dd><dl><dt>Q: <a href="#id3032738">
 						What file systems can I use for SELinux?
-					</a></dt><dt>Q: <a href="#id3029988">
+					</a></dt><dt>Q: <a href="#id3032771">
 						How does SELinux impact system performance?
-					</a></dt><dt>Q: <a href="#id3030022">
+					</a></dt><dt>Q: <a href="#id3032805">
 						What types of deployments, applications, and systems should I leverage SELinux in?
-					</a></dt><dt>Q: <a href="#id3030073">
+					</a></dt><dt>Q: <a href="#id3032855">
 						How does SELinux affect third-party applications?
-					</a></dt></dl></dd></dl><div class="qandaset"><div class="toc"><dl><dt>Q: <a href="#id3022708">
+					</a></dt></dl></dd></dl><div class="qandaset"><div class="toc"><dl><dt>Q: <a href="#id2997137">
 						What is SELinux?
-					</a></dt><dt>Q: <a href="#id2952428">
+					</a></dt><dt>Q: <a href="#id3000037">
 						What is SELinux policy?
-					</a></dt><dt>Q: <a href="#id2948223">
+					</a></dt><dt>Q: <a href="#id3009439">
 						What happened to the strict policy?
-					</a></dt><dt>Q: <a href="#id2948251">
+					</a></dt><dt>Q: <a href="#id3009466">
 						What programs are protected by the SELinux policy?
 					</a></dt><dt>Q: <a href="#faq-entry-whatis-refpolicy">
 						What is the Reference Policy?
-					</a></dt><dt>Q: <a href="#id2953893">
+					</a></dt><dt>Q: <a href="#id2993140">
 						What are file contexts?
-					</a></dt><dt>Q: <a href="#id2953953">
+					</a></dt><dt>Q: <a href="#id2993201">
 						How do I view the security context of a file, user, or process?
-					</a></dt><dt>Q: <a href="#id3078024">
+					</a></dt><dt>Q: <a href="#id3067314">
 						What is the difference between a domain and a type?
 					</a></dt><dt>Q: <a href="#faq-entry-whatare-policy-modules">
 						What are policy modules?
 					</a></dt><dt>Q: <a href="#faq-entry-whatis-managed-policy">
 						What is managed policy?
-					</a></dt></dl></div><div class="qandadiv"><div class="qandaentry"><div class="question" id="id3022708"><label>Q:</label><div class="data"><div class="para">
+					</a></dt></dl></div><div class="qandadiv"><div class="qandaentry"><div class="question" id="id2997137"><label>Q:</label><div class="data"><div class="para">
 						What is SELinux?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						SELinux (<em class="firstterm">Security-Enhanced Linux</em>) in Fedora is an implementation of <em class="firstterm">mandatory access control</em> in the Linux kernel using the <em class="firstterm">Linux Security Modules</em> (<abbr class="abbrev">LSM</abbr>) framework. Standard Linux security is a <em class="firstterm">discretionary access control</em> model.
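Review bot: The new entry "Why doesn't SELinux give me the full path in an error message?" and the reworded /home entry both receive generated anchors (#id3030886, #id3031106) that will change again on the next rebuild, exactly as every other #idNNNNNNN anchor in this hunk just did; give them explicit ids in the DocBook source, as faq-entry-local.te, faq-entry-public_html and faq-entry-unconfined_t already have, so external links and bookmarks survive regeneration. The reworded question "I installed on a system with a pre-existing /home partition" dropped its object and reads better as "I installed Fedora on a system with a pre-existing /home partition". The unchanged context "am I still be able to read /home" should read "am I still able to read /home".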
@@ -193,17 +195,17 @@
 						MAC under SELinux allows you to provide granular permissions for all <em class="firstterm">subjects</em> (users, programs, processes) and <em class="firstterm">objects</em> (files, devices). In practice, think of subjects as processes, and objects as the target of a process operation. You can safely grant a process only the permissions it needs to perform its function, and no more.
 					</div><div class="para">
 						The SELinux implementation uses <em class="firstterm">role-based access control</em> (<abbr class="abbrev">RBAC</abbr>), which provides abstracted user-level control based on roles, and <em class="firstterm"><span class="trademark">Type Enforcement</span>®</em> (<abbr class="abbrev">TE</abbr>). TE uses a table, or <em class="firstterm">matrix</em> to handle access controls, enforcing policy rules based on the types of processes and objects. Process types are called <em class="firstterm">domains</em>, and a cross-reference on the matrix of the process's domain and the object's type defines their interaction. This system provides extremely granular control for actors in a Linux system.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2952428"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3000037"><label>Q:</label><div class="data"><div class="para">
 						What is SELinux policy?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						The SELinux policy describes the access permissions for all subjects and objects, that is, the entire system of users, programs, and processes and the files and devices they act upon. Fedora policy is delivered in a package, with an associated source package. Current shipping policy packages are:
 					</div><div class="variablelist"><dl><dt><span class="term"><code class="filename">selinux-policy-<em class="replaceable"><code>&lt;version&gt;</code></em>.noarch.rpm</code></span></dt><dd><div class="para">
 									This package is common to all types of policy and contains config files/man pages. This includes the interface files for the development environment. This replaces the -sources package from the past. This package contains the interface files used in Reference Policy along with a Makefile and a small tool called <code class="command">sepolgen</code> used to generate a policy template file. The interface files reside in <code class="filename">/usr/share/selinux/devel/include</code> directory. If you want to see all of the policy files used to build the Reference Policy you need to install the src.rpm.
-								</div></dd></dl></div></div></div></div><div class="qandaentry"><div class="question" id="id2948223"><label>Q:</label><div class="data"><div class="para">
+								</div></dd></dl></div></div></div></div><div class="qandaentry"><div class="question" id="id3009439"><label>Q:</label><div class="data"><div class="para">
 						What happened to the strict policy?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Strict policy since Red Hat Enterprise Linux 5 and Fedora Core 5 has been the equivalent of targeted policy with the unconfined domains removed. This means all users had to have a type defined for them like staff_t or user_t. Also, all processes started by init would need to have policy written for them. As of Fedora Core 9, the strict policy was removed and merged into targeted policy.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2948251"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3009466"><label>Q:</label><div class="data"><div class="para">
 						What programs are protected by the SELinux policy?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						The number of programs that have SELinux policy defined for them is constantly changing and evolving. Different versions of policy have more or less executables covered. By convention all confined executables have a label type that ends with exec_t. The SELinux tools package (setools) includes the seinfo application which allows you to examine the installed policy. 
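Review bot: Only generated question ids change in this hunk. The unchanged context "As of Fedora Core 9, the strict policy was removed" names a release that never carried that name; the "Core" suffix was dropped with Fedora 7, so this should read "As of Fedora 9".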
@@ -217,13 +219,13 @@
 						The <em class="firstterm">Reference Policy</em> is a new project maintained by Tresys Technology (<a href="http://www.tresys.com/">http://www.tresys.com/</a>) designed to rewrite the entire SELinux policy in a way that is easier to use and understand. To do this, it uses the concepts of modularity, abstraction, and well-defined interfaces. Refer to <a href="http://oss.tresys.com/">http://oss.tresys.com/</a> for more information on the Reference Policy.
 					</div><div class="para">
 						Note that Reference Policy is not a new type of policy. Rather, it is a new base that policies can be built from.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2953893"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id2993140"><label>Q:</label><div class="data"><div class="para">
 						What are file contexts?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						<em class="firstterm">File contexts</em> are used by the <code class="command">setfiles</code> command to generate persistent labels which describe the security context for a file or directory.
 					</div><div class="para">
 						Fedora ships with the <code class="command">fixfiles</code> script, which supports three options: <code class="option">check</code>, <code class="option">restore</code>, and <code class="option">relabel</code>. This script allows users to relabel the file system without having the <code class="filename">selinux-policy-targeted-sources</code> package installed. The command line usage is more friendly than the standard <code class="command">setfiles</code> command.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2953953"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id2993201"><label>Q:</label><div class="data"><div class="para">
 						How do I view the security context of a file, user, or process?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						The new option <code class="option">-Z</code> is the short method for displaying the context of a subject or object:
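Review bot: Only generated ids change here, but the unchanged context still says fixfiles lets users relabel "without having the selinux-policy-targeted-sources package installed", while the selinux-policy entry earlier in this file states that the -sources package has been replaced; reword this sentence so the two answers agree.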
@@ -231,7 +233,7 @@
 <code class="command">ls -alZ <em class="replaceable"><code>file.foo</code></em> </code>
 <code class="computeroutput">id -Z</code>
 <code class="computeroutput">ps -eZ</code>
-</pre></div></div></div><div class="qandaentry"><div class="question" id="id3078024"><label>Q:</label><div class="data"><div class="para">
+</pre></div></div></div><div class="qandaentry"><div class="question" id="id3067314"><label>Q:</label><div class="data"><div class="para">
 						What is the difference between a <em class="firstterm">domain</em> and a <em class="firstterm">type</em>?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						There is no difference between a domain and a type, although domain is sometimes used to refer to the type of a process. The use of domain in this way stems from Domain and Type Enforcement (DTE) models, where domains and types are separate.
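Review bot: In the &lt;pre&gt; block, "id -Z" and "ps -eZ" are marked &lt;code class="computeroutput"&gt; while "ls -alZ file.foo" is &lt;code class="command"&gt;; all three are commands the reader types, so mark them consistently with class="command" and reserve computeroutput for what the program prints back. The question id change itself is generator noise.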
@@ -253,45 +255,45 @@
 						A library, <code class="filename">libsemanage</code>, exists to provide userspace tools an interface to making policy management easier. All policy management should use this library to access the policy store. The policy store holds all the policy information, and is found at <code class="filename">/etc/selinux/<em class="replaceable"><code>policyname</code></em>/modules/</code>.
 					</div><div class="para">
 						You should never have to edit the store directly. Instead, you should use tools that link against libsemanage. One example tool is <code class="command">semanage</code>, which is a command line tool for managing much of the policy such as SELinux user mappings, SELinux port mappings, and file contexts entries. Other examples of tools that use libsemanage include <code class="command">semodule</code> which uses it to manage the SELinux policy modules installed to the policy store and <code class="command">setsebool</code> which uses it manage SELinux policy booleans. Additionally, graphical tools are currently being developed to utilize the functionality provided by libsemanage.
-					</div></div></div></div></div><div class="qandadiv"><h4 class="title" id="id3016692">1.2. Controlling SELinux</h4></div><div class="toc"><dl><dt>Q: <a href="#id3016698">
+					</div></div></div></div></div><div class="qandadiv"><h4 class="title" id="id3041991">1.2. Controlling SELinux</h4></div><div class="toc"><dl><dt>Q: <a href="#id3041997">
 						How do I install/not install SELinux?
-					</a></dt><dt>Q: <a href="#id3016724">
+					</a></dt><dt>Q: <a href="#id3042024">
 						As an administrator, what do I need to do to configure SELinux for my system?
 					</a></dt><dt>Q: <a href="#qa-using-s-c-securitylevel">
 						How do I enable/disable SELinux protection on specific daemons under the targeted policy?
 					</a></dt><dt>Q: <a href="#faq-entry-local.te">
 						In the past I have written local.te file in policy sources for my own local customization to policy, how do I do this now?
-					</a></dt><dt>Q: <a href="#id3017163">
+					</a></dt><dt>Q: <a href="#id3042460">
 						I have some avc denials that I would like to allow, how do I do this?
-					</a></dt><dt>Q: <a href="#id2993909">
+					</a></dt><dt>Q: <a href="#id3029665">
 						How can I help write policy?
-					</a></dt><dt>Q: <a href="#id2994188">
+					</a></dt><dt>Q: <a href="#id3029908">
 						How do I switch the policy I am currently using?
-					</a></dt><dt>Q: <a href="#id2994374">
+					</a></dt><dt>Q: <a href="#id3030095">
 						How can I back up files from an SELinux file system?
 					</a></dt><dt>Q: <a href="#faq-entry-public_html">
 						How do I make a user public_html directory work under SELinux?
-					</a></dt><dt>Q: <a href="#id2994596">
+					</a></dt><dt>Q: <a href="#id3030317">
 						How do I turn SELinux off at boot?
-					</a></dt><dt>Q: <a href="#id2994660">
+					</a></dt><dt>Q: <a href="#id3030380">
 						How do I turn enforcing on/off at boot?
-					</a></dt><dt>Q: <a href="#id2994760">
+					</a></dt><dt>Q: <a href="#id3030481">
 						How do I temporarily turn off enforcing mode without having to reboot?
-					</a></dt><dt>Q: <a href="#id2994793">
+					</a></dt><dt>Q: <a href="#id3030514">
 						How do I turn system call auditing on/off at boot?
-					</a></dt><dt>Q: <a href="#id2994839">
+					</a></dt><dt>Q: <a href="#id3030560">
 						How do I temporarily turn off system-call auditing without having to reboot?
-					</a></dt><dt>Q: <a href="#id2994866">
+					</a></dt><dt>Q: <a href="#id3030586">
 						How do I get status info about my SELinux installation?
-					</a></dt><dt>Q: <a href="#id2994896">
+					</a></dt><dt>Q: <a href="#id3030616">
 						How do I write policy to allow a domain to use pam_unix.so?
-					</a></dt><dt>Q: <a href="#id2994979">
+					</a></dt><dt>Q: <a href="#id3030700">
 						I created a new Policy Package, where do I put it to make sure that it gets loaded into the kernel?
-					</a></dt></dl></div><div class="qandadiv"><div class="qandaentry"><div class="question" id="id3016698"><label>Q:</label><div class="data"><div class="para">
+					</a></dt></dl></div><div class="qandadiv"><div class="qandaentry"><div class="question" id="id3041997"><label>Q:</label><div class="data"><div class="para">
 						How do I install/not install SELinux?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						The installer follows the choice you make in the <span class="guilabel"><strong>Firewall Configuration</strong></span> screen. The default running policy is the targeted policy, and it is on by default.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id3016724"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3042024"><label>Q:</label><div class="data"><div class="para">
 						As an administrator, what do I need to do to configure SELinux for my system?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						The answer might be nothing! There are many Fedora users that don't even realize that they are using SELinux. SELinux provides protection for their systems with an out-of-the-box configuration. That said, there are a couple of things an administrator might want to do to configure their system. These include:
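Review bot: Only generated ids change in this hunk; the unchanged context "setsebool which uses it manage SELinux policy booleans" is missing "to" and should read "uses it to manage".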
@@ -360,7 +362,7 @@
 <code class="computeroutput"># semodule -i local.pp</code>
 </pre></li></ol></div><div class="note"><h2>Module are uniquely identified by name</h2><div class="para">
 							This means that if you later insert another <code class="filename">local.pp</code>, it will replace the one you just loaded. So, you should keep this <code class="filename">local.te</code> around, and just add to it if you need to make later policy customizations. If you lose it, but want to keep your previous policy around, just call the new local policy module something else (say local2.te).
-						</div></div></div></div></div><div class="qandaentry"><div class="question" id="id3017163"><label>Q:</label><div class="data"><div class="para">
+						</div></div></div></div></div><div class="qandaentry"><div class="question" id="id3042460"><label>Q:</label><div class="data"><div class="para">
 						I have some avc denials that I would like to allow, how do I do this?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						If you have specific AVC messages you can use <code class="command">audit2allow</code> to generate a Type Enforcement file that is ready to load as a policy module.
@@ -395,7 +397,7 @@
 							In order to load this newly created policy package into the kernel, you are required to execute <code class="command">semodule -i local.pp</code>
 						</div><div class="para">
 							Note that if you later install another module called local, it will replace this module. If you want to keep these rules around, then you either need to append future customizations to this local.te, or give future customizations a different name.
-						</div></div></div></div></div><div class="qandaentry"><div class="question" id="id2993909"><label>Q:</label><div class="data"><div class="para">
+						</div></div></div></div></div><div class="qandaentry"><div class="question" id="id3029665"><label>Q:</label><div class="data"><div class="para">
 						How can I help write policy?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Your help is definitely appreciated.
@@ -408,30 +410,50 @@
 							</div></li></ul></div><div class="para">
 						Also, since the Fedora policy is based on the <a class="xref" href="#faq-entry-whatis-refpolicy" title="Q:">Reference Policy</a>, you should look at the documentation on its project page. Another excellent source of information is the example policy files in <code class="filename">/usr/share/selinux/devel</code>.
 					</div><div class="para">
-						If you want to create a new policy domain, you can look at the interface files in the <code class="filename">/usr/share/selinux/devel</code> sub-directories. There is also a tool there to help you get started. The following procedure is an example:
-					</div><div class="procedure"><ol class="1"><li class="step" title="Step 1"><div class="para">
-								Use the <code class="command">sepolgen</code> command to generate your own <code class="filename">te</code>, <code class="filename">fc</code> and <code class="filename">if</code> files. The <code class="command">sepolgen</code> command takes two parameters: the name of the policy module and the full path to the executable. The following command gives a usage example:
-							</div><pre class="screen">
-<code class="command">sepolgen <em class="replaceable"><code>mydaemon /usr/sbin/mydaemon</code></em></code>
+						If you want to create a new policy domain, you can look at the interface files in the <code class="filename">/usr/share/selinux/devel</code> sub-directories.
+					</div><div class="para">
+						<code class="computeroutput">Making things easier with sepolgen</code>
+					</div><div class="para">
+						The tool <code class="command">sepolgen</code> is an easy way to create SELinux policy. The following procedure is an example on how to use <code class="command">sepolgen</code> to create the required policy for a daemon called <code class="systemitem">mydaemon</code>:
+					</div><pre class="screen">
+<code class="command">sepolgen <em class="replaceable"><code>/usr/sbin/mydaemon</code></em></code>
 </pre><div class="para">
-								It will prompt you for a few common domain characteristics, and will create three files: <code class="filename">mydaemon.te</code>, <code class="filename">mydaemon.fc</code> and <code class="filename">mydaemon.if</code>.
+						<code class="computeroutput">sepolgen</code> then performs the following:
+					</div><div class="procedure"><ol class="1"><li class="step" title="Step 1"><div class="para">
+								Scans for appropriate templates in paths like /var/lib, /var/run, /etc/init.d/rc.d/mydaemon:
+							</div><div class="para">
+								
+<pre class="screen">
+<code class="command">rpm -qlf /usr/sbin/mydaemon</code>
+</pre>
 							</div></li><li class="step" title="Step 2"><div class="para">
-								After you generate the policy files, use the supplied Makefile, <code class="filename">/usr/share/selinux/devel/Makefile</code>, to build a policy package (<code class="filename">mydaemon.pp</code>):
-							</div><pre class="screen">
-<code class="command">make -f /usr/share/selinux/devel/Makefile</code>
-</pre></li><li class="step" title="Step 3"><div class="para">
-								Now you can load the policy module, using <code class="command">semodule</code>, and relabel the executable using <code class="command">restorecon</code>:
-							</div><pre class="screen">
-<code class="command">semodule -i <em class="replaceable"><code>mydaemon.pp</code></em></code>
-<code class="command">restorecon -v <em class="replaceable"><code>/usr/sbin/mydaemon</code></em></code>
-</pre></li><li class="step" title="Step 4"><div class="para">
-								Since you have very limited policy for your executable, SELinux will prevent it from doing much. Turn on permissive mode and then use the init script to start your daemon:
+								Scans for syslog, setuid, setgid, etc. and adds the appropriate access:
 							</div><pre class="screen">
-<code class="command">setenforce 0</code>
-<code class="command">service <em class="replaceable"><code>mydaemon</code></em> restart</code>
+<code class="command">nm -D /usr/sbin/mydaemon</code>
 </pre></li></ol></div><div class="para">
-						Now you can collect avc messages. You can use <code class="command">audit2allow</code> to translate the avc messages to allow rules and begin updating your <code class="filename">mydaemon.te</code> file. You should search for interface macros in the <code class="filename">/usr/share/selinux/devel/include</code> directory and use these instead of using the allow rules directly, whenever possible. <code class="command">audit2allow -R</code> will attempt to find interfaces that match the allow rule. If you want more examples of policy, you could always install the selinux-policy src rpm, which contains all of the policy te files for the reference policy.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2994188"><label>Q:</label><div class="data"><div class="para">
+						Four files are then generated: 
+<pre class="screen">
+<code class="computeroutput">mydaemon.te</code> - Contains all types and allow rules discovered for this daemon.
+<code class="computeroutput">mydaemon.if</code> - Contains interfaces to be used with the types generated for this daemon.
+<code class="computeroutput">mydaemon.fc</code> - Contains file context mapping between types and paths on disk.
+<code class="computeroutput">mydaemon.sh</code> - Is a helper shell script used to compile/install policy and label the paths correctly.
+</pre>
+					</div><div class="para">
+						The policy writer then only needs to execute <code class="computeroutput">mydaemon.sh</code> and the policy will be compiled and installed - the daemon will then be ready to start testing.
+					</div><div class="para">
+						The following procedure may help you to understand the testing process:
+					</div><pre class="screen">
+begin:
+        service mydaemon start
+        run tests against mydaemon
+        check for AVC messages
+        if None
+            Break;
+        audit2allow -R &gt;&gt; mydaemon.te
+        Verify the policy is good or fix it.
+        ./mydaemon.sh
+        goto begin
+</pre></div></div></div><div class="qandaentry"><div class="question" id="id3029908"><label>Q:</label><div class="data"><div class="para">
 						How do I switch the policy I am currently using?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="caution"><h2>Use caution when switching policy</h2><div class="para">
 						Other than trying out a new policy on a test machine for research purposes, you should seriously consider your situation before switching to a different policy on a production system. The act of switching is straightforward. This method is fairly safe, but you should try it first on a test system.
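Review bot: the testing loop at the end of this hunk runs `audit2allow -R &gt;&gt; mydaemon.te` with no input source, so as written audit2allow would sit waiting on stdin; the step should say where the AVC records come from, for example `ausearch -m avc -c mydaemon | audit2allow -R &gt;&gt; mydaemon.te`, or `audit2allow -a -R` to read the audit log directly. Two things the replaced text covered are now gone: the explanation that `-R` asks audit2allow to substitute reference-policy interface calls for raw allow rules (the reason to use it at all), and the old Step 4 advice to switch to permissive mode before starting the daemon, which is what lets one test run log every denial instead of failing at the first one; both belong in the new procedure. In Step 1, "Scans for appropriate templates" does not match the command shown: `rpm -qlf /usr/sbin/mydaemon` lists the files of the package that owns the executable, so say that the file list is used to find the daemon's paths under /var/lib, /var/run and its init script, and `/etc/init.d/rc.d/mydaemon` looks like a transposition of `/etc/rc.d/init.d/mydaemon`. Markup nits: Step 1 wraps its `<pre>` in an otherwise empty `<div class="para">` while Step 2 does not; `Making things easier with sepolgen` is a heading and the `sepolgen` in "sepolgen then performs the following:" is a command name, yet both are tagged `computeroutput` (the rest of the page uses `<code class="command">` for commands); and `mydaemon.sh - Is a helper shell script` should read "is a helper shell script" to match the other three entries.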
@@ -459,7 +481,7 @@
 								With the new system running in <code class="computeroutput">permissive</code> mode, check <code class="filename">/var/log/messages</code> for <code class="computeroutput">avc: denied</code> messages. These may indicate a problem that needs to be solved for the system to run without trouble under the new policy.
 							</div></li><li class="step" title="Step 5"><div class="para">
 								When you are satisfied that the system runs stable under the new policy, enable enforcing by changing <code class="computeroutput">SELINUX=enforcing</code>. You can either reboot or run <code class="command">setenforce 1</code> to turn enforcing on in real time.
-							</div></li></ol></div></div></div></div><div class="qandaentry"><div class="question" id="id2994374"><label>Q:</label><div class="data"><div class="para">
+							</div></li></ol></div></div></div></div><div class="qandaentry"><div class="question" id="id3030095"><label>Q:</label><div class="data"><div class="para">
 						How can I back up files from an SELinux file system?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						You can now use the <code class="command">tar</code> command as normal, you no longer need to use <code class="command">star</code>.
@@ -488,7 +510,7 @@
 								You may notice at a later date that the user field, set here to <code class="computeroutput">user_u</code>, is changed to <code class="computeroutput">system_u</code>. This does not affect how the targeted policy works. The field that matters is the type field.
 							</div></li><li class="step" title="Step 3"><div class="para">
 								Your static webpages should now be served correctly. If you continue to have errors, ensure that the Boolean which enables user home directories is enabled. You can set it using <code class="command">system-config-selinux</code>. Select the <span class="guilabel"><strong>SELinux</strong></span> tab, and then select the <span class="guilabel"><strong>Modify SELinux Policy</strong></span> area. Select <code class="computeroutput">Allow HTTPD to read home directories</code>. The changes take effect immediately.
-							</div></li></ol></div></div></div></div><div class="qandaentry"><div class="question" id="id2994596"><label>Q:</label><div class="data"><div class="para">
+							</div></li></ol></div></div></div></div><div class="qandaentry"><div class="question" id="id3030317"><label>Q:</label><div class="data"><div class="para">
 						How do I turn SELinux off at boot?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Set <code class="computeroutput">SELINUX=disabled</code> in <code class="filename">/etc/selinux/config</code>.
@@ -496,7 +518,7 @@
 						Alternatively, you can add <code class="option">selinux=0</code> to your kernel boot parameters. However, this option is not recommended.
 					</div><div class="caution"><h2>Be careful when disabling SELinux</h2><div class="para">
 						If you boot with <code class="option">selinux=0</code>, any files you create while SELinux is disabled do not have SELinux context information. The file system is marked for relabeling at the next boot. If an unforeseen problem prevents you from rebooting normally, you may need to boot in single-user mode for recovery. Add the option <code class="option">emergency</code> to your kernel boot parameters.
-					</div></div></div></div></div><div class="qandaentry"><div class="question" id="id2994660"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div></div><div class="qandaentry"><div class="question" id="id3030380"><label>Q:</label><div class="data"><div class="para">
 						How do I turn enforcing on/off at boot?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						You can specify the SELinux mode using the configuration file <code class="filename">/etc/sysconfig/selinux</code>.
@@ -517,25 +539,25 @@
 						However, setting the value to <code class="computeroutput">disabled</code> is not the same as the <code class="option">selinux=0</code> kernel boot parameter. Rather than fully disabling SELinux in the kernel, the <code class="computeroutput">disabled</code> setting instead turns enforcing off and skips loading a policy.
 					</div><div class="important"><h2>SELinux Configuration Precedence</h2><div class="para">
 							The command line kernel parameter overrides the configuration file.
-						</div></div></div></div></div><div class="qandaentry"><div class="question" id="id2994760"><label>Q:</label><div class="data"><div class="para">
+						</div></div></div></div></div><div class="qandaentry"><div class="question" id="id3030481"><label>Q:</label><div class="data"><div class="para">
 						How do I temporarily turn off enforcing mode without having to reboot?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Occasionally you may need to perform an action that is normally prevented by policy. Run the command <code class="command">setenforce 0</code> to turn off enforcing mode in real time. When you are finished, run <code class="command">setenforce 1</code> to turn enforcing back on.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2994793"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3030514"><label>Q:</label><div class="data"><div class="para">
 						How do I turn system call auditing on/off at boot?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Add <code class="option">audit=1</code> to your kernel command line to turn system call auditing on. Add <code class="option">audit=0</code> to your kernel command line to turn system call auditing off.
 					</div><div class="para">
 						System-call auditing is <span class="emphasis"><em>on</em></span> by default. When on, it provides information about the system call that was executing when SELinux generated a <code class="computeroutput">denied</code> message. The error message is helpful when debugging policy.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2994839"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3030560"><label>Q:</label><div class="data"><div class="para">
 						How do I temporarily turn off system-call auditing without having to reboot?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Run <code class="command">auditctl -e 0</code>. Note that this command does not affect auditing of SELinux AVC denials.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2994866"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3030586"><label>Q:</label><div class="data"><div class="para">
 						How do I get status info about my SELinux installation?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						As root, execute the command <code class="command">/usr/sbin/sestatus -v</code>. For more information, refer to the <code class="filename">sestatus(8)</code> manual page.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2994896"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3030616"><label>Q:</label><div class="data"><div class="para">
 						How do I write policy to allow a domain to use pam_unix.so?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Very few domains in the SELinux world are allowed to read the <code class="filename">/etc/shadow</code> file. There are constraint rules that prevent policy writers from writing code like
@@ -551,7 +573,7 @@
 						In Fedora and Red Hat Enterprise Linux 5 and above, add the rule
 					</div><pre class="screen">
 <code class="command">auth_domtrans_chk_passwd(vsftpd_t)</code>
-</pre></div></div></div><div class="qandaentry"><div class="question" id="id2994979"><label>Q:</label><div class="data"><div class="para">
+</pre></div></div></div><div class="qandaentry"><div class="question" id="id3030700"><label>Q:</label><div class="data"><div class="para">
 						I created a new Policy Package, where do I put it to make sure that it gets loaded into the kernel?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						You need to execute the command <code class="command">semodule -i myapp.pp</code>. This modifies the policy that is stored on the machine. Your policy module now is loaded with the rest of the policy. You can even remove the pp file from the system.
@@ -561,61 +583,63 @@
 <code class="computeroutput">#semodule -i myapp 1.2.1</code>
 </pre><div class="para">
 						If you later would like to remove the policy package, you can execute <code class="command">semodule -r myapp</code>.
-					</div></div></div></div></div><div class="qandadiv"><h4 class="title" id="faq-div-resolving-problems">1.3. Resolving Problems</h4></div><div class="toc"><dl><dt>Q: <a href="#id2995041">
+					</div></div></div></div></div><div class="qandadiv"><h4 class="title" id="faq-div-resolving-problems">1.3. Resolving Problems</h4></div><div class="toc"><dl><dt>Q: <a href="#id3030762">
 						Where are SELinux AVC messages (denial logs, etc.) stored?
-					</a></dt><dt>Q: <a href="#id2995078">
+					</a></dt><dt>Q: <a href="#id3030799">
 						My application isn't working as expected and I am seeing avc: denied messages. How do I fix this?
-					</a></dt><dt>Q: <a href="#id2995166">
-						I installed Fedora on a system with an existing /home partition, and now I can't log in.
-					</a></dt><dt>Q: <a href="#id2995253">
+					</a></dt><dt>Q: <a href="#id3030886">
+						Why doesn't SELinux give me the full path in an error message?
+					</a></dt><dt>Q: <a href="#id3031106">
+						I installed on a system with a pre-existing /home partition, and now I can't log in. What do I do?
+					</a></dt><dt>Q: <a href="#id3031193">
 						After relabeling my /home using setfiles or fixfiles, am I still be able to read /home with a non-SELinux-enabled system?
-					</a></dt><dt>Q: <a href="#id2995304">
+					</a></dt><dt>Q: <a href="#id3031243">
 						How do I share directories using NFS between Fedora and non-SELinux systems?
-					</a></dt><dt>Q: <a href="#id2995365">
+					</a></dt><dt>Q: <a href="#id3031304">
 						How can I create a new Linux user account with the user's home?
-					</a></dt><dt>Q: <a href="#id2995455">
+					</a></dt><dt>Q: <a href="#id3031395">
 						Does the su command change my SELinux identity and role?
-					</a></dt><dt>Q: <a href="#id2995522">
+					</a></dt><dt>Q: <a href="#id3031462">
 						I'm having troubles with avc errors filling my logs for a particular program. How do I choose not to audit the access for it?
-					</a></dt><dt>Q: <a href="#id2995582">
+					</a></dt><dt>Q: <a href="#id3031522">
 						Even running in permissive mode, I'm getting a large number of avc denied messages.
-					</a></dt><dt>Q: <a href="#id2995626">
+					</a></dt><dt>Q: <a href="#id3031566">
 						I get a specific permission denial only when SELinux is in enforcing mode, but I don't see any audit messages in /var/log/messages (or /var/log/audit/audit.log if using the audit daemon). How can I identify the cause of these silent denials?
-					</a></dt><dt>Q: <a href="#id2995734">
+					</a></dt><dt>Q: <a href="#id3031674">
 						Why do I not see the output when I run certain daemons in debug or interactive mode?
-					</a></dt><dt>Q: <a href="#id2995825">
+					</a></dt><dt>Q: <a href="#id3031765">
 						When I do an upgrade of the policy package (for example, using yum), what happens with the policy? Is it updated automatically?
-					</a></dt><dt>Q: <a href="#id2995914">
+					</a></dt><dt>Q: <a href="#id3031854">
 						If the policy shipping with an application package changes in a way that requires relabeling, will RPM handle relabeling the files owned by the package?
-					</a></dt><dt>Q: <a href="#id2995992">
+					</a></dt><dt>Q: <a href="#id3031902">
 						Why do binary policies distributed with Fedora, such as /etc/selinux/&lt;policyname&gt;/policy/policy.&lt;version&gt;, and those I compile myself have different sizes and MD5 checksums?
-					</a></dt><dt>Q: <a href="#id2996054">
+					</a></dt><dt>Q: <a href="#id3031958">
 						Will new policy packages disable my system?
-					</a></dt><dt>Q: <a href="#id2996090">
+					</a></dt><dt>Q: <a href="#id3032030">
 						My console is being flooded with messages. How do I turn them off?
-					</a></dt><dt>Q: <a href="#id2996121">
+					</a></dt><dt>Q: <a href="#id3032061">
 						Can I test the default policy without installing the policy source?
-					</a></dt><dt>Q: <a href="#id2996205">
+					</a></dt><dt>Q: <a href="#id3032145">
 						Why are some of my KDE applications having trouble under SELinux?
-					</a></dt><dt>Q: <a href="#id2996277">
+					</a></dt><dt>Q: <a href="#id3032216">
 						Why does SELINUX=disabled not work for me?
 					</a></dt><dt>Q: <a href="#faq-entry-unconfined_t">
 						I have a process running as unconfined_t, and SELinux is still preventing my application from running.
-					</a></dt><dt>Q: <a href="#id3029652">
+					</a></dt><dt>Q: <a href="#id3032435">
 						What do these rpm errors mean?
-					</a></dt><dt>Q: <a href="#id3029720">
+					</a></dt><dt>Q: <a href="#id3032503">
 						I want to run a daemon on a non standard port but SELinux will not allow me. How do get this to work?
-					</a></dt><dt>Q: <a href="#id3029755">
+					</a></dt><dt>Q: <a href="#id3032538">
 						I am writing a PHP script that needs to create files and possibly execute them. SELinux policy is preventing this. What should I do?
-					</a></dt><dt>Q: <a href="#id3029810">
+					</a></dt><dt>Q: <a href="#id3032592">
 						I am setting up swapping to a file, but I am seeing AVC messages in my log files?
-					</a></dt><dt>Q: <a href="#id3029847">
+					</a></dt><dt>Q: <a href="#id3032629">
 						Please explain the relabelto/relabelfrom permissions?
-					</a></dt></dl></div><div class="qandadiv"><div class="qandaentry"><div class="question" id="id2995041"><label>Q:</label><div class="data"><div class="para">
+					</a></dt></dl></div><div class="qandadiv"><div class="qandaentry"><div class="question" id="id3030762"><label>Q:</label><div class="data"><div class="para">
 						Where are SELinux AVC messages (denial logs, etc.) stored?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Messages can be found in <code class="filename">/var/log/messages</code> unless you choose to install and enable the <code class="systemitem">audit</code> daemon, in which case AVC messages will be in <code class="filename">/var/log/audit/audit.log</code>.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995078"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3030799"><label>Q:</label><div class="data"><div class="para">
 						My application isn't working as expected and I am seeing <code class="computeroutput">avc: denied</code> messages. How do I fix this?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						This message means that the current SELinux policy is not allowing the application to do something. There are a number of reasons this could happen.
@@ -625,8 +649,41 @@
 						Denials are sometimes due to a configuration change in the program that triggered the denial message. For example, if you change Apache to also listen on port 8800, you must also change the security policy, <code class="filename">apache.te</code>.
 					</div><div class="para">
 						If you are having trouble getting a specific application like Apache to work, refer to <a class="xref" href="#qa-using-s-c-securitylevel" title="Q:">How to use system-config-selinux</a> for information on disabling enforcement just for that application.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995166"><label>Q:</label><div class="data"><div class="para">
-						I installed Fedora on a system with an existing <code class="filename">/home</code> partition, and now I can't log in.
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3030886"><label>Q:</label><div class="data"><div class="para">
+						Why doesn't SELinux give me the full path in an error message?
+					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
+						To answer this, let's first examine the structure of a typical SELinux AVC error message. Items of note in this example are in <code class="computeroutput">bold</code>:
+					</div><pre class="screen">
+node=host.example.com type=<code class="computeroutput">AVC</code> msg=audit(12/13/2006 11:28:14.395:952) : avc: denied { <code class="computeroutput">getattr</code> } for pid=7236 comm=<code class="computeroutput">vsftpd</code> name=public_html dev=<code class="computeroutput">dm-0</code> ino=<code class="computeroutput">9601649</code> scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=<code class="computeroutput">dir</code>
+
+node=host.example.com type=<code class="computeroutput">SYSCALL</code> msg=audit(12/13/2006 11:28:14.395:952) : arch=i386 syscall=<code class="computeroutput">lstat64</code> success=no exit=0 
+a0=8495230 a1=849c830 a2=874ff4 a3=328d28 items=0 ppid=7234 pid=7236 auid=dwalsh uid=dwalsh gid=dwalsh euid=dwalsh suid=dwalsh fsuid=dwalsh egid=dwalsh sgid=dwalsh fsgid=dwalsh tty=(none) comm=vsftpd exe=<code class="computeroutput">/usr/sbin/vsftpd</code> subj=system_u:system_r:ftpd_t:s0 key=(null)
+</pre><div class="para">
+						This AVC message consists of two records, the actual <code class="computeroutput">AVC</code> record and the <code class="computeroutput">SYSCALL</code> record. The kernel generates both of these records when the SELinux system denies access. This AVC message indicates that SELinux prevented <code class="computeroutput">/usr/sbin/vsftpd</code> from performing the <code class="computeroutput">getattr</code> access on a <code class="computeroutput">dir</code> named <code class="computeroutput">public_html</code>.
+					</div><div class="para">
+						<code class="computeroutput">But which particular public_html directory has the problem?</code>
+					</div><div class="para">
+						The AVC records themselves do not show the full path to the problematic public_html directory in question. This is done because of performance reasons. Since AVC messages should occur infrequently, having the kernel report the full path is not considered to be worth the overhead. The AVC records do however include the device (<code class="computeroutput">dm-0</code>), and the inode in question (<code class="computeroutput">9601649</code>). You can use this device and inode information to find the correct path if the file and/or directory still exists.
+					</div><div class="para">
+						<code class="computeroutput">The slow way:</code>
+					</div><pre class="screen">
+# find / -inum <code class="computeroutput">9601649</code>
+</pre><div class="para">
+						<code class="computeroutput">A better way:</code>
+					</div><div class="para">
+						The <span class="package">setroubleshoot</span> tools can use the <code class="command">locate</code> command to attempt to re-assemble the path in question:
+					</div><pre class="screen">
+# locate -r /public_html$
+
+/home/dwalsh/public_html
+/home/obama/public_html
+...(continues)
+</pre><div class="para">
+						<span class="package">setroubleshoot</span> then uses <code class="command">stat</code> to get the inode of of each file returned and compares it to the values in the AVC message; if they match, it analyzes the full path. Of course, you need to have the <span class="package">mlocate</span> package installed and running via <code class="systemitem">cron</code> to gather these paths.
+					</div><div class="para">
+						Refer to <a href="http://danwalsh.livejournal.com/34903.html">http://danwalsh.livejournal.com/34903.html</a> for further details on this topic.
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031106"><label>Q:</label><div class="data"><div class="para">
+						I installed on a system with a pre-existing <code class="filename">/home</code> partition, and now I can't log in. What do I do?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Your <code class="filename">/home</code> partition is not labeled correctly. You can easily fix this two different ways.
 					</div><div class="para">
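Review bot: `find / -inum 9601649` in "The slow way" can return the wrong file, because inode numbers are only unique within one file system; the record already names the device (`dev=dm-0`), so the search should start at that device's mount point and stay on it, e.g. `find &lt;mount-point-of-dm-0&gt; -xdev -inum 9601649`, otherwise an unrelated file with the same inode number on another mount shows up as a match. The lead-in says "Items of note in this example are in bold", but the items are wrapped in `<code class="computeroutput">` inside a `<pre class="screen">` that is already monospace, so nothing renders bold; use `<strong>` or drop the sentence. Smaller items: "the inode of of each file" has a doubled word; "it analyzes the full path" would be clearer as "it reports the full path"; and `But which particular public_html directory has the problem?`, `The slow way:` and `A better way:` are headings tagged `computeroutput`, the same misuse as in the sepolgen section.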
@@ -639,11 +696,11 @@
 <code class="command">/sbin/fixfiles relabel</code>
 </pre><div class="para">
 						You must have the <code class="filename">policycoreutils</code> package installed to use <code class="command">fixfiles</code>.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995253"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031193"><label>Q:</label><div class="data"><div class="para">
 						After relabeling my <code class="filename">/home</code> using <code class="command">setfiles</code> or <code class="command">fixfiles</code>, am I still be able to read <code class="filename">/home</code> with a non-SELinux-enabled system?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						You can read the files from a non-SELinux distribution, or one with SELinux disabled. However, files created by a system not using SELinux systems do not have a security context, nor do any files you remove and recreate. This could be a challenge with files such as <code class="filename">~/.bashrc</code>. You may have to relabel <code class="filename">/home</code> when you reboot the SELinux enabled Fedora system.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995304"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031243"><label>Q:</label><div class="data"><div class="para">
 						How do I share directories using NFS between Fedora and non-SELinux systems?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Just as NFS transparently supports many file system types, it can be used to share directories between SELinux and non-SELinux systems.
@@ -653,7 +710,7 @@
 <code class="command">mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo</code>
 </pre><div class="para">
 						When SELinux exports a file system via NFS, newly created files have the context of the directory they were created in. In other words, the presence of SELinux on the remote mounting system has no effect on the local security contexts.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995365"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031304"><label>Q:</label><div class="data"><div class="para">
 						How can I create a new Linux user account with the user's home?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						You can create your new user with the standard <code class="command">useradd</code> command. First you must become <code class="systemitem">root</code>.
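Review bot: the mount example on the context line `mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo` fails on Fedora 12's MCS-enabled targeted policy, because the kernel rejects a context string that has no MLS/MCS level; it needs `context=system_u:object_r:tmp_t:s0`. Since this hunk only changes the id it is a good moment to fix that, and to mention that without a context= option NFS mounts are labelled nfs_t by default, which is usually a more useful label for shared data than tmp_t.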
@@ -668,13 +725,13 @@
 <code class="computeroutput">drwx------ auser auser root:object_r:user_home_dir_t /home/auser</code>
 </pre><div class="para">
 						The initial context for a new user directory has an identity of <code class="computeroutput">root</code>. Subsequent relabeling of the file system changes the identity to <code class="computeroutput">system_u</code>. These are functionally the same since the role and type are identical (<code class="computeroutput">object_r:user_home_dir_t</code>.)
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995455"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031395"><label>Q:</label><div class="data"><div class="para">
 						Does the <code class="command">su</code> command change my SELinux identity and role?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						In older versions of Fedora, security context transitions were integrated into the <code class="command">su</code> via <code class="computeroutput">pam_selinux</code>. This turned out to be more trouble than it was worth, and is quite unnecessary on a system running targeted policy. So, this is no longer the case. Now, <code class="command">su</code>/<code class="command">sudo</code> only change the Linux identity. You will need to use <code class="command">newrole</code> to change the SELinux identity, role, or level.
 					</div><div class="para">
 						Other forms of Linux/<span class="trademark">UNIX</span>® identity change, for example <code class="command">setuid(2)</code>, also do not cause an SELinux identity change.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995522"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031462"><label>Q:</label><div class="data"><div class="para">
 						I'm having troubles with <code class="command">avc</code> errors filling my logs for a particular program. How do I choose not to audit the access for it?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						If you wanted to not audit <code class="command">dmesg</code>, for example, you would put this in your <code class="filename">dmesg.te</code> file:
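Review bot: the sample output `root:object_r:user_home_dir_t /home/auser` in this hunk's context lacks the `:s0` level that `ls -Z` prints on Fedora 12, and the identity shown should be re-checked against a fresh `useradd` run before the sentence about the identity being root is kept. In the su/sudo answer, "su/sudo only change the Linux identity" is right for su, but Fedora's sudo is built with SELinux support and can switch role and type with `sudo -r ROLE -t TYPE` (or ROLE= and TYPE= in sudoers), so a short qualification would keep the answer accurate.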
@@ -682,13 +739,13 @@
 <strong class="userinput"><code>dontaudit dmesg_t userdomain:fd { use };</code></strong>
 </pre><div class="para">
 						This eliminates the error output to the terminal for all user domains, including <code class="varname">user</code>, <code class="varname">staff</code> and <code class="varname">sysadm</code>.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995582"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031522"><label>Q:</label><div class="data"><div class="para">
 						Even running in permissive mode, I'm getting a large number of <code class="computeroutput">avc denied</code> messages.
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						In a non-enforcing mode, you should actually receive <span class="emphasis"><em>more</em></span> messages than in enforcing mode. The kernel logs each access denial as if you were in an enforcing mode. Since you are not restricted by policy enforcement, you can perform more actions, which results in more denials being logged.
 					</div><div class="para">
 						If an application running under an enforcing mode is denied access to read a number of files in a directory, it is stopped once at the beginning of the action. In a non-enforcing mode, the application is not stopped from traversing the directory tree, and generates a denial message for each file read in the directory.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995626"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031566"><label>Q:</label><div class="data"><div class="para">
 						I get a specific permission denial only when SELinux is in enforcing mode, but I don't see any audit messages in <code class="filename">/var/log/messages</code> (or <code class="filename">/var/log/audit/audit.log</code> if using the audit daemon). How can I identify the cause of these silent denials?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						The most common reason for a silent denial is when the policy contains an explicit <code class="computeroutput">dontaudit</code> rule to suppress audit messages. The <code class="computeroutput">dontaudit</code> rule is often used this way when a benign denial is filling the audit logs.
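Review bot: the sentence "This eliminates the error output to the terminal for all user domains" after the dontaudit rule is misleading: a dontaudit rule only suppresses the AVC audit record, it does not grant the access, so dmesg still cannot use the inherited terminal fd; "suppresses the AVC denial messages" is the accurate wording, and getting it right matters because the next answers about silent denials rely on the reader knowing what dontaudit does. The rule as shown also will not build on its own: a local dmesg.te needs a `policy_module(mydmesg, 1.0)` header and a `require { type dmesg_t; attribute userdomain; class fd use; }` block before `make -f /usr/share/selinux/devel/Makefile` and `semodule -i` will accept it.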
@@ -704,7 +761,7 @@
 						Once you have found your problem you can reset to the default mode by executing
 					</div><pre class="screen">
 <code class="command">semodule -b /usr/share/selinux/targeted/base.pp</code>
-</pre></div></div></div><div class="qandaentry"><div class="question" id="id2995734"><label>Q:</label><div class="data"><div class="para">
+</pre></div></div></div><div class="qandaentry"><div class="question" id="id3031674"><label>Q:</label><div class="data"><div class="para">
 						Why do I not see the output when I run certain daemons in debug or interactive mode?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						SELinux intentionally disables access to the tty devices to stop daemons from communicating back with the controlling terminal. This communication is a potential security hole because such daemons could insert commands into the controlling terminal. A broken or compromised program could use this hole to cause serious problems.
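Review bot: the reset command `semodule -b /usr/share/selinux/targeted/base.pp` re-installs the base module from the package, but on the policycoreutils shipped with Fedora 12 the intended pair is `semodule -DB`, which rebuilds the policy with every dontaudit rule stripped so the hidden denials appear in audit.log, and `semodule -B`, which rebuilds with them restored. The answer should also warn that `-DB` makes the audit log far noisier, so it is something to turn on for the duration of the investigation and then revert.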
@@ -716,7 +773,7 @@
 						When debugging a daemon, you may want to turn off the transition of the daemon to its specific domain. You can do this using <code class="command">system-config-selinux</code> or <code class="command">setsebool</code> on the command line.
 					</div><div class="para">
 						A final option is to turn off enforcing mode while debugging. Issue the command <code class="command">setenforce 0</code> to turn off enforcing mode, and use the command <code class="command">setenforce 1</code> to re-enable SELinux when you are finished debugging.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995825"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031765"><label>Q:</label><div class="data"><div class="para">
 						When I do an upgrade of the policy package (for example, using <code class="command">yum</code>), what happens with the policy? Is it updated automatically?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Policy reloads itself when the package is updated. This behavior replaces the manual <code class="command">make load</code>.
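Review bot: the advice in the first context line to "turn off the transition of the daemon to its specific domain" with setsebool is stale and contradicts a later hunk of this same patch, where the rpm-error answer explains that `boolean hidd_disable_trans no longer in policy` means the *_disable_trans booleans have been removed. The current replacement is a permissive domain: `semanage permissive -a httpd_t` (for example) leaves only that domain unenforced with denials still logged, and `semanage permissive -d httpd_t` reverts it. That is also the safer suggestion than the global `setenforce 0` in the last paragraph, which should at least be flagged as disabling enforcement for the whole system.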
@@ -732,25 +789,25 @@
 						Alternately, use the <code class="filename">/.autorelabel</code> mechanism:
 					</div><pre class="screen">
 <code class="command">touch /.autorelabel reboot</code>
-</pre></div></div></div><div class="qandaentry"><div class="question" id="id2995914"><label>Q:</label><div class="data"><div class="para">
+</pre></div></div></div><div class="qandaentry"><div class="question" id="id3031854"><label>Q:</label><div class="data"><div class="para">
 						If the policy shipping with an application package changes in a way that requires relabeling, will RPM handle relabeling the files owned by the package?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Yes. The security contexts for the files owned by the package are stored in the header data for the package. The file contexts are set directly after the <code class="command">cpio</code> copy, as the package files are being put on the disk.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2995992"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031902"><label>Q:</label><div class="data"><div class="para">
 						Why do binary policies distributed with Fedora, such as <code class="filename">/etc/selinux/<em class="replaceable"><code>&lt;policyname&gt;</code></em>/policy/policy.<em class="replaceable"><code>&lt;version&gt;</code></em></code>, and those I compile myself have different sizes and MD5 checksums?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						When you install a policy package, pre-compiled binary policy files are put directly into <code class="filename">/etc/selinux</code>. The different build environments will make target files that have different sizes and MD5 checksums.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2996054"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3031958"><label>Q:</label><div class="data"><div class="para">
 						Will new policy packages disable my system?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						There is a possibility that changes in the policy package or in the policy shipping with an application package can cause errors, more denials, or other unknown behaviors. You can discover which package caused the breakage by reverting policy and application packages one at a time. If you don't want to return to the previous package, the older version of the configuration files will be saved with the extension <code class="filename">.rpmsave</code>. Use the mailing lists, bugzilla, and IRC to help you work through your problem. If you are able, write or fix policy to resolve your problem.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2996090"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3032030"><label>Q:</label><div class="data"><div class="para">
 						My console is being flooded with messages. How do I turn them off?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						To regain useful control, turn off kernel messages to the console with this command:
 					</div><pre class="screen">
 <code class="command">dmesg -n 1</code>
-</pre></div></div></div><div class="qandaentry"><div class="question" id="id2996121"><label>Q:</label><div class="data"><div class="para">
+</pre></div></div></div><div class="qandaentry"><div class="question" id="id3032061"><label>Q:</label><div class="data"><div class="para">
 						Can I test the default policy without installing the policy source?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						You can test SELinux default policy by installing just the <code class="filename">selinux-policy-<em class="replaceable"><code>policyname</code></em></code> and <code class="filename">policycoreutils</code> packages. Without the policy source installed, the <code class="command">fixfiles</code> command automates the file system relabeling.
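Review bot: the screen line `touch /.autorelabel reboot` fuses two commands into one: as written it creates an extra file named `reboot` in the current directory and never reboots. It should be two lines, or `touch /.autorelabel && reboot`, and the answer could add that the relabel runs during the next boot over every labelled file system and takes a while. Lower in the hunk, "the older version of the configuration files will be saved with the extension .rpmsave" only holds for files the package marks as %config; policy modules themselves are replaced outright, so reverting really means reinstalling the previous package version, as the preceding sentence already says.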
@@ -758,7 +815,7 @@
 						The command <code class="command">fixfiles relabel</code> is the equivalent of <code class="command">make relabel</code>. During the relabeling, it will delete all of the files in <code class="filename">/tmp</code>, cleaning up files which may have old file context labels.
 					</div><div class="para">
 						Other commands are <code class="command">fixfiles check</code>, which checks for mislabeled files, and <code class="command">fixfiles restore</code>, which fixes the mislabeled files but does not delete the files in <code class="filename">/tmp</code>. The <code class="command">fixfiles</code> command does not take a list of directories as an argument, because it relabels the entire file system. If you need to relabel a specific directory path, use <code class="command">restorecon</code>.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2996205"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3032145"><label>Q:</label><div class="data"><div class="para">
 						Why are some of my KDE applications having trouble under SELinux?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						KDE executables always appear as <code class="command">kdeinit</code>, which limits what can be done with SELinux policy. This is because every KDE application runs in the domain for <code class="command">kdeinit</code>.
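Review bot: the sentence "The fixfiles command does not take a list of directories as an argument, because it relabels the entire file system" should be checked against the fixfiles(8) shipped with Fedora 12: `fixfiles check|restore|verify` accept `dir/file` arguments and `fixfiles -R package` limits the pass to one package's files, so the recommendation to use restorecon for a single path is fine but the reason given is not. It is also worth stating that `fixfiles relabel` prompts before it deletes /tmp (the `-f` flag skips the prompt), so the cleanup warning does not surprise someone scripting it.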
@@ -770,7 +827,7 @@
 <code class="command">rm -rf /var/tmp/kdecache-<em class="replaceable"><code>&lt;username&gt;</code></em> rm -rf /var/tmp/<em class="replaceable"><code>&lt;other_kde_files&gt;</code></em></code>
 </pre><div class="para">
 						At your next login, your problem should be fixed.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id2996277"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3032216"><label>Q:</label><div class="data"><div class="para">
 						Why does <code class="option">SELINUX=disabled</code> not work for me?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Be careful of white space in the file <code class="filename">/etc/sysconfig/selinux</code>. The code is very sensitive to white space, even trailing space.
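Review bot: the screen line `rm -rf /var/tmp/kdecache-<username> rm -rf /var/tmp/<other_kde_files>` runs two commands as a single `rm` invocation, which only works because GNU rm ignores the missing operand `rm` under `-f` and accepts the repeated `-rf`; split it into two lines. If the underlying problem is a stale label on the cache, `restorecon -R -v /var/tmp/kdecache-<username>` fixes it without throwing the cache away and is the less destructive first step to suggest.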
@@ -798,7 +855,7 @@
 									A boolean for each one of these memory check errors have been provided. So if you need to run an application requiring either of these permissions, you can set the boolean allow_exec* to fix the problem. For instance if you try to run an application and you get an AVC message containing an <code class="computeroutput">execstack</code> failure. You can set the Boolean with:
 								</div><pre class="screen">
 <code class="command">setsebool -P allow_execstack=1</code>
-</pre></dd></dl></div></div></div></div><div class="qandaentry"><div class="question" id="id3029652"><label>Q:</label><div class="data"><div class="para">
+</pre></dd></dl></div></div></div></div><div class="qandaentry"><div class="question" id="id3032435"><label>Q:</label><div class="data"><div class="para">
 						What do these rpm errors mean?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><pre class="screen">
 restorecon reset /etc/modprobe.conf context system_u:object_r:etc_runtime_t-&gt;system_u:object_r:modules_conf_t
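Review bot: the allow_execstack paragraph needs a caveat before the `setsebool -P allow_execstack=1` line: the boolean is system-wide and weakens the executable-stack protection for every process it governs, not just the one application that produced the AVC. The usual first step is to check whether the binary or one of its libraries merely carries a stale executable-stack flag (`execstack -q` to query, `execstack -c` to clear it, both from the prelink package) or to rebuild it, and to reach for the boolean only when the program genuinely needs an executable stack.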
@@ -809,25 +866,25 @@
 <code class="computeroutput">libsepol.sepol_genbools_array: boolean hidd_disable_trans no longer in policy</code>
 </pre><div class="para">
 						This indicates that the updated policy has removed the boolean from policy.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id3029720"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3032503"><label>Q:</label><div class="data"><div class="para">
 						I want to run a daemon on a non standard port but SELinux will not allow me. How do get this to work?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						You can use the <code class="command">semanage</code> command to define additional ports. So say you want httpd to be able to listen on port 8082. You could enter the command.
 					</div><pre class="screen">
 <code class="command">semanage port -a -p tcp -t http_port_t 8082</code>
-</pre></div></div></div><div class="qandaentry"><div class="question" id="id3029755"><label>Q:</label><div class="data"><div class="para">
+</pre></div></div></div><div class="qandaentry"><div class="question" id="id3032538"><label>Q:</label><div class="data"><div class="para">
 						I am writing a PHP script that needs to create files and possibly execute them. SELinux policy is preventing this. What should I do?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						First, you should never allow a system service to execute anything it can write. This gives an attacker the ability to upload malicious code to the server and then execute it, which is something we want to prevent.
 					</div><div class="para">
 						If you merely need to allow your script to create (non-executable) files, this is possible. That said, you should avoid having system applications writing to the <code class="filename">/tmp</code> directory, since users tend to use the <code class="filename">/tmp</code> directory also. It would be better to create a directory elsewhere which could be owned by the apache process and allow your script to write to it. You should label the directory <code class="computeroutput">httpd_sys_script_rw_t</code>, which will allow apache to read and write files to that directory. This directory could be located anywhere that apache can get to (even <code class="filename">$HOME/public_html/</code>).
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id3029810"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3032592"><label>Q:</label><div class="data"><div class="para">
 						I am setting up swapping to a file, but I am seeing AVC messages in my log files?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						You need to identify the swapfile to SELinux by setting its file context to <code class="computeroutput">swapfile_t</code>.
 					</div><pre class="screen">
 <code class="command">chcon -t swapfile_t <em class="replaceable"><code>SWAPFILE</code></em></code>
-</pre></div></div></div><div class="qandaentry"><div class="question" id="id3029847"><label>Q:</label><div class="data"><div class="para">
+</pre></div></div></div><div class="qandaentry"><div class="question" id="id3032629"><label>Q:</label><div class="data"><div class="para">
 						Please explain the <code class="computeroutput">relabelto</code>/<code class="computeroutput">relabelfrom</code> permissions?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						For files, <code class="computeroutput">relabelfrom</code> means "Can domain D relabel a file from (i.e. currently in) type T1?" and <code class="computeroutput">relabelto</code> means "Can domain D relabel a file to type T2?", so both checks are applied upon a file relabeling, where T1 is the original type of the type and T2 is the new type specified by the program.
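Review bot: `chcon -t swapfile_t SWAPFILE` in the swap answer, and the "label the directory httpd_sys_script_rw_t" advice above it, set labels that the next `fixfiles relabel` or /.autorelabel pass documented earlier in this patch silently reverts; each should be paired with a persistent rule such as `semanage fcontext -a -t swapfile_t /path/to/swapfile` followed by `restorecon -v /path/to/swapfile`. Three smaller points in the same hunk: `semanage port -a` fails with "already defined" when 8082 is already assigned to another type, in which case `-m` is needed (`semanage port -l | grep http_port_t` shows the current set); newer Fedora apache policy names the read-write type httpd_sys_rw_content_t and keeps httpd_sys_script_rw_t only as an alias, so httpd_selinux(8) should be checked for the name to print; and "where T1 is the original type of the type" in the relabelfrom paragraph should read "the original type of the file".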
@@ -839,25 +896,25 @@
 								Implementing SELinux as an LSM technical report (describes permission checks on a per-hook basis) <a href="http://www.nsa.gov/selinux/papers/module-abs.cfm">http://www.nsa.gov/selinux/papers/module-abs.cfm</a>. This is also available in the selinux-doc package (and more up-to-date there).
 							</div></li><li class="listitem"><div class="para">
 								Integrating Flexible Support for Security Policies into the Linux Operating System - technical report (describes original design and implementation, including summary tables of classes, permissions, and what permission checks are applied to what system calls. It is not entirely up-to-date with current implementation, but a good resource nonetheless). <a href="http://www.nsa.gov/selinux/papers/slinux-abs.cfm">http://www.nsa.gov/selinux/papers/slinux-abs.cfm</a>
-							</div></li></ul></div></div></div></div></div><div class="qandadiv"><h4 class="title" id="faq-div-deploying-selinux">1.4. Deploying SELinux</h4></div><div class="toc"><dl><dt>Q: <a href="#id3029955">
+							</div></li></ul></div></div></div></div></div><div class="qandadiv"><h4 class="title" id="faq-div-deploying-selinux">1.4. Deploying SELinux</h4></div><div class="toc"><dl><dt>Q: <a href="#id3032738">
 						What file systems can I use for SELinux?
-					</a></dt><dt>Q: <a href="#id3029988">
+					</a></dt><dt>Q: <a href="#id3032771">
 						How does SELinux impact system performance?
-					</a></dt><dt>Q: <a href="#id3030022">
+					</a></dt><dt>Q: <a href="#id3032805">
 						What types of deployments, applications, and systems should I leverage SELinux in?
-					</a></dt><dt>Q: <a href="#id3030073">
+					</a></dt><dt>Q: <a href="#id3032855">
 						How does SELinux affect third-party applications?
-					</a></dt></dl></div><div class="qandadiv"><div class="qandaentry"><div class="question" id="id3029955"><label>Q:</label><div class="data"><div class="para">
+					</a></dt></dl></div><div class="qandadiv"><div class="qandaentry"><div class="question" id="id3032738"><label>Q:</label><div class="data"><div class="para">
 						What file systems can I use for SELinux?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						The file system must support <code class="computeroutput">xattr</code> labels in the right <em class="parameter"><code>security.*</code></em> namespace. In addition to ext2/ext3/ext4, XFS has recently added support for the necessary labels.
 					</div><div class="para">
 						Note that XFS SELinux support was broken in the upstream Linux kernel versions 2.6.14 and 2.6.15, but fixed (worked around) in version 2.6.16. Your kernel must be of this version or later if you choose to use XFS with SELinux.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id3029988"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3032771"><label>Q:</label><div class="data"><div class="para">
 						How does SELinux impact system performance?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						This is a metric that is hard to measure, and is heavily dependent on the tuning and usage of the system running SELinux. When performance was last measured, the impact was around 7% for completely untuned code. Subsequent changes in system components such as networking are likely to have made that worse in some cases. SELinux performance tuning continues to be a priority of the development team.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id3030022"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3032805"><label>Q:</label><div class="data"><div class="para">
 						What types of deployments, applications, and systems should I leverage SELinux in?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						Initially, SELinux has been used on Internet facing servers that are performing a few specialized functions, where it is critical to keep extremely tight security. Administrators typically strip such a box of all extra software and services, and run a very small, focused set of services. A Web server or mail server is a good example.
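Review bot: the XFS caveat in the file-systems answer ("broken in 2.6.14 and 2.6.15, fixed in 2.6.16") is stale for a Fedora 12 document, whose kernel is 2.6.31, and "XFS has recently added support" dates the text further; state that ext2/ext3/ext4 and XFS all support security.* xattrs and drop the old kernel-version warning. The 7% performance figure likewise needs a "measured at the time" qualifier or a date, since the answer itself admits the measurement is old.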
@@ -865,7 +922,7 @@
 						In these edge servers, you can lock down the policy very tightly. The smaller number of interactions with other components makes such a lock down easier. A dedicated system running a specialized third-party application would also be a good candidate.
 					</div><div class="para">
 						In the future, SELinux will be targeted at all environments. In order to achieve this goal, the community and <em class="firstterm">independent software vendors</em> (<abbr class="abbrev">ISV</abbr>s) must work with the SELinux developers to produce the necessary policy.
-					</div></div></div></div><div class="qandaentry"><div class="question" id="id3030073"><label>Q:</label><div class="data"><div class="para">
+					</div></div></div></div><div class="qandaentry"><div class="question" id="id3032855"><label>Q:</label><div class="data"><div class="para">
 						How does SELinux affect third-party applications?
 					</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
 						One goal of implementing a targeted SELinux policy in Fedora is to allow third-party applications to work without modification. The targeted policy is transparent to those unaddressed applications, and it falls back on standard Linux DAC security. These applications, however, will not be running in an extra-secure manner. You or another provider must write policy to protect these applications with MAC security.
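Review bot: "it falls back on standard Linux DAC security" and "transparent to those unaddressed applications" overstate the case for Fedora 12's targeted policy: unconfined processes are still subject to a few SELinux checks, notably the execmem/execstack/execmod memory checks that the allow_exec* booleans earlier in this patch exist to relax, so an unconfined third-party application can still be denied. "Runs unconfined, under DAC plus a small set of memory-protection checks" would be the accurate phrasing.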


