SELinux FAQ
Karsten 'quaid' Wade
kwade at redhat.com
Tue Nov 15 01:50:19 UTC 2011
I don't disagree with Steve, but I don't have any cycles to work on
the problem. Perhaps someone from Docs wants to reach out to Steve to
see how to collaborate and make things better.
- Karsten
On 11/09/2011 05:09 PM, Steve Kelem wrote:
> If that stuff on the Fedora 13 site is no longer valid, it would
> be useful to all of us who search the web for useful info to be
> directed to the place with the latest information. Is there any
> chance that whoever maintains the page that I found be told where
> the latest stuff is and then add a pointer to the latest stuff?
>
> When I upgraded to Fedora 15, a bunch of stuff stopped working. I
> only stumbled across a bunch of SELinux errors in a tool that
> suggests how to fix the problem but relies on the user being
> intimate with SELinux. I couldn't find any explanation or even a
> definition of what these 20 or so "labels" are, so I don't know
> what I'm going to break if I guess at what labels to use! I'm not
> a novice. I worked with Unix (yeah, the original Unix) in the
> 1980's. I have a Ph.D. in Computer Science and my former wife
> worked in formal security and was always talking about MAC and DAC
> access. So I at least know what the terminology is and why it's a
> good thing. This SELinux stuff looks like a good thing, but I've
> found very little info on how to use it, how to understand it, or
> how to fix the problems as my system seems to be upgraded
> automatically to use it. I'm hoping I can encourage people to put
> out some good documentation so that it will catch on and be used.
>
> Sincerely, Steve Kelem
>
> Karsten 'quaid' Wade said the following on 11/08/2011 11:10 AM:
>> Hi Steve:
>>
>> Looks like a lot of good points below. I'm not aware of the
>> status of the SELinux FAQ; I did think most of that info was
>> moved into release-specific documentation. (I haven't been a
>> maintainer of that FAQ in a long time.)
>>
>> I'm Cc:ing this to the Fedora Docs team, who manage the depth and
>> breadth of Fedora technical content - definitely the folks to
>> ask.
>>
>> http://lists.fedoraproject.org/mailman/listinfo/docs
>>
>> - Karsten
>>
>> On 11/08/2011 07:29 AM, Steve Kelem wrote:
>>> Hi. I've been reading the Fedora 13 SELinux FAQ.
>>
>>> 1. I found the SELinux FAQ under Fedora 13 at
>>> http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4228000.
>>> I was surprised that this document is tied to Fedora 13. With
>>> Fedora 15 about to be replaced by Fedora 16, it seems strange to
>>> tie SELinux to a specific revision of Fedora.
>>
>>> 2. Under "What are file contexts?" it says: "Fedora ships with the
>>> |fixfiles| script, which supports four options: |check|, |relabel|,
>>> |relabel| and |verify|." One of these "relabel" options should
>>> be "restore".
>>
>>> 3. Under "How do I make a user public_html directory work under
>>> SELinux?", item #2 says:
>>
>>> ls -Z -d public_html/
>>> drwxrwxr-x auser auser user_u:object_r:user_home_t public_html
>>> chcon -R -t httpd_user_content_t public_html/ ls -Z -d public_html
>>
>>> This should be:
>>> ls -Z -d public_html/
>>> drwxrwxr-x auser auser user_u:object_r:user_home_t public_html
>>> chcon -R -t httpd_user_content_t public_html/ ls -Z -d public_html/
>>
>>> Better yet, you should distinguish what's typed vs. what's
>>> returned by the system:
>>
>>> % ls -Z -d public_html/
>>> drwxrwxr-x auser auser user_u:object_r:user_home_t public_html
>>> % chcon -R -t httpd_user_content_t public_html/
>>> % ls -Z -d public_html/
>>
>>> 4. In item 3, it says that there is a "SELinux tab" in
>>> system-config-selinux. My version is (c) 2006 (in Fedora 15!)
>>> and does not have a SELinux tab. It has tabs: Status, Boolean,
>>> File Labeling, User Mapping, SELinux User, Network Port,
>>> Policy Module, and Process Domain. The command described is
>>> under the "Boolean" tab, search for "home directories", and
>>> you'll find it.
>>
>>
>>
>
--
name: Karsten 'quaid' Wade, Sr. Community Architect
team: Red Hat Community Architecture & Leadership
uri: http://communityleadershipteam.org
http://TheOpenSourceWay.org
gpg: AD0E0C41