SELinux FAQ

Karsten 'quaid' Wade kwade at redhat.com
Tue Nov 15 01:50:19 UTC 2011


I don't disagree with Steve, but I don't have any cycles to work on
the problem. Perhaps someone from Docs wants to reach out to Steve to
see how to collaborate and make things better.

- Karsten

On 11/09/2011 05:09 PM, Steve Kelem wrote:
> If that stuff on the Fedora 13 site is no longer valid, it would
> be useful to all of us who search the web for useful info to be 
> directed to the place with the latest information. Is there any 
> chance that whoever maintains the page that I found be told where 
> the latest stuff is and then add a pointer to the latest stuff?
> 
> When I upgraded to Fedora 15, a bunch of stuff stopped working. I
> only stumbled across a bunch of SELinux errors in a tool that
> suggests how to fix the problem but relies on the user being
> intimate with SELinux. I couldn't find any explanation or even a
> definition of what these 20 or so "labels" are, so I don't know
> what I'm going to break if I guess at what labels to use! I'm not
> a novice. I worked with Unix (yeah, the original Unix) in the
> 1980's. I have a Ph.D. in Computer Science and my former wife
> worked in formal security and was always talking about MAC and DAC
> access. So I at least know what the terminology is and why it's a
> good thing. This SELinux stuff looks like a good thing, but I've
> found very little info on how to use it, how to understand it, or
> how to fix the problems as my system seems to be upgraded
> automatically to use it. I'm hoping I can encourage people to put
> out some good documentation so that it will catch on and be used.
> 
> Sincerely, Steve Kelem
> 
> Karsten 'quaid' Wade said the following on 11/08/2011 11:10 AM:
>> Hi Steve:
>> 
>> Looks like a lot of good points below. I'm not aware of the 
>> status of the SELinux FAQ; I did think most of that info was 
>> moved in to release-specific documentation. (I haven't been a 
>> maintainer of that FAQ in a long time.)
>> 
>> I'm Cc:ing this to the Fedora Docs team, who manage the depth and
>> breadth of Fedora technical content - definitely the folks to 
>> ask.
>> 
>> http://lists.fedoraproject.org/mailman/listinfo/docs
>> 
>> - Karsten
>> 
>> On 11/08/2011 07:29 AM, Steve Kelem wrote:
>>> Hi. I've been reading the Fedora 13 SELinux FAQ.
>> 
>>> 1. I found the SELinux FAQ under Fedora 13 at
>>> http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4228000.
>>> I was surprised that this document is tied to Fedora 13. With
>>> Fedora 15 about to be replaced by Fedora 16, it seems strange to
>>> tie SELinux to a specific revision of Fedora.
>>> 2. Under "What are file contexts?" it says: "Fedora ships with
>>> the |fixfiles| script, which supports four options: |check|,
>>> |relabel|, |relabel| and |verify|." One of these "relabel"
>>> options should be "restore".
>>> 3. Under "How do I make a user public_html directory work under
>>> SELinux?", item #2 says:
>> 
>>> ls -Z -d public_html/
>>> drwxrwxr-x auser auser user_u:object_r:user_home_t public_html
>>> chcon -R -t httpd_user_content_t public_html/ ls -Z -d public_html
>> 
>>> This should be:
>>> ls -Z -d public_html/
>>> drwxrwxr-x auser auser user_u:object_r:user_home_t public_html
>>> chcon -R -t httpd_user_content_t public_html/ ls -Z -d public_html/
>> 
>>> Better yet, you should distinguish what's typed vs. what's
>>> returned by the system:
>> 
>>> % ls -Z -d public_html/
>>> drwxrwxr-x auser auser user_u:object_r:user_home_t public_html
>>> % chcon -R -t httpd_user_content_t public_html/
>>> % ls -Z -d public_html/
>> 
>>> 4. In item 3, it says that there is a "SELinux tab" in 
>>> system-config-selinux. My version is (c) 2006 (in Fedora 15!) 
>>> and does not have a SELinux tab. It has tabs: Status, Boolean, 
>>> File Labeling, User Mapping, SELinux User, Network Port,
>>> Policy Module, and Process Domain. The command described is
>>> under the "Boolean" tab, search for "home directories", and
>>> you'll find it.


-- 
name:  Karsten 'quaid' Wade, Sr. Community Architect
team:    Red Hat Community Architecture & Leadership
uri:              http://communityleadershipteam.org
                         http://TheOpenSourceWay.org
gpg:                                        AD0E0C41