selinux-faq selinux-faq-en.xml,1.25,1.26
Chad Sellers (csellers)
fedora-docs-commits at redhat.com
Fri Feb 3 22:41:03 UTC 2006
Author: csellers
Update of /cvs/docs/selinux-faq
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2745
Modified Files:
selinux-faq-en.xml
Log Message:
First cut at a FC5 FAQ. Still missing several necessary new items, but
old items should be consistent with FC5 now.
Index: selinux-faq-en.xml
===================================================================
RCS file: /cvs/docs/selinux-faq/selinux-faq-en.xml,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- selinux-faq-en.xml 29 Jun 2005 14:51:04 -0000 1.25
+++ selinux-faq-en.xml 3 Feb 2006 22:40:55 -0000 1.26
@@ -6,11 +6,11 @@
<!ENTITY % FEDORA-ENTITIES-EN SYSTEM "../docs-common/common/fedora-entities-en.ent">
%FEDORA-ENTITIES-EN;
-<!ENTITY BOOKID "selinux-faq-1.3-8 (2005-01-20-T16:20-0800)"> <!-- version of manual and date -->
+<!ENTITY DOCID "selinux-faq-1.5-1 (2005-12-30-T12:21-0500)"> <!-- version of manual and date -->
<!-- ************** local entities *********** -->
<!ENTITY APACHE "Apache HTTP">
-<!ENTITY LOCALVER "3"> <!-- Set value to your choice, when guide version is out -->
+<!ENTITY LOCALVER "5"> <!-- Set value to your choice, when guide version is out -->
<!-- of sync with FC release, use instead of FEDVER or FEDTESTVER -->
<!ENTITY BUG-URL
"https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora%20Core&op_sys=Linux&version=fc3&component=fedora-docs&component_text=&rep_platform=All&priority=normal&bug_severity=normal&bug_status=NEW&assigned_to=kwade%40redhat.com&cc=&estimated_time=0.0&bug_file_loc=http%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq-fc3%2F&short_desc=SELinux%20FAQ%20-%20%5Bsummarize%20FAQ%20change%20or%20addition%5D&comment=Description%20of%20change%2FFAQ%20addition.%20%20If%20a%20change%2C%20include%20the%20original%0D%0Atext%20first%2C%20then%20the%20changed%20text%3A%0D%0A%0D%0A%0D%0A%0D%0AVersion-Release&percn!
t;20of%20FAQ%20%28found%20on%0D%0Ahttp%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq-fc3%2Fln-legalnotice.html%29%2C%0D%0Afor%20example%3A%0D%0A%0D%0A%20%20selinux-faq-1.3-8%20%282005-01-20-T16%3A20-0800%29%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A&keywords=&dependson=&blocked=118757%20%20&maketemplate=Remember%20values%20as%20bookmarkable%20template&form_name=enter_bug">
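Review bot: renaming the BOOKID entity to DOCID will break the build if anything still references &BOOKID; (check the rest of this file and what &LEGALNOTICE; pulls in) before committing. In the same hunk the unchanged BUG-URL entity still says version=fc3, points bug_file_loc at selinux-faq-fc3, and quotes selinux-faq-1.3-8 as the sample Version-Release, while LOCALVER is bumped to 5; update those to fc5 and the new DOCID value so reports are filed against the right release.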
@@ -28,6 +28,10 @@
<surname>Wade</surname>
<firstname>Karsten</firstname>
</author>
+ <author>
+ <surname>Sellers</surname>
+ <firstname>Chad</firstname>
+ </author>
</authorgroup>
&LEGALNOTICE;
</articleinfo>
@@ -43,8 +47,9 @@
<note>
<title>This FAQ is specific to &FC; &LOCALVER;</title>
<para>
- If you are looking for the FAQ for &FC; 2, refer to <ulink
- url="http://fedora.redhat.com/docs/selinux-faq-fc2/" />.
+ If you are looking for the FAQ for &FC; 2 or &FC; 3, refer to <ulink
+ url="http://fedora.redhat.com/docs/selinux-faq-fc2/" /> or <ulink
+ url="http://fedora.redhat.com/docs/selinux-faq-fc3/" />, respectively.
</para>
</note>
<para>
@@ -80,13 +85,29 @@
</listitem>
<listitem>
<para>
- Writing SE Linux policy HOWTO — <ulink
+ Writing traditional SE Linux policy HOWTO — <ulink
url="https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266"
/>
</para>
</listitem>
<listitem>
<para>
+ Reference Policy (the new policy found in &FC; 5) — <ulink
+ url="http://serefpolicy.sourceforge.net/"
+ />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ SELinux policy development training courses — <ulink
+ url="http://tresys.com/services/training.shtml"
+ /> and <ulink
+ url="https://www.redhat.com/training/security/courses/rhs429.html"
+ />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
Getting Started with SE Linux HOWTO: the new SE Linux (Debian) —
<ulink
url="https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266" />
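Review bot: the new Reference Policy list item hardcodes "&FC; 5" where this file otherwise writes &FC; &LOCALVER; (see the note title in the hunk above); use the entity so the item stays correct when LOCALVER is bumped again.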
@@ -94,6 +115,13 @@
</listitem>
<listitem>
<para>
+ List of SELinux object classes and permissions —
+ <ulink
+ url="http://tresys.com/selinux/obj_perms_help.shtml" />
+ </para>
+ </listitem>
+ <listitem>
+ <para>
On IRC — irc.freenode.net, #fedora-selinux
</para>
</listitem>
@@ -110,7 +138,7 @@
<title>Making changes/additions to the &FED; &SEL; FAQ</title>
<para>
This FAQ is available at <ulink
- url="http://fedora.redhat.com/docs/selinux-faq-fc3/">http://fedora.redhat.com/docs/selinux-faq-fc3/</ulink>.
+ url="http://fedora.redhat.com/docs/selinux-faq-fc5/">http://fedora.redhat.com/docs/selinux-faq-fc5/</ulink>.
</para>
<para>
For changes or additions to the &FED; &SEL; FAQ, use this <ulink
@@ -224,29 +252,49 @@
delivered in a package, with an associated source package. Current
shipping policy packages are:
</para>
+ <itemizedlist>
+ <listitem>
+ <para><filename>selinux-policy-<replaceable><version></replaceable>.noarch.rpm</filename>
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ This package is common to all types of policy and contains config
+ files/man pages.
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para><filename>selinux-policy-devel-<replaceable><version></replaceable>.noarch.rpm</filename>
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ This is the development environment. This replaces the -sources
+ package from the past. This package contains the interface files
+ used in reference policy along with a Makefile and a small tool
+ used to generate a policy template file. The interface files
+ reside in /usr/share/selinux/refpolicy/headers directory.
+ </para>
<itemizedlist>
<listitem>
- <para><filename>selinux-policy-strict-<replaceable><version-arch></replaceable>.rpm</filename>
- and
- <filename>selinux-policy-strict-sources-<replaceable><version-arch></replaceable>.rpm</filename>
+ <para><filename>selinux-policy-strict-<replaceable><version></replaceable>.noarch.rpm</filename>
</para>
</listitem>
<listitem>
<para>
- <filename>selinux-policy-targeted-<replaceable><version-arch></replaceable>.rpm</filename>
- and
- <filename>selinux-policy-targeted-sources-<replaceable><version-arch></replaceable>.rpm</filename>
+ <filename>selinux-policy-targeted-<replaceable><version></replaceable>.noarch.rpm</filename>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>selinux-policy-mls-<replaceable><version></replaceable>.noarch.rpm</filename>
</para>
</listitem>
</itemizedlist>
<para>
- Policy source resides in
- <filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy</filename>,
- when it is installed, and the binary policy file is in
- <filename>/etc/selinux/<replaceable>policyname</replaceable>/policy</filename>.
- Policy source is not required for ultra-minimal installations. The
- policy for the types and domains is configured separately from
- security context for the subjects and objects.
+ Binary policy files are in /etc/selinux/policyname. The policy for the
+ types and domains is configured separately from security context for the
+ subjects and objects.
</para>
</answer>
</qandaentry>
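Review bot: the rewritten closing paragraph drops the <filename>/<replaceable> markup the removed text had and changes the stated location: it now says binary policy files are in /etc/selinux/policyname, whereas the removed lines (and the binary-policy question further down in this patch, which still uses .../policy/policy.<version>) put them under /etc/selinux/<replaceable>policyname</replaceable>/policy. Keep the markup and the /policy subdirectory. The interface-file path /usr/share/selinux/refpolicy/headers should likewise be wrapped in <filename>, and it agrees with neither the "/usr/share/selinux/refpolicy directory" nor the /etc/selinux/refpolicy/include path given later in this patch; pick one. Finally, three one-item itemizedlists separated by paragraphs read oddly; a single variablelist with one varlistentry per package would carry the same content more cleanly.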
@@ -374,6 +422,47 @@
<qandaentry>
<question>
<para>
+ What is the mls policy? Who is it for?
+ </para>
+ </question>
+ <answer>
+ <para>
+ The mls policy is similar to the strict policy, but adds an additional
+ field to security contexts for separating levels. These levels can be
+ used to separate data in an environment that calls for strict
+ hierarchical separation. The most common example of this is a military
+ setting where data is classified at a certain level. This policy is
+ geared toward these sorts of users, and is probably not useful to
+ you unless you fall into this category.
+ </para>
+ </answer>
+ </qandaentry>
+ <qandaentry id="faq-entry-whatis-refpolicy" xreflabel="Reference Policy">
+ <question>
+ <para>
+ What is the Reference Policy?
+ </para>
+ </question>
+ <answer>
+ <para>
+ The Reference Policy
+ is a new project designed to rewrite the entire SELinux policy in a
+ way that is easier to use and understand. To do this, it uses
+ the concepts of modularity, abstraction, and well-defined interfaces.
+ See <ulink
+ url="http://serefpolicy.sourceforge.net/">it's project page</ulink>
+ for more information on it.
+ </para>
+ <para>
+ Fedora policies at version 1.x are based on the traditional example
+ policy. Policies version 2.x (as used in &FC; &LOCALVER;) are based
+ on the Reference Policy.
+ </para>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
What are file contexts?
</para>
</question>
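Review bot: "it's project page" should be "its project page" in the Reference Policy answer. In the mls answer, "adds an additional field to security contexts for separating levels" would be clearer with one example context showing the extra field, since readers will be comparing it against the three-field contexts they see elsewhere in this FAQ.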
@@ -423,8 +512,8 @@
<para>
There is no difference between a domain and a type, although
domain is sometimes used to refer to the type of a process. The
- use of domain in this way stems from traditional TE models, where
- domains and types are separate.
+ use of domain in this way stems from Domain and Type Enforcement (DTE)
+ models, where domains and types are separate.
</para>
</answer>
</qandaentry>
@@ -796,7 +885,7 @@
kernel command line to turn system-call auditing off.
</para>
<para>
- System-call auditing is off by default. When on, it provides
+ System-call auditing is on by default. When on, it provides
information about the system-call that was executing when SELinux
generated a <computeroutput>denied</computeroutput> message. This
may be helpful when debugging policy.
@@ -812,8 +901,8 @@
</question>
<answer>
<para>
- This is not supported at this time. In the future, a utility will
- be provided to tune auditing.
+ To do this, run <command>auditctl -e 0</command>. Note that this
+ will not affect auditing of SELinux AVC denials.
</para>
</answer>
</qandaentry>
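Review bot: the answer now gives "auditctl -e 0" but does not say which package provides auditctl or whether the setting survives a reboot; state both (and where to make the change permanent if it does not), otherwise readers will wonder why auditing is back after a restart. The sentence that AVC denials are unaffected is useful and should stay.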
@@ -1000,9 +1089,9 @@
You can create your new user with the standard
<command>useradd</command> command. First you must become root;
under the strict policy you will need to change role to
- <computeroutput>sysadm_r</computeroutput>. This context switch
- has been incorporated into the <command>su</command> command and
- occurs automatically. For the targeted policy, you will not need
+ <computeroutput>sysadm_r</computeroutput> using
+ <computeroutput>newrole -r sysadm_r</computeroutput>
+ For the targeted policy, you will not need
to switch roles, staying in
<computeroutput>unconfined_t</computeroutput>:
</para>
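Review bot: the sentence ending in "newrole -r sysadm_r" has lost its full stop, so it runs straight into "For the targeted policy". Also mark the newrole invocation with <command> rather than <computeroutput>, as this paragraph already does for useradd and su, since it is something the user types, not output.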
@@ -1024,7 +1113,7 @@
</para>
</answer>
</qandaentry>
- <qandaentry>
+<!-- <qandaentry>
<question>
<para>
All of the other &SEL; documentation states that the
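Review bot: wrapping the whole qandaentry in one <!-- ... --> only works if the entry contains no existing comments or "--" sequences, because XML does not allow nested comments; the approach taken further down in this patch (closing and reopening the comment around existing ones) is the safe one, so check this entry the same way, or remove it outright with a log note if it no longer applies to FC5.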
@@ -1052,7 +1141,7 @@
change.
</para>
</answer>
- </qandaentry>
+ </qandaentry> -->
<qandaentry>
<question>
<para>
@@ -1104,12 +1193,14 @@
</para>
</answer>
</qandaentry>
+ <!-- Need to modify this to work with new policy sources, or find
+ a better method than modifying all source
<qandaentry>
<question>
<para>
I get a specific permission denial only when &SEL; is in enforcing
mode, but I don't see any audit messages in
- <filename>/var/log/messages</filename>. How can I identify the
+ <filename>/var/log/audit/audit.log</filename>. How can I identify the
cause of these silent denials?
</para>
</question>
@@ -1155,7 +1246,7 @@
<command>cd /etc/selinux/targeted/src/policy
make clean
make load</command>
-</screen>
+</screen> -->
<!-- commented out just in case it needs to be rewritten and included:
<para>
Another reason for getting silent denials is on an
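Review bot: moving the closing "-->" onto the </screen> line, directly before the existing "<!-- commented out just in case ..." comment, correctly avoids a nested comment. The commented-out <screen> still documents "cd /etc/selinux/targeted/src/policy", "make clean" and "make load", which this same patch says no longer exist now that the -sources package is gone; when the entry is rewritten, replace that with the semodule-based flow described in the policy-writing answer.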
@@ -1180,9 +1271,9 @@
audit(1083674459.837:0): security_compute_sid: invalid context root:sysadm_r:system_chkpwd_t for scontext=root:sysadm_r:newrole_t tcontext=system_u:object_r:chkpwd_exec_t tclass=process
--->
</answer>
</qandaentry>
+-->
<qandaentry>
<question>
<para>
@@ -1246,18 +1337,7 @@
changes in the updated policy.
</para>
<para>
- If you have installed the policy source packages, e.g.
- <filename>selinux-policy-strict</filename>, you can execute these
- commands to relabel the file system.
- </para>
-<screen>
-<command>cd /etc/selinux/targeted/src/policy
-make
-make relabel
-reboot</command>
-</screen>
- <para>
- If you aren't using policy sources, another approach is to use the
+ To relabel, use the
<command>fixfiles</command> command or take advantage of the
<filename>/.autorelabel</filename> mechanism:
</para>
@@ -1288,6 +1368,8 @@
</para>
</answer>
</qandaentry>
+ <!-- Source package doesn't exist any more
+ Is there something similar now?
<qandaentry>
<question>
<para>
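Review bot: commenting the entry out in pieces around its existing comments is the right approach given the nested-comment rule, but the open question left in the source ("Is there something similar now?") should become a tracked TODO or bug so it is not lost; the commit message already says items are missing, so list this one there.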
@@ -1296,11 +1378,13 @@
</para>
</question>
<answer>
+ -->
<!--
thanks to "Gene C." <czar czarc net> for authoring the
original answer in
http://www.redhat.com/archives/fedora-test-list/2004-April/msg00755.html
-->
+ <!--
<para>
A policy package such as
<filename>selinux-policy-targeted</filename> is a requirement for
@@ -1338,6 +1422,7 @@
file as well as the <filename>file_contexts</filename> file, then
loads them as the currently effective policy.
</para>
+ -->
<!-- not sure if currently still an issue, or how to rephrase
<caution>
@@ -1351,32 +1436,28 @@
</para>
</caution>
-->
+ <!--
</answer>
</qandaentry>
+ -->
<qandaentry>
<!--
http://www.redhat.com/archives/fedora-selinux-list/2004-May/msg00061.html
-->
<question>
<para>
- Why do the files
+ Why do binary policies (e.g.
<filename>/etc/selinux/<replaceable>policyname</replaceable>/policy/policy.<<replaceable>version</replaceable>></filename>
- and
- <filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy/policy.<<replaceable>version</replaceable>></filename>
- have different (sizes, md5sums, dates)?
+ distributed with Fedora and those I compile myself have different sizes
+ and md5sums?
</para>
</question>
<answer>
<para>
When you install a policy package, pre-compiled binary policy
files are put directly into <filename>/etc/selinux</filename>.
- When a policy source package is installed or updated, binary
- policy files are built in
- <filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy</filename>,
- then moved to
- <filename>/etc/selinux/<replaceable>policyname</replaceable>/policy/</filename>.
The different build environments will make target files that have
- different sizes, md5sums, and dates.
+ different sizes, md5sums.
</para>
</answer>
</qandaentry>
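Review bot: the rewritten question opens a parenthesis at "(e.g." that is never closed; close it after the filename. In the answer, "different sizes, md5sums." should read "different sizes and md5sums.", and since the -sources package is gone, the answer should say how "those I compile myself" are built (for example via the devel Makefile and semodule_package described later in this patch) so the sentence about "different build environments" has a referent.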
@@ -1409,39 +1490,94 @@
</question>
<answer>
<para>
- Your help is definitely appreciated. You can start by joining the
- &SEL; mailing list, <ulink
- url="mailto:fedora-selinux-list at redhat.com">fedora-selinux-list at redhat.com</ulink>;
- you can subscribe and read the archives at <ulink
- url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">http://www.redhat.com/mailman/listinfo/fedora-selinux-list</ulink>.
- The UnOfficial FAQ has some generic policy writing HOWTO
- information (<ulink
- url="http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266#BSP.1">http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266#BSP.1</ulink>).
- Another new resource is the Writing SE Linux policy HOWTO (<ulink
- url="https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266">https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266</ulink>).
+ Your help is definitely appreciated.
+ <itemizedlist>
+ <listitem>
+ <para>
+ You can start by joining the
+ &FED; &SEL; mailing list, <ulink
+ url="mailto:fedora-selinux-list at redhat.com">fedora-selinux-list at redhat.com</ulink>;
+ you can subscribe and read the archives at <ulink
+ url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">http://www.redhat.com/mailman/listinfo/fedora-selinux-list</ulink>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The UnOfficial FAQ has some generic policy writing HOWTO
+ information (<ulink
+ url="http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266#BSP.1">http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266#BSP.1</ulink>).
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Another new resource is the Writing SE Linux policy HOWTO (<ulink
+ url="https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266">https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266</ulink>).
+ </para>
+ </listitem>
+ </itemizedlist>
+ Also, since the &FC; &LOCALVER; policy is based on the <xref linkend="faq-entry-whatis-refpolicy"/>,
+ you should look at the documentation on its project page.
</para>
<para>
Your best bet is to look at the policy files in
- <filename>/etc/selinux/<replaceable>policyname</replaceable>/src/policy/</filename>
- and try experiments. Watch the <computeroutput>avc
- denied</computeroutput> messages in
- <filename>/var/log/messages</filename> for clues.
- </para>
- <para>
- A useful tool for the policy writer is
- <command>/usr/bin/audit2allow</command>, which translates
- <computeroutput>avc</computeroutput> messages from
- <filename>/var/log/messages</filename> into rules that can be used
- by &SEL;. These rules will likely need to be cleaned up.
- </para>
- <para>
- The command <command>audit2allow</command> can receive input via
- three methods. Default is from standard input
- (<firstterm>STDIN</firstterm>). Using the <option>-i</option>
- option reads input from <filename>/var/log/messages</filename>,
- and the <option>-d</option> option reads input from
- <command>dmesg</command> output.
+ <filename>/usr/share/doc/selinux-policy-<replaceable>>version<</replaceable></filename>
+ which shows examples of policy.
</para>
+ <para>
+ If you want to write a new policy domain, you should install the
+ selinux-policy-devel package. This will place reference policy
+ interface files into the
+ <filename>/usr/share/selinux/refpolicy directory</filename>.
+ </para>
+ <para>
+ There is also a tool there to help you get started. You can use
+ the tool <command>policygentool</command> to generate your own
+ <filename>te</filename>, <filename>fc</filename>
+ and <filename>if</filename> file.
+ This tool takes two parameters: the Name of the policy module
+ (mydaemon) and the full path to the executable
+ (<filename>/usr/sbin/mydaemon</filename>). This will create three
+ files <filename>mydaemon.te</filename>,
+ <filename>mydaemon.fc</filename> and
+ <filename>mydaemon.if</filename>.
+ After you generate the policy files,
+ use the supplied Makefile,
+ <filename>/usr/share/selinux/refpolicy/Makefile</filename>,
+ build a policy package (<filename>mydaemon.pp</filename>). Now
+ you can load the policy
+ module, using <command>semodule</command>, and relabel the
+ executable using
+ <filename>restorecon</filename>. Since you have very limited
+ policy for your
+ executeable, SELinux will prevent it from doing much. So you need
+ to turn on permissive mode and then use the init script to start
+ your daemon. Now you can start collect avc messages. You can use
+ <command>audit2allow</command> to translate the avc messages to
+ allow rules and begin
+ updating you <filename>mydaemon.te</filename> file. You should
+ search for interface
+ macros in the <filename>/etc/selinux/refpolicy/include</filename>
+ directory and use
+ these instead of using the allow rules directly, whenever
+ possible. If you want more examples of polcy, you could always
+ install the selinux-policy src rpm, which contains all of the
+ policy te files for the reference policy.
+ </para>
+<screen>
+<command># /usr/share/selinux/refpolicy/policygentool mydaemon /usr/sbin/mydaemon
+# make -f /usr/share/selinux/refpolicy/Makefile
+m4 /usr/share/selinux/refpolicy/include/all_perms.spt /usr/share/selinux/refpolicy/include/loadable_module.spt /usr/share/selinux/refpolicy/include/misc_macros.spt
+...
+/usr/share/selinux/refpolicy/include/obj_perm_sets.spt mydaemon.fc > tmp/mydaemon.mod.fc
+Creating targeted mydaemon.pp policy package
+/usr/bin/semodule_package -o mydaemon.pp -m tmp/mydaemon.mod -f tmp/mydaemon.mod.fc
+rm tmp/mydaemon.mod.fc tmp/mydaemon.mod
+# semodule -i mydaemon.pp
+# restorecon -v /usr/sbin/mydaemon
+restorecon reset /usr/sbin/mydaemon context user_u:object_r:sbin_t->system_u:object_r:mydaemon_exec_t
+# setenforce 1
+# service mydaemon restart</command>
+</screen>
</answer>
</qandaentry>
<qandaentry>
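Review bot: the <screen> example runs "setenforce 1" before "service mydaemon restart", but the prose two paragraphs up says to turn on permissive mode and then start the daemon to collect avc messages; that step should be "setenforce 0", with "setenforce 1" only once the module is complete. Further issues in this hunk: <replaceable>>version<</replaceable> has its angle brackets reversed compared with <version> elsewhere in the patch; "/usr/share/selinux/refpolicy directory" puts the word "directory" inside <filename>; the interface directory is given as /etc/selinux/refpolicy/include in the prose while the make output shows /usr/share/selinux/refpolicy/include; and "use the supplied Makefile, ..., build a policy package" is missing "to". Typos: "executeable", "polcy", "updating you mydaemon.te", "start collect avc messages".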
@@ -1552,6 +1688,12 @@
ext2/ext3, XFS has recently added support for the necessary
labels.
</para>
+ <para>
+ Note that XFS SELinux support is broken in upstream kernel
+ 2.6.14 and 2.6.15, but fixed (worked around)
+ in 2.6.16. So, make sure your kernel includes this fix if
+ you choose to use XFS.
+ </para>
</answer>
</qandaentry>
<qandaentry>
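Review bot: the XFS note cites upstream kernel versions (broken in 2.6.14 and 2.6.15, fixed in 2.6.16), but readers of a Fedora FAQ run Fedora kernel packages; state which Fedora kernel version carries the fix, or at least tell readers to compare "uname -r" against it, so "make sure your kernel includes this fix" is actionable.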
@@ -1636,10 +1778,11 @@
url="mailto:fedora-selinux-list at redhat.com">fedora-selinux-list at redhat.com</ulink>)
for discussion.
</para>
+ <!-- Add policy modules section -->
+ <!-- Add managed policy section -->
</answer>
</qandaentry>
</qandadiv>
</qandaset>
</section>
</article>
-