selinux-faq/en_US selinux-faq.xml,1.1,1.2
Chad Sellers (csellers)
fedora-docs-commits at redhat.com
Wed Mar 22 03:05:13 UTC 2006
Author: csellers
Update of /cvs/docs/selinux-faq/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25627/en_US
Modified Files:
selinux-faq.xml
Log Message:
Numerous updates for FC5 release
Index: selinux-faq.xml
===================================================================
RCS file: /cvs/docs/selinux-faq/en_US/selinux-faq.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- selinux-faq.xml 16 Mar 2006 19:43:06 -0000 1.1
+++ selinux-faq.xml 22 Mar 2006 03:04:53 -0000 1.2
@@ -243,20 +243,16 @@
<listitem>
<para>
This package is common to all types of policy and contains
- config files/man pages.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><filename>selinux-policy-devel-<replaceable><version></replaceable>.noarch.rpm</filename></term>
- <listitem>
- <para>
- This is the development environment. This replaces the
- -sources package from the past. This package contains the
- interface files used in reference policy along with a
- Makefile and a small tool used to generate a policy template
- file. The interface files reside in
- /usr/share/selinux/refpolicy/headers directory.
+ config files/man pages. This includes the interface files
+ for the development environment. This replaces the -sources
+ package from the past. This package contains the interface
+ files used in Reference Policy along with a Makefile and a
+ small tool called <command>policygentool</command> used to
+ generate a policy template file. The interface files reside
+ in <filename>/usr/share/selinux/devel/headers</filename>
+ directory. If you want to see all of the policy files used
+ to build the Reference Policy you need to install the
+ src.rpm.
</para>
</listitem>
</varlistentry>
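Review bot: the merged description (from `This includes the interface files` through `in <filename>/usr/share/selinux/devel/headers</filename> directory`) now states twice that the package contains the interface files, and `reside in ... directory` is missing "the". Suggest collapsing to one sentence, e.g. `This package also provides the development environment that replaces the old -sources package: the Reference Policy interface files in <filename>/usr/share/selinux/devel/headers</filename>, a Makefile, and <command>policygentool</command> for generating a policy template.` Since the whole selinux-policy-devel varlistentry is deleted here while later hunks still send readers to `/usr/share/selinux/devel`, please confirm that tree now ships in the common package and say so explicitly.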
@@ -266,13 +262,20 @@
<term><filename>selinux-policy-mls-<replaceable><version></replaceable>.noarch.rpm</filename></term>
<listitem>
<para>
- Binary policy files are in /etc/selinux/policyname. The
- policy for the types and domains is configured separately
- from security context for the subjects and objects.
+ Binary policy files are in
+ <filename>/etc/selinux/<replaceable>policyname</replaceable>/</filename>.
+ The policy for the types and domains is configured
+ separately from security context for the subjects and
+ objects.
</para>
</listitem>
</varlistentry>
</variablelist>
+ <para>
+ More information on the different policies available in SELinux
+ can be found at
+ <ulink url="http://fedoraproject.org/wiki/SELinux/Policies"/>.
+ </para>
</answer>
</qandaentry>
<qandaentry id="qa-whatis-targeted-policy" xreflabel="What is the
@@ -323,11 +326,15 @@
each of the specific daemons, refer to <xref
linkend="qa-using-s-c-securitylevel"/>.
</para>
+ <para>
+ More information on the different policies available in SELinux
+ can be found at
+ <ulink url="http://fedoraproject.org/wiki/SELinux/Policies"/>.
+ </para>
</answer>
</qandaentry>
+<!-- Need to update this for FC5
<qandaentry>
-<!-- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133403 thanks to -->
-<!-- dwalsh for supplying the source FAQs -->
<question>
<para>
What daemons are protected by the targeted policy?
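Review bot: dropping the two bugzilla comment lines is required here, because XML comments cannot nest inside the new `<!-- Need to update this for FC5` block; please also check that the rest of the commented-out entry (up to the `-->` added in the next hunk) contains no other `<!--`, `-->` or literal `--` sequence, or the document will stop parsing. The comment itself would be more useful if it said what is out of date in the daemon list rather than only "Need to update".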
@@ -398,6 +405,7 @@
</para>
</answer>
</qandaentry>
+-->
<qandaentry>
<question>
<para>
@@ -417,6 +425,11 @@
For example, <command>system-config-securitylevel</command> builds
a relabel into the startup scripts.
</para>
+ <para>
+ More information on the different policies available in SELinux
+ can be found at
+ <ulink url="http://fedoraproject.org/wiki/SELinux/Policies"/>.
+ </para>
</answer>
</qandaentry>
<qandaentry>
@@ -435,6 +448,11 @@
This policy is geared toward this sort of environment, and is
probably not useful to you unless you fall into this category.
</para>
+ <para>
+ More information on the different policies available in SELinux
+ can be found at
+ <ulink url="http://fedoraproject.org/wiki/SELinux/Policies"/>.
+ </para>
</answer>
</qandaentry>
<qandaentry id="faq-entry-whatis-refpolicy" xreflabel="Reference Policy">
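Review bot: this is the fourth verbatim copy of the `More information on the different policies available in SELinux` paragraph added by this patch (the same five lines go into three earlier answers). Suggest defining it once as an entity, or keeping it in the general policy answer and pointing the other answers at it with `<xref>`, so a change to the URL does not need four edits.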
@@ -446,14 +464,24 @@
<answer>
<para>
The <firstterm>Reference Policy</firstterm>
- is a new project designed to rewrite the entire SELinux policy in a
- way that is easier to use and understand. To do this, it uses
- the concepts of modularity, abstraction, and well-defined interfaces.
+ is a new project maintained by Tresys Technology
+ (<ulink url="http://www.tresys.com/"/>) designed to rewrite
+ the entire SELinux policy in a way that is easier to use and
+ understand. To do this, it uses the concepts of modularity,
+ abstraction, and well-defined interfaces.
Refer to <ulink
url="http://serefpolicy.sourceforge.net/"/>
for more information on the Reference Policy.
</para>
<para>
+ Note that Reference Policy is not a new type of policy, like
+ targeted or strict. Rather, it is a new base that policies can be
+ built from. Targeted, strict, and mls policies can all be built
+ from Reference Policy. In fact, one of the design goals of Reference
+ Policy is to have a single unified source tree for the different
+ policy variants.
+ </para>
+ <para>
Fedora policies at version 1.x are based on the traditional example
policy. Version 2.x policies (as used in &FC; &LOCALVER;) are based
on the Reference Policy.
@@ -517,6 +545,71 @@
</para>
</answer>
</qandaentry>
+ <qandaentry id="faq-entry-whatare-policy-modules" xreflabel="Policy Modules">
+ <question>
+ <para>
+ What are policy modules?
+ </para>
+ </question>
+ <answer>
+ <para>
+ Prior to &FC; 5, SELinux policies were monolithic, meaning that
+ they were compiled into a single policy binary. To make changes
+ or additions to that policy, an administrator had to change out
+ the entire policy. With &FC; 5, the policy is now modular. This
+ means that third party developers can ship policy modules with
+ their applications, and then they can be added to the policy
+ without having to switch out the entire policy in much the
+ same way that kernel modules can add funcationality to the kernel
+ without having to reboot the entire system.
+ </para>
+ <para>
+ This actually works by separating out compile and link steps
+ in the policy build procedure. Policy modules are compiled from
+ source, and linked when installed into the module store (see
+ <xref linkend="faq-entry-whatis-managed-policy"/>). This linked
+ policy is then loaded into the kernel for enforcement.
+ </para>
+ <para>
+ The primary command for dealing with modules is
+ <command>semodule</command>, which will let you perform basic
+ functions such as installing, upgrading, or removing modules.
+ Modules are usually stored as policy package file (.pp
+ extension) in
+ <filename>/usr/share/selinux/<replaceable>policyname</replaceable>/</filename>.
+ There you should at least
+ find the base.pp, which is the base module.
+ </para>
+ </answer>
+ </qandaentry>
+ <qandaentry id="faq-entry-whatis-managed-policy" xreflabel="Managed Policy">
+ <question>
+ <para>
+ What is managed policy?
+ </para>
+ </question>
+ <answer>
+ <para>
+ Prior to &FC; 5, SELinux policies were handled as user-editable
+ config files in etc. Unfortunately, this made it difficult to
+ address many of the usability issues arising with SELinux. So, a
+ new libraray, <filename>libsemanage</filename>, was added to
+ provide userspace tools an interface to making policy management
+ easier. All policy management should use this library to access
+ the policy store. The policy store holds all the policy
+ information, and is found at
+ <filename>/etc/selinux/<replaceable>policyname</replaceable>/</filename>.
+ </para>
+ <para>
+ You should never have to edit the store directly. Instead, you
+ should use tools that link against libsemanage. One example tool
+ is <command>semanage</command>, which is a command line tool for
+ managing much of the policy such as SELinux user mappings,
+ SELinux port mappings, and file contexts entries. Other graphical
+ tools are currently being developed as well.
+ </para>
+ </answer>
+ </qandaentry>
</qandadiv>
<qandadiv id="faq-div-controlling-selinux">
<title>Controlling &SEL;</title>
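Review bot: typos and markup in the two new entries: `funcationality` should be `functionality`, `libraray` should be `library`, `config files in etc` should use `<filename>/etc</filename>`, and `policy package file (.pp extension)` should be plural. The sentence running from `This means that third party developers` to `without having to reboot the entire system` is a long run-on; split it after `entire policy`. The modules answer says modules are stored in `/usr/share/selinux/<policyname>/` while the managed policy answer says the store is `/etc/selinux/<policyname>/`; state that the first holds the shipped .pp files and the second is the store `semodule` installs them into, otherwise readers will conflate the two directories.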
@@ -882,14 +975,13 @@
</para>
<note>
<title><computeroutput>sysadm_r</computeroutput> Role
- Required</title>
+ Required for strict policy</title>
<para>
You must issue the <command>setenforce</command> command with
- the <computeroutput>sysadm_r</computeroutput> role. Use the
+ the <computeroutput>sysadm_r</computeroutput> role if you are
+ using strict policy. If you are using the standard targeted
+ policy, then this is not necessary. Use the
<command>newrole</command> command to assume this role.
- Alternately, if you switch to root using <command>su
- -</command>, you assume the
- <computeroutput>sysadm_r</computeroutput> role automatically.
</para>
</note>
</answer>
@@ -943,6 +1035,160 @@
</para>
</answer>
</qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ How do I write policy to allow a domain to use pam_unix.so?
+ </para>
+ </question>
+ <answer>
+ <para>
+ Very few domains in the SELinux world are allowed to read the
+ <filename>/etc/shadow</filename> file. There are constraint rules
+ that prevent policy writers from writing code like
+ </para>
+<screen>
+<command>allow mydomain_t shadow_t:file read;</command>
+</screen>
+ <para>
+ In RHEL4 you can setup your domain to use the
+ <command>unix_chkpwd</command> command. The easiest way is to use
+ the <command>unix_chkpwd</command> attribute. So if you were
+ writing policy for an ftpd daemon you would write something like
+ </para>
+<screen>
+<command>daemon_domain(vsftpd, `auth_chkpwd')</command>
+</screen>
+ <para>
+ This would create a context where
+ vsftpd_t -> chkpwd_exec_t -> system_chkpwd_t which can read
+ <filename>/etc/shadow</filename>, while vsftpd_t is not able to
+ read it.
+ </para>
+ <para>
+ In &FC; &LOCALVER;/RHEL5, add the rule
+ </para>
+<screen>
+<command>auth_domtrans_chk_passwd(vsftpd_t)</command>
+</screen>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ In the past I have written local.te file in policy sources for my
+ own local customization to policy, how do I do this with
+ Reference Policy?
+ </para>
+ </question>
+ <answer>
+ <para>
+ If you have specific AVC messages you can use
+ <command>audit2allow</command> to
+ generate a Type Enforcement file that is ready to load as a policy
+ module.
+ </para>
+<screen>
+<command>audit2allow -M local < /tmp/avcs</command>
+</screen>
+ <para>
+ This will create a <filename>local.pp</filename> which you can
+ then load into the kernel using
+ <command>semodule -i local.pp</command>.
+ You can also edit the <filename>local.te</filename> to make
+ additional customizations.
+ </para>
+<screen>
+<computeroutput>audit2allow -M local -l -i /var/log/audit/audit.log
+Generating type enforcment file: local.te
+Compiling policy
+checkmodule -M -m -o local.mod local.te
+semodule_package -o local.pp -m local.mod
+
+******************** IMPORTANT ***********************
+
+In order to load this newly created policy package into the kernel,
+you are required to execute
+
+semodule -i local.pp</computeroutput>
+</screen>
+ <para>
+ This will generate a <filename>local.te</filename> file, that
+ looks something like the following:
+ </para>
+<screen>
+<computeroutput>module local 1.0;
+
+require {
+ class file { append execute execute_no_trans getattr ioctl read write };
+ type httpd_t;
+ type httpd_w3c_script_exec_t;
+ };
+
+
+allow httpd_t httpd_w3c_script_exec_t:file { execute execute_no_trans getattr ioctl read };</computeroutput>
+</screen>
+ <para>
+ You can hand edit this file and then recompile and reload it
+ using
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>checkmodule</command> to compile the te file
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>semodule_package</command> to create a policy package
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>semodule</command> to add it to the current machines running policy
+ </para>
+ </listitem>
+ </itemizedlist>
+ <note>
+ <title>Important</title>
+ <para>
+ In order to load this newly created policy package into the
+ kernel, you are required to execute
+ <command>semodule -i local.pp</command>
+ </para>
+ </note>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ I created a new Policy Package where do I put it to make sure that
+ it gets loaded into the kernel?
+ </para>
+ </question>
+ <answer>
+ <para>
+ All you need to do execute the
+ <command>semodule -i myapp.pp</command>
+ command. This modifies the policy that is stored on the machine.
+ Everytime for now on your policy module will get loaded with the
+ rest of the policy. You can even remove the pp file from the
+ system.
+ </para>
+ <para>
+ <command>semodule -l</command> will list the currently loaded
+ modules.
+ </para>
+<screen>
+<computeroutput>#semodule -i
+myapp 1.2.1</computeroutput>
+</screen>
+ <para>
+ If you later would like to remove the policy package, you can
+ execute <command>semodule -r myapp</command>.
+ </para>
+ </answer>
+ </qandaentry>
</qandadiv>
<qandadiv id="faq-div-resolving-problems">
<title>Resolving Problems</title>
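Review bot: `<command>audit2allow -M local < /tmp/avcs</command>` contains a raw `<`, which is not well-formed XML and will break the build; write it as `&lt;`. In the last entry the listing `#semodule -i` / `myapp 1.2.1` is introduced as the output of `semodule -l`, so the screen should show `# semodule -l`. Smaller points in the same hunk: the audit2allow answer first says `audit2allow -M local < /tmp/avcs` creates local.pp, then shows a different invocation (`-l -i /var/log/audit/audit.log`) whose output "will generate a local.te", so the order reads backwards; show one invocation, then its output, then the generated .te file. The unix_chkpwd paragraph calls it "the unix_chkpwd attribute" while the example passes `auth_chkpwd`; use one name. Typos: `the current machines running policy` (machine's), `All you need to do execute` (is execute), `Everytime for now on` (Every time from now on). The rule `allow mydomain_t shadow_t:file read;` is policy source, not a shell command, so `<programlisting>` fits better than `<command>`.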
@@ -1186,7 +1432,7 @@
<para>
If you wanted to not audit <command>dmesg</command>, for example,
you would put this in your
- <filename>/etc/selinux/targeted/src/policy/dmesg.te</filename>
+ <filename>dmesg.te</filename>
file:
</para>
<screen>
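Review bot: with the `/etc/selinux/targeted/src/policy/` path removed, `dmesg.te` has no stated location, and the policy sources are no longer installed on FC5 (the src.rpm is the only way to get them, per the package hunk above). Say where the reader gets or creates this file, for instance a local module .te built with the devel Makefile and loaded with `semodule`, so the instruction is actionable.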
@@ -1224,8 +1470,6 @@
</para>
</answer>
</qandaentry>
- <!-- Need to modify this to work with new policy sources, or find
- a better method than modifying all source
<qandaentry>
<question>
<para>
@@ -1248,9 +1492,7 @@
auditing of all <computeroutput>dontaudit</computeroutput> rules:
</para>
<screen>
-<command>cd /etc/selinux/targeted/src/policy
-make enableaudit
-make load</command>
+<command>semodule -b /usr/share/selinux/targeted/enableaudit.pp</command>
</screen>
<caution>
<title>Enabled <computeroutput>dontaudit</computeroutput> output
@@ -1270,14 +1512,12 @@
</para>
</caution>
<para>
- To re-enable <computeroutput>dontaudit</computeroutput> rules, do
- the following:
+ Once you have found your problem you can reset to the default
+ mode by executin
</para>
<screen>
-<command>cd /etc/selinux/targeted/src/policy
-make clean
-make load</command>
-</screen> -->
+<command>semodule -b /usr/share/selinux/targeted/base.pp</command>
+</screen>
<!-- commented out just in case it needs to be rewritten and included:
<para>
Another reason for getting silent denials is on an
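Review bot: `by executin` should be `by executing`. It would also help to say in that sentence that `semodule -b /usr/share/selinux/targeted/base.pp` restores the shipped base module, which is what puts the `dontaudit` rules back into effect.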
@@ -1301,10 +1541,9 @@
been fixed):
audit(1083674459.837:0): security_compute_sid: invalid context root:sysadm_r:system_chkpwd_t for scontext=root:sysadm_r:newrole_t tcontext=system_u:object_r:chkpwd_exec_t tclass=process
-
+-->
</answer>
</qandaentry>
--->
<qandaentry>
<question>
<para>
@@ -1559,11 +1798,10 @@
which shows examples of policy.
</para>
<para>
- If you want to write a new policy domain, you should install the
- <filename>selinux-policy-devel</filename> package. This will place
- reference policy interface files into the
- <filename>/usr/share/selinux/refpolicy</filename> directory.
- There are also tools available to help you generate new policy.
+ If you want to create a new policy domain, you can look at the
+ interface files in the
+ <filename>/usr/share/selinux/devel</filename> sub-directories.
+ There is also a tool there to help you get started.
The following procedure is an example:
</para>
<procedure>
@@ -1580,7 +1818,8 @@
<command>policygentool <replaceable>mydaemon /usr/sbin/mydaemon</replaceable></command>
</screen>
<para>
- This command creates three files:
+ It will prompt you for a few common domain characteristics,
+ and will create three files:
<filename>mydaemon.te</filename>,
<filename>mydaemon.fc</filename> and
<filename>mydaemon.if</filename>.
@@ -1590,8 +1829,9 @@
<para>
After you generate the policy files, use the supplied
Makefile,
- <filename>/usr/share/selinux/refpolicy/Makefile</filename>, to
- build a policy package:
+ <filename>/usr/share/selinux/devel/Makefile</filename>, to
+ build a policy package
+ (<filename>mydaemon.pp</filename>):
</para>
<screen>
<command>make -f /usr/share/selinux/refpolicy/Makefile</command>
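Review bot: the prose now names `/usr/share/selinux/devel/Makefile`, but the unchanged `<screen>` line directly below still runs `make -f /usr/share/selinux/refpolicy/Makefile`; update the command to the devel path as well, or the procedure fails on a system without the old refpolicy directory.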
@@ -1615,7 +1855,7 @@
mode and then use the init script to start your daemon:
</para>
<screen>
-<command>setenforce 1</command> <!-- is this right? -->
+<command>setenforce 0</command>
<command>service <replaceable>mydaemon</replaceable> restart</command>
</screen>
</step>
@@ -1623,12 +1863,14 @@
<para>
Now you can collect avc messages. You can use
<command>audit2allow</command> to translate the avc messages to
- allow rules and begin updating you
+ allow rules and begin updating your
<filename>mydaemon.te</filename> file. You should search for
interface macros in the
- <filename>/etc/selinux/refpolicy/include</filename> directory and
+ <filename>/usr/share/selinux/devel/include</filename> directory and
use these instead of using the allow rules directly, whenever
- possible. If you want more examples of polcy, you could always
+ possible. <command>audit2allow -R</command> will attempt to find
+ interfaces that match the allow rule.
+ If you want more examples of polcy, you could always
install the selinux-policy src rpm, which contains all of the
policy te files for the reference policy.
</para>
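Review bot: `polcy` in `If you want more examples of polcy` is carried over from the old line into the new one; fix it to `policy` while the line is being touched.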
@@ -1729,6 +1971,278 @@
</para>
</answer>
</qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ I have a process running as
+ <computeroutput>unconfined_t</computeroutput>, and &SEL; is
+ still preventing my application from running.
+ </para>
+ </question>
+ <answer>
+ <para>
+ We have begun to confine the
+ <computeroutput>unconfined_t</computeroutput> domain somewhat.
+ SELinux restricts certain memory protection operation. Following
+ is a list of those denials, as well as possible reasons and
+ solutions for those denials.
+ For more information on these restrictions, see <ulink
+ url="http://people.redhat.com/drepper/selinux-mem.html"/>.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term><computeroutput>execmod</computeroutput></term>
+ <listitem>
+ <para>
+ This is usually based on a library label. You can change
+ the context on the library with the
+ <command>chcon -t testrel_shlib_t
+ <replaceable>LIBRARY</replaceable></command>. Now your
+ application can run. Please report this as a bugzilla.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><computeroutput>execstack</computeroutput></term>
+ <listitem>
+ <para>
+ Attempt to <command>execstack -c
+ <replaceable>LIBRARY</replaceable></command>. Now try your
+ application again. If the application now works, the
+ library was mistakenly marked as requiring
+ <computeroutput>execstack</computeroutput>. Please report
+ this as a bugzilla.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><computeroutput>execmem, execheap</computeroutput></term>
+ <listitem>
+ <para>
+ A boolean for each one of these memory check errors have been
+ provided. So if you need to run an application requiring
+ either of these permissions, you can set the boolean
+ allow_exec* to fix the problem. For instance if you try to run
+ an application and you get an AVC message containing an
+ <computeroutput>execstack</computeroutput> failure. You can
+ set the boolean with
+ </para>
+<screen>
+<command>setsebool -P allow_execstack=1</command>
+</screen>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ What do these rpm errors mean?
+ </para>
+ </question>
+ <answer>
+<screen>
+<computeroutput>genhomedircon: Warning! No support yet for expanding ROLE macros in the /etc/selinux/mls/contexts/files/homedir_template file when using libsemanage.
+genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).</computeroutput>
+</screen>
+ <para>
+ Some of the interfaces are not complete yet for selinux. Most
+ users should not care about this warning. It will only affect you
+ if you are running the policy package that is reporting the
+ problem and have non standard SELinux role/user combinations.
+ IE You are using some custom policy.
+ </para>
+<screen>
+<computeroutput>restorecon reset /etc/modprobe.conf context system_u:object_r:etc_runtime_t->system_u:object_r:modules_conf_t
+restorecon reset /etc/cups/ppd/homehp.ppd context user_u:object_r:cupsd_etc_t->system_u:object_r:cupsd_rw_etc_t</computeroutput>
+</screen>
+ <para>
+ During the update process, the selinux package runs restorecon on
+ the difference between the previously install policy file_context
+ and the newly install policy context. This maintains the correct
+ file context on disk.
+ </para>
+<screen>
+<computeroutput>libsepol.sepol_genbools_array: boolean hidd_disable_trans no longer in policy</computeroutput>
+</screen>
+ <para>
+ This indicates that the updated policy has removed the boolean
+ from policy.
+ </para>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ I want to run a daemon on a non standard port but &SEL; will not
+ allow me. How do get this to work?
+ </para>
+ </question>
+ <answer>
+ <para>
+ You can use the <command>semanage</command> command to define
+ additional ports. So say you want httpd to be able to listen on
+ port 8082. You could enter the command.
+ </para>
+<screen>
+<command>semanage port -a -p tcp -t http_port_t 8082</command>
+</screen>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ How do I add additional translations to my MCS/MLS system?
+ </para>
+ </question>
+ <answer>
+ <para>
+ Translations are handled through libsemanage. Use
+ <command>semanage translation -l</command> to list all current
+ translations.
+ </para>
+<screen>
+<computeroutput># semanage translation -l
+Level Translation
+
+s0
+s0-s0:c0.c255 SystemLow-SystemHigh
+s0:c0.c255 SystemHigh</computeroutput>
+</screen>
+ <para>
+ Now pick an unused category. Say you wanted to add
+ Payroll as a translation, and s0:c6 is unused.
+ </para>
+<screen>
+<computeroutput># semanage translation -a -T Payroll s0:c6
+# semanage translation -l
+Level Translation
+
+s0
+s0-s0:c0.c255 SystemLow-SystemHigh
+s0:c0.c255 SystemHigh
+s0:c6 Payroll</computeroutput>
+</screen>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ I have setup my MCS/MLS translations, now I want to designate
+ which users can read a given category?
+ </para>
+ </question>
+ <answer>
+ <para>
+ You can modify the range of categories a user can login with
+ by using <command>semanage</command>, as seen in this example.
+ </para>
+<screen>
+<computeroutput># semanage login -a -r s0-Payroll csellers
+# semanage login -l
+
+Login Name SELinux User MLS/MCS Range
+
+__default__ user_u s0
+csellers user_u s0-Payroll
+root root SystemLow-SystemHigh</computeroutput>
+</screen>
+ <para>
+ In the above example, the user csellers was given access to the
+ <computeroutput>Payroll</computeroutput> category with the first
+ command, as indicated in the listing output from the second
+ command.
+ </para>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ I am writing an php script that needs to create temporary files in
+ <filename>/tmp</filename> and then execute them, SELinux policy is
+ preventing this. What should I do?
+ </para>
+ </question>
+ <answer>
+ <para>
+ You should avoid having system applications writing to the
+ <filename>/tmp</filename> directory, since users tend to use the
+ <filename>/tmp</filename> directory also. It would be better to
+ create a directory elsewhere which could be owned by the apache
+ process and allow your script to write to it. You should label the
+ directory <computeroutput>httpd_sys_script_rw_t</computeroutput>.
+ </para>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ I am setting up swapping to a file, but I am seeing AVC messages
+ in my log files?
+ </para>
+ </question>
+ <answer>
+ <para>
+ You need to identify the swapfile to SELinux by setting its file
+ context to <computeroutput>swapfile_t</computeroutput>.
+ </para>
+<screen>
+<command>chcon -t swapfile_t <replaceable>SWAPFILE</replaceable></command>
+</screen>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ Please explain the
+ <computeroutput>relabelto</computeroutput>/<computeroutput>relabelfrom</computeroutput>
+ permissions?
+ </para>
+ </question>
+ <answer>
+ <para>
+ For files, <computeroutput>relabelfrom</computeroutput> means "Can
+ domain D relabel a file from (i.e. currently in) type T1?" and
+ <computeroutput>relabelto</computeroutput> means "Can domain D
+ relabel a file to type T2?", so both checks are applied upon a
+ file relabeling, where T1 is the original type of the type and T2
+ is the new type specified by the program.
+ </para>
+ <para>
+ Useful documents to look at:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Object class and permission summary by Tresys <ulink
+ url="http://tresys.com/selinux/obj_perms_help.shtml"/>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Implementing SELinux as an LSM technical report (describes
+ permission checks on a per-hook basis) <ulink
+ url="http://www.nsa.gov/selinux/papers/module-abs.cfm"/>.
+ This is also available in the selinux-doc package
+ (and more up-to-date there).
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Integrating Flexible Support for Security Policies into the
+ Linux Operating System - technical report (describes original
+ design and implementation, including summary tables of
+ classes, permissions, and what permission checks are applied
+ to what system calls. It is not entirely up-to-date with
+ current implementation, but a good resource nonetheless).
+ <ulink
+ url="http://www.nsa.gov/selinux/papers/slinux-abs.cfm"/>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </answer>
+ </qandaentry>
</qandadiv>
<qandadiv id="faq-div-deploying-selinux">
<title>Deploying &SEL;</title>
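Review bot: `chcon -t testrel_shlib_t` looks like a typo for `textrel_shlib_t` (the text-relocation shared library type); as written the `chcon` will fail with an invalid context, so please verify against the policy. In the same list the term is `execmem, execheap` but the example AVC and boolean are `execstack` / `allow_execstack`, which contradicts the preceding `execstack` entry that recommends `execstack -c` rather than a boolean; use `allow_execmem` or `allow_execheap` in the example. Grammar and typos: `A boolean ... have been provided` (has been), `How do get this to work` (How do I get), `an php script` (a PHP script), `T1 is the original type of the type` (of the file), `IE You are using` (i.e. you are using). The `execmod` entry asks the reader to file a bugzilla but not against which component; name it.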
@@ -1835,15 +2349,23 @@
work under &SEL;.
</para>
<para>
+ Note that with the addition of <xref
+ linkend="faq-entry-whatare-policy-modules"/>, it is now possible
+ for third-party developers to include policy modules with their
+ application. If you are a third-party developer or a
+ package-maintainer, please consider including a policy module
+ in your package. This will allow you to secure the behavior
+ of your application with the power of &SEL; for any user
+ insalling your package.
+ </para>
+ <para>
One important value that &FC; testers and users bring to the
community is extensive testing of third-party applications. With
that in mind, please bring your experiences to the appropriate
- mailing list, such as the fedora-selinux.list, for discussion. For
+ mailing list, such as the fedora-selinux list, for discussion. For
more information about that list, refer to <ulink
url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list/"/>.
</para>
- <!-- Add policy modules section -->
- <!-- Add managed policy section -->
</answer>
</qandaentry>
</qandadiv>
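Review bot: `insalling` should be `installing`. Since a third-party module ends up in the managed store, consider also linking `faq-entry-whatis-managed-policy` next to the `faq-entry-whatare-policy-modules` xref; removing the two "Add ... section" TODO comments is correct now that both entries exist.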