selinux-faq/F-8/en_US doc-entities.xml, NONE, 1.1 rpm-info.xml, NONE, 1.1 selinux-faq.xml, NONE, 1.1
Paul W. Frields (pfrields)
fedora-docs-commits at redhat.com
Fri Nov 16 13:05:09 UTC 2007
- Previous message (by thread): selinux-faq/FC-5/po it.po, NONE, 1.1 pt.po, NONE, 1.1 selinux-faq.pot, NONE, 1.1
- Next message (by thread): selinux-faq/F-8/po it.po, NONE, 1.1 pt.po, NONE, 1.1 selinux-faq.pot, NONE, 1.1
Author: pfrields
Update of /cvs/docs/selinux-faq/F-8/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12637/F-8/en_US
Added Files:
doc-entities.xml rpm-info.xml selinux-faq.xml
Log Message:
Add FC-5 and F-8 branches. For right now, these are duplicate copies of one another. The F-8 branch is where new work is to be done to bring the FAQ up to date with better and more content.
--- NEW FILE doc-entities.xml ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE entities SYSTEM "../../docs-common/common/entities/entities.dtd">
<entities>
<title>These entities are absolutely essential in this document.</title>
<group name="Example Tutorial Entities">
<entity name="LOCAL-ENT">
<comment>A per-document entity</comment>
<text><wordasword>Per-document Entity</wordasword>
</text>
</entity>
<entity name="DOCNAME">
<comment>Should match the name of this module</comment>
<text>selinux-faq</text>
</entity>
<entity name="DOCVERSION">
<comment>Last revision number, bump when you change the doc</comment>
<text>1.5.2</text>
</entity>
<entity name="DOCDATE">
<comment>Last revision date, format YYYY-MM-DD</comment>
<text>2006-03-24</text>
</entity>
<entity name="DOCID">
<comment>Same for every document</comment>
<text>
<use entity="DOCNAME"/>-<use entity="DOCVERSION"/> (<use
entity="DOCDATE"/>)</text>
</entity>
<entity name="BUG-URL">
<comment>Useful pre-filled bug report; note the changes of the
ampersand and percentage characters to their entity equivalent.
</comment>
<text>https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora%20Documentation&amp;op_sys=Linux&amp;target_milestone=---&amp;bug_status=NEW&amp;version=devel&amp;component=selinux-faq&amp;rep_platform=All&amp;priority=normal&amp;bug_severity=normal&amp;assigned_to=kwade%40redhat.com&amp;cc=&amp;estimated_time_presets=0.0&amp;estimated_time=0.0&amp;bug_file_loc=http%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq%2F&amp;short_desc=CHANGE%20TO%20A%20REAL%20SUMMARY&amp;comment=%5B%5B%20Description%20of%20change%2FFAQ%20addition.%20%20If%20a%20change%2C%20include%20the%20original%0D%0Atext&percnt;20first%2C%20then%20the%20changed%20text%3A%20%5D%5D%0D%0A%0D%0A%0D%0A%5B%5B%20Version-Release%20of%20FAQ%20%0D%0A%28found%20on%0D%0Ahttp%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq-fc5%2Fln-legalnotice.html%29%3A%0D%0A%0D%0A%20for%20example%3A%20%20selinux-faq-1.5.2%20%282006-03-20%29&amp;status_whiteboard=&amp;keywords=&amp;issuetrackers=&amp;dependson=&amp;blocked=&amp;ext_bz_id=0&amp;ext_bz_bug_id=&amp;data=&amp;description=&amp;contenttypemethod=list&amp;contenttypeselection=text%2Fplain&amp;contenttypeentry=&amp;maketemplate=Remember%20values%20as%20bookmarkable%20template&amp;form_name=enter_bug</text>
</entity>
<entity name="APACHE">
<comment>Locally useful.</comment>
<text>Apache HTTP</text>
</entity>
<entity name="LOCALVER">
<comment>Set value to your choice, useful for when the guide
version is out of sync with the FC release; use instead of FEDVER or
FEDTESTVER</comment>
<text>5</text>
</entity>
</group>
</entities>
--- NEW FILE rpm-info.xml ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE rpm-info SYSTEM "../../docs-common/packaging/rpm-info.dtd">
<rpm-info>
<colophon>
<worker surname="Wade" firstname="Karsten" id="KarstenWade" email="kwade@redhat.com" wholename="Karsten Wade" initials="KW"/>
<worker surname="Sellers" firstname="Chad" id="ChadSellers" email="csellers@tresys.com" wholename="Chad Sellers" initials="CS"/>
<worker surname="Tombolini" firstname="Francesco" id="FrancescoTombolini" email="tombo@adamantio.net" wholename="Francesco Tombolini" initials="FT"/>
<worker firstname="Paul" othername="W." surname="Frields" initials="PWF" email="stickster@gmail.com" wholename="Paul W. Frields" id="PaulWFrields"/>
</colophon>
<author worker="KarstenWade"/>
<author worker="ChadSellers"/>
<translator worker="FrancescoTombolini"/>
<license>
<rights>OPL</rights>
<version>1.0</version>
</license>
<copyright>
<year>2004</year>
<year>2005</year>
<holder>Red Hat, Inc.</holder>
<holder>Karsten Wade</holder>
</copyright>
<copyright>
<year>2006</year>
<holder>Chad Sellers</holder>
<holder>Paul W. Frields</holder>
</copyright>
<title>Fedora Core 5 SELinux FAQ</title>
<desc>Frequently asked questions about SELinux in Fedora Core 5</desc>
<changelog order="newest-first">
<revision date="2006-04-28" number="1.5.6" role="doc">
<author worker="ChadSellers"/>
<details>Fix for bz #18727, bz#139744, bz#144696, bz#147915,
and bz#190181; other fixes, including from
http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions</details>
</revision>
<revision date="2006-04-07" number="1.5.5" role="doc">
<author worker="KarstenWade"/>
<details>Fix for bz #188219; legal notice fix.</details>
</revision>
<revision date="2006-03-21" number="1.5.4" role="doc">
<author worker="ChadSellers"/>
<details>Updated log file location for FC5 release, added
targeted domains FAQ</details>
</revision>
<revision date="2006-03-21" number="1.5.3" role="doc">
<author worker="ChadSellers"/>
<details>Numerous content updates for FC5 release</details>
</revision>
<revision date="2006-02-10" number="1.5.2" role="doc">
<author worker="PaulWFrields"/>
<details>Make admonition more easily maintainable</details>
</revision>
<revision date="2006-02-05" number="1.5.1" role="doc">
<author worker="PaulWFrields"/>
<details>Style and readability editing; some element
clarifications</details>
</revision>
<revision date="2006-02-03" number="1.5" role="doc">
<author worker="ChadSellers"/>
<details>First round of editing.</details>
</revision>
</changelog>
</rpm-info>
--- NEW FILE selinux-faq.xml ---
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
<!-- *************** Bring in Fedora entities *************** -->
<!ENTITY % FDP-ENTITIES SYSTEM "fdp-entities.ent">
%FDP-ENTITIES;
<!ENTITY % DOCUMENT-ENTITIES SYSTEM "doc-entities.ent">
%DOCUMENT-ENTITIES;
]>
<!-- test content -->
<article id="selinux-faq" lang="en">
<xi:include href="fdp-info.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:fallback>WHERE IS MY FDP-INFO, DUDE</xi:fallback>
</xi:include>
<section id="sn-selinux-faq">
<title>&SEL; Notes and FAQ</title>
<para>
The information in this FAQ is valuable for those who are new to &SEL;. It
is also valuable if you are new to the latest &SEL; implementation in
&FC;, since some of its behavior may differ from what you have
experienced with earlier releases.
</para>
<note>
<title>This FAQ is specific to &FC; &LOCALVER;</title>
<para>
If you are looking for the FAQ for other versions of &FC;, refer to
<ulink url="http://fedora.redhat.com/docs/selinux-faq/"/>.
</para>
</note>
<para>
For more information about how &SEL; works, how to use &SEL; for general
and specific Linux distributions, and how to write policy, these resources
are useful:
</para>
<itemizedlist id="external-link-list">
<title>External Link List</title>
<listitem>
<para>
NSA &SEL; main website — <ulink
url="http://www.nsa.gov/selinux/" />
</para>
</listitem>
<listitem>
<para>
NSA &SEL; FAQ — <ulink
url="http://www.nsa.gov/selinux/info/faq.cfm" />
</para>
</listitem>
<listitem>
<para>
&SEL; community page — <ulink
url="http://selinux.sourceforge.net" />
</para>
</listitem>
<listitem>
<para>
Unofficial FAQ — <ulink
url="http://www.crypt.gen.nz/selinux/faq.html" />
</para>
</listitem>
<listitem>
<para>
Writing traditional SE Linux policy HOWTO — <ulink
url="https://sourceforge.net/docman/display_doc.php?docid=21959&amp;group_id=21266"
/>
</para>
</listitem>
<listitem>
<para>
Reference Policy (the new policy found in &FC; 5) — <ulink
url="http://serefpolicy.sourceforge.net/"
/>
</para>
</listitem>
<listitem>
<para>
SELinux policy development training courses — <ulink
url="http://tresys.com/services/training.shtml"
/> and <ulink
url="https://www.redhat.com/training/security/courses/rhs429.html"
/>
</para>
</listitem>
<listitem>
<para>
Getting Started with SE Linux HOWTO: the new SE Linux (Debian) —
<ulink
url="https://sourceforge.net/docman/display_doc.php?docid=20372&amp;group_id=21266" />
</para>
</listitem>
<listitem>
<para>
List of SELinux object classes and permissions —
<ulink
url="http://tresys.com/selinux/obj_perms_help.shtml" />
</para>
</listitem>
<listitem>
<para>
On IRC — irc.freenode.net, #fedora-selinux
</para>
</listitem>
<listitem>
<para>
&FED; mailing list — <ulink
url="mailto:fedora-selinux-list@redhat.com" />;
read the archives or subscribe at <ulink
url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list" />
</para>
</listitem>
</itemizedlist>
<tip>
<title>Making changes/additions to the &FED; &SEL; FAQ</title>
<para>
This FAQ is available at <ulink
url="http://fedora.redhat.com/docs/selinux-faq-fc5/">http://fedora.redhat.com/docs/selinux-faq-fc5/</ulink>.
</para>
<para>
For changes or additions to the &FED; &SEL; FAQ, use this <ulink
url="&BUG-URL;">bugzilla template</ulink>, which pre-fills most of the
bug report. Patches should be a <command>diff -u</command> against the
XML, which is available from CVS (refer to <ulink
url="http://fedora.redhat.com/projects/docs/" /> for details on
obtaining the fedora-docs/selinux-faq module from anonymous CVS; you can
check out just the <filename>fedora-docs/selinux-faq</filename> module if you
do not want the entire <filename>fedora-docs</filename> tree). Otherwise,
plain text showing the wording before and after your change is sufficient.
</para>
<para>
For a list of all bug reports filed against this FAQ, refer to <ulink
url="https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=118757">https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=118757</ulink>.
</para>
</tip>
<qandaset defaultlabel="qanda" id="selinux-faq-list">
<?dbhtml toc="1"?>
<qandadiv id="faq-div-understanding-selinux">
<title>Understanding &SEL;</title>
<qandaentry>
<question>
<para>
What is &SEL;?
</para>
</question>
<answer>
<para>
&SEL; (<firstterm>Security-Enhanced Linux</firstterm>) in &FC; is
an implementation of <firstterm>mandatory access
control</firstterm> in the Linux kernel using the
<firstterm>Linux Security Modules</firstterm>
(<abbrev>LSM</abbrev>) framework. Standard Linux security is a
<firstterm>discretionary access control</firstterm> model.
</para>
<variablelist>
<varlistentry>
<term>Discretionary access control (<abbrev>DAC</abbrev>)</term>
<listitem>
<para>
DAC is standard Linux security. A process receives every
permission of the user who runs it, so DAC provides no
protection from broken software or malware running as a
normal user or as root. Users can also grant risky levels of
access to files they own.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Mandatory access control (<abbrev>MAC</abbrev>)</term>
<listitem>
<para>
Under MAC, an administratively defined policy, enforced by the
kernel, controls every access that users and processes make to
files, sockets and other system objects. Because the policy
applies regardless of which user runs a program, MAC can
protect against broken software or malware running as any
user, including root.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
In a DAC model, file and resource decisions are based solely on
user identity and ownership of the objects. Each user, and every
program run by that user, has complete discretion over the user's
objects. Malicious or flawed software can do anything with the files
and resources it controls through the user that started the process.
If the user is the super-user or the application is
<command>setuid</command> or <command>setgid</command> to root,
the process can have root-level control over the entire
system.
</para>
<para>
A MAC system does not suffer from these problems. First, you can
administratively define a security policy over all processes and
objects. Second, you control all processes and objects, in the
case of &SEL; through the kernel. Third, decisions are based on
all the security relevant information available, and not just
[...2335 lines suppressed...]
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
I set up swapping to a file, and now I see AVC messages in my log
files. Why?
</para>
</question>
<answer>
<para>
You need to identify the swap file to &SEL; by setting its file
context to <computeroutput>swapfile_t</computeroutput>. Until you
do, the file keeps whatever type it was created with, and accesses to
it by the swap tools are denied; those denials are what the AVC
messages report.
</para>
<screen>
<command>chcon -t swapfile_t <replaceable>SWAPFILE</replaceable></command>
</screen>
<para>
A context set with <command>chcon</command> does not survive a
relabel of the file system. If the AVC messages return after a
relabel, set the context again, or record it in the file context
configuration so that a relabel restores it.
</para>
</answer>
</qandaentry>
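As an added example, not part of the FAQ and not a Fedora tool, the following Python script parses AVC denial records of the kind this question refers to and, given the type you intend a file to have, produces the chcon command that sets it. The audit lines embedded in the script are constructed for illustration: the field layout (avc: denied { perms } for pid= comm= path= scontext= tcontext= tclass=) is the real audit.log format, but the contexts, PIDs and inode numbers are made up. For a label that survives a relabel, the persistent counterpart of the suggested command is semanage fcontext -a -t swapfile_t /swapfile followed by restorecon /swapfile (assumed to be available, as it is with Fedora's policycoreutils).

```python
import re

# Constructed sample audit records (made up for this example; not from a real
# system and not from the FAQ).  The first two are what denied accesses to an
# unlabelled swap file look like; the third is a non-AVC record that must be
# skipped; the fourth is an unrelated denial to show the parser is generic.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1195218309.123:42): avc:  denied  { read write } for  pid=2140 comm="swapon" path="/swapfile" dev=sda2 ino=131074 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1195218309.456:43): avc:  denied  { getattr } for  pid=2140 comm="swapon" path="/swapfile" dev=sda2 ino=131074 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1195218309.456:43): arch=c000003e syscall=167 success=no exit=-13 comm="swapon" exe="/sbin/swapon" subj=system_u:system_r:fsadm_t:s0
type=AVC msg=audit(1195218400.001:51): avc:  denied  { name_connect } for  pid=3001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line.  Returns a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def parse_audit_log(text):
    """All AVC records in an audit.log excerpt, in file order."""
    records = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            records.append(rec)
    return records


def relabel_suggestions(records, expected_types):
    """For each denied file-class access to a path whose current type differs
    from the type the administrator intends (expected_types: path -> type),
    return the chcon command that sets the intended label.  Repeated denials
    for the same path collapse to a single suggestion."""
    suggestions = []
    for rec in records:
        if rec["verdict"] != "denied" or rec["tclass"] != "file" or not rec["path"]:
            continue
        wanted = expected_types.get(rec["path"])
        if wanted is None:
            continue
        if context_type(rec["tcontext"]) == wanted:
            continue  # already labelled as intended: the denial is a policy gap, not a label problem
        cmd = "chcon -t %s %s" % (wanted, rec["path"])
        if cmd not in suggestions:
            suggestions.append(cmd)
    return suggestions


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print("%-8s %-8s %-12s -> %s:%s" % (r["verdict"], r["comm"],
              context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"]))
    for cmd in relabel_suggestions(recs, {"/swapfile": "swapfile_t"}):
        print("suggested fix:", cmd)
```

Run it against a real audit.log excerpt by replacing SAMPLE_AUDIT_LOG with the file's contents; a path that already carries the intended type but is still denied indicates missing policy rather than a mislabeled file, and the script deliberately makes no suggestion in that case.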
<qandaentry>
<question>
<para>
Please explain the
<computeroutput>relabelto</computeroutput>/<computeroutput>relabelfrom</computeroutput>
permissions?
</para>
</question>
<answer>
<para>
For files, <computeroutput>relabelfrom</computeroutput> means "Can
domain D relabel a file from (that is, currently in) type T1?" and
<computeroutput>relabelto</computeroutput> means "Can domain D
relabel a file to type T2?" Both checks are applied when a
file is relabeled, where T1 is the original type of the file and T2
is the new type specified by the program. A relabel therefore fails,
and logs an AVC denial, if the domain lacks either permission.
</para>
<para>
Useful documents to look at:
</para>
<itemizedlist>
<listitem>
<para>
Object class and permission summary by Tresys <ulink
url="http://tresys.com/selinux/obj_perms_help.shtml"/>
</para>
</listitem>
<listitem>
<para>
Implementing SELinux as an LSM technical report (describes
permission checks on a per-hook basis) <ulink
url="http://www.nsa.gov/selinux/papers/module-abs.cfm"/>.
This is also available in the selinux-doc package
(and more up-to-date there).
</para>
</listitem>
<listitem>
<para>
Integrating Flexible Support for Security Policies into the
Linux Operating System - technical report (describes original
design and implementation, including summary tables of
classes, permissions, and what permission checks are applied
to what system calls. It is not entirely up-to-date with
current implementation, but a good resource nonetheless).
<ulink
url="http://www.nsa.gov/selinux/papers/slinux-abs.cfm"/>
</para>
</listitem>
</itemizedlist>
</answer>
</qandaentry>
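To make the two checks concrete, here is an added example (mine, not the FAQ's and not Fedora's code): a small Python model that parses allow rules written in the policy language and evaluates a relabel of a file from T1 to T2 by domain D exactly as the answer above describes, relabelfrom against T1 and relabelto against T2. The rules it loads are constructed for the example and are not Fedora's actual policy; the parser handles plain allow statements with type names and braced sets only (no attributes, interfaces or conditionals). It goes one step beyond the answer in reporting both failed checks at once, whereas the kernel stops and logs an AVC at the first one.

```python
import re

# Constructed allow rules in type-enforcement syntax.  Made up for this example;
# they are not Fedora's policy and only model the permissions relevant here.
CONSTRUCTED_RULES = """
# fsadm_t (fsck, swapon and friends) may move a file from the default labels
# onto the swap file type, but never the other way round.
allow fsadm_t file_t:file { getattr read relabelfrom };
allow fsadm_t default_t:file relabelfrom;
allow fsadm_t swapfile_t:file { read write relabelto };
allow fsadm_t { etc_t var_t }:dir { getattr search };
# httpd_t may read its content but has no relabel permissions at all.
allow httpd_t httpd_sys_content_t:file { getattr read };
"""

ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\{[^}]*\}|\S+)\s+"
    r"(?P<tgt>\{[^}]*\}|[^\s:{]+):(?P<cls>\{[^}]*\}|\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;"
)


def _names(token):
    """'{ a b }' -> {'a', 'b'};  'a' -> {'a'}"""
    return set(token.strip("{}").split())


def parse_allow_rules(text):
    """Expand allow statements into (source, target, class, permission) tuples."""
    rules = set()
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m is None:
            continue  # comments, blank lines and statements this model ignores
        for src in _names(m.group("src")):
            for tgt in _names(m.group("tgt")):
                for cls in _names(m.group("cls")):
                    for perm in _names(m.group("perms")):
                        rules.add((src, tgt, cls, perm))
    return rules


def check_relabel(rules, domain, old_type, new_type, tclass="file"):
    """Evaluate the two permission checks applied when `domain` changes the
    type of an object of class `tclass` from old_type to new_type.
    Returns (allowed, denials); denials lists the (target_type, permission)
    pairs that would appear as AVC denials.  The kernel stops at the first
    failure; both are reported here so an administrator sees every missing
    rule.  (The real inode_setxattr hook additionally checks
    filesystem:associate for the new type, which this model omits.)"""
    denials = []
    if (domain, old_type, tclass, "relabelfrom") not in rules:
        denials.append((old_type, "relabelfrom"))
    if (domain, new_type, tclass, "relabelto") not in rules:
        denials.append((new_type, "relabelto"))
    return (not denials, denials)


if __name__ == "__main__":
    rules = parse_allow_rules(CONSTRUCTED_RULES)
    for domain, old, new in [("fsadm_t", "file_t", "swapfile_t"),
                             ("fsadm_t", "swapfile_t", "file_t"),
                             ("httpd_t", "httpd_sys_content_t", "swapfile_t")]:
        ok, denials = check_relabel(rules, domain, old, new)
        print(domain, old, "->", new, "allowed" if ok else "denied %s" % denials)
```

The second case in the usage block is the interesting one: fsadm_t holds relabelto on swapfile_t and relabelfrom on file_t, which is enough to label a swap file, but the reverse relabel needs relabelfrom on swapfile_t and relabelto on file_t, neither of which the constructed rules grant, so it fails on both checks.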
</qandadiv>
<qandadiv id="faq-div-deploying-selinux">
<title>Deploying &SEL;</title>
<qandaentry>
<question>
<para>
What file systems can I use for &SEL;?
</para>
</question>
<answer>
<para>
The file system must support extended attribute
(<computeroutput>xattr</computeroutput>) labels in the
<parameter>security.*</parameter> namespace, which is where &SEL;
stores each file's security context. In addition to
ext2/ext3, XFS has recently added support for the necessary
labels.
</para>
<para>
Note that XFS SELinux support is broken in upstream kernel
2.6.14 and 2.6.15, but fixed (worked around)
in 2.6.16. Your kernel must include this fix if
you choose to use XFS with &SEL;.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How does &SEL; impact system performance?
</para>
</question>
<answer>
<para>
This is a variable that is hard to measure, and is heavily
dependent on the tuning and usage of the system running &SEL;.
When performance was last measured, the impact was around 7% for
completely untuned code. Subsequent changes in system components
such as networking are likely to have made that worse in some
cases. &SEL; performance tuning continues to be a priority of the
development team.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
What types of deployments, applications, and systems should I
leverage &SEL; in?
</para>
</question>
<answer>
<para>
Initially, &SEL; has been used on Internet facing servers that are
performing a few specialized functions, where it is critical to
keep extremely tight security. Administrators typically strip
such a box of all extra software and services, and run a very
small, focused set of services. A Web server or mail server is a
good example.
</para>
<para>
In these edge servers, you can lock down the policy very tightly.
The smaller number of interactions with other components makes
such a lock down easier. A dedicated system running a specialized
third-party application would also be a good candidate.
</para>
<para>
In the future, &SEL; will be targeted at all environments. In
order to achieve this goal, the community and
<firstterm>independent software vendors</firstterm>
(<abbrev>ISV</abbrev>s) must work with the &SEL; developers to
produce the necessary policy. So far, a very restrictive
<firstterm>strict policy</firstterm> has been written, as well as
a <firstterm>targeted policy</firstterm> that focuses on specific,
vulnerable daemons.
</para>
<para>For more information about these policies, refer to <xref
linkend="qa-whatis-policy"/> and <xref
linkend="qa-whatis-targeted-policy"/>.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How does &SEL; affect third-party applications?
</para>
</question>
<answer>
<para>
One goal of implementing a targeted &SEL; policy in &FC; is to
allow third-party applications to work without modification. The
targeted policy is transparent to applications it does not address:
they run unconfined, and only standard Linux DAC security applies
to them. These applications, however, are not running in an
extra-secure manner. You or another provider must write policy to
protect these applications with MAC security.
</para>
<para>
It is impossible to predict how every third-party application
might behave with &SEL;, even running the targeted policy. You
may be able to fix issues that arise by changing the policy. You
may find that &SEL; exposes previously unknown security issues
with your application. You may have to modify the application to
work under &SEL;.
</para>
<para>
Note that with the addition of <xref
linkend="faq-entry-whatare-policy-modules"/>, it is now possible
for third-party developers to include policy modules with their
application. If you are a third-party developer or a
package-maintainer, please consider including a policy module
in your package. This will allow you to secure the behavior
of your application with the power of &SEL; for any user
installing your package.
</para>
<para>
One important value that &FC; testers and users bring to the
community is extensive testing of third-party applications. With
that in mind, please bring your experiences to the appropriate
mailing list, such as the fedora-selinux list, for discussion. For
more information about that list, refer to <ulink
url="http://www.redhat.com/mailman/listinfo/fedora-selinux-list/"/>.
</para>
</answer>
</qandaentry>
</qandadiv>
</qandaset>
</section>
</article>