web/html/docs/selinux-user-guide/f11/html-single index.html, 1.2, 1.3

Scott Radvan sradvan at fedoraproject.org
Mon May 25 00:42:27 UTC 2009


Author: sradvan

Update of /cvs/fedora/web/html/docs/selinux-user-guide/f11/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30299

Added Files:
	index.html 
Log Message:
typo



View full diff with command:
/usr/bin/cvs -f diff  -kk -u -N -r 1.2 -r 1.3 index.html
Index: index.html
===================================================================
RCS file: index.html
diff -N index.html
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ index.html	25 May 2009 00:41:57 -0000	1.3
@@ -0,0 +1,1999 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Security-Enhanced Linux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican" /><meta name="package" content="" /><meta name="description" content="This book is about managing and using Security-Enhanced Linux." /></head><body class=""><div class="book" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">11</span></div><div><h1 id="id2728262" class="title">Security-Enhanced Linux</h1></div><div><h2 class="subtitle">User Guide</h2></div><p class="edition">Edition 1.3</p><div><h3 class="corpauthor">
+				<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
+			</h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a class="email" href="mailto:mmcallis at redhat.com">mmcallis at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Daniel</span> <span class="surname">Walsh</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a class="email" href="mailto:dwalsh at redhat.com">dwalsh at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Dominick</span> <span class="surname">Grift</span></h3><span class="contrib">Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confining Users, and T
 roubleshooting chapters.</span> <div class="affiliation"><span class="orgname"></span> <span class="orgdiv"></span></div><code class="email"><a class="email" href="mailto:domg472 at gmail.com">domg472 at gmail.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Paris</span></h3><span class="contrib">Technical editor for the Mounting File Systems and Raw Audit Messages sections.</span> <div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a class="email" href="mailto:eparis at parisplace.org">eparis at parisplace.org</a></code></div><div class="author"><h3 class="author"><span class="firstname">James</span> <span class="surname">Morris</span></h3><span class="contrib">Technical editor for the Introduction and Targeted Policy chapters.</span> <div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Enginee
 ring</span></div><code class="email"><a class="email" href="mailto:jmorris at redhat.com">jmorris at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div></div></div><div><p class="copyright">Copyright © 2009 Red Hat, Inc.</p></div><hr /><div><div id="id2843842" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
+		Copyright <span class="trademark"></span>© 2009 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at <a href="http://www.opencontent.org/openpub/">http://www.opencontent.org/openpub/</a>).
+	</div><div class="para">
+		Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.
+	</div><div class="para">
+		Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.
+	</div><div class="para">
+		All other trademarks and copyrights referred to are the property of their respective owners.
+	</div><div class="para">
+		Documentation, as with software itself, may be subject to export control. Read about Fedora Project export controls at <a href="http://fedoraproject.org/wiki/Legal/Export">http://fedoraproject.org/wiki/Legal/Export</a>. 
+	</div></div></div><div><div class="abstract"><h6>Abstract</h6><div class="para">This book is about managing and using Security-Enhanced <span class="trademark">Linux</span>®.</div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security-Enhanced_Linux-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#id2808018">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#id2830681">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#id2838986">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#id2843840">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#id2838542">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Trademark_Information">1. Trademark Information</a></span></dt><dd><dl><dt><span class="section"><a href="#chap-Security-E
 nhanced_Linux-Trademark_Information-Source_Code">1.1. Source Code</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Introduction">2. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux on Other Operating Systems</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-SELinux_Contexts">3. SELinux Contexts</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Lin
 ux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Targeted_Policy">4. Targeted Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</a></span></dt></dl></d
 d><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Working_with_SELinux">5. Working with SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_
 and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">5.6.3. Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="sec
 tion"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</a></span></dt
 ><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting an NFS File System</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving
  Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking the Default SELinux Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Confining_Users">6. Confining Users</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd
 ">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Troubleshooting">7. Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7
 .1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-
 Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials">7.3.2. Possible Causes of Silent Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive Domains</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert Messages</a></span></dt><dt><spa
 n class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access: audit2allow</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Further_Information">8. Further Information</a></span></dt><dt><span class="appendix"><a href="#appe-Security-Enhanced_Linux-Revision_History">A. Revision History</a></span></dt></dl></div><div class="preface" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security-Enhanced_Linux-Preface" class="title">Preface</h1></div></div></div><div class="para">
+		The Fedora 11 SELinux User Guide is for people with minimal or no experience with SELinux. Although system administration experience is not necessary, content in this guide is written for system administration tasks. This guide provides an introduction to fundamental concepts and practical applications of SELinux. After reading this guide you should have an intermediate understanding of SELinux.
+	</div><div class="para">
+		Thank you to everyone who offered encouragement, help, and testing - it is most appreciated. Very special thanks to:
+	</div><div class="itemizedlist"><ul><li><div class="para">
+				Dominick Grift, Stephen Smalley, and Russell Coker for their contributions, help, and patience.
+			</div></li><li><div class="para">
+				Karsten Wade for his help, adding a component for this guide to <a href="https://bugzilla.redhat.com/"> Red Hat Bugzilla</a>, and sorting out web hosting on <a href="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</a>.
+			</div></li><li><div class="para">
+				The <a href="http://fedoraproject.org/wiki/Infrastructure">Fedora Infrastructure Team</a> for providing hosting.
+			</div></li><li><div class="para">
+				Jens-Ulrik Petersen for making sure the Red Hat Brisbane office has up-to-date Fedora mirrors.
+			</div></li></ul></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="id2808018">1. Document Conventions</h2></div></div></div><div class="para">
+		This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.
+	</div><div class="para">
+		In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.
+	</div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="id2830681">1.1. Typographic Conventions</h3></div></div></div><div class="para">
+			Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
+		</div><div class="para">
+			<code class="literal">Mono-spaced Bold</code>
+		</div><div class="para">
+			Used to highlight system input, including shell commands, file names and paths. Also used to highlight key caps and key-combinations. For example:
+		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
+				To see the contents of the file <code class="filename">my_next_bestselling_novel</code> in your current working directory, enter the <code class="command">cat my_next_bestselling_novel</code> command at the shell prompt and press <span class="keycap"><strong>Enter</strong></span> to execute the command.
+			</div></blockquote></div><div class="para">
+			The above includes a file name, a shell command and a key cap, all presented in Mono-spaced Bold and all distinguishable thanks to context.
+		</div><div class="para">
+			Key-combinations can be distinguished from key caps by the hyphen connecting each part of a key-combination. For example:
+		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
+				Press <span class="keycap"><strong>Enter</strong></span> to execute the command.
+			</div><div class="para">
+				Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F1</strong></span> to switch to the first virtual terminal. Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F7</strong></span> to return to your X-Windows session.
+			</div></blockquote></div><div class="para">
+			The first sentence highlights the particular key cap to press. The second highlights two sets of three key caps, each set pressed simultaneously.
+		</div><div class="para">
+			If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">Mono-spaced Bold</code>. For example:
+		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
+				File-related classes include <code class="classname">filesystem</code> for file systems, <code class="classname">file</code> for files, and <code class="classname">dir</code> for directories. Each class has its own associated set of permissions.
+			</div></blockquote></div><div class="para">
+			<span class="application"><strong>Proportional Bold</strong></span>
+		</div><div class="para">
+			This denotes words or phrases encountered on a system, including application names; dialogue box text; labelled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
+		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
+				Choose <span class="guimenu"><strong>System > Preferences > Mouse</strong></span> from the main menu bar to launch <span class="application"><strong>Mouse Preferences</strong></span>. In the <span class="guilabel"><strong>Buttons</strong></span> tab, click the <span class="guilabel"><strong>Left-handed mouse</strong></span> check box and click <span class="guibutton"><strong>Close</strong></span> to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).
+			</div><div class="para">
+				To insert a special character into a <span class="application"><strong>gedit</strong></span> file, choose <span class="guimenu"><strong>Applications > Accessories > Character Map</strong></span> from the main menu bar. Next, choose <span class="guimenu"><strong>Search > Find…</strong></span> from the <span class="application"><strong>Character Map</strong></span> menu bar, type the name of the character in the <span class="guilabel"><strong>Search</strong></span> field and click <span class="guibutton"><strong>Next</strong></span>. The character you sought will be highlighted in the <span class="guilabel"><strong>Character Table</strong></span>. Double-click this highlighted character to place it in the <span class="guilabel"><strong>Text to copy</strong></span> field and then click the <span class="guibutton"><strong>Copy</strong></span> button. Now switch back to your document and choose <span class="guimenu"><strong>Edit > Paste</strong></span> from the 
 <span class="application"><strong>gedit</strong></span> menu bar.
+			</div></blockquote></div><div class="para">
+			The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in Proportional Bold and all distinguishable by context.
+		</div><div class="para">
+			Note the <span class="guimenu"><strong>></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This is to avoid the difficult-to-follow 'Select <span class="guimenuitem"><strong>Mouse</strong></span> from the <span class="guimenu"><strong>Preferences</strong></span> sub-menu in the <span class="guimenu"><strong>System</strong></span> menu of the main menu bar' approach.
+		</div><div class="para">
+			<code class="command"><em class="replaceable"><code>Mono-spaced Bold Italic</code></em></code> or <span class="application"><strong><em class="replaceable"><code>Proportional Bold Italic</code></em></strong></span>
+		</div><div class="para">
+			Whether Mono-spaced Bold or Proportional Bold, the addition of Italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
+		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
+				To connect to a remote machine using ssh, type <code class="command">ssh <em class="replaceable"><code>username</code></em>@<em class="replaceable"><code>domain.name</code></em></code> at a shell prompt. If the remote machine is <code class="filename">example.com</code> and your username on that machine is john, type <code class="command">ssh john at example.com</code>.
+			</div><div class="para">
+				The <code class="command">mount -o remount <em class="replaceable"><code>file-system</code></em></code> command remounts the named file system. For example, to remount the <code class="filename">/home</code> file system, the command is <code class="command">mount -o remount /home</code>.
+			</div><div class="para">
+				To see the version of a currently installed package, use the <code class="command">rpm -q <em class="replaceable"><code>package</code></em></code> command. It will return a result as follows: <code class="command"><em class="replaceable"><code>package-version-release</code></em></code>.
+			</div></blockquote></div><div class="para">
+			Note the words in bold italics above — username, domain.name, file-system, package, version and release. Each word is a placeholder, either for text you enter when issuing a command or for text displayed by the system.
+		</div><div class="para">
+			Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:
+		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
+				When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
+			</div></blockquote></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="id2838986">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
+			Two, commonly multi-line, data types are set off visually from the surrounding text.
+		</div><div class="para">
+			Output sent to a terminal is set in <code class="computeroutput">Mono-spaced Roman</code> and presented thus:
+		</div><pre class="screen">
+books        Desktop   documentation  drafts  mss    photos   stuff  svn
+books_tests  Desktop1  downloads      images  notes  scripts  svgs
+</pre><div class="para">
+			Source-code listings are also set in <code class="computeroutput">Mono-spaced Roman</code> but are presented and highlighted as follows:
+		</div><pre class="programlisting">
+package org.jboss.book.jca.ex1;
+
+import javax.naming.InitialContext;
+
+public class ExClient
+{
+   public static void main(String args[]) 
+       throws Exception
+   {
+      InitialContext iniCtx = new InitialContext();
+      Object         ref    = iniCtx.lookup("EchoBean");
+      EchoHome       home   = (EchoHome) ref;
+      Echo           echo   = home.create();
+
+      System.out.println("Created Echo");
+
+      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
+   }
+   
+}
+</pre></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="id2843840">1.3. Notes and Warnings</h3></div></div></div><div class="para">
+			Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.
+		</div><div class="note"><h2>Note</h2><div class="para">
+				A note is a tip or shortcut or alternative approach to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
+			</div></div><div class="important"><h2>Important</h2><div class="para">
+				Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring Important boxes won't cause data loss but may cause irritation and frustration.
+			</div></div><div class="warning"><h2>Warning</h2><div class="para">
+				A Warning should not be ignored. Ignoring warnings will most likely cause data loss.
+			</div></div></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="id2838542">2. We Need Feedback!</h2></div></div></div><a id="id2817101" class="indexterm"></a><div class="para">
+		If you find a typographical error in this manual, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla: <a href="http://bugzilla.redhat.com/bugzilla/">http://bugzilla.redhat.com/bugzilla/</a>
+		against the product <span class="application"><strong>Fedora Documentation.</strong></span>
+	</div><div class="para">
+		When submitting a bug report, be sure to mention the manual's identifier: <em class="citetitle">selinux-user-guide</em>
+	</div><div class="para">
+		If you have a suggestion for improving the documentation, try to be as specific as possible when describing it. If you have found an error, please include the section number and some of the surrounding text so we can find it easily.
+	</div></div></div><div class="chapter" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Trademark_Information">Chapter 1. Trademark Information</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#chap-Security-Enhanced_Linux-Trademark_Information-Source_Code">1.1. Source Code</a></span></dt></dl></div><div class="para">
+		<span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the U.S. and other countries.
+	</div><div class="para">
+		UNIX is a registered trademark of The Open Group.
+	</div><div class="para">
+		Type Enforcement is a trademark of Secure Computing, LLC, a wholly owned subsidiary of McAfee, Inc., registered in the U.S. and in other countries. Neither McAfee nor Secure Computing, LLC, has consented to the use or reference to this trademark by the author outside of this guide.
+	</div><div class="para">
+		Apache is a trademark of The Apache Software Foundation.
+	</div><div class="para">
+		MySQL is a trademark or registered trademark of MySQL AB in the U.S. and other countries.
+	</div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Trademark_Information-Source_Code">1.1. Source Code</h2></div></div></div><div class="para">
+			The XML source for this guide is available at <a href="http://svn.fedorahosted.org/svn/selinuxguide/">http://svn.fedorahosted.org/svn/selinuxguide/</a>
+		</div></div></div><div class="chapter" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Introduction">Chapter 2. Introduction</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux on Other Operating Systems</a></span></dt></dl></div><div class="para">
+		Files, such as directories and devices, are called objects. Processes, such as a user running a command or the <span class="trademark">Mozilla</span>®<span class="trademark"> Firefox</span>® application, are called subjects. Most operating systems use a Discretionary Access Control (DAC) system that controls how subjects interact with objects, and how subjects interact with each other. On operating systems using DAC, users control the permissions of files (objects) that they own. For example, on <span class="trademark">Linux</span>® operating systems, users can make their home directories world-readable, giving users and processes (subjects) access to potentially sensitive information.
+	</div><div class="para">
+		DAC mechanisms are fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over their files, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's files, so no protection is provided against malicious software. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs can be exploited to obtain complete system access.<sup>[<a id="id2828637" href="#ftn.id2828637" class="footnote">1</a>]</sup>
+	</div><div class="para">
+		The following is an example of permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions in these examples may differ from your system. Use the <code class="command">ls -l</code> command to view file permissions:
+	</div><pre class="screen">$ ls -l file1
+-rwxrw-r-- 1 user1 group1 0 2009-04-30 15:42 file1
+</pre><div class="para">
+		The first three permission bits, <code class="computeroutput">rwx</code>, control the access the Linux <code class="computeroutput">user1</code> user (in this case, the owner) has to <code class="filename">file1</code>. The next three permission bits, <code class="computeroutput">rw-</code>, control the access the Linux <code class="computeroutput">group1</code> group has to <code class="filename">file1</code>. The last three permission bits, <code class="computeroutput">r--</code>, control the access everyone else has to <code class="filename">file1</code>, which includes all users and processes.
+	</div><div class="para">
+		Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as from a
 uthorized users who have unwittingly executed malicious applications.<sup>[<a id="id2805734" href="#ftn.id2805734" class="footnote">2</a>]</sup>
+	</div><div class="para">
+		The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the <code class="command">ls -Z</code> command:
+	</div><pre class="screen">$ ls -Z file1
+-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
+</pre><div class="para">
+		In this example, SELinux provides a user (<code class="computeroutput">unconfined_u</code>), a role (<code class="computeroutput">object_r</code>), a type (<code class="computeroutput">user_home_t</code>), and a level (<code class="computeroutput">s0</code>). This information is used to make access control decisions. With DAC, access is controlled based only on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
+	</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Introduction-Linux_and_SELinux_Users">Linux and SELinux Users</h5>
+			On Linux operating systems that run SELinux, there are Linux users as well as SELinux users. SELinux users are part of SELinux policy. Linux users are mapped to SELinux users. To avoid confusion, this guide uses "Linux user" and "SELinux user" to differentiate between the two.
+		</div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</h2></div></div></div><div class="itemizedlist"><ul><li><div class="para">
+					All processes and files are labeled with a type. A type defines a domain for processes, and a type for files. Processes are separated from each other by running in their own domains, and SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it.
+				</div></li><li><div class="para">
+					Fine-grained access control. Stepping beyond traditional <span class="trademark">UNIX</span>® permissions that are controlled at user discretion and based on Linux user and group IDs, SELinux access decisions are based on all available information, such as an SELinux user, role, type, and, optionally, a level.
+				</div></li><li><div class="para">
+					SELinux policy is administratively-defined, enforced system-wide, and is not set at user discretion.
+				</div></li><li><div class="para">
+					Reduced vulnerability to privilege escalation attacks. One example: since processes run in domains, and are therefore separated from each other, and SELinux policy rules define how processes access files and other processes, if a process is compromised, the attacker only has access to the normal functions of that process, and to files the process has been configured to have access to. For example, if the Apache HTTP Server is compromised, an attacker can not use that process to read files in user home directories, unless a specific SELinux policy rule was added or configured to allow such access.
+				</div></li><li><div class="para">
+					SELinux can be used to enforce data confidentiality and integrity, as well as protecting processes from untrusted inputs.
+				</div></li></ul></div><div class="para">
+			SELinux is not:
+		</div><div class="itemizedlist"><ul><li><div class="para">
+					antivirus software.
+				</div></li><li><div class="para">
+					a replacement for passwords, firewalls, or other security systems.
+				</div></li><li><div class="para">
+					an all-in-one security solution.
+				</div></li></ul></div><div class="para">
+			SELinux is designed to enhance existing security solutions, not replace them. Even when running SELinux, continue to follow good security practices, such as keeping software up-to-date, using hard-to-guess passwords, firewalls, and so on.
+		</div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</h2></div></div></div><div class="para">
+			The following examples demonstrate how SELinux increases security:
+		</div><div class="itemizedlist"><ul><li><div class="para">
+					the default action is deny. If an SELinux policy rule does not exist to allow access, such as for a process opening a file, access is denied.
+				</div></li><li><div class="para">
+					SELinux can confine Linux users. A number of confined SELinux users exist. Linux users can be mapped to SELinux users to take advantage of confined SELinux users. For example, mapping a Linux user to the SELinux user_u user, results in a Linux user that is not able to run (unless configured otherwise) set user ID (setuid) applications, such as <code class="command">sudo</code> and <code class="command">su</code>, as well as preventing them from executing files and applications in their home directory- if configured, this prevents users from executing malicious files from their home directories.
+				</div></li><li><div class="para">
+					process separation. Processes run in their own domains, preventing processes from accessing files used by other processes, as well as processes accessing other processes. For example, when running SELinux, unless otherwise configured, an attacker can not compromise a Samba server, and then use that Samba server to read and write to files used by other processes, such as databases used by <span class="trademark">MySQL</span>®.
+				</div></li><li><div class="para">
+					help limit the damage done by configuration mistakes. <a href="http://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System (DNS)</a> servers can replicate information between each other. This is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the <a href="https://www.isc.org/software/bind">Berkeley Internet Name Domain (BIND)</a> DNS server in Fedora 11, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files <sup>[<a id="id2846421" href="#ftn.id2846421" class="footnote">3</a>]</sup> from being updated by zone transfers, the BIND <code class="systemitem">named</code> daemon, and other processes.
+				</div></li><li><div class="para">
+					refer to the <a href="http://www.redhatmagazine.com/"><span class="trademark">Red Hat</span>® Magazine</a> article, <a href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/">Risk report: Three years of Red Hat Enterprise Linux 4</a><sup>[<a id="id2877295" href="#ftn.id2877295" class="footnote">4</a>]</sup>, for exploits that were restricted due to the default SELinux targeted policy in <span class="trademark">Red Hat</span>® Enterprise <span class="trademark">Linux</span>® 4.
+				</div></li><li><div class="para">
+					refer to the <a href="http://www.linuxworld.com">LinuxWorld.com</a> article, <a href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1">A seatbelt for server software: SELinux blocks real-world exploits</a><sup>[<a id="id2893285" href="#ftn.id2893285" class="footnote">5</a>]</sup>, for background information about SELinux, and information about various exploits that SELinux has prevented.
+				</div></li><li><div class="para">
+					refer to James Morris's <a href="http://james-morris.livejournal.com/25421.html">SELinux mitigates remote root vulnerability in OpenPegasus</a> blog post, for information about an exploit in <a href="http://www.openpegasus.org/">OpenPegasus</a> that was mitigated by SELinux as shipped with Red Hat Enterprise Linux 4 and 5.
[...1606 lines suppressed...]
+
+Summary:
+
+SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1
+(samba_share_t).
+
+Detailed Description:
+
+SELinux denied access to /var/www/html/file1 requested by httpd.
+/var/www/html/file1 has a context used for sharing by different program. If you
+would like to share /var/www/html/file1 from httpd also, you need to change its
+file context to public_content_t. If you did not intend to this access, this
+could signal a intrusion attempt.
+
+Allowing Access:
+
+You can alter the file context by executing chcon -t public_content_t
+'/var/www/html/file1'
+
+Fix Command:
+
+chcon -t public_content_t '/var/www/html/file1'
+
+Additional Information:
+
+Source Context                unconfined_u:system_r:httpd_t:s0
+Target Context                unconfined_u:object_r:samba_share_t:s0
+Target Objects                /var/www/html/file1 [ file ]
+Source                        httpd
+Source Path                   /usr/sbin/httpd
+Port                          <Unknown>
+Host                          <em class="replaceable"><code>hostname</code></em>
+Source RPM Packages           httpd-2.2.10-2
+Target RPM Packages
+Policy RPM                    selinux-policy-3.5.13-11.fc11
+Selinux Enabled               True
+Policy Type                   targeted
+MLS Enabled                   True
+Enforcing Mode                Enforcing
+Plugin Name                   public_content
+Host Name                     <em class="replaceable"><code>hostname</code></em>
+Platform                      <em class="replaceable"><code>Linux hostname 2.6.27.4-68.fc11.i686 #1 SMP Thu Oct</code></em>
+30 00:49:42 EDT 2008 i686 i686
+Alert Count                   4
+First Seen                    Wed Nov  5 18:53:05 2008
+Last Seen                     Wed Nov  5 01:22:58 2008
+Local ID                      84e0b04d-d0ad-4347-8317-22e74f6cd020
+Line Numbers
+
+Raw Audit Messages
+
+node=<em class="replaceable"><code>hostname</code></em> type=AVC msg=audit(1225812178.788:101): avc:  denied  { getattr } for  pid=2441 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
+
+node=<em class="replaceable"><code>hostname</code></em> type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
+</pre><div class="variablelist"><dl><dt><span class="term">Summary</span></dt><dd><div class="para">
+							A brief summary of the denied action. This is the same as the denial in <code class="filename">/var/log/messages</code>. In this example, the <code class="systemitem">httpd</code> process was denied access to a file (<code class="filename">file1</code>), which is labeled with the <code class="computeroutput">samba_share_t</code> type.
+						</div></dd><dt><span class="term">Detailed Description</span></dt><dd><div class="para">
+							A more verbose description. In this example, <code class="filename">file1</code> is labeled with the <code class="computeroutput">samba_share_t</code> type. This type is used for files and directories that you want to export via Samba. The description suggests changing the type to a type that can be accessed by the Apache HTTP Server and Samba, if such access is desired.
+						</div></dd><dt><span class="term">Allowing Access</span></dt><dd><div class="para">
+							A suggestion for how to allow access. This may be relabeling files, turning a Boolean on, or making a local policy module. In this case, the suggestion is to label the file with a type accessible to both the Apache HTTP Server and Samba.
+						</div></dd><dt><span class="term">Fix Command</span></dt><dd><div class="para">
+							A suggested command to allow access and resolve the denial. In this example, it gives the command to change the <code class="filename">file1</code> type to <code class="computeroutput">public_content_t</code>, which is accessible to the Apache HTTP Server and Samba.
+						</div></dd><dt><span class="term">Additional Information</span></dt><dd><div class="para">
+							Information that is useful in bug reports, such as the policy package name and version (<code class="computeroutput">selinux-policy-3.5.13-11.fc11</code>), but may not help towards solving why the denial occurred.
+						</div></dd><dt><span class="term">Raw Audit Messages</span></dt><dd><div class="para">
+							The raw audit messages from <code class="filename">/var/log/audit/audit.log</code> that are associated with the denial. Refer to <a class="xref" href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages" title="7.3.6. Raw Audit Messages">Section 7.3.6, “Raw Audit Messages”</a> for information about each item in the AVC denial.
+						</div></dd></dl></div></div><div class="section" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access: audit2allow</h3></div></div></div><div class="para">
+				Do not use the example in this section in production. It is used only to demonstrate the use of <code class="command">audit2allow</code>.
+			</div><div class="para">
+				From the <span class="citerefentry"><span class="refentrytitle">audit2allow</span>(1)</span> manual page: "<code class="command">audit2allow</code> - generate SELinux policy allow rules from logs of denied operations"<sup>[<a id="id2878624" href="#ftn.id2878624" class="footnote">19</a>]</sup>. After analyzing denials as per <a class="xref" href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages" title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>, and if no label changes or Booleans allowed access, use <code class="command">audit2allow</code> to create a local policy module. After access is denied by SELinux, running the <code class="command">audit2allow</code> command presents Type Enforcement rules that allow the previously denied access.
+			</div><div class="para">
+				The following example demonstrates using <code class="command">audit2allow</code> to create a policy module:
+			</div><div class="orderedlist"><ol><li><div class="para">
+						A denial and the associated system call are logged to <code class="filename">/var/log/audit/audit.log</code>:
+					</div><pre class="screen">
+type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
+
+type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)
+</pre><div class="para">
+						In this example, <span class="application"><strong>certwatch</strong></span> (<code class="computeroutput">comm="certwatch"</code>) was denied write access (<code class="computeroutput">{ write }</code>) to a directory labeled with the <code class="computeroutput">var_t</code> type (<code class="computeroutput">tcontext=system_u:object_r:var_t:s0</code>). Analyze the denial as per <a class="xref" href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages" title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>. If no label changes or Booleans allowed access, use <code class="command">audit2allow</code> to create a local policy module.
+					</div></li><li><div class="para">
+						With a denial logged, such as the <code class="computeroutput">certwatch</code> denial in step 1, run the <code class="command">audit2allow -w -a</code> command to produce a human-readable description of why access was denied. The <code class="option">-a</code> option causes all audit logs to be read. The <code class="option">-w</code> option produces the human-readable description. The <code class="command">audit2allow</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user:
+					</div><pre class="screen">
+# audit2allow -w -a
+type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
+	Was caused by:
+		Missing type enforcement (TE) allow rule.
+
+	You can use audit2allow to generate a loadable module to allow this access.
+</pre><div class="para">
+						As shown, access was denied due to a missing Type Enforcement rule.
+					</div></li><li><div class="para">
+						Run the <code class="command">audit2allow -a</code> command to view the Type Enforcement rule that allows the denied access:
+					</div><pre class="screen">
+# audit2allow -a
+
+
+#============= certwatch_t ==============
+allow certwatch_t var_t:dir write;
+</pre><div class="important"><h2>Important</h2><div class="para">
+							Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and should be reported in <a href="https://bugzilla.redhat.com/">Red Hat Bugzilla</a>. For Fedora, create bugs against the <code class="computeroutput">Fedora</code> product, and select the <code class="computeroutput">selinux-policy</code> component. Include the output of the <code class="command">audit2allow -w -a</code> and <code class="command">audit2allow -a</code> commands in such bug reports.
+						</div></div></li><li><div class="para">
+						To use the rule displayed by <code class="command">audit2allow -a</code>, run the <code class="command">audit2allow -a -M <em class="replaceable"><code>mycertwatch</code></em></code> command as the Linux root user to create custom module. The <code class="option">-M</code> option creates a Type Enforcement file (<code class="filename">.te</code>) with the name specified with <code class="option">-M</code>, in your current working directory:
+					</div><pre class="screen">
+# audit2allow -a -M mycertwatch
+
+******************** IMPORTANT ***********************
+To make this policy package active, execute:
+
+semodule -i mycertwatch.pp
+
+# ls
+mycertwatch.pp  mycertwatch.te
+</pre><div class="para">
+						Also, <code class="command">audit2allow</code> compiles the Type Enforcement rule into a policy package (<code class="filename">.pp</code>). To install the module, run the <code class="command">/usr/sbin/semodule -i <em class="replaceable"><code>mycertwatch.pp</code></em></code> command as the Linux root user.
+					</div><div class="important"><h2>Important</h2><div class="para">
+							Modules created with <code class="command">audit2allow</code> may allow more access than required. It is recommended that policy created with <code class="command">audit2allow</code> be posted to an SELinux list, such as <a href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">fedora-selinux-list</a>, for review. If you believe their is a bug in policy, create a bug in <a href="https://bugzilla.redhat.com/">Red Hat Bugzilla</a>.
+						</div></div></li></ol></div><div class="para">
+				If you have multiple denials from multiple processes, but only want to create a custom policy for a single process, use the <code class="command">grep</code> command to narrow down the input for <code class="command">audit2allow</code>. The following example demonstrates using <code class="command">grep</code> to only send denials related to <code class="command">certwatch</code> through <code class="command">audit2allow</code>:
+			</div><pre class="screen">
+# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2
+******************** IMPORTANT ***********************
+To make this policy package active, execute:
+
+# /usr/sbin/semodule -i mycertwatch2.pp
+</pre><div class="para">
+				Refer to Dan Walsh's <a href="http://danwalsh.livejournal.com/24750.html">"Using audit2allow to build policy modules. Revisited."</a> blog entry for further information about using <code class="command">audit2allow</code> to build policy modules.
+			</div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id2821782" href="#id2821782" class="para">14</a>] </sup>
+					Files in <code class="filename">/etc/selinux/targeted/contexts/files/</code> define contexts for files and directories. Files in this directory are read by <code class="command">restorecon</code> and <code class="command">setfiles</code> to restore files and directories to their default contexts.
+				</p></div><div class="footnote"><p><sup>[<a id="ftn.id2834174" href="#id2834174" class="para">15</a>] </sup>
+					The <code class="command">semanage port -a</code> command adds an entry to the <code class="filename">/etc/selinux/targeted/modules/active/ports.local</code> file. Note: by default, this file can only be viewed by the Linux root user.
+				</p></div><div class="footnote"><p><sup>[<a id="ftn.id2904231" href="#id2904231" class="para">16</a>] </sup>
+						From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 11.
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.id2882658" href="#id2882658" class="para">17</a>] </sup>
+					From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 11.
+				</p></div><div class="footnote"><p><sup>[<a id="ftn.id2877562" href="#id2877562" class="para">18</a>] </sup>
+						From the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 11.
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.id2878624" href="#id2878624" class="para">19</a>] </sup>
+					From the <span class="citerefentry"><span class="refentrytitle">audit2allow</span>(1)</span> manual page, as shipped with the <span class="package">policycoreutils</span> package in Fedora 11.
+				</p></div></div></div><div class="chapter" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Further_Information">Chapter 8. Further Information</h2></div></div></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-The_National_Security_Agency_NSA">The National Security Agency (NSA)</h5>
+			From the NSA <a href="http://www.nsa.gov/research/selinux/contrib.shtml">Contributors to SELinux</a> page:
+		</div><div class="para">
+		<span class="emphasis"><em>Researchers in NSA's National Information Assurance Research Laboratory (NIARL) designed and implemented flexible mandatory access controls in the major subsystems of the Linux kernel and implemented the new operating system components provided by the Flask architecture, namely the security server and the access vector cache. The NSA researchers reworked the LSM-based SELinux for inclusion in Linux 2.6. NSA has also led the development of similar controls for the X Window System (XACE/XSELinux) and for Xen (XSM/Flask).</em></span>
+	</div><div class="itemizedlist"><ul><li><div class="para">
+				Main SELinux website: <a href="http://www.nsa.gov/research/selinux/index.shtml">http://www.nsa.gov/research/selinux/index.shtml</a>.
+			</div></li><li><div class="para">
+				SELinux documentation: <a href="http://www.nsa.gov/research/selinux/docs.shtml">http://www.nsa.gov/research/selinux/docs.shtml</a>.
+			</div></li><li><div class="para">
+				SELinux background: <a href="http://www.nsa.gov/research/selinux/background.shtml">http://www.nsa.gov/research/selinux/background.shtml</a>.
+			</div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-Tresys_Technology">Tresys Technology</h5>
+			<a href="http://www.tresys.com/">Tresys Technology</a> are the upstream for:
+		</div><div class="itemizedlist"><ul><li><div class="para">
+				<a href="http://userspace.selinuxproject.org/trac/">SELinux userland libraries and tools</a>.
+			</div></li><li><div class="para">
+				<a href="http://oss.tresys.com/projects/refpolicy">SELinux Reference Policy</a>.
+			</div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-SELinux_News">SELinux News</h5>
+			<div class="itemizedlist"><ul><li><div class="para">
+						News: <a href="http://selinuxnews.org/wp/">http://selinuxnews.org/wp/</a>.
+					</div></li><li><div class="para">
+						Planet SELinux (blogs): <a href="http://selinuxnews.org/planet/">http://selinuxnews.org/planet/</a>.
+					</div></li></ul></div>
+		</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-SELinux_Project_Wiki">SELinux Project Wiki</h5>
+			<div class="itemizedlist"><ul><li><div class="para">
+						Main page: <a href="http://selinuxproject.org/page/Main_Page">http://selinuxproject.org/page/Main_Page</a>.
+					</div></li><li><div class="para">
+						User resources, including links to documentation, mailing lists, websites, and tools: <a href="http://selinuxproject.org/page/User_Resources">http://selinuxproject.org/page/User_Resources</a>.
+					</div></li></ul></div>
+		</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-Red_Hat_Enterprise_Linux">Red Hat Enterprise Linux</h5>
+			<div class="itemizedlist"><ul><li><div class="para">
+						The <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/index.html">Red Hat Enterprise Linux Deployment Guide</a> contains an SELinux <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-chapter-0054.html">References</a> section, that has links to SELinux tutorials, general information, and the technology behind SELinux.
+					</div></li><li><div class="para">
+						The <a href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/index.html">Red Hat Enterprise Linux 4 SELinux Guide</a>.
+					</div></li></ul></div>
+		</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-Fedora">Fedora</h5>
+			<div class="itemizedlist"><ul><li><div class="para">
+						Main page: <a href="http://fedoraproject.org/wiki/SELinux">http://fedoraproject.org/wiki/SELinux</a>.
+					</div></li><li><div class="para">
+						Troubleshooting: <a href="http://fedoraproject.org/wiki/SELinux/Troubleshooting">http://fedoraproject.org/wiki/SELinux/Troubleshooting</a>.
+					</div></li><li><div class="para">
+						Fedora Core 5 SELinux FAQ: <a href="http://docs.fedoraproject.org/selinux-faq-fc5/">http://docs.fedoraproject.org/selinux-faq-fc5/</a>.
+					</div></li></ul></div>
+		</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-The_UnOfficial_SELinux_FAQ">The UnOfficial SELinux FAQ</h5>
+			<a href="http://www.crypt.gen.nz/selinux/faq.html">http://www.crypt.gen.nz/selinux/faq.html</a>
+		</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Further_Information-IRC">IRC</h5>
+			On <a href="http://freenode.net/">Freenode</a>:
+		</div><div class="itemizedlist"><ul><li><div class="para">
+				#selinux
+			</div></li><li><div class="para">
+				#fedora-selinux
+			</div></li></ul></div></div><div class="appendix" lang="en-US" xml:lang="en-US"><div class="titlepage"><div><div><h1 id="appe-Security-Enhanced_Linux-Revision_History" class="title">Revision History</h1></div></div></div><div class="para">
+		<div class="revhistory"><table border="0" width="100%" summary="Revision history"><tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr><tr><td align="left">Revision 1.3</td><td align="left">Tue May 12 2009</td><td align="left"><span class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></span></td></tr><tr><td align="left" colspan="3">
+					<table class="simplelist" border="0" summary="Simple list"><tr><td>Revision for Fedora 11</td></tr></table>
+				</td></tr><tr><td align="left">Revision 1.2</td><td align="left">Mon Jan 19 2009</td><td align="left"><span class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></span></td></tr><tr><td align="left" colspan="3">
+					<table class="simplelist" border="0" summary="Simple list"><tr><td>Updating hyperlinks to NSA websites</td></tr></table>
+				</td></tr><tr><td align="left">Revision 1.1</td><td align="left">Sat Dec 6 2008</td><td align="left"><span class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></span></td></tr><tr><td align="left" colspan="3">
+					<table class="simplelist" border="0" summary="Simple list"><tr><td>Resolving <a href="https://bugzilla.redhat.com/show_bug.cgi?id=472986">Red Hat Bugzilla #472986, "httpd does not write to /etc/httpd/logs/"</a></td></tr><tr><td>Added new section, "6.6. Booleans for Users Executing Applications"</td></tr><tr><td>Minor text revisions</td></tr></table>
+				</td></tr><tr><td align="left">Revision 1.0</td><td align="left">Tue Nov 25 2008</td><td align="left"><span class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></span></td></tr><tr><td align="left" colspan="3">
+					<table class="simplelist" border="0" summary="Simple list"><tr><td>Initial content release on <a href="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</a></td></tr></table>
+				</td></tr></table></div>
+	</div></div></div></body></html>
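Review bot: the Revision 1.3 row in the revision history only says "Revision for Fedora 11", while the 1.1 and 1.2 rows list what actually changed (a resolved Bugzilla, a new section, updated NSA links); since this commit is itself a content change, the 1.3 entry should name what was revised for F11 so readers can tell this edition from 1.2. A smaller point in the same region: the "Further Information" list still sends Fedora 11 readers to the Fedora Core 5 SELinux FAQ, the Red Hat Enterprise Linux 4 SELinux Guide and the RHEL 5.2 Deployment Guide; if current equivalents exist on docs.fedoraproject.org or redhat.com/docs, those links should be updated, or the entries should say they are kept for historical reference.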




More information about the Fedora-docs-commits mailing list