web/html/docs/selinux-user-guide/f12/html-single index.html, 1.1, 1.2

sradvan sradvan at fedoraproject.org
Wed Nov 18 03:40:26 UTC 2009


Author: sradvan

Update of /cvs/fedora/web/html/docs/selinux-user-guide/f12/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9636

Modified Files:
	index.html 
Log Message:
new version



Index: index.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-user-guide/f12/html-single/index.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.html	2 Sep 2009 23:54:50 -0000	1.1
+++ index.html	18 Nov 2009 03:40:26 -0000	1.2
@@ -1,20 +1,25 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html
-  PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Security-Enhanced Linux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content=""/><meta name="description" content="The SELinux User Guide assists users and administrators in managing and using Security-Enhanced Linux."/></head><body class=""><div xml:lang="en-US" class="book" title="Security-Enhanced Linux"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">12</span></div><div><h1 id="d0e1" class="title">Security-Enhanced Linux</h1></div><div><h2 class="subtitle">User Guide</h2></div><p class="edition">Edition 1.4</p><div><h3 class="corpauthor">
-				<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
-			</h3></div><div><div xml:lang="en-US" class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a class="email" href="mailto:mmcallis at redhat.com">mmcallis at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Daniel</span> <span class="surname">Walsh</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a class="email" href="mailto:dwalsh at redhat.com">dwalsh at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Dominick</span> <span class="surname">Grift</span></h3><span class="contrib">Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confi
 ning Users, and Troubleshooting chapters.</span> <div class="affiliation"><span class="orgname"/> <span class="orgdiv"/></div><code class="email"><a class="email" href="mailto:domg472 at gmail.com">domg472 at gmail.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Paris</span></h3><span class="contrib">Technical editor for the Mounting File Systems and Raw Audit Messages sections.</span> <div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a class="email" href="mailto:eparis at parisplace.org">eparis at parisplace.org</a></code></div><div class="author"><h3 class="author"><span class="firstname">James</span> <span class="surname">Morris</span></h3><span class="contrib">Technical editor for the Introduction and Targeted Policy chapters.</span> <div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security En
 gineering</span></div><code class="email"><a class="email" href="mailto:jmorris at redhat.com">jmorris at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div></div></div><div><p class="copyright">Copyright © 2009 Red Hat, Inc.</p></div><hr/><div><div id="d0e35" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
-		Copyright <span class="trademark"/>© 2009 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at <a href="http://www.opencontent.org/openpub/">http://www.opencontent.org/openpub/</a>).
-	</div><div class="para">
-		Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.
-	</div><div class="para">
-		Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.
-	</div><div class="para">
-		All other trademarks and copyrights referred to are the property of their respective owners.
-	</div><div class="para">
-		Documentation, as with software itself, may be subject to export control. Read about Fedora Project export controls at <a href="http://fedoraproject.org/wiki/Legal/Export">http://fedoraproject.org/wiki/Legal/Export</a>. 
-	</div></div></div><div><div class="abstract" title="Abstract"><h6>Abstract</h6><div class="para">The SELinux User Guide assists users and administrators in managing
-and using Security-Enhanced <span class="trademark">Linux</span>®.</div></div></div></div><hr/></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security-Enhanced_Linux-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e158">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e168">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#d0e384">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#d0e403">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#d0e423">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Trademark_Information">1. Trademark Information</a></span></dt><dd><dl><dt><span class="section"><a href="#chap-Security-Enhanced_Linux-Trademark_Information-Source_Code">1.1. Source Code</a></span></dt></dl></dd><dt><span class="chapter"><a href=
 "#chap-Security-Enhanced_Linux-Introduction">2. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux on Other Operating Systems</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-SELinux_Contexts">3. SELinux Contexts</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="#sect-Secur
 ity-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Targeted_Policy">4. Targeted Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Working_with_SELinux">5. Working with SELinux</a></span></
 dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href=
 "#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">5.6.3. Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Change
 s: chcon</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. M
 ounting an NFS File System</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_La
 bels_-Checking_the_Default_SELinux_Context">5.10.3. Checking the Default SELinux Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Confining_Users">6. Confining Users</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Con
 fining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Troubleshooting">7. Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubl
 eshooting-Top_Three_Causes_of_Problems">7.2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-F
 ixing_Problems-Possible_Causes_of_Silent_Denials">7.3.2. Possible Causes of Silent Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive Domains</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access:
  audit2allow</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Further_Information">8. Further Information</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Further_Information-Contributors">8.1. Contributors</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Further_Information-Other_Resources">8.2. Other Resources</a></span></dt></dl></dd><dt><span class="appendix"><a href="#appe-Security-Enhanced_Linux-Revision_History">A. Revision History</a></span></dt></dl></div><div xml:lang="en-US" class="preface" title="Preface"><div class="titlepage"><div><div><h1 id="pref-Security-Enhanced_Linux-Preface" class="title">Preface</h1></div></div></div><div class="para">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Security-Enhanced Linux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-Security-Enhanced_Linux-12-en-US-1.4-1" /><meta name="description" content="The SELinux User Guide assists users and administrators in managing and using Security-Enhanced Linux." /></head><body class=""><div xml:lang="en-US" class="book" title="Security-Enhanced Linux" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">12</span></div><div><h1 id="id2690778" class="title">Security-Enhanced Linux</h1></div><div><h2 class="subtitle">User Guide</h2></div><p class="edition">Edition 1.4</p><div><h3 class="corpauthor">
+		<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
+	</h3></div><div><div xml:lang="en-US" class="authorgroup" lang="en-US"><div class="author"><h3 class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a class="email" href="mailto:mmcallis at redhat.com">mmcallis at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Daniel</span> <span class="surname">Walsh</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering<
 /span></div><code class="email"><a class="email" href="mailto:dwalsh at redhat.com">dwalsh at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Dominick</span> <span class="surname">Grift</span></h3><span class="contrib">Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confining Users, and Troubleshooting chapters.</span> <div class="affiliation"><span class="orgname"></span> <span class="orgdiv"></span></div><code class="email"><a class="email" href="mailto:domg472 at gmail.com">domg472 at gmail.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Paris</span></h3><span class="contrib">Technical editor for the Mounting File Systems and Raw Audit Messages sections.</span> <div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a class="email" href="mailto:e
 paris at parisplace.org">eparis at parisplace.org</a></code></div><div class="author"><h3 class="author"><span class="firstname">James</span> <span class="surname">Morris</span></h3><span class="contrib">Technical editor for the Introduction and Targeted Policy chapters.</span> <div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a class="email" href="mailto:jmorris at redhat.com">jmorris at redhat.com</a></code></div></div></div><div><p class="copyright">Copyright © 2009 Red Hat, Inc.</p></div><hr /><div><div id="id2855521" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
+		Copyright <span class="trademark"></span>© 2009 Red Hat, Inc.
+	</div><div class="para">
+		The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at <a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
+	</div><div class="para">
+		Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
+	</div><div class="para">
+		Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
+	</div><div class="para">
+		For guidelines on the permitted uses of the Fedora trademarks, refer to <a href="https://fedoraproject.org/wiki/Legal:Trademark_guidelines">https://fedoraproject.org/wiki/Legal:Trademark_guidelines</a>.
+	</div><div class="para">
+		<span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the United States and other countries.
+	</div><div class="para">
+		All other trademarks are the property of their respective owners.
+	</div></div></div><div><div class="abstract" title="Abstract"><h6>Abstract</h6><div class="para">
+The SELinux User Guide assists users and administrators in managing
+and using Security-Enhanced <span class="trademark">Linux</span>®.
+</div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security-Enhanced_Linux-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#id2765392">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#id2864527">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#id2861510">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#id2876283">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#id2916503">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Trademark_Information">1. Trademark Information</a></span></dt><dd><dl><dt><span class="section"><a href="#chap-Security-Enhanced_Linux-Trademark_Information-Source_Code">1.1. Source Code</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Introduction">2. Int
 roduction</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux on Other Operating Systems</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-SELinux_Contexts">3. SELinux Contexts</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Context
 s_for_Processes">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Targeted_Policy">4. Targeted Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Working_with_SELinux">5. Working with SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sect
 -Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux
 -SELinux_Modes">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">5.6.3. Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="section"><
 a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting an NFS File System</a></span></dt><dt><span
  class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3.
  Checking the Default SELinux Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Confining_Users">6. Confining Users</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanag
 e_login">6.3. Confining Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Troubleshooting">7. Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top Th
 ree Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials">7
 .3.2. Possible Causes of Silent Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive Domains</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access: audit2allow</a></span></dt></dl></dd></dl></dd><dt
 ><span class="chapter"><a href="#chap-Security-Enhanced_Linux-Further_Information">8. Further Information</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Further_Information-Contributors">8.1. Contributors</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Further_Information-Other_Resources">8.2. Other Resources</a></span></dt></dl></dd><dt><span class="appendix"><a href="#appe-Security-Enhanced_Linux-Revision_History">A. Revision History</a></span></dt></dl></div><div xml:lang="en-US" class="preface" title="Preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security-Enhanced_Linux-Preface" class="title">Preface</h1></div></div></div><div class="para">
 		The Fedora 12 SELinux User Guide is for people with minimal or no experience with SELinux. Although system administration experience is not necessary, content in this guide is written for system administration tasks. This guide provides an introduction to fundamental concepts and practical applications of SELinux. After reading this guide you should have an intermediate understanding of SELinux.
 	</div><div class="para">
 		Thank you to everyone who offered encouragement, help, and testing - it is most appreciated. Very special thanks to:
@@ -26,48 +31,48 @@
 				The <a href="http://fedoraproject.org/wiki/Infrastructure">Fedora Infrastructure Team</a> for providing hosting.
 			</div></li><li class="listitem"><div class="para">
 				Jens-Ulrik Petersen for making sure the Red Hat Brisbane office has up-to-date Fedora mirrors.
-			</div></li></ul></div><div xml:lang="en-US" class="section" title="1. Document Conventions"><div class="titlepage"><div><div><h2 class="title" id="d0e158">1. Document Conventions</h2></div></div></div><div class="para">
+			</div></li></ul></div><div xml:lang="en-US" class="section" title="1. Document Conventions" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="id2765392">1. Document Conventions</h2></div></div></div><div class="para">
 		This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.
 	</div><div class="para">
 		In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.
-	</div><div class="section" title="1.1. Typographic Conventions"><div class="titlepage"><div><div><h3 class="title" id="d0e168">1.1. Typographic Conventions</h3></div></div></div><div class="para">
+	</div><div class="section" title="1.1. Typographic Conventions"><div class="titlepage"><div><div><h3 class="title" id="id2864527">1.1. Typographic Conventions</h3></div></div></div><div class="para">
 			Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
 		</div><div class="para">
 			<code class="literal">Mono-spaced Bold</code>
 		</div><div class="para">
-			Used to highlight system input, including shell commands, file names and paths. Also used to highlight key caps and key-combinations. For example:
+			Used to highlight system input, including shell commands, file names and paths. Also used to highlight keycaps and key combinations. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				To see the contents of the file <code class="filename">my_next_bestselling_novel</code> in your current working directory, enter the <code class="command">cat my_next_bestselling_novel</code> command at the shell prompt and press <span class="keycap"><strong>Enter</strong></span> to execute the command.
 			</div></blockquote></div><div class="para">
-			The above includes a file name, a shell command and a key cap, all presented in Mono-spaced Bold and all distinguishable thanks to context.
+			The above includes a file name, a shell command and a keycap, all presented in mono-spaced bold and all distinguishable thanks to context.
 		</div><div class="para">
-			Key-combinations can be distinguished from key caps by the hyphen connecting each part of a key-combination. For example:
+			Key combinations can be distinguished from keycaps by the hyphen connecting each part of a key combination. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				Press <span class="keycap"><strong>Enter</strong></span> to execute the command.
 			</div><div class="para">
 				Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F1</strong></span> to switch to the first virtual terminal. Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F7</strong></span> to return to your X-Windows session.
 			</div></blockquote></div><div class="para">
-			The first sentence highlights the particular key cap to press. The second highlights two sets of three key caps, each set pressed simultaneously.
+			The first paragraph highlights the particular keycap to press. The second highlights two key combinations (each a set of three keycaps with each set pressed simultaneously).
 		</div><div class="para">
-			If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">Mono-spaced Bold</code>. For example:
+			If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">mono-spaced bold</code>. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				File-related classes include <code class="classname">filesystem</code> for file systems, <code class="classname">file</code> for files, and <code class="classname">dir</code> for directories. Each class has its own associated set of permissions.
 			</div></blockquote></div><div class="para">
 			<span class="application"><strong>Proportional Bold</strong></span>
 		</div><div class="para">
-			This denotes words or phrases encountered on a system, including application names; dialogue box text; labelled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
+			This denotes words or phrases encountered on a system, including application names; dialog box text; labeled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				Choose <span class="guimenu"><strong>System > Preferences > Mouse</strong></span> from the main menu bar to launch <span class="application"><strong>Mouse Preferences</strong></span>. In the <span class="guilabel"><strong>Buttons</strong></span> tab, click the <span class="guilabel"><strong>Left-handed mouse</strong></span> check box and click <span class="guibutton"><strong>Close</strong></span> to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).
 			</div><div class="para">
 				To insert a special character into a <span class="application"><strong>gedit</strong></span> file, choose <span class="guimenu"><strong>Applications > Accessories > Character Map</strong></span> from the main menu bar. Next, choose <span class="guimenu"><strong>Search > Find…</strong></span> from the <span class="application"><strong>Character Map</strong></span> menu bar, type the name of the character in the <span class="guilabel"><strong>Search</strong></span> field and click <span class="guibutton"><strong>Next</strong></span>. The character you sought will be highlighted in the <span class="guilabel"><strong>Character Table</strong></span>. Double-click this highlighted character to place it in the <span class="guilabel"><strong>Text to copy</strong></span> field and then click the <span class="guibutton"><strong>Copy</strong></span> button. Now switch back to your document and choose <span class="guimenu"><strong>Edit > Paste</strong></span> from the 
 <span class="application"><strong>gedit</strong></span> menu bar.
 			</div></blockquote></div><div class="para">
-			The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in Proportional Bold and all distinguishable by context.
+			The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in proportional bold and all distinguishable by context.
 		</div><div class="para">
-			Note the <span class="guimenu"><strong>></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This is to avoid the difficult-to-follow 'Select <span class="guimenuitem"><strong>Mouse</strong></span> from the <span class="guimenu"><strong>Preferences</strong></span> sub-menu in the <span class="guimenu"><strong>System</strong></span> menu of the main menu bar' approach.
+			Note the <span class="guimenu"><strong>></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This avoids difficult-to-follow phrasing such as 'Select <span class="guimenuitem"><strong>Mouse</strong></span> from the <span class="guimenu"><strong>Preferences</strong></span> sub-menu in the <span class="guimenu"><strong>System</strong></span> menu of the main menu bar'.
 		</div><div class="para">
 			<code class="command"><em class="replaceable"><code>Mono-spaced Bold Italic</code></em></code> or <span class="application"><strong><em class="replaceable"><code>Proportional Bold Italic</code></em></strong></span>
 		</div><div class="para">
-			Whether Mono-spaced Bold or Proportional Bold, the addition of Italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
+			Whether mono-spaced bold or proportional bold, the addition of italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				To connect to a remote machine using ssh, type <code class="command">ssh <em class="replaceable"><code>username</code></em>@<em class="replaceable"><code>domain.name</code></em></code> at a shell prompt. If the remote machine is <code class="filename">example.com</code> and your username on that machine is john, type <code class="command">ssh john at example.com</code>.
 			</div><div class="para">
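Review bot: the section anchors in this hunk move from one generated id to another ("d0e158" becomes "id2765392" on the Document Conventions heading, "d0e168" becomes "id2864527" on Typographic Conventions), so any bookmark or external link into these sections breaks with this publish and will break again on the next rebuild, since both values are assigned by the generator rather than by the source. Give these sections explicit ids in the XML source, as the chapter headings later in this diff already have (for example "chap-Security-Enhanced_Linux-Trademark_Information"), so the anchors survive regeneration. The remaining changes here are sound: adding lang="en-US" beside xml:lang="en-US" lets both HTML and XML parsers pick up the language, "The first sentence" to "The first paragraph" now matches the two-paragraph blockquote it describes, and keycap/key combination spelling is consistent with the US-English "dialog"/"labeled" fixes further down.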
@@ -80,52 +85,48 @@
 			Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
-			</div></blockquote></div></div><div class="section" title="1.2. Pull-quote Conventions"><div class="titlepage"><div><div><h3 class="title" id="d0e384">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
-			Two, commonly multi-line, data types are set off visually from the surrounding text.
+			</div></blockquote></div></div><div class="section" title="1.2. Pull-quote Conventions"><div class="titlepage"><div><div><h3 class="title" id="id2861510">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
+			Terminal output and source code listings are set off visually from the surrounding text.
 		</div><div class="para">
-			Output sent to a terminal is set in <code class="computeroutput">Mono-spaced Roman</code> and presented thus:
-		</div><pre class="screen">
-books        Desktop   documentation  drafts  mss    photos   stuff  svn
+			Output sent to a terminal is set in <code class="computeroutput">mono-spaced roman</code> and presented thus:
+		</div><pre class="screen">books        Desktop   documentation  drafts  mss    photos   stuff  svn
 books_tests  Desktop1  downloads      images  notes  scripts  svgs
 </pre><div class="para">
-			Source-code listings are also set in <code class="computeroutput">Mono-spaced Roman</code> but are presented and highlighted as follows:
-		</div><pre class="programlisting">
-package org.jboss.book.jca.ex1;
+			Source-code listings are also set in <code class="computeroutput">mono-spaced roman</code> but add syntax highlighting as follows:
+		</div><pre class="programlisting"><pre class="programlisting">package org.<span class="perl_Function">jboss</span>.<span class="perl_Function">book</span>.<span class="perl_Function">jca</span>.<span class="perl_Function">ex1</span>;
 
-import javax.naming.InitialContext;
+<span class="perl_Keyword">import</span> javax.naming.InitialContext;
 
-public class ExClient
+<span class="perl_Keyword">public</span> <span class="perl_Keyword">class</span> ExClient
 {
-   public static void main(String args[]) 
-       throws Exception
+   <span class="perl_Keyword">public</span> <span class="perl_DataType">static</span> <span class="perl_DataType">void</span> <span class="perl_Function">main</span>(String args[]) 
+       <span class="perl_Keyword">throws</span> Exception
    {
-      InitialContext iniCtx = new InitialContext();
-      Object         ref    = iniCtx.lookup("EchoBean");
+      InitialContext iniCtx = <span class="perl_Keyword">new</span> InitialContext();
+      Object         ref    = iniCtx.<span class="perl_Function">lookup</span>(<span class="perl_String">"EchoBean"</span>);
       EchoHome       home   = (EchoHome) ref;
-      Echo           echo   = home.create();
+      Echo           echo   = home.<span class="perl_Function">create</span>();
 
-      System.out.println("Created Echo");
+      System.<span class="perl_Function">out</span>.<span class="perl_Function">println</span>(<span class="perl_String">"Created Echo"</span>);
 
-      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
+      System.<span class="perl_Function">out</span>.<span class="perl_Function">println</span>(<span class="perl_String">"Echo.echo('Hello') = "</span> + echo.<span class="perl_Function">echo</span>(<span class="perl_String">"Hello"</span>));
    }
-   
 }
-</pre></div><div class="section" title="1.3. Notes and Warnings"><div class="titlepage"><div><div><h3 class="title" id="d0e403">1.3. Notes and Warnings</h3></div></div></div><div class="para">
+</pre></pre></div><div class="section" title="1.3. Notes and Warnings"><div class="titlepage"><div><div><h3 class="title" id="id2876283">1.3. Notes and Warnings</h3></div></div></div><div class="para">
 			Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.
 		</div><div class="note"><h2>Note</h2><div class="para">
-				A note is a tip or shortcut or alternative approach to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
+				Notes are tips, shortcuts or alternative approaches to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
 			</div></div><div class="important"><h2>Important</h2><div class="para">
-				Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring Important boxes won't cause data loss but may cause irritation and frustration.
+				Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring a box labeled 'Important' won't cause data loss but may cause irritation and frustration.
 			</div></div><div class="warning"><h2>Warning</h2><div class="para">
-				A Warning should not be ignored. Ignoring warnings will most likely cause data loss.
-			</div></div></div></div><div class="section" title="2. We Need Feedback!"><div class="titlepage"><div><div><h2 class="title" id="d0e423">2. We Need Feedback!</h2></div></div></div><a id="d0e426" class="indexterm"/><div class="para">
-		If you find a typographical error in this manual, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla: <a href="http://bugzilla.redhat.com/bugzilla/">http://bugzilla.redhat.com/bugzilla/</a>
-		against the product <span class="application"><strong>Fedora Documentation.</strong></span>
+				Warnings should not be ignored. Ignoring warnings will most likely cause data loss.
+			</div></div></div></div><div xml:lang="en-US" class="section" title="2. We Need Feedback!" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="id2916503">2. We Need Feedback!</h2></div></div></div><a id="id2915050" class="indexterm"></a><div class="para">
+		If you find a typographical error in this manual, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla: <a href="http://bugzilla.redhat.com/bugzilla/">http://bugzilla.redhat.com/bugzilla/</a> against the product <span class="application"><strong>Fedora Documentation.</strong></span>
 	</div><div class="para">
 		When submitting a bug report, be sure to mention the manual's identifier: <em class="citetitle">selinux-user-guide</em>
 	</div><div class="para">
 		If you have a suggestion for improving the documentation, try to be as specific as possible when describing it. If you have found an error, please include the section number and some of the surrounding text so we can find it easily.
-	</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 1. Trademark Information"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Trademark_Information">Chapter 1. Trademark Information</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#chap-Security-Enhanced_Linux-Trademark_Information-Source_Code">1.1. Source Code</a></span></dt></dl></div><div class="para">
+	</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 1. Trademark Information" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Trademark_Information">Chapter 1. Trademark Information</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#chap-Security-Enhanced_Linux-Trademark_Information-Source_Code">1.1. Source Code</a></span></dt></dl></div><div class="para">
 		<span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the U.S. and other countries.
 	</div><div class="para">
 		UNIX is a registered trademark of The Open Group.
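Review bot: the highlighted Java listing now opens with two pre elements, <pre class="programlisting"><pre class="programlisting">, and closes with </pre></pre>. A pre element takes inline (phrasing) content only, so pre nested in pre is invalid in both XHTML 1.0 and HTML5, and browsers that render it anyway apply whatever padding, border or background the stylesheet gives pre.programlisting twice, leaving the block double-framed and indented. This looks like the syntax highlighter's own wrapper being wrapped again by the programlisting template; remove one wrapper in the build stylesheet rather than hand-editing this generated file. The highlighting itself is approximate (Java tokens carry perl_ class names, "static" and "void" are tagged as data types, the "out" field as a function), but that is cosmetic. Two changes in this hunk are clear improvements: the screen block no longer starts with a blank line because the content now follows the opening pre tag directly, and replacing the self-closed <a id="d0e426" class="indexterm"/> with an explicitly closed anchor is correct for browsers parsing the page as HTML, where a self-closed a tag is treated as an open anchor and swallows the text after it. As in the previous hunk, the heading and indexterm ids are regenerated values and will not survive the next build.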
@@ -139,12 +140,12 @@
 		Other products mentioned may be trademarks of their respective corporations.
 	</div><div class="section" title="1.1. Source Code"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Trademark_Information-Source_Code">1.1. Source Code</h2></div></div></div><div class="para">
 			The XML source for this guide is available at <a href="http://svn.fedorahosted.org/svn/selinuxguide/">http://svn.fedorahosted.org/svn/selinuxguide/</a>
-		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 2. Introduction"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Introduction">Chapter 2. Introduction</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux on Other Operating Systems</a></span></dt></dl></div><div class="para">
+		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 2. Introduction" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Introduction">Chapter 2. Introduction</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Introduction-SELinux_on_Other_Operating_Systems">2.4. SELinux on Other Operating Systems</a></span></dt></dl></div><div class="para">
 		Security-Enhanced Linux (SELinux) is an implementation of a <em class="firstterm">mandatory access control</em> mechanism in the Linux kernel, checking for allowed operations after standard <em class="firstterm">discretionary access controls</em> are checked. It was created by the National Security Agency and can enforce rules on files and processes in a Linux system, and on their actions, based on defined policy.
 	</div><div class="para">
 		When using SELinux, files, including directories and devices, are referred to as objects. Processes, such as a user running a command or the <span class="trademark">Mozilla</span>®<span class="trademark"> Firefox</span>® application, are referred to as subjects. Most operating systems use a Discretionary Access Control (DAC) system that controls how subjects interact with objects, and how subjects interact with each other. On operating systems using DAC, users control the permissions of files (objects) that they own. For example, on <span class="trademark">Linux</span>® operating systems, users could make their home directories world-readable, giving users and processes (subjects) access to potentially sensitive information, with no further protection over this unwanted action.
 	</div><div class="para">
-		Relying on DAC mechanisms alone is fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over their files, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's files, so no protection is provided against malicious software. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs could be exploited to obtain further system access.<sup>[<a id="d0e495" href="#ftn.d0e495" class="footnote">1</a>]</sup>
+		Relying on DAC mechanisms alone is fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over their files, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's files, so no protection is provided against malicious software. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs could be exploited to obtain further system access.<sup>[<a id="id2864498" href="#ftn.id2864498" class="footnote">1</a>]</sup>
 	</div><div class="para">
 		The following is an example of permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions and output in these examples may differ from your system. Use the <code class="command">ls -l</code> command to view file permissions:
 	</div><pre class="screen">$ ls -l file1
@@ -152,7 +153,7 @@
 </pre><div class="para">
 		The first three permission bits, <code class="computeroutput">rwx</code>, control the access the Linux <code class="computeroutput">user1</code> user (in this case, the owner) has to <code class="filename">file1</code>. The next three permission bits, <code class="computeroutput">rw-</code>, control the access the Linux <code class="computeroutput">group1</code> group has to <code class="filename">file1</code>. The last three permission bits, <code class="computeroutput">r--</code>, control the access everyone else has to <code class="filename">file1</code>, which includes all users and processes.
 	</div><div class="para">
-		Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as from a
 uthorized users who have unwittingly executed malicious applications.<sup>[<a id="d0e537" href="#ftn.d0e537" class="footnote">2</a>]</sup>
+		Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as from a
 uthorized users who have unwittingly executed malicious applications.<sup>[<a id="id2774425" href="#ftn.id2774425" class="footnote">2</a>]</sup>
 	</div><div class="para">
 		The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux <span class="emphasis"><em>context</em></span>, and is viewed using the <code class="command">ls -Z</code> command:
 	</div><pre class="screen">$ ls -Z file1
@@ -184,19 +185,19 @@
 		</div></div><div class="section" title="2.2. Examples"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</h2></div></div></div><div class="para">
 			The following examples demonstrate how SELinux increases security:
 		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
-					the default action is deny. If an SELinux policy rule does not exist to allow access, such as for a process opening a file, access is denied.
+					The default action is deny. If an SELinux policy rule does not exist to allow access, such as for a process opening a file, access is denied.
 				</div></li><li class="listitem"><div class="para">
 					SELinux can confine Linux users. A number of confined SELinux users exist in SELinux policy. Linux users can be mapped to confined SELinux users to take advantage of the security rules and mechanisms applied to them. For example, mapping a Linux user to the SELinux user_u user, results in a Linux user that is not able to run (unless configured otherwise) set user ID (setuid) applications, such as <code class="command">sudo</code> and <code class="command">su</code>, as well as preventing them from executing files and applications in their home directory - if configured, this prevents users from executing malicious files from their home directories.
 				</div></li><li class="listitem"><div class="para">
-					process separation. Processes run in their own domains, preventing processes from accessing files used by other processes, as well as preventing processes from accessing other processes. For example, when running SELinux, unless otherwise configured, an attacker can not compromise a Samba server, and then use that Samba server as an attack vector to read and write to files used by other processes, such as databases used by <span class="trademark">MySQL</span>®.
+					Process separation is used. Processes run in their own domains, preventing processes from accessing files used by other processes, as well as preventing processes from accessing other processes. For example, when running SELinux, unless otherwise configured, an attacker can not compromise a Samba server, and then use that Samba server as an attack vector to read and write to files used by other processes, such as databases used by <span class="trademark">MySQL</span>®.
 				</div></li><li class="listitem"><div class="para">
-					it helps limit the damage done by configuration mistakes. <a href="http://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System (DNS)</a> servers often replicate information between each other in what is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the <a href="https://www.isc.org/software/bind">Berkeley Internet Name Domain (BIND)</a> as a DNS server in Fedora, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files <sup>[<a id="d0e645" href="#ftn.d0e645" class="footnote">3</a>]</sup> from being updated via zone transfers, by the BIND <code class="systemitem">named</code> daemon itself, and by other processes.
+					SELinux helps limit the damage made by configuration mistakes. <a href="http://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System (DNS)</a> servers often replicate information between each other in what is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the <a href="https://www.isc.org/software/bind">Berkeley Internet Name Domain (BIND)</a> as a DNS server in Fedora, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files <sup>[<a id="id2792368" href="#ftn.id2792368" class="footnote">3</a>]</sup> from being updated via zone transfers, by the BIND <code class="systemitem">named</code> daemon itself, and by other processes.
 				</div></li><li class="listitem"><div class="para">
-					refer to the <a href="http://www.redhatmagazine.com/"><span class="trademark">Red Hat</span>® Magazine</a> article, <a href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/">Risk report: Three years of Red Hat Enterprise Linux 4</a><sup>[<a id="d0e662" href="#ftn.d0e662" class="footnote">4</a>]</sup>, for exploits that were restricted due to the default SELinux targeted policy in <span class="trademark">Red Hat</span>® Enterprise <span class="trademark">Linux</span>® 4.
+					Refer to the <a href="http://www.redhatmagazine.com/"><span class="trademark">Red Hat</span>® Magazine</a> article, <a href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/">Risk report: Three years of Red Hat Enterprise Linux 4</a><sup>[<a id="id2792411" href="#ftn.id2792411" class="footnote">4</a>]</sup>, for exploits that were restricted due to the default SELinux targeted policy in <span class="trademark">Red Hat</span>® Enterprise <span class="trademark">Linux</span>® 4.
 				</div></li><li class="listitem"><div class="para">
-					refer to the <a href="http://www.linuxworld.com">LinuxWorld.com</a> article, <a href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1">A seatbelt for server software: SELinux blocks real-world exploits</a><sup>[<a id="d0e682" href="#ftn.d0e682" class="footnote">5</a>]</sup>, for background information about SELinux, and information about various exploits that SELinux has prevented.
+					Refer to the <a href="http://www.linuxworld.com">LinuxWorld.com</a> article, <a href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1">A seatbelt for server software: SELinux blocks real-world exploits</a><sup>[<a id="id2795200" href="#ftn.id2795200" class="footnote">5</a>]</sup>, for background information about SELinux, and information about various exploits that SELinux has prevented.
 				</div></li><li class="listitem"><div class="para">
-					refer to James Morris's <a href="http://james-morris.livejournal.com/25421.html">SELinux mitigates remote root vulnerability in OpenPegasus</a> blog post for information about an exploit in <a href="http://www.openpegasus.org/">OpenPegasus</a> that was mitigated by SELinux as shipped with Red Hat Enterprise Linux 4 and 5.
+					Refer to James Morris's <a href="http://james-morris.livejournal.com/25421.html">SELinux mitigates remote root vulnerability in OpenPegasus</a> blog post for information about an exploit in <a href="http://www.openpegasus.org/">OpenPegasus</a> that was mitigated by SELinux as shipped with Red Hat Enterprise Linux 4 and 5.
 				</div></li></ul></div><div class="para">
 			The <a href="http://www.tresys.com/">Tresys Technology</a> website has an <a href="http://www.tresys.com/innovation.php">SELinux Mitigation News</a> section (on the right-hand side), that lists recent exploits that have been mitigated or prevented by SELinux.
 		</div></div><div class="section" title="2.3. SELinux Architecture"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture">2.3. SELinux Architecture</h2></div></div></div><div class="para">
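Review bot: the rewording of the DNS list item turns "helps limit the damage done by configuration mistakes" into "damage made by configuration mistakes", which is less idiomatic than the original; keep "damage done by" and only apply the sentence-initial capital that the rest of this hunk adds. The renumbered footnote anchors on the + lines (id2792368, id2792411, id2795200) do match the ftn.* definitions in the footnotes hunk that follows, so the in-text links are intact.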
@@ -215,17 +216,17 @@
 					Red Hat Enterprise Linux: <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html">Red Hat Enterprise Linux Deployment Guide</a> and <a href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/">Red Hat Enterprise Linux 4 SELinux Guide</a>.
 				</div></li><li class="listitem"><div class="para">
 					Fedora: <a href="http://fedoraproject.org/wiki/SELinux">http://fedoraproject.org/wiki/SELinux</a> and the <a href="http://docs.fedoraproject.org/selinux-faq-fc5/">Fedora Core 5 SELinux FAQ</a>.
-				</div></li></ul></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e495" href="#d0e495" class="para">1</a>] </sup>
+				</div></li></ul></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id2864498" href="#id2864498" class="para">1</a>] </sup>
 			"Integrating Flexible Support for Security Policies into the Linux Operating System", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <a href="http://www.nsa.gov/research/_files/selinux/papers/freenix01/index.shtml">original paper</a> for details and the document as it was first released. Any edits and changes were done by Murray McAllister.
-		</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e537" href="#d0e537" class="para">2</a>] </sup>
+		</p></div><div class="footnote"><p><sup>[<a id="ftn.id2774425" href="#id2774425" class="para">2</a>] </sup>
 			"Meeting Critical Security Objectives with Security-Enhanced Linux", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <a href="http://www.nsa.gov/research/_files/selinux/papers/ottawa01/index.shtml">original paper</a> for details and the document as it was first released. Any edits and changes were done by Murray McAllister.
-		</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e645" href="#d0e645" class="para">3</a>] </sup>
+		</p></div><div class="footnote"><p><sup>[<a id="ftn.id2792368" href="#id2792368" class="para">3</a>] </sup>
 						Text files that include information, such as hostname to IP address mappings, that are used by DNS servers.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e662" href="#d0e662" class="para">4</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.id2792411" href="#id2792411" class="para">4</a>] </sup>
 						Cox, Mark. "Risk report: Three years of Red Hat Enterprise Linux 4". Published 26 February 2008. Accessed 27 August 2009: <a href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/">http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/</a>.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e682" href="#d0e682" class="para">5</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.id2795200" href="#id2795200" class="para">5</a>] </sup>
 						Marti, Don. "A seatbelt for server software: SELinux blocks real-world exploits". Published 24 February 2008. Accessed 27 August 2009: <a href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1">http://www.linuxworld.com/news/2008/022408-selinux.html?page=1</a>.
-					</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 3. SELinux Contexts"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-SELinux_Contexts">Chapter 3. SELinux Contexts</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</a></span></dt></dl></div><div class="para">
+					</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 3. SELinux Contexts" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-SELinux_Contexts">Chapter 3. SELinux Contexts</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</a></span></dt></dl></div><div class="para">
 		Processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level. When running SELinux, all of this information is used to make access control decisions. In Fedora, SELinux provides a combination of Role-Based Access Control (RBAC), <span class="trademark">Type Enforcement</span>® (TE), and, optionally, Multi-Level Security (MLS).
 	</div><div class="para">
 		The following is an example showing SELinux context. SELinux contexts are used on processes, Linux users, and files, on Linux operating systems that run SELinux. Use the <code class="command">ls -Z</code> command to view the SELinux context of files and directories:
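Review bot: the anchors for footnotes 1 and 2 change to ftn.id2864498 and ftn.id2774425, but the in-text references they link back to (href="#id2864498" and "#id2774425") are outside the visible hunks; confirm they were regenerated in the same build, otherwise the footnote backlinks dangle. More generally, replacing the stable d0eNNN ids with per-build idNNNNNNN ids means any external deep link to a footnote breaks on every regeneration; the named section ids (chap-Security-Enhanced_Linux-SELinux_Contexts and similar) are unaffected and should be preferred for cross-references. Adding lang="en-US" beside xml:lang on the chapter div is correct for XHTML served as text/html.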
@@ -244,7 +245,7 @@
 root                      unconfined_u              s0-s0:c0.c1023
 system_u                  system_u                  s0-s0:c0.c1023
 </pre><div class="para">
-					Output may differ from system to system. The <code class="computeroutput">Login Name</code> column lists Linux users, and the the <code class="computeroutput">SELinux User</code> column lists which SELinux user the Linux user is mapped to. For processes, the SELinux user limits which roles and levels are accessible. The last column, <code class="computeroutput">MLS/MCS Range</code>, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS). Levels are briefly discussed later.
+					Output may differ slightly from system to system. The <code class="computeroutput">Login Name</code> column lists Linux users, and the <code class="computeroutput">SELinux User</code> column lists which SELinux user the Linux user is mapped to. For processes, the SELinux user limits which roles and levels are accessible. The last column, <code class="computeroutput">MLS/MCS Range</code>, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS). Levels are briefly discussed later.
 				</div></dd><dt><span class="term"><span class="emphasis"><em>role</em></span></span></dt><dd><div class="para">
 					Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for domains. The role serves as an intermediary between domains and SELinux users. The roles that can be entered determine which domains can be entered - ultimately, this controls which object types can be accessed. This helps reduce vulnerability to privilege escalation attacks.
 				</div></dd><dt><span class="term"><span class="emphasis"><em>type</em></span></span></dt><dd><div class="para">
@@ -296,7 +297,7 @@
 			In this example, when the <code class="filename">/usr/bin/passwd</code> application (labeled with the <code class="computeroutput">passwd_exec_t</code> type) is executed, the user's shell process transitions to the <code class="computeroutput">passwd_t</code> domain. Remember: the type defines a domain for processes, and a type for files.
 		</div><div class="para">
 			Use the <code class="command">ps -eZ</code> command to view the SELinux contexts for running processes. The following is a limited example of the output, and may differ on your system:
-		</div><pre class="screen">system_u:system_r:setroubleshootd_t:s0 1866 ?  00:00:08 setroubleshootd
+		</div><pre class="screen">
 system_u:system_r:dhcpc_t:s0     1869 ?        00:00:00 dhclient
 system_u:system_r:sshd_t:s0-s0:c0.c1023 1882 ? 00:00:00 sshd
 system_u:system_r:gpm_t:s0       1964 ?        00:00:00 gpm
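Review bot: removing the setroubleshootd line from the ps -eZ sample leaves the opening <pre class="screen"> followed directly by a newline, so an XML parser will render a leading blank line (HTML parsers drop the first newline after <pre>, XHTML ones do not). Either put the dhclient line on the same line as the opening tag, as the unconfined_u:unconfined_r <pre> in the next hunk does, or accept the convention used by the sestatus blocks, but be consistent. Dropping the line is otherwise consistent with this change treating setroubleshootd as something that is no longer always running.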
@@ -310,14 +311,14 @@
 		</div><pre class="screen">unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 </pre><div class="para">
 			In Fedora, Linux users run unconfined by default. This SELinux context shows that the Linux user is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user, running as the <code class="computeroutput">unconfined_r</code> role, and is running in the <code class="computeroutput">unconfined_t</code> domain. <code class="computeroutput">s0-s0</code> is an MLS range, which in this case, is the same as just <code class="computeroutput">s0</code>. The categories the user has access to is defined by <code class="computeroutput">c0.c1023</code>, which is all categories (<code class="computeroutput">c0</code> through to <code class="computeroutput">c1023</code>).
-		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 4. Targeted Policy"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Targeted_Policy">Chapter 4. Targeted Policy</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</a></span></dt></dl></div><div class="para">
+		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 4. Targeted Policy" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Targeted_Policy">Chapter 4. Targeted Policy</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</a></span></dt></dl></div><div class="para">
 		Targeted policy is the default SELinux policy used in Fedora. When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged in users run in the <code class="computeroutput">unconfined_t</code> domain, and system processes started by init run in the <code class="computeroutput">initrc_t</code> domain - both of these domains are unconfined.
 	</div><div class="para">
 		Unconfined domains (as well as confined domains) are subject to executable and writeable memory checks. By default, subjects running in an unconfined domain can not allocate writeable memory and execute it. This reduces vulnerability to <a href="http://en.wikipedia.org/wiki/Buffer_overflow">buffer overflow attacks</a>. These memory checks are disabled by setting Booleans, which allow the SELinux policy to be modified at runtime. Boolean configuration is discussed later.
 	</div><div class="section" title="4.1. Confined Processes"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</h2></div></div></div><div class="para">
 			Almost every service that listens on a network is confined in Fedora. Also, most processes that run as the Linux root user and perform tasks for users, such as the <span class="application"><strong>passwd</strong></span> application, are confined. When a process is confined, it runs in its own domain, such as the <code class="systemitem">httpd</code> process running in the <code class="computeroutput">httpd_t</code> domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited.
 		</div><div class="para">
-			The following example demonstrates how SELinux prevents the Apache HTTP Server (<code class="systemitem">httpd</code>) from reading files that are not correctly labeled, such as files intended for use by Samba. This is an example, and should not be used in production. It assumes that the <span class="package">httpd</span>, <span class="package">wget</span>, <span class="package">setroubleshoot-server</span>, and <span class="package">audit</span> packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
+			The following example demonstrates how SELinux prevents the Apache HTTP Server (<code class="systemitem">httpd</code>) from reading files that are not correctly labeled, such as files intended for use by Samba. This is an example, and should not be used in production. It assumes that the <span class="package">httpd</span>, <span class="package">wget</span>, <span class="package">setroubleshoot-server</span>, <span class="package">dbus</span> and <span class="package">audit</span> packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
 		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
 					Run the <code class="command">sestatus</code> command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:
 				</div><pre class="screen">
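Review bot: the package list on the + line reads "setroubleshoot-server, dbus and audit", dropping the serial comma the original sentence used ("..., and audit"); make it "setroubleshoot-server, dbus, and audit", and apply the same fix to the identical sentence in the Unconfined Processes section, which has the same omission. The hunk adds dbus to the prerequisites but never says what it is needed for, and nothing in the procedure invokes it directly; a half sentence explaining its role (the setroubleshoot tooling depends on it) would stop readers from treating it as a stray addition.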
@@ -326,7 +327,7 @@
 SELinuxfs mount:                /selinux
 Current mode:                   enforcing
 Mode from config file:          enforcing
-Policy version:                 23
+Policy version:                 24
 Policy from config file:        targeted
 </pre><div class="para">
 					<code class="computeroutput">SELinux status: enabled</code> is returned when SELinux is enabled. <code class="computeroutput">Current mode: enforcing</code> is returned when SELinux is running in enforcing mode. <code class="computeroutput">Policy from config file: targeted</code> is returned when the SELinux targeted policy is used.
@@ -336,14 +337,14 @@
 					Run the <code class="command">ls -Z /var/www/html/testfile</code> command to view the SELinux context:
 				</div><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
 </pre><div class="para">
-					By default, Linux users run unconfined in Fedora, which is why the <code class="filename">testfile</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="d0e1249" href="#ftn.d0e1249" class="footnote">6</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
+					By default, Linux users run unconfined in Fedora, which is why the <code class="filename">testfile</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="id2868558" href="#ftn.id2868558" class="footnote">6</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
 				</div></li><li class="listitem"><div class="para">
 					As the Linux root user, run the <code class="command">service httpd start</code> command to start the <code class="systemitem">httpd</code> process. The output is as follows if <code class="systemitem">httpd</code> starts successfully:
 				</div><pre class="screen"># /sbin/service httpd start
 Starting httpd:                                            [  OK  ]
 </pre></li><li class="listitem"><div class="para">
 					Change into a directory where your Linux user has write access to, and run the <code class="command">wget http://localhost/testfile</code> command. Unless there are changes to the default configuration, this command succeeds:
-				</div><pre class="screen">--2009-05-06 23:00:01--  http://localhost/testfile
+				</div><pre class="screen">--2009-11-06 17:43:01--  http://localhost/testfile
 Resolving localhost... 127.0.0.1
 Connecting to localhost|127.0.0.1|:80... connected.
 HTTP request sent, awaiting response... 200 OK
@@ -352,7 +353,7 @@
 
 [ <=>                              ] 0     --.-K/s   in 0s
 		
-2009-05-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]
+2009-11-06 17:43:01 (0.00 B/s) - `testfile' saved [0/0]
 </pre></li><li class="listitem"><div class="para">
 					The <code class="command">chcon</code> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <code class="command">semanage</code> command, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba:
 				</div><div class="para">
@@ -362,11 +363,11 @@
 				</div><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
 </pre></li><li class="listitem"><div class="para">
 					Note: the current DAC permissions allow the <code class="systemitem">httpd</code> process access to <code class="filename">testfile</code>. Change into a directory where your Linux user has write access to, and run the <code class="command">wget http://localhost/testfile</code> command. Unless there are changes to the default configuration, this command fails:
-				</div><pre class="screen">--2009-05-06 23:00:54--  http://localhost/testfile
+				</div><pre class="screen">--2009-11-06 14:11:23--  http://localhost/testfile
 Resolving localhost... 127.0.0.1
 Connecting to localhost|127.0.0.1|:80... connected.
 HTTP request sent, awaiting response... 403 Forbidden
-2009-05-06 23:00:54 ERROR 403: Forbidden.
+2009-11-06 14:11:23 ERROR 403: Forbidden.
 </pre></li><li class="listitem"><div class="para">
 					As the Linux root user, run the <code class="command">rm -i /var/www/html/testfile</code> command to remove <code class="filename">testfile</code>.
 				</div></li><li class="listitem"><div class="para">
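Review bot: the re-captured failing request carries the timestamp 2009-11-06 14:11:23, which is earlier in the day than the successful request in the preceding step (2009-11-06 17:43:01), even though this step runs after the chcon relabel; the two captures were evidently taken in separate sessions. Re-capture both runs in order, or at least adjust the timestamps so the sequence is plausible, and make sure the httpd error_log sample in the next hunk shows the same time as this ERROR 403.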
@@ -386,12 +387,10 @@
 </pre><div class="para">
 			Also, an error similar to the following is logged to <code class="filename">/var/log/httpd/error_log</code>:
 		</div><pre class="screen">[Wed May 06 23:00:54 2009] [error] [client <em class="replaceable"><code>127.0.0.1</code></em>] (13)Permission denied: access to /testfile denied
-</pre><div class="note"><h2>Note</h2><div class="para">
-				In Fedora, the <span class="package">setroubleshoot-server</span> and <span class="package">audit</span> packages are installed by default. These packages include the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons respectively. These daemons run by default. Stopping either of these daemons changes where SELinux denials are written to. Refer to <a class="xref" href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used" title="5.2. Which Log File is Used">Section 5.2, “Which Log File is Used”</a> for further information.
-			</div></div></div><div class="section" title="4.2. Unconfined Processes"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</h2></div></div></div><div class="para">
+</pre></div><div class="section" title="4.2. Unconfined Processes"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</h2></div></div></div><div class="para">
 			Unconfined processes run in unconfined domains, for example, init programs run in the unconfined <code class="computeroutput">initrc_t</code> domain, unconfined kernel processes run in the <code class="computeroutput">kernel_t</code> domain, and unconfined Linux users run in the <code class="computeroutput">unconfined_t</code> domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them.
 		</div><div class="para">
-			The following example demonstrates how the Apache HTTP Server (<code class="systemitem">httpd</code>) can access data intended for use by Samba, when running unconfined. Note: in Fedora, the <code class="systemitem">httpd</code> process runs in the confined <code class="computeroutput">httpd_t</code> domain by default. This is an example, and should not be used in production. It assumes that the <span class="package">httpd</span>, <span class="package">wget</span>, <span class="package">setroubleshoot-server</span>, and <span class="package">audit</span> packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
+			The following example demonstrates how the Apache HTTP Server (<code class="systemitem">httpd</code>) can access data intended for use by Samba, when running unconfined. Note: in Fedora, the <code class="systemitem">httpd</code> process runs in the confined <code class="computeroutput">httpd_t</code> domain by default. This is an example, and should not be used in production. It assumes that the <span class="package">httpd</span>, <span class="package">wget</span>, <span class="package">setroubleshoot-server</span>, <span class="package">dbus</span> and <span class="package">audit</span> packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
 		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
 					Run the <code class="command">sestatus</code> command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:
 				</div><pre class="screen">
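Review bot: the Note about setroubleshootd and auditd, together with its cross-reference to Section 5.2, "Which Log File is Used", is deleted outright, yet the assumptions paragraph in this same hunk still requires setroubleshoot-server and audit to be installed, and the reader now has no pointer to where denials end up. If the note was dropped because setroubleshootd is no longer a persistent daemon, reword it (keeping the xref) rather than removing it. Separately, the unchanged error_log sample still reads "[Wed May 06 23:00:54 2009]" while the wget captures in the previous hunks were redone on 2009-11-06; update the log line so it corresponds to the failed request it is meant to illustrate.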
@@ -410,7 +409,7 @@
 					Run the <code class="command">ls -Z /var/www/html/test2file</code> command to view the SELinux context:
 				</div><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
 </pre><div class="para">
-					By default, Linux users run unconfined in Fedora, which is why the <code class="filename">test2file</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="d0e1499" href="#ftn.d0e1499" class="footnote">7</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
+					By default, Linux users run unconfined in Fedora, which is why the <code class="filename">test2file</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="id2789987" href="#ftn.id2789987" class="footnote">7</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
 				</div></li><li class="listitem"><div class="para">
 					The <code class="command">chcon</code> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <code class="command">semanage</code> command, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba:
 				</div><div class="para">
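Review bot: the paragraph on this hunk's + line is word-for-word the same as the one in the Confined Processes example (object_r, system_r under /proc/, httpd_sys_content_t), and footnote 7 is a second copy of footnote 6 rather than a reference to it. Since only the file name differs (test2file instead of testfile), consider replacing the repeat with a one-sentence pointer back to the earlier explanation so the duplicated footnote can go as well.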
@@ -527,7 +526,7 @@
 			Confined and unconfined Linux users are subject to executable and writeable memory checks, and are also restricted by MCS (and MLS, if the MLS policy is used). If unconfined Linux users execute an application that SELinux policy defines can transition from the <code class="computeroutput">unconfined_t</code> domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy. Note: this does not protect the system from the user. Instead, the user and the system are being protected from possible damage caused by a flaw in the application.
 		</div><div class="para">
 			The following confined SELinux users are available in Fedora 12:
-		</div><div class="table" id="tabl-Security-Enhanced_Linux-Confined_and_Unconfined_Users-SELinux_User_Capabilities"><div class="table-contents"><table summary="SELinux User Capabilities" border="1"><colgroup><col/><col/><col/><col/><col/><col/></colgroup><thead><tr><th>
+		</div><div class="table" id="tabl-Security-Enhanced_Linux-Confined_and_Unconfined_Users-SELinux_User_Capabilities"><div class="table-contents"><table summary="SELinux User Capabilities" border="1"><colgroup><col width="17%" /><col width="17%" /><col width="17%" /><col width="17%" /><col width="17%" /><col width="17%" /></colgroup><thead><tr><th>
 							User
 						</th><th>
 							Domain
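Review bot: the six new `<col width="17%" />` entries sum to 102%, so the browser has to rescale them and the explicit widths gain nothing over the original bare `<col/>`; if six equal columns are the goal, either use `width="16.66%"` (or mix 16%/17% to reach 100%) or leave the widths off and let the table lay out naturally.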
@@ -587,7 +586,7 @@
 							optional
 						</td><td align="center">
 							yes
-						</td></tr></tbody></table></div><h6>Table 4.1. SELinux User Capabilities</h6></div><br class="table-break"/><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+						</td></tr></tbody></table></div><h6>Table 4.1. SELinux User Capabilities</h6></div><br class="table-break" /><div class="itemizedlist"><ul><li class="listitem"><div class="para">
 					Linux users in the <code class="computeroutput">guest_t</code>, <code class="computeroutput">xguest_t</code>, and <code class="computeroutput">user_t</code> domains can only run set user ID (setuid) applications if SELinux policy permits it (such as <code class="command">passwd</code>). They can not run the <code class="command">su</code> and <code class="command">/usr/bin/sudo</code> setuid applications, and therefore, can not use these applications to become the Linux root user.
 				</div></li><li class="listitem"><div class="para">
 					Linux users in the <code class="computeroutput">guest_t</code> domain have no network access, and can only log in via a terminal (including <code class="systemitem">ssh</code>; they can log in via <code class="systemitem">ssh</code>, but can not use <code class="systemitem">ssh</code> to connect to another system).
@@ -601,11 +600,11 @@
 			By default, Linux users in the <code class="computeroutput">guest_t</code> and <code class="computeroutput">xguest_t</code> domains can not execute applications in their home directories or <code class="filename">/tmp/</code>, preventing them from executing applications (which inherit users' permissions) in directories they have write access to. This helps prevent flawed or malicious applications from modifying files users' own.
 		</div><div class="para">
 			By default, Linux users in the <code class="computeroutput">user_t</code> and <code class="computeroutput">staff_t</code> domains can execute applications in their home directories and <code class="filename">/tmp/</code>. Refer to <a class="xref" href="#sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications" title="6.6. Booleans for Users Executing Applications">Section 6.6, “Booleans for Users Executing Applications”</a> for information about allowing and preventing users from executing applications in their home directories and <code class="filename">/tmp/</code>.
-		</div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e1249" href="#d0e1249" class="para">6</a>] </sup>
+		</div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id2868558" href="#id2868558" class="para">6</a>] </sup>
 						When using other policies, such as MLS, other roles may be used, for example, <code class="computeroutput">secadm_r</code>.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e1499" href="#d0e1499" class="para">7</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.id2789987" href="#id2789987" class="para">7</a>] </sup>
 						When using other policies, such as MLS, other roles may also be used, for example, <code class="computeroutput">secadm_r</code>.
-					</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 5. Working with SELinux"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Working_with_SELinux">Chapter 5. Working with SELinux</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling
 _and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">5.6.3. Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Securi
 ty-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span cla
 ss="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting an NFS File System</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directorie
 s</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking the Default SELinux Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></div><div class="para">
+					</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 5. Working with SELinux" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Working_with_SELinux">Chapter 5. Working with SELinux</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_L
 inux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS">5.6.3. Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href=
 "#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt>
 <dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting an NFS File System</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files a
 nd Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking the Default SELinux Context</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></div><div class="para">
 		The following sections give a brief overview of the main SELinux packages in Fedora; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the <code class="command">mount</code> command; mounting NFS file systems; and how to preserve SELinux contexts when copying and archiving files and directories.
 	</div><div class="section" title="5.1. SELinux Packages"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</h2></div></div></div><div class="para">
 			In Fedora, the SELinux packages are installed by default, unless they are manually excluded during installation. By default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the main SELinux packages:
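Review bot: the footnote anchors change from `d0e1249`/`d0e1499` to generator-assigned `id2868558`/`id2789987`, so any existing deep links or bookmarks to the old `#ftn.d0e…` fragments break, and these ids will churn again on the next publican build; footnotes and sections that are meant to be linkable should get stable, hand-assigned ids. While here, footnotes 6 and 7 carry the same text apart from the word "also" and could be a single footnote referenced twice, and the section id `..._Maintaining_SELinux_Labels_` together with its link text "5.10. Maintaining SELinux Labels " carries a trailing space from the source title that should be trimmed. The added `lang="en-US"` beside `xml:lang` is fine for XHTML served as text/html.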
@@ -620,7 +619,7 @@
 		</div><div class="para">
 			<span class="package">setroubleshoot-server</span>: translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with <code class="command">sealert</code> (which is provided by this package).
 		</div><div class="para">
-			<span class="package">setools</span>, <span class="package">setools-gui</span>, and <span class="package">setools-console</span>: these packages provide the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools distribution</a>, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management<sup>[<a id="d0e2080" href="#ftn.d0e2080" class="footnote">8</a>]</sup>. The <span class="package">setools</span> package is a meta-package for SETools. The <span class="package">setools-gui</span> package provides the <code class="command">apol</code>, <code class="command">seaudit</code>, and <code class="command">sediffx</code> tools. The <span class="package">setools-console</span> package provides the <code class="command">seaudit-report</code>, <code class="command">sechecker</code>, <code class="command">sediff</code>, <code class="command">seinfo</code>, <code class="command">sesearch</code>
 , <code class="command">findcon</code>, <code class="command">replcon</code>, and <code class="command">indexcon</code> command line tools. Refer to the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools</a> page for information about these tools.
+			<span class="package">setools</span>, <span class="package">setools-gui</span>, and <span class="package">setools-console</span>: these packages provide the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools distribution</a>, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management<sup>[<a id="id2770094" href="#ftn.id2770094" class="footnote">8</a>]</sup>. The <span class="package">setools</span> package is a meta-package for SETools. The <span class="package">setools-gui</span> package provides the <code class="command">apol</code>, <code class="command">seaudit</code>, and <code class="command">sediffx</code> tools. The <span class="package">setools-console</span> package provides the <code class="command">seaudit-report</code>, <code class="command">sechecker</code>, <code class="command">sediff</code>, <code class="command">seinfo</code>, <code class="command">sesearch</c
 ode>, <code class="command">findcon</code>, <code class="command">replcon</code>, and <code class="command">indexcon</code> command line tools. Refer to the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools</a> page for information about these tools.
 		</div><div class="para">
 			<span class="package">libselinux-utils</span>: provides the <code class="command">avcstat</code>, <code class="command">getenforce</code>, <code class="command">getsebool</code>, <code class="command">matchpathcon</code>, <code class="command">selinuxconlist</code>, <code class="command">selinuxdefcon</code>, <code class="command">selinuxenabled</code>, <code class="command">setenforce</code>, <code class="command">togglesebool</code> tools.
 		</div><div class="para">
@@ -628,24 +627,25 @@
 		</div><div class="para">
 			To install packages in Fedora, as the Linux root user, run the <code class="command">yum install <em class="replaceable"><code>package-name</code></em></code> command. For example, to install the <span class="package">mcstrans</span> package, run the <code class="command">yum install mcstrans</code> command. To upgrade all installed packages in Fedora, run the <code class="command">yum update</code> command.
 		</div><div class="para">
-			Refer to <a href="http://docs.fedoraproject.org/yum/en/">Managing Software with yum</a><sup>[<a id="d0e2192" href="#ftn.d0e2192" class="footnote">9</a>]</sup> for further information about using <code class="command">yum</code> to manage packages.
+			Refer to <a href="http://docs.fedoraproject.org/yum/en/">Managing Software with yum</a><sup>[<a id="id2732679" href="#ftn.id2732679" class="footnote">9</a>]</sup> for further information about using <code class="command">yum</code> to manage packages.
 		</div><div class="note"><h2>Note</h2><div class="para">
 				In previous versions of Fedora, the <span class="package">selinux-policy-devel</span> package is required when making a local policy module with <code class="command">audit2allow -M</code>.
 			</div></div></div><div class="section" title="5.2. Which Log File is Used"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</h2></div></div></div><div class="para">
-			In Fedora 12, the <span class="package">setroubleshoot-server</span> and <span class="package">audit</span> packages are installed if packages are not removed from the default package selection. These packages include the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons respectively. These daemons run by default.
+			In Fedora 12, the <span class="package">dbus</span>, <span class="package">setroubleshoot-server</span> and <span class="package">audit</span> packages are installed if packages are not removed from the default package selection.
 		</div><div class="para">
 			SELinux denial messages, such as the following, are written to <code class="filename">/var/log/audit/audit.log</code> by default:
 		</div><pre class="screen">type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
 </pre><div class="para">
-			Also, if <code class="systemitem">setroubleshootd</code> is running, which it is by default, denial messages from <code class="filename">/var/log/audit/audit.log</code> are translated to an easier-to-read form and sent to <code class="filename">/var/log/messages</code>:
+			Also, if <code class="systemitem">setroubleshootd</code> is running, denial messages from <code class="filename">/var/log/audit/audit.log</code> are translated to an easier-to-read form and sent to <code class="filename">/var/log/messages</code>:
 		</div><pre class="screen">May  7 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
 </pre><div class="para">
+			In Fedora 12, <code class="systemitem">setroubleshootd</code> no longer constantly runs as a service, however it is still used to analyze the AVC messages. Two new programs act as a method to start setroubleshoot when needed: <code class="systemitem">sedispatch</code> and <code class="systemitem">seapplet</code>. <code class="systemitem">sedispatch</code> runs as part of the audit subsystem, and via <code class="systemitem">dbus</code>, sends a message when an AVC denial occurs, which will go straight to <code class="systemitem">setroubleshootd</code> if it is already running, or it will start <code class="systemitem">setroubleshootd</code> if it is not running. <code class="systemitem">seapplet</code> is a tool which runs in the system's toolbar, waiting for dbus messages in <code class="systemitem">setroubleshootd</code>, and will launch the notification bubble, allowing the user to review the denial.
+		</div><div class="para">
 			Denial messages are sent to a different location, depending on which daemons are running:
-		</div><div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Daemon</th><th>Log Location</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code></td></tr><tr class="seglistitem"><td class="seg">auditd off; rsyslogd on</td><td class="seg"><code class="filename">/var/log/messages</code></td></tr><tr class="seglistitem"><td class="seg">setroubleshootd, rsyslogd, and auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial messages also sent to <code class="filename">/var/log/messages</code></td></tr></tbody></table></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Which_Log_File_is_Used-Starting_Daemons_Automatically">Starting Daemons Automatically</h5>
+		</div><div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Daemon</th><th>Log Location</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code></td></tr><tr class="seglistitem"><td class="seg">auditd off; rsyslogd on</td><td class="seg"><code class="filename">/var/log/messages</code></td></tr><tr class="seglistitem"><td class="seg">rsyslogd and auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial messages also sent to <code class="filename">/var/log/messages</code></td></tr></tbody></table></div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Which_Log_File_is_Used-Starting_Daemons_Automatically">Starting Daemons Automatically</h5>
 				To configure the <code class="systemitem">auditd</code>, <code class="systemitem">rsyslogd</code>, and <code class="systemitem">setroubleshootd</code> daemons to automatically start at boot, run the following commands as the Linux root user:
 			</div><pre class="screen">/sbin/chkconfig --levels 2345 auditd on
 </pre><pre class="screen">/sbin/chkconfig --levels 2345 rsyslog on
-</pre><pre class="screen">/sbin/chkconfig --levels 345 setroubleshoot on
 </pre><div class="para">
 			Use the <code class="command">service <em class="replaceable"><code>service-name</code></em> status</code> command to check if these services are running, for example:
 		</div><pre class="screen">
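Review bot: the hunk removes `/sbin/chkconfig --levels 345 setroubleshoot on` and the `setroubleshootd, rsyslogd, and auditd on` table row, but the "Starting Daemons Automatically" sentence still reads `To configure the auditd, rsyslogd, and setroubleshootd daemons to automatically start at boot`, so the text promises a third command that is no longer shown; drop `setroubleshootd` from that sentence and from "check if these services are running". The renamed row `rsyslogd and auditd on` still says "Easier-to-read denial messages also sent to /var/log/messages", which only happens when setroubleshootd is invoked (the paragraph above conditions it on `setroubleshootd` running), so the row should state that dependency rather than silently implying it. In the new paragraph, "no longer constantly runs as a service, however it is still used" is a comma splice, "Two new programs act as a method to start setroubleshoot when needed" can be "Two new programs start setroubleshootd on demand", and "waiting for dbus messages in setroubleshootd" should be "from setroubleshootd".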
@@ -654,8 +654,8 @@
 </pre><div class="para">
 			If the above services are not running (<code class="computeroutput"><em class="replaceable"><code>service-name</code></em> is stopped</code>), use the <code class="command">service <em class="replaceable"><code>service-name</code></em> start</code> command as the Linux root user to start them. For example:
 		</div><pre class="screen">
-# /sbin/service setroubleshoot start
-Starting setroubleshootd:                                  [  OK  ]
+# /sbin/service auditd start
+Starting auditd:                                  [  OK  ]
 </pre></div><div class="section" title="5.3. Main Configuration File"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</h2></div></div></div><div class="para">
 			The <code class="filename">/etc/selinux/config</code> file is the main SELinux configuration file. It controls the SELinux mode and the SELinux policy to use:
 		</div><pre class="screen"># This file controls the state of SELinux on the system.
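Review bot: the replacement line `Starting auditd:                                  [  OK  ]` keeps the exact padding of the old `Starting setroubleshootd:` line, so the `[  OK  ]` marker no longer lands in the column where Fedora's init scripts print it (the status is moved to a fixed column, so a shorter service name gets more spaces, not the same number); paste the real output of `/sbin/service auditd start` instead of editing the service name in place.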
@@ -712,7 +712,7 @@
 			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
 						Use the <code class="command">rpm -qa | grep selinux</code>, <code class="command">rpm -q policycoreutils</code>, and <code class="command">rpm -qa | grep setroubleshoot</code> commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: <span class="package">selinux-policy-targeted</span>, <span class="package">selinux-policy</span>, <span class="package">libselinux</span>, <span class="package">libselinux-python</span>, <span class="package">libselinux-utils</span>, <span class="package">policycoreutils</span>, <span class="package">setroubleshoot</span>, <span class="package">setroubleshoot-server</span>, <span class="package">setroubleshoot-plugins</span>. If these packages are not installed, as the Linux root user, install them via the <code class="command">yum install <em class="replaceable"><code>package-name</code></em></code> command. The following packages are optional: <span class="package">policycoreu
 tils-gui</span>, <span class="package">setroubleshoot</span>, <span class="package">selinux-policy-devel</span>, and <span class="package">mcstrans</span>.
 					</div><div class="para">
-						After installing the <span class="package">setroubleshoot-server</span> package, use the <code class="command">/sbin/chkconfig --list setroubleshoot</code> command to confirm that <code class="systemitem">setroubleshootd</code> starts when the system is running in runlevel<sup>[<a id="d0e2520" href="#ftn.d0e2520" class="footnote">10</a>]</sup> 3, 4, and 5:
+						After installing the <span class="package">setroubleshoot-server</span> package, use the <code class="command">/sbin/chkconfig --list setroubleshoot</code> command to confirm that <code class="systemitem">setroubleshootd</code> starts when the system is running in runlevel<sup>[<a id="id2870085" href="#ftn.id2870085" class="footnote">10</a>]</sup> 3, 4, and 5:
 					</div><pre class="screen">$ /sbin/chkconfig --list setroubleshoot
 setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off
 </pre><div class="para">
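Review bot: this step still tells the reader to confirm that `setroubleshootd` starts in runlevels 3, 4 and 5 and shows `chkconfig --list setroubleshoot` reporting `3:on 4:on 5:on`, which contradicts section 5.2 as updated in this same revision, where `setroubleshootd` "no longer constantly runs as a service" and the `chkconfig --levels 345 setroubleshoot on` command was removed; either drop this step or reword it to check that `auditd` is enabled (`/sbin/chkconfig --list auditd`), since the on-demand path described there runs sedispatch "as part of the audit subsystem". The id change from `d0e2520` to `id2870085` is generator churn and is fine on its own.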
@@ -1083,7 +1083,7 @@
 			</div><div class="important"><h2>Important</h2><div class="para">
 					When changing the SELinux context with <code class="command">/usr/sbin/semanage fcontext -a</code>, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the <code class="command">/sbin/restorecon</code> command is run.
 				</div></div></div></div><div class="section" title="5.8. The file_t and default_t Types"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</h2></div></div></div><div class="para">
-			For file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <code class="computeroutput">file_t</code> type. This should be the only use of this type, so that files without a context on disk can be distinguished in policy, and generally kept inaccessible to confined domains. The <code class="computeroutput">file_t</code> type should not exist on correctly-labeled file systems, because all files on a system running SELinux should have an SELinux context, and the <code class="computeroutput">file_t</code> type is never used in file-context configuration<sup>[<a id="d0e3772" href="#ftn.d0e3772" class="footnote">11</a>]</sup>.
+			For file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <code class="computeroutput">file_t</code> type. This should be the only use of this type, so that files without a context on disk can be distinguished in policy, and generally kept inaccessible to confined domains. The <code class="computeroutput">file_t</code> type should not exist on correctly-labeled file systems, because all files on a system running SELinux should have an SELinux context, and the <code class="computeroutput">file_t</code> type is never used in file-context configuration<sup>[<a id="id2764973" href="#ftn.id2764973" class="footnote">11</a>]</sup>.
 		</div><div class="para">
 			The <code class="computeroutput">default_t</code> type is used on files that do not match any other pattern in file-context configuration, so that such files can be distinguished from files that do not have a context on disk, and generally kept inaccessible to confined domains. If you create a new top-level directory, such as <code class="filename">/mydirectory/</code>, this directory may be labeled with the <code class="computeroutput">default_t</code> type. If services need access to such a directory, update the file-contexts configuration for this location. Refer to <a class="xref" href="#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext" title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2, “Persistent Changes: semanage fcontext”</a> for details on adding a context to the file-context configuration.
 		</div></div><div class="section" title="5.9. Mounting File Systems"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</h2></div></div></div><div class="para">
@@ -1114,7 +1114,7 @@
 </pre><div class="para">
 				In this example:
 			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
-						the <code class="option">defcontext</code> option defines that <code class="computeroutput">system_u:object_r:samba_share_t:s0</code> is "the default security context for unlabeled files"<sup>[<a id="d0e3923" href="#ftn.d0e3923" class="footnote">12</a>]</sup>.
+						the <code class="option">defcontext</code> option defines that <code class="computeroutput">system_u:object_r:samba_share_t:s0</code> is "the default security context for unlabeled files"<sup>[<a id="id2903035" href="#ftn.id2903035" class="footnote">12</a>]</sup>.
 					</div></li><li class="listitem"><div class="para">
 						when mounted, the root directory (<code class="filename">/test/</code>) of the file system is treated as if it is labeled with the context specified by <code class="option">defcontext</code> (this label is not stored on disk). This affects the labeling for files created under <code class="filename">/test/</code>: new files inherit the <code class="computeroutput">samba_share_t</code> type, and these labels are stored on disk.
 					</div></li><li class="listitem"><div class="para">
@@ -1254,7 +1254,7 @@
 			</div><div class="important"><h2>Important</h2><div class="para">
 					Moving files and directories with the <code class="command">mv</code> command may result in the wrong SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories.
 				</div></div></div><div class="section" title="5.10.3. Checking the Default SELinux Context"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking the Default SELinux Context</h3></div></div></div><div class="para">
-				Use the <code class="command">/usr/sbin/matchpathcon</code> command to check if files and directories have the correct SELinux context. From the <span class="citerefentry"><span class="refentrytitle">matchpathcon</span>(8)</span> manual page: "<code class="command">matchpathcon</code> queries the system policy and outputs the default security context associated with the file path."<sup>[<a id="d0e4374" href="#ftn.d0e4374" class="footnote">13</a>]</sup>. The following example demonstrates using the <code class="command">/usr/sbin/matchpathcon</code> command to verify that files in <code class="filename">/var/www/html/</code> directory are labeled correctly:
+				Use the <code class="command">/usr/sbin/matchpathcon</code> command to check if files and directories have the correct SELinux context. From the <span class="citerefentry"><span class="refentrytitle">matchpathcon</span>(8)</span> manual page: "<code class="command">matchpathcon</code> queries the system policy and outputs the default security context associated with the file path."<sup>[<a id="id2938094" href="#ftn.id2938094" class="footnote">13</a>]</sup>. The following example demonstrates using the <code class="command">/usr/sbin/matchpathcon</code> command to verify that files in <code class="filename">/var/www/html/</code> directory are labeled correctly:
 			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
 						As the Linux root user, run the <code class="command">touch /var/www/html/file{1,2,3}</code> command to create three files (<code class="filename">file1</code>, <code class="filename">file2</code>, and <code class="filename">file3</code>). These files inherit the <code class="computeroutput">httpd_sys_content_t</code> type from the <code class="filename">/var/www/html/</code> directory:
 					</div><pre class="screen"># touch /var/www/html/file{1,2,3}
@@ -1353,19 +1353,19 @@
 						If <code class="command">star</code> is no longer required, as the Linux root user, run the <code class="command">yum remove star</code> command to remove the package.
 					</div></li></ol></div><div class="para">
 				Refer to the <span class="citerefentry"><span class="refentrytitle">star</span>(1)</span> manual page for further information about <code class="command">star</code>.
-			</div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e2080" href="#d0e2080" class="para">8</a>] </sup>
+			</div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id2770094" href="#id2770094" class="para">8</a>] </sup>
 				Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray McAllister. 1 November 2008. Any edits or changes in this version were done by Murray McAllister.
-			</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2192" href="#d0e2192" class="para">9</a>] </sup>
+			</p></div><div class="footnote"><p><sup>[<a id="ftn.id2732679" href="#id2732679" class="para">9</a>] </sup>
 				Managing Software with yum, written by Stuart Ellis, edited by Paul W. Frields, Rodrigo Menezes, and Hugo Cisneiros.
-			</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2520" href="#d0e2520" class="para">10</a>] </sup>
+			</p></div><div class="footnote"><p><sup>[<a id="ftn.id2870085" href="#id2870085" class="para">10</a>] </sup>
 							Refer to <a href="http://en.wikipedia.org/wiki/Runlevel">http://en.wikipedia.org/wiki/Runlevel</a> for information about runlevels.
-						</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e3772" href="#d0e3772" class="para">11</a>] </sup>
+						</p></div><div class="footnote"><p><sup>[<a id="ftn.id2764973" href="#id2764973" class="para">11</a>] </sup>
 				Files in <code class="filename">/etc/selinux/targeted/contexts/files/</code> define contexts for files and directories. Files in this directory are read by <code class="command">restorecon</code> and <code class="command">setfiles</code> to restore files and directories to their default contexts.
-			</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e3923" href="#d0e3923" class="para">12</a>] </sup>
+			</p></div><div class="footnote"><p><sup>[<a id="ftn.id2903035" href="#id2903035" class="para">12</a>] </sup>
 							Morris, James. "Filesystem Labeling in SELinux". Published 1 October 2004. Accessed 14 October 2008: <a href="http://www.linuxjournal.com/article/7426">http://www.linuxjournal.com/article/7426</a>.
-						</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e4374" href="#d0e4374" class="para">13</a>] </sup>
+						</p></div><div class="footnote"><p><sup>[<a id="ftn.id2938094" href="#id2938094" class="para">13</a>] </sup>
 					The <span class="citerefentry"><span class="refentrytitle">matchpathcon</span>(8)</span> manual page, as shipped with the <span class="package">libselinux-utils</span> package in Fedora, is written by Daniel Walsh. Any edits or changes in this version were done by Murray McAllister.
-				</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 6. Confining Users"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Confining_Users">Chapter 6. Confining Users</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</a></span></dt><dt><span class="sectio
 n"><a href="#sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</a></span></dt></dl></div><div class="para">
+				</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 6. Confining Users" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Confining_Users">Chapter 6. Confining Users</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</a></span></dt><dt><span 
 class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</a></span></dt></dl></div><div class="para">
 		A number of confined SELinux users are available in Fedora 12. Each Linux user is mapped to an SELinux user via SELinux policy, allowing Linux users to inherit the restrictions placed on SELinux users, for example (depending on the user), not being able to: run the X Window System; use networking; run setuid applications (unless SELinux policy permits it); or run the <code class="command">su</code> and <code class="command">sudo</code> commands. This helps protect the system from the user. Refer to <a class="xref" href="#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users" title="4.3. Confined and Unconfined Users">Section 4.3, “Confined and Unconfined Users”</a> for further information about confined users.
 	</div><div class="section" title="6.1. Linux and SELinux User Mappings"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</h2></div></div></div><div class="para">
 			As the Linux root user, run the <code class="command">semanage login -l</code> command to view the mapping between Linux users and SELinux users:
@@ -1510,7 +1510,7 @@
 					If this is not the case, refer to <a class="xref" href="#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes" title="5.5. SELinux Modes">Section 5.5, “SELinux Modes”</a> for information about changing to enforcing mode. It is not possible to log in with this account if SELinux is in permissive mode or disabled.
 				</div></li><li class="listitem"><div class="para">
 					You can only log in to this account via the GNOME Display Manager (GDM). Once the <span class="package">xguest</span> package is installed, a <code class="computeroutput">Guest</code> account is added to GDM. To log in, click on the <code class="computeroutput">Guest</code> account:
-				</div><div class="mediaobject"><img src="./images/xguest.png"/></div></li></ol></div></div><div class="section" title="6.6. Booleans for Users Executing Applications"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</h2></div></div></div><div class="para">
+				</div><div class="mediaobject"><img src="./images/xguest.png" /></div></li></ol></div></div><div class="section" title="6.6. Booleans for Users Executing Applications"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Booleans_for_Users_Executing_Applications">6.6. Booleans for Users Executing Applications</h2></div></div></div><div class="para">
 			Not allowing Linux users to execute applications (which inherit users' permissions) in their home directories and <code class="filename">/tmp/</code>, which they have write access to, helps prevent flawed or malicious applications from modifying files that users own. In Fedora 12, by default, Linux users in the <code class="computeroutput">guest_t</code> and <code class="computeroutput">xguest_t</code> domains can not execute applications in their home directories or <code class="filename">/tmp/</code>; however, by default, Linux users in the <code class="computeroutput">user_t</code> and <code class="computeroutput">staff_t</code> domains can.
 		</div><div class="para">
 			Booleans are available to change this behavior, and are configured with the <code class="command">setsebool</code> command. The <code class="command">setsebool</code> command must be run as the Linux root user. The <code class="command">setsebool -P</code> command makes persistent changes. Do not use the <code class="option">-P</code> option if you do not want changes to persist across reboots:
@@ -1530,14 +1530,14 @@
 				To <span class="emphasis"><em>prevent</em></span> Linux users in the <code class="computeroutput">staff_t</code> domain from executing applications in their home directories and <code class="filename">/tmp/</code>:
 			</div><div class="para">
 			<code class="command">/usr/sbin/setsebool -P allow_staff_exec_content off</code>
-		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 7. Troubleshooting"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Troubleshooting">Chapter 7. Troubleshooting</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="#sect-S
 ecurity-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials">7.3.2. Possible Causes of Silent Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive Domains</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Pr
 oblems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access: audit2allow</a></span></dt></dl></dd></dl></div><div class="para">
+		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 7. Troubleshooting" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Troubleshooting">Chapter 7. Troubleshooting</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a 
 href="#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials">7.3.2. Possible Causes of Silent Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services">7.3.3. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains">7.3.4. Permissive Domains</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Li
 nux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert Messages</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access: audit2allow</a></span></dt></dl></dd></dl></div><div class="para">
 		The following chapter describes what happens when SELinux denies access; the top three causes of problems; where to find information about correct labeling; analyzing SELinux denials; and creating custom policy modules with <code class="command">audit2allow</code>.
 	</div><div class="section" title="7.1. What Happens when Access is Denied"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</h2></div></div></div><div class="para">
 			SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials", and are logged to a different location, depending on which daemons are running:
 		</div><div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Daemon</th><th>Log Location</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code></td></tr><tr class="seglistitem"><td class="seg">auditd off; rsyslogd on</td><td class="seg"><code class="filename">/var/log/messages</code></td></tr><tr class="seglistitem"><td class="seg">setroubleshootd, rsyslogd, and auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial messages also sent to <code class="filename">/var/log/messages</code></td></tr></tbody></table></div><div class="para">
 			If you are running the X Window System, have the <span class="package">setroubleshoot</span> and <span class="package">setroubleshoot-server</span> packages installed, and the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons are running, a warning is displayed when access is denied by SELinux:
-		</div><div class="mediaobject"><img src="./images/setroubleshoot_denial.png"/></div><div class="para">
-			Clicking on the star icon, or on 'Show', presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browsing your website may receive an error similar to the following:
+		</div><div class="mediaobject"><img src="./images/denial.png" width="444" /></div><div class="para">
+			Clicking on 'Show' presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browsing your website may receive an error similar to the following:
 		</div><pre class="screen">
 Forbidden
 
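Review bot: the screenshot swap from "./images/setroubleshoot_denial.png" to "./images/denial.png" introduces a hard-coded width="444" that the other screenshots in this diff ("./images/xguest.png" in the 1510 hunk, "./images/sealertgui.png" in the 1762 hunk) do not carry, so this one renders at a fixed size while the others scale with the page; either drop the attribute or size all three the same way. Confirm that denial.png is committed with this change and that the now-unreferenced setroubleshoot_denial.png is removed from the images directory. Also, the new sentence quotes the button as 'Show' with bare single quotes, whereas UI elements elsewhere in the diff are marked up (the Guest account in the 1510 hunk is written as <code class="computeroutput">Guest</code>); marking up 'Show' the same way keeps the rendering consistent. The chapter div gaining lang="en-US" next to xml:lang="en-US" is the right pairing for XHTML that is served as text/html.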
@@ -1558,7 +1558,7 @@
 # /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
 "/srv/myweb(/.*)?"
 </pre><div class="para">
-				This <code class="command">semanage</code> command adds the context for the <code class="filename">/srv/myweb/</code> directory (and all files and directories under it) to the SELinux file-context configuration<sup>[<a id="d0e5371" href="#ftn.d0e5371" class="footnote">14</a>]</sup>. The <code class="command">semanage</code> command does not change the context. As the Linux root user, run the <code class="command">restorecon</code> command to apply the changes:
+				This <code class="command">semanage</code> command adds the context for the <code class="filename">/srv/myweb/</code> directory (and all files and directories under it) to the SELinux file-context configuration<sup>[<a id="id2804320" href="#ftn.id2804320" class="footnote">14</a>]</sup>. The <code class="command">semanage</code> command does not change the context. As the Linux root user, run the <code class="command">restorecon</code> command to apply the changes:
 			</div><pre class="screen">
 # /sbin/restorecon -R -v /srv/myweb
 </pre><div class="para">
@@ -1624,7 +1624,7 @@
 			</div><pre class="screen">
 type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
 </pre><div class="para">
-				To allow <code class="systemitem">httpd</code> to listen on a port that is not listed for the <code class="computeroutput">http_port_t</code> port type, run the <code class="command">semanage port</code> command to add a port to policy configuration<sup>[<a id="d0e5533" href="#ftn.d0e5533" class="footnote">15</a>]</sup>:
+				To allow <code class="systemitem">httpd</code> to listen on a port that is not listed for the <code class="computeroutput">http_port_t</code> port type, run the <code class="command">semanage port</code> command to add a port to policy configuration<sup>[<a id="id2911633" href="#ftn.id2911633" class="footnote">15</a>]</sup>:
 			</div><pre class="screen">
 # /usr/sbin/semanage port -a -t http_port_t -p tcp 9876
 </pre><div class="para">
@@ -1731,11 +1731,11 @@
 				</div><div class="para">
 					Refer to Dan Walsh's <a href="http://danwalsh.livejournal.com/24537.html">"Permissive Domains"</a> blog entry for further information about permissive domains.
 				</div></div></div><div class="section" title="7.3.5. Searching For and Viewing Denials"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</h3></div></div></div><div class="para">
-				This section assumes the <span class="package">setroubleshoot</span>, <span class="package">setroubleshoot-server</span>, and <span class="package">audit</span> packages are installed, and that the <code class="systemitem">auditd</code>, <code class="systemitem">rsyslogd</code>, and <code class="systemitem">setroubleshootd</code> daemons are running. Refer to <a class="xref" href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used" title="5.2. Which Log File is Used">Section 5.2, “Which Log File is Used”</a> for information about starting these daemons. A number of tools are available for searching for and viewing SELinux denials, such as <code class="command">ausearch</code>, <code class="command">aureport</code>, and <code class="command">sealert</code>.
+				This section assumes the <span class="package">setroubleshoot</span>, <span class="package">setroubleshoot-server</span>, <span class="package">dbus</span> and <span class="package">audit</span> packages are installed, and that the <code class="systemitem">auditd</code>, <code class="systemitem">rsyslogd</code>, and <code class="systemitem">setroubleshootd</code> daemons are running. Refer to <a class="xref" href="#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used" title="5.2. Which Log File is Used">Section 5.2, “Which Log File is Used”</a> for information about starting these daemons. A number of tools are available for searching for and viewing SELinux denials, such as <code class="command">ausearch</code>, <code class="command">aureport</code>, and <code class="command">sealert</code>.
 			</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-ausearch">ausearch</h5>
-					The <span class="package">audit</span> package provides <code class="command">ausearch</code>. From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page: "<code class="command">ausearch</code> is a tool that can query the audit daemon logs based for events based on different search criteria"<sup>[<a id="d0e5982" href="#ftn.d0e5982" class="footnote">16</a>]</sup>. The <code class="command">ausearch</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user:
+					The <span class="package">audit</span> package provides <code class="command">ausearch</code>. From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page: "<code class="command">ausearch</code> is a tool that can query the audit daemon logs based for events based on different search criteria"<sup>[<a id="id2870920" href="#ftn.id2870920" class="footnote">16</a>]</sup>. The <code class="command">ausearch</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user:
 				</div><div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Searching For</th><th>Command</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">all denials</td><td class="seg"><code class="command">/sbin/ausearch -m avc</code></td></tr><tr class="seglistitem"><td class="seg">denials for that today</td><td class="seg"><code class="command">/sbin/ausearch -m avc -ts today</code></td></tr><tr class="seglistitem"><td class="seg">denials from the last 10 minutes</td><td class="seg"><code class="command">/sbin/ausearch -m avc -ts recent</code></td></tr></tbody></table></div><div class="para">
-				To search for SELinux denials for a particular service, use the <code class="option">-c <em class="replaceable"><code>comm-name</code></em></code> option, where <em class="replaceable"><code>comm-name</code></em> "is the executable’s name"<sup>[<a id="d0e6034" href="#ftn.d0e6034" class="footnote">17</a>]</sup>, for example, <code class="systemitem">httpd</code> for the Apache HTTP Server, and <code class="systemitem">smbd</code> for Samba:
+				To search for SELinux denials for a particular service, use the <code class="option">-c <em class="replaceable"><code>comm-name</code></em></code> option, where <em class="replaceable"><code>comm-name</code></em> "is the executable’s name"<sup>[<a id="id2871018" href="#ftn.id2871018" class="footnote">17</a>]</sup>, for example, <code class="systemitem">httpd</code> for the Apache HTTP Server, and <code class="systemitem">smbd</code> for Samba:
 			</div><div class="para">
 				<code class="command">/sbin/ausearch -m avc -c httpd</code>
 			</div><div class="para">
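Review bot: dbus is added to the package list in this sentence, but the list of daemons that must be running in the same sentence (auditd, rsyslogd, and setroubleshootd) is not updated, while the 1762 hunk below does add dbus to its daemon list; the two passages should agree, since the package was presumably added because the message bus has to be up for sealert and the desktop notification to work. Add the D-Bus daemon here as well, named the same way as in the 1762 hunk (see the naming point there). Minor style: the new list reads "setroubleshoot-server, dbus and audit packages", dropping the serial comma that the daemon list on the same line uses.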
@@ -1743,7 +1743,7 @@
 			</div><div class="para">
 				Refer to the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page for further <code class="command">ausearch</code> options.
 			</div><div class="formalpara"><h5 class="formalpara" id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-aureport">aureport</h5>
-					The <span class="package">audit</span> package provides <code class="command">aureport</code>. From the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page: "<code class="command">aureport</code> is a tool that produces summary reports of the audit system logs"<sup>[<a id="d0e6094" href="#ftn.d0e6094" class="footnote">18</a>]</sup>. The <code class="command">aureport</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the <code class="command">aureport -a</code> command. The following is example output that includes two denials:
+					The <span class="package">audit</span> package provides <code class="command">aureport</code>. From the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page: "<code class="command">aureport</code> is a tool that produces summary reports of the audit system logs"<sup>[<a id="id2808474" href="#ftn.id2808474" class="footnote">18</a>]</sup>. The <code class="command">aureport</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the <code class="command">aureport -a</code> command. The following is example output that includes two denials:
 				</div><pre class="screen">
 # /sbin/aureport -a
 
@@ -1762,8 +1762,8 @@
 </pre><div class="para">
 				In this example, the denial ID is <code class="computeroutput">84e0b04d-d0ad-4347-8317-22e74f6cd020</code>. The <code class="option">-l</code> option takes an ID as an argument. Running the <code class="command">sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</code> command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access.
 			</div><div class="para">
-				If you are running the X Window System, have the <span class="package">setroubleshoot</span> and <span class="package">setroubleshoot-server</span> packages installed, and the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons are running, a yellow star and a warning are displayed when access is denied by SELinux. Clicking on the star launches the <code class="command">sealert</code> GUI, and displays denials in HTML output:
-			</div><div class="mediaobject"><img src="./images/sealert_gui.png"/></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+				If you are running the X Window System, have the <span class="package">setroubleshoot</span> and <span class="package">setroubleshoot-server</span> packages installed, and the <code class="systemitem">setroubleshootd</code>, <code class="systemitem">dbus</code> and <code class="systemitem">auditd</code> daemons are running, a warning is displayed when access is denied by SELinux. Clicking on 'Show' launches the <code class="command">sealert</code> GUI, and displays denials in HTML output:
+			</div><div class="mediaobject"><img src="./images/sealertgui.png" /></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
 						Run the <code class="command">sealert -b</code> command to launch the <code class="command">sealert</code> GUI.
 					</div></li><li class="listitem"><div class="para">
 						Run the <code class="command">sealert -l \*</code> command to view a detailed analysis of all denials.
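Review bot: the new daemon list names dbus, which is the package name this same change introduces in the 1731 hunk, not the name of a daemon; the D-Bus process is dbus-daemon, and naming it that way (or writing "the D-Bus system bus") lets the reader match it against ps output or the service list, and lets the 1731 and 1762 sentences use one consistent name. The image rename from sealert_gui.png to sealertgui.png only works if the renamed file is committed under ./images/; please also check that the old name is not still referenced elsewhere in the book. The rewording from "a yellow star and a warning" / "Clicking on the star" to "a warning" / "Clicking on 'Show'" matches the 1530 hunk, so the two descriptions of the notification now agree; as there, 'Show' should get the same markup the document uses for other UI elements rather than bare quotes.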
@@ -1874,7 +1874,7 @@
 						</div></dd></dl></div></div><div class="section" title="7.3.8. Allowing Access: audit2allow"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow">7.3.8. Allowing Access: audit2allow</h3></div></div></div><div class="para">
 				Do not use the example in this section in production. It is used only to demonstrate the use of <code class="command">audit2allow</code>.
 			</div><div class="para">
-				From the <span class="citerefentry"><span class="refentrytitle">audit2allow</span>(1)</span> manual page: "<code class="command">audit2allow</code> - generate SELinux policy allow rules from logs of denied operations"<sup>[<a id="d0e6536" href="#ftn.d0e6536" class="footnote">19</a>]</sup>. After analyzing denials as per <a class="xref" href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages" title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>, and if no label changes or Booleans allowed access, use <code class="command">audit2allow</code> to create a local policy module. After access is denied by SELinux, running the <code class="command">audit2allow</code> command presents Type Enforcement rules that allow the previously denied access.
+				From the <span class="citerefentry"><span class="refentrytitle">audit2allow</span>(1)</span> manual page: "<code class="command">audit2allow</code> - generate SELinux policy allow rules from logs of denied operations"<sup>[<a id="id2757812" href="#ftn.id2757812" class="footnote">19</a>]</sup>. After analyzing denials as per <a class="xref" href="#sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages" title="7.3.7. sealert Messages">Section 7.3.7, “sealert Messages”</a>, and if no label changes or Booleans allowed access, use <code class="command">audit2allow</code> to create a local policy module. After access is denied by SELinux, running the <code class="command">audit2allow</code> command presents Type Enforcement rules that allow the previously denied access.
 			</div><div class="para">
 				The following example demonstrates using <code class="command">audit2allow</code> to create a policy module:
 			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
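Review bot: the only change in this hunk is the footnote anchor for footnote 19, `d0e6536` becoming `id2757812` in both the `id` and the `href`; it must stay paired with the `ftn.id2757812` definition in the footnotes block, and the later hunk shows that it does. These ids are generator-assigned and change on every rebuild, which makes each publish a noisy diff and silently breaks any external deep link to `#ftn.d0e6536`; if footnote links are meant to be stable, give the footnotes explicit ids in the source rather than relying on the generated ones.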
@@ -1932,19 +1932,19 @@
 # /usr/sbin/semodule -i mycertwatch2.pp
 </pre><div class="para">
 				Refer to Dan Walsh's <a href="http://danwalsh.livejournal.com/24750.html">"Using audit2allow to build policy modules. Revisited."</a> blog entry for further information about using <code class="command">audit2allow</code> to build policy modules.
-			</div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e5371" href="#d0e5371" class="para">14</a>] </sup>
+			</div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id2804320" href="#id2804320" class="para">14</a>] </sup>
 					Files in <code class="filename">/etc/selinux/targeted/contexts/files/</code> define contexts for files and directories. Files in this directory are read by <code class="command">restorecon</code> and <code class="command">setfiles</code> to restore files and directories to their default contexts.
-				</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e5533" href="#d0e5533" class="para">15</a>] </sup>
+				</p></div><div class="footnote"><p><sup>[<a id="ftn.id2911633" href="#id2911633" class="para">15</a>] </sup>
 					The <code class="command">semanage port -a</code> command adds an entry to the <code class="filename">/etc/selinux/targeted/modules/active/ports.local</code> file. Note: by default, this file can only be viewed by the Linux root user.
-				</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e5982" href="#d0e5982" class="para">16</a>] </sup>
+				</p></div><div class="footnote"><p><sup>[<a id="ftn.id2870920" href="#id2870920" class="para">16</a>] </sup>
 						From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 12.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e6034" href="#d0e6034" class="para">17</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.id2871018" href="#id2871018" class="para">17</a>] </sup>
 					From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 12.
-				</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e6094" href="#d0e6094" class="para">18</a>] </sup>
+				</p></div><div class="footnote"><p><sup>[<a id="ftn.id2808474" href="#id2808474" class="para">18</a>] </sup>
 						From the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 12.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e6536" href="#d0e6536" class="para">19</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.id2757812" href="#id2757812" class="para">19</a>] </sup>
 					From the <span class="citerefentry"><span class="refentrytitle">audit2allow</span>(1)</span> manual page, as shipped with the <span class="package">policycoreutils</span> package in Fedora 12.
-				</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 8. Further Information"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Further_Information">Chapter 8. Further Information</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Further_Information-Contributors">8.1. Contributors</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Further_Information-Other_Resources">8.2. Other Resources</a></span></dt></dl></div><div class="section" title="8.1. Contributors"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Further_Information-Contributors">8.1. Contributors</h2></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+				</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 8. Further Information" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Further_Information">Chapter 8. Further Information</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Further_Information-Contributors">8.1. Contributors</a></span></dt><dt><span class="section"><a href="#sect-Security-Enhanced_Linux-Further_Information-Other_Resources">8.2. Other Resources</a></span></dt></dl></div><div class="section" title="8.1. Contributors"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Further_Information-Contributors">8.1. Contributors</h2></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
 					<a href="http://fedoraproject.org/wiki/GeertWarrink">Geert Warrink</a> (translation - Dutch)
 				</div></li><li class="listitem"><div class="para">
 					<a href="http://fedoraproject.org/wiki/User:Beckerde">Domingo Becker</a> (translation - Spanish)
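Review bot: footnotes 14 through 18 get new `ftn.id…` anchors here (`ftn.id2804320`, `ftn.id2911633`, `ftn.id2870920`, `ftn.id2871018`, `ftn.id2808474`), but their forward references in the body are not part of this diff, so confirm each `href="#ftn.id…"` was updated in the same commit; only footnote 19's pair (`id2757812`) is visible and consistent. Adding `lang="en-US"` beside `xml:lang="en-US"` on the chapter div is the right choice for XHTML 1.0 that may be served as text/html, and the `<br />` / `<hr />` spacing changes are serializer noise with no effect. Unrelated to this change but worth a follow-up: footnotes 16 and 17 carry identical text ("From the ausearch(8) manual page, as shipped with the audit package in Fedora 12") and could be collapsed into one footnote referenced twice.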
@@ -2004,7 +2004,7 @@
 					#fedora-selinux
 				</div></li><li class="listitem"><div class="para">
 					#security
-				</div></li></ul></div></div></div><div xml:lang="en-US" class="appendix" title="Appendix A. Revision History"><div class="titlepage"><div><div><h1 id="appe-Security-Enhanced_Linux-Revision_History" class="title">Revision History</h1></div></div></div><div class="para">
+				</div></li></ul></div></div></div><div xml:lang="en-US" class="appendix" title="Appendix A. Revision History" lang="en-US"><div class="titlepage"><div><div><h1 id="appe-Security-Enhanced_Linux-Revision_History" class="title">Revision History</h1></div></div></div><div class="para">
 		<div class="revhistory"><table border="0" width="100%" summary="Revision history"><tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr><tr><td align="left">Revision 1.4</td><td align="left">Mon Aug 31 2009</td><td align="left"><span class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></span></td></tr><tr><td align="left" colspan="3">
 					<table border="0" summary="Simple list" class="simplelist"><tr><td>Update and verification for Fedora 12</td></tr></table>
 				</td></tr><tr><td align="left">Revision 1.3</td><td align="left">Tue May 12 2009</td><td align="left"><span class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></span></td></tr><tr><td align="left" colspan="3">
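Review bot: the revision history still lists Revision 1.4 (Mon Aug 31 2009) as the most recent entry, yet this diff changes the guide's content (the sealert notification description and its screenshot in the earlier hunk); add a revision row describing what changed so a reader can tell this build apart from the August one. The `lang="en-US"` addition on the appendix div is consistent with the chapter div change above.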
@@ -2016,4 +2016,4 @@
 				</td></tr><tr><td align="left">Revision 1.0</td><td align="left">Tue Nov 25 2008</td><td align="left"><span class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></span></td></tr><tr><td align="left" colspan="3">
 					<table border="0" summary="Simple list" class="simplelist"><tr><td>Initial content release on <a href="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</a></td></tr></table>
 				</td></tr></table></div>
-	</div></div></div></body></html>
\ No newline at end of file
+	</div></div></div></body></html>
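Review bot: the only change in this hunk is that the file now ends with a newline (the `\ No newline at end of file` marker on the old side goes away); the closing tags are otherwise identical. Nothing to fix here.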




More information about the Fedora-docs-commits mailing list