Head-banging targets, please

David Hart dhart275 at offramp.com
Thu Dec 30 22:26:24 UTC 2004 

I need help understanding SELinux!

I've read just about every on-line SELinux article I can find, and I am
getting progressively more confused as I read more.  Following along in
these articles on a Fedora Core 3 system, reading documents written for
Fedora Core 2 Test 3 and before, is confusing.  The older the document,
the more my installation fails to match the documentation.  

I need a starting place, some things to look at once I have my Fedora
Core 3 installation running.  Some simple things, some that work
correctly, some that fail and I can learn how to track down and fix.

And, the answers to some basic questions:
  1) Why does a Fedora Core 3 installation, with SELinux "Active" or
     "Warn", not install selinux-policy-targeted-sources?  I kept
     pulling my hair out (little that there is) when trying to find:
            /etc/selinux/targeted/src/policy
     All the documents referred to this directory, and it was VERY
     confusing not to find it.  This directory should at least be
     an empty directory after a fresh install.
  2) Are the setools and setools-gui packages required to be used on a
     SELinux enabled system?  If so, why are they not installed when
     SELinux is installed?  In particular, I am very confused about how
     to create new users and new groups.  It looks like I need to update
     our in-house instructions to use seuseradd, seuserdel, etc. instead
     of useradd and userdel?
  3) Where the heck is the SELinux audit file?  Try as much as I could,
     I can't find it.  Every document references it, but none I have
     found actually refer to it by path/filename.
  4) I know you guys discuss policy problems all the time, from the
     viewpoint of their AVC log events, but I'd like to see what one of
     these AVC log events looks like on my system.  In particular, I
     have a Fedora Core 3 Workstation installation running the targeted
     policy in enforcing mode.  I'd appreciate a simple test I could
     perform that would generate an AVC log entry, some idea on how to
     look for the log entry, and some idea about how to analyze the log
     entry.  I know, blasphemy.   But there are three ways that adults
     learn:
         1. Visual: people who learn by seeing it done.
         2. Auditory: people who learn by hearing.
         3. Kenesthetic: people who learn by doing (touch and body
            movement).
     I'm a #3.
  5) Does it make sense to have a Workstation installation with the
     "strict" policy?  Under what circumstances?

I am putting instructions together for people in my Lab on how to
install and use Fedora Core 3.  One of the early lessons I want to
document is some simple instructions on how to use SELinux.  Then, as
other instructions are written for other Lab-oriented tasks, I would
integrate SELinux into these instructions.  The people in the Lab are
responsible for maintaining their various computers, so knowledge about
SELinux appears necessary.  If I can't understand it and explain it to
them, things are going to get messy.

Thanks for the help.

-- 
David Hart <dhart275 at offramp.com>

More information about the fedora-selinux-list mailing list