The SELinux Documentation Project

Serge E. Hallyn serue at us.ibm.com
Mon Dec 14 18:32:01 UTC 2009


Quoting Dominick Grift (domg472 at gmail.com):
> On Mon, Dec 14, 2009 at 11:49:15AM -0600, Serge E. Hallyn wrote:
> > Quoting Joshua Brindle (method at manicmethod.com):
> > > Dominick Grift wrote:
> > > >On 11/27/2009 09:31 PM, Joshua Brindle wrote:
> > > >>Joshua Brindle wrote:
> > > >>>As we discussed at Linux Plumbers Conference during the "Making SELinux
> > > >>>Easier to Use" talk we have some document deficiencies in the SELinux
> > > >>>project.
> > > >>>
> > > >><snip>
> > > >>
> > > >>We have gotten some good contributions to the documentation project over
> > > >>the last couple months but there is always more to do. I've updated the
> > > >>Documentation TODO at:
> > > >>
> > > >><http://selinuxproject.org/page/Documentation_TODO>
> > > >>
> > > >>with some docs we'd like written and some guidance on what the format
> > > >>should be. Use cases would be particularly appreciated.
> > > >>
> > > >>If you haven't gone to the documentation wiki lately take a look at
> > > >>
> > > >><http://selinuxproject.org/page/Main_Page>
> > > >>
> > > >>and see what's been added.
> > > >>
> > > >>Thanks for the help of the contributors and hopefully this effort will
> > > >>go a long way toward gaining users and keeping SELinux enabled.
> > > >>
> > > >>--
> > > >>fedora-selinux-list mailing list
> > > >>fedora-selinux-list at redhat.com
> > > >>https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > >
> > > >Attached is a concept I wrote today about Locking down webapps with CGI.
> > > >This was a topic in the todo list.
> > > >
> > > >Would be nice if someone could proof-read this and when
> > > >modified/accepted publish it.
> > > 
> > > It's a wiki :) Just put it up there and others can make
> > 
> > How are we to create an account to edit a page?  The 'Log in/Create
> > Account' page doesn't seem to let me create an account?
> > 
> > I'd like to add the recipe
> > 
> >         useradd xa
> >         semanage user -a -R user_r xa
> >         semanage login -a -s xa xa
> 
> You would probably also need:
> 
> cd /etc/selinux/targeted/contexts/users; cp user_u xa;
> 
> To make that work.

Hmm - I didn't think in f10 or f11 I needed to, but good to
know, thanks!

> Easier would probably be: useradd -Z user_u xa

Excellent, didn't know about it and I like it :)

> or
> 
> useradd xa
> semanage login -m -s user_u -r s0-s0 xa

I don't have a Fedora system handy at the moment - is the help
documentation in semanage now context-sensitive (so
'semanage login help' and 'semanage user help' give different,
briefer, more meaningful help)?

> You should send an e-mail to James Morris. He maintains the site and will add a login if you ask him.
> 
> > 
> > to lock user xa into its own selinux context to the recipes page.
> > If someone else is willing to post it, all the better.
> > 
> > > modifications. There are actually a couple people who are decent at
> > > copy editing that have done some work on the wiki so if we get
> > > technical content up there they can do what they do to clean it up.
> > 
> > thanks,
> > -serge

thanks,
-serge



