web/html/docs/selinux-faq-fc5 index.php,1.5,1.6
Paul W. Frields (pfrields)
fedora-websites-list at redhat.com
Tue Jun 6 19:28:15 UTC 2006
Author: pfrields
Update of /cvs/fedora/web/html/docs/selinux-faq-fc5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18935
Modified Files:
index.php
Log Message:
Added it translation and updated en_US to newest build
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.5 -r 1.6 index.php
Index: index.php
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-faq-fc5/index.php,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- index.php 28 Apr 2006 19:37:48 -0000 1.5
+++ index.php 6 Jun 2006 19:28:13 -0000 1.6
@@ -1,3423 +1,20 @@
<?
-
include("site.inc");
+
$template = new Page;
-$template->initCommon();
+$template->initCommon();
+
$template->displayHeader();
?>
+<h1>SELinux FAQ for Fedora Core 5</h1>
-<div class="article" lang="en">
-<div class="titlepage">
-<div>
-<div><h1 class="title">
-<a name="selinux-faq"></a>Fedora Core 5 SELinux FAQ</h1></div>
-<div><div class="authorgroup">
-<div class="author"><h3 class="author">
-<span class="firstname">Karsten</span> <span class="surname">Wade</span>
-</h3></div>
-<div class="author"><h3 class="author">
-<span class="firstname">Chad</span> <span class="surname">Sellers</span>
-</h3></div>
-</div></div>
-<div><p class="othercredit"><span class="firstname">Francesco</span> <span class="surname">Tombolini</span></p></div>
-<div><p class="copyright">Copyright © 2004, 2005 Red Hat, Inc., Karsten Wade</p></div>
-<div><p class="copyright">Copyright © 2006 Chad Sellers, Paul W. Frields</p></div>
-<div><div class="legalnotice">
-<a name="legalnotice"></a><p>
- Copyright (c) 2006 by Red Hat, Inc. and others. This material may be
- distributed only subject to the terms and conditions set forth in the Open
- Publication License, v1.0, available at <a href="http://www.opencontent.org/openpub/" target="_top">http://www.opencontent.org/openpub/</a>.
- </p>
-<p>
- Garrett LeSage created the admonition graphics (note, tip, important, caution,
- and warning). Tommy Reynolds <code class="email"><<a href="mailto:Tommy.Reynolds at MegaCoder.com">Tommy.Reynolds at MegaCoder.com</a>></code>
- created the callout graphics. They all may be freely redistributed with
- documentation produced for the Fedora Project.
-</p>
-<p>
- FEDORA, FEDORA PROJECT, and the Fedora Logo are trademarks of Red Hat, Inc.,
- are registered or pending registration in the U.S. and other countries, and
- are used here under license to the Fedora Project.
-</p>
-<p>
- Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc.
- in the United States and other countries.
-</p>
-<p>
- All other trademarks and copyrights referred to are the property of their
- respective owners.
-</p>
-</div></div>
-<div><div class="revhistory"><table border="1" width="100%" summary="Revision history">
-<tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr>
-<tr>
-<td align="left">Revision 1.5.6</td>
-<td align="left">2006-04-28</td>
-<td align="left">CS</td>
-</tr>
-<tr><td align="left" colspan="3">
- <p>
- Fix for bz #18727, bz#139744, bz#144696, bz#147915, and
- bz#190181; other fixes, including from
- http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions
- </p>
- </td></tr>
-<tr>
-<td align="left">Revision 1.5.5</td>
-<td align="left">2006-04-07</td>
-<td align="left">KW</td>
-</tr>
-<tr><td align="left" colspan="3">
- <p>
- Fix for bz #188219; legal notice fix.
- </p>
- </td></tr>
-<tr>
-<td align="left">Revision 1.5.4</td>
-<td align="left">2006-03-21</td>
-<td align="left">CS</td>
-</tr>
-<tr><td align="left" colspan="3">
- <p>
- Updated log file location for FC5 release, added targeted
- domains FAQ
- </p>
- </td></tr>
-<tr>
-<td align="left">Revision 1.5.3</td>
-<td align="left">2006-03-21</td>
-<td align="left">CS</td>
-</tr>
-<tr><td align="left" colspan="3">
- <p>
- Numerous content updates for FC5 release
- </p>
- </td></tr>
-<tr>
-<td align="left">Revision 1.5.2</td>
-<td align="left">2006-02-10</td>
-<td align="left">PWF</td>
-</tr>
-<tr><td align="left" colspan="3">
- <p>
- Make admonition more easily maintainable
- </p>
- </td></tr>
-<tr>
-<td align="left">Revision 1.5.1</td>
-<td align="left">2006-02-05</td>
-<td align="left">PWF</td>
-</tr>
-<tr><td align="left" colspan="3">
- <p>
- Style and readability editing; some element clarifications
- </p>
- </td></tr>
-<tr>
-<td align="left">Revision 1.5</td>
-<td align="left">2006-02-03</td>
-<td align="left">CS</td>
-</tr>
-<tr><td align="left" colspan="3">
- <p>
- First round of editing.
- </p>
- </td></tr>
-</table></div></div>
-</div>
-<hr>
-</div>
-<div class="toc"><dl><dt><span class="section"><a href="#sn-selinux-faq">1. SELinux Notes and FAQ</a></span></dt></dl></div>
-<div class="section" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="sn-selinux-faq"></a>1. SELinux Notes and FAQ</h2></div></div></div>
-<p>
- The information in this FAQ is valuable for those who are new to SELinux. It
- is also valuable if you are new to the latest SELinux implementation in
- Fedora Core, since some of the behavior may be different than you have
- experienced.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: This FAQ is specific to Fedora Core 5">
-<tr>
-<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="./stylesheet-images/note.png"></td>
-<th align="left">This FAQ is specific to Fedora Core 5</th>
-</tr>
-<tr><td align="left" valign="top"><p>
- If you are looking for the FAQ for other versions of Fedora Core, refer to
- <a href="http://fedora.redhat.com/docs/selinux-faq/" target="_top">http://fedora.redhat.com/docs/selinux-faq/</a>.
- </p></td></tr>
-</table></div>
-<p>
- For more information about how SELinux works, how to use SELinux for general
- and specific Linux distributions, and how to write policy, these resources
- are useful:
- </p>
-<div class="itemizedlist">
-<a name="external-link-list"></a><p class="title"><b>External Link List</b></p>
-<ul type="disc">
-<li><p>
- NSA SELinux main website — <a href="http://www.nsa.gov/selinux/" target="_top">http://www.nsa.gov/selinux/</a>
- </p></li>
-<li><p>
- NSA SELinux FAQ — <a href="http://www.nsa.gov/selinux/info/faq.cfm" target="_top">http://www.nsa.gov/selinux/info/faq.cfm</a>
- </p></li>
-<li><p>
- SELinux community page — <a href="http://selinux.sourceforge.net" target="_top">http://selinux.sourceforge.net</a>
- </p></li>
-<li><p>
- UnOfficial FAQ — <a href="http://www.crypt.gen.nz/selinux/faq.html" target="_top">http://www.crypt.gen.nz/selinux/faq.html</a>
- </p></li>
-<li><p>
- Writing traditional SE Linux policy HOWTO — <a href="https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266" target="_top">https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266</a>
- </p></li>
-<li><p>
- Reference Policy (the new policy found in Fedora Core 5) — <a href="http://serefpolicy.sourceforge.net/" target="_top">http://serefpolicy.sourceforge.net/</a>
- </p></li>
-<li><p>
- SELinux policy development training courses — <a href="http://tresys.com/services/training.shtml" target="_top">http://tresys.com/services/training.shtml</a> and <a href="https://www.redhat.com/training/security/courses/rhs429.html" target="_top">https://www.redhat.com/training/security/courses/rhs429.html</a>
- </p></li>
-<li><p>
- Getting Started with SE Linux HOWTO: the new SE Linux (Debian) —
- <a href="https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266" target="_top">https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266</a>
- </p></li>
-<li><p>
- List of SELinux object classes and permissions —
- <a href="http://tresys.com/selinux/obj_perms_help.shtml" target="_top">http://tresys.com/selinux/obj_perms_help.shtml</a>
- </p></li>
[...3038 lines suppressed...]
- For files, <code class="computeroutput">relabelfrom</code> means "Can
- domain D relabel a file from (i.e. currently in) type T1?" and
- <code class="computeroutput">relabelto</code> means "Can domain D
- relabel a file to type T2?", so both checks are applied upon a
- file relabeling, where T1 is the original type of the type and T2
- is the new type specified by the program.
- </p>
-<p>
- Useful documents to look at:
- </p>
-<div class="itemizedlist"><ul type="disc">
-<li><p>
- Object class and permission summary by Tresys <a href="http://tresys.com/selinux/obj_perms_help.shtml" target="_top">http://tresys.com/selinux/obj_perms_help.shtml</a>
- </p></li>
-<li><p>
- Implementing SELinux as an LSM technical report (describes
- permission checks on a per-hook basis) <a href="http://www.nsa.gov/selinux/papers/module-abs.cfm" target="_top">http://www.nsa.gov/selinux/papers/module-abs.cfm</a>.
- This is also available in the selinux-doc package
- (and more up-to-date there).
- </p></li>
-<li><p>
- Integrating Flexible Support for Security Policies into the
- Linux Operating System - technical report (describes original
- design and implementation, including summary tables of
- classes, permissions, and what permission checks are applied
- to what system calls. It is not entirely up-to-date with
- current implementation, but a good resource nonetheless).
- <a href="http://www.nsa.gov/selinux/papers/slinux-abs.cfm" target="_top">http://www.nsa.gov/selinux/papers/slinux-abs.cfm</a>
- </p></li>
-</ul></div>
-</td>
-</tr>
-<tr class="qandadiv"><td align="left" valign="top" colspan="2">
-<a name="faq-div-deploying-selinux"></a><h4 class="title">
-<a name="faq-div-deploying-selinux"></a>1.4. Deploying SELinux</h4>
-</td></tr>
-<tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl>
-<dt>Q: <a href="#id2961714">
- What file systems can I use for SELinux?
- </a>
-</dt>
-<dt>Q: <a href="#id2961748">
- How does SELinux impact system performance?
- </a>
-</dt>
-<dt>Q: <a href="#id2961779">
- What types of deployments, applications, and systems should I
- leverage SELinux in?
- </a>
-</dt>
-<dt>Q: <a href="#id2961848">
- How does SELinux affect third-party applications?
- </a>
-</dt>
-</dl></td></tr>
-<tr class="question">
-<td align="left" valign="top">
-<a name="id2961714"></a><a name="id2961717"></a><b>Q:</b>
-</td>
-<td align="left" valign="top"><p>
- What file systems can I use for SELinux?
- </p></td>
-</tr>
-<tr class="answer">
-<td align="left" valign="top"><b>A:</b></td>
-<td align="left" valign="top">
-<p>
- The file system must support
- <code class="computeroutput">xattr</code> labels in the right
- <em class="parameter"><code>security.*</code></em> namespace. In addition to
- ext2/ext3, XFS has recently added support for the necessary
- labels.
- </p>
-<p>
- Note that XFS SELinux support is broken in upstream kernel
- 2.6.14 and 2.6.15, but fixed (worked around)
- in 2.6.16. Your kernel must include this fix if
- you choose to use XFS with SELinux.
- </p>
-</td>
-</tr>
-<tr class="question">
-<td align="left" valign="top">
-<a name="id2961748"></a><a name="id2961756"></a><b>Q:</b>
-</td>
-<td align="left" valign="top"><p>
- How does SELinux impact system performance?
- </p></td>
-</tr>
-<tr class="answer">
-<td align="left" valign="top"><b>A:</b></td>
-<td align="left" valign="top"><p>
- This is a variable that is hard to measure, and is heavily
- dependent on the tuning and usage of the system running SELinux.
- When performance was last measured, the impact was around 7% for
- completely untuned code. Subsequent changes in system components
- such as networking are likely to have made that worse in some
- cases. SELinux performance tuning continues to be a priority of the
- development team.
- </p></td>
-</tr>
-<tr class="question">
-<td align="left" valign="top">
-<a name="id2961779"></a><a name="id2961782"></a><b>Q:</b>
-</td>
-<td align="left" valign="top"><p>
- What types of deployments, applications, and systems should I
- leverage SELinux in?
- </p></td>
-</tr>
-<tr class="answer">
-<td align="left" valign="top"><b>A:</b></td>
-<td align="left" valign="top">
-<p>
- Initially, SELinux has been used on Internet facing servers that are
- performing a few specialized functions, where it is critical to
- keep extremely tight security. Administrators typically strip
- such a box of all extra software and services, and run a very
- small, focused set of services. A Web server or mail server is a
- good example.
- </p>
-<p>
- In these edge servers, you can lock down the policy very tightly.
- The smaller number of interactions with other components makes
- such a lock down easier. A dedicated system running a specialized
- third-party application would also be a good candidate.
- </p>
-<p>
- In the future, SELinux will be targeted at all environments. In
- order to achieve this goal, the community and
- <em class="firstterm">independent software vendors</em>
- (<span class="abbrev">ISV</span>s) must work with the SELinux developers to
- produce the necessary policy. So far, a very restrictive
- <em class="firstterm">strict policy</em> has been written, as well as
- a <em class="firstterm">targeted policy</em> that focuses on specific,
- vulnerable daemons.
- </p>
-<p>For more information about these policies, refer to <a href="#qa-whatis-policy">What is SELinux policy?</a> and <a href="#qa-whatis-targeted-policy">What is the SELinux targeted policy?</a>.
- </p>
-</td>
-</tr>
-<tr class="question">
-<td align="left" valign="top">
-<a name="id2961848"></a><a name="id2961850"></a><b>Q:</b>
-</td>
-<td align="left" valign="top"><p>
- How does SELinux affect third-party applications?
- </p></td>
-</tr>
-<tr class="answer">
-<td align="left" valign="top"><b>A:</b></td>
-<td align="left" valign="top">
-<p>
- One goal of implementing a targeted SELinux policy in Fedora Core is to
- allow third-party applications to work without modification. The
- targeted policy is transparent to those unaddressed applications,
- and it falls back on standard Linux DAC security. These
- applications, however, will not be running in an extra-secure
- manner. You or another provider must write policy to protect these
- applications with MAC security.
- </p>
-<p>
- It is impossible to predict how every third-party application
- might behave with SELinux, even running the targeted policy. You
- may be able to fix issues that arise by changing the policy. You
- may find that SELinux exposes previously unknown security issues
- with your application. You may have to modify the application to
- work under SELinux.
- </p>
-<p>
- Note that with the addition of <a href="#faq-entry-whatare-policy-modules">Policy Modules</a>, it is now possible
- for third-party developers to include policy modules with their
- application. If you are a third-party developer or a
- package-maintainer, please consider including a policy module
- in your package. This will allow you to secure the behavior
- of your application with the power of SELinux for any user
- installing your package.
- </p>
-<p>
- One important value that Fedora Core testers and users bring to the
- community is extensive testing of third-party applications. With
- that in mind, please bring your experiences to the appropriate
- mailing list, such as the fedora-selinux list, for discussion. For
- more information about that list, refer to <a href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list/" target="_top">http://www.redhat.com/mailman/listinfo/fedora-selinux-list/</a>.
- </p>
-</td>
-</tr>
-</tbody>
-</table>
-</div>
-</div>
-</div>
+<p><a href="en_US/">en_US</a> | <a href="it/">it</a></p>
<?
$template->displayFooter('$Date$');
?>
-
More information about the Fedora-websites-list
mailing list