Revision History

Introduction · ABI changes

jvisualvm
@@ -491,7 +508,7 @@
     
 
SELinux is preventing gst-install-plu from making the program stack executable.
+      setsebool -P allow_unconfined_nsplugin_transition =0
+    
 	  backend default { .host = "127.0.0.1"; .port = "80"; }
@@ -322,22 +332,32 @@
 8.3.4.??Other improvements
 Fedora also includes the following virtualization
       improvements:
- Utilities in the new virt-mem package
+

+
+ Utilities in the new virt-mem package
 	  provide access to process tables, interface information,
 	  dmesg, and uname of QEmu and KVM guests from the host system.
-	  http://et.redhat.com/~rjones/virt-mem/
-	
-
+	  For more information, refer to
+	  http://et.redhat.com/~rjones/virt-mem/.
+	
+

-
+
-
+
 
 virt-mem is experimental. The virt-mem package is experimental.
 
Only 32 bit guests are supported at this time.
Only 32-bit guests are supported at this time.
 
- The new virt-df tool provides
+
+ The new virt-df tool provides
 	  information on the disk usage of guests from the host system.
 	  http://et.redhat.com/~rjones/virt-df
-	
+	
+The new experimental xenwatch package
+	  provides utilities for interacting with
+	  xenstore on Xen-based virtualization hosts.
+	  For more information refer to
+	  http://kraxel.fedorapeople.org/xenwatch/
+
 
 
 8.3.4.1.??libvirt updated to 0.4.6
@@ -582,21 +602,20 @@
 This section contains information related to Samba, the suite of
     software Fedora uses to interact with Microsoft Windows
     systems.
-
-
-
-
-
-
- Maybe you know what should be on this page?
The Fedora release notes are a collective effort of dozens of
-      people.  You can contribute by editing the wiki page that
-      corresponds to this part of the release notes.
-This section has not been updated for Fedora 10 by the beat
-    writer (http://fedoraproject.org/wiki/Docs/Beats#Beat_Assignments.)
-    If you have some ideas or knowledge of what should be in this part
-    of the release notes, you are encouraged to edit the wiki directly.
-    Read https://fedoraproject.org/wiki/Docs/Beats/HowTo/
-      for more information, then get an account and start writing.
+
+    Fedora 10 includes samba-3.2.1. This is only a
+    minor release over the version included in Fedora 9, 3.2.0, so users
+    upgrading from Fedora 9 should see no specific issues. However,
+    users upgrading from earlier versions of Samba are advised to
+    carefully review the Samba 3.2 release notes:
+  
+
+    http://samba.org/samba/history/samba-3.2.0.html
+  
+In addition, the news articles on Samba 3.2 also highlight some
+    of the major changes:
+  
+http://news.samba.org/
 
 
 8.6.??Mail servers
@@ -635,22 +654,35 @@
       to be successful.
     
 
-
+
+8.7.1.??MySQL
+Fedora 10 includes MySQL 5.0.67-2.
+    
+

-
-
+
+
-
+
 Maybe you know what should be on this page? MySQL version in Fedora 10 significantly different from
+	Fedora 9 version
 
The Fedora release notes are a collective effort of dozens of
-      people. You can contribute by editing the wiki page that
-      corresponds to this part of the release notes.
-    
There are a number of changes from the version included in
+	Fedora 9, including some incompatible changes.
 
-This section has not been updated for Fedora 10 by the beat
-    writer (http://fedoraproject.org/wiki/Docs/Beats#Beat_Assignments). 
-    If you have some ideas or knowledge of what should be in this part
-    of the release notes, you are encouraged to edit the wiki directly.
-    Read https://fedoraproject.org/wiki/Docs/Beats/HowTo
-    for more information, then get an account and start writing. 
+The MySQL user is strongly encouraged to study the release
+      notes for MySQL before upgrading his MySQL databases.
+    
+http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.html
+
     yum groupinfo "Games and Entertainment"
@@ -61,6 +61,49 @@
     http://docs.fedoraproject.org/yum/
   
 
+
+5.2.??Amateur Radio
+
+    Fedora 10 includes a number of applications and libraries that are
+    of interest to amateur radio operators and electronic hobbyists.
+    Many of these applications are included in the Fedora Electronic
+    Lab spin. Fedora also includes a number of VLSI and IC design
+    tools.
+  
+
+
+	Sound card mode applications include
+	fldigi, gpsk31,
+	gmfsk, lpsk31,
+	xfhell, and xpsk31.
+      
+
+	The gnuradio package is a software defined
+	radio framework.
+      
+
+	The aprsd and
+	xastir packages provide APRS capabilities.
+      
+
+	The gEDA suite consists of an
+	integrated set of schematics applications for capture, net
+	listing, circuit simulation, and PCB layout.
+      
+
+	The gspiceui, ngspice,
+	and gnucap packages provide circuit
+	simulation capabilities.
+      
+
+
+    There are a variety of other tools for learning Morse code, orbit
+    prediction and tracking satellites, producing schematic diagrams
+    and PCB artwork, amateur radio logbook keeping, and other
+    applications of interest to amateur radio and electronics
+    enthusiasts.
+  
+
 
 
 


Index: What_is_New_for_Installation_and_Live_Images.php
===================================================================
RCS file: /cvs/fedora/web/html/docs/release-notes/f10preview/en_US/What_is_New_for_Installation_and_Live_Images.php,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2

--- What_is_New_for_Installation_and_Live_Images.php	4 Nov 2008 12:17:48 -0000	1.1
+++ What_is_New_for_Installation_and_Live_Images.php	8 Nov 2008 00:54:26 -0000	1.2
@@ -3,12 +3,12 @@
 
 2.??What is New for Installation and Live Images
 
-
-
+
+
 
 
 
-
+
 
 Anaconda and installing Fedora 10.
 
 2.1.1.??Installation media
-
+

-
+
-
+      
+
 
  If you intend to download the Fedora DVD ISO image, keep
-	in mind that not all file downloading tools can accommodate
-	files larger than 2 GiB in size. Fedora DVD ISO image is a large file.
 
 The programs wget 1.9.1-16 and above,
+

+If you intend to download the Fedora DVD ISO image, keep
+	in mind that not all file downloading tools can accommodate
+	files larger than 2 GiB in size. 
+ The programs wget 1.9.1-16 and above,
 	curl, and ncftpget do not
 	have this limitation, and can successfully download files larger
 	than 2 GiB. BitTorrent is another method for downloading large
 	files. For information about obtaining and using the torrent
 	file, refer to http://torrent.fedoraproject.org/.
-      
 
 
       Anaconda asks if it should verify the
@@ -81,9 +82,9 @@
       For Fedora Live media, press any key during the initial boot
       countdown, to display a boot option menu.  Select
       Verify and
-      boot to perform the media test. The
-      pure installation medium can be used to verify a Fedora Live
-      medium. Anaconda asks during the
+      boot to perform the media test. 
+      Installation media can be used to verify Fedora Live
+      media. Anaconda asks during the
       mediacheck if you want to check any other disc than the one
       Anaconda is running from.  To test
       additional media, select
@@ -139,38 +140,27 @@
 

 2.1.2.??Changes in Anaconda
 
-
-	  http://www.fedoraproject.org/wiki/Anaconda/Features/NetConfigForNM 
-	  -- Anaconda is now using
-	  NetworkManager for configuring
-	  network interfaces during installation.  The previous backend
-	  tool was libdhcp,
-	  which was a replacement for libpump.
-	  Anaconda uses
-	  NetworkManager by communicating
-	  with it via D-Bus during installation. The move to
-	  NetworkManager in
-	  Anaconda is still ongoing,
-	  but the bulk of existing
-	  functionality has been retained.
-	  NetworkManager is enabled by
-	  default on newly installed systems, so moving to
-	  NetworkManager in
-	  Anaconda allows the installer to
-	  use the same network management tool that the final system
-	  uses. The move to NetworkManager
-	  brings some changes, most notably the removal of the network
+

+
+	  NetworkManager for Networking
+	  -- Anaconda is now using
+	  NetworkManager for configuration of
+	  network interfaces during installation.  The main network
 	  interface configuration screen in
-	  Anaconda. You are no longer asked
-	  to verify the network settings during installation. The screen
-	  now simply prompts for the hostname. The settings used during
-	  installation are written to the system.
+	  Anaconda has been removed.  Users
+	  are only prompted for network configuration details if they
+	  are necessary during installation.  The settings used during
+	  installation are then written to the system.
+	
+For more information, refer to  http://www.fedoraproject.org/wiki/Anaconda/Features/NetConfigForNM.
+	
+
 When using netinst.iso to boot
 	  the installer, Anaconda defaults to
 	  using the Fedora mirrorlist URL as the installation source.
 	  The method selection screen no longer appears by default. If
 	  you do not wish to use the mirrorlist URL, either add
-	  repo=<your installation
+	  repo=<your installation
 	    source> or add
 	  askmethod to the installer boot parameters.
 	  The askmethod option causes the selection
@@ -190,9 +180,9 @@
 
2.1.3.1.??PXE booting from a .iso
 

 When PXE booting and using a .iso file
-	for the installation media via NFS you are now required to add
+	mounted via NFS	for the installation media, add
 	method=nfsiso:server:/path to the command
-	line.
+	line.  This is a new requirement.
 

 
 2.1.3.2.??IDE device names
@@ -288,16 +278,16 @@
  	  su -c 'e2label /dev/example f7-slash'
 	
-For a VFAT filesystem use dosfslabel
+
For a VFAT file system use dosfslabel
 	  from the dosfstools package, and for NTFS
-	  filesystem use ntfslabel from the
+	  file system use ntfslabel from the
 	  ntfsprogs package. Before rebooting the
 	  machine, also update the file system mount entries, and the
 	  GRUB kernel root entry.
 
 
 2.1.4.2.3.??Update the file system mount entries
-If any filesystem labels were added or modified, then the
+
If any file system labels were added or modified, then the
 	  device entries in /etc/fstab must be
 	  adjusted to match: 
 @@ -314,7 +304,7 @@
 2.1.4.2.4.??Update the grub.conf kernel root
 	  entry
 If the label for the / (root)
-	  filesystem was modified, the kernel boot parameter in the grub
+	  file system was modified, the kernel boot parameter in the grub
 	  configuration file must also be modified: 
  	  su -c 'gedit /boot/grub/grub.conf'
@@ -399,7 +389,7 @@
 
 

 
-2.2.??Fedora Live images
+2.2.??Fedora Live Images
 The Fedora 10 release includes several Fedora Live ISO images in
     addition to the traditional installation images.  These ISO images
     are bootable, and you can burn them to media and use them to try out
@@ -407,7 +397,7 @@
     Fedora Live image content to your hard drive for persistence and
     higher performance.
 
-2.2.1.??Available images
+2.2.1.??Available Images
 For a complete list of current spins available, and
       instructions for using them, refer to:
 
@@ -415,29 +405,40 @@
     
 
 
-2.2.2.??Usage information
-To boot from the Fedora Live image, insert it into your
+
2.2.2.??Usage Information
+To boot from the Fedora Live image, insert the media into your
       computer and restart. To log in and use the desktop environment,
       enter the username fedora.  There is no password on
       this account.  The GNOME-based Fedora Live images automatically
       login after one minute, so users have time to select a preferred
       language. After logging in, if you wish to install the contents of
-      the live image to your hard drive, click on the Install
+      the Live image to your hard drive, click on the Install
 	to Hard Drive icon on the desktop.

 

 
-2.2.3.??Text mode installation
-You can do a text mode installation of the Fedora Live images
-      using the liveinst command in the
+
2.2.3.??Checking Your Media
+
+      To check Fedora Live media, press any key during the initial
+      boot countdown to display a boot option menu. Select
+      Verify and boot to perform the media test.
+    
+
+      Perform this test for any new Live medium.
+    
+
+
+2.2.4.??Text Mode Installation
+To perform a text mode installation of the Fedora Live image,
+      use the liveinst command in the
       console.
 
 
-2.2.4.??USB booting
+2.2.5.??USB Booting
 Another way to use these Fedora Live images is to put them on
       a USB stick.  To do this, use the
       liveusb-creator graphical interface. Use
-      Add/Remove Software, search for, then
-      install liveusb-creator.  To install using
+      Add/Remove Software to search for and
+      install liveusb-creator, or to install using
       yum:
        su -c 'yum install liveusb-creator'
@@ -445,27 +446,27 @@
 Instead of the graphical tool, you can use the command line
       interface from the livecd-tools package.  Then,
       run the livecd-iso-to-disk script:
--      /usr/bin/livecd-iso-to-disk /path/to/live.iso
-	/dev/sdb1
-    
+/usr/bin/livecd-iso-to-disk /path/to/live.iso /dev/sdb1
 Replace /dev/sdb1 with the partition
       where you want to put the image.
 This is not a destructive process; any
       data you currently have on your USB stick is
 	preserved.
+
+      A Windows version of this tools is also available that allows
+      users to try out or migrate to Fedora.
+    
 
 
-2.2.5.??Persistent home directory
+2.2.6.??Persistent Home Directory
 Support for keeping a persistent /home
       with the rest of the system stateless has been added for Fedora
       10.  This includes support for encrypting
-      /home to protect your system in the case
-      where your USB stick is lost or stolen.  To use this, download the
-      live image and run the following command:
+      /home to protect your system if
+      your USB stick is lost or stolen.  To use this feature, download the
+      Live image and run the following command:
 -      livecd-iso-to-disk --home-size-mb 512 /path/to/live.iso
-	/dev/sdb1
+      livecd-iso-to-disk --home-size-mb 512 /path/to/live.iso /dev/sdb1
     
 Replace /dev/sdb1 with the partition
       where you want to put the image.
@@ -481,20 +482,17 @@
       can specify --unencrypted-home.
 Note that later runs of livecd-iso-to-disk
       preserve the /home that is created on the USB
-      stick, continuing to use it even if you change your live
+      stick, continuing to use it even if you change your Live
       image.
 
 
-2.2.6.??Live USB persistence
+2.2.7.??Live USB Persistence
 Support for persistent changes with a Fedora Live image exists
       for Fedora 9 and later. The primary use case is booting from a
       Fedora Live image on a USB flash drive and storing changes to that
       same device. To do this, download the Fedora Live image and then
       run the following command:
--      livecd-iso-to-disk --overlay-size-mb 512
-	/path/to/live.iso /dev/sdb1
-    
+livecd-iso-to-disk --overlay-size-mb 512 /path/to/live.iso /dev/sdb1
 Replace /dev/sdb1 with the partition
       where you want to put the image.
 Replace 512 with the desired
@@ -507,17 +505,14 @@
       stored on the media.
 
 
-2.2.7.??Booting a Fedora Live image off of USB on Intel-based Apple
-      hardware
-Fedora 10 includes support for putting the live image onto a
+
2.2.8.??Booting a Fedora Live Image from USB on Intel-based Apple
+      Hardware
+Fedora 10 includes support for putting the Live image onto a
       USB image and then booting it on Intel processor-based Apple
-      hardware.  Unlike for most x86 machines, this unfortunately
-      requires reformatting the USB stick that you are using.  To set up
-      a stick for this, you can run:
--      /usr/bin/livecd-iso-to-disk --mactel /path/to/live.iso
-	/dev/sdb1
-    
+      hardware.  Unlike most x86 machines, this hardware
+      requires reformatting the USB stick.  To set up
+      a USB stick, run this command:
+/usr/bin/livecd-iso-to-disk --mactel /path/to/live.iso /dev/sdb1
 Replace /dev/sdb1 with the partition
       where you want to put the image.
 Note that all of the other arguments for the
@@ -525,9 +520,9 @@
       be used here as well.
 
 
-2.2.8.??Differences from a regular Fedora install
-The following items are different from a normal Fedora install
-      with the Fedora Live images.
+2.2.9.??Differences from a Regular Fedora Installation
+The Fedora Live image is different from a normal Fedora
+    installation as shown below.
 
 Fedora Live images provide a subset of packages available
 	  in the regular DVD image. Both connect to the same repository
@@ -539,10 +534,10 @@
 	  password.
 Fedora Live image installations do not allow any package
 	  selection or upgrade capability since they copy the entire
-	  file system from media or USB disks to the hard disk. After
+	  file system from the Live media to the hard disk. After
 	  the installation is complete, and your system has been
 	  rebooted, you can add and remove packages as desired with the
-	  Add/Remove Packages tool,
+	  Add/Remove Software tool,
 	  yum, or the other software management
 	  tools.
 Fedora Live images do not work on i586
@@ -699,8 +694,8 @@
 	installing spin and the packages selected during installation.
 	Additional disk space is required during installation to support
 	the installation environment. The additional disk space
-	corresponds to the size of /Fedora/base/stage2.img plus the size
-	of the files in /var/lib/rpm on the installed system.
+	corresponds to the size of /Fedora/base/stage2.img plus the size
+	of the files in /var/lib/rpm on the installed system.
 In practical terms the additional space requirements may
 	range from as little as 90 MiB for a minimal installation to as
 	much as an additional 175 MiB for a larger installation.
@@ -726,7 +721,7 @@
 	    bootloader which is not included in the Fedora distribution.
 	    Fedora has also been installed and tested on POWER5 and
 	    POWER6 machines.
- Fedora 10 supports pSeries, iSeries, and Cell Broadband
+
Fedora 10 supports pSeries and Cell Broadband
 	    Engine machines.
  Fedora 10 also supports the Sony PlayStation 3 and
 	    Genesi Pegasos II and Efika.
@@ -788,10 +783,10 @@
       behave differently according to your system
       hardware:
 
-On most machines, the bootloader automatically boots the
+
On most machines -- The bootloader automatically boots the
 	  appropriate 32-bit or 64-bit installer from the install
 	  disc.
-64-bit IBM pSeries (POWER4/POWER5), current iSeries
+
64-bit IBM pSeries (POWER4/POWER5/POWER6), current iSeries
 	  models -- After using OpenFirmware to boot the CD, the
 	  bootloader, yaboot, automatically boots the
 	  64-bit installer.
@@ -799,12 +794,6 @@
 	      iSeries models, which do not use OpenFirmware, require use
 	      of the boot image located in the images/iSeries
 	      directory of the installation tree.
-32-bit CHRP (IBM RS/6000 and others) -- After using
-	  OpenFirmware to boot the CD, select the linux32 boot image at
-	  the boot: prompt to start
-	  the 32-bit installer. Otherwise, the 64-bit installer starts
-	  and fails.
-	
 
 Genesi Pegasos II / Efika 5200B -- The Fedora kernel
 	  supports both Pegasos and Efika without the need to use the
@@ -885,8 +874,6 @@
 	  encourages the use of yaboot over the
 	  netboot images.
 
-RS/6000 kernel support is currently broken (as of August
-	  28, 2008).
 
 
 2.4.4.4.1.??PPC specific packages
@@ -940,7 +927,15 @@
 Fedora 10 includes multiple boot-time updates, including changes
     that allow for faster booting and graphic booting changes.
 
-2.6.1.??Plymouth
+2.6.1.??GRUB
+The GRUB menu is no longer shown at startup, except on dual-boot
+      systems. To bring up the GRUB menu, hold the
+    Shift key before the kernel is loaded.  (Any other
+    key works but the Shift key is the safest to use.)
+    
+
+
+2.6.2.??Plymouth
 Plymouth is the graphical boot up system debuting with Fedora
       10.
 
@@ -978,7 +973,7 @@
 
 
 
-2.6.2.??Faster booting
+2.6.3.??Faster booting
 Fedora 10 gets a faster boot from improvements in process
       start-up.
 
@@ -995,7 +990,7 @@
 
 
 
-2.6.3.??Kernel modesetting
+2.6.4.??Kernel modesetting
 Kernel modesetting (KMS) can default to either enabled or
       disabled in the DRM driver and it can be enabled or disabled at
       boot-time.


Index: What_is_the_Latest_on_the_Desktop.php
===================================================================
RCS file: /cvs/fedora/web/html/docs/release-notes/f10preview/en_US/What_is_the_Latest_on_the_Desktop.php,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- What_is_the_Latest_on_the_Desktop.php	4 Nov 2008 12:17:48 -0000	1.1
+++ What_is_the_Latest_on_the_Desktop.php	8 Nov 2008 00:54:26 -0000	1.2
@@ -3,12 +3,12 @@
 
 4.??What is the Latest on the Desktop
 
-
-
+
+
 
 
 
-
+
 
 4.??What is the Latest on the Desktop
 
 
-4.1.??Fedora desktop
+4.1.??Fedora Desktop
 This section details changes that affect Fedora graphical
     desktop users.
 
@@ -57,9 +57,9 @@
       supported by gspca.
 For a list of all webcams and applications where Fedora 10's
       new webcam support has been tested refer to https://fedoraproject.org/wiki/Features/BetterWebcamSupport. 
-      For a list of all cams supported by the original version of
-      gspca refer to the original gspca
-      website.
+      For a list of all webcams supported by the original version of
+      gspca refer to the original
+      gspca website.
 http://mxhaard.free.fr/spca5xx.html
 The V4L2 version of gspca in Fedora 10
       supports all these webcams and more.
@@ -71,7 +71,7 @@
 
 4.1.3.??Infrared remote support
 New to Fedora 10 is the gnome-lirc-properties
-      package with a new graphical frontend for configuring LIRC to use
+      package with a new graphical front-end for configuring LIRC to use
       with applications supporting the protocol.  For more information
       refer to Section??4.1.3, ???Infrared remote support???.
 LIRC is routinely used in multimedia applications to implement
@@ -110,14 +110,13 @@
 

 4.1.5.1.??Empathy instant messenger
 
-	Empathy instant messenger is the new
-	default replacing Pidgin in this
-	release. It has support for multiple protocols including IRC,
-	XMPP (Jabber), Yahoo, MSN, and others via plugins. It also
-	supports video and voice in the XMPP protocol, with support for
-	other protocols under active development. Empathy uses the
-	telepathy framework that has a number of
-	additional plugins:
+	Empathy instant messenger is
+	available in this release. It has support for multiple protocols
+	including IRC, XMPP (Jabber), Yahoo, MSN, and others via
+	plugins. It also supports video and voice in the XMPP protocol,
+	with support for other protocols under active development.
+	Empathy uses the telepathy framework that has
+	a number of additional plugins:
 
 
 	    telepathy-gabble -
@@ -160,7 +159,7 @@
 	codeina was replaced by a PackageKit-based
 	solution for Fedora 10. When Totem, Rhythmbox, or another
 	GStreamer application require a plugin to read a film or song, a
-	PackageKit dialogue appears, allowing the user to search for the
+	PackageKit dialog appears, allowing the user to search for the
 	necessary package in the configured
 	repositories.
 More details are available on the feature page:
@@ -192,7 +191,7 @@
 Fedora 10 does not include the legacy KDE
       3 Desktop. It does include a compatibility KDE 3 Development
       Platform, which can be used to build and run KDE 3 applications
-      within KDE 4 or any other desktop environment. Refer to the Section??7.5, ???KDE 3 Development Platform and Libraries???
+      within KDE 4 or any other desktop environment. Refer to the Section??7.6, ???KDE 3 Development Platform and Libraries???
       section for more details about what is
       included.
 Fedora 10 includes a snapshot of
@@ -299,7 +298,24 @@
 
 
 
-4.1.7.??Sugar Desktop
+4.1.7.??LXDE
+
+      This release of Fedora comes with an additional desktop
+      environment named LXDE. LXDE is a new project that provides a
+      lightweight, fast desktop environment designed to be usable and
+      slim enough to keep resource usage low. To install the LXDE
+      environment, use the Add/Remove Software
+      tool or run:
+    
+su -c 'yum groupinstall LXDE'
+
+      If you only need the base components of LXDE, install the
+      lxde-common package:
+    
+su -c 'yum install lxde-common'
+
+
+4.1.8.??Sugar Desktop
 The Sugar Desktop originated with the OLPC initiative. It
       allows for Fedora users and developers to do the following.
 
@@ -312,9 +328,9 @@
 
 
 
-4.1.8.??Web browsers
+4.1.9.??Web browsers
 
-4.1.8.1.??Enabling Flash plugin
+4.1.9.1.??Enabling Flash plugin
 Fedora includes swfdec and
       gnash, which are free and open source
       implementations of Flash.  We encourage you to try either of
@@ -357,7 +373,7 @@
       the plugin is loaded.
 
 
-4.1.8.2.??Disabling PC speaker
+4.1.9.2.??Disabling PC speaker
 PC speaker is enabled by default in Fedora.  If you do not
       prefer this, there are two ways to circumvent the sounds:
 Reduce its volume to a acceptable level or completely
@@ -380,18 +396,18 @@
     Fedora 10.
 
 4.2.1.??Wireless Connection Sharing
+
+      The NetworkManager applet
+      nm-applet has been updated to provide better
+      connection sharing through the Create New Wireless
+      Network menu item.
+    
 Connection sharing makes it possible to easily set up an
       ad-hoc WiFi network on a machine with a network connection and a
-      spare wireless card. If the machine has primary network connection
+      spare wireless card. If the machine has a primary network connection
       (wired, 3G, second wireless card), routing is set up so that
       devices connected to the ad-hoc WiFi network can share the
       connection to the outside network.
-This ability is provided by the
-      NetworkManager applet
-      nm-applet. Although
-      nm-applet has had a Create New
-	Wireless Network menu item for a long time, this
-      feature makes it work better.
 When you create a new WiFi network, you have to specify the
       name of the network and what kind of wireless security to use.
       NetworkManager then sets up the wireless card to work as an ad-hoc
@@ -446,7 +462,7 @@
 
 
 
-4.4.??Package notes
+4.4.??Package Notes
 The following sections contain information regarding software
     packages that have undergone significant changes for Fedora 10. For
     easier access, they are generally organized using the same groups
@@ -456,10 +472,10 @@
 
Fedora 10 includes version 2.6 of the GNU Image Manipulation
       Program.
 This new version is designed to be backwards compatible, so
-      existing third party plug-ins and scripts should continue to work
-      -- with a minor caveat: The included Script-Fu Scheme interpreter
-      doesn't accept variable definitions without an initial value
-      anymore (which isn't compliant to the language standard). Scripts
+      existing third party plug-ins and scripts should continue to work,
+      with a minor caveat. The included Script-Fu Scheme interpreter
+      no longer accepts variable definitions without an initial value,
+      which is not compliant to the language standard. Scripts
       included in Fedora packages should not have this problem, but if
       you use scripts from other sources, please refer to the GIMP
       release notes for more details and how you can fix scripts that
@@ -467,18 +483,18 @@
 
http://www.gimp.org/release-notes/gimp-2.6.html
 Additionally, the gimptool script that is
       used to build and install third party plug-ins and scripts has
-      been moved from the gimp to the
+      been moved from the gimp package to the
       gimp-devel package. Install this package if you
       want to use gimptool.
 
 
-4.4.2.??Legal information
+4.4.2.??Legal Information
 The following legal information concerns some software in
       Fedora.
 
-      Portions Copyright (c) 2002-2007 Charlie Poole or Copyright (c)
+      Portions Copyright ?? 2002-2007 Charlie Poole or Copyright ??
       2002-2004 James W. Newkirk, Michael C. Two, Alexei A. Vorontsov or
-      Copyright (c) 2000-2002 Philip A. Craig
+      Copyright ?? 2000-2002 Philip A. Craig
     
 
 
@@ -519,16 +535,10 @@
 	  <language>-support'
       
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
__default__               unconfined_u              s0-s0:c0.c1023
$ ls -l file1
-rwxrw-r-- 1 user1 group1 0 Aug 18 10:08 file1
$ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
$ ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
$ ls -Z /usr/bin/passwd
-rwsr-xr-x  root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
$ ls -Z /etc/shadow
-r--------  root root system_u:object_r:shadow_t:s0    /etc/shadow
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
# /sbin/service httpd start
Starting httpd:                                            [  OK  ]
--2008-09-06 23:00:01--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'

[ <=>                              ] 0     --.-K/s   in 0s
		
2008-09-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
--2008-09-06 23:00:54--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2008-09-06 23:00:54 ERROR 403: Forbidden.
# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]
Sep  6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654
type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0  tclass=file

type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
[Sat Sep 06 23:00:54 2008] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied
Forbidden

You don't have permission to access file name on this server
books        Desktop   documentation  drafts  mss    photos   stuff  svn
books_tests  Desktop1  downloads      images  notes  scripts  svgs
package org.jboss.book.jca.ex1;

import javax.naming.InitialContext;

public class ExClient
{
   public static void main(String args[]) 
       throws Exception
   {
      InitialContext iniCtx = new InitialContext();
      Object         ref    = iniCtx.lookup("EchoBean");
      EchoHome       home   = (EchoHome) ref;
      Echo           echo   = home.create();

      System.out.println("Created Echo");

      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
   }
   
}
$ /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off
$ /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
/usr/sbin/semanage login -m -S targeted -s "user_u" -r s0 __default__
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r\
s0-s0:c0.c1023 __default__
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
newuser                   user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
# passwd newuser
Changing password for user newuser.
New UNIX password: Enter a passwordRetype new UNIX password: Enter the same password again 
passwd: all authentication tokens updated successfully.
[newuser at rlocalhost ~]$ id -Z
user_u:user_r:user_t:s0
# /usr/sbin/userdel -r newuser
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
useruuser                 user_u                    s0
# passwd useruuser
Changing password for user useruuser.
New UNIX password: Enter a passwordRetype new UNIX password: Enter the same password again 
passwd: all authentication tokens updated successfully.
[useruuser at localhost ~]$ id -Z
user_u:user_r:user_t:s0
$ /usr/sbin/getenforce
Enforcing
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ /usr/sbin/getenforce
Disabled
type=AVC msg=audit(1225875185.864:96): avc:  denied  { getattr } for  pid=2608 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
# /sbin/aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 11/01/2008 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 11/03/2008 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)
# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

	You can use audit2allow to generate a loadable module to allow this access.
# audit2allow -a


#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
# audit2allow -a -M mycertwatch

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch.pp

# ls
mycertwatch.pp  mycertwatch.te
hostname setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020

Summary:

SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1
(samba_share_t).

Detailed Description:

SELinux denied access to /var/www/html/file1 requested by httpd.
/var/www/html/file1 has a context used for sharing by different program. If you
would like to share /var/www/html/file1 from httpd also, you need to change its
file context to public_content_t. If you did not intend to this access, this
could signal a intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t public_content_t
'/var/www/html/file1'

Fix Command:

chcon -t public_content_t '/var/www/html/file1'

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:samba_share_t:s0
Target Objects                /var/www/html/file1 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          hostnameSource RPM Packages           httpd-2.2.10-2
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   public_content
Host Name                     rawhide
Platform                      Linux rawhide 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct
30 00:49:42 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Wed Nov  5 18:53:05 2008
Last Seen                     Wed Nov  5 01:22:58 2008
Local ID                      84e0b04d-d0ad-4347-8317-22e74f6cd020
Line Numbers

Raw Audit Messages

node=hostname type=AVC msg=audit(1225812178.788:101): avc:  denied  { getattr } for  pid=2441 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

node=hostname type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
$ star -x -f=test.star 
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.star
$ tar -xf archive.tar | /sbin/restorecon -f -
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
$ /usr/sbin/matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
# /sbin/restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# mv file1 /var/www/html
# ls -Z /var/www/html/file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"
# mount server:/export/web /local/web -o\
context="system_u:object_r:httpd_sys_content_t:s0"

# mount server:/export/database /local/database -o\
context="system_u:object_r:mysqld_db_t:s0"
kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev 0:15, type nfs)
# mount server:/export/web /local/web -o\
nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"

# mount server:/export/database /local/database -o\
nosharecache,context="system_u:object_r:mysqld_db_t:s0"
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
system_u:system_r:setroubleshootd_t:s0 1866 ?  00:00:08 setroubleshootd
system_u:system_r:dhcpc_t:s0     1869 ?        00:00:00 dhclient
system_u:system_r:sshd_t:s0-s0:c0.c1023 1882 ? 00:00:00 sshd
system_u:system_r:gpm_t:s0       1964 ?        00:00:00 gpm
system_u:system_r:crond_t:s0-s0:c0.c1023 1973 ? 00:00:00 crond
system_u:system_r:kerneloops_t:s0 1983 ?       00:00:05 kerneloops
system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ? 00:00:00 atd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ls -Z /etc/file1
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/file1
# /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/file1
/etc/file1    system_u:object_r:samba_share_t:s0
# /sbin/restorecon -v /etc/file1
restorecon reset /etc/file1 context system_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web
# ls -dZ /web
drwxr-xr-x  root root system_u:object_r:default_t:s0   /web
/web    system_u:object_r:httpd_sys_content_t:s0
# /sbin/restorecon -v /web
restorecon reset /web context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
# /sbin/restorecon -v -R /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
/test    system_u:object_r:httpd_sys_content_t:s0
/test    system_u:object_r:httpd_sys_content_t:s0
/usr/sbin/semanage fcontext -d /test
/usr/sbin/semanage fcontext -d "/web(/.*)?"
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
__default__               unconfined_u              s0-s0:c0.c1023
# passwd newuser
Changing password for user newuser.
New UNIX password: Enter a password 
Retype new UNIX password: Enter the same password again 
passwd: all authentication tokens updated successfully.
[newuser at localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file
$ /sbin/service httpd status
httpd is stopped
# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]
/usr/bin/chcon -t unconfined_exec_t /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd
# /sbin/service httpd start
Starting httpd:                                            [  OK  ]
$ ps -eZ | grep httpd
unconfined_u:system_r:unconfined_t 7721 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7723 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7724 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7725 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7726 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7727 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7728 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7729 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7730 ?      00:00:00 httpd
--2008-09-07 01:41:10--  http://localhost/test2file
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `test2file.1'

[ <=>                            ]--.-K/s   in 0s      
	
2008-09-07 01:41:10 (0.00 B/s) - `test2file.1' saved [0/0]
# restorecon -v /usr/sbin/httpd
restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_notrans_exec_t:s0->system_u:object_r:httpd_exec_t:s0
$ ls -Z /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd
# /sbin/service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# ps -eZ | grep httpd
unconfined_u:system_r:httpd_t    8880 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8882 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8883 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8884 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8885 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8886 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8887 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8888 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8889 ?        00:00:00 httpd
# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]
# grep postgresql /var/log/audit/audit.log | audit2allow \
-R -M mypostgresql
# /usr/sbin/semodule -i mypostgresql.pp
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
$ /usr/sbin/getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
# /usr/sbin/semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
# /sbin/service httpd start
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:9876
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:9876
no listening sockets available, shutting down
Unable to open logs
						            [FAILED]
type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876
$ ls -l /var/www/html/index.html
-rw-r----- 1 root root 0 2008-11-07 11:06 index.html
# chown apache:apache /var/www/html/index.html
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
"/srv/myweb(/.*)?"
# /sbin/restorecon -R -v /srv/myweb
$ matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
# restorecon -v /var/www/html/index.html 
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
# restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
# /usr/sbin/semanage boolean -l
SELinux boolean                          Description

ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
xen_use_nfs                    -> off   Allow xen to manage nfs files
xguest_connect_network         -> on    Allow xguest to configure Network Manager
ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
$ /usr/sbin/getsebool -a
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
$ /usr/sbin/getsebool allow_console_login
allow_console_login --> off
$ /usr/sbin/getsebool allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
$ /usr/sbin/getenforce
Enforcing
$ /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ /usr/sbin/getenforce
Disabled
# /sbin/service setroubleshoot start
Starting setroubleshootd:                                  [  OK  ]
# /sbin/service setroubleshoot start
Starting setroubleshootd:
$ /sbin/chkconfig --list setroubleshoot
setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ /usr/sbin/getenforce
Enforcing
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
/usr/sbin/semanage user -a -S targeted  -P user -R xguest_r xguest_u
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ touch file1
$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
# cp file1 /etc/
$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
$ touch file1
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# cp file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
$ touch file1
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# cp --preserve=context file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
$ touch file1
$ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
$ ls -Z file1 file2
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2
$ rm file1 file2
# touch /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
# touch /tmp/file2
# ls -Z /tmp/file2
-rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
# cp /tmp/file2 /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
# mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:samba_share_t:s0 file1
$ /sbin/restorecon -v file1
restorecon reset file1 context system_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
# chcon -R -t httpd_sys_content_t /web/
# ls -dZ /web/
drwxr-xr-x  root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
# ls -lZ /web/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
restorecon -v -R /web/
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
Oct  3 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
/sbin/chkconfig --levels 2345 auditd on
/sbin/chkconfig --levels 2345 rsyslog on
/sbin/chkconfig --levels 345 setroubleshoot on
$ /sbin/service auditd status
auditd (pid  1318) is running...
# /sbin/service setroubleshoot start
Starting setroubleshootd:                                  [  OK  ]
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
__default__               unconfined_u              s0-s0:c0.c1023
$ ls -l file1
-rwxrw-r-- 1 user1 group1 0 Aug 18 10:08 file1
$ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
$ ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
$ ls -Z /usr/bin/passwd
-rwsr-xr-x  root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
$ ls -Z /etc/shadow
-r--------  root root system_u:object_r:shadow_t:s0    /etc/shadow
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
# /sbin/service httpd start
Starting httpd:                                            [  OK  ]
--2008-09-06 23:00:01--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'

[ <=>                              ] 0     --.-K/s   in 0s
		
2008-09-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
--2008-09-06 23:00:54--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2008-09-06 23:00:54 ERROR 403: Forbidden.
# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]
Sep  6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654
type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0  tclass=file

type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
[Sat Sep 06 23:00:54 2008] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied
Forbidden

You don't have permission to access file name on this server
books        Desktop   documentation  drafts  mss    photos   stuff  svn
books_tests  Desktop1  downloads      images  notes  scripts  svgs
package org.jboss.book.jca.ex1;

import javax.naming.InitialContext;

public class ExClient
{
   public static void main(String args[]) 
       throws Exception
   {
      InitialContext iniCtx = new InitialContext();
      Object         ref    = iniCtx.lookup("EchoBean");
      EchoHome       home   = (EchoHome) ref;
      Echo           echo   = home.create();

      System.out.println("Created Echo");

      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
   }
   
}
$ /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off
$ /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
/usr/sbin/semanage login -m -S targeted -s "user_u" -r s0 __default__
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r\
s0-s0:c0.c1023 __default__
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
newuser                   user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
# passwd newuser
Changing password for user newuser.
New UNIX password: Enter a passwordRetype new UNIX password: Enter the same password again 
passwd: all authentication tokens updated successfully.
[newuser at rlocalhost ~]$ id -Z
user_u:user_r:user_t:s0
# /usr/sbin/userdel -r newuser
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
useruuser                 user_u                    s0
# passwd useruuser
Changing password for user useruuser.
New UNIX password: Enter a passwordRetype new UNIX password: Enter the same password again 
passwd: all authentication tokens updated successfully.
[useruuser at localhost ~]$ id -Z
user_u:user_r:user_t:s0
$ /usr/sbin/getenforce
Enforcing
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ /usr/sbin/getenforce
Disabled
type=AVC msg=audit(1225875185.864:96): avc:  denied  { getattr } for  pid=2608 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
# /sbin/aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 11/01/2008 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 11/03/2008 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)
# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

	You can use audit2allow to generate a loadable module to allow this access.
# audit2allow -a


#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
# audit2allow -a -M mycertwatch

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch.pp

# ls
mycertwatch.pp  mycertwatch.te
hostname setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020

Summary:

SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1
(samba_share_t).

Detailed Description:

SELinux denied access to /var/www/html/file1 requested by httpd.
/var/www/html/file1 has a context used for sharing by different program. If you
would like to share /var/www/html/file1 from httpd also, you need to change its
file context to public_content_t. If you did not intend to this access, this
could signal a intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t public_content_t
'/var/www/html/file1'

Fix Command:

chcon -t public_content_t '/var/www/html/file1'

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:samba_share_t:s0
Target Objects                /var/www/html/file1 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          hostnameSource RPM Packages           httpd-2.2.10-2
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   public_content
Host Name                     rawhide
Platform                      Linux rawhide 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct
30 00:49:42 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Wed Nov  5 18:53:05 2008
Last Seen                     Wed Nov  5 01:22:58 2008
Local ID                      84e0b04d-d0ad-4347-8317-22e74f6cd020
Line Numbers

Raw Audit Messages

node=hostname type=AVC msg=audit(1225812178.788:101): avc:  denied  { getattr } for  pid=2441 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

node=hostname type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
$ star -x -f=test.star 
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.star
$ tar -xf archive.tar | /sbin/restorecon -f -
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar
# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
$ /usr/sbin/matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
# /sbin/restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# mv file1 /var/www/html
# ls -Z /var/www/html/file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"
# mount server:/export/web /local/web -o\
context="system_u:object_r:httpd_sys_content_t:s0"

# mount server:/export/database /local/database -o\
context="system_u:object_r:mysqld_db_t:s0"
kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev 0:15, type nfs)
# mount server:/export/web /local/web -o\
nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"

# mount server:/export/database /local/database -o\
nosharecache,context="system_u:object_r:mysqld_db_t:s0"
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
system_u:system_r:setroubleshootd_t:s0 1866 ?  00:00:08 setroubleshootd
system_u:system_r:dhcpc_t:s0     1869 ?        00:00:00 dhclient
system_u:system_r:sshd_t:s0-s0:c0.c1023 1882 ? 00:00:00 sshd
system_u:system_r:gpm_t:s0       1964 ?        00:00:00 gpm
system_u:system_r:crond_t:s0-s0:c0.c1023 1973 ? 00:00:00 crond
system_u:system_r:kerneloops_t:s0 1983 ?       00:00:05 kerneloops
system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ? 00:00:00 atd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ls -Z /etc/file1
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/file1
# /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/file1
/etc/file1    system_u:object_r:samba_share_t:s0
# /sbin/restorecon -v /etc/file1
restorecon reset /etc/file1 context system_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web
# ls -dZ /web
drwxr-xr-x  root root system_u:object_r:default_t:s0   /web
/web    system_u:object_r:httpd_sys_content_t:s0
# /sbin/restorecon -v /web
restorecon reset /web context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
# /sbin/restorecon -v -R /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
/test    system_u:object_r:httpd_sys_content_t:s0
/test    system_u:object_r:httpd_sys_content_t:s0
/usr/sbin/semanage fcontext -d /test
/usr/sbin/semanage fcontext -d "/web(/.*)?"
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
__default__               unconfined_u              s0-s0:c0.c1023
# passwd newuser
Changing password for user newuser.
New UNIX password: Enter a password 
Retype new UNIX password: Enter the same password again 
passwd: all authentication tokens updated successfully.
[newuser at localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file
$ /sbin/service httpd status
httpd is stopped
# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]
/usr/bin/chcon -t unconfined_exec_t /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd
# /sbin/service httpd start
Starting httpd:                                            [  OK  ]
$ ps -eZ | grep httpd
unconfined_u:system_r:unconfined_t 7721 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7723 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7724 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7725 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7726 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7727 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7728 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7729 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7730 ?      00:00:00 httpd
--2008-09-07 01:41:10--  http://localhost/test2file
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `test2file.1'

[ <=>                            ]--.-K/s   in 0s      
	
2008-09-07 01:41:10 (0.00 B/s) - `test2file.1' saved [0/0]
# restorecon -v /usr/sbin/httpd
restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_notrans_exec_t:s0->system_u:object_r:httpd_exec_t:s0
$ ls -Z /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd
# /sbin/service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# ps -eZ | grep httpd
unconfined_u:system_r:httpd_t    8880 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8882 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8883 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8884 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8885 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8886 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8887 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8888 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8889 ?        00:00:00 httpd
# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]
# grep postgresql /var/log/audit/audit.log | audit2allow \
-R -M mypostgresql
# /usr/sbin/semodule -i mypostgresql.pp
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
$ /usr/sbin/getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
# /usr/sbin/semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
# /sbin/service httpd start
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:9876
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:9876
no listening sockets available, shutting down
Unable to open logs
						            [FAILED]
type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876
$ ls -l /var/www/html/index.html
-rw-r----- 1 root root 0 2008-11-07 11:06 index.html
# chown apache:apache /var/www/html/index.html
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
"/srv/myweb(/.*)?"
# /sbin/restorecon -R -v /srv/myweb
$ matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
# restorecon -v /var/www/html/index.html 
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
# restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
# /usr/sbin/semanage boolean -l
SELinux boolean                          Description

ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
xen_use_nfs                    -> off   Allow xen to manage nfs files
xguest_connect_network         -> on    Allow xguest to configure Network Manager
ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
$ /usr/sbin/getsebool -a
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
$ /usr/sbin/getsebool allow_console_login
allow_console_login --> off
$ /usr/sbin/getsebool allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
$ /usr/sbin/getenforce
Enforcing
$ /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ /usr/sbin/getenforce
Disabled
# /sbin/service setroubleshoot start
Starting setroubleshootd:                                  [  OK  ]
# /sbin/service setroubleshoot start
Starting setroubleshootd:
$ /sbin/chkconfig --list setroubleshoot
setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ /usr/sbin/getenforce
Enforcing
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
/usr/sbin/semanage user -a -S targeted  -P user -R xguest_r xguest_u
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ touch file1
$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
# cp file1 /etc/
$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
$ touch file1
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# cp file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
$ touch file1
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# cp --preserve=context file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
$ touch file1
$ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
$ ls -Z file1 file2
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2
$ rm file1 file2
# touch /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
# touch /tmp/file2
# ls -Z /tmp/file2
-rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
# cp /tmp/file2 /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
# mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:samba_share_t:s0 file1
$ /sbin/restorecon -v file1
restorecon reset file1 context system_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
# chcon -R -t httpd_sys_content_t /web/
# ls -dZ /web/
drwxr-xr-x  root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
# ls -lZ /web/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
restorecon -v -R /web/
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
Oct  3 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
/sbin/chkconfig --levels 2345 auditd on
/sbin/chkconfig --levels 2345 rsyslog on
/sbin/chkconfig --levels 345 setroubleshoot on
$ /sbin/service auditd status
auditd (pid  1318) is running...
# /sbin/service setroubleshoot start
Starting setroubleshootd:                                  [  OK  ]
# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
__default__               unconfined_u              s0-s0:c0.c1023
+__default__               unconfined_u              s0-s0:c0.c1023
+
$ ls -l file1
--rwxrw-r-- 1 user1 group1 0 Aug 18 10:08 file1
$ls -Z file1
--rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
$ ls -Z file1
+-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
+
$ ls -Z file1
--rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
Login Name                SELinux User              MLS/MCS Range
+					The SELinux user identity is an identity known to the policy that is authorized for a specific set of roles, and for a specific MLS range. Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions on SELinux users. The mapped SELinux user identity is used in the SELinux context for processes in that session, in order to bound what roles and levels they can enter. Run the semanage login -l command as the Linux root user to view a list of mappings between SELinux and Linux user accounts:
+				
+# /usr/sbin/semanage login -l
+
+Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023

-					Output may differ from system to system. The Login Name column lists Linux users, and the the SELinux User column lists which SELinux user is mapped to which Linux user. For processes, the SELinux user limits which roles and levels are accessible. The last column, MLS/MCS Range, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS). Levels are discussed briefly later.
+system_u                  system_u                  s0-s0:c0.c1023
+
$ ls -Z /usr/bin/passwd
--rwsr-xr-x  root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
$ ls -Z /etc/shadow
--r--------  root root system_u:object_r:shadow_t:s0    /etc/shadow
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
+
# /sbin/service httpd start
-Starting httpd:                                            [  OK  ]
--2008-09-06 23:00:01--  http://localhost/testfile
 Resolving localhost... 127.0.0.1
@@ -38,31 +41,42 @@
 
 [ <=>                              ] 0     --.-K/s   in 0s
 		
-2008-09-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
+
--2008-09-06 23:00:54--  http://localhost/testfile
 Resolving localhost... 127.0.0.1
 Connecting to localhost|127.0.0.1|:80... connected.
 HTTP request sent, awaiting response... 403 Forbidden
-2008-09-06 23:00:54 ERROR 403: Forbidden.
# /sbin/service httpd stop
-Stopping httpd:                                            [  OK  ]
Sep  6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
 to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
-run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654
type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0  tclass=file
 
-type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
[Sat Sep 06 23:00:54 2008] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied
[Sat Sep 06 23:00:54 2008] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied
+
Forbidden
+			Clicking on the star presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browsing your website may receive an error similar to the following:
+		
+Forbidden
 
-You don't have permission to access file name on this server

-			For these situations, if DAC rules (standard Linux permissions) allow access, check /var/log/messages and /var/log/audit/audit.log for SELinux is preventing and avc: denied errors respectively. This can be done by running the following commands as the Linux root user:
+You don't have permission to access file name on this server
+
books        Desktop   documentation  drafts  mss    photos   stuff  svn
-books_tests  Desktop1  downloads      images  notes  scripts  svgs
+books        Desktop   documentation  drafts  mss    photos   stuff  svn
+books_tests  Desktop1  downloads      images  notes  scripts  svgs
+
package org.jboss.book.jca.ex1;
+		
+package org.jboss.book.jca.ex1;
 
 import javax.naming.InitialContext;
 
@@ -87,12 +96,13 @@
       System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
    }
    
-}
$ /usr/sbin/getsebool httpd_can_network_connect_db
-httpd_can_network_connect_db --> off
$ /usr/sbin/getsebool httpd_can_network_connect_db
-httpd_can_network_connect_db --> on
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
+
/usr/sbin/semanage login -m -S targeted -s "user_u" -r s0 __default__
# /usr/sbin/semanage login -l
+		
+# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               user_u                    s0
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023

+system_u                  system_u                  s0-s0:c0.c1023
+
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r\
-s0-s0:c0.c1023 __default__
# /usr/sbin/semanage login -l
+				
+# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
# /usr/sbin/semanage login -l
+				
+# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 newuser                   user_u                    s0
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
# passwd newuser
+				
+# passwd newuser
 Changing password for user newuser.
-New UNIX password: Enter a passwordRetype new UNIX password: Enter the same password again 
-passwd: all authentication tokens updated successfully.
[newuser at rlocalhost ~]$ id -Z
-user_u:user_r:user_t:s0
# /usr/sbin/userdel -r newuser
+				
+[newuser at rlocalhost ~]$ id -Z
+user_u:user_r:user_t:s0
+
+# /usr/sbin/userdel -r newuser
 # /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
$ id -Z
-unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+$ id -Z
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
# /usr/sbin/semanage login -l
+					As the Linux root user, run the semanage login -l command to view the mapping between the Linux useruuser user and user_u:
+				
+# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
 system_u                  system_u                  s0-s0:c0.c1023
-useruuser                 user_u                    s0
# passwd useruuser
+				
+# passwd useruuser
 Changing password for user useruuser.
-New UNIX password: Enter a passwordRetype new UNIX password: Enter the same password again 
-passwd: all authentication tokens updated successfully.
[useruuser at localhost ~]$ id -Z
-user_u:user_r:user_t:s0
+[useruuser at localhost ~]$ id -Z
+user_u:user_r:user_t:s0
+
$ /usr/sbin/getenforce
-Enforcing
+$ /usr/sbin/getenforce
+Enforcing
+
# This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
@@ -12,7 +12,9 @@
 # SELINUXTYPE= can take one of these two values:
 #       targeted - Targeted processes are protected,
 #       mls - Multi Level Security protection.
-SELINUXTYPE=targeted
$ /usr/sbin/getenforce
-Disabled
type=AVC msg=audit(1225875185.864:96): avc:  denied  { getattr } for  pid=2608 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
+type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for  pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
+
+type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
+
# /sbin/aureport -a
+					The audit package provides aureport. From the aureport(8) manual page: "aureport is a tool that produces summary reports of the audit system logs"^[18]. The aureport tool accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the aureport -a command. The following is example output that includes two denials:
+				+# /sbin/aureport -a
 
 AVC Report
 ========================================================
 # date time comm subj syscall class permission obj event
 ========================================================
 1. 11/01/2008 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
-2. 11/03/2008 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4
sealert
+2. 11/03/2008 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4
+
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
+setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
+
hostname setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
+hostname setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
+
$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
+			
+$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
 
 Summary:
 
@@ -37,7 +40,8 @@
 Source                        httpd
 Source Path                   /usr/sbin/httpd
 Port                          <Unknown>
-Host                          hostnameSource RPM Packages           httpd-2.2.10-2
+Host                          hostname
+Source RPM Packages           httpd-2.2.10-2
 Target RPM Packages
 Policy RPM                    selinux-policy-3.5.13-11.fc10
 Selinux Enabled               True
@@ -58,7 +62,8 @@
 
 node=hostname type=AVC msg=audit(1225812178.788:101): avc:  denied  { getattr } for  pid=2441 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
 
-node=hostname type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Summary

+node=hostname type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
+
# touch /var/www/html/file{1,2,3}
+					
+# touch /var/www/html/file{1,2,3}
 # ls -Z /var/www/html/
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
# star -xattr -H=exustar -c -f=test.star file{1,2,3}
-star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
+# star -xattr -H=exustar -c -f=test.star file{1,2,3}
+star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
+
$ star -x -f=test.star 
-star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
+$ star -x -f=test.star 
+star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
+
$ ls -lZ /test/
+					
+$ ls -lZ /test/
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
--rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.star
$ tar -xf archive.tar | /sbin/restorecon -f -
+$ tar -xf archive.tar | /sbin/restorecon -f -
+
# touch /var/www/html/file{1,2,3}
+					
+# touch /var/www/html/file{1,2,3}
 # ls -Z /var/www/html/
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
$ ls -lZ /test/
+					
+$ ls -lZ /test/
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
--rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar
# touch /var/www/html/file{1,2,3}
 # ls -Z /var/www/html/
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
$ /usr/sbin/matchpathcon -V /var/www/html/*
 /var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
 /var/www/html/file2 verified.
-/var/www/html/file3 verified.
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
+
# /sbin/restorecon -v /var/www/html/file1
-restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
$ ls -Z file1
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
-drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# mv file1 /var/www/html
+						As the Linux root user, run the mv file1 /var/www/html/ command to move file1 to the /var/www/html/ directory. Since this file is moved, it keeps its current user_home_t type:
+					
# mv file1 /var/www/html/
 # ls -Z /var/www/html/file1
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
+# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
+
server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
+server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
+
mount server:/export /local/mount/point -o\
-context="system_u:object_r:httpd_sys_content_t:s0"
# mount server:/export/web /local/web -o\
+			
+# mount server:/export/web /local/web -o\
 context="system_u:object_r:httpd_sys_content_t:s0"
 
 # mount server:/export/database /local/database -o\
-context="system_u:object_r:mysqld_db_t:s0"

+context="system_u:object_r:mysqld_db_t:s0"
+
kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev 0:15, type nfs)
+kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev 0:15, type nfs)
+
# mount server:/export/web /local/web -o\
+			
+# mount server:/export/web /local/web -o\
 nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
 
 # mount server:/export/database /local/database -o\
-nosharecache,context="system_u:object_r:mysqld_db_t:s0"

+nosharecache,context="system_u:object_r:mysqld_db_t:s0"
+
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
+
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
# ls -Z /etc/file1
--rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/file1
# /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
 # ls -Z /etc/file1
--rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/file1
/etc/file1    system_u:object_r:samba_share_t:s0
/etc/file1    unconfined_u:object_r:samba_share_t:s0
+
# /sbin/restorecon -v /etc/file1
-restorecon reset /etc/file1 context system_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
# ls -dZ /web
-drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web
 # ls -dZ /web
-drwxr-xr-x  root root system_u:object_r:default_t:s0   /web
/web    system_u:object_r:httpd_sys_content_t:s0
/web    unconfined_u:object_r:httpd_sys_content_t:s0
+
# /sbin/restorecon -v /web
-restorecon reset /web context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
# ls -dZ /web
 drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
 # ls -lZ /web
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
# /sbin/restorecon -v -R /web
+					
/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
+
# /sbin/restorecon -R -v /web
 restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
 restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
 restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
-restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
/test    system_u:object_r:httpd_sys_content_t:s0
/test    system_u:object_r:httpd_sys_content_t:s0
+
/test    system_u:object_r:httpd_sys_content_t:s0
/test    system_u:object_r:httpd_sys_content_t:s0
+
/usr/sbin/semanage fcontext -d /test
/usr/sbin/semanage fcontext -d "/web(/.*)?"
# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
__default__               unconfined_u              s0-s0:c0.c1023
__default__               unconfined_u              s0-s0:c0.c1023
+
[newuser at localhost ~]$ id -Z
-unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
+
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file
+
$ /sbin/service httpd status
-httpd is stopped
# /sbin/service httpd stop
-Stopping httpd:                                            [  OK  ]
/usr/bin/chcon -t unconfined_exec_t /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd
+
# /sbin/service httpd start
-Starting httpd:                                            [  OK  ]
$ ps -eZ | grep httpd
 unconfined_u:system_r:unconfined_t 7721 ?      00:00:00 httpd
@@ -46,7 +59,8 @@
 unconfined_u:system_r:unconfined_t 7727 ?      00:00:00 httpd
 unconfined_u:system_r:unconfined_t 7728 ?      00:00:00 httpd
 unconfined_u:system_r:unconfined_t 7729 ?      00:00:00 httpd
-unconfined_u:system_r:unconfined_t 7730 ?      00:00:00 httpd
--2008-09-07 01:41:10--  http://localhost/test2file
 Resolving localhost... 127.0.0.1
@@ -57,16 +71,19 @@
 
 [ <=>                            ]--.-K/s   in 0s      
 	
-2008-09-07 01:41:10 (0.00 B/s) - `test2file.1' saved [0/0]
# restorecon -v /usr/sbin/httpd
-restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_notrans_exec_t:s0->system_u:object_r:httpd_exec_t:s0
$ ls -Z /usr/sbin/httpd
--rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd
# /sbin/service httpd restart
 Stopping httpd:                                            [  OK  ]
 Starting httpd:                                            [  OK  ]
@@ -79,13 +96,15 @@
 unconfined_u:system_r:httpd_t    8886 ?        00:00:00 httpd
 unconfined_u:system_r:httpd_t    8887 ?        00:00:00 httpd
 unconfined_u:system_r:httpd_t    8888 ?        00:00:00 httpd
-unconfined_u:system_r:httpd_t    8889 ?        00:00:00 httpd
# /sbin/service httpd stop
-Stopping httpd:                                            [  OK  ]
# grep postgresql /var/log/audit/audit.log | audit2allow \
--R -M mypostgresql
+# grep postgresql /var/log/audit/audit.log | audit2allow \
+-R -M mypostgresql
+
# /usr/sbin/semodule -i mypostgresql.pp
+# /usr/sbin/semodule -i mypostgresql.pp
+
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
+# /usr/sbin/setsebool -P httpd_can_network_connect_db on
+
$ /usr/sbin/getsebool -a | grep ftp
+			
+$ /usr/sbin/getsebool -a | grep ftp
 allow_ftpd_anon_write --> off
 allow_ftpd_full_access --> off
 allow_ftpd_use_cifs --> off
 allow_ftpd_use_nfs --> off
 ftp_home_dir --> off
 httpd_enable_ftp_server --> off
-tftp_anon_write --> off

-				[link to section about running denials through audit2allow -w]
-			

-				For a list of Booleans and whether they are on or off, run the /usr/sbin/getsebool -a command. For a list of Booleans, an explanation of what each one is, and whether it is on or off, as the Linux root user, run the /usr/sbin/semanage boolean -l command. Refer to Section??5.6, ???Booleans??? for information about listing and configuring Booleans.
+tftp_anon_write --> off
+
# /usr/sbin/semanage port -l | grep http
+				+# /usr/sbin/semanage port -l | grep http
 http_cache_port_t              tcp      3128, 8080, 8118
 http_cache_port_t              udp      3130
 http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
 pegasus_http_port_t            tcp      5988
-pegasus_https_port_t           tcp      5989

+pegasus_https_port_t           tcp      5989
+
# /sbin/service httpd start
+			
+# /sbin/service httpd start
 Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:9876
 (13)Permission denied: make_sock: could not bind to address 0.0.0.0:9876
 no listening sockets available, shutting down
 Unable to open logs
-						            [FAILED]

+						            [FAILED]
+
type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876
+type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
+
+# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876
+
$ ls -l /var/www/html/index.html
--rw-r----- 1 root root 0 2008-11-07 11:06 index.html
+$ ls -l /var/www/html/index.html
+-rw-r----- 1 root root 0 2008-11-07 11:06 index.html
+
# chown apache:apache /var/www/html/index.html
+# chown apache:apache /var/www/html/index.html
+
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
-"/srv/myweb(/.*)?"
# /sbin/restorecon -R -v /srv/myweb
+# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
+"/srv/myweb(/.*)?"
+
+# /sbin/restorecon -R -v /srv/myweb
+
$ matchpathcon -V /var/www/html/*
+				
+$ matchpathcon -V /var/www/html/*
 /var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
-/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

-					In this example, the index.html and page1.html are labeled with the user_home_t type. This type is used for files in user home directories. Using the mv command to move files from your home directory may result in files being labeled with the user_home_t type. This type should not exist outside of home directories. Use the restorecon command to restore such files to their correct type:
-				
# restorecon -v /var/www/html/index.html 
-restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0

+/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
+
+# restorecon -v /var/www/html/index.html 
+restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
+
# restorecon -R -v /var/www/html/
+				
+# restorecon -R -v /var/www/html/
 restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
-restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

+restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
+
# /usr/sbin/semanage boolean -l
 SELinux boolean                          Description
 
 ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
 xen_use_nfs                    -> off   Allow xen to manage nfs files
-xguest_connect_network         -> on    Allow xguest to configure Network Manager
ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
+
$ /usr/sbin/getsebool -a
 allow_console_login --> off
 allow_cvs_read_shadow --> off
-allow_daemons_dump_core --> on
$ /usr/sbin/getsebool allow_console_login
-allow_console_login --> off
$ /usr/sbin/getsebool allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
 allow_console_login --> off
 allow_cvs_read_shadow --> off
-allow_daemons_dump_core --> on
$ /usr/sbin/getenforce
-Enforcing
$ /usr/sbin/sestatus
 SELinux status:                 enabled
 SELinuxfs mount:                /selinux
 Current mode:                   enforcing
 Mode from config file:          enforcing
 Policy version:                 23
-Policy from config file:        targeted
$ /usr/sbin/getenforce
-Disabled
# /sbin/service setroubleshoot start
-Starting setroubleshootd:                                  [  OK  ]
# /sbin/service setroubleshoot start
-Starting setroubleshootd:
$ /sbin/chkconfig --list setroubleshoot
-setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off
*** Warning -- SELinux targeted policy relabel is required.
 *** Relabeling could take a very long time, depending on file
 *** system size and speed of hard drives.
-****
# This file controls the state of SELinux on the system.
@@ -76,31 +77,42 @@
 # SELINUXTYPE= can take one of these two values:
 #       targeted - Targeted processes are protected,
 #       mls - Multi Level Security protection.
-SELINUXTYPE=targeted
$ /usr/sbin/getenforce
-Enforcing
Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023
/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
/usr/sbin/semanage user -a -S targeted  -P user -R xguest_r xguest_u
/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
+
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
+
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
+
/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
+
/usr/sbin/semanage user -a -S targeted  -P user -R xguest_r xguest_u
+
# This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
@@ -12,7 +12,8 @@
 # SELINUXTYPE= can take one of these two values:
 #       targeted - Targeted processes are protected,
 #       mls - Multi Level Security protection.
-SELINUXTYPE=targeted
$ touch file1
+			
+$ touch file1
 $ ls -Z file1 
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

+-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
+
$ ls -Z file1 
+			
+$ ls -Z file1 
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 # cp file1 /etc/
 $ ls -Z /etc/file1
--rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

+-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
+
$ touch file1
+				+$ touch file1
 $ ls -Z file1
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 $ ls -dZ /var/www/html/
 drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
 # cp file1 /var/www/html/
 $ ls -Z /var/www/html/file1
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1

+-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
+
$ touch file1
+				+$ touch file1
 $ ls -Z file1
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 $ ls -dZ /var/www/html/
 drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
 # cp --preserve=context file1 /var/www/html/
 $ ls -Z /var/www/html/file1
--rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

+-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
+
$ touch file1
+				+$ touch file1
 $ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
 $ ls -Z file1 file2
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 -rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2
-$ rm file1 file2

+$ rm file1 file2
+
# touch /etc/file1
+				+# touch /etc/file1
 # ls -Z /etc/file1
 -rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
 # touch /tmp/file2
@@ -58,7 +69,8 @@
 -rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
 # cp /tmp/file2 /etc/file1
 # ls -Z /etc/file1
--rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

+-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
+
# mount server:/export /local/mount/point -o\
-context="system_u:object_r:httpd_sys_content_t:s0"
$ ls -Z file1
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -Z file1
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -Z file1 
--rw-rw-r--  user1 group1 unconfined_u:object_r:samba_share_t:s0 file1
$ /sbin/restorecon -v file1
-restorecon reset file1 context system_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
# chcon -R -t httpd_sys_content_t /web/
 # ls -dZ /web/
@@ -52,13 +57,15 @@
 # ls -lZ /web/
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
restorecon -v -R /web/
+-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
+
# /sbin/restorecon -R -v /web/
 restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
 restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
 restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
-restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
+
Oct  3 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
Oct  3 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
+
/sbin/chkconfig --levels 2345 auditd on
/sbin/chkconfig --levels 2345 rsyslog on
/sbin/chkconfig --levels 345 setroubleshoot on
/sbin/chkconfig --levels 2345 auditd on
+
/sbin/chkconfig --levels 2345 rsyslog on
+
/sbin/chkconfig --levels 345 setroubleshoot on
+
$ /sbin/service auditd status
-auditd (pid  1318) is running...
# /sbin/service setroubleshoot start
-Starting setroubleshootd:                                  [  OK  ]
+$ /sbin/service auditd status
+auditd (pid  1318) is running...
+
+# /sbin/service setroubleshoot start
+Starting setroubleshootd:                                  [  OK  ]
+
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

__default__               unconfined_u              s0-s0:c0.c1023

$ ls -l file1
-rwxrw-r-- 1 user1 group1 0 2008-11-21 15:42 file1

$ ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1

$ ls -Z file1
-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1

# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

$ ls -Z /usr/bin/passwd
-rwsr-xr-x  root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd

$ ls -Z /etc/shadow
-r--------  root root system_u:object_r:shadow_t:s0    /etc/shadow

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted

-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile

# /sbin/service httpd start
Starting httpd:                                            [  OK  ]

--2008-09-06 23:00:01--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'

[ <=>                              ] 0     --.-K/s   in 0s
		
2008-09-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]

-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile

--2008-09-06 23:00:54--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2008-09-06 23:00:54 ERROR 403: Forbidden.

# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]

Sep  6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654

type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0  tclass=file

type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

[Sat Sep 06 23:00:54 2008] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied

Forbidden

You don't have permission to access file name on this server

books        Desktop   documentation  drafts  mss    photos   stuff  svn
books_tests  Desktop1  downloads      images  notes  scripts  svgs

package org.jboss.book.jca.ex1;

import javax.naming.InitialContext;

public class ExClient
{
   public static void main(String args[]) 
       throws Exception
   {
      InitialContext iniCtx = new InitialContext();
      Object         ref    = iniCtx.lookup("EchoBean");
      EchoHome       home   = (EchoHome) ref;
      Echo           echo   = home.create();

      System.out.println("Created Echo");

      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
   }
   
}

$ /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

$ /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on

# /usr/sbin/setsebool -P httpd_can_network_connect_db on

# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r\
s0-s0:c0.c1023 __default__

# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
newuser                   user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

# passwd newuser
Changing password for user newuser.
New UNIX password: Enter a password
Retype new UNIX password: Enter the same password again 
passwd: all authentication tokens updated successfully.

[newuser at rlocalhost ~]$ id -Z
user_u:user_r:user_t:s0

# /usr/sbin/userdel -r newuser
# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
useruuser                 user_u                    s0

# passwd useruuser
Changing password for user useruuser.
New UNIX password: Enter a password
Retype new UNIX password: Enter the same password again 
passwd: all authentication tokens updated successfully.

[useruuser at localhost ~]$ id -Z
user_u:user_r:user_t:s0

$ /usr/sbin/getenforce
Enforcing

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

$ /usr/sbin/getenforce
Disabled

type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)

# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

	You can use audit2allow to generate a loadable module to allow this access.

# audit2allow -a


#============= certwatch_t ==============
allow certwatch_t var_t:dir write;

# audit2allow -a -M mycertwatch

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch.pp

# ls
mycertwatch.pp  mycertwatch.te

# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2
******************** IMPORTANT ***********************
To make this policy package active, execute:

# semodule -i mycertwatch2.pp

# /usr/sbin/semodule -l | grep permissive
permissive_httpd_t      1.0

$ sesearch --dontaudit -s smbd_t | grep squid
WARNING: This policy contained disabled aliases; they have been removed.
dontaudit smbd_t squid_port_t : tcp_socket name_bind ;
dontaudit smbd_t squid_port_t : udp_socket name_bind ;

type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for  pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

# /sbin/aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 11/01/2008 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 11/03/2008 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4

setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020

type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)
# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

	You can use audit2allow to generate a loadable module to allow this access.
# audit2allow -a


#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
# audit2allow -a -M mycertwatch

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch.pp

# ls
mycertwatch.pp  mycertwatch.te
hostname setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020

$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020

Summary:

SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1
(samba_share_t).

Detailed Description:

SELinux denied access to /var/www/html/file1 requested by httpd.
/var/www/html/file1 has a context used for sharing by different program. If you
would like to share /var/www/html/file1 from httpd also, you need to change its
file context to public_content_t. If you did not intend to this access, this
could signal a intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t public_content_t
'/var/www/html/file1'

Fix Command:

chcon -t public_content_t '/var/www/html/file1'

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:samba_share_t:s0
Target Objects                /var/www/html/file1 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          hostname
Source RPM Packages           httpd-2.2.10-2
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   public_content
Host Name                     rawhide
Platform                      Linux rawhide 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct
30 00:49:42 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Wed Nov  5 18:53:05 2008
Last Seen                     Wed Nov  5 01:22:58 2008
Local ID                      84e0b04d-d0ad-4347-8317-22e74f6cd020
Line Numbers

Raw Audit Messages

node=hostname type=AVC msg=audit(1225812178.788:101): avc:  denied  { getattr } for  pid=2441 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

node=hostname type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).

$ star -x -f=test.star 
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).

$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.star

$ tar -xf archive.tar | /sbin/restorecon -f -

# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar

# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

$ /usr/sbin/matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.

/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

# /sbin/restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

# mv file1 /var/www/html/
# ls -Z /var/www/html/file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"

server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0

mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"

# mount server:/export/web /local/web -o\
context="system_u:object_r:httpd_sys_content_t:s0"

# mount server:/export/database /local/database -o\
context="system_u:object_r:mysqld_db_t:s0"

kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev 0:15, type nfs)

# mount server:/export/web /local/web -o\
nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"

# mount server:/export/database /local/database -o\
nosharecache,context="system_u:object_r:mysqld_db_t:s0"

type=AVC msg=audit(1226882736.442:86): avc:  denied  { getattr } for  pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
	
type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1226882925.714:136): avc:  denied  { read } for  pid=2512 comm="httpd" name="file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
	
type=SYSCALL msg=audit(1226882925.714:136): arch=40000003 syscall=5 success=yes exit=11 a0=b962a1e8 a1=8000 a2=0 a3=8000 items=0 ppid=2511 pid=2512 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd

system_u:system_r:setroubleshootd_t:s0 1866 ?  00:00:08 setroubleshootd
system_u:system_r:dhcpc_t:s0     1869 ?        00:00:00 dhclient
system_u:system_r:sshd_t:s0-s0:c0.c1023 1882 ? 00:00:00 sshd
system_u:system_r:gpm_t:s0       1964 ?        00:00:00 gpm
system_u:system_r:crond_t:s0-s0:c0.c1023 1973 ? 00:00:00 crond
system_u:system_r:kerneloops_t:s0 1983 ?       00:00:05 kerneloops
system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ? 00:00:00 atd

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1

# /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1

/etc/file1    unconfined_u:object_r:samba_share_t:s0

# /sbin/restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0

# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web
# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0   /web

/web    unconfined_u:object_r:httpd_sys_content_t:s0

# /sbin/restorecon -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3

# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3

/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0

# /sbin/restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

/test    system_u:object_r:httpd_sys_content_t:s0

/test    system_u:object_r:httpd_sys_content_t:s0

# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

__default__               unconfined_u              s0-s0:c0.c1023

# passwd newuser
Changing password for user newuser.
New UNIX password: Enter a password 
Retype new UNIX password: Enter the same password again 
passwd: all authentication tokens updated successfully.

[newuser at localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted

-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file

-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file

$ /sbin/service httpd status
httpd is stopped

# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]

-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd

# /sbin/service httpd start
Starting httpd:                                            [  OK  ]

$ ps -eZ | grep httpd
unconfined_u:system_r:unconfined_t 7721 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7723 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7724 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7725 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7726 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7727 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7728 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7729 ?      00:00:00 httpd
unconfined_u:system_r:unconfined_t 7730 ?      00:00:00 httpd

--2008-09-07 01:41:10--  http://localhost/test2file
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `test2file.1'

[ <=>                            ]--.-K/s   in 0s      
	
2008-09-07 01:41:10 (0.00 B/s) - `test2file.1' saved [0/0]

# restorecon -v /usr/sbin/httpd
restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_notrans_exec_t:s0->system_u:object_r:httpd_exec_t:s0

$ ls -Z /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd

# /sbin/service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# ps -eZ | grep httpd
unconfined_u:system_r:httpd_t    8880 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8882 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8883 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8884 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8885 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8886 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8887 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8888 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t    8889 ?        00:00:00 httpd

# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]

# grep postgresql /var/log/audit/audit.log | audit2allow \
-R -M mypostgresql

# /usr/sbin/semodule -i mypostgresql.pp

# /usr/sbin/setsebool -P httpd_can_network_connect_db on

$ /usr/sbin/getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

# /usr/sbin/semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

# /sbin/service httpd start
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:9876
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:9876
no listening sockets available, shutting down
Unable to open logs
						            [FAILED]

type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876

$ ls -l /var/www/html/index.html
-rw-r----- 1 root root 0 2008-11-07 11:06 index.html

# chown apache:apache /var/www/html/index.html

# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
"/srv/myweb(/.*)?"

# /sbin/restorecon -R -v /srv/myweb

$ matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

# restorecon -v /var/www/html/index.html 
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0

# restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

# /usr/sbin/semanage boolean -l
SELinux boolean                          Description

ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
xen_use_nfs                    -> off   Allow xen to manage nfs files
xguest_connect_network         -> on    Allow xguest to configure Network Manager

ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories

$ /usr/sbin/getsebool -a
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on

$ /usr/sbin/getsebool allow_console_login
allow_console_login --> off

$ /usr/sbin/getsebool allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on

$ /usr/sbin/getenforce
Enforcing

$ /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

$ /usr/sbin/getenforce
Disabled

$ /sbin/chkconfig --list setroubleshoot
setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

$ /usr/sbin/getenforce
Enforcing

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u

/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__

/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root

/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u

/usr/sbin/semanage user -a -S targeted  -P user -R xguest_r xguest_u

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

$ touch file1
$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
# cp file1 /etc/
$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

$ touch file1
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# cp file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1

$ touch file1
$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# cp --preserve=context file1 /var/www/html/
$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

$ touch file1
$ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
$ ls -Z file1 file2
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2
$ rm file1 file2

# touch /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
# touch /tmp/file2
# ls -Z /tmp/file2
-rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
# cp /tmp/file2 /etc/file1
# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

# mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"

$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:samba_share_t:s0 file1

$ /sbin/restorecon -v file1
restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0

# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3

# chcon -R -t httpd_sys_content_t /web/
# ls -dZ /web/
drwxr-xr-x  root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
# ls -lZ /web/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

# /sbin/restorecon -R -v /web/
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0

type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file

Oct  3 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d

/sbin/chkconfig --levels 2345 auditd on

/sbin/chkconfig --levels 2345 rsyslog on

/sbin/chkconfig --levels 345 setroubleshoot on

$ /sbin/service auditd status
auditd (pid  1318) is running...

# /sbin/service setroubleshoot start
Starting setroubleshootd:                                  [  OK  ]


10.??Legal Stuff and Administrivia
9.??Legal Stuff and Administrivia
-Prev??	??	??

Daemon	Log Location
auditd on	`/var/log/audit/audit.log`
auditd off; rsyslogd on	`/var/log/messages`
setroubleshootd, rsyslogd, and auditd on	`/var/log/audit/audit.log`. Easier-to-read denial messages also sent to `/var/log/messages`

Searching For	Command
all denials	`/sbin/ausearch -m avc`
denials for that today	`/sbin/ausearch -m avc -ts today`
denials from the last 10 minutes	`/sbin/ausearch -m avc -ts recent`

Daemon	Log Location
auditd on	`/var/log/audit/audit.log`
auditd off; rsyslogd on	`/var/log/messages`
setroubleshootd, rsyslogd, and auditd on	`/var/log/audit/audit.log`. Easier-to-read denial messages also sent to `/var/log/messages`

Daemon	Log Location
auditd on	`/var/log/audit/audit.log`
auditd off; rsyslogd on	`/var/log/messages`
setroubleshootd, rsyslogd, and auditd on	`/var/log/audit/audit.log`. Easier-to-read denial messages also sent to `/var/log/messages`

	Kernel Includes Paravirtualization
	+ Both the x86_64 and the i686 kernels contain + `paravirt_ops` support and no longer require a + separate kernel for running under a Xen hypervisor. For more + information, refer to Section??8.3.1, ???Unified kernel image???. +


	There is no support for Xen or kdump for the PowerPC - architecture in Fedora. 32-bit PowerPC does still have a + architecture in Fedora. 32-bit PowerPC still has a separate SMP kernel.

	Fedora is a community supported project
	Fedora is not a commercially supported product of Red Hat, - Inc.

	IRC Channels
	The Fedora Project and Red Hat have no control over the Fedora - Project IRC channels or their content.

	This content not updated until after Preview Release - occurs.
	We need to finish writing and translating the notes to know - who has worked on them.

	Out of date content.
	- This content is out of date, it has not been updated since the - Fedora 9 release notes.

-Prev??	??	??
9.??Are There Hideous Bugs and Terrible Tigers??	8.??What Do System Adminstrators Care About??	Home	??
??	??Next +	??Next

	virt-mem is experimental.	The virt-mem package is experimental.
	Only 32 bit guests are supported at this time.
Only 32-bit guests are supported at this time.

	Maybe you know what should be on this page?
	The Fedora release notes are a collective effort of dozens of - people. You can contribute by editing the wiki page that - corresponds to this part of the release notes.

	Maybe you know what should be on this page?	MySQL version in Fedora 10 significantly different from + Fedora 9 version
	The Fedora release notes are a collective effort of dozens of - people. You can contribute by editing the wiki page that - corresponds to this part of the release notes. -
There are a number of changes from the version included in + Fedora 9, including some incompatible changes.

User	Domain	X Window System	su and sudo	Execute in home directory and /tmp/	Networking
guest_u	guest_t	no	no	no	no
xguest_u	xguest_t	yes	no	no	only Firefox
user_u	user_t	yes	no	no	yes
staff_u	staff_t	yes	only `sudo`	yes	yes

User	Domain	X Window System	su and sudo	Execute in home directory and /tmp/	Networking
guest_u	guest_t	no	no	no	no
xguest_u	xguest_t	yes	no	no	only Firefox
user_u	user_t	yes	no	no	yes
staff_u	staff_t	yes	only `sudo`	yes	yes

	Fedora 10 User SELinux Guide	Fedora 10 SELinux User Guide
	From hydra84 at gmail.com Sun Nov 16 15:49:02 2008 From: hydra84 at gmail.com (Paolo Leoni) Date: Sun, 16 Nov 2008 16:49:02 +0100 Subject: Fedora 10 release banner Message-ID: <492040EE.8030605@gmail.com> This is a possible Fedora 10 release banner: http://pleoni.altervista.org/fedora10-release-banner.svg http://pleoni.altervista.org/fedora10-release-banner.png And a simple Fedora 10 banner: http://pleoni.altervista.org/fedora10-banner.svg http://pleoni.altervista.org/fedora10-banner.png -- Paolo Leoni ~ http://pleoni.altervista.org GPG fingerprint: DAD1 6419 D42B 0B1C D9E1 A9CB 4587 4812 17F7 F764 From ricky at fedoraproject.org Mon Nov 17 11:39:19 2008 From: ricky at fedoraproject.org (Ricky Zhou) Date: Mon, 17 Nov 2008 06:39:19 -0500 Subject: Meeting Reminder - Today at 22:00 UTC Message-ID: <20081117113837.GC1177@sphe.res.cmu.edu> We'll be meeting in #fedora-meeting at 22:00 UTC today. As everything is pretty much frozen up for translations/release, we'll probably just run through the task list as usual this time (and maybe start looking at future changes after the freeze ends). Thanks, Ricky -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From lajjr at yahoo.com Mon Nov 17 17:48:36 2008 From: lajjr at yahoo.com (Leo Jackson) Date: Mon, 17 Nov 2008 09:48:36 -0800 (PST) Subject: Intro for Leo Albert Jackson Jr (lajjr) Message-ID: <654342.99461.qm@web84304.mail.re1.yahoo.com> My name Leo Albert Jackson Jr I live in Scranton Pa USA EST I would like to help. I have been using fedora for awhile. I am an ambassador for fedora. I have been creating web sites for over 7+ years. I use python, ruby, perl, js, php, html, and others c# vb, c++, css. I would like to use my talents to help out in any way possible. Thank You, Leo Albert Jackson Jr Owner Head Programmer LJ's Electronics and Software From ricky at fedoraproject.org Mon Nov 17 22:41:32 2008 From: ricky at fedoraproject.org (Ricky Zhou) Date: Mon, 17 Nov 2008 17:41:32 -0500 Subject: Meeting Log - 2008-11-17 Message-ID: <20081117224132.GF1177@sphe.res.cmu.edu> 22:00 -!- ricky changed the topic of #fedora-meeting to: Fedora Websites - Who's here? 22:01 < ianweller> hey look a meeting! 22:02 < ricky> :-/ 22:03 -!- ChitleshGoorah [n=chitlesh at fedora/ChitleshGoorah] has quit Read error: 110 (Connection timed out) 22:03 < ianweller> k. 22:03 < ianweller> ricky: maybe you should ping people :P 22:03 -!- mdomsch [n=Matt_Dom at cpe-70-124-62-55.austin.res.rr.com] has quit Remote closed the connection 22:03 -!- CB6 [n=CB6 at modemcable031.189-201-24.mc.videotron.ca] has joined #fedora-meeting 22:03 < CB6> hello 22:04 < ianweller> brb 22:04 < ianweller> go ahead and start 22:05 -!- ianweller is now known as ianweller_afk 22:05 -!- ricky changed the topic of #fedora-meeting to: Fedora Websites - Tasks 22:05 < ricky> The website is pretty much frozen for translations now, so it's time to start looking at other tasks again 22:05 < ricky> http://fedoraproject.org/wiki/Websites/Tasks 22:05 < stiv2k> hello 22:06 < stiv2k> 22:00 UTC is now? 22:06 < ricky> Yup 22:06 < stiv2k> cool 22:06 < stiv2k> I'm in time! 22:06 < ricky> date -u is handy for checking :-) 22:06 < ricky> Cool 22:06 < ricky> quaid: Any updates on the CMS search, or are you guys still up to your necks in release stuff? 22:08 < ricky> All righty. 22:08 < CB6> I was just wondering that 22:08 < stiv2k> what kind of CMS have you deliberated upon thus far? 22:08 < ricky> I'm not 100% sure what meeting the CMS discussion would even happen in. My understanding is that we want to find something that definitely works for docs first, then look at integrating websites. 22:09 < ricky> There were some requirements sent out a while ago, and they should be mostly centered around working for the docs team's needs (plus having good l10n support) 22:09 < CB6> Drupal or Plone both fit well. Plone being a bit more difficult to work on than drupal for newer users 22:09 < ricky> If the security record is good, Drupal looked pretty nice for me. 22:09 < stiv2k> ricky: im looking at the wiki page now 22:10 < ricky> We've had bad experience with plone before, so that's looking pretty unlikely for infrastructure to be able to support fully 22:10 < stiv2k> you guys ever toy w/ the idea of frameworks? 22:10 < ricky> What kind of frameworks? 22:10 < ricky> We've been using TurboGears for a lot of webapps, if that's what you mean 22:10 < stiv2k> django, ror, cakephp, etc 22:10 < ricky> But that's a level below content mangement 22:10 < ricky> management 22:12 < CB6> Django is not secure 22:12 < stiv2k> CB6: how so? 22:12 < CB6> I have friends that worked with it at a networking site level and we experienced all sorts of bugs. It's still a very new platform 22:12 < stiv2k> oh... I have never used it myself 22:13 < stiv2k> I have used cakephp 22:13 < ricky> Transifex people were porting to it, they've had good experiences so far, but not sure what level they're working at 22:13 < CB6> cakephp has been around a long time 22:13 < CB6> well plone is used by NASA, and some groups such as fedorasolved 22:14 < ricky> Yeah. It's not packageable for python 2.5 though, which is kind of a blocker. 22:14 -!- buggbot [n=supybot at landfill.bugzilla.org] has quit Connection reset by peer 22:14 < CB6> I just am not familiar enough with plone myself to make a decent go of it at this time. Drupal is something that pretty much anyone can learn to work with quite fast 22:14 < stiv2k> I watched their shuttle go up the other day' 22:15 -!- buggbot [n=supybot at landfill.bugzilla.org] has joined #fedora-meeting 22:15 < ricky> Cool 22:16 < ricky> If you guys are interested in getting some test sites up to test requirements, talk to quaid and G 22:16 < stiv2k> what do you mean test sites 22:16 < CB6> staging sites 22:16 < ricky> Like getting a local instance running 22:16 < stiv2k> ah 22:17 < CB6> I have a drupal platform up.. in the middle of setting up. I haven't done anything with it yet 22:17 < ricky> Ah, cool 22:18 < CB6> pretty simple to set up.. really tight on the security restrictions 22:18 < CB6> if you don't do certain things it will not let you proceed onto other steps 22:18 < ricky> That's good - their community seems to be great as well, which is always good 22:19 -!- ericz [n=eric at ip98-166-65-97.hr.hr.cox.net] has joined #fedora-meeting 22:19 -!- mccann_ [n=jmccann at 66.187.234.199] has quit Read error: 113 (No route to host) 22:19 < CB6> plone was just intimidating 22:19 -!- sgtd [n=SOD at wilug/newlug/sgtd] has joined #fedora-meeting 22:19 < ricky> Anyway, I guess we can talk about this more when we can get quaid around :-) 22:20 < CB6> amazing potential with plone but I have a lot of learning yet before I can make a go of it. It's best if there's tons of support so everyone can work on it sort of like wiki 22:20 < CB6> ya 22:20 < ricky> Yeah 22:20 < ricky> So next on the list is myfedora 22:20 < ricky> J5: Do you guys need any help with CSS/web stuff for myfedora? 22:20 < stiv2k> ricky: is there a way to test myfedora ? 22:20 < ricky> Even if you just need more testers, feel free to email fedora-websites-list asking for help 22:20 < J5> ricky: mo is working on that so ask her 22:20 < ricky> stiv2k: I think J5 will be very happy to answer that :-) 22:21 < ricky> J5: Ah, she couldn't make this meeting :-( 22:21 < J5> stiv2k: http://publictest16.fedoraproject.org/community 22:22 < CB6> myfedora is a very good idea... integration is so necessary to speed up the development cycle 22:22 -!- ianweller_afk is now known as ianweller 22:22 < stiv2k> nice 22:22 < ricky> Oh, speaking of testing, we really really need browser testing on http://publictest15.fedoraproject.org/ 22:22 < ricky> So whatever browsers/resolutions/OSs you can get access to, try to make sure that it looks right, especially the new get-fedora pages 22:23 < ianweller> contributors are smart enough to not use IE, right? ;) 22:23 < stiv2k> ricky: that gives me a good reason to download chrome now :) 22:23 < ricky> That'll be the main get-fedora work leading up to the release 22:23 -!- fab [n=bellet at bellet.info] has quit Read error: 60 (Operation timed out) 22:23 < ricky> ianweller: I'd think so :-) So windows testing can be targetted more at http://publictest15.fedoraproject.org/ 22:24 < ianweller> ricky: er, you mean, get-fedora? 22:24 < ricky> Yeah, and that whole site in general 22:26 < ricky> All right, so I'll ask mizmo if she needs any CSS help, etc. when she's around 22:26 < stiv2k> ricky: is there supposed to be a missing image at http://publictest15.fedoraproject.org/ 22:27 < CB6> IE is completely rebuilt for version 8 so it's probably full of new bugs 22:27 < ricky> Yeah, we haven't gotten the release image from the art team yet - I think they started to post some initial mockups 22:27 < ianweller> ricky: i was thinking about that the other day when i pinged you :) 22:27 < stiv2k> right I think I saw some of them on the mailing list 22:27 < ricky> CB6: Blech, CSS patches would be hugely appreciated, especially since a lot of us can't get IE8 22:28 < ricky> ianweller: Ah, sorry I missed that - this was a weird weekend 22:28 < ianweller> heh. 22:28 < ricky> ianweller: You're probably the most updated about that stuff - do you know how the progress is going? 22:28 < ianweller> no, haven't heard a thing 22:28 < CB6> I use IE to test 22:28 < ricky> I think I saw a small banner for the sidebar, but no big banner yet 22:28 < ianweller> i'll ping mizmo later tonight 22:28 < ianweller> i was actually thinking of taking some screenshots for that but qemu doesn 22:29 < ianweller> 't like me 22:29 < stiv2k> hmm 22:29 < ricky> I still have instructions for getting screenshots of the various boot screens - not sure if upstart changes could have messed anything up though 22:29 < ianweller> ricky: send 'em my way if you have the time 22:29 < stiv2k> get-fedora looks really weird when viewing with google chrome 22:30 < ricky> Wait, rhgb is gone now, right? 22:30 < CB6> what are you guys using for cross browser testing on fedora? 22:30 < stiv2k> CB6: I'm using chrome, FF, and IE right now 22:30 < ricky> In that case, I'm not sure how useful http://ricky.fedorapeople.org/rhgb-screenshot still is. 22:30 < CB6> stiv2k I figured their might be an application but I guess there's really no replacement for the updated browser it self 22:31 < ricky> stiv2k: Yow, can you get a screenshot up somewhere? (Or if you're feeling up to it, feel free to tweak the CSS to try and make it look right) 22:31 < stiv2k> ricky: my CSS is rusty but I'll show you a screenshot in a minute 22:31 < ricky> Sure 22:34 < ricky> But yeah, if anybody has a chance to do some testing, please email screenshots/report to the list 22:35 < stiv2k> http://stiv2k.info/get-fedora-chrome.PNG 22:35 < stiv2k> http://stiv2k.info/get-fedora-ff3.PNG 22:35 < ricky> Woah. 22:35 < ricky> That is weird. 22:35 < stiv2k> the browser windows are the same size in these two cases^ 22:35 < stiv2k> yeah :P 22:36 < ricky> I can reproduce in Konqueror, so I'll mess around with that later 22:36 < stiv2k> ok, should I report it to the mailing list? 22:37 < ricky> Yeah, that'd be a good way to keep track of report 22:37 < ricky> reports 22:37 < stiv2k> alright 22:37 < ricky> Feel free to ask your friends to test it, etc. as well :-) 22:37 < ricky> Anyway, does anybody have anything else that they want to bring up? 22:38 < ricky> Even though we're currently frozen, we can discuss changes for after the release and stuff 22:38 -!- mccann [n=jmccann at 66.187.234.199] has joined #fedora-meeting 22:38 < ricky> Some people on marketing-list preferred the period after "Fire it up" 22:38 < stiv2k> ricky: I agree 22:39 < ricky> I'll look at modifying PO files manually, but no promises that it'll happen by the release 22:39 < ricky> Anythine else? 22:40 < ricky> All right then, thanks for coming, everybody! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From steve at neoturbine.net Mon Nov 17 22:46:26 2008 From: steve at neoturbine.net (Steven Bularca) Date: Mon, 17 Nov 2008 17:46:26 -0500 Subject: get-fedora renders unusually thin columns in Google Chrome Message-ID: <4921F442.2010404@neoturbine.net> I would like to bring to everyone's attention that the get-fedora page http://publictest15.fedoraproject.org/en/get-fedora appears distorted when viewing with Google Chrome on Windows XP SP3. I have been told from Rick Zhou that the bug is reproducible in Konqueror aswell. I have attached two screenshots, one with Google Chrome, the other with FireFox 3. Both browser windows are of approximately the same size. Regards, Steven Bularca -------------- next part -------------- A non-text attachment was scrubbed... Name: get-fedora-chrome.PNG Type: image/png Size: 180699 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: get-fedora-ff3.PNG Type: image/png Size: 713422 bytes Desc: not available URL: From ankh at dtrclan.com Mon Nov 17 22:47:55 2008 From: ankh at dtrclan.com (ankh at dtrclan.com) Date: Mon, 17 Nov 2008 17:47:55 -0500 Subject: Self Introduction Message-ID: <20081117174755.ut708md9y9co0sgc@dtrclan.com> Greetings, My name is Justin, and I have recently applied to attempt to help this group. I am only 19 years of age. I do, however, learn quickly when it comes to something I enjoy. I am currently taking two courses online in FrontPage and Perl. I know the frontpage is a useless course, it is however mandatory for the certificate. Starting September, I will be going to college for a degree in Web Development. As for my experience and skill, I have not actually had any formal learning, everything I know is from making crappy sites and testing various methods until finding ones that I like. I do know a fair bit of HTML, some javascript, PHP and CSS. I have dabbled in XML and XHTML. I have been using Fedora off and on for the past fiveish years now. I started with Fedora Core, and have used each of its successors. I look forward to working with everyone. Justin Wood From ricky at fedoraproject.org Tue Nov 18 07:53:03 2008 From: ricky at fedoraproject.org (Ricky Zhou) Date: Tue, 18 Nov 2008 02:53:03 -0500 Subject: Introduction In-Reply-To: <8c5969130811120804ld4d93dew79e2fc86cc2ece70@mail.gmail.com> References: <8c5969130811120804ld4d93dew79e2fc86cc2ece70@mail.gmail.com> Message-ID: <20081118075303.GG1177@sphe.res.cmu.edu> On 2008-11-12 11:04:22 AM, Antoni Sousa wrote: > My name is Antoni and I live in the Hudson Valley of NY. I currently work as an > IT Administrator for a small to medium size corporation. I have experience with > PHP, XHTML,XML, XSLT, CSS, AJAX, MySQL and I use Fedora for all of my web > servers. I am eager to learn and contribute to the team and I look forward to > working with all of you. Hey, and welcome! We have meetings every Monday at 20:00 and 22:00 UTC, so it'd be great if you can make it to those. We also have a bunch of tasks listed at http://tinyurl.com/5w6hp8 and http://fedoraproject.org/wiki/Websites/Tasks, so feel free to take some of these on. Feel free here or in #fedora-websites on Freenode if you need any help. Thanks, Ricky -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From ricky at fedoraproject.org Tue Nov 18 08:02:32 2008 From: ricky at fedoraproject.org (Ricky Zhou) Date: Tue, 18 Nov 2008 03:02:32 -0500 Subject: Intro for Leo Albert Jackson Jr (lajjr) In-Reply-To: <654342.99461.qm@web84304.mail.re1.yahoo.com> References: <654342.99461.qm@web84304.mail.re1.yahoo.com> Message-ID: <20081118080232.GH1177@sphe.res.cmu.edu> On 2008-11-17 09:48:36 AM, Leo Jackson wrote: > My name Leo Albert Jackson Jr > > I live in Scranton Pa USA EST > > I would like to help. > > I have been using fedora for awhile. I am an ambassador for fedora. > > I have been creating web sites for over 7+ years. I use python, ruby, > perl, js, php, html, and others c# vb, c++, css. I would like to > use my talents to help out in any way possible. Cool, we have a bunch of we applications written in Python, and our website is currently built from templates using a Python script. We have some tasks at http://tinyurl.com/5w6hp8 and http://fedoraproject.org/wiki/Websites/Tasks (let me know if you might be interested in looking at improving the build script). Also, we have meetings on Mondays (I try to send out reminders every week), so try to show up and let us know that you're around :-) Thanks, Ricky -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From ricky at fedoraproject.org Tue Nov 18 08:07:20 2008 From: ricky at fedoraproject.org (Ricky Zhou) Date: Tue, 18 Nov 2008 03:07:20 -0500 Subject: Self Introduction In-Reply-To: <20081117174755.ut708md9y9co0sgc@dtrclan.com> References: <20081117174755.ut708md9y9co0sgc@dtrclan.com> Message-ID: <20081118080720.GI1177@sphe.res.cmu.edu> On 2008-11-17 05:47:55 PM, ankh at dtrclan.com wrote: > As for my experience and skill, I have not actually had any formal > learning, everything I know is from making crappy sites and testing > various methods until finding ones that I like. I do know a fair bit of > HTML, some javascript, PHP and CSS. I have dabbled in XML and XHTML. Welcome! Contributing to Fedora is a great way to gain experience/skill in web development/design. If you're interested, we have some open tasks at http://tinyurl.com/5w6hp8 and http://fedoraproject.org/wiki/Websites/Tasks, and we also meet every Monday if you can make it (details at http://fedoraproject.org/wiki/Websites/Meetings). Also, we hang out on #fedora-websites on irc.freenode.net, if you're on IRC. Let us know if you have any questions, Ricky -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From ricky at fedoraproject.org Tue Nov 18 08:35:23 2008 From: ricky at fedoraproject.org (Ricky Zhou) Date: Tue, 18 Nov 2008 03:35:23 -0500 Subject: get-fedora renders unusually thin columns in Google Chrome In-Reply-To: <4921F442.2010404@neoturbine.net> References: <4921F442.2010404@neoturbine.net> Message-ID: <20081118083523.GK1177@sphe.res.cmu.edu> On 2008-11-17 05:46:26 PM, Steven Bularca wrote: > I would like to bring to everyone's attention that the get-fedora page > http://publictest15.fedoraproject.org/en/get-fedora appears distorted > when viewing with Google Chrome on Windows XP SP3. I have been told > from Rick Zhou that the bug is reproducible in Konqueror aswell. > > I have attached two screenshots, one with Google Chrome, the other with > FireFox 3. Both browser windows are of approximately the same size. I've tried to fix that in git right now - can you check if it looks right now? I tried to do some testing tonight, and I think IE6 might fail to show the buttons on the right - can somebody with access to IE6 verify that (it'd be even more amazing if they could try to fix the CSS, as I don't have access to IE6 to test with). Thanks, Ricky -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From hydra84 at gmail.com Tue Nov 18 11:36:06 2008 From: hydra84 at gmail.com (Paolo Leoni) Date: Tue, 18 Nov 2008 12:36:06 +0100 Subject: Fedora 10 release banner In-Reply-To: <492040EE.8030605@gmail.com> References: <492040EE.8030605@gmail.com> Message-ID: <4922A8A6.3070704@gmail.com> This is a possible release banner (big): http://pleoni.altervista.org/fedora10-0day-banner.svg http://pleoni.altervista.org/fedora10-0day-banner.png -- Paolo Leoni ~ http://pleoni.altervista.org GPG fingerprint: DAD1 6419 D42B 0B1C D9E1 A9CB 4587 4812 17F7 F764 From ra.jana at yahoo.co.uk Tue Nov 18 18:45:05 2008 From: ra.jana at yahoo.co.uk (R. Jana) Date: Tue, 18 Nov 2008 18:45:05 +0000 (GMT) Subject: (no subject) Message-ID: <134748.89671.qm@web26601.mail.ukl.yahoo.com> how can remove from fedora mailing list? -------------- next part -------------- An HTML attachment was scrubbed... URL: From meuligo_aa at yahoo.com Wed Nov 19 08:34:56 2008 From: meuligo_aa at yahoo.com (afwan halim) Date: Wed, 19 Nov 2008 00:34:56 -0800 (PST) Subject: (no subject) Message-ID: <168327.21870.qm@web32407.mail.mud.yahoo.com> -------------- next part -------------- An HTML attachment was scrubbed... URL: From Rick.Noelle at definition6.com Thu Nov 20 17:19:25 2008 From: Rick.Noelle at definition6.com (Rick Noelle) Date: Thu, 20 Nov 2008 12:19:25 -0500 Subject: User signup not working? Message-ID: <120F709F273B0943BAAE254D6903FB5B0124EA1A@ex2k3.def6.com> Hi, I'm trying to sign up for a fedora login but I did not receive my initial email with my password. I tried the "Forgot Password" link as well and it reported that a password reminder has been sent but I did not receive it. I've tested the recipient email address and made sure spam filters are disabled, etc. but not having much luck. The login I created is "jdictionary" and the email address is rick at jdictionary.com. Thanks a lot, Rick Noelle -------------- next part -------------- An HTML attachment was scrubbed... URL: From tufan at ymail.com Sun Nov 23 13:21:54 2008 From: tufan at ymail.com (=?iso-8859-1?Q?Tufan_=E7etin?=) Date: Sun, 23 Nov 2008 05:21:54 -0800 (PST) Subject: Turkish Website Message-ID: <862119.61381.qm@web59516.mail.ac4.yahoo.com> I want to join Turkish Translate group. What can I do for join? I'm waiting your reply, Emin Tufan Cetin -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdious at fedoraproject.org Sun Nov 23 21:31:06 2008 From: mdious at fedoraproject.org (Murray McAllister) Date: Sun, 23 Nov 2008 21:31:06 +0000 (UTC) Subject: web/html/docs/selinux-guide index.php,1.3,1.4 Message-ID: <20081123213106.22AEE700FE@cvs1.fedora.phx.redhat.com> Author: mdious Update of /cvs/fedora/web/html/docs/selinux-guide In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28748/selinux-guide Modified Files: index.php Log Message: test commit Index: index.php =================================================================== RCS file: /cvs/fedora/web/html/docs/selinux-guide/index.php,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- index.php 15 Nov 2008 02:24:02 -0000 1.3 +++ index.php 23 Nov 2008 21:30:35 -0000 1.4 @@ -27,6 +27,7 @@ Fedora 10 SELinux User Guide (US English)

	Fedora 10 SELinux Guide	Fedora 10 User SELinux Guide
	- Fedora 10 SELinux Guide - Preview (US English) + Fedora 10 SELinux User Guide - Preview (US English)
+

	Fedora 10 Installation Guide
	+ + Fedora 10 Installation Guide - (US English) now available. + +
+ + Translations to multiple languages are underway. Return to the Fedora 10 Installation Guide page, keep a watch on Fedora News, or fedora-announce-list for updates on translated versions. + +

7.??How are Things for Developers

7.1.??Java

7.1.??Runtime

7.1.1.??Python NSS bindings

7.2.??Java

7.1.1.??Best of breed free software Java implementation

7.2.1.??Best of breed free software Java implementation

7.1.2.??Handling Java Applets and web start applications

7.2.2.??Handling Java Applets and web start applications

7.1.3.??New integration with other Fedora technologies

7.2.3.??New integration with other Fedora technologies

7.1.3.1.??VisualVM integration through the NetBeans framework

7.2.3.1.??VisualVM integration through the NetBeans framework

7.1.3.2.??PulseAudio integration for +7.2.3.2.??PulseAudio integration for javax.sound PulseAudio integrations provides all the benefits of @@ -125,21 +147,21 @@ javax.sound package.

7.2.3.2.??PulseAudio integration for javax.sound

7.1.3.3.??Integration of Mozilla Rhino - JavaScript

7.2.3.3.??Integration of Mozilla Rhino - JavaScript

7.1.3.4.??Other improvements

7.2.3.4.??Other improvements

7.1.4.??Fedora and JPackage

7.2.4.??Fedora and JPackage

7.1.5.??Note on upgrading from Fedora 8 - OpenJDK Replaces IcedTea

7.2.5.??Note on upgrading from Fedora 8 - OpenJDK Replaces IcedTea

7.2.??Tools

7.3.??Tools

7.2.1.??Eclipse

7.3.1.??Eclipse

7.2.1.1.??Additional plugins

7.3.1.1.??Additional plugins

7.2.1.2.??Translations from the Babel project - eclipse-nls

7.3.1.2.??Translations from the Babel project - eclipse-nls

7.2.1.3.??Upgrading from Fedora 9

7.3.1.3.??Upgrading from Fedora 9

7.2.2.??Emacs

7.3.2.??Emacs

7.2.3.??GCC Compiler Collection

7.3.3.??GCC Compiler Collection

7.2.3.1.??Target-specific improvements

7.3.3.1.??Target-specific improvements

7.2.3.1.1.??IA-32 x86-64

7.3.3.1.1.??IA-32 x86-64

7.2.4.??Improved Haskell support

7.3.4.??Improved Haskell support

7.2.5.??Objective CAML OCaml coverage greatly extended

7.3.5.??Extended Objective CAML OCaml Coverage

7.2.6.??NetBeans

7.3.6.??NetBeans

7.2.6.1.??NetBean resources

7.3.6.1.??NetBean resources

7.2.7.??AMQP Infrastructure

7.3.7.??AMQP Infrastructure

7.2.7.1.??AMQP resources

7.3.7.1.??AMQP resources

7.2.8.??Appliance building tools

7.3.8.??Appliance building tools

7.2.8.1.??Appliance Creation Tool

7.3.8.1.??Appliance Creation Tool

7.2.8.2.??Appliance Operating System

7.3.8.2.??Appliance Operating System

7.2.8.3.??Appliance building tools resources

7.3.8.3.??Appliance building tools resources

7.3.??Linux kernel

7.4.??Linux kernel

7.3.1.??Version

7.4.1.??Version

7.3.2.??Changelog

7.4.2.??Changelog

7.3.3.??Kernel flavors

7.4.3.??Kernel flavors

7.3.4.??Preparing for kernel development

7.4.4.??Preparing for kernel development

7.3.5.??Reporting bugs

7.4.5.??Reporting bugs

7.4.??Embedded

7.5.??Embedded

7.4.1.??AVR

7.5.1.??AVR

7.4.2.??Microchip PIC

7.5.2.??Microchip PIC

7.4.3.??Others and processor agnostic

7.1.3.2.??PulseAudio integration for +
7.2.3.2.??PulseAudio integration for javax.sound

PulseAudio integrations provides all the benefits of @@ -125,21 +147,21 @@ javax.sound package.

`2.1.3.1.??PXE booting from a .iso`

2.1.4.2.4.??Update the `grub.conf` kernel root entry