web/html/docs/selinux-guide/f10/en-US appe-Security-Enhanced_Linux-Revision_History.html, 1.1, 1.2 chap-Security-Enhanced_Linux-Confining_Users.html, 1.1, 1.2 chap-Security-Enhanced_Linux-Introduction.html, 1.1, 1.2 chap-Security-Enhanced_Linux-SELinux_Contexts.html, 1.1, 1.2 chap-Security-Enhanced_Linux-Targeted_Policy.html, 1.1, 1.2 chap-Security-Enhanced_Linux-Trademark_Information.html, 1.1, 1.2 chap-Security-Enhanced_Linux-Troubleshooting.html, 1.1, 1.2 chap-Security-Enhanced_Linux-Working_with_SELinux.html, 1.1, 1.2 index.html, 1.1, 1.2 pr01s02.html, 1.1, 1.2 pref-Security-Enhanced_Linux-Preface.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Introduction-Examples.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html, 1.1, 1.2 
sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html, 1.1, 1.2 sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html, 1.1, 1.2 sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html, 1.1, 1.2 sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html, 1.1, 1.2 
sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html, 1.1, 1.2 sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html, 1.1, 1.2

Karsten Wade kwade at fedoraproject.org
Mon Nov 24 20:30:39 UTC 2008


Author: kwade

Update of /cvs/fedora/web/html/docs/selinux-guide/f10/en-US
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25508

Modified Files:
	appe-Security-Enhanced_Linux-Revision_History.html 
	chap-Security-Enhanced_Linux-Confining_Users.html 
	chap-Security-Enhanced_Linux-Introduction.html 
	chap-Security-Enhanced_Linux-SELinux_Contexts.html 
	chap-Security-Enhanced_Linux-Targeted_Policy.html 
	chap-Security-Enhanced_Linux-Trademark_Information.html 
	chap-Security-Enhanced_Linux-Troubleshooting.html 
	chap-Security-Enhanced_Linux-Working_with_SELinux.html 
	index.html pr01s02.html 
	pref-Security-Enhanced_Linux-Preface.html 
	sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html 
	sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html 
	sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html 
	sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html 
	sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html 
	sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html 
	sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html 
	sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html 
	sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html 
	sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html 
	sect-Security-Enhanced_Linux-Introduction-Examples.html 
	sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html 
	sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html 
	sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html 
	sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html 
	sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html 
	sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html 
	sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html 
	sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html 
	sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html 
	sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html 
	sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html 
	sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html 
	sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html 
	sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html 
	sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html 
	sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html 
	sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html 
	sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html 
	sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html 
	sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html 
	sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html 
	sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html 
	sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html 
	sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html 
	sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html 
	sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html 
	sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html 
Log Message:
Fedora 10 build ready


Index: appe-Security-Enhanced_Linux-Revision_History.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/appe-Security-Enhanced_Linux-Revision_History.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- appe-Security-Enhanced_Linux-Revision_History.html	11 Nov 2008 22:56:28 -0000	1.1
+++ appe-Security-Enhanced_Linux-Revision_History.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Appendix A. Revision History</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Fixing_Problems-audit2allow.html" title="7.3.6. audit2allow"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Appendix A. Revision History</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-audit2allow.html"><strong>Prev</strong></a></li><li class="next"/></ul><div class="appendix" lang="en-US"><div class="titlepage"><div><div><h1 id="appe-Security-Enhanced_Linux-Revision_History" class="title">Revision History</h1></div><div><div class="revhistory"><table border="1" width="100
 %" summary="Revision history"><tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr><tr><td align="left">Revision 1.0</td><td align="left"/><td align="left"><span class="firstname"><br/></span><span class="surname"><br/></span><code class="email"><a class="email" href="mailto:"/></code></td></tr><tr><td align="left" colspan="3">
-			<table class="simplelist" border="0" summary="Simple list"><tr><td/></tr></table>
-		</td></tr></table></div></div></div></div><p>
-		zing
-	</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-audit2allow.html"><strong>Prev</strong>7.3.6. audit2allow</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li></ul></body></html>
\ No newline at end of file
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Appendix A. Revision History</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="chap-Security-Enhanced_Linux-Further_Information.html" title="Chapter 8. Further Information"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Appendix A. Revision History</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Further_Information.html"><strong>Prev</strong></a></li><li class="next"/></ul><div class="appendix" lang="en-US"><div class="titlepage"><div><div><h1 id="appe-Security-Enhanced_Linux-Revision_History" class="title">Revision 
 History</h1></div></div></div><p>
+		<div class="revhistory"><table border="0" width="100%" summary="Revision history"><tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr><tr><td align="left">Revision 1.0</td><td align="left">Tuesday November 24 2008</td><td align="left"><span class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></span></td></tr><tr><td align="left" colspan="3">
+					<table class="simplelist" border="0" summary="Simple list"><tr><td>Initial content release on <a href="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</a></td></tr></table>
+				</td></tr></table></div>
+	</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Further_Information.html"><strong>Prev</strong>Chapter 8. Further Information</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li></ul></body></html>
\ No newline at end of file
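Review bot: the rebuilt revision history nests block content inside a paragraph: the title block ends with `<p>`, the next added line opens `<div class="revhistory"><table border="0" ...>`, and that paragraph is only closed by the `</p>` that follows `</table></div>`. XHTML 1.0 Strict, which the `<!DOCTYPE>` at the top of this file declares, does not permit `div` or `table` inside `p`, so this page will not validate against its own DTD; the generator (publican, per the `meta` tag) should emit the revhistory `div` as a sibling of the paragraph, not a child. Two smaller points: the new revision row reads `Tuesday November 24 2008`, but this commit is stamped `Mon Nov 24 20:30:39 UTC 2008`, so the weekday is wrong; and the new `prev` link targets `chap-Security-Enhanced_Linux-Further_Information.html`, which is not in the Modified Files list above, so confirm that file is actually present in the f10/en-US tree before this build goes live.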


Index: chap-Security-Enhanced_Linux-Confining_Users.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/chap-Security-Enhanced_Linux-Confining_Users.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Confining_Users.html	11 Nov 2008 22:56:28 -0000	1.1
+++ chap-Security-Enhanced_Linux-Confining_Users.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,16 +1,19 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 6. Confining Users</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html" title="5.10.5. Archiving Files with star"/><link rel="next" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html" title="6.2. Confining New Linux Users: useradd"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 6. Confining Users</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Prev</strong></a></li><li class="next"><a acc
 esskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Confining_Users">Chapter 6. Confining Users</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Confining_Users.html#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html">6.3. Confining Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="sect-Security-Enhance
 d_Linux-Confining_Users-Changing_the_Default_Mapping.html">6.4. Changing the Default Mapping</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html">6.5. xguest: Kiosk Mode</a></span></dt></dl></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 6. Confining Users</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html" title="5.10.5. Archiving Files with star"/><link rel="next" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html" title="6.2. Confining New Linux Users: useradd"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 6. Confining Users</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archivi
 ng_Files_with_star.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Confining_Users">Chapter 6. Confining Users</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Confining_Users.html#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html">6.3. Confining Existing Linux Users: semanage
  login</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html">6.4. Changing the Default Mapping</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html">6.5. xguest: Kiosk Mode</a></span></dt></dl></div><p>
 		A number of confined SELinux users are available in Fedora 10. Each Linux user is mapped to an SELinux user via SELinux policy, allowing Linux users to inherit the restrictions on SELinux users, for example (depending on the user), not being able to: run the X Window System, use networking, run setuid applications (unless SELinux policy permits it), or run the <code class="command">su</code> and <code class="command">sudo</code> commands to become the Linux root user. This helps protect the system from the user. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html" title="4.3. Confined and Unconfined Users">Section 4.3, “Confined and Unconfined Users”</a> for further information about confined users in Fedora 10.
 	</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</h2></div></div></div><p>
-			As the Linux root user, run the <code class="command">/usr/sbin/semanage login -l</code> command to view the mapping between Linux users and SELinux users:
+			As the Linux root user, run the <code class="command">semanage login -l</code> command to view the mapping between Linux users and SELinux users:
 		</p><pre class="screen"># /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023</pre><p>
-			In Fedora 10, Linux users are mapped to the SELinux <code class="computeroutput">__default__</code> login by default (which is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user). When a Linux user is created with the <code class="command">/usr/sbin/useradd</code> command, if no options are specified, they are mapped to the SELinux <code class="computeroutput">unconfined_u</code> user. The following defines the default-mapping:
-		</p><pre class="screen">__default__               unconfined_u              s0-s0:c0.c1023</pre></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Prev</strong>5.10.5. Archiving Files with star</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Next</strong>6.2. Confining New Linux Users: useradd</a></li></ul></body></html>
\ No newline at end of file
+system_u                  system_u                  s0-s0:c0.c1023
+</pre><p>
+			In Fedora 10, Linux users are mapped to the SELinux <code class="computeroutput">__default__</code> login by default (which is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user). When a Linux user is created with the <code class="command">useradd</code> command, if no options are specified, they are mapped to the SELinux <code class="computeroutput">unconfined_u</code> user. The following defines the default-mapping:
+		</p><pre class="screen">
+__default__               unconfined_u              s0-s0:c0.c1023
+</pre></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Prev</strong>5.10.5. Archiving Files with star</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Next</strong>6.2. Confining New Linux Users: useradd</a></li></ul></body></html>
\ No newline at end of file
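Review bot: the added prose now says to run `semanage login -l`, but the unchanged transcript directly below still shows `# /usr/sbin/semanage login -l`, so the text and its example disagree about the command form; the same change was made for `useradd`. Use one form in both places: since the sentence already requires running as the Linux root user, the bare command works, so the simplest fix is to drop `/usr/sbin/` from the transcript prompt as well. Also, `default-mapping` in the added paragraph should read `default mapping` (no hyphen).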


Index: chap-Security-Enhanced_Linux-Introduction.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/chap-Security-Enhanced_Linux-Introduction.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Introduction.html	11 Nov 2008 22:56:28 -0000	1.1
+++ chap-Security-Enhanced_Linux-Introduction.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,48 +1,48 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 2. Introduction</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="chap-Security-Enhanced_Linux-Trademark_Information.html" title="Chapter 1. Trademark Information"/><link rel="next" href="sect-Security-Enhanced_Linux-Introduction-Examples.html" title="2.2. Examples"/></head><body class="draft"><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 2. Introduction</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Introduction-Examples.html"><strong>Next</strong></a></li></ul><
 div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Introduction">Chapter 2. Introduction</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-Examples.html">2.2. Examples</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture_and_Performance.html">2.3. SELinux Architecture and Performance</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html">2.4. SELinux on other Operating Systems</a></span></dt></dl></div><p>
-		Files, such as directories and devices, are called objects. Processes, such as a user running a command or the <span class="trademark">Mozilla</span>®<span class="trademark"> Firefox</span>® application, are called subjects. Most operating systems use a Discretionary Access Control (DAC) system that controls how subjects interact with objects, and how subjects interact with each other. On operating systems using DAC, users control the permissions of files (objects) that they own. On <span class="trademark">Linux</span>® operating systems, users can make their home directories world-readable, giving users and processes (subjects) access to potentially sensitive information.
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 2. Introduction</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="chap-Security-Enhanced_Linux-Trademark_Information.html" title="Chapter 1. Trademark Information"/><link rel="next" href="sect-Security-Enhanced_Linux-Introduction-Examples.html" title="2.2. Examples"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 2. Introduction</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-
 Introduction-Examples.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Introduction">Chapter 2. Introduction</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-Examples.html">2.2. Examples</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html">2.4. SELinux on Other Operating Systems</a></span></dt></dl></div><p>
+		Files, such as directories and devices, are called objects. Processes, such as a user running a command or the <span class="trademark">Mozilla</span>®<span class="trademark"> Firefox</span>® application, are called subjects. Most operating systems use a Discretionary Access Control (DAC) system that controls how subjects interact with objects, and how subjects interact with each other. On operating systems using DAC, users control the permissions of files (objects) that they own. For example, on <span class="trademark">Linux</span>® operating systems, users can make their home directories world-readable, giving users and processes (subjects) access to potentially sensitive information.
 	</p><p>
-		DAC mechanisms are fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over their files, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's files, so no protection is provided against malicious software. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs can be exploited to obtain complete system access.<sup>[<a id="d0e445" href="#ftn.d0e445" class="footnote">1</a>]</sup>
+		DAC mechanisms are fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over their files, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's files, so no protection is provided against malicious software. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs can be exploited to obtain complete system access.<sup>[<a id="d0e465" href="#ftn.d0e465" class="footnote">1</a>]</sup>
 	</p><p>
 		The following is an example of permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions in these examples may differ from your system. Use the <code class="command">ls -l</code> command to view file permissions:
 	</p><pre class="screen">$ ls -l file1
--rwxrw-r-- 1 user1 group1 0 Aug 18 10:08 file1</pre><p>
-		The first three permission bits, <code class="computeroutput">rwx</code>, control the access the Linux <code class="computeroutput">user1</code> user (in this case, the owner) has to <code class="filename">file1</code>. The next three permission bits, <code class="computeroutput">rw-</code>, control the access the Linux <code class="computeroutput">group1</code> group has to <code class="filename">file1</code>. The last three permission bits, <code class="computeroutput">r--</code>, control the access everyone else has to <code class="filename">file1</code>. This includes all processes and users.
+-rwxrw-r-- 1 user1 group1 0 2008-11-21 15:42 file1
+</pre><p>
+		The first three permission bits, <code class="computeroutput">rwx</code>, control the access the Linux <code class="computeroutput">user1</code> user (in this case, the owner) has to <code class="filename">file1</code>. The next three permission bits, <code class="computeroutput">rw-</code>, control the access the Linux <code class="computeroutput">group1</code> group has to <code class="filename">file1</code>. The last three permission bits, <code class="computeroutput">r--</code>, control the access everyone else has to <code class="filename">file1</code>, which includes all users and processes.
 	</p><p>
-		Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as from a
 uthorized users who have unwittingly executed malicious applications.<sup>[<a id="d0e487" href="#ftn.d0e487" class="footnote">2</a>]</sup>
+		Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as from a
 uthorized users who have unwittingly executed malicious applications.<sup>[<a id="d0e507" href="#ftn.d0e507" class="footnote">2</a>]</sup>
 	</p><p>
 		The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the <code class="command">ls -Z</code> command:
-	</p><pre class="screen">$ls -Z file1
--rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1</pre><p>
-		In this example, SELinux provides a user (<code class="computeroutput">unconfined_u</code>), a role (<code class="computeroutput">object_r</code>), a type (<code class="computeroutput">user_home_t</code>), and a level (<code class="computeroutput">s0</code>). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
-	</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Introduction-Linux_and_SELinux_users">Linux and SELinux users</h5>
+	</p><pre class="screen">$ ls -Z file1
+-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
+</pre><p>
+		In this example, SELinux provides a user (<code class="computeroutput">unconfined_u</code>), a role (<code class="computeroutput">object_r</code>), a type (<code class="computeroutput">user_home_t</code>), and a level (<code class="computeroutput">s0</code>). This information is used to make access control decisions. With DAC, access is controlled based only on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
+	</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Introduction-Linux_and_SELinux_Users">Linux and SELinux Users</h5>
 			On Linux operating systems that run SELinux, there are Linux users as well as SELinux users. SELinux users are part of SELinux policy. Linux users are mapped to SELinux users. To avoid confusion, this guide uses "Linux user" and "SELinux user" to differentiate between the two.
-		<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</h2></div></div></div><p>
-			SELinux provides:
-		</p><div class="itemizedlist"><ul><li><p>
+		<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</h2></div></div></div><div class="itemizedlist"><ul><li><p>
 					All processes and files are labeled with a type. A type defines a domain for processes, and a type for files. Processes are separated from each other by running in their own domains, and SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it.
 				</p></li><li><p>
 					Fine-grained access control. Stepping beyond traditional <span class="trademark">UNIX</span>® permissions that are controlled at user discretion and based on Linux user and group IDs, SELinux access decisions are based on all available information, such as an SELinux user, role, type, and, optionally, a level.
 				</p></li><li><p>
 					SELinux policy is administratively-defined, enforced system-wide, and is not set at user discretion.
 				</p></li><li><p>
-					Reduced vulnerability to privilege escalation attacks. One example: since processes run in domains, and are therefore separated from each other, and SELinux policy rules determine how processes access files and other processes, if a service is compromised, the attacker only has access to the normal functions of that service, and to files that the service has been configured to have access to. For example, if the Apache HTTP Server is compromised, an attacker is unable to read files in user home directories, unless a specific SELinux policy rule was added or configured to allow such access.
+					Reduced vulnerability to privilege escalation attacks. One example: since processes run in domains, and are therefore separated from each other, and SELinux policy rules define how processes access files and other processes, if a process is compromised, the attacker only has access to the normal functions of that process, and to files the process has been configured to have access to. For example, if the Apache HTTP Server is compromised, an attacker can not use that process to read files in user home directories, unless a specific SELinux policy rule was added or configured to allow such access.
+				</p></li><li><p>
+					SELinux can be used to enforce data confidentiality and integrity, as well as protecting processes from untrusted inputs.
 				</p></li></ul></div><p>
-			SELinux can be used to enforce data confidentiality and integrity, as well as protecting processes from untrusted inputs.
-		</p><p>
 			SELinux is not:
 		</p><div class="itemizedlist"><ul><li><p>
-					Antivirus software.
+					antivirus software.
 				</p></li><li><p>
-					A replacement for passwords, firewalls, or other security systems.
+					a replacement for passwords, firewalls, or other security systems.
 				</p></li><li><p>
-					An all-in-one security solution.
+					an all-in-one security solution.
 				</p></li></ul></div><p>
 			SELinux is designed to enhance existing security solutions, not replace them. Even when running SELinux, continue to follow good security practices, such as keeping software up-to-date, using hard-to-guess passwords, firewalls, and so on.
-		</p></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e445" href="#d0e445" class="para">1</a>] </sup>
+		</p></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e465" href="#d0e465" class="para">1</a>] </sup>
 			"Integrating Flexible Support for Security Policies into the Linux Operating System", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <a href="http://www.nsa.gov/selinux/papers/freenix01/freenix01.html">original paper</a> for details and the document as it was first released. Any edits and changes were done by Murray McAllister.
-		</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e487" href="#d0e487" class="para">2</a>] </sup>
+		</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e507" href="#d0e507" class="para">2</a>] </sup>
 			"Meeting Critical Security Objectives with Security-Enhanced Linux", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <a href="http://www.nsa.gov/selinux/papers/ottawa01/index.html">original paper</a> for details and the document as it was first released. Any edits and changes were done by Murray McAllister.
 		</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Prev</strong>Chapter 1. Trademark Information</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Introduction-Examples.html"><strong>Next</strong>2.2. Examples</a></li></ul></body></html>
\ No newline at end of file
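Review bot: removing the "SELinux provides:" lead-in (the `-` lines at the top of section 2.1) leaves the first bullet list hanging directly under the heading, so the item "Fine-grained access control." is now a bare fragment with nothing it completes, while the "SELinux is not:" list two paragraphs later keeps its lead-in and has its items lowercased to read as continuations of it. Either restore a lead-in sentence before the first list or rewrite that item as a full sentence, and use one capitalization convention for both lists. Two smaller points: the heading id changes from `...-Linux_and_SELinux_users` to `...-Linux_and_SELinux_Users`, which silently breaks any inbound link to the old anchor, so check the other pages in this changeset for the old id; and the footnote anchors are renumbered (`ftn.d0e445` to `ftn.d0e465`, `d0e487` to `d0e507`) but the body-side reference for footnote 1 is outside this hunk, so confirm its `id`/`href` pair was updated as well, or `#ftn.d0e465` becomes a dangling link.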


Index: chap-Security-Enhanced_Linux-SELinux_Contexts.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/chap-Security-Enhanced_Linux-SELinux_Contexts.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-SELinux_Contexts.html	11 Nov 2008 22:56:28 -0000	1.1
+++ chap-Security-Enhanced_Linux-SELinux_Contexts.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,39 +1,48 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 3. SELinux Contexts</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html" title="2.4. SELinux on other Operating Systems"/><link rel="next" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html" title="3.2. SELinux Contexts for Processes"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 3. SELinux Contexts</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n"
  href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-SELinux_Contexts">Chapter 3. SELinux Contexts</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-SELinux_Contexts.html#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html">3.3. SELinux Contexts for Users</a></span></dt></dl></div><p>
-		As previously mentioned, on most operating systems, files, directories, sockets, devices, and so on, are called objects, and processes, such as a user running a command, the Firefox application, and the Apache HTTP Server, are called subjects. SELinux provides flexible MAC that supports a variety of different security models. In Fedora 10, SELinux provides a combination of Role-Based Access Control (RBAC), <span class="trademark">Type Enforcement</span>® (TE), and optionally, Multi-Level Security (MLS). Subjects and objects are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level. When running SELinux, all of this information is used to make access control decisions.
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 3. SELinux Contexts</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html" title="2.4. SELinux on Other Operating Systems"/><link rel="next" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html" title="3.2. SELinux Contexts for Processes"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 3. SELinux Contexts</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating
 _Systems.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-SELinux_Contexts">Chapter 3. SELinux Contexts</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-SELinux_Contexts.html#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html">3.3. SELinux Contexts for Users</a></span></dt></dl></div><p>
+		Processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level. When running SELinux, all of this information is used to make access control decisions. In Fedora 10, SELinux provides a combination of Role-Based Access Control (RBAC), <span class="trademark">Type Enforcement</span>® (TE), and, optionally, Multi-Level Security (MLS).
 	</p><p>
-		The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the <code class="command">ls -Z</code> command:
+		The following is an example SELinux context. SELinux contexts are used on processes, Linux users, and files, on Linux operating systems that run SELinux. Use the <code class="command">ls -Z</code> command to view the SELinux context of files and directories:
 	</p><pre class="screen">$ ls -Z file1
--rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1</pre><p>
+-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1
+</pre><p>
 		SELinux contexts follow the <span class="emphasis"><em>SELinux user:role:type:level</em></span> syntax:
 	</p><div class="variablelist"><dl><dt><span class="term"><span class="emphasis"><em>SELinux user</em></span></span></dt><dd><p>
-					The SELinux user identity is an identity known to the policy that is authorized for a specific set of roles and for a specific MLS range. Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions on SELinux users. The mapped SELinux user identity is used in the SELinux context for processes in that session in order to bound what roles and levels they can enter. Run the <code class="command">/usr/sbin/semanage login -l</code> command to view a list of mappings between SELinux and Linux user accounts:
-				</p><pre class="screen">Login Name                SELinux User              MLS/MCS Range
+					The SELinux user identity is an identity known to the policy that is authorized for a specific set of roles, and for a specific MLS range. Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions on SELinux users. The mapped SELinux user identity is used in the SELinux context for processes in that session, in order to bound what roles and levels they can enter. Run the <code class="command">semanage login -l</code> command as the Linux root user to view a list of mappings between SELinux and Linux user accounts:
+				</p><pre class="screen">
+# /usr/sbin/semanage login -l
+
+Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023</pre><p>
-					Output may differ from system to system. The <code class="computeroutput">Login Name</code> column lists Linux users, and the the <code class="computeroutput">SELinux User</code> column lists which SELinux user is mapped to which Linux user. For processes, the SELinux user limits which roles and levels are accessible. The last column, <code class="computeroutput">MLS/MCS Range</code>, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS). Levels are discussed briefly later.
+system_u                  system_u                  s0-s0:c0.c1023
+</pre><p>
+					Output may differ from system to system. The <code class="computeroutput">Login Name</code> column lists Linux users, and the the <code class="computeroutput">SELinux User</code> column lists which SELinux user is mapped to which Linux user. For processes, the SELinux user limits which roles and levels are accessible. The last column, <code class="computeroutput">MLS/MCS Range</code>, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS). Levels are briefly discussed later.
 				</p></dd><dt><span class="term"><span class="emphasis"><em>role</em></span></span></dt><dd><p>
 					Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for domains. The role serves as an intermediary between domains and SELinux users. The roles that can be entered determine which domains can be entered - ultimately, this controls which object types can be accessed. This helps reduce vulnerability to privilege escalation attacks.
 				</p></dd><dt><span class="term"><span class="emphasis"><em>type</em></span></span></dt><dd><p>
 					The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
 				</p></dd><dt><span class="term"><span class="emphasis"><em>level</em></span></span></dt><dd><p>
-					The level is an attribute of MLS and Multi-Category Security (MCS). An MLS range is a pair of levels, written as <span class="emphasis"><em>lowlevel-highlevel</em></span> if the levels differ, or <span class="emphasis"><em>lowlevel</em></span> if the levels are identical (<code class="computeroutput">s0-s0</code> is the same as <code class="computeroutput">s0</code>). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as <span class="emphasis"><em>sensitivity:category-set</em></span>. If there are no categories, it is written as <span class="emphasis"><em>sensitivity</em></span>. If the category set is a contiguous series, it can be abbreviated. For example, <code class="computeroutput">c0.c3</code> is the same as <code class="computeroutput">c0,c1,c2,c3</code>. The <code class="filename">/etc/selinux/targeted/setrans.conf</code> file maps levels (<code class="computeroutput">s0:c0</code>) to human-re
 adable form (<code class="computeroutput">CompanyConfidential</code>). Do not allow end-users to edit <code class="filename">setrans.conf</code>. It is recommended that changes to <code class="filename">setrans.conf</code> be made using <code class="command">/usr/sbin/semanage</code>. Refer to the <span class="citerefentry"><span class="refentrytitle">semanage</span>(8)</span> manual page for further information. In Fedora 10, targeted policy enforces MCS, and in MCS, there is only one sensitivity, <code class="computeroutput">s0</code>. MCS in Fedora 10 supports 1024 different categories: <code class="computeroutput">c0</code> through to <code class="computeroutput">c1023</code>. <code class="computeroutput">s0-s0:c0.c1023</code> is sensitivity <code class="computeroutput">s0</code>, and authorized for all categories.
+					The level is an attribute of MLS and Multi-Category Security (MCS). An MLS range is a pair of levels, written as <span class="emphasis"><em>lowlevel-highlevel</em></span> if the levels differ, or <span class="emphasis"><em>lowlevel</em></span> if the levels are identical (<code class="computeroutput">s0-s0</code> is the same as <code class="computeroutput">s0</code>). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as <span class="emphasis"><em>sensitivity:category-set</em></span>. If there are no categories, it is written as <span class="emphasis"><em>sensitivity</em></span>.
+				</p><p>
+					If the category set is a contiguous series, it can be abbreviated. For example, <code class="computeroutput">c0.c3</code> is the same as <code class="computeroutput">c0,c1,c2,c3</code>. The <code class="filename">/etc/selinux/targeted/setrans.conf</code> file maps levels (<code class="computeroutput">s0:c0</code>) to human-readable form (<code class="computeroutput">CompanyConfidential</code>). Do not edit <code class="filename">setrans.conf</code> with a text editor: use <code class="command">semanage</code> to make changes. Refer to the <span class="citerefentry"><span class="refentrytitle">semanage</span>(8)</span> manual page for further information. In Fedora 10, targeted policy enforces MCS, and in MCS, there is one sensitivity, <code class="computeroutput">s0</code>. MCS in Fedora 10 supports 1024 different categories: <code class="computeroutput">c0</code> through to <code class="computeroutput">c1023</code>. <code class="computeroutput">s0-s0:c0.c1023</code> is
  sensitivity <code class="computeroutput">s0</code> and authorized for all categories.
 				</p><p>
 					MLS enforces the <a href="http://en.wikipedia.org/wiki/Bell-LaPadula_model">Bell-LaPadula Mandatory Access Model</a>, and is used in Labeled Security Protection Profile (LSPP) environments. To use MLS restrictions, install the <span class="package">selinux-policy-mls</span> package, and configure MLS to be the default SELinux policy. The MLS policy shipped with Fedora omits many program domains that were not part of the evaluated configuration, and therefore, MLS on a desktop workstation is unusable (no support for the X Window System); however, an MLS policy from the <a href="http://oss.tresys.com/projects/refpolicy">upstream SELinux Reference Policy</a> can be built that includes all program domains.
 				</p></dd></dl></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</h2></div></div></div><p>
 			A process in one domain transitions to another domain by executing an application that has the <code class="computeroutput">entrypoint</code> type for the new domain. The <code class="computeroutput">entrypoint</code> permission is used in SELinux policy, and controls which applications can be used to enter a domain. The following example demonstrates a domain transition:
 		</p><div class="orderedlist"><ol><li><p>
-					A users wants to change their password. To change their password, they run the <code class="command">/usr/bin/passwd</code> application. The <code class="filename">/usr/bin/passwd</code> file is labeled with the <code class="computeroutput">passwd_exec_t</code> type:
+					A users wants to change their password. To change their password, they run the <code class="command">passwd</code> application. The <code class="filename">/usr/bin/passwd</code> file is labeled with the <code class="computeroutput">passwd_exec_t</code> type:
 				</p><pre class="screen">$ ls -Z /usr/bin/passwd
--rwsr-xr-x  root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd</pre><p>
-					The <span class="application"><strong>passwd</strong></span> application needs to access the <code class="filename">/etc/shadow</code> file, which is labeled with the <code class="computeroutput">shadow_t</code> type:
+-rwsr-xr-x  root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
+</pre><p>
+					The <span class="application"><strong>passwd</strong></span> application accesses <code class="filename">/etc/shadow</code>, which is labeled with the <code class="computeroutput">shadow_t</code> type:
 				</p><pre class="screen">$ ls -Z /etc/shadow
--r--------  root root system_u:object_r:shadow_t:s0    /etc/shadow</pre></li><li><p>
-					An SELinux policy rule states that processes running in the <code class="computeroutput">passwd_t</code> domain are allowed to read and write to files that are labeled with the <code class="computeroutput">shadow_t</code> type. Only files and their back up copies that are required for a password change, such as <code class="filename">/etc/gshadow</code>, <code class="filename">/etc/gshadow-</code> and <code class="filename">/etc/shadow</code>, are labeled with the <code class="computeroutput">shadow_t</code> type.
+-r--------  root root system_u:object_r:shadow_t:s0    /etc/shadow
+</pre></li><li><p>
+					An SELinux policy rule states that processes running in the <code class="computeroutput">passwd_t</code> domain are allowed to read and write to files labeled with the <code class="computeroutput">shadow_t</code> type. Only files and their back up copies that are required for a password change, such as <code class="filename">/etc/gshadow</code>, <code class="filename">/etc/gshadow-</code> and <code class="filename">/etc/shadow</code>, are labeled with the <code class="computeroutput">shadow_t</code> type.
 				</p></li><li><p>
 					An SELinux policy rule states that the <code class="computeroutput">passwd_t</code> domain has <code class="computeroutput">entrypoint</code> permission to the <code class="computeroutput">passwd_exec_t</code> type.
 				</p></li><li><p>
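Review bot: two typos survive on lines this hunk already rewrites: "A users wants to change their password" in the domain-transition example, and "the the `SELinux User` column" in the `semanage login -l` explanation; since both are `+` lines, fix them here rather than in a follow-up revision. Separately, the new chapter intro drops the sentence defining "objects" and "subjects", but the unchanged text in the next hunk still relies on both terms ("allows subjects running in the passwd_t domain to access objects labeled with the shadow_t file type", "before the subject can transition"); either keep a one-clause definition in the intro or reword those sentences to "processes" and "files", which is the vocabulary the new intro uses. Minor: the prose now says `semanage login -l` while the screen block shows `# /usr/sbin/semanage login -l`; pick one form for command paths across the chapter.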
@@ -41,11 +50,11 @@
 				</p></li></ol></div><p>
 			This example is not exhaustive, and is used as a basic example to explain domain transition. Although there is an actual rule that allows subjects running in the <code class="computeroutput">passwd_t</code> domain to access objects labeled with the <code class="computeroutput">shadow_t</code> file type, other SELinux policy rules must be met before the subject can transition to a new domain. In this example, Type Enforcement ensures:
 		</p><div class="itemizedlist"><ul><li><p>
-					The <code class="computeroutput">passwd_t</code> domain can only be entered by executing an application labeled with the <code class="computeroutput">passwd_exec_t</code> type; can only execute from authorized shared libraries, such as the <code class="computeroutput">lib_t</code> type; and can not execute any other applications.
+					the <code class="computeroutput">passwd_t</code> domain can only be entered by executing an application labeled with the <code class="computeroutput">passwd_exec_t</code> type; can only execute from authorized shared libraries, such as the <code class="computeroutput">lib_t</code> type; and can not execute any other applications.
 				</p></li><li><p>
-					Only authorized domains, such as <code class="computeroutput">passwd_t</code>, can write to files labeled with the <code class="computeroutput">shadow_t</code> type. Even if other processes are running with superuser privileges, those processes can not write to files labeled with the <code class="computeroutput">shadow_t</code> type, as they are not running in the <code class="computeroutput">passwd_t</code> domain.
+					only authorized domains, such as <code class="computeroutput">passwd_t</code>, can write to files labeled with the <code class="computeroutput">shadow_t</code> type. Even if other processes are running with superuser privileges, those processes can not write to files labeled with the <code class="computeroutput">shadow_t</code> type, as they are not running in the <code class="computeroutput">passwd_t</code> domain.
 				</p></li><li><p>
-					Only authorized domains can transition to the <code class="computeroutput">passwd_t</code> domain. For example, the <code class="systemitem">sendmail</code> processes running in the <code class="computeroutput">sendmail_t</code> domain does not have a legitimate reason to run <code class="command">/usr/bin/passwd</code>; therefore, it can never transition to the <code class="computeroutput">passwd_t</code> domain.
+					only authorized domains can transition to the <code class="computeroutput">passwd_t</code> domain. For example, the <code class="systemitem">sendmail</code> process running in the <code class="computeroutput">sendmail_t</code> domain does not have a legitimate reason to execute <code class="command">/usr/bin/passwd</code>; therefore, it can never transition to the <code class="computeroutput">passwd_t</code> domain.
 				</p></li><li><p>
-					Processes running in the <code class="computeroutput">passwd_t</code> domain can only read and write authorized types, such as files labeled with the <code class="computeroutput">etc_t</code> or <code class="computeroutput">shadow_t</code> types. This prevents the <span class="application"><strong>passwd</strong></span> application from being tricked into reading or writing arbitrary files.
-				</p></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html"><strong>Prev</strong>2.4. SELinux on other Operating Systems</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Next</strong>3.2. SELinux Contexts for Processes</a></li></ul></body></html>
\ No newline at end of file
+					processes running in the <code class="computeroutput">passwd_t</code> domain can only read and write to authorized types, such as files labeled with the <code class="computeroutput">etc_t</code> or <code class="computeroutput">shadow_t</code> types. This prevents the <span class="application"><strong>passwd</strong></span> application from being tricked into reading or writing arbitrary files.
+				</p></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html"><strong>Prev</strong>2.4. SELinux on Other Operating Systems</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Next</strong>3.2. SELinux Contexts for Processes</a></li></ul></body></html>
\ No newline at end of file
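Review bot: the initial-case change from "Processes running in the passwd_t domain" to "processes running ..." only reads correctly if the earlier half of this sentence (outside the shown hunk) was edited so that this line is now a continuation rather than the start of a sentence; check that the preceding list-item text ends with a comma or clause break in revision 1.2. The docnav link text change "SELinux on other Operating Systems" to "SELinux on Other Operating Systems" also has to match the title on the target page sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html and its `<link rel="next">` title attribute, otherwise the navigation labels disagree between pages.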


Index: chap-Security-Enhanced_Linux-Targeted_Policy.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/chap-Security-Enhanced_Linux-Targeted_Policy.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Targeted_Policy.html	11 Nov 2008 22:56:29 -0000	1.1
+++ chap-Security-Enhanced_Linux-Targeted_Policy.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 4. Targeted Policy</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html" title="3.3. SELinux Contexts for Users"/><link rel="next" href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html" title="4.2. Unconfined Processes"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 4. Targeted Policy</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Tar
 geted_Policy-Unconfined_Processes.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Targeted_Policy">Chapter 4. Targeted Policy</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Targeted_Policy.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html">4.2. Unconfined Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html">4.3. Confined and Unconfined Users</a></span></dt></dl></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 4. Targeted Policy</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html" title="3.3. SELinux Contexts for Users"/><link rel="next" href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html" title="4.2. Unconfined Processes"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 4. Targeted Policy</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Prev</strong></a
 ></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Targeted_Policy">Chapter 4. Targeted Policy</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Targeted_Policy.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html">4.2. Unconfined Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html">4.3. Confined and Unconfined Users</a></span></dt></dl></div><p>
 		Targeted policy is the default SELinux policy used in Fedora 10. When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged in users run in the <code class="computeroutput">unconfined_t</code> domain, and system processes started by init run in the <code class="computeroutput">initrc_t</code> domain - both of these domains are unconfined.
 	</p><p>
-		Unconfined domains (as well as confined domains) are subject to executable and writeable memory checks. By default, subjects running in an unconfined domain can not allocate writeable memory and execute it. This reduces vulnerability to <a href="http://en.wikipedia.org/wiki/Buffer_overflow">buffer overflow attacks</a>. These memory checks are disable by setting Booleans, which allow the SELinux policy to be modified during runtime. Configuring Booleans is discussed later.
+		Unconfined domains (as well as confined domains) are subject to executable and writeable memory checks. By default, subjects running in an unconfined domain can not allocate writeable memory and execute it. This reduces vulnerability to <a href="http://en.wikipedia.org/wiki/Buffer_overflow">buffer overflow attacks</a>. These memory checks are disable by setting Booleans, which allow the SELinux policy to be modified at runtime. Boolean configuration is discussed later.
 	</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</h2></div></div></div><p>
 			Almost every process that has network access is confined in Fedora 10. Most processes that run as the Linux root user and perform tasks for users, such as the <span class="application"><strong>passwd</strong></span> application, are confined. When a process is confined, it runs in its own domain, such as the <code class="systemitem">httpd</code> process running in the <code class="computeroutput">httpd_t</code> domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited.
 		</p><p>
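Review bot: the `+` line "These memory checks are disable by setting Booleans" still carries the typo "disable" (should be "disabled"), and "can not allocate writeable memory" should read "cannot allocate writable memory"; since this sentence is being rewritten anyway ("at runtime", "Boolean configuration is discussed later"), fix the typos in the same change. Also, the statement that unconfined domains are blocked from allocating writable-and-executable memory "by default" is the security-relevant claim of this paragraph; consider naming the relevant Booleans here, or linking forward to the Booleans section, so the reader can verify the setting on their own system rather than being told only that "Boolean configuration is discussed later".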
@@ -16,18 +16,21 @@
 Current mode:                   enforcing
 Mode from config file:          enforcing
 Policy version:                 23
-Policy from config file:        targeted</pre><p>
+Policy from config file:        targeted
+</pre><p>
 					<code class="computeroutput">SELinux status: enabled</code> is returned when SELinux is enabled. <code class="computeroutput">Current mode: enforcing</code> is returned when SELinux is running in enforcing mode. <code class="computeroutput">Policy from config file: targeted</code> is returned when the SELinux targeted policy is used.
 				</p></li><li><p>
 					As the Linux root user, run the <code class="command">touch /var/www/html/testfile</code> command to create a file.
 				</p></li><li><p>
 					Run the <code class="command">ls -Z /var/www/html/testfile</code> command to view the SELinux context:
-				</p><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile</pre><p>
-					By default, Linux users run unconfined in Fedora 10, which is why the <code class="filename">testfile</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="d0e1196" href="#ftn.d0e1196" class="footnote">6</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
+				</p><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
+</pre><p>
+					By default, Linux users run unconfined in Fedora 10, which is why the <code class="filename">testfile</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="d0e1219" href="#ftn.d0e1219" class="footnote">6</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
 				</p></li><li><p>
 					As the Linux root user, run the <code class="command">/sbin/service httpd start</code> command to start the <code class="systemitem">httpd</code> process. The output is as follows if <code class="systemitem">httpd</code> starts successfully:
 				</p><pre class="screen"># /sbin/service httpd start
-Starting httpd:                                            [  OK  ]</pre></li><li><p>
+Starting httpd:                                            [  OK  ]
+</pre></li><li><p>
 					Change into a directory where your Linux user has write access to, and run the <code class="command">wget http://localhost/testfile</code> command. Unless there are any changes to the default configuration, this command succeeds:
 				</p><pre class="screen">--2008-09-06 23:00:01--  http://localhost/testfile
 Resolving localhost... 127.0.0.1
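Review bot: the command-path style becomes inconsistent in this hunk: `/usr/sbin/semanage` is shortened to `semanage` while `/usr/bin/chcon`, `/sbin/service` and `/usr/bin/chcon -t samba_share_t ...` keep their full paths; pick one convention (full path or bare command) for the whole chapter. The footnote anchor rename `d0e1196` to `d0e1219` is consistent with the footnote definition later in this file (`id="ftn.d0e1219"`), so that is fine. The unchanged line "Change into a directory where your Linux user has write access to" has a redundant trailing "to" (it occurs twice in this file); since the surrounding lines are touched here, it could be corrected in the same commit.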
@@ -38,31 +41,42 @@
 
 [ <=>                              ] 0     --.-K/s   in 0s
 		
-2008-09-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]</pre></li><li><p>
-					The <code class="command">/usr/bin/chcon</code> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <code class="command">/usr/sbin/semanage</code> command, which is discussed later. As the Linux root user, run the <code class="command">/usr/bin/chcon -t samba_share_t /var/www/html/testfile</code> command to change the type, to a type used by Samba. Run the <code class="command">ls -Z /var/www/html/testfile</code> command to view the changes:
-				</p><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile</pre></li><li><p>
+2008-09-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]
+</pre></li><li><p>
+					The <code class="command">/usr/bin/chcon</code> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <code class="command">semanage</code> command, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba:
+				</p><p>
+					<code class="command">/usr/bin/chcon -t samba_share_t /var/www/html/testfile</code>
+				</p><p>
+					Run the <code class="command">ls -Z /var/www/html/testfile</code> command to view the changes:
+				</p><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
+</pre></li><li><p>
 					Note: the current DAC permissions allow the <code class="systemitem">httpd</code> process access to <code class="filename">testfile</code>. Change into a directory where your Linux user has write access to, and run the <code class="command">wget http://localhost/testfile</code> command. Unless there are any changes to the default configuration, this command fails:
 				</p><pre class="screen">--2008-09-06 23:00:54--  http://localhost/testfile
 Resolving localhost... 127.0.0.1
 Connecting to localhost|127.0.0.1|:80... connected.
 HTTP request sent, awaiting response... 403 Forbidden
-2008-09-06 23:00:54 ERROR 403: Forbidden.</pre></li><li><p>
+2008-09-06 23:00:54 ERROR 403: Forbidden.
+</pre></li><li><p>
 					As the Linux root user, run the <code class="command">rm -i /var/www/html/testfile</code> command to remove <code class="filename">testfile</code>.
 				</p></li><li><p>
 					If you do not require <code class="systemitem">httpd</code> to be running, as the Linux root user, run the <code class="command">/sbin/service httpd stop</code> command to stop <code class="systemitem">httpd</code>:
 				</p><pre class="screen"># /sbin/service httpd stop
-Stopping httpd:                                            [  OK  ]</pre></li></ol></div><p>
-			This example demonstrates the additional security added by SELinux. Although DAC rules allowed the <code class="systemitem">httpd</code> process access to <code class="filename">testfile</code> in step 7, because the file was labeled with a type that <code class="systemitem">httpd</code> process does not have access to, SELinux denied access. After step 7, an error similar to the following is logged to <code class="filename">/var/log/messages</code>:
+Stopping httpd:                                            [  OK  ]
+</pre></li></ol></div><p>
+			This example demonstrates the additional security added by SELinux. Although DAC rules allowed the <code class="systemitem">httpd</code> process access to <code class="filename">testfile</code> in step 7, because the file was labeled with a type that the <code class="systemitem">httpd</code> process does not have access to, SELinux denied access. After step 7, an error similar to the following is logged to <code class="filename">/var/log/messages</code>:
 		</p><pre class="screen">Sep  6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
 to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
-run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654</pre><p>
+run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654
+</pre><p>
 			Previous log files may use a <code class="filename">/var/log/messages.<em class="replaceable"><code>YYYYMMDD</code></em></code> format. When running <span class="application"><strong>syslog-ng</strong></span>, previous log files may use a <code class="filename">/var/log/messages.<em class="replaceable"><code>X</code></em></code> format. If the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> processes are running, errors similar to the following are logged to <code class="filename">/var/log/audit/audit.log</code>:
 		</p><pre class="screen">type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0  tclass=file
 
-type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)</pre><p>
+type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
+</pre><p>
 			Also, an error similar to the following is logged to <code class="filename">/etc/httpd/logs/error_log</code>:
-		</p><pre class="screen">[Sat Sep 06 23:00:54 2008] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied</pre><div class="note"><h2>Note</h2><p>
+		</p><pre class="screen">[Sat Sep 06 23:00:54 2008] [error] [client <em class="replaceable"><code>127.0.0.1</code></em>] (13)Permission denied: access to /testfile denied
+</pre><div class="note"><h2>Note</h2><p>
 				In Fedora 10, the <span class="package">setroubleshoot-server</span> and <span class="package">audit</span> packages are installed by default. These packages include the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons respectively. These daemons run by default. Stopping either of these daemons changes where SELinux denials are written to. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html" title="5.2. Which Log File is Used">Section 5.2, “Which Log File is Used”</a> for further information.
-			</p></div></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e1196" href="#d0e1196" class="para">6</a>] </sup>
-						When using other policies, such as MLS, other roles may also be used, for example, <code class="computeroutput">secadm_r</code>.
+			</p></div></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e1219" href="#d0e1219" class="para">6</a>] </sup>
+						When using other policies, such as MLS, other roles may be used, for example, <code class="computeroutput">secadm_r</code>.
 					</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Prev</strong>3.3. SELinux Contexts for Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"><strong>Next</strong>4.2. Unconfined Processes</a></li></ul></body></html>
\ No newline at end of file
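Review bot: wrapping `127.0.0.1` in `<em class="replaceable">` in the error_log excerpt is inconsistent with the rest of the walkthrough: the address is the literal client that the `wget http://localhost/testfile` step produces, and it appears unmarked in the wget output ("Connecting to localhost|127.0.0.1|:80") and in the audit.log excerpt a few lines above; either mark it as replaceable everywhere or leave it literal here. Splitting the chcon step into "run the following command" plus a separate `<p><code class="command">...</code></p>` keeps the step count unchanged, so the "step 7" references in the closing paragraph remain correct. One further point worth a comment: the `/var/log/messages` sample line "For complete SELinux messages. run sealert -l ..." has a period where setroubleshoot prints a comma-less line break; if that text was hand-wrapped for the book it should be wrapped without introducing punctuation, otherwise readers may think the period is part of the message.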


Index: chap-Security-Enhanced_Linux-Trademark_Information.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/chap-Security-Enhanced_Linux-Trademark_Information.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Trademark_Information.html	11 Nov 2008 22:56:29 -0000	1.1
+++ chap-Security-Enhanced_Linux-Trademark_Information.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 1. Trademark Information</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="pr01s02.html" title="2. We Need Feedback!"/><link rel="next" href="chap-Security-Enhanced_Linux-Introduction.html" title="Chapter 2. Introduction"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 1. Trademark Information</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="pr01s02.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-
 Enhanced_Linux-Trademark_Information">Chapter 1. Trademark Information</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 1. Trademark Information</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="pr01s02.html" title="2. We Need Feedback!"/><link rel="next" href="chap-Security-Enhanced_Linux-Introduction.html" title="Chapter 2. Introduction"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 1. Trademark Information</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="pr01s02.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Next</strong></a></li></ul><div class="chapter" lang
 ="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Trademark_Information">Chapter 1. Trademark Information</h2></div></div></div><p>
 		<span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the U.S. and other countries.
 	</p><p>
 		UNIX is a registered trademark of The Open Group.


Index: chap-Security-Enhanced_Linux-Troubleshooting.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/chap-Security-Enhanced_Linux-Troubleshooting.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Troubleshooting.html	11 Nov 2008 22:56:29 -0000	1.1
+++ chap-Security-Enhanced_Linux-Troubleshooting.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,20 +1,22 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 7. Troubleshooting</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html" title="6.5. xguest: Kiosk Mode"/><link rel="next" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html" title="7.2. Top Three Causes of Problems"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 7. Troubleshooting</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Troubleshooting
 -Top_Three_Causes_of_Problems.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Troubleshooting">Chapter 7. Troubleshooting</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Troubleshooting.html#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html">7.2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Pro
 blems-How_are_Confined_Services_Running.html">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html">7.3.2. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">7.3.3. Raw Audit Messages</a></span></dt><dt>
 <span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html">7.3.4. sealert Messages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages.html">7.3.5. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-audit2allow.html">7.3.6. audit2allow</a></span></dt></dl></dd></dl></div><p>
-		The following sections...
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 7. Troubleshooting</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html" title="6.5. xguest: Kiosk Mode"/><link rel="next" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html" title="7.2. Top Three Causes of Problems"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 7. Troubleshooting</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Prev</strong></a></li><li cl
 ass="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Troubleshooting">Chapter 7. Troubleshooting</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Troubleshooting.html#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html">7.2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span
  class="section"><a href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html">7.3.2. Possible Causes of Silent Denials</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_P
 roblems-Manual_Pages_for_Services.html">7.3.3. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html">7.3.4. Permissive Domains</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html">7.3.5. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">7.3.6. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html">7.3.7. sealert Messages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html">7.3.8. Allowing Access: audit2allow</a></span></dt></dl></dd></dl></div><p>
+		The following chapter describes what happens when SELinux denies access; the top three causes of problems; where to find information about correct labeling; analyzing SELinux denials; and creating custom policy modules with <code class="command">audit2allow</code>.
 	</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</h2></div></div></div><p>
 			SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also know as "AVC denials", and are logged to a different location, depending on which daemons are running:
 		</p><div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Daemon</th><th>Log Location</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code></td></tr><tr class="seglistitem"><td class="seg">auditd off; rsyslogd on</td><td class="seg"><code class="filename">/var/log/messages</code></td></tr><tr class="seglistitem"><td class="seg">setroubleshootd, rsyslogd, and auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial messages also sent to <code class="filename">/var/log/messages</code></td></tr></tbody></table></div><p>
 			If you are running the X Window System, have the <span class="package">setroubleshoot</span> and <span class="package">setroubleshoot-server</span> packages installed, and the <code class="systemitem">setroubleshootd</code> daemon running, a yellow star and a warning are displayed when access is denied by SELinux:
 		</p><div class="mediaobject"><img src="./images/setroubleshoot_denial.png"/></div><p>
-			Clicking on the star presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browing your website may receive an error similar to the following:
-		</p><pre class="screen">Forbidden
+			Clicking on the star presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browsing your website may receive an error similar to the following:
+		</p><pre class="screen">
+Forbidden
 
-You don't have permission to access <em class="replaceable"><code>file name</code></em> on this server</pre><p>
-			For these situations, if DAC rules (standard Linux permissions) allow access, check <code class="filename">/var/log/messages</code> and <code class="filename">/var/log/audit/audit.log</code> for <code class="computeroutput">SELinux is preventing</code> and <code class="computeroutput">avc: denied</code> errors respectively. This can be done by running the following commands as the Linux root user:
+You don't have permission to access <em class="replaceable"><code>file name</code></em> on this server
+</pre><p>
+			For these situations, if DAC rules (standard Linux permissions) allow access, check <code class="filename">/var/log/messages</code> and <code class="filename">/var/log/audit/audit.log</code> for <code class="computeroutput">SELinux is preventing</code> and <code class="computeroutput">denied</code> errors respectively. This can be done by running the following commands as the Linux root user:
 		</p><p>
 			<code class="command">grep "SELinux is preventing" /var/log/messages</code>
 		</p><p>
-			<code class="command">grep "avc: denied" /var/log/audit/audit.log</code>
+			<code class="command">grep "denied" /var/log/audit/audit.log</code>
 		</p></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Prev</strong>6.5. xguest: Kiosk Mode</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Next</strong>7.2. Top Three Causes of Problems</a></li></ul></body></html>
\ No newline at end of file
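Review bot: the loosened search on the last changed line, `grep "denied" /var/log/audit/audit.log`, will also match audit records that are not AVC denials, so the sentence above it ("for `SELinux is preventing` and `denied` errors respectively") now promises more precision than the command delivers. If the single-space `avc: denied` pattern was dropped because it failed to match the spacing in real audit.log lines, `grep "avc:.*denied" /var/log/audit/audit.log` keeps the `avc:` anchor while tolerating any whitespace between the two tokens. While touching this paragraph, also fix the unchanged context line two paragraphs up, which still reads "also know as "AVC denials"" rather than "also known as"; this hunk already corrects "browing", so the second typo belongs in the same commit.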


Index: chap-Security-Enhanced_Linux-Working_with_SELinux.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- chap-Security-Enhanced_Linux-Working_with_SELinux.html	11 Nov 2008 22:56:29 -0000	1.1
+++ chap-Security-Enhanced_Linux-Working_with_SELinux.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 5. Working with SELinux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html" title="4.3. Confined and Unconfined Users"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html" title="5.2. Which Log File is Used"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 5. Working with SELinux</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-S
 ecurity-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Working_with_SELinux">Chapter 5. Working with SELinux</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Working_with_SELinux.html#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html">5.4. Enabling and Disabling SEL
 inux</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Booleans-Configuring
 _Booleans.html">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html">5.6.3. Examples: Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and
 _default_t_Types.html">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html">5.9.3. Mounting an NFS File System</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="sect-
 Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html">5.10.3. Checking the Default SELinux Context</a></span></dt><dt><span class="section"><a h
 ref="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 5. Working with SELinux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html" title="4.3. Confined and Unconfined Users"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html" title="5.2. Which Log File is Used"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Chapter 5. Working with SELinux</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
 "><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Next</strong></a></li></ul><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security-Enhanced_Linux-Working_with_SELinux">Chapter 5. Working with SELinux</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Working_with_SELinux.html#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_wit
 h_SELinux-Enabling_and_Disabling_SELinux.html">5.4. Enabling and Disabling SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><s
 pan class="section"><a href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html">5.6.3. Examples: Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="sect
 ion"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html">5.9.3. Mounting an NFS File System</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html">5.9.
 4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html">5.10.3. Chec
 king the Default SELinux Context</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></div><p>
 		The following sections give a brief overview of the main SELinux packages in Fedora 10; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the <code class="command">mount</code> command; mounting NFS file systems; and how to preserve SELinux contexts when copying and archiving files and directories.
 	</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</h2></div></div></div><p>
-			In Fedora 10, the SELinux packages are installed by default unless they are manually excluded during installation. By default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the main SELinux packages:
+			In Fedora 10, the SELinux packages are installed by default, unless they are manually excluded during installation. By default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the main SELinux packages:
 		</p><p>
 			<span class="package">policycoreutils</span>: provides utilities, such as <code class="command">semanage</code>, <code class="command">restorecon</code>, <code class="command">audit2allow</code>, <code class="command">semodule</code>, <code class="command">load_policy</code>, and <code class="command">setsebool</code>, for operating and managing SELinux.
 		</p><p>
@@ -16,9 +16,7 @@
 		</p><p>
 			<span class="package">setroubleshoot-server</span>: translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with <code class="command">sealert</code> (which is provided by this package).
 		</p><p>
-			<span class="package">setroubleshoot</span>: a graphical user interface for viewing denials that are translated by <span class="package">setroubleshoot-server</span>.
-		</p><p>
-			<span class="package">setools</span>, <span class="package">setools-gui</span>, and <span class="package">setools-console</span>: these packages provide the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools distribution</a>, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management<sup>[<a id="d0e2006" href="#ftn.d0e2006" class="footnote">8</a>]</sup>. The <span class="package">setools</span> package is a meta-package for SETools. The <span class="package">setools-gui</span> package provides the <code class="command">apol</code>, <code class="command">seaudit</code>, and <code class="command">sediffx</code> tools. The <span class="package">setools-console</span> package provides the <code class="command">seaudit-report</code>, <code class="command">sechecker</code>, <code class="command">sediff</code>, <code class="command">seinfo</code>, <code class="command">sesearch</code>
 , <code class="command">findcon</code>, <code class="command">replcon</code>, and <code class="command">indexcon</code> command line tools. Refer to the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools</a> page for information about these tools.
+			<span class="package">setools</span>, <span class="package">setools-gui</span>, and <span class="package">setools-console</span>: these packages provide the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools distribution</a>, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management<sup>[<a id="d0e2035" href="#ftn.d0e2035" class="footnote">8</a>]</sup>. The <span class="package">setools</span> package is a meta-package for SETools. The <span class="package">setools-gui</span> package provides the <code class="command">apol</code>, <code class="command">seaudit</code>, and <code class="command">sediffx</code> tools. The <span class="package">setools-console</span> package provides the <code class="command">seaudit-report</code>, <code class="command">sechecker</code>, <code class="command">sediff</code>, <code class="command">seinfo</code>, <code class="command">sesearch</code>
 , <code class="command">findcon</code>, <code class="command">replcon</code>, and <code class="command">indexcon</code> command line tools. Refer to the <a href="http://oss.tresys.com/projects/setools">Tresys Technology SETools</a> page for information about these tools.
 		</p><p>
 			<span class="package">libselinux-utils</span>: provides the <code class="command">avcstat</code>, <code class="command">getenforce</code>, <code class="command">getsebool</code>, <code class="command">matchpathcon</code>, <code class="command">selinuxconlist</code>, <code class="command">selinuxdefcon</code>, <code class="command">selinuxenabled</code>, <code class="command">setenforce</code>, <code class="command">togglesebool</code> tools.
 		</p><p>
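Review bot: removing the `setroubleshoot` paragraph leaves section 5.1 inconsistent with the Troubleshooting text changed earlier in this same diff, which still tells the reader to have "the setroubleshoot and setroubleshoot-server packages installed" and to click the yellow star that the graphical front end displays. Either keep a one-sentence description of `setroubleshoot` here, or change the troubleshooting text to name only `setroubleshoot-server` and the `sealert` tool it provides, so that a reader following that cross-reference finds the package listed. The footnote anchor rename (`d0e2006` to `d0e2035`) is matched by the footnote definition in the next hunk, so the in-page link stays intact.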
@@ -26,11 +24,11 @@
 		</p><p>
 			To install packages in Fedora 10, as the Linux root user, run the <code class="command">yum install <em class="replaceable"><code>package-name</code></em></code> command. For example, to install the <span class="package">mcstrans</span> package, run the <code class="command">yum install mcstrans</code> command. To upgrade all installed packages in Fedora 10, run the <code class="command">yum update</code> command.
 		</p><p>
-			Refer to <a href="http://docs.fedoraproject.org/yum/en/">Managing Software with yum</a><sup>[<a id="d0e2118" href="#ftn.d0e2118" class="footnote">9</a>]</sup> for further information about using <code class="command">yum</code> to manage packages.
+			Refer to <a href="http://docs.fedoraproject.org/yum/en/">Managing Software with yum</a><sup>[<a id="d0e2147" href="#ftn.d0e2147" class="footnote">9</a>]</sup> for further information about using <code class="command">yum</code> to manage packages.
 		</p><div class="note"><h2>Note</h2><p>
 				In previous versions of Fedora, the <span class="package">selinux-policy-devel</span> package is required when making a local policy module with <code class="command">audit2allow -M</code>.
-			</p></div></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e2006" href="#d0e2006" class="para">8</a>] </sup>
+			</p></div></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e2035" href="#d0e2035" class="para">8</a>] </sup>
 				Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray McAllister. 1 November 2008. Any edits or changes in this version were done by Murray McAllister.
-			</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2118" href="#d0e2118" class="para">9</a>] </sup>
+			</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2147" href="#d0e2147" class="para">9</a>] </sup>
 				Managing Software with yum, written by Stuart Ellis, edited by Paul W. Frields, Rodrigo Menezes, and Hugo Cisneiros.
 			</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"><strong>Prev</strong>4.3. Confined and Unconfined Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Next</strong>5.2. Which Log File is Used</a></li></ul></body></html>
\ No newline at end of file
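Review bot: the Note in the unchanged context of this hunk mixes tenses: "In previous versions of Fedora, the selinux-policy-devel package is required" should read "was required", since the sentence describes earlier releases. Since the footnote identifiers in this block are being rewritten anyway, fold that one-word fix into this change. The `ftn.d0e2035`/`d0e2035` and `ftn.d0e2147`/`d0e2147` pairs agree with the references changed in the preceding hunks, so the footnote links remain consistent.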


Index: index.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/index.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.html	11 Nov 2008 22:56:29 -0000	1.1
+++ index.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Security-Enhanced Linux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="description" content="This book is about managing and using Security-Enhanced Linux."/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="next" href="pref-Security-Enhanced_Linux-Preface.html" title="Preface"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Security-Enhanced Linux</strong></a></p><ul class="docnav"><li class="previous"/><li class="next"><a accesskey="n" href="pref-Security-Enhanced_Linux-Preface.html"><strong>Next</strong></a></li></ul><div class="book" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">10</span></div><div><h1 id="d0e1" class="title">Security-Enhanced Linux</h1></div><div><h2 class="sub
 title">User Guide</h2></div><p class="edition">Edition 1.0</p><div><h3 class="corpauthor">
-		<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"/></span>
-	</h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a class="email" href="mailto:mmcallis at redhat.com">mmcallis at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Dominick</span> <span class="surname">Grift</span></h3><span class="contrib">Technical editor for the Introduction, SELinux Contexts and Attributes, Targeted Policy, and Working with SELinux sections.</span> <code class="email"><a class="email" href="mailto:domg472 at gmail.com">domg472 at gmail.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">James</span> <span class="surname">Morris</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering<
 /span></div><code class="email"><a class="email" href="mailto:jmorris at redhat.com">jmorris at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Daniel</span> <span class="surname">Walsh</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a class="email" href="mailto:dwalsh at redhat.com">dwalsh at redhat.com</a></code></div></div></div><div><p class="copyright">Copyright © 2008 Red Hat, Inc.</p></div><hr/><div><div id="d0e35" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Security-Enhanced Linux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><meta name="description" content="This book is about managing and using Security-Enhanced Linux."/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="next" href="pref-Security-Enhanced_Linux-Preface.html" title="Preface"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Security-Enhanced Linux</strong></a></p><ul class="docnav"><li class="previous"/><li class="next"><a accesskey="n" href="pref-Security-Enhanced_Linux-Preface.html"><strong>Next</strong></a></li></ul><div class="book" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">10</span></div><div><h1
  id="d0e1" class="title">Security-Enhanced Linux</h1></div><div><h2 class="subtitle">User Guide</h2></div><p class="edition">Edition 1.0</p><div><h3 class="corpauthor">
+				<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"/></span>
+			</h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Murray</span> <span class="surname">McAllister</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Engineering Content Services</span></div><code class="email"><a class="email" href="mailto:mmcallis at redhat.com">mmcallis at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Daniel</span> <span class="surname">Walsh</span></h3><div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a class="email" href="mailto:dwalsh at redhat.com">dwalsh at redhat.com</a></code></div><div class="othercredit"><h3 class="othercredit"><span class="firstname">Dominick</span> <span class="surname">Grift</span></h3><span class="contrib">Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confining Us
 ers, and Troubleshooting chapters.</span> <div class="affiliation"><span class="orgname"/> <span class="orgdiv"/></div><code class="email"><a class="email" href="mailto:domg472 at gmail.com">domg472 at gmail.com</a></code></div><div class="othercredit"><h3 class="othercredit"><span class="firstname">Eric</span> <span class="surname">Paris</span></h3><span class="contrib">Technical editor for the Mounting File Systems and Raw Audit Messages sections.</span> <div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv">Security Engineering</span></div><code class="email"><a class="email" href="mailto:eparis at parisplace.org">eparis at parisplace.org</a></code></div><div class="othercredit"><h3 class="othercredit"><span class="firstname">James</span> <span class="surname">Morris</span></h3><span class="contrib">Technical editor for the Introduction and Targeted Policy chapters.</span> <div class="affiliation"><span class="orgname">Red Hat</span> <span class="orgdiv
 ">Security Engineering</span></div><code class="email"><a class="email" href="mailto:jmorris at redhat.com">jmorris at redhat.com</a></code></div></div></div><div><p class="copyright">Copyright © 2008 Red Hat, Inc.</p></div><hr/><div><div id="d0e35" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><p>
 		Copyright <span class="trademark"/>© 2008 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at <a href="http://www.opencontent.org/openpub/">http://www.opencontent.org/openpub/</a>).
 	</p><p>
 		Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.
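Review bot: the new `othercredit` entry for Dominick Grift carries an empty affiliation block, `<div class="affiliation"><span class="orgname"/> <span class="orgdiv"/></div>`, which renders as a blank gap under the name while the Eric Paris and James Morris entries beside it populate both spans. Either fill in the organisation for this contributor or omit the affiliation element from the source so publican does not emit the empty spans.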
@@ -13,4 +13,4 @@
 		All other trademarks and copyrights referred to are the property of their respective owners.
 	</p><p>
 		Documentation, as with software itself, may be subject to export control. Read about Fedora Project export controls at <a href="http://fedoraproject.org/wiki/Legal/Export">http://fedoraproject.org/wiki/Legal/Export</a>. 
-	</p></div></div><div><div class="abstract"><h6>Abstract</h6><p>This book is about managing and using Security-Enhanced <span class="trademark">Linux</span>®.</p></div></div></div><hr/></div><div class="toc"><dl><dt><span class="preface"><a href="pref-Security-Enhanced_Linux-Preface.html">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="pref-Security-Enhanced_Linux-Preface.html#d0e104">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="pref-Security-Enhanced_Linux-Preface.html#d0e114">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="pref-Security-Enhanced_Linux-Preface.html#d0e352">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="pref-Security-Enhanced_Linux-Preface.html#d0e371">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="pr01s02.html">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-
 Enhanced_Linux-Trademark_Information.html">1. Trademark Information</a></span></dt><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Introduction.html">2. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-Examples.html">2.2. Examples</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture_and_Performance.html">2.3. SELinux Architecture and Performance</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html">2.4. SELinux on other Operating Systems</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-SELinux_Contexts.html">3. SELinux Cont
 exts</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-SELinux_Contexts.html#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html">3.3. SELinux Contexts for Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Targeted_Policy.html">4. Targeted Policy</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Targeted_Policy.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html">4.2. U
 nconfined Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html">4.3. Confined and Unconfined Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Working_with_SELinux.html">5. Working with SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Working_with_SELinux.html#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html">5.4. En
 abling and Disabling SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Li
 nux-Booleans-Configuring_Booleans.html">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html">5.6.3. Examples: Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_wit
 h_SELinux-The_file_t_and_default_t_Types.html">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html">5.9.3. Mounting an NFS File System</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class=
 "section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html">5.10.3. Checking the Default SELinux Context</a></span></dt><dt><s
 pan class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Confining_Users.html">6. Confining Users</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Confining_Users.html#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_se
 manage_login.html">6.3. Confining Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html">6.4. Changing the Default Mapping</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html">6.5. xguest: Kiosk Mode</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Troubleshooting.html">7. Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Troubleshooting.html#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html">7.2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-T
 roubleshooting-Top_Three_Causes_of_Problems.html#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Pr
 oblems-Searching_For_and_Viewing_Denials.html">7.3.2. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">7.3.3. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html">7.3.4. sealert Messages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages.html">7.3.5. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-audit2allow.html">7.3.6. audit2allow</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="appe-Security-Enhanced_Linux-Revision_History.html">A. Revision History</a></span></dt></dl></div></div><ul class="docnav"><li class="previous"/><li class="next"><a accesskey="n" href="pref-Security-Enhanced_Linux-Preface.html"><strong>Next</strong>Preface</a></l
 i></ul></body></html>
\ No newline at end of file
+	</p></div></div><div><div class="abstract"><h6>Abstract</h6><p>This book is about managing and using Security-Enhanced <span class="trademark">Linux</span>®.</p></div></div></div><hr/></div><div class="toc"><dl><dt><span class="preface"><a href="pref-Security-Enhanced_Linux-Preface.html">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="pref-Security-Enhanced_Linux-Preface.html#d0e146">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="pref-Security-Enhanced_Linux-Preface.html#d0e156">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="pref-Security-Enhanced_Linux-Preface.html#d0e372">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="pref-Security-Enhanced_Linux-Preface.html#d0e391">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="pr01s02.html">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-
 Enhanced_Linux-Trademark_Information.html">1. Trademark Information</a></span></dt><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Introduction.html">2. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux">2.1. Benefits of running SELinux</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-Examples.html">2.2. Examples</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html">2.3. SELinux Architecture</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html">2.4. SELinux on Other Operating Systems</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-SELinux_Contexts.html">3. SELinux Contexts</a></span></dt><dd><dl><dt>
 <span class="section"><a href="chap-Security-Enhanced_Linux-SELinux_Contexts.html#sect-Security-Enhanced_Linux-SELinux_Contexts-Domain_Transitions">3.1. Domain Transitions</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html">3.2. SELinux Contexts for Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html">3.3. SELinux Contexts for Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Targeted_Policy.html">4. Targeted Policy</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Targeted_Policy.html#sect-Security-Enhanced_Linux-Targeted_Policy-Confined_Processes">4.1. Confined Processes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html">4.2. Unconfined Processes</a></span></
 dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html">4.3. Confined and Unconfined Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Working_with_SELinux.html">5. Working with SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Working_with_SELinux.html#sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Packages">5.1. SELinux Packages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html">5.2. Which Log File is Used</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html">5.3. Main Configuration File</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html">5.4. Enabling and Disabling SELinux</a>
 </span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html">5.4.2. Disabling SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html">5.5. SELinux Modes</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html">5.6. Booleans</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html#sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Booleans-Configuring_Boolean
 s.html">5.6.2. Configuring Booleans</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html">5.6.3. Examples: Booleans for NFS and CIFS</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html">5.7. SELinux Contexts - Labeling Files</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html#sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html">5.7.2. Persistent Changes: semanage fcontext</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default
 _t_Types.html">5.8. The file_t and default_t Types</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html">5.9. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html#sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html">5.9.2. Changing the Default Context</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html">5.9.3. Mounting an NFS File System</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html">5.9.4. Multiple NFS Mounts</a></span></dt><dt><span class="section"><a href="sect-Security
 -Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html">5.9.5. Making Context Mounts Persistent</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html">5.10. Maintaining SELinux Labels </a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html#sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html">5.10.2. Moving Files and Directories</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html">5.10.3. Checking the Default SELinux Context</a></span></dt><dt><span class="section"><a href="sec
 t-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html">5.10.4. Archiving Files with tar</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html">5.10.5. Archiving Files with star</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Confining_Users.html">6. Confining Users</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Confining_Users.html#sect-Security-Enhanced_Linux-Confining_Users-Linux_and_SELinux_User_Mappings">6.1. Linux and SELinux User Mappings</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html">6.2. Confining New Linux Users: useradd</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html">6.3. Confinin
 g Existing Linux Users: semanage login</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html">6.4. Changing the Default Mapping</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html">6.5. xguest: Kiosk Mode</a></span></dt></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Troubleshooting.html">7. Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Security-Enhanced_Linux-Troubleshooting.html#sect-Security-Enhanced_Linux-Troubleshooting-What_Happens_when_Access_is_Denied">7.1. What Happens when Access is Denied</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html">7.2. Top Three Causes of Problems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_
 of_Problems.html#sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html">7.2.2. How are Confined Services Running?</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html">7.2.3. Evolving Rules and Broken Applications</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html">7.3. Fixing Problems</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent
 _Denials.html">7.3.2. Possible Causes of Silent Denials</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages_for_Services.html">7.3.3. Manual Pages for Services</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html">7.3.4. Permissive Domains</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html">7.3.5. Searching For and Viewing Denials</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">7.3.6. Raw Audit Messages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html">7.3.7. sealert Messages</a></span></dt><dt><span class="section"><a href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html">7.3.8. Allowing Access: audit2allo
 w</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="chap-Security-Enhanced_Linux-Further_Information.html">8. Further Information</a></span></dt><dt><span class="appendix"><a href="appe-Security-Enhanced_Linux-Revision_History.html">A. Revision History</a></span></dt></dl></div></div><ul class="docnav"><li class="previous"/><li class="next"><a accesskey="n" href="pref-Security-Enhanced_Linux-Preface.html"><strong>Next</strong>Preface</a></li></ul></body></html>
\ No newline at end of file
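Review bot: the preface entries in the regenerated table of contents still link to generated anchors (`#d0e146`, `#d0e156`, `#d0e372`, `#d0e391`), which have all shifted from revision 1.1's `d0e104`, `d0e114`, `d0e352` and `d0e371` only because paragraphs were added to the Preface; any external bookmark into those sections breaks on every rebuild. Give the Document Conventions subsections explicit ids in the source, as the chapter and section files already do (`sect-Security-Enhanced_Linux-...`), so the links stay stable. The rest of the hunk is consistent: the new entries 7.3.2 Possible Causes of Silent Denials, 7.3.4 Permissive Domains and chapter 8 Further Information, the rename of 2.3 to SELinux Architecture and the renumbering of audit2allow to 7.3.8 Allowing Access: audit2allow all carry matching target file names. Both revisions are still written without a trailing newline.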


Index: pr01s02.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/pr01s02.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- pr01s02.html	11 Nov 2008 22:56:29 -0000	1.1
+++ pr01s02.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>2. We Need Feedback!</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="pref-Security-Enhanced_Linux-Preface.html" title="Preface"/><link rel="prev" href="pref-Security-Enhanced_Linux-Preface.html" title="Preface"/><link rel="next" href="chap-Security-Enhanced_Linux-Trademark_Information.html" title="Chapter 1. Trademark Information"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>2. We Need Feedback!</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="pref-Security-Enhanced_Linux-Preface.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div clas
 s="titlepage"><div><div><h2 class="title" id="d0e391">2. We Need Feedback!</h2></div></div></div><a id="d0e394" class="indexterm"/><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>2. We Need Feedback!</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="pref-Security-Enhanced_Linux-Preface.html" title="Preface"/><link rel="prev" href="pref-Security-Enhanced_Linux-Preface.html" title="Preface"/><link rel="next" href="chap-Security-Enhanced_Linux-Trademark_Information.html" title="Chapter 1. Trademark Information"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>2. We Need Feedback!</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="pref-Security-Enhanced_Linux-Preface.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Trademark_Information.html">
 <strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="d0e411">2. We Need Feedback!</h2></div></div></div><a id="d0e414" class="indexterm"/><p>
 		If you find a typographical error in this manual, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla: <a href="http://bugzilla.redhat.com/bugzilla/">http://bugzilla.redhat.com/bugzilla/</a>
-		against the product <span class="application"><strong>Documentation.</strong></span>
+		against the product <span class="application"><strong>Fedora Documentation.</strong></span>
 	</p><p>
-		When submitting a bug report, be sure to mention the manual's identifier: <em class="citetitle">SELinux_User_Guide</em>
+		When submitting a bug report, be sure to mention the manual's identifier: <em class="citetitle">selinux-user-guide</em>
 	</p><p>
 		If you have a suggestion for improving the documentation, try to be as specific as possible when describing it. If you have found an error, please include the section number and some of the surrounding text so we can find it easily.
 	</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="pref-Security-Enhanced_Linux-Preface.html"><strong>Prev</strong>Preface</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Trademark_Information.html"><strong>Next</strong>Chapter 1. Trademark Information</a></li></ul></body></html>
\ No newline at end of file
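Review bot: the Bugzilla link in the unchanged context line is plain `http://bugzilla.redhat.com/bugzilla/`, while the Preface updated in this same commit links `https://bugzilla.redhat.com/`; use the https URL here too so readers filing reports are not sent over an unencrypted connection. Also confirm that the new identifier `selinux-user-guide` and the product name `Fedora Documentation.` match the Bugzilla component the Preface says was created for this guide, since `SELinux_User_Guide` and `Documentation.` are replaced without a note saying which one Bugzilla actually expects. Minor: the trailing period sits inside `<strong>` on both the old and new product name and renders bold.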


Index: pref-Security-Enhanced_Linux-Preface.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/pref-Security-Enhanced_Linux-Preface.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- pref-Security-Enhanced_Linux-Preface.html	11 Nov 2008 22:56:29 -0000	1.1
+++ pref-Security-Enhanced_Linux-Preface.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,13 +1,23 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Preface</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="index.html" title="Security-Enhanced Linux"/><link rel="next" href="pr01s02.html" title="2. We Need Feedback!"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Preface</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="index.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="pr01s02.html"><strong>Next</strong></a></li></ul><div class="preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security-Enhanced_Linux-Preface" class="title">Preface</h1></div></div></div><p>
-		fill me in later
-	</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="d0e104">1. Document Conventions</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Preface</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="index.html" title="Security-Enhanced Linux"/><link rel="prev" href="index.html" title="Security-Enhanced Linux"/><link rel="next" href="pr01s02.html" title="2. We Need Feedback!"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>Preface</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="index.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="pr01s02.html"><strong>Next</strong></a></li></ul><div class="preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security-Enhanced_Linux-Preface" class="title">Preface</h1></div></div></
 div><p>
+		The Fedora 10 SELinux User Guide is for people with minimal or no experience with SELinux. Although system administration experience is not necessary, content in this guide is written for system administration tasks. This guide provides an introduction to fundamental concepts and practical applications of SELinux. After reading this guide you should have an intermediate understanding of SELinux.
+	</p><p>
+		Thank you to everyone who offered encouragement, help, and testing - it is most appreciated. Very special thanks to:
+	</p><div class="itemizedlist"><ul><li><p>
+				Dominick Grift, Stephen Smalley, and Russell Coker for their contributions, help, and patience.
+			</p></li><li><p>
+				Karsten Wade for his help, adding a component for this guide to <a href="https://bugzilla.redhat.com/"> Red Hat Bugzilla</a>, and sorting out web hosting on <a href="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</a>.
+			</p></li><li><p>
+				The <a href="http://fedoraproject.org/wiki/Infrastructure">Fedora Infrastructure Team</a> for providing hosting.
+			</p></li><li><p>
+				Jens-Ulrik Petersen for making sure the Red Hat Brisbane office has up-to-date Fedora mirrors.
+			</p></li></ul></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="d0e146">1. Document Conventions</h2></div></div></div><p>
 		This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.
 	</p><p>
 		In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.
-	</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e114">1.1. Typographic Conventions</h3></div></div></div><p>
+	</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e156">1.1. Typographic Conventions</h3></div></div></div><p>
 			Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
 		</p><p>
 			<code class="literal">Mono-spaced Bold</code>
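Review bot: the anchor text in the Karsten Wade item, `<a href="https://bugzilla.redhat.com/"> Red Hat Bugzilla</a>`, carries a leading space inside the link, so the underlined text starts one space early; drop the space. Replacing the `fill me in later` placeholder with the real introduction is otherwise fine; note that these added paragraphs are what moves the generated heading ids from `d0e104` and `d0e114` to `d0e146` and `d0e156`, which is why index.html had to be regenerated in the same commit.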
@@ -15,12 +25,8 @@
 			Used to highlight system input, including shell commands, file names and paths. Also used to highlight key caps and key-combinations. For example:
 		</p><div class="blockquote"><blockquote class="blockquote"><p>
 				To see the contents of the file <code class="filename">my_next_bestselling_novel</code> in your current working directory, enter the <code class="command">cat my_next_bestselling_novel</code> command at the shell prompt and press <span class="keycap"><strong>Enter</strong></span> to execute the command.
-			</p><p>
-				A useful shortcut for the above command (and many others) is <span class="keycap"><strong>Tab</strong></span> completion. Type <code class="command">cat my_</code> and then press the <span class="keycap"><strong>Tab</strong></span> key. Assuming there are no other files in the current directory which begin with 'my_', the rest of the file name will be entered on the command line for you.
-			</p><p>
-				(If other file names begin with 'my_', pressing the <span class="keycap"><strong>Tab</strong></span> key expands the file name to the point the names differ. Press <span class="keycap"><strong>Tab</strong></span> again to see all the files that match. Type enough of the file name you want to include on the command line to distinguish the file you want from the others and press <span class="keycap"><strong>Tab</strong></span> again.)
 			</p></blockquote></div><p>
-			The above includes a file name, a shell command and two key caps, all presented in Mono-spaced Bold and all distinguishable thanks to context.
+			The above includes a file name, a shell command and a key cap, all presented in Mono-spaced Bold and all distinguishable thanks to context.
 		</p><p>
 			Key-combinations can be distinguished from key caps by the hyphen connecting each part of a key-combination. For example:
 		</p><div class="blockquote"><blockquote class="blockquote"><p>
@@ -61,14 +67,17 @@
 			Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:
 		</p><div class="blockquote"><blockquote class="blockquote"><p>
 				When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
-			</p></blockquote></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e352">1.2. Pull-quote Conventions</h3></div></div></div><p>
+			</p></blockquote></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e372">1.2. Pull-quote Conventions</h3></div></div></div><p>
 			Two, commonly multi-line, data types are set off visually from the surrounding text.
 		</p><p>
 			Output sent to a terminal is set in <code class="computeroutput">Mono-spaced Roman</code> and presented thus:
-		</p><pre class="screen">books        Desktop   documentation  drafts  mss    photos   stuff  svn
-books_tests  Desktop1  downloads      images  notes  scripts  svgs</pre><p>
+		</p><pre class="screen">
+books        Desktop   documentation  drafts  mss    photos   stuff  svn
+books_tests  Desktop1  downloads      images  notes  scripts  svgs
+</pre><p>
 			Source-code listings are also set in <code class="computeroutput">Mono-spaced Roman</code> but are presented and highlighted as follows:
-		</p><pre class="programlisting">package org.jboss.book.jca.ex1;
+		</p><pre class="programlisting">
+package org.jboss.book.jca.ex1;
 
 import javax.naming.InitialContext;
 
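Review bot: the newlines added directly after `<pre class="screen">` and `<pre class="programlisting">` and before `</pre>` are cosmetic in the source but not neutral in the output. An HTML parser discards a single newline immediately following a `<pre>` start tag, whereas an XML parser preserves it, and this document declares XHTML 1.0 Strict, so if it is ever served as application/xhtml+xml the listing can render with an empty first line. If the goal is only more readable generated markup, keep the change; if identical rendering in both modes matters, revert to the one-line form `<pre class="screen">books        Desktop   documentation ...`.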
@@ -87,12 +96,13 @@
       System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
    }
    
-}</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e371">1.3. Notes and Warnings</h3></div></div></div><p>
-			Finally, we use three distinct visual styles to highlight certain information nuggets.
+}
+</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e391">1.3. Notes and Warnings</h3></div></div></div><p>
+			Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.
 		</p><div class="note"><h2>Note</h2><p>
-				A note is useful bit of information: a tip or shortcut or an alternative approach to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
+				A note is a tip or shortcut or alternative approach to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
 			</p></div><div class="important"><h2>Important</h2><p>
-				The Important information box highlights details that are easily missed: such as configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring important information won't cause data loss but may cause irritation and frustration.
+				Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring Important boxes won't cause data loss but may cause irritation and frustration.
 			</p></div><div class="warning"><h2>Warning</h2><p>
-				A Warning highlights vital information that must not be ignored. Ignoring warnings will most likely cause data loss.
+				A Warning should not be ignored. Ignoring warnings will most likely cause data loss.
 			</p></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="index.html"><strong>Prev</strong>Security-Enhanced Linux</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="pr01s02.html"><strong>Next</strong>2. We Need Feedback!</a></li></ul></body></html>
\ No newline at end of file
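Review bot: the rewritten Warning text is tautological: `A Warning should not be ignored. Ignoring warnings will most likely cause data loss.` no longer says what a Warning contains, whereas the removed line did (`highlights vital information that must not be ignored`). Suggest keeping the content description and collapsing to one sentence, for example `A Warning highlights information that must not be ignored; ignoring it will most likely cause data loss.` Separately, the file still ends without a trailing newline (`\ No newline at end of file`), which makes every future diff of the closing `</body></html>` line noisier than it needs to be.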


Index: sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,22 +1,25 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.6.2. Configuring Booleans</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans"/><link rel="next" href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html" title="5.6.3. Examples: Booleans for NFS and CIFS"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.6.2. Configuring Booleans</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Secur
 ity-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</h3></div></div></div><p>
-				The <code class="command">/usr/sbin/setsebool <em class="replaceable"><code>boolean-name</code></em> <em class="replaceable"><code>x</code></em></code> command turns Booleans on or off, where <em class="replaceable"><code>boolean-name</code></em> is a Boolean name, and <em class="replaceable"><code>x</code></em> is either <code class="option">on</code> to turn the Boolean on, or <code class="option">off</code> to turn it off.
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.6.2. Configuring Booleans</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans"/><link rel="next" href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html" title="5.6.3. Examples: Booleans for NFS and CIFS"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.6.2. Configuring Booleans</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><s
 trong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans">5.6.2. Configuring Booleans</h3></div></div></div><p>
+				The <code class="command">setsebool <em class="replaceable"><code>boolean-name</code></em> <em class="replaceable"><code>x</code></em></code> command turns Booleans on or off, where <em class="replaceable"><code>boolean-name</code></em> is a Boolean name, and <em class="replaceable"><code>x</code></em> is either <code class="option">on</code> to turn the Boolean on, or <code class="option">off</code> to turn it off.
 			</p><p>
 				The following example demonstrates configuring the <code class="computeroutput">httpd_can_network_connect_db</code> Boolean:
 			</p><div class="orderedlist"><ol><li><p>
 						By default, the <code class="computeroutput">httpd_can_network_connect_db</code> Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers:
 					</p><pre class="screen">$ /usr/sbin/getsebool httpd_can_network_connect_db
-httpd_can_network_connect_db --> off</pre></li><li><p>
-						To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, as the Linux root user, run the <code class="command">/usr/sbin/setsebool httpd_can_network_connect_db on</code> command.
+httpd_can_network_connect_db --> off
+</pre></li><li><p>
+						To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, run the <code class="command">setsebool httpd_can_network_connect_db on</code> command as the Linux root user.
 					</p></li><li><p>
-						Use the <code class="command">/usr/sbin/getsebool httpd_can_network_connect_db</code> command to verify the Boolean is turned on:
+						Use the <code class="command">getsebool httpd_can_network_connect_db</code> command to verify the Boolean is turned on:
 					</p><pre class="screen">$ /usr/sbin/getsebool httpd_can_network_connect_db
-httpd_can_network_connect_db --> on</pre><p>
+httpd_can_network_connect_db --> on
+</pre><p>
 						This allows Apache HTTP Server scripts and modules to connect to database servers.
 					</p></li><li><p>
-						This change is not persistent across reboots. To make changes persistent across reboots, as the Linux root user, run the <code class="command">/usr/sbin/setsebool -P <em class="replaceable"><code>boolean-name</code></em> on</code> command. For example:
-					</p><pre class="screen"># /usr/sbin/setsebool -P httpd_can_network_connect_db on</pre></li><li><p>
-						To temporarily revert to the default behavior, as the Linux root user, run the <code class="command">/usr/sbin/setsebool httpd_can_network_connect_db off</code> command. For changes that persist across reboots, run the <code class="command">/usr/sbin/setsebool -P httpd_can_network_connect_db off</code> command.
+						This change is not persistent across reboots. To make changes persistent across reboots, run the <code class="command">setsebool -P <em class="replaceable"><code>boolean-name</code></em> on</code> command as the Linux root user:
+					</p><pre class="screen"># /usr/sbin/setsebool -P httpd_can_network_connect_db on
+</pre></li><li><p>
+						To temporarily revert to the default behavior, as the Linux root user, run the <code class="command">setsebool httpd_can_network_connect_db off</code> command. For changes that persist across reboots, run the <code class="command">setsebool -P httpd_can_network_connect_db off</code> command.
 					</p></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Prev</strong>5.6. Booleans</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"><strong>Next</strong>5.6.3. Examples: Booleans for NFS and CIFS</a></li></ul></body></html>
\ No newline at end of file
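Review bot: the prose in this hunk drops the `/usr/sbin/` prefix (`setsebool httpd_can_network_connect_db on`, `getsebool httpd_can_network_connect_db`) while the adjacent screen listings keep it (`$ /usr/sbin/getsebool httpd_can_network_connect_db`, `# /usr/sbin/setsebool -P httpd_can_network_connect_db on`), so the reader sees two spellings of the same command one line apart. Pick one: keeping the full path everywhere is the safer choice, because the `$` prompt in step 1 implies an unprivileged shell and `/usr/sbin` is not necessarily on an unprivileged user's PATH; otherwise drop it everywhere. The same hunk also moves `as the Linux root user` to the end of the sentence in step 2 but leaves it at the front in the final step; settle on one placement.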


Index: sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.6.3. Examples: Booleans for NFS and CIFS</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans"/><link rel="prev" href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html" title="5.6.2. Configuring Booleans"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html" title="5.7. SELinux Contexts - Labeling Files"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.6.3. Examples: Booleans for NFS and CIFS</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"><strong>Prev</strong></a></li><
 li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS">5.6.3. Examples: Booleans for NFS and CIFS</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.6.3. Examples: Booleans for NFS and CIFS</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans"/><link rel="prev" href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html" title="5.6.2. Configuring Booleans"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html" title="5.7. SELinux Contexts - Labeling Files"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.6.3. Examples: Booleans for NFS and CIFS</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enha
 nced_Linux-Booleans-Configuring_Booleans.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS">5.6.3. Examples: Booleans for NFS and CIFS</h3></div></div></div><p>
 				By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the <code class="computeroutput">nfs_t</code> type. Also, by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the <code class="computeroutput">cifs_t</code> type.
 			</p><p>
 				Depending on policy configuration, services may not be able to read files labeled with the <code class="computeroutput">nfs_t</code> or <code class="computeroutput">cifs_t</code> types. This may prevent file systems labeled with these types from being mounted and then read or exported by other services. Booleans can be turned on or off to control which services are allowed to access the <code class="computeroutput">nfs_t</code> and <code class="computeroutput">cifs_t</code> types.


Index: sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,23 +1,29 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>6.4. Changing the Default Mapping</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="prev" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html" title="6.3. Confining Existing Linux Users: semanage login"/><link rel="next" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html" title="6.5. xguest: Kiosk Mode"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>6.4. Changing the Default Mapping</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.h
 tml"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>6.4. Changing the Default Mapping</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="prev" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html" title="6.3. Confining Existing Linux Users: semanage login"/><link rel="next" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html" title="6.5. xguest: Kiosk Mode"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>6.4. Changing the Default Mapping</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-
 Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping">6.4. Changing the Default Mapping</h2></div></div></div><p>
 			In Fedora 10, Linux users are mapped to the SELinux <code class="computeroutput">__default__</code> login by default (which is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user). If you would like new Linux users, and Linux users not specifically mapped to an SELinux user to be confined by default, change the default mapping with the <code class="command">semanage login</code> command.
 		</p><p>
-			The following example changes the default mapping from <code class="computeroutput">unconfined_u</code> to <code class="computeroutput">user_u</code>:
-		</p><pre class="screen">/usr/sbin/semanage login -m -S targeted -s "user_u" -r s0 __default__</pre><p>
+			For example, run the following command as the Linux root user to change the default mapping from <code class="computeroutput">unconfined_u</code> to <code class="computeroutput">user_u</code>:
+		</p><p>
+			<code class="command">/usr/sbin/semanage login -m -S targeted -s "user_u" -r s0 __default__</code>
+		</p><p>
 			As the Linux root user, run the <code class="command">semanage login -l</code> command to verify that the <code class="computeroutput">__default__</code> login is mapped to <code class="computeroutput">user_u</code>:
-		</p><pre class="screen"># /usr/sbin/semanage login -l
+		</p><pre class="screen">
+# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               user_u                    s0
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023</pre><p>
+system_u                  system_u                  s0-s0:c0.c1023
+</pre><p>
 			If a new Linux user is created and an SELinux user is not specified, or if an existing Linux user logs in and does not match a specific entry from the <code class="command">semanage login -l</code> output, they are mapped to <code class="computeroutput">user_u</code>, as per the <code class="computeroutput">__default__</code> login.
 		</p><p>
 			To change back to the default behavior, run the following command as the Linux root user to map the <code class="computeroutput">__default__</code> login to the SELinux <code class="computeroutput">unconfined_u</code> user:
 		</p><p>
+			
 <pre class="screen">/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r\
-s0-s0:c0.c1023 __default__</pre>
+s0-s0:c0.c1023 __default__
+</pre>
 		</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Prev</strong>6.3. Confining Existing Linux Users: semanage log...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html"><strong>Next</strong>6.5. xguest: Kiosk Mode</a></li></ul></body></html>
\ No newline at end of file
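Review bot: the whitespace-only line added inside the final paragraph leaves a `<pre class="screen">` nested in a `<p>` (the block beginning `<pre class="screen">/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r\` and ending `</pre>` followed by `</p>`), which XHTML 1.0 Strict does not allow, since `p` may contain only inline content; the page will not validate against the DTD in its own DOCTYPE, and browsers in HTML mode will implicitly close the `<p>` before the `<pre>`. Since this revision already reformats that span, close the paragraph before the `<pre>`, or present the command the way the hunk now presents the first one, inline as `<code class="command">/usr/sbin/semanage login -m -S targeted -s "user_u" -r s0 __default__</code>`; as it stands the two `semanage login -m` commands on the page use different presentations for the same kind of content.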


Index: sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,42 +1,57 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>6.3. Confining Existing Linux Users: semanage login</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="prev" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html" title="6.2. Confining New Linux Users: useradd"/><link rel="next" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html" title="6.4. Changing the Default Mapping"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>6.3. Confining Existing Linux Users: semanage login</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_
 Linux_Users_useradd.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining Existing Linux Users: semanage login</h2></div></div></div><p>
-			If a Linux user is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user (the default behavior), and you would like to change which SELinux user they are mapped to, use the <code class="command">semanage login</code> command. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux <code class="computeroutput">user_u</code> user.
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>6.3. Confining Existing Linux Users: semanage login</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="prev" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html" title="6.2. Confining New Linux Users: useradd"/><link rel="next" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html" title="6.4. Changing the Default Mapping"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>6.3. Confining Existing Linux Users: semanage login</strong></a></p><ul class="docnav"><li class="previous"><a a
 ccesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login">6.3. Confining Existing Linux Users: semanage login</h2></div></div></div><p>
+			If a Linux user is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user (the default behavior), and you would like to change which SELinux user they are mapped to, use the <code class="command">semanage login</code> command. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux <code class="computeroutput">user_u</code> user:
 		</p><div class="orderedlist"><ol><li><p>
 					As the Linux root user, run the <code class="command">/usr/sbin/useradd newuser</code> command to create a new Linux user (newuser). Since this user uses the default mapping, it does not appear in the <code class="command">/usr/sbin/semanage login -l</code> output:
-				</p><pre class="screen"># /usr/sbin/semanage login -l
+				</p><pre class="screen">
+# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023</pre></li><li><p>
-					To map the Linux newuser user to the SELinux <code class="computeroutput">user_u</code> user, run the <code class="command">/usr/sbin/semanage login -a -s user_u newuser</code> command as the Linux root user. The <code class="option">-a</code> option adds a new record, and the <code class="option">-s</code> option specifies the SELinux user to map a Linux user to. The last argument, <code class="computeroutput">newuser</code>, is the Linux user you want mapped to the specified SELinux user.
+system_u                  system_u                  s0-s0:c0.c1023
+</pre></li><li><p>
+					To map the Linux newuser user to the SELinux <code class="computeroutput">user_u</code> user, run the following command as the Linux root user:
+				</p><p>
+					<code class="command">/usr/sbin/semanage login -a -s user_u newuser</code>
+				</p><p>
+					The <code class="option">-a</code> option adds a new record, and the <code class="option">-s</code> option specifies the SELinux user to map a Linux user to. The last argument, <code class="computeroutput">newuser</code>, is the Linux user you want mapped to the specified SELinux user.
 				</p></li><li><p>
 					To view the mapping between the Linux newuser user and <code class="computeroutput">user_u</code>, run the <code class="command">/usr/sbin/semanage login -l</code> command as the Linux root user:
-				</p><pre class="screen"># /usr/sbin/semanage login -l
+				</p><pre class="screen">
+# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 newuser                   user_u                    s0
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023</pre></li><li><p>
+system_u                  system_u                  s0-s0:c0.c1023
+</pre></li><li><p>
 					As the Linux root user, run the <code class="command">passwd newuser</code> command to assign a password to the Linux newuser user:
-				</p><pre class="screen"># passwd newuser
+				</p><pre class="screen">
+# passwd newuser
 Changing password for user newuser.
-New UNIX password: <em class="replaceable"><code>Enter a password</code></em>Retype new UNIX password: <em class="replaceable"><code>Enter the same password again</code></em> 
-passwd: all authentication tokens updated successfully.</pre></li><li><p>
+New UNIX password: <em class="replaceable"><code>Enter a password</code></em>
+Retype new UNIX password: <em class="replaceable"><code>Enter the same password again</code></em> 
+passwd: all authentication tokens updated successfully.
+</pre></li><li><p>
 					Log out of your current session, and log in as the Linux newuser user. Run the <code class="command">id -Z</code> command to the newuser's SELinux context:
-				</p><pre class="screen">[newuser at rlocalhost ~]$ id -Z
-user_u:user_r:user_t:s0</pre></li><li><p>
-					Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, as the Linux root user, run the /usr/sbin/userdel -r newuser command to remove it, along with its home directory. Also, the mapping between the Linux newuser user and <code class="computeroutput">user_u</code> is removed:
-				</p><pre class="screen"># /usr/sbin/userdel -r newuser
+				</p><pre class="screen">
+[newuser at rlocalhost ~]$ id -Z
+user_u:user_r:user_t:s0
+</pre></li><li><p>
+					Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, as the Linux root user, run the <code class="command">/usr/sbin/userdel -r newuser</code> command to remove it, along with its home directory. Also, the mapping between the Linux newuser user and <code class="computeroutput">user_u</code> is removed:
+				</p><pre class="screen">
+# /usr/sbin/userdel -r newuser
 # /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023</pre></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Prev</strong>6.2. Confining New Linux Users: useradd</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Next</strong>6.4. Changing the Default Mapping</a></li></ul></body></html>
\ No newline at end of file
+system_u                  system_u                  s0-s0:c0.c1023
+</pre></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html"><strong>Prev</strong>6.2. Confining New Linux Users: useradd</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Next</strong>6.4. Changing the Default Mapping</a></li></ul></body></html>
\ No newline at end of file
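Review bot: the prompt in the rewritten `id -Z` listing reads `[newuser at rlocalhost ~]$`; `rlocalhost` looks like a typo for `localhost` (the useradd section in this same commit uses `[useruuser at localhost ~]$`), and since the line is being re-emitted anyway this is the moment to fix it. Two smaller points in the same ordered list: the unchanged step text `Run the id -Z command to the newuser's SELinux context:` is missing its verb (`to view the newuser's SELinux context`), and the prose in this file keeps the full `/usr/sbin/semanage login -l` path while the useradd hunk of the same commit shortens the identical command to `semanage login -l`; pick one convention for the guide.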


Index: sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,32 +1,41 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>6.2. Confining New Linux Users: useradd</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="prev" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="next" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html" title="6.3. Confining Existing Linux Users: semanage login"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>6.2. Confining New Linux Users: useradd</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Prev</strong></a></li><li class="ne
 xt"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining New Linux Users: useradd</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>6.2. Confining New Linux Users: useradd</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="prev" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="next" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html" title="6.3. Confining Existing Linux Users: semanage login"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>6.2. Confining New Linux Users: useradd</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-En
 hanced_Linux-Confining_Users.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-Confining_New_Linux_Users_useradd">6.2. Confining New Linux Users: useradd</h2></div></div></div><p>
 			Linux users mapped to the SELinux <code class="computeroutput">unconfined_u</code> user run in the <code class="computeroutput">unconfined_t</code> domain. This is seen by running the <code class="command">id -Z</code> command while logged-in as a Linux users mapped to <code class="computeroutput">unconfined_u</code>:
-		</p><pre class="screen">$ id -Z
-unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023</pre><p>
+		</p><pre class="screen">
+$ id -Z
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+</pre><p>
 			When Linux users run in the <code class="computeroutput">unconfined_t</code> domain, SELinux policy rules are applied, but policy rules exist that allow Linux users running in the <code class="computeroutput">unconfined_t</code> domain almost all access. If unconfined Linux users execute an application that SELinux policy defines can transition from the <code class="computeroutput">unconfined_t</code> domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy. Note: this does not protect the system from the user. Instead, the user and the system are being protected from possible damage caused by a flaw in the application.
 		</p><p>
-			When creating Linux users with <code class="command">/usr/sbin/useradd</code>, use the <code class="option">-Z</code> option to specify which SELinux user they are mapped to. The following example creates a new Linux user, useruuser, and maps that user to the SELinux <code class="computeroutput">user_u</code> user. Linux users mapped to the SELinux <code class="computeroutput">user_u</code> user run in the <code class="computeroutput">user_t</code> domain. In this domain, Linux users are unable to run setuid applications unless SELinux policy permits it (such as <code class="command">passwd</code>), can not run <code class="command">su</code> or <code class="command">sudo</code>, preventing them from becoming the Linux root user with these commands.
+			When creating Linux users with <code class="command">useradd</code>, use the <code class="option">-Z</code> option to specify which SELinux user they are mapped to. The following example creates a new Linux user, useruuser, and maps that user to the SELinux <code class="computeroutput">user_u</code> user. Linux users mapped to the SELinux <code class="computeroutput">user_u</code> user run in the <code class="computeroutput">user_t</code> domain. In this domain, Linux users are unable to run setuid applications unless SELinux policy permits it (such as <code class="command">passwd</code>), can not run <code class="command">su</code> or <code class="command">sudo</code>, preventing them from becoming the Linux root user with these commands.
 		</p><div class="orderedlist"><ol><li><p>
 					As the Linux root, run the <code class="command">/usr/sbin/useradd -Z user_u useruuser</code> command to create a new Linux user (useruuser) that is mapped to the SELinux <code class="computeroutput">user_u</code> user.
 				</p></li><li><p>
-					As the Linux root user, run the <code class="command">/usr/sbin/semanage login -l</code> command to view the mapping between the Linux <code class="computeroutput">useruuser</code> user and <code class="computeroutput">user_u</code>:
-				</p><pre class="screen"># /usr/sbin/semanage login -l
+					As the Linux root user, run the <code class="command">semanage login -l</code> command to view the mapping between the Linux <code class="computeroutput">useruuser</code> user and <code class="computeroutput">user_u</code>:
+				</p><pre class="screen">
+# /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
 system_u                  system_u                  s0-s0:c0.c1023
-useruuser                 user_u                    s0</pre></li><li><p>
+useruuser                 user_u                    s0
+</pre></li><li><p>
 					As the Linux root user, run the <code class="command">passwd useruuser</code> command to assign a password to the Linux useruuser user:
-				</p><pre class="screen"># passwd useruuser
+				</p><pre class="screen">
+# passwd useruuser
 Changing password for user useruuser.
-New UNIX password: <em class="replaceable"><code>Enter a password</code></em>Retype new UNIX password: <em class="replaceable"><code>Enter the same password again</code></em> 
-passwd: all authentication tokens updated successfully.</pre></li><li><p>
+New UNIX password: <em class="replaceable"><code>Enter a password</code></em>
+Retype new UNIX password: <em class="replaceable"><code>Enter the same password again</code></em> 
+passwd: all authentication tokens updated successfully.
+</pre></li><li><p>
 					Log out of your current session, and log in as the Linux useruuser user. When you log in, pam_selinux maps the Linux user to an SELinux user (in this case, <code class="computeroutput">user_u</code>), and sets up the resulting SELinux context. The Linux user's shell is then launched with this SELinux context. To view the SELinux context for a Linux user, run the <code class="command">id -Z</code> command:
-				</p><pre class="screen">[useruuser at localhost ~]$ id -Z
-user_u:user_r:user_t:s0</pre></li><li><p>
+				</p><pre class="screen">
+[useruuser at localhost ~]$ id -Z
+user_u:user_r:user_t:s0
+</pre></li><li><p>
 					Log out of the Linux useruuser's session, and log back in with your account. If you do not want the Linux useruuser user, as the Linux root user, run the <code class="command">/usr/sbin/userdel -r useruuser</code> command to remove it, along with its home directory.
 				</p></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Prev</strong>Chapter 6. Confining Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Confining_Users-Confining_Existing_Linux_Users_semanage_login.html"><strong>Next</strong>6.3. Confining Existing Linux Users: semanage log...</a></li></ul></body></html>
\ No newline at end of file
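Review bot: the `/usr/sbin/` prefix is dropped inconsistently in this hunk: the intro paragraph now says `useradd` and step 2 now says `semanage login -l`, but step 1 still reads `/usr/sbin/useradd -Z user_u useruuser`, step 5 still reads `/usr/sbin/userdel -r useruuser`, and the screen listing still shows `# /usr/sbin/semanage login -l`. Either drop the prefix everywhere in the prose (the listings can keep it, since that is what was typed) or leave it everywhere. Also worth fixing while here, in the unchanged context: `while logged-in as a Linux users mapped to` should be `logged in as a Linux user mapped to`, `As the Linux root, run` is missing `user`, and `can not run su or sudo` reads better as `and cannot run su or sudo`.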


Index: sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>6.5. xguest: Kiosk Mode</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="prev" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html" title="6.4. Changing the Default Mapping"/><link rel="next" href="chap-Security-Enhanced_Linux-Troubleshooting.html" title="Chapter 7. Troubleshooting"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>6.5. xguest: Kiosk Mode</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Securi
 ty-Enhanced_Linux-Troubleshooting.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>6.5. xguest: Kiosk Mode</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/><link rel="prev" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html" title="6.4. Changing the Default Mapping"/><link rel="next" href="chap-Security-Enhanced_Linux-Troubleshooting.html" title="Chapter 7. Troubleshooting"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>6.5. xguest: Kiosk Mode</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Confining_Users-Changing_the_Default_Mapping.html"><st
 rong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Troubleshooting.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode">6.5. xguest: Kiosk Mode</h2></div></div></div><p>
 			The <span class="package">xguest</span> package provides a kiosk user account. This account is used to secure machines that people walk up to and use, such as those at libraries, banks, airports, information kiosks, and coffee shops. The kiosk user account is very locked down: essentially, it only allows users to log in, and then use the <span class="application"><strong>Firefox</strong></span> application to browse Internet websites. Any changes made while logged in with his account, such as creating files or changing settings, are lost when you log out.
 		</p><p>
 			To set up the kiosk account:
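Review bot: the only change in this hunk is the generated `<meta name="package" .../>` stamp, which is fine, but the unchanged paragraph beside it has a typo worth catching in the same pass: `Any changes made while logged in with his account` should read `with this account`.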
@@ -9,8 +9,10 @@
 					As the Linux root user, run <code class="command">yum install xguest</code> command to install the <span class="package">xguest</span> package. Install dependencies as required.
 				</p></li><li><p>
 					In order to allow the kiosk account to be used by a variety of people, the account is not password-protected, and as such, the account can only be protected if SELinux is running in enforcing mode. Before logging in with this account, use the <code class="command">getenforce</code> command to confirm that SELinux is running in enforcing mode:
-				</p><pre class="screen">$ /usr/sbin/getenforce
-Enforcing</pre><p>
+				</p><pre class="screen">
+$ /usr/sbin/getenforce
+Enforcing
+</pre><p>
 					If this is not the case, refer to <a class="xref" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html" title="5.5. SELinux Modes">Section 5.5, “SELinux Modes”</a> for information about changing to enforcing mode. It is not possible to log in with this account if SELinux is in permissive mode or disabled.
 				</p></li><li><p>
 					You can only log in to this account via the GNOME Display Manager (GDM). Once the <span class="package">xguest</span> package is installed, a <code class="computeroutput">Guest</code> account is added to GDM. To log in, click on the <code class="computeroutput">Guest</code> account:
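Review bot: the `getenforce` check in this step only reports the current runtime mode, and because the kiosk account has no password its entire protection rests on enforcing mode (as the step itself says), so the step should also tell the reader to confirm `SELINUX=enforcing` in `/etc/selinux/config`, the file this same commit shows in the Disabling SELinux section, so that the mode, and with it the guest login, survives a reboot rather than depending on a one-off `setenforce`. Minor: `run yum install xguest command` is missing `the`.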


Index: sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html	24 Nov 2008 20:30:06 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.4.2. Disabling SELinux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html" title="5.4. Enabling and Disabling SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html" title="5.4. Enabling and Disabling SELinux"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html" title="5.5. SELinux Modes"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.4.2. Disabling SELinux</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>P
 rev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.4.2. Disabling SELinux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html" title="5.4. Enabling and Disabling SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html" title="5.4. Enabling and Disabling SELinux"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html" title="5.5. SELinux Modes"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.4.2. Disabling SELinux</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enha
 nced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux">5.4.2. Disabling SELinux</h3></div></div></div><p>
 				To disable SELinux, configure <code class="option">SELINUX=disabled</code> in <code class="filename">/etc/selinux/config</code>:
 			</p><pre class="screen"># This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
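Review bot: this hunk leaves `<pre class="screen"># This file controls the state of SELinux on the system.` with the listing content on the opening-tag line, whereas every other `<pre class="screen">` this commit touches is moved to the form with the content starting on the next line; the second hunk of this file converts only the closing side of the same block, so the file ends up mixed. Convert this opening line too for consistency.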
@@ -12,7 +12,9 @@
 # SELINUXTYPE= can take one of these two values:
 #       targeted - Targeted processes are protected,
 #       mls - Multi Level Security protection.
-SELINUXTYPE=targeted</pre><p>
-				Reboot your system. After reboot, confirm that the <code class="command">/usr/sbin/getenforce</code> command returns <code class="computeroutput">Disabled</code>:
+SELINUXTYPE=targeted
+</pre><p>
+				Reboot your system. After reboot, confirm that the <code class="command">getenforce</code> command returns <code class="computeroutput">Disabled</code>:
 			</p><pre class="screen">$ /usr/sbin/getenforce
-Disabled</pre></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Prev</strong>5.4. Enabling and Disabling SELinux</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Next</strong>5.5. SELinux Modes</a></li></ul></body></html>
\ No newline at end of file
+Disabled
+</pre></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Prev</strong>5.4. Enabling and Disabling SELinux</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Next</strong>5.5. SELinux Modes</a></li></ul></body></html>
\ No newline at end of file
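Review bot: the `getenforce` block is converted only on its closing side: `$ /usr/sbin/getenforce` still sits on the `<pre class="screen">` line while `Disabled` and `</pre>` are moved to their own lines, which is the other half of the inconsistency in the first hunk of this file. Also, the prose now says `getenforce` while the listing still shows `/usr/sbin/getenforce`; that is acceptable if the guide's convention is short names in prose and full paths in listings, but the Confining Users sections in this same commit do not follow that convention uniformly.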


Index: sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,12 +1,16 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.3.3. Raw Audit Messages</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html" title="7.3. Fixing Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html" title="7.3.2. Searching For and Viewing Denials"/><link rel="next" href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html" title="7.3.4. sealert Messages"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.3.3. Raw Audit Messages</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Prev</strong></a></li><li clas
 s="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.3. Raw Audit Messages</h3></div></div></div><p>
-				Raw audit messages are logged to <code class="filename">/var/log/audit/audit.log</code>. The following is an example AVC denial that occurred when the Apache HTTP Server (running in the <code class="computeroutput">httpd_t</code> domain) attempted to access the <code class="filename">/var/www/html/file1</code> file (labeled with the <code class="computeroutput">samba_share_t</code> type):
-			</p><pre class="screen">type=AVC msg=audit(1225875185.864:96): avc:  denied  { getattr } for  pid=2608 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file</pre><div class="variablelist"><dl><dt><span class="term"><em class="replaceable"><code>{ getattr }</code></em></span></dt><dd><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.3.6. Raw Audit Messages</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html" title="7.3. Fixing Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html" title="7.3.5. Searching For and Viewing Denials"/><link rel="next" href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html" title="7.3.7. sealert Messages"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.3.6. Raw Audit Messages</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-
 Searching_For_and_Viewing_Denials.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">7.3.6. Raw Audit Messages</h3></div></div></div><p>
+				Raw audit messages are logged to <code class="filename">/var/log/audit/audit.log</code>. The following is an example AVC denial (and the associated system call) that occurred when the Apache HTTP Server (running in the <code class="computeroutput">httpd_t</code> domain) attempted to access the <code class="filename">/var/www/html/file1</code> file (labeled with the <code class="computeroutput">samba_share_t</code> type):
+			</p><pre class="screen">
+type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for  pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
+
+type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
+</pre><div class="variablelist"><dl><dt><span class="term"><em class="replaceable"><code>{ getattr }</code></em></span></dt><dd><p>
 							The item in braces indicates the permission that was denied. <code class="computeroutput">getattr</code> indicates the source process was trying to read the target file's status information. This occurs before reading files. This action is denied due to the file being accessed having the wrong label. Commonly seen permissions include <code class="computeroutput">getattr</code>, <code class="computeroutput">read</code>, and <code class="computeroutput">write</code>.
 						</p></dd><dt><span class="term">comm="<em class="replaceable"><code>httpd</code></em>"</span></dt><dd><p>
-							The file that launched the process. In this case, the <code class="filename"> /usr/sbin/httpd</code> file launched the Apache HTTP Server.
+							The executable that launched the process. The full path of the executable is found in the <code class="computeroutput">exe=</code> section of the system call (<code class="computeroutput">SYSCALL</code>) message, which in this case, is <code class="computeroutput">exe="/usr/sbin/httpd"</code>.
 						</p></dd><dt><span class="term">path="<em class="replaceable"><code>/var/www/html/file1</code></em>"</span></dt><dd><p>
 							The path to the object (target) that the process attempted to access.
 						</p></dd><dt><span class="term">scontext="<em class="replaceable"><code>unconfined_u:system_r:httpd_t:s0</code></em>"</span></dt><dd><p>
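Review bot: The `{ getattr }` entry in this hunk states "This action is denied due to the file being accessed having the wrong label" as if it were true of every getattr denial, but the wrong-label diagnosis is specific to this example (the file carries samba_share_t while httpd_t is the subject); suggest "In this example, the action is denied because the file has the wrong label". The reworked `comm=` entry is an improvement, and it already directs the reader to `exe="/usr/sbin/httpd"` in the SYSCALL record, so any later explanation of `exe=` in this file should be a pointer back to it rather than a restatement.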
@@ -16,5 +20,11 @@
 						</p><p>
 							In certain situations, the <code class="computeroutput">tcontext</code> may match the <code class="computeroutput">scontext</code>, for example, when a process attempts to execute a system service that will change characteristics of that running process, such as the user ID. Also, the <code class="computeroutput">tcontext</code> may match the <code class="computeroutput">scontext</code> when a process tries to use more resources (such as memory) than normal limits allow, resulting in a security check to see if that process is allowed to break those limits.
 						</p></dd></dl></div><p>
+				From the system call (<code class="computeroutput">SYSCALL</code>) message, two items are of interest:
+			</p><div class="itemizedlist"><ul><li><p>
+						<code class="computeroutput">success=<em class="replaceable"><code>no</code></em></code>: indicates whether the denial (AVC) was enforced or not. <code class="computeroutput">success=no</code> indicates the system call was not successful (SELinux denied access). <code class="computeroutput">success=yes</code> indicates the system call was successful - this can be seen for permissive domains or unconfined domains, such as <code class="computeroutput">initrc_t</code> and <code class="computeroutput">kernel_t</code>.
+					</p></li><li><p>
+						<code class="computeroutput">exe="<em class="replaceable"><code>/usr/sbin/httpd</code></em>"</code>: the full path to the executable that launched the process, which in this case, is <code class="computeroutput">exe="/usr/sbin/httpd"</code>.
+					</p></li></ul></div><p>
 				An incorrect file type is a common cause for SELinux denying access. To start troubleshooting, compare the source context (<code class="computeroutput">scontext</code>) with the target context (<code class="computeroutput">tcontext</code>). Should the process (<code class="computeroutput">scontext</code>) be accessing such an object (<code class="computeroutput">tcontext</code>)? For example, the Apache HTTP Server (<code class="computeroutput">httpd_t</code>) should only be accessing types specified in the <span class="citerefentry"><span class="refentrytitle">httpd_selinux</span>(8)</span> manual page, such as <code class="computeroutput">httpd_sys_content_t</code>, <code class="computeroutput">public_content_t</code>, and so on, unless configured otherwise.
-			</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Prev</strong>7.3.2. Searching For and Viewing Denials</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Next</strong>7.3.4. sealert Messages</a></li></ul></body></html>
\ No newline at end of file
+			</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Prev</strong>7.3.5. Searching For and Viewing Denials</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html"><strong>Next</strong>7.3.7. sealert Messages</a></li></ul></body></html>
\ No newline at end of file
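Review bot: The new `exe=` bullet repeats, almost word for word, what the reworked `comm=` entry earlier in this file already says ("The full path of the executable is found in the exe= section ... exe="/usr/sbin/httpd""); keep the explanation in one place and reduce the bullet to "exe=: the full path to the executable, as described above for comm=", or drop it. In the `success=` bullet, "successful - this can be seen for permissive domains" uses a hyphen as a dash; a semicolon reads better, and it is worth stating explicitly that an AVC record with success=yes means the denial was logged but not enforced, which is the practical reason to check this field first when triaging audit.log.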


Index: sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.3.2. Searching For and Viewing Denials</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html" title="7.3. Fixing Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html" title="7.3. Fixing Problems"/><link rel="next" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html" title="7.3.3. Raw Audit Messages"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.3.2. Searching For and Viewing Denials</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Prev</strong></a></li><li class="next"><a accesskey=
 "n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.2. Searching For and Viewing Denials</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.3.5. Searching For and Viewing Denials</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html" title="7.3. Fixing Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html" title="7.3.4.2. Denials for Permissive Domains"/><link rel="next" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html" title="7.3.6. Raw Audit Messages"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.3.5. Searching For and Viewing Denials</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Securit
 y-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials">7.3.5. Searching For and Viewing Denials</h3></div></div></div><p>
 				This section assumes the <span class="package">setroubleshoot</span>, <span class="package">setroubleshoot-server</span>, and <span class="package">audit</span> packages are installed, and that the <code class="systemitem">auditd</code>, <code class="systemitem">rsyslogd</code>, and <code class="systemitem">setroubleshootd</code> daemons are running. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html" title="5.2. Which Log File is Used">Section 5.2, “Which Log File is Used”</a> for information about starting these daemons. A number of tools are available for searching for and viewing SELinux denials, such as <code class="command">ausearch</code>, <code class="command">aureport</code>, and <code class="command">sealert</code>.
 			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-ausearch">ausearch</h5>
-					The <span class="package">audit</span> package provides <code class="command">ausearch</code>. From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page: "<code class="command">ausearch</code> is a tool that can query the audit daemon logs based for events based on different search criteria"<sup>[<a id="d0e5507" href="#ftn.d0e5507" class="footnote">16</a>]</sup>. The <code class="command">ausearch</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user:
+					The <span class="package">audit</span> package provides <code class="command">ausearch</code>. From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page: "<code class="command">ausearch</code> is a tool that can query the audit daemon logs based for events based on different search criteria"<sup>[<a id="d0e5841" href="#ftn.d0e5841" class="footnote">16</a>]</sup>. The <code class="command">ausearch</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user:
 				<div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Searching For</th><th>Command</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">all denials</td><td class="seg"><code class="command">/sbin/ausearch -m avc</code></td></tr><tr class="seglistitem"><td class="seg">denials for that today</td><td class="seg"><code class="command">/sbin/ausearch -m avc -ts today</code></td></tr><tr class="seglistitem"><td class="seg">denials from the last 10 minutes</td><td class="seg"><code class="command">/sbin/ausearch -m avc -ts recent</code></td></tr></tbody></table></div><p>
-				To search for SELinux denials for a particular service, use the <code class="option">-c <em class="replaceable"><code>comm-name</code></em></code> option, where <em class="replaceable"><code>comm-name</code></em> "is the executable’s name"<sup>[<a id="d0e5559" href="#ftn.d0e5559" class="footnote">17</a>]</sup>, for example, <code class="systemitem">httpd</code> for the Apache HTTP Server, and <code class="systemitem">smbd</code> for Samba:
+				To search for SELinux denials for a particular service, use the <code class="option">-c <em class="replaceable"><code>comm-name</code></em></code> option, where <em class="replaceable"><code>comm-name</code></em> "is the executable’s name"<sup>[<a id="d0e5893" href="#ftn.d0e5893" class="footnote">17</a>]</sup>, for example, <code class="systemitem">httpd</code> for the Apache HTTP Server, and <code class="systemitem">smbd</code> for Samba:
 			</p><p>
 				<code class="command">/sbin/ausearch -m avc -c httpd</code>
 			</p><p>
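Review bot: In the segmented list in this hunk, "denials for that today" reads as a typo; suggest "denials from today" to match the neighbouring "denials from the last 10 minutes" row. The rest of the hunk only renumbers the section title, prev link and publican footnote anchors (d0e5507 to d0e5841), which is consistent with the new 7.3.5 numbering used in the docnav below.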
@@ -14,30 +14,38 @@
 			</p><p>
 				Refer to the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page for further <code class="command">ausearch</code> options.
 			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-aureport">aureport</h5>
-					The <span class="package">audit</span> package provides <code class="command">aureport</code>. From the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page: "<code class="command">aureport</code> is a tool that produces summary reports of the audit system logs"<sup>[<a id="d0e5619" href="#ftn.d0e5619" class="footnote">18</a>]</sup>. The <code class="command">aureport</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the <code class="command">aureport -a</code> command. The following is example output that includes two denials:
-				<pre class="screen"># /sbin/aureport -a
+					The <span class="package">audit</span> package provides <code class="command">aureport</code>. From the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page: "<code class="command">aureport</code> is a tool that produces summary reports of the audit system logs"<sup>[<a id="d0e5953" href="#ftn.d0e5953" class="footnote">18</a>]</sup>. The <code class="command">aureport</code> tool accesses <code class="filename">/var/log/audit/audit.log</code>, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the <code class="command">aureport -a</code> command. The following is example output that includes two denials:
+				<pre class="screen">
+# /sbin/aureport -a
 
 AVC Report
 ========================================================
 # date time comm subj syscall class permission obj event
 ========================================================
 1. 11/01/2008 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
-2. 11/03/2008 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4</pre><h5 class="formalpara" id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-sealert">sealert</h5>
+2. 11/03/2008 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4
+</pre><p>
+				Refer to the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page for further <code class="command">aureport</code> options.
+			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Searching_For_and_Viewing_Denials-sealert">sealert</h5>
 					The <span class="package">setroubleshoot-server</span> package provides <code class="command">sealert</code>, which reads denial messages translated by <span class="package">setroubleshoot-server</span>. Denials are assigned IDs, as seen in <code class="filename">/var/log/messages</code>. The following is an example denial from <code class="filename">messages</code>:
-				<pre class="screen">setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</pre><p>
+				<pre class="screen">
+setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
+</pre><p>
 				In this example, the denial ID is <code class="computeroutput">84e0b04d-d0ad-4347-8317-22e74f6cd020</code>. The <code class="option">-l</code> option takes an ID as an argument. Running the <code class="command">sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</code> command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access.
 			</p><p>
 				If you are running the X Window System, have the <span class="package">setroubleshoot</span> and <span class="package">setroubleshoot-server</span> packages installed, and the <code class="systemitem">setroubleshootd</code> daemon running, a yellow star and a warning are displayed when access is denied by SELinux. Clicking on the star launches the <code class="command">sealert</code> GUI, and displays denials in HTML output:
 			</p><div class="mediaobject"><img src="./images/sealert_gui.png"/></div><div class="itemizedlist"><ul><li><p>
 						Run the <code class="command">sealert -b</code> command to launch the <code class="command">sealert</code> GUI.
 					</p></li><li><p>
-						Run the <code class="command">sealert -l \*</code> command to view a detailed anaylsis of all denials.
+						Run the <code class="command">sealert -l \*</code> command to view a detailed analysis of all denials.
 					</p></li><li><p>
 						As the Linux root user, run the <code class="command">sealert -a /var/log/audit/audit.log -H > audit.html</code> command to create a HTML version of the <code class="command">sealert</code> analysis, as seen with the <code class="command">sealert</code> GUI.
-					</p></li></ul></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e5507" href="#d0e5507" class="para">16</a>] </sup>
+					</p></li></ul></div><p>
+				Refer to the <span class="citerefentry"><span class="refentrytitle">sealert</span>(8)</span> manual page for further <code class="command">sealert</code> options.
+			</p><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e5841" href="#d0e5841" class="para">16</a>] </sup>
 						From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 10.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e5559" href="#d0e5559" class="para">17</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e5893" href="#d0e5893" class="para">17</a>] </sup>
 					From the <span class="citerefentry"><span class="refentrytitle">ausearch</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 10.
-				</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e5619" href="#d0e5619" class="para">18</a>] </sup>
+				</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e5953" href="#d0e5953" class="para">18</a>] </sup>
 						From the <span class="citerefentry"><span class="refentrytitle">aureport</span>(8)</span> manual page, as shipped with the <span class="package">audit</span> package in Fedora 10.
-					</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Prev</strong>7.3. Fixing Problems</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Next</strong>7.3.3. Raw Audit Messages</a></li></ul></body></html>
\ No newline at end of file
+					</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Permissive_Domains-Denials_for_Permissive_Domains.html"><strong>Prev</strong>7.3.4.2. Denials for Permissive Domains</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Next</strong>7.3.6. Raw Audit Messages</a></li></ul></body></html>
\ No newline at end of file
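Review bot: The aureport paragraph in this hunk promises "a list of SELinux denials and how often each one occurred", but the `aureport -a` output that follows has no count column: its header row is "# date time comm subj syscall class permission obj event", so the trailing "2" and "4" are audit event serial numbers, not occurrence counts. Suggest "To view a list of SELinux denial events, run the aureport -a command", or explain that each line is one logged denial. Two smaller points in the same hunk: "create a HTML version" should be "create an HTML version", and the "Refer to the ... manual page" sentences added for aureport and sealert are a good match for the existing ausearch one.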


Index: sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,11 +1,14 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.3.4. sealert Messages</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html" title="7.3. Fixing Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html" title="7.3.3. Raw Audit Messages"/><link rel="next" href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages.html" title="7.3.5. Manual Pages for Services"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.3.4. sealert Messages</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Securit
 y-Enhanced_Linux-Fixing_Problems-Manual_Pages.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.4. sealert Messages</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.3.7. sealert Messages</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html" title="7.3. Fixing Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html" title="7.3.6. Raw Audit Messages"/><link rel="next" href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html" title="7.3.8. Allowing Access: audit2allow"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.3.7. sealert Messages</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_M
 essages.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages">7.3.7. sealert Messages</h3></div></div></div><p>
 				Denials are assigned IDs, as seen in <code class="filename">/var/log/messages</code>. The following is an example AVC denial (logged to <code class="filename">messages</code>) that occurred when the Apache HTTP Server (running in the <code class="computeroutput">httpd_t</code> domain) attempted to access the <code class="filename">/var/www/html/file1</code> file (labeled with the <code class="computeroutput">samba_share_t</code> type):
-			</p><pre class="screen"><em class="replaceable"><code>hostname</code></em> setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</pre><p>
+			</p><pre class="screen">
+<em class="replaceable"><code>hostname</code></em> setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
+</pre><p>
 				As suggested, run the <code class="command">sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</code> command to view the complete message. This command only works on the local machine, and presents the same information as the <code class="command">sealert</code> GUI:
-			</p><pre class="screen">$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
+			</p><pre class="screen">
+$ sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
 
 Summary:
 
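Review bot: The opening paragraph of this hunk calls the setroubleshoot line "an example AVC denial (logged to messages)", but what is shown is the setroubleshoot summary of a denial; the AVC record itself is in /var/log/audit/audit.log and is reproduced later in this file under Raw Audit Messages. Suggest "The following is an example setroubleshoot message (logged to messages) for an AVC denial that occurred when ...". Moving the `<pre class="screen">` content onto its own line matches the other files in this change set.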
@@ -37,7 +40,8 @@
 Source                        httpd
 Source Path                   /usr/sbin/httpd
 Port                          <Unknown>
-Host                          <em class="replaceable"><code>hostname</code></em>Source RPM Packages           httpd-2.2.10-2
+Host                          <em class="replaceable"><code>hostname</code></em>
+Source RPM Packages           httpd-2.2.10-2
 Target RPM Packages
 Policy RPM                    selinux-policy-3.5.13-11.fc10
 Selinux Enabled               True
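Review bot: The context line "Port <Unknown>" in this hunk contains a literal `<Unknown>` inside the `<pre>`; in XHTML 1.0 Strict that is parsed as an element, not text, so unless the source already has `&lt;Unknown&gt;` it should be escaped, otherwise the sealert output will render without the placeholder. Splitting "Host" and "Source RPM Packages" onto separate lines is the right fix for the run-together output.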
@@ -58,7 +62,8 @@
 
 node=<em class="replaceable"><code>hostname</code></em> type=AVC msg=audit(1225812178.788:101): avc:  denied  { getattr } for  pid=2441 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284916 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
 
-node=<em class="replaceable"><code>hostname</code></em> type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)</pre><div class="variablelist"><dl><dt><span class="term">Summary</span></dt><dd><p>
+node=<em class="replaceable"><code>hostname</code></em> type=SYSCALL msg=audit(1225812178.788:101): arch=40000003 syscall=196 success=no exit=-13 a0=b8e97188 a1=bf87aaac a2=54dff4 a3=2008171 items=0 ppid=2439 pid=2441 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
+</pre><div class="variablelist"><dl><dt><span class="term">Summary</span></dt><dd><p>
 							A brief summary of the denied action. This is the same as the denial in <code class="filename">/var/log/messages</code>. In this example, the <code class="systemitem">httpd</code> process was denied access to a file (<code class="filename">file1</code>), which is labeled with the <code class="computeroutput">samba_share_t</code> type.
 						</p></dd><dt><span class="term">Detailed Description</span></dt><dd><p>
 							A more verbose description. In this example, <code class="filename">file1</code> is labeled with the <code class="computeroutput">samba_share_t</code>. This type is used for files and directories that you want to export via Samba. The description suggests changing the type to a type that can be accessed by the Apache HTTP Server and Samba, if such access is desired.
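Review bot: In the Detailed Description entry at the end of this hunk, "file1 is labeled with the samba_share_t." is missing its noun; suggest "labeled with the samba_share_t type", as the Summary entry above already phrases it. Closing the `<pre>` on its own line after the SYSCALL record is consistent with the other screen blocks in this change set.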
@@ -69,5 +74,5 @@
 						</p></dd><dt><span class="term">Additional Information</span></dt><dd><p>
 							Information that is useful in bug reports, such as the policy package name and version (<code class="computeroutput">selinux-policy-3.5.13-11.fc10</code>), but may not help towards solving why the denial occurred.
 						</p></dd><dt><span class="term">Raw Audit Messages</span></dt><dd><p>
-							The raw audit messages from <code class="filename">/var/log/audit/audit.log</code> that are associated with the denial. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html" title="7.3.3. Raw Audit Messages">Section 7.3.3, “Raw Audit Messages”</a> for information about each item in the AVC denial.
-						</p></dd></dl></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Prev</strong>7.3.3. Raw Audit Messages</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Manual_Pages.html"><strong>Next</strong>7.3.5. Manual Pages for Services</a></li></ul></body></html>
\ No newline at end of file
+							The raw audit messages from <code class="filename">/var/log/audit/audit.log</code> that are associated with the denial. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html" title="7.3.6. Raw Audit Messages">Section 7.3.6, “Raw Audit Messages”</a> for information about each item in the AVC denial.
+						</p></dd></dl></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html"><strong>Prev</strong>7.3.6. Raw Audit Messages</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html"><strong>Next</strong>7.3.8. Allowing Access: audit2allow</a></li></ul></body></html>
\ No newline at end of file
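Review bot: The renumbered cross-reference and docnav in this hunk (7.3.3 to 7.3.6, next section now 7.3.8 audit2allow) agree with the title and prev/next links changed at the top of this file. One wording point in the unchanged Additional Information entry: "may not help towards solving why the denial occurred" reads awkwardly; suggest "may not help in determining why the denial occurred".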


Index: sect-Security-Enhanced_Linux-Introduction-Examples.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Introduction-Examples.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Introduction-Examples.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Introduction-Examples.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,28 +1,28 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>2.2. Examples</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Introduction.html" title="Chapter 2. Introduction"/><link rel="prev" href="chap-Security-Enhanced_Linux-Introduction.html" title="Chapter 2. Introduction"/><link rel="next" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture_and_Performance.html" title="2.3. SELinux Architecture and Performance"/></head><body class="draft"><p id="title"><a href="http://docs.fedoraproject.org"><strong>2.2. Examples</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Introduction-SELinu
 x_Architecture_and_Performance.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>2.2. Examples</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Introduction.html" title="Chapter 2. Introduction"/><link rel="prev" href="chap-Security-Enhanced_Linux-Introduction.html" title="Chapter 2. Introduction"/><link rel="next" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html" title="2.3. SELinux Architecture"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>2.2. Examples</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-En
 hanced_Linux-Introduction-SELinux_Architecture.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-Examples">2.2. Examples</h2></div></div></div><p>
 			The following examples demonstrate how SELinux increases security:
 		</p><div class="itemizedlist"><ul><li><p>
-					The default action is deny. If an SELinux policy rule does not exist to allow a process access to a file or directory, or a process access to another process, access is denied.
+					the default action is deny. If an SELinux policy rule does not exist to allow access, such as for a process opening a file, access is denied.
 				</p></li><li><p>
-					Confining users: SELinux can confine Linux users. A number of restricted SELinux users exist. Linux users can be mapped to SELinux users to take advantage of confined SELinux users. For example, mapping a Linux user account to the SELinux user_u user, results in a Linux user that is not able to run (unless configured otherwise) set user ID (setuid) applications, such as <code class="command">/usr/bin/sudo</code> and <code class="command">su</code>. Also, you can disable the execution of files (such as an application) in user home directories for Linux users that are mapped to the SELinux user_u user. If configured, this prevents users from executing malicious files, which they may have downloaded from the Internet, from their home directories.
+					SELinux can confine Linux users. A number of confined SELinux users exist. Linux users can be mapped to SELinux users to take advantage of confined SELinux users. For example, mapping a Linux user to the SELinux user_u user, results in a Linux user that is not able to run (unless configured otherwise) set user ID (setuid) applications, such as <code class="command">sudo</code> and <code class="command">su</code>, as well as preventing them from executing files and applications in their home directory- if configured, this prevents users from executing malicious files from their home directories.
 				</p></li><li><p>
-					Process separation. Processes run in their own domains. This prevents other processes from accessing files used by other processes, as well as processes accessing other processes. For example, when running SELinux, unless otherwise configured, an attacker can not compromise a Samba server, and then use that Samba server to read and write to files used by other processes, such as files comprising a website that is read by the Apache HTTP server.
+					process separation. Processes run in their own domains, preventing processes from accessing files used by other processes, as well as processes accessing other processes. For example, when running SELinux, unless otherwise configured, an attacker can not compromise a Samba server, and then use that Samba server to read and write to files used by other processes, such as databases used by <span class="trademark">MySQL</span>®.
 				</p></li><li><p>
-					Help limit the damage done by configuration mistakes. <a href="http://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System (DNS)</a> servers can replicate information between each other. This is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the <a href="http://www.isc.org/index.pl?/sw/bind/index.php">Berkeley Internet Name Domain (BIND)</a> DNS server in Fedora 10, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files <sup>[<a id="d0e587" href="#ftn.d0e587" class="footnote">3</a>]</sup> from being updated by zone transfers, the BIND <code class="systemitem">named</code> daemon, and any other subjects.
+					help limit the damage done by configuration mistakes. <a href="http://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System (DNS)</a> servers can replicate information between each other. This is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the <a href="https://www.isc.org/software/bind">Berkeley Internet Name Domain (BIND)</a> DNS server in Fedora 10, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files <sup>[<a id="d0e609" href="#ftn.d0e609" class="footnote">3</a>]</sup> from being updated by zone transfers, the BIND <code class="systemitem">named</code> daemon, and other processes.
 				</p></li><li><p>
-					Refer to the <a href="http://www.redhatmagazine.com/">Red Hat Magazine</a> article, <a href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/">Risk report: Three years of Red Hat Enterprise Linux 4</a><sup>[<a id="d0e602" href="#ftn.d0e602" class="footnote">4</a>]</sup>, for exploits against PHP and an exploit against MySQL, which were not successful due to the default SELinux targeted policy for the Apache HTTP Server and MySQL on Red Hat Enterprise Linux 4.
+					refer to the <a href="http://www.redhatmagazine.com/"><span class="trademark">Red Hat</span>® Magazine</a> article, <a href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/">Risk report: Three years of Red Hat Enterprise Linux 4</a><sup>[<a id="d0e626" href="#ftn.d0e626" class="footnote">4</a>]</sup>, for exploits that were restricted due to the default SELinux targeted policy in <span class="trademark">Red Hat</span>® Enterprise <span class="trademark">Linux</span>® 4.
 				</p></li><li><p>
-					Refer to the <a href="http://www.linuxworld.com">LinuxWorld.com</a> article, <a href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1">A seatbelt for server software: SELinux blocks real-world exploits</a><sup>[<a id="d0e616" href="#ftn.d0e616" class="footnote">5</a>]</sup>, for background information about SELinux, and information about various exploits that SELinux has prevented.
+					refer to the <a href="http://www.linuxworld.com">LinuxWorld.com</a> article, <a href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1">A seatbelt for server software: SELinux blocks real-world exploits</a><sup>[<a id="d0e646" href="#ftn.d0e646" class="footnote">5</a>]</sup>, for background information about SELinux, and information about various exploits that SELinux has prevented.
 				</p></li><li><p>
-					Refer to James Morris's <a href="http://james-morris.livejournal.com/25421.html">SELinux mitigates remote root vulnerability in OpenPegasus</a> blog entry, for information about an exploit in <a href="http://www.openpegasus.org/">OpenPegasus</a> that was mitigated by SELinux as shipped with Red Hat Enterprise Linux 4 and 5.
+					refer to James Morris's <a href="http://james-morris.livejournal.com/25421.html">SELinux mitigates remote root vulnerability in OpenPegasus</a> blog post, for information about an exploit in <a href="http://www.openpegasus.org/">OpenPegasus</a> that was mitigated by SELinux as shipped with Red Hat Enterprise Linux 4 and 5.
 				</p></li></ul></div><p>
 			The <a href="http://www.tresys.com/">Tresys Technology</a> website has an <a href="http://www.tresys.com/innovation.php">SELinux Mitigation News</a> section (on the right-hand side), that lists recent exploits that have been mitigated or prevented by SELinux.
-		</p><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e587" href="#d0e587" class="para">3</a>] </sup>
+		</p><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e609" href="#d0e609" class="para">3</a>] </sup>
 						Text files that include information, such as hostname to IP address mappings, that are used by DNS servers.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e602" href="#d0e602" class="para">4</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e626" href="#d0e626" class="para">4</a>] </sup>
 						Cox, Mark. "Risk report: Three years of Red Hat Enterprise Linux 4". Published 26 February 2008. Accessed 28 August 2008: <a href="http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/">http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/</a>.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e616" href="#d0e616" class="para">5</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e646" href="#d0e646" class="para">5</a>] </sup>
 						Marti, Don. "A seatbelt for server software: SELinux blocks real-world exploits". Published 24 February 2008. Accessed 28 August 2008: <a href="http://www.linuxworld.com/news/2008/022408-selinux.html?page=1">http://www.linuxworld.com/news/2008/022408-selinux.html?page=1</a>.
-					</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Prev</strong>Chapter 2. Introduction</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture_and_Performance.html"><strong>Next</strong>2.3. SELinux Architecture and Performance</a></li></ul></body></html>
\ No newline at end of file
+					</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Introduction.html"><strong>Prev</strong>Chapter 2. Introduction</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"><strong>Next</strong>2.3. SELinux Architecture</a></li></ul></body></html>
\ No newline at end of file
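Review bot: the rewritten list items are inconsistent in capitalization and the confining-users item now reads ambiguously. The new + lines start lowercase ("the default action is deny", "process separation", "help limit", "refer to") while the confining-users item starts with "SELinux can confine"; pick one convention for the whole itemizedlist. In that item, "as well as preventing them from executing files and applications in their home directory- if configured, this prevents ..." folds what the old text described as a separately configurable restriction into the default user_u behaviour, and the hyphen is standing in for a sentence break; suggest keeping it as two sentences, e.g. "..., such as sudo and su. Execution of files in home directories can also be disabled for Linux users mapped to user_u; if configured, this prevents users from executing malicious files from their home directories." Also drop the stray comma in "mapping a Linux user to the SELinux user_u user, results in". The footnote id renumbering (d0e587 to d0e609, d0e602 to d0e626, d0e616 to d0e646) is consistent between the sup anchors and the footnote div, so the back-links still resolve.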


Index: sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,16 +1,16 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>2.4. SELinux on other Operating Systems</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Introduction.html" title="Chapter 2. Introduction"/><link rel="prev" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture_and_Performance.html" title="2.3. SELinux Architecture and Performance"/><link rel="next" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html" title="Chapter 3. SELinux Contexts"/></head><body class="draft"><p id="title"><a href="http://docs.fedoraproject.org"><strong>2.4. SELinux on other Operating Systems</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture_and_Performance.html"><strong>Prev</strong>
 </a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems">2.4. SELinux on other Operating Systems</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>2.4. SELinux on Other Operating Systems</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Introduction.html" title="Chapter 2. Introduction"/><link rel="prev" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html" title="2.3. SELinux Architecture"/><link rel="next" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html" title="Chapter 3. SELinux Contexts"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>2.4. SELinux on Other Operating Systems</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"><stro
 ng>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Introduction-SELinux_on_other_Operating_Systems">2.4. SELinux on Other Operating Systems</h2></div></div></div><p>
 			Refer to the following for information about running SELinux on operating systems:
 		</p><div class="itemizedlist"><ul><li><p>
-					Hardened Gentoo: <a href="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml">http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml</a> and <a href="http://gentoo-wiki.com/HOWTO_Understand_SELinux">http://gentoo-wiki.com/HOWTO_Understand_SELinux</a>.
+					Hardened Gentoo: <a href="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml">http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml</a>.
 				</p></li><li><p>
 					Debian: <a href="http://wiki.debian.org/SELinux">http://wiki.debian.org/SELinux</a>.
 				</p></li><li><p>
 					Ubuntu: <a href="https://wiki.ubuntu.com/SELinux">https://wiki.ubuntu.com/SELinux</a> and <a href="https://help.ubuntu.com/community/SELinux">https://help.ubuntu.com/community/SELinux</a>.
 				</p></li><li><p>
-					<span class="trademark">Red Hat</span>® Enterprise <span class="trademark">Linux</span>®: <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html">Red Hat Enterprise Linux Deployment Guide</a> and <a href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/">Red Hat Enterprise Linux 4 SELinux Guide</a>.
-				</p></li></ul></div><p>
-			Refer to <a href="http://fedoraproject.org/wiki/SELinux/FAQ">http://fedoraproject.org/wiki/SELinux/FAQ</a> for further information about SELinux in Fedora.
-		</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture_and_Performance.html"><strong>Prev</strong>2.3. SELinux Architecture and Performance</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Next</strong>Chapter 3. SELinux Contexts</a></li></ul></body></html>
\ No newline at end of file
+					Red Hat Enterprise Linux: <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html">Red Hat Enterprise Linux Deployment Guide</a> and <a href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/">Red Hat Enterprise Linux 4 SELinux Guide</a>.
+				</p></li><li><p>
+					Fedora: <a href="http://fedoraproject.org/wiki/SELinux">http://fedoraproject.org/wiki/SELinux</a> and the <a href="http://docs.fedoraproject.org/selinux-faq-fc5/">Fedora Core 5 SELinux FAQ</a>.
+				</p></li></ul></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Introduction-SELinux_Architecture.html"><strong>Prev</strong>2.3. SELinux Architecture</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Next</strong>Chapter 3. SELinux Contexts</a></li></ul></body></html>
\ No newline at end of file
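Review bot: the new Fedora list item points a Fedora 10 guide at the "Fedora Core 5 SELinux FAQ" (http://docs.fedoraproject.org/selinux-faq-fc5/), while the paragraph it replaces linked to http://fedoraproject.org/wiki/SELinux/FAQ; if the wiki FAQ is the maintained one, keep that link (or both) and mark the FC5 document as historical, otherwise readers of this guide are sent to material several releases old. The structural part of the hunk is fine: the removed trailing paragraph is accounted for in the new "</ul></div></div>" closing sequence, the "Other" title-case change is applied to title, p#title and h2 while the h2 id is unchanged so existing links keep working, and the Red Hat Enterprise Linux trademark spans are dropped consistently with the item's plain-text neighbours.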


Index: sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,33 +1,41 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10.5. Archiving Files with star</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="prev" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html" title="5.10.4. Archiving Files with tar"/><link rel="next" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10.5. Archiving Files with star</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>
 Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10.5. Archiving Files with star</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="prev" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html" title="5.10.4. Archiving Files with tar"/><link rel="next" href="chap-Security-Enhanced_Linux-Confining_Users.html" title="Chapter 6. Confining Users"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10.5. Archiving Files with star</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enha
 nced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Confining_Users.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star">5.10.5. Archiving Files with star</h3></div></div></div><p>
 				<code class="command">star</code> does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use <code class="command">star -xattr -H=exustar</code> to create archives that retain contexts. The <span class="package">star</span> package is not installed by default. To install <code class="command">star</code>, run the <code class="command">yum install star</code> command as the Linux root user.
 			</p><p>
 				The following example demonstrates creating a Star archive that retains SELinux contexts:
 			</p><div class="orderedlist"><ol><li><p>
 						As the Linux root user, run the <code class="command">touch /var/www/html/file{1,2,3}</code> command to create three files (<code class="filename">file1</code>, <code class="filename">file2</code>, and <code class="filename">file3</code>). These files inherit the <code class="computeroutput">httpd_sys_content_t</code> type from the <code class="filename">/var/www/html/</code> directory:
-					</p><pre class="screen"># touch /var/www/html/file{1,2,3}
+					</p><pre class="screen">
+# touch /var/www/html/file{1,2,3}
 # ls -Z /var/www/html/
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3</pre></li><li><p>
+-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
+</pre></li><li><p>
 						Run the <code class="command">cd /var/www/html/</code> command to change into the <code class="filename">/var/www/html/</code> directory. Once in this directory, as the Linux root user, run the <code class="command">star -xattr -H=exustar -c -f=test.star file{1,2,3}</code> command to create a Star archive named <code class="filename">test.star</code>:
-					</p><pre class="screen"># star -xattr -H=exustar -c -f=test.star file{1,2,3}
-star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).</pre></li><li><p>
+					</p><pre class="screen">
+# star -xattr -H=exustar -c -f=test.star file{1,2,3}
+star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
+</pre></li><li><p>
 						As the Linux root user, run the <code class="command">mkdir /test</code> command to create a new directory, and then, run the <code class="command">chmod 777 /test/</code> command to allow all users full-access to the <code class="filename">/test/</code> directory.
 					</p></li><li><p>
 						Run the <code class="command">cp /var/www/html/test.star /test/</code> command to copy the <code class="filename">test.star</code> file in to the <code class="filename">/test/</code> directory.
 					</p></li><li><p>
 						Run the <code class="command">cd /test/</code> command to change into the <code class="filename">/test/</code> directory. Once in this directory, run the <code class="command">star -x -f=test.star</code> command to extract the Star archive:
-					</p><pre class="screen">$ star -x -f=test.star 
-star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).</pre></li><li><p>
+					</p><pre class="screen">
+$ star -x -f=test.star 
+star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
+</pre></li><li><p>
 						Run the <code class="command">ls -lZ /test/</code> command to view the SELinux contexts. The <code class="computeroutput">httpd_sys_content_t</code> type has been retained, rather than being changed to <code class="computeroutput">default_t</code>, which would have happened had the <code class="option">--selinux</code> not been used:
-					</p><pre class="screen">$ ls -lZ /test/
+					</p><pre class="screen">
+$ ls -lZ /test/
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
--rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.star</pre></li><li><p>
+-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.star
+</pre></li><li><p>
 						If the <code class="filename">/test/</code> directory is no longer required, as the Linux root user, run the <code class="command"> rm -ri /test/</code> command to remove it, as well as all files in it.
 					</p></li><li><p>
 						If <code class="command">star</code> is no longer required, as the Linux root user, run the <code class="command">yum remove star</code> command to remove the package.
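Review bot: the explanation in the ls -lZ step ("which would have happened had the --selinux not been used") names tar's option, but this page's archive was created with "star -xattr -H=exustar"; the sentence looks copied from the tar section and should read "had the -xattr -H=exustar options not been used". While here, the extraction step runs "star -x -f=test.star" without -xattr even though creation required it; please confirm on Fedora 10 that star restores the security.selinux attribute on extract without the flag, and if it does not, add it to the command and the screen block so the shown output matches what readers will get. The pre reflow itself only moves the first command onto its own line; the trailing space in "$ star -x -f=test.star " could be trimmed in the same pass.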


Index: sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,19 +1,23 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10.4. Archiving Files with tar</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="prev" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html" title="5.10.3. Checking the Default SELinux Context"/><link rel="next" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html" title="5.10.5. Archiving Files with star"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10.4. Archiving Files with tar</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-M
 aintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10.4. Archiving Files with tar</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="prev" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html" title="5.10.3. Checking the Default SELinux Context"/><link rel="next" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html" title="5.10.5. Archiving Files with star"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10.4. Archiving Files with tar</strong></a></p><ul class="docn
 av"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_star.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar">5.10.4. Archiving Files with tar</h3></div></div></div><p>
 				<code class="command">tar</code> does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use <code class="command">tar --selinux</code> to create archives that retain contexts. If a Tar archive contains files without extended attributes, or if you want the extended attributes to match the system defaults, run the archive through <code class="command">/sbin/restorecon</code>:
-			</p><pre class="screen">$ tar -xf <em class="replaceable"><code>archive.tar</code></em> | /sbin/restorecon -f -</pre><p>
+			</p><pre class="screen">
+$ tar -xf <em class="replaceable"><code>archive.tar</code></em> | /sbin/restorecon -f -
+</pre><p>
 				Note: depending on the directory, you may need to be the Linux root user to run the <code class="command">/sbin/restorecon</code> command.
 			</p><p>
 				The following example demonstrates creating a Tar archive that retains SELinux contexts:
 			</p><div class="orderedlist"><ol><li><p>
 						As the Linux root user, run the <code class="command">touch /var/www/html/file{1,2,3}</code> command to create three files (<code class="filename">file1</code>, <code class="filename">file2</code>, and <code class="filename">file3</code>). These files inherit the <code class="computeroutput">httpd_sys_content_t</code> type from the <code class="filename">/var/www/html/</code> directory:
-					</p><pre class="screen"># touch /var/www/html/file{1,2,3}
+					</p><pre class="screen">
+# touch /var/www/html/file{1,2,3}
 # ls -Z /var/www/html/
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3</pre></li><li><p>
+-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
+</pre></li><li><p>
 						Run the <code class="command">cd /var/www/html/</code> command to change into the <code class="filename">/var/www/html/</code> directory. Once in this directory, as the Linux root user, run the <code class="command">tar --selinux -cf test.tar file{1,2,3}</code> command to create a Tar archive named <code class="filename">test.tar</code>.
 					</p></li><li><p>
 						As the Linux root user, run the <code class="command">mkdir /test</code> command to create a new directory, and then, run the <code class="command">chmod 777 /test/</code> command to allow all users full-access to the <code class="filename">/test/</code> directory.
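Review bot: the restorecon pipeline in the screen block, "$ tar -xf archive.tar | /sbin/restorecon -f -", does not do what the sentence above it promises: without -v, tar -x writes nothing to standard output, so restorecon -f - receives an empty file list and relabels nothing. It needs the verbose flag so the extracted path names are piped through, i.e. "$ tar -xvf archive.tar | /sbin/restorecon -f -". The hunk only reflows the pre element, so this is pre-existing, but it is the one command on the page readers will copy and it fails silently. The note that root may be required for restorecon is correct and should stay.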
@@ -23,11 +27,13 @@
 						Run the <code class="command">cd /test/</code> command to change into the <code class="filename">/test/</code> directory. Once in this directory, run the <code class="command">tar -xf test.tar</code> command to extract the Tar archive.
 					</p></li><li><p>
 						Run the <code class="command">ls -lZ /test/</code> command to view the SELinux contexts. The <code class="computeroutput">httpd_sys_content_t</code> type has been retained, rather than being changed to <code class="computeroutput">default_t</code>, which would have happened had the <code class="option">--selinux</code> not been used:
-					</p><pre class="screen">$ ls -lZ /test/
+					</p><pre class="screen">
+$ ls -lZ /test/
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
 -rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
--rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar</pre></li><li><p>
+-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar
+</pre></li><li><p>
 						If the <code class="filename">/test/</code> directory is no longer required, as the Linux root user, run the <code class="command"> rm -ri /test/</code> command to remove it, as well as all files in it.
 					</p></li></ol></div><p>
 				Refer to the <span class="citerefentry"><span class="refentrytitle">tar</span>(1)</span> manual page for further information about <code class="command">tar</code>, such as the <code class="option">--xattrs</code> option that retains all extended attributes.
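Review bot: the sentence at the `ls -lZ /test/` step, "which would have happened had the --selinux not been used", is missing the word "option", and the claim holds only for the destination chosen here: extracting into a directory that no file-context rule covers gives new files default_t (the `test.tar` line in the same listing shows exactly that label), whereas extracting under /var/www/html/ would have produced httpd_sys_content_t whether or not the archive carried labels. Suggest: "The httpd_sys_content_t type has been retained, rather than being changed to default_t, the type new files receive under /test/, which would have happened had the --selinux option not been used." Also worth one sentence: --selinux is carried by the tar shipped in Fedora, so readers on a distribution whose tar lacks it need --xattrs or star (the next section) to get the same result.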


Index: sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,26 +1,30 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10.3. Checking the Default SELinux Context</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="prev" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html" title="5.10.2. Moving Files and Directories"/><link rel="next" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html" title="5.10.4. Archiving Files with tar"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10.3. Checking the Default SELinux Context</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_L
 inux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking the Default SELinux Context</h3></div></div></div><p>
-				Use the <code class="command">/usr/sbin/matchpathcon</code> command to check if files and directories have the correct SELinux context. From the <span class="citerefentry"><span class="refentrytitle">matchpathcon</span>(8)</span> manual page: "<code class="command">matchpathcon</code> queries the system policy and outputs the default security context associated with the file path."<sup>[<a id="d0e4299" href="#ftn.d0e4299" class="footnote">13</a>]</sup>. The following example demonstrates using the <code class="command">/usr/sbin/matchpathcon</code> command to verify that files in <code class="filename">/var/www/html/</code> directory are labeled correctly:
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10.3. Checking the Default SELinux Context</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="prev" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html" title="5.10.2. Moving Files and Directories"/><link rel="next" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html" title="5.10.4. Archiving Files with tar"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10.3. Checking the Default SELinux Context</strong></a></p><ul class
 ="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context">5.10.3. Checking the Default SELinux Context</h3></div></div></div><p>
+				Use the <code class="command">/usr/sbin/matchpathcon</code> command to check if files and directories have the correct SELinux context. From the <span class="citerefentry"><span class="refentrytitle">matchpathcon</span>(8)</span> manual page: "<code class="command">matchpathcon</code> queries the system policy and outputs the default security context associated with the file path."<sup>[<a id="d0e4322" href="#ftn.d0e4322" class="footnote">13</a>]</sup>. The following example demonstrates using the <code class="command">/usr/sbin/matchpathcon</code> command to verify that files in <code class="filename">/var/www/html/</code> directory are labeled correctly:
 			</p><div class="orderedlist"><ol><li><p>
 						As the Linux root user, run the <code class="command">touch /var/www/html/file{1,2,3}</code> command to create three files (<code class="filename">file1</code>, <code class="filename">file2</code>, and <code class="filename">file3</code>). These files inherit the <code class="computeroutput">httpd_sys_content_t</code> type from the <code class="filename">/var/www/html/</code> directory:
 					</p><pre class="screen"># touch /var/www/html/file{1,2,3}
 # ls -Z /var/www/html/
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3</pre></li><li><p>
+-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
+</pre></li><li><p>
 						As the Linux root user, run the <code class="command">chcon -t samba_share_t /var/www/html/file1</code> command to change the <code class="filename">file1</code> type to <code class="computeroutput">samba_share_t</code>. Note: the Apache HTTP Server can not read files or directories labeled with the <code class="computeroutput">samba_share_t</code> type.
 					</p></li><li><p>
 						The <code class="command">/usr/sbin/matchpathcon</code> <code class="option">-V</code> option compares the current SELinux context to the correct, default context in SELinux policy. Run the <code class="command">/usr/sbin/matchpathcon -V /var/www/html/*</code> command to check all files in the <code class="filename">/var/www/html/</code> directory:
 					</p><pre class="screen">$ /usr/sbin/matchpathcon -V /var/www/html/*
 /var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
 /var/www/html/file2 verified.
-/var/www/html/file3 verified.</pre></li></ol></div><p>
+/var/www/html/file3 verified.
+</pre></li></ol></div><p>
 				The following output from the <code class="command">/usr/sbin/matchpathcon</code> command explains that <code class="filename">file1</code> is labeled with the <code class="computeroutput">samba_share_t</code> type, but should be labeled with the <code class="computeroutput">httpd_sys_content_t</code> type:
-			</p><pre class="screen">/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0</pre><p>
+			</p><pre class="screen">/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
+</pre><p>
 				To resolve the label problem and allow the Apache HTTP Server access to <code class="filename">file1</code>, as the Linux root user, run the <code class="command">/sbin/restorecon -v /var/www/html/file1</code> command:
 			</p><pre class="screen"># /sbin/restorecon -v /var/www/html/file1
-restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0</pre><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e4299" href="#d0e4299" class="para">13</a>] </sup>
+restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
+</pre><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e4322" href="#d0e4322" class="para">13</a>] </sup>
 					The <span class="citerefentry"><span class="refentrytitle">matchpathcon</span>(8)</span> manual page, as shipped with the <span class="package">libselinux-utils</span> package in Fedora, is written by Daniel Walsh. Any edits or changes in this version were done by Murray McAllister.
 				</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Prev</strong>5.10.2. Moving Files and Directories</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Archiving_Files_with_tar.html"><strong>Next</strong>5.10.4. Archiving Files with tar</a></li></ul></body></html>
\ No newline at end of file
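Review bot: the `matchpathcon -V` output in this hunk reports file2 and file3 as "verified" even though their SELinux user is unconfined_u while the "should be" context printed for file1 carries system_u, so -V is comparing the type field only; the paragraph that introduces -V ("compares the current SELinux context to the correct, default context in SELinux policy") should say this, otherwise readers will try to repair the user portion as well and conclude their files are still wrong. Separately, the footnote anchors moved from d0e4299 to d0e4322 purely through regeneration, so any external link to the old fragment now silently lands at the top of the page; giving the footnote a stable id in the source avoids this churn on every rebuild.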


Index: sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,21 +1,24 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10.2. Moving Files and Directories</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="next" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html" title="5.10.3. Checking the Default SELinux Context"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10.2. Moving Files and Directories</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux
 -Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving Files and Directories</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10.2. Moving Files and Directories</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/><link rel="next" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html" title="5.10.3. Checking the Default SELinux Context"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10.2. Moving Files and Directories</strong></a></p><ul class="do
 cnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories">5.10.2. Moving Files and Directories</h3></div></div></div><p>
 				File and directories keep their current SELinux context when they are moved. In many cases, this is incorrect for the location they are being moved to. The following example demonstrates moving a file from a user's home directory to <code class="filename">/var/www/html/</code>, which is used by the Apache HTTP Server. Since the file is moved, it does not inherit the correct SELinux context:
 			</p><div class="orderedlist"><ol><li><p>
 						Run the <code class="command">cd</code> command without any arguments to change into your home directory. Once in your home directory, run the <code class="command">touch file1</code> command to create a file. This file is labeled with the <code class="computeroutput">user_home_t</code> type:
 					</p><pre class="screen">$ ls -Z file1
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1</pre></li><li><p>
+-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
+</pre></li><li><p>
 						Run the <code class="command">ls -dZ /var/www/html/</code> command to view the SELinux context of the <code class="filename">/var/www/html/</code> directory:
 					</p><pre class="screen">$ ls -dZ /var/www/html/
-drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/</pre><p>
+drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
+</pre><p>
 						By default, the <code class="filename">/var/www/html/</code> directory is labeled with the <code class="computeroutput">httpd_sys_content_t</code> type. Files and directories created under the <code class="filename">/var/www/html/</code> directory inherit this type, and as such, they are labeled with this type.
 					</p></li><li><p>
-						As the Linux root user, run the <code class="command">mv file1 /var/www/html</code> command to move <code class="filename">file1</code> to the <code class="filename">/var/www/html</code> directory. Since this file is moved, it keeps its current <code class="computeroutput">user_home_t</code> type:
-					</p><pre class="screen"># mv file1 /var/www/html
+						As the Linux root user, run the <code class="command">mv file1 /var/www/html/</code> command to move <code class="filename">file1</code> to the <code class="filename">/var/www/html/</code> directory. Since this file is moved, it keeps its current <code class="computeroutput">user_home_t</code> type:
+					</p><pre class="screen"># mv file1 /var/www/html/
 # ls -Z /var/www/html/file1
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1</pre></li></ol></div><p>
+-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
+</pre></li></ol></div><p>
 				By default, the Apache HTTP Server can not read files that are labeled with the <code class="computeroutput">user_home_t</code> type. If all files comprising a web page are labeled with the <code class="computeroutput">user_home_t</code> type, or another type that the Apache HTTP Server can not read, permission is denied when attempting to access them via Firefox or text-based Web browsers.
 			</p><div class="important"><h2>Important</h2><p>
 					Moving files and directories with the <code class="command">mv</code> command may result in the wrong SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories.
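Review bot: the steps in this hunk mix two shells: step 1 creates file1 from an unprivileged shell in the user's home directory (`$ ls -Z file1`, owner user1), but step 3 runs `# mv file1 /var/www/html/` as root with a relative path, which only works if the root shell happens to be sitting in that same home directory (it is not after `su -`); use an absolute path to the file in the mv command so the procedure works as written. Two smaller points: "File and directories keep their current SELinux context" should read "Files and directories", and the Important box warns that mv may leave the wrong context but offers no remedy; one sentence pointing at `restorecon`, which the Checking the Default SELinux Context page in this same change already demonstrates, would close the loop. The trailing-slash fixes on /var/www/html/ are good.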


Index: sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,18 +1,20 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9.2. Changing the Default Context</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="next" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html" title="5.9.3. Mounting an NFS File System"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9.2. Changing the Default Context</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><
 strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9.2. Changing the Default Context</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="next" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html" title="5.9.3. Mounting an NFS File System"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9.2. Changing the Default Context</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="s
 ect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context">5.9.2. Changing the Default Context</h3></div></div></div><p>
 				As mentioned in <a class="xref" href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html" title="5.8. The file_t and default_t Types">Section 5.8, “The file_t and default_t Types”</a>, on file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <code class="computeroutput">file_t</code> type. If it is desirable to use a different default context, mount the file system with the <code class="option">defcontext</code> option.
 			</p><p>
 				The following example mounts a newly-created file system (on <code class="filename">/dev/sda2</code>) to the newly-created <code class="filename">/test/</code> directory. It assumes that there are no rules in <code class="filename">/etc/selinux/targeted/contexts/files/</code> that define a context for the <code class="filename">/test/</code> directory:
-			</p><pre class="screen"># mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"</pre><p>
+			</p><pre class="screen">
+# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
+</pre><p>
 				In this example:
 			</p><div class="itemizedlist"><ul><li><p>
-						the <code class="option">defcontext</code> option defines that <code class="computeroutput">system_u:object_r:samba_share_t:s0</code> is "the default security context for unlabeled files"<sup>[<a id="d0e3848" href="#ftn.d0e3848" class="footnote">12</a>]</sup>.
+						the <code class="option">defcontext</code> option defines that <code class="computeroutput">system_u:object_r:samba_share_t:s0</code> is "the default security context for unlabeled files"<sup>[<a id="d0e3871" href="#ftn.d0e3871" class="footnote">12</a>]</sup>.
 					</p></li><li><p>
-						when mounted, the root directory (<code class="filename">/test/</code>) of the file system is treated as if it is labeled with the context specified by <code class="option">defcontext</code> (this label is not stored on disk). This affects the labelling for files created under <code class="filename">/test/</code>: new files inherit the <code class="computeroutput">samba_share_t</code> type, and these labels are stored on disk.
+						when mounted, the root directory (<code class="filename">/test/</code>) of the file system is treated as if it is labeled with the context specified by <code class="option">defcontext</code> (this label is not stored on disk). This affects the labeling for files created under <code class="filename">/test/</code>: new files inherit the <code class="computeroutput">samba_share_t</code> type, and these labels are stored on disk.
 					</p></li><li><p>
 						files created under <code class="filename">/test/</code> while the file system was mounted with a <code class="option">defcontext</code> option retain their labels.
-					</p></li></ul></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e3848" href="#d0e3848" class="para">12</a>] </sup>
+					</p></li></ul></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e3871" href="#d0e3871" class="para">12</a>] </sup>
 							Morris, James. "Filesystem Labeling in SELinux". Published 1 October 2004. Accessed 14 October 2008: <a href="http://www.linuxjournal.com/article/7426">http://www.linuxjournal.com/article/7426</a>.
 						</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Prev</strong>5.9. Mounting File Systems</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Next</strong>5.9.3. Mounting an NFS File System</a></li></ul></body></html>
\ No newline at end of file
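Review bot: the `mount ... -o defcontext=` example omits two constraints the kernel enforces, and the itemized list is the natural place for them: defcontext= is accepted only on file systems that are labeled via extended attributes (the mount is rejected with an invalid-option error otherwise), so "on file systems that support extended attributes" in the opening sentence is a requirement rather than background, and defcontext= cannot be combined with context= on the same mount, because context= already assigns one label to every file and leaves nothing "unlabeled" for defcontext= to apply to. The "labelling" to "labeling" fix is fine and matches the spelling used elsewhere in the guide.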


Index: sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,8 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9.5. Making Context Mounts Persistent</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html" title="5.9.4. Multiple NFS Mounts"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9.5. Making Context Mounts Persistent</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html
 "><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9.5. Making Context Mounts Persistent</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html" title="5.9.4. Multiple NFS Mounts"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html" title="5.10. Maintaining SELinux Labels"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9.5. Making Context Mounts Persistent</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" hre
 f="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent">5.9.5. Making Context Mounts Persistent</h3></div></div></div><p>
 				To make context mounts persistent across remounting and reboots, add entries for the file systems in <code class="filename">/etc/fstab</code> or an automounter map, and use the desired context as a mount option. The following example adds an entry to <code class="filename">/etc/fstab</code> for an NFS context mount:
-			</p><pre class="screen">server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0</pre><p>
+			</p><pre class="screen">
+server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
+</pre><p>
 				Refer to the <a href="http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/s1-nfs-client-config.html">Red Hat Enterprise Linux 5 Deployment Guide, Section 19.2. "NFS Client Configuration"</a> for information about mounting NFS file systems.
 			</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Prev</strong>5.9.4. Multiple NFS Mounts</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html"><strong>Next</strong>5.10. Maintaining SELinux Labels </a></li></ul></body></html>
\ No newline at end of file
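Review bot: the fstab entry in this hunk depends on the double quotes around the context value but the prose never explains them; the fourth fstab field is parsed as a comma-separated option list, so an MLS context whose category list contains a comma would be split apart without the quotes, and a sentence noting that the quotes are required when the context contains commas (and harmless otherwise) would spare readers a confusing mount failure. The reference at the end points to a Red Hat Enterprise Linux 5.2 Deployment Guide URL from a Fedora 10 document; a link to the nfs(5) and mount(8) manual pages, or to the Fedora documentation, is less likely to rot and matches the guide's other man-page citations.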


Index: sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html	11 Nov 2008 22:56:29 -0000	1.1
+++ sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,13 +1,14 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9.3. Mounting an NFS File System</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html" title="5.9.2. Changing the Default Context"/><link rel="next" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html" title="5.9.4. Multiple NFS Mounts"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9.3. Mounting an NFS File System</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.
 html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting an NFS File System</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9.3. Mounting an NFS File System</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html" title="5.9.2. Changing the Default Context"/><link rel="next" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html" title="5.9.4. Multiple NFS Mounts"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9.3. Mounting an NFS File System</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="se
 ct-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System">5.9.3. Mounting an NFS File System</h3></div></div></div><p>
 				By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the <code class="computeroutput">nfs_t</code> type. Depending on policy configuration, services, such as Apache HTTP Server and MySQL, may not be able to read files labeled with the <code class="computeroutput">nfs_t</code> type. This may prevent file systems labeled with this type from being mounted and then read or exported by other services.
 			</p><p>
 				If you would like to mount an NFS file system and read or export that file system with another service, use the <code class="option">context</code> option when mounting to override the <code class="computeroutput">nfs_t</code> type. Use the following context option to mount NFS file systems so that they can be shared via the Apache HTTP Server:
 			</p><pre class="screen">mount server:/export /local/mount/point -o\
-context="system_u:object_r:httpd_sys_content_t:s0"</pre><p>
+context="system_u:object_r:httpd_sys_content_t:s0"
+</pre><p>
 				Since context changes are not written to disk for these situations, the context specified with the <code class="option">context</code> option is only retained if the <code class="option">context</code> option is used on the next mount, and if the same context is specified.
 			</p><p>
-				As an alternative to mounting file systems with <code class="option">context</code> options, Booleans can be turned on to allow services access to file systems labeled with the <code class="computeroutput">nfs_t</code> type. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html" title="5.6.3. Examples: Booleans for NFS and CIFS">Section 5.6.3, “Examples: Booleans for NFS and CIFS”</a> for intructions on configuring Booleans to allow services access to the <code class="computeroutput">nfs_t</code> type.
+				As an alternative to mounting file systems with <code class="option">context</code> options, Booleans can be turned on to allow services access to file systems labeled with the <code class="computeroutput">nfs_t</code> type. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html" title="5.6.3. Examples: Booleans for NFS and CIFS">Section 5.6.3, “Examples: Booleans for NFS and CIFS”</a> for instructions on configuring Booleans to allow services access to the <code class="computeroutput">nfs_t</code> type.
 			</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Prev</strong>5.9.2. Changing the Default Context</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html"><strong>Next</strong>5.9.4. Multiple NFS Mounts</a></li></ul></body></html>
\ No newline at end of file
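Review bot: the unchanged first paragraph overstates what the nfs_t label does when it says the label "may prevent file systems labeled with this type from being mounted and then read or exported by other services": a label never stops the mount itself from succeeding, it stops confined domains such as the Apache HTTP Server and MySQL domains from reading files on the mount. Suggest "may prevent confined services from reading or exporting files on a file system labeled with this type". While the text is being touched, the context= paragraph should also warn that the option labels every file on the mount with the given context (the next page states this for its own example), so the mount in the example makes the whole of server:/export readable by Apache HTTP Server; mount only the subtree that is meant to be web content. The revision itself only moves `</pre>` onto its own line and fixes "intructions" to "instructions"; the file still ends without a trailing newline in both revisions.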


Index: sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,21 +1,27 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9.4. Multiple NFS Mounts</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html" title="5.9.3. Mounting an NFS File System"/><link rel="next" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html" title="5.9.5. Making Context Mounts Persistent"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9.4. Multiple NFS Mounts</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_
 System.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9.4. Multiple NFS Mounts</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html" title="5.9.3. Mounting an NFS File System"/><link rel="next" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html" title="5.9.5. Making Context Mounts Persistent"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9.4. Multiple NFS Mounts</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" 
 href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Multiple_NFS_Mounts">5.9.4. Multiple NFS Mounts</h3></div></div></div><p>
 				When mounting multiple mounts from the same NFS export, attempting to override the SELinux context of each mount with a different context, results in subsequent mount commands failing. In the following example, the NFS server has a single export, <code class="filename">/export</code>, which has two subdirectories, <code class="filename">web/</code> and <code class="filename">database/</code>. The following commands attempt two mounts from a single NFS export, and try to override the context for each one:
-			</p><pre class="screen"># mount server:/export/web /local/web -o\
+			</p><pre class="screen">
+# mount server:/export/web /local/web -o\
 context="system_u:object_r:httpd_sys_content_t:s0"
 
 # mount server:/export/database /local/database -o\
-context="system_u:object_r:mysqld_db_t:s0"</pre><p>
+context="system_u:object_r:mysqld_db_t:s0"
+</pre><p>
 				The second mount command fails, and the following is logged to <code class="filename">/var/log/messages</code>:
-			</p><pre class="screen">kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev 0:15, type nfs)</pre><p>
+			</p><pre class="screen">
+kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev 0:15, type nfs)
+</pre><p>
 				To mount multiple mounts from a single NFS export, with each mount having a different context, use the <code class="option">-o nosharecache,context</code> options. The following example mounts multiple mounts from a single NFS export, with a different context for each mount (allowing a single service access to each one):
-			</p><pre class="screen"># mount server:/export/web /local/web -o\
+			</p><pre class="screen">
+# mount server:/export/web /local/web -o\
 nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
 
 # mount server:/export/database /local/database -o\
-nosharecache,context="system_u:object_r:mysqld_db_t:s0"</pre><p>
+nosharecache,context="system_u:object_r:mysqld_db_t:s0"
+</pre><p>
 				In this example, <code class="computeroutput">server:/export/web</code> is mounted locally to <code class="filename">/local/web/</code>, with all files being labeled with the <code class="computeroutput">httpd_sys_content_t</code> type, allowing Apache HTTP Server access. <code class="computeroutput">server:/export/database</code> is mounted locally to <code class="filename">/local/database</code>, with all files being labeled with the <code class="computeroutput">mysqld_db_t</code> type, allowing MySQL access. These type changes are not written to disk.
 			</p><div class="important"><h2>Important</h2><p>
 					The <code class="option">nosharecache</code> options allows you to mount the same subdirectory of an export multiple times with different contexts (for example, mounting <code class="filename">/export/web</code> multiple times). Do not mount the same subdirectory from an export multiple times with different contexts, as this creates an overlapping mount, where files are accessible under two different contexts.
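Review bot: the Important paragraph at the end of the hunk contradicts itself and the revision leaves it untouched: the first sentence says nosharecache "allows you to mount the same subdirectory of an export multiple times with different contexts", and the second sentence says not to do that. Reword along the lines of "The nosharecache option makes it possible to mount the same subdirectory of an export multiple times with different contexts. Do not do this: it creates an overlapping mount where the same files are accessible under two different contexts", which also fixes "options allows". The overlap is the security point of the note, since a single file then satisfies both the httpd_sys_content_t and the mysqld_db_t access rules, so it deserves the clearer wording. On the whitespace changes: this file now inserts a newline both directly after `<pre class="screen">` and before `</pre>`, whereas every other file in this commit only moves `</pre>` to its own line; in XHTML the newline after `<pre>` is preserved as a blank first line, so drop it for consistency with the other pages.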


Index: sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>3.2. SELinux Contexts for Processes</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html" title="Chapter 3. SELinux Contexts"/><link rel="prev" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html" title="Chapter 3. SELinux Contexts"/><link rel="next" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html" title="3.3. SELinux Contexts for Users"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>3.2. SELinux Contexts for Processes</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-
 Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux Contexts for Processes</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>3.2. SELinux Contexts for Processes</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html" title="Chapter 3. SELinux Contexts"/><link rel="prev" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html" title="Chapter 3. SELinux Contexts"/><link rel="next" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html" title="3.3. SELinux Contexts for Users"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>3.2. SELinux Contexts for Processes</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><stron
 g>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes">3.2. SELinux Contexts for Processes</h2></div></div></div><p>
 			Use the <code class="command">ps -eZ</code> command to view the SELinux context for processes. For example:
 		</p><div class="orderedlist"><ol><li><p>
 					Open a terminal, such as <span class="guimenu"><strong>Applications</strong></span> → <span class="guisubmenu"><strong>System Tools</strong></span> → <span class="guimenuitem"><strong>Terminal</strong></span>.
@@ -9,7 +9,8 @@
 					Run the <code class="command">/usr/bin/passwd</code> command. Do not enter a new password.
 				</p></li><li><p>
 					Open a new tab, or another terminal, and run the <code class="command">ps -eZ | grep passwd</code> command. The output is similar to the following:
-				</p><pre class="screen">unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd</pre></li><li><p>
+				</p><pre class="screen">unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
+</pre></li><li><p>
 					In the first tab, press <strong class="userinput"><code>Ctrl+C</code></strong> to cancel the <span class="application"><strong>passwd</strong></span> application.
 				</p></li></ol></div><p>
 			In this example, when the <code class="filename">/usr/bin/passwd</code> application (labeled with the <code class="computeroutput">passwd_exec_t</code> type) is executed, the user's shell process transitions to the <code class="computeroutput">passwd_t</code> domain. Remember: the type defines a domain for processes, and a type for files.
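Review bot: the third step of the procedure, `ps -eZ | grep passwd`, commonly lists the grep process as well, because its own command line contains "passwd", so readers will typically see two lines rather than the single passwd_t line shown. Either note that the grep line can be ignored or change the command to `ps -eZ | grep '[p]asswd'`, which matches only the passwd process. The hunk itself only moves `</pre>` onto its own line.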
@@ -21,6 +22,7 @@
 system_u:system_r:gpm_t:s0       1964 ?        00:00:00 gpm
 system_u:system_r:crond_t:s0-s0:c0.c1023 1973 ? 00:00:00 crond
 system_u:system_r:kerneloops_t:s0 1983 ?       00:00:05 kerneloops
-system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ? 00:00:00 atd</pre><p>
+system_u:system_r:crond_t:s0-s0:c0.c1023 1991 ? 00:00:00 atd
+</pre><p>
 			The <code class="computeroutput">system_r</code> role is used for system processes, such as daemons. Type Enforcement then separates each domain.
 		</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html"><strong>Prev</strong>Chapter 3. SELinux Contexts</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html"><strong>Next</strong>3.3. SELinux Contexts for Users</a></li></ul></body></html>
\ No newline at end of file


Index: sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,8 +1,9 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>3.3. SELinux Contexts for Users</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html" title="Chapter 3. SELinux Contexts"/><link rel="prev" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html" title="3.2. SELinux Contexts for Processes"/><link rel="next" href="chap-Security-Enhanced_Linux-Targeted_Policy.html" title="Chapter 4. Targeted Policy"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>3.3. SELinux Contexts for Users</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Prev</strong></a></li><li class="next"><a acces
 skey="n" href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>3.3. SELinux Contexts for Users</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html" title="Chapter 3. SELinux Contexts"/><link rel="prev" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html" title="3.2. SELinux Contexts for Processes"/><link rel="next" href="chap-Security-Enhanced_Linux-Targeted_Policy.html" title="Chapter 4. Targeted Policy"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>3.3. SELinux Contexts for Users</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contex
 ts_for_Processes.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Users">3.3. SELinux Contexts for Users</h2></div></div></div><p>
 			Use the <code class="command">id -Z</code> command to view the SELinux context associated with your Linux user:
-		</p><pre class="screen">unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023</pre><p>
+		</p><pre class="screen">unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+</pre><p>
 			In Fedora 10, Linux users run unconfined by default. This SELinux context shows that the Linux user is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user, running as the <code class="computeroutput">unconfined_r</code> role, and is running in the <code class="computeroutput">unconfined_t</code> domain. <code class="computeroutput">s0-s0</code> is an MLS range, which in this case, is the same as just <code class="computeroutput">s0</code>. The categories the user has access to is defined by <code class="computeroutput">c0.c1023</code>, which is all categories (<code class="computeroutput">c0</code> through to <code class="computeroutput">c1023</code>).
 		</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-SELinux_Contexts-SELinux_Contexts_for_Processes.html"><strong>Prev</strong>3.2. SELinux Contexts for Processes</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Next</strong>Chapter 4. Targeted Policy</a></li></ul></body></html>
\ No newline at end of file
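Review bot: a grammar slip in the unchanged last paragraph survives the revision: "The categories the user has access to is defined by" should read "are defined by". The paragraph would also be more useful if it drew the conclusion from its own facts: because the range covers all categories c0 through c1023, the MCS part of the context imposes no restriction on the default unconfined_u user, which is consistent with the earlier statement that Linux users run unconfined by default. The `</pre>` change is fine.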


Index: sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.7.2. Persistent Changes: semanage fcontext</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html" title="5.7. SELinux Contexts - Labeling Files"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html" title="5.7. SELinux Contexts - Labeling Files"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html" title="5.8. The file_t and default_t Types"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.7.2. Persistent Changes: semanage fcontext</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-
 Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.7.2. Persistent Changes: semanage fcontext</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html" title="5.7. SELinux Contexts - Labeling Files"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html" title="5.7. SELinux Contexts - Labeling Files"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html" title="5.8. The file_t and default_t Types"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.7.2. Persistent Changes: semanage fcontext</strong></a></p
 ><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext">5.7.2. Persistent Changes: semanage fcontext</h3></div></div></div><p>
 				The <code class="command">/usr/sbin/semanage fcontext</code> command changes the SELinux context for files. When using targeted policy, changes made with this command are added to the <code class="filename">/etc/selinux/targeted/contexts/files/file_contexts</code> file if the changes are to files that exists in <code class="filename">file_contexts</code>, or are added to <code class="filename">file_contexts.local</code> for new files and directories, such as creating a <code class="filename">/web/</code> directory. <code class="command">setfiles</code>, which is used when a file system is relabeled, and <code class="command">/sbin/restorecon</code>, which restores the default SELinux contexts, read these files. This means that changes made by <code class="command">/usr/sbin/semanage fcontext</code> are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
 			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Quick_Reference">Quick Reference</h5>
 					To make SELinux context changes that survive a file system relabel:
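Review bot: the first paragraph (unchanged context) states that changes made with semanage fcontext "are added to the /etc/selinux/targeted/contexts/files/file_contexts file if the changes are to files that exists in file_contexts". Besides the grammar ("files that exist"), the claim needs checking: file_contexts is generated from the installed policy and semanage records its additions and modifications in file_contexts.local, which is also the only file every example later on this page shows being changed. Suggest "changes made with this command are written to /etc/selinux/targeted/contexts/files/file_contexts.local, which setfiles and restorecon read alongside file_contexts", so that the explanation matches the examples.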
@@ -14,36 +14,44 @@
 				<div class="orderedlist"><ol><li><p>
 						As the Linux root user, run the <code class="command">touch /etc/file1</code> command to create a new file. By default, newly-created files in the <code class="filename">/etc/</code> directory are labeled with the <code class="computeroutput">etc_t</code> type:
 					</p><pre class="screen"># ls -Z /etc/file1
--rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/file1</pre></li><li><p>
+-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1
+</pre></li><li><p>
 						As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1</code> command to change the <code class="filename">file1</code> type to <code class="computeroutput">samba_share_t</code>. The <code class="option">-a</code> option adds a new record, and the <code class="option">-t</code> option defines a type (<code class="computeroutput">samba_share_t</code>). Note: running this command does not directly change the type - <code class="filename">file1</code> is still labeled with the <code class="computeroutput">etc_t</code> type:
 					</p><pre class="screen"># /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
 # ls -Z /etc/file1
--rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/file1</pre><p>
+-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1
+</pre><p>
 						The <code class="command">/usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1</code> command adds the following entry to <code class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
-					</p><pre class="screen">/etc/file1    system_u:object_r:samba_share_t:s0</pre></li><li><p>
+					</p><pre class="screen">/etc/file1    unconfined_u:object_r:samba_share_t:s0
+</pre></li><li><p>
 						As the Linux root user, run the <code class="command">/sbin/restorecon -v /etc/file1</code> command to change the type. Since the <code class="command">semanage</code> command added an entry to <code class="filename">file.contexts.local</code> for <code class="filename">/etc/file1</code>, the <code class="command">/sbin/restorecon</code> command changes the type to <code class="computeroutput">samba_share_t</code>:
 					</p><pre class="screen"># /sbin/restorecon -v /etc/file1
-restorecon reset /etc/file1 context system_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0</pre></li><li><p>
+restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
+</pre></li><li><p>
 						As the Linux root user, run the <code class="command">rm -i /etc/file1</code> command to remove <code class="filename">file1</code>.
 					</p></li><li><p>
-						As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -d /etc/file1</code> command to remove the context added for <code class="filename">/etc/file1</code>. When the context is removed, if the <code class="filename">/etc/file1</code> file is created again, it is labeled with the <code class="computeroutput">etc_t</code> type, rather than the <code class="computeroutput">samba_share_t</code> type.
+						As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -d /etc/file1</code> command to remove the context added for <code class="filename">/etc/file1</code>. When the context is removed, running <code class="command">restorecon</code> changes the type to <code class="computeroutput">etc_t</code>, rather than <code class="computeroutput">samba_share_t</code>.
 					</p></li></ol></div><h5 class="formalpara" id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Changing_a_Directorys_Type">Changing a Directory's Type</h5>
 					The following example demonstrates creating a new directory and changing that directory's file type, to a type used by Apache HTTP Server:
 				<div class="orderedlist"><ol><li><p>
-						As the Linux root user, run the <code class="command">mkdir /web</code> command to create a new directory. This directory is labeled with the <code class="computeroutput">default_t</code>type:
+						As the Linux root user, run the <code class="command">mkdir /web</code> command to create a new directory. This directory is labeled with the <code class="computeroutput">default_t</code> type:
 					</p><pre class="screen"># ls -dZ /web
-drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web</pre><p>
+drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
+</pre><p>
 						The <code class="command">ls</code> <code class="option">-d</code> option makes <code class="command">ls</code> list information about a directory, rather than its contents, and the <code class="option">-Z</code> option makes <code class="command">ls</code> display the SELinux context (in this example, <code class="computeroutput">unconfined_u:object_r:default_t:s0</code>).
 					</p></li><li><p>
 						As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web</code> command to change the <code class="filename">/web/</code> type to <code class="computeroutput">httpd_sys_content_t</code>. The <code class="option">-a</code> option adds a new record, and the <code class="option">-t</code> option defines a type (<code class="computeroutput">httpd_sys_content_t</code>). Note: running this command does not directly change the type - <code class="filename">/web/</code> is still labeled with the <code class="computeroutput">default_t</code> type:
 					</p><pre class="screen"># /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web
 # ls -dZ /web
-drwxr-xr-x  root root system_u:object_r:default_t:s0   /web</pre><p>
+drwxr-xr-x  root root unconfined_u:object_r:default_t:s0   /web
+</pre><p>
 						The <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /web</code> command adds the following entry to <code class="command">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
-					</p><pre class="screen">/web    system_u:object_r:httpd_sys_content_t:s0</pre></li><li><p>
+					</p><pre class="screen">/web    unconfined_u:object_r:httpd_sys_content_t:s0
+</pre></li><li><p>
 						As the Linux root user, run the <code class="command">/sbin/restorecon -v /web</code> command to change the type. Since the <code class="command">semanage</code> command added an entry to <code class="filename">file.contexts.local</code> for <code class="filename">/web</code>, the <code class="command">/sbin/restorecon</code> command changes the type to <code class="computeroutput">httpd_sys_content_t</code>:
 					</p><pre class="screen"># /sbin/restorecon -v /web
-restorecon reset /web context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0</pre><p>
+restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
+</pre><p>
 						By default, newly-created files and directories inherit the SELinux type of their parent folders. When using this example, and before removing the SELinux context added for <code class="filename">/web/</code>, files and directories created in the <code class="filename">/web/</code> directory are labeled with the <code class="computeroutput">httpd_sys_content_t</code> type.
 					</p></li><li><p>
 						As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -d /web</code> command to remove the context added for <code class="filename">/web/</code>.
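Review bot: the rewritten file_contexts.local entry `+/web    unconfined_u:object_r:httpd_sys_content_t:s0` contradicts the restorecon output two steps later in this same hunk, which resets the directory to `system_u:object_r:httpd_sys_content_t:s0`, and the `/web(/.*)?` entry in the next hunk, which also shows `system_u`. `semanage fcontext -a` records `system_u` as the SELinux user unless one is given, so the original `system_u` line was right here; only the `ls -dZ` outputs, which show the label the directory actually carries after `mkdir`, needed to change to `unconfined_u`. Separately, the rewritten step for `semanage fcontext -d /etc/file1` now says that running restorecon changes the type to `etc_t`, but the step immediately before it removed `/etc/file1` with `rm -i`, so there is no file for restorecon to act on; the previous wording about the file being created again matched the step order and should be kept or the sentence should name what restorecon would relabel.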
@@ -58,38 +66,48 @@
 # ls -lZ /web
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3</pre></li><li><p>
-						As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</code> to change the type of the <code class="filename">/web/</code> directory and the files in it, to <code class="computeroutput">httpd_sys_content_t</code>. The <code class="option">-a</code> option adds a new record, and the <code class="option">-t</code> option defines a type (httpd_sys_content_t). The <code class="computeroutput">"/web(/.*)?"</code> regular expression causes the <code class="command">semanage</code> command to apply changes to the <code class="filename">/web/</code> directory, as well as the files in it. Note: running this command does not directly change the type - <code class="filename">/web/</code> and files in it are still labeled with the <code class="computeroutput">default_t</code> type:
+-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
+</pre></li><li><p>
+						As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</code> command to change the type of the <code class="filename">/web/</code> directory and the files in it, to <code class="computeroutput">httpd_sys_content_t</code>. The <code class="option">-a</code> option adds a new record, and the <code class="option">-t</code> option defines a type (httpd_sys_content_t). The <code class="computeroutput">"/web(/.*)?"</code> regular expression causes the <code class="command">semanage</code> command to apply changes to the <code class="filename">/web/</code> directory, as well as the files in it. Note: running this command does not directly change the type - <code class="filename">/web/</code> and files in it are still labeled with the <code class="computeroutput">default_t</code> type:
 					</p><pre class="screen"># ls -dZ /web
 drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
 # ls -lZ /web
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3</pre><p>
+-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
+</pre><p>
 						The <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</code> adds the following entry to <code class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
-					</p><pre class="screen">/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0</pre></li><li><p>
-						As the Linux root user, run the <code class="command">/sbin/restorecon -v -R /web</code> command to change the type of the <code class="filename">/web/</code> directory, as well as all files in it. The <code class="option">-R</code> is for recursive, which means all files and directories under the <code class="filename">/web/</code> directory are labeled with the <code class="computeroutput">httpd_sys_content_t</code> type. Since the <code class="command">semanage</code> command added an entry to <code class="filename">file.contexts.local</code> for <code class="computeroutput">/web(/.*)?</code>, the <code class="command">/sbin/restorecon</code> command changes the types to <code class="computeroutput">httpd_sys_content_t</code>:
-					</p><pre class="screen"># /sbin/restorecon -v -R /web
+					</p><pre class="screen">/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
+</pre></li><li><p>
+						As the Linux root user, run the <code class="command">/sbin/restorecon -R -v /web</code> command to change the type of the <code class="filename">/web/</code> directory, as well as all files in it. The <code class="option">-R</code> is for recursive, which means all files and directories under the <code class="filename">/web/</code> directory are labeled with the <code class="computeroutput">httpd_sys_content_t</code> type. Since the <code class="command">semanage</code> command added an entry to <code class="filename">file.contexts.local</code> for <code class="computeroutput">/web(/.*)?</code>, the <code class="command">/sbin/restorecon</code> command changes the types to <code class="computeroutput">httpd_sys_content_t</code>:
+					</p><pre class="screen"># /sbin/restorecon -R -v /web
 restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
 restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
 restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
-restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0</pre><p>
+restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
+</pre><p>
 						By default, newly-created files and directories inherit the SELinux type of their parents. In this example, files and directories created in the <code class="filename">/web/</code> directory will be labeled with the <code class="computeroutput">httpd_sys_content_t</code> type.
 					</p></li><li><p>
 						As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -d "/web(/.*)?"</code> command to remove the context added for <code class="computeroutput">"/web(/.*)?"</code>.
 					</p></li><li><p>
-						As the Linux root user, run the <code class="command">/sbin/restorecon -v -R /web</code> command to restore the default SELinux contexts.
+						As the Linux root user, run the <code class="command">/sbin/restorecon -R -v /web</code> command to restore the default SELinux contexts.
 					</p></li></ol></div><h5 class="formalpara" id="form-Security-Enhanced_Linux-Persistent_Changes_semanage_fcontext-Deleting_an_added_Context">Deleting an added Context</h5>
 					The following example demonstrates adding and removing an SELinux context:
 				<div class="orderedlist"><ol><li><p>
 						As the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t /test</code> command. The <code class="filename">/test/</code> directory does not have to exist. This command adds the following context to <code class="filename">/etc/selinux/targeted/contexts/files/file_contexts.local</code>:
-					</p><pre class="screen">/test    system_u:object_r:httpd_sys_content_t:s0</pre></li><li><p>
+					</p><pre class="screen">/test    system_u:object_r:httpd_sys_content_t:s0
+</pre></li><li><p>
 						To remove the context, as the Linux root user, run the <code class="command">/usr/sbin/semanage fcontext -d <em class="replaceable"><code>file-name</code></em>|<em class="replaceable"><code>directory-name</code></em></code> command, where <em class="replaceable"><code>file-name</code></em>|<em class="replaceable"><code>directory-name</code></em> is the first part in <code class="filename">file_contexts.local</code>. The following is an example of a context in <code class="filename">file_contexts.local</code>:
-					</p><pre class="screen">/test    system_u:object_r:httpd_sys_content_t:s0</pre><p>
+					</p><pre class="screen">/test    system_u:object_r:httpd_sys_content_t:s0
+</pre><p>
 						With the first part being <code class="computeroutput">/test</code>. To prevent the <code class="filename">/test/</code> directory from being labeled with the <code class="computeroutput">httpd_sys_content_t</code> after running <code class="command">/sbin/restorecon</code>, or after a file system relabel, run the following command as the Linux root user to delete the context from <code class="filename">file_contexts.local</code>:
-					</p><pre class="screen">/usr/sbin/semanage fcontext -d /test</pre></li></ol></div><p>
+					</p><p>
+						<code class="command">/usr/sbin/semanage fcontext -d /test</code>
+					</p></li></ol></div><p>
 				If the context is part of a regular expression, for example, <code class="computeroutput">/web(/.*)?</code>, use quotation marks around the regular expression:
-			</p><pre class="screen">/usr/sbin/semanage fcontext -d "/web(/.*)?"</pre><p>
+			</p><p>
+				<code class="command">/usr/sbin/semanage fcontext -d "/web(/.*)?"</code>
+			</p><p>
 				Refer to the <span class="citerefentry"><span class="refentrytitle">semanage</span>(8)</span> manual page for further information about <code class="command">/usr/sbin/semanage</code>.
 			</p><div class="important"><h2>Important</h2><p>
 					When changing the SELinux context with <code class="command">/usr/sbin/semanage fcontext -a</code>, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the <code class="command">/sbin/restorecon</code> command is run.
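Review bot: the rewritten recursive restorecon step still spells the file `file.contexts.local` on its `+` line, while the entries quoted in this hunk and the prose around them use `file_contexts.local`; fix it to `file_contexts.local` (the unchanged context line for the single-directory step above carries the same typo and is worth fixing in the same commit). Minor: the sentence `The <code class="command">/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"</code> adds the following entry` is missing the word "command" that the rewritten line earlier in this hunk added for the same command.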


Index: sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,18 +1,20 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>4.3. Confined and Unconfined Users</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Targeted_Policy.html" title="Chapter 4. Targeted Policy"/><link rel="prev" href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html" title="4.2. Unconfined Processes"/><link rel="next" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>4.3. Confined and Unconfined Users</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="cha
 p-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</h2></div></div></div><p>
-			Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions on SELinux users. This Linux user mapping is seen by running the <code class="command">/usr/sbin/semanage login -l</code> command as the Linux root user:
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>4.3. Confined and Unconfined Users</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Targeted_Policy.html" title="Chapter 4. Targeted Policy"/><link rel="prev" href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html" title="4.2. Unconfined Processes"/><link rel="next" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>4.3. Confined and Unconfined Users</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.h
 tml"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users">4.3. Confined and Unconfined Users</h2></div></div></div><p>
+			Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions on SELinux users. This Linux user mapping is seen by running the <code class="command">semanage login -l</code> command as the Linux root user:
 		</p><pre class="screen"># /usr/sbin/semanage login -l
 
 Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023</pre><p>
+system_u                  system_u                  s0-s0:c0.c1023
+</pre><p>
 			In Fedora 10, Linux users are mapped to the SELinux <code class="computeroutput">__default__</code> login by default (which is mapped to the SELinux <code class="computeroutput">unconfined_u</code> user). The following defines the default-mapping:
-		</p><pre class="screen">__default__               unconfined_u              s0-s0:c0.c1023</pre><p>
-			The following example demonstates adding a new Linux user, and that Linux user being mapped to the SELinux unconfined_u user. It assumes that the Linux root user is running unconfined, as it does by default in Fedora 10:
+		</p><pre class="screen">__default__               unconfined_u              s0-s0:c0.c1023
+</pre><p>
+			The following example demonstrates adding a new Linux user, and that Linux user being mapped to the SELinux unconfined_u user. It assumes that the Linux root user is running unconfined, as it does by default in Fedora 10:
 		</p><div class="orderedlist"><ol><li><p>
 					As the Linux root user, run the <code class="command">/usr/sbin/useradd newuser</code> command to create a new Linux user named newuser.
 				</p></li><li><p>
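Review bot: the changed prose line now reads `semanage login -l` without the path, but the screen block directly under it still shows `# /usr/sbin/semanage login -l`, and the other command in this hunk (`/usr/sbin/useradd newuser`) keeps its full path; settle on one convention for the file, or at least make the command text and the screen output agree. The `demonstates` typo fix and the added `<meta name="package">` element are fine.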
@@ -21,11 +23,13 @@
 Changing password for user newuser.
 New UNIX password: <em class="replaceable"><code>Enter a password</code></em> 
 Retype new UNIX password: <em class="replaceable"><code>Enter the same password again</code></em> 
-passwd: all authentication tokens updated successfully.</pre></li><li><p>
-					Log out of your current session, and log in as the Linux newuser user. When you log in, pam_selinux maps the Linux user to an SELinux user (in this case, unconfined_u), and sets up the resulting SELinux context. The Linux user's shell is then launched with this SELinux context. To view the SELinux context for a Linux user, run the <code class="command">id -Z</code> command:
+passwd: all authentication tokens updated successfully.
+</pre></li><li><p>
+					Log out of your current session, and log in as the Linux newuser user. When you log in, pam_selinux maps the Linux user to an SELinux user (in this case, unconfined_u), and sets up the resulting SELinux context. The Linux user's shell is then launched with this context. Run the <code class="command">id -Z</code> command to view the context for a Linux user:
 				</p><pre class="screen">[newuser at localhost ~]$ id -Z
-unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023</pre></li><li><p>
-					Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, as the Linux root user, run the <code class="command">/usr/sbin/userdel -r newuser</code> command to remove it, along with the Linux newuser's home directory.
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+</pre></li><li><p>
+					Log out of the Linux newuser's session, and log in with your account. If you do not want the Linux newuser user, as the Linux root user, run the <code class="command">/usr/sbin/userdel -r newuser</code> command to remove it, along with the Linux newuser's home directory.
 				</p></li></ol></div><p>
 			Confined and unconfined Linux users are subject to executable and writeable memory checks, and are also restricted by MCS (and MLS, if the MLS policy is used). If unconfined Linux users execute an application that SELinux policy defines can transition from the <code class="computeroutput">unconfined_t</code> domain to its own confined domain, unconfined Linux users are still subject to the restrictions of that confined domain. The security benefit of this is that, even though a Linux user is running unconfined, the application remains confined, and therefore, the exploitation of a flaw in the application can be limited by policy. Note: this does not protect the system from the user. Instead, the user and the system are being protected from possible damage caused by a flaw in the application.
 		</p><p>
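Review bot: the unchanged context line `[newuser at localhost ~]$ id -Z` is not a valid shell prompt; a login prompt reads `[newuser@localhost ~]$`. If the ` at ` is address munging by the list archive rather than the file's content there is nothing to do, otherwise restore the `@` while this block is being touched, since the next line (`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023`) is exactly what a reader will try to reproduce.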


Index: sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>4.2. Unconfined Processes</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Targeted_Policy.html" title="Chapter 4. Targeted Policy"/><link rel="prev" href="chap-Security-Enhanced_Linux-Targeted_Policy.html" title="Chapter 4. Targeted Policy"/><link rel="next" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html" title="4.3. Confined and Unconfined Users"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>4.2. Unconfined Processes</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Targe
 ted_Policy-Confined_and_Unconfined_Users.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>4.2. Unconfined Processes</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Targeted_Policy.html" title="Chapter 4. Targeted Policy"/><link rel="prev" href="chap-Security-Enhanced_Linux-Targeted_Policy.html" title="Chapter 4. Targeted Policy"/><link rel="next" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html" title="4.3. Confined and Unconfined Users"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>4.2. Unconfined Processes</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Prev</strong></a><
 /li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes">4.2. Unconfined Processes</h2></div></div></div><p>
 			Unconfined processes run in unconfined domains, for example, init programs run in the unconfined <code class="computeroutput">initrc_t</code> domain, unconfined kernel processes run in the <code class="computeroutput">kernel_t</code> domain, and unconfined Linux users run in the <code class="computeroutput">unconfined_t</code> domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them.
 		</p><p>
 			The following example demonstrates how the Apache HTTP Server (<code class="systemitem">httpd</code>) can access data intended for use by Samba, when running unconfined. Note: in Fedora 10, the <code class="systemitem">httpd</code> process runs in the confined <code class="computeroutput">httpd_t</code> domain by default. This is an example, and should not be used in production. It assumes that the <span class="package">httpd</span>, <span class="package">wget</span>, <span class="package">setroubleshoot-server</span>, and <span class="package">audit</span> packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
@@ -12,30 +12,43 @@
 Current mode:                   enforcing
 Mode from config file:          enforcing
 Policy version:                 23
-Policy from config file:        targeted</pre><p>
+Policy from config file:        targeted
+</pre><p>
 					<code class="computeroutput">SELinux status: enabled</code> is returned when SELinux is enabled. <code class="computeroutput">Current mode: enforcing</code> is returned when SELinux is running in enforcing mode. <code class="computeroutput">Policy from config file: targeted</code> is returned when the SELinux targeted policy is used.
 				</p></li><li><p>
 					As the Linux root user, run the <code class="command">touch /var/www/html/test2file</code> command to create a file.
 				</p></li><li><p>
 					Run the <code class="command">ls -Z /var/www/html/test2file</code> command to view the SELinux context:
-				</p><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file</pre><p>
-					By default, Linux users run unconfined in Fedora 10, which is why the <code class="filename">test2file</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="d0e1439" href="#ftn.d0e1439" class="footnote">7</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
+				</p><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
+</pre><p>
+					By default, Linux users run unconfined in Fedora 10, which is why the <code class="filename">test2file</code> file is labeled with the SELinux <code class="computeroutput">unconfined_u</code> user. RBAC is used for processes, not files. Roles do not have a meaning for files - the <code class="computeroutput">object_r</code> role is a generic role used for files (on persistent storage and network file systems). Under the <code class="filename">/proc/</code> directory, files related to processes may use the <code class="computeroutput">system_r</code> role.<sup>[<a id="d0e1469" href="#ftn.d0e1469" class="footnote">7</a>]</sup> The <code class="computeroutput">httpd_sys_content_t</code> type allows the <code class="systemitem">httpd</code> process to access this file.
 				</p></li><li><p>
-					The <code class="command">/usr/bin/chcon</code> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <code class="command">/usr/sbin/semanage</code> command, which is discussed later. As the Linux root user, run the <code class="command">/usr/bin/chcon -t samba_share_t /var/www/html/test2file</code> command to change the type, to a type used by Samba. Run the <code class="command">ls -Z /var/www/html/test2file</code> command to view the changes:
-				</p><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file</pre></li><li><p>
+					The <code class="command">/usr/bin/chcon</code> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <code class="command">semanage</code> command, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba:
+				</p><p>
+					<code class="command">/usr/bin/chcon -t samba_share_t /var/www/html/test2file</code>
+				</p><p>
+					Run the <code class="command">ls -Z /var/www/html/test2file</code> command to view the changes:
+				</p><pre class="screen">-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file
+</pre></li><li><p>
 					Run the <code class="command">/sbin/service httpd status</code> command to confirm that the <code class="systemitem">httpd</code> process is not running:
 				</p><pre class="screen">$ /sbin/service httpd status
-httpd is stopped</pre><p>
+httpd is stopped
+</pre><p>
 					If the output differs, run the <code class="command">/sbin/service httpd stop</code> command as the Linux root user to stop the <code class="systemitem">httpd</code> process:
 				</p><pre class="screen"># /sbin/service httpd stop
-Stopping httpd:                                            [  OK  ]</pre></li><li><p>
+Stopping httpd:                                            [  OK  ]
+</pre></li><li><p>
 					To make the <code class="systemitem">httpd</code> process run unconfined, run the following command as the Linux root user to change the type of <code class="filename">/usr/sbin/httpd</code>, to a type that does not transition to a confined domain:
-				</p><pre class="screen">/usr/bin/chcon -t unconfined_exec_t /usr/sbin/httpd</pre></li><li><p>
-					Run the <code class="command">ls -Z /usr/sbin/httpd</code> command to confirm that <code class="filename">/usr/sbin/httpd</code> is labeled with the <code class="computeroutput">unconfined_exec_t</code>type:
-				</p><pre class="screen">-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd</pre></li><li><p>
+				</p><p>
+					<code class="command">/usr/bin/chcon -t unconfined_exec_t /usr/sbin/httpd</code>
+				</p></li><li><p>
+					Run the <code class="command">ls -Z /usr/sbin/httpd</code> command to confirm that <code class="filename">/usr/sbin/httpd</code> is labeled with the <code class="computeroutput">unconfined_exec_t</code> type:
+				</p><pre class="screen">-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd
+</pre></li><li><p>
 					As the Linux root user, run the <code class="command">/sbin/service httpd start</code> command to start the <code class="systemitem">httpd</code> process. The output is as follows if <code class="systemitem">httpd</code> starts successfully:
 				</p><pre class="screen"># /sbin/service httpd start
-Starting httpd:                                            [  OK  ]</pre></li><li><p>
+Starting httpd:                                            [  OK  ]
+</pre></li><li><p>
 					Run the <code class="command">ps -eZ | grep httpd</code> command to view the <code class="systemitem">httpd</code> running in the <code class="computeroutput">unconfined_t</code> domain:
 				</p><pre class="screen">$ ps -eZ | grep httpd
 unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7721</code></em> ?      00:00:00 httpd
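Review bot: the rewritten `ls -Z /usr/sbin/httpd` output line `+-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd` is missing the MLS/MCS level; every other `ls -Z` line in this hunk ends in `:s0` (for example `unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file`), so this should read `system_u:object_r:unconfined_exec_t:s0`. The old line had the same gap, so the omission was carried over rather than introduced, but since the line was rewritten anyway it should be corrected now. Moving the bare `chcon` commands out of `<pre class="screen">` into `<code class="command">` matches what the earlier hunks did for `semanage fcontext -d`.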
@@ -46,7 +59,8 @@
 unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7727</code></em> ?      00:00:00 httpd
 unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7728</code></em> ?      00:00:00 httpd
 unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7729</code></em> ?      00:00:00 httpd
-unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7730</code></em> ?      00:00:00 httpd</pre></li><li><p>
+unconfined_u:system_r:unconfined_t <em class="replaceable"><code>7730</code></em> ?      00:00:00 httpd
+</pre></li><li><p>
 					Change into a directory where your Linux user has write access to, and run the <code class="command">wget http://localhost/test2file</code> command. Unless there are any changes to the default configuration, this command succeeds:
 				</p><pre class="screen">--2008-09-07 01:41:10--  http://localhost/test2file
 Resolving localhost... 127.0.0.1
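Review bot: the PIDs in this `ps -eZ` listing are wrapped in `<em class="replaceable"><code>…</code></em>`, whereas the `httpd_t` listing later in the same procedure prints them as plain text (`8886`); both are sample values the reader will not reproduce, so mark them the same way in both blocks.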
@@ -57,16 +71,19 @@
 
 [ <=>                            ]--.-K/s   in 0s      
 	
-2008-09-07 01:41:10 (0.00 B/s) - `test2file.1' saved [0/0]</pre><p>
+2008-09-07 01:41:10 (0.00 B/s) - `test2file.1' saved [0/0]
+</pre><p>
 					Although the <code class="systemitem">httpd</code> process does not have access to files labeled with the <code class="computeroutput">samba_share_t</code> type, <code class="systemitem">httpd</code> is running in the unconfined <code class="computeroutput">unconfined_t</code> domain, and falls back to using DAC rules, and as such, the <code class="command">wget</code> command succeeds. Had <code class="systemitem">httpd</code> been running in the confined <code class="computeroutput">httpd_t</code> domain, the <code class="command">wget</code> command would have failed.
 				</p></li><li><p>
 					The <code class="command">/sbin/restorecon</code> command restores the default SELinux context for files. As the Linux root user, run the <code class="command">restorecon -v /usr/sbin/httpd</code> command to restore the default SELinux context for <code class="filename">/usr/sbin/httpd</code>:
 				</p><pre class="screen"># restorecon -v /usr/sbin/httpd
-restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_notrans_exec_t:s0->system_u:object_r:httpd_exec_t:s0</pre><p>
+restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_notrans_exec_t:s0->system_u:object_r:httpd_exec_t:s0
+</pre><p>
 					Run the <code class="command">ls -Z /usr/sbin/httpd</code> command to confirm that <code class="filename">/usr/sbin/httpd</code> is labeled with the <code class="computeroutput">httpd_exec_t</code> type:
 				</p><pre class="screen">$ ls -Z /usr/sbin/httpd
--rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd</pre></li><li><p>
-					As the Linux root user, run the <code class="command">/sbin/service httpd restart</code> command t restart <code class="systemitem">httpd</code>. After restarting, run the <code class="command">ps -eZ | grep httpd</code> to confirm that <code class="systemitem">httpd</code> is running in the confined <code class="computeroutput">httpd_t</code> domain:
+-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd
+</pre></li><li><p>
+					As the Linux root user, run the <code class="command">/sbin/service httpd restart</code> command to restart <code class="systemitem">httpd</code>. After restarting, run the <code class="command">ps -eZ | grep httpd</code> to confirm that <code class="systemitem">httpd</code> is running in the confined <code class="computeroutput">httpd_t</code> domain:
 				</p><pre class="screen"># /sbin/service httpd restart
 Stopping httpd:                                            [  OK  ]
 Starting httpd:                                            [  OK  ]
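Review bot: the `restorecon -v` transcript at the `+restorecon reset` line reports the old context as `unconfined_notrans_exec_t`, but the procedure relabelled the binary with `chcon -t unconfined_exec_t` and the `ls -Z` check confirmed `unconfined_exec_t`; the transcript and the command disagree, so one of them was captured from a different run and should be corrected so the type shown by `chcon`, `ls -Z` and `restorecon` is the same throughout.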
@@ -79,13 +96,15 @@
 unconfined_u:system_r:httpd_t    8886 ?        00:00:00 httpd
 unconfined_u:system_r:httpd_t    8887 ?        00:00:00 httpd
 unconfined_u:system_r:httpd_t    8888 ?        00:00:00 httpd
-unconfined_u:system_r:httpd_t    8889 ?        00:00:00 httpd</pre></li><li><p>
+unconfined_u:system_r:httpd_t    8889 ?        00:00:00 httpd
+</pre></li><li><p>
 					As the Linux root user, run the <code class="command">rm -i /var/www/html/test2file</code> command to remove <code class="filename">test2file</code>.
 				</p></li><li><p>
 					If you do not require <code class="systemitem">httpd</code> to be running, as the Linux root user, run the <code class="command">/sbin/service httpd stop</code> command to stop <code class="systemitem">httpd</code>:
 				</p><pre class="screen"># /sbin/service httpd stop
-Stopping httpd:                                            [  OK  ]</pre></li></ol></div><p>
+Stopping httpd:                                            [  OK  ]
+</pre></li></ol></div><p>
 			The examples in these sections demonstrate how data can be protected from a compromised confined-process (protected by SELinux), as well as how data is more accessible to an attacker from a compromised unconfined-process (not protected by SELinux).
-		</p><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e1439" href="#d0e1439" class="para">7</a>] </sup>
+		</p><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e1469" href="#d0e1469" class="para">7</a>] </sup>
 						When using other policies, such as MLS, other roles may also be used, for example, <code class="computeroutput">secadm_r</code>.
 					</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Targeted_Policy.html"><strong>Prev</strong>Chapter 4. Targeted Policy</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html"><strong>Next</strong>4.3. Confined and Unconfined Users</a></li></ul></body></html>
\ No newline at end of file
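Review bot: the closing sentence of this section hyphenates plain noun phrases (`compromised confined-process`, `compromised unconfined-process`); write `compromised confined process` and `compromised unconfined process`, since the hyphen belongs only in compound modifiers such as `confined-process data`.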


Index: sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,13 +1,17 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.2.3. Evolving Rules and Broken Applications</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html" title="7.2. Top Three Causes of Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html" title="7.2.2. How are Confined Services Running?"/><link rel="next" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html" title="7.3. Fixing Problems"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.2.3. Evolving Rules and Broken Applications</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Top_Three_Causes_o
 f_Problems-How_are_Confined_Services_Running.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.2.3. Evolving Rules and Broken Applications</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html" title="7.2. Top Three Causes of Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html" title="7.2.2. How are Confined Services Running?"/><link rel="next" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html" title="7.3. Fixing Problems"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.2.3. Evolving Rules and Broken Applications</strong></a></p><ul class="docnav"><li class="pr
 evious"><a accesskey="p" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications">7.2.3. Evolving Rules and Broken Applications</h3></div></div></div><p>
 				Applications may be broken, causing SELinux to deny access. Also, SELinux rules are evolving - SELinux may not have seen an application running in a certain way, possibly causing it to deny access, even though the application is working as expected. For example, if a new version of PostgreSQL is released, it may perform actions that the current policy has not seen before, causing access to be denied, even though access should be allowed.
 			</p><p>
 				For these situations, after access is denied, use <code class="command">audit2allow</code> to create a custom policy module to allow access. The following example searches for <code class="computeroutput">postgresql</code> entries in <code class="filename">audit.log</code>, and sends those entries through <code class="command">audit2allow</code> to create a custom module:
-			</p><pre class="screen"># grep postgresql /var/log/audit/audit.log | audit2allow \
--R -M mypostgresql</pre><p>
+			</p><pre class="screen">
+# grep postgresql /var/log/audit/audit.log | audit2allow \
+-R -M mypostgresql
+</pre><p>
 				To install the module, run the <code class="command">semodule -i</code> command as the Linux root user:
-			</p><pre class="screen"># /usr/sbin/semodule -i mypostgresql.pp</pre><p>
+			</p><pre class="screen">
+# /usr/sbin/semodule -i mypostgresql.pp
+</pre><p>
 				The <code class="command">audit2allow</code> command may allow more access than desired. When access is denied, it is best to report the denial in <a href="https://bugzilla.redhat.com/">Red Hat Bugzilla</a>, (against the <span class="package">selinux-policy</span> package), or to a mailing list, such as <a href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list">fedora-selinux-list</a>, allowing a more strict rule to be added, or to add your changes to the distribution's or upstream policy.
 			</p></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Prev</strong>7.2.2. How are Confined Services Running?</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html"><strong>Next</strong>7.3. Fixing Problems</a></li></ul></body></html>
\ No newline at end of file
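Review bot: the procedure at `+# grep postgresql /var/log/audit/audit.log | audit2allow \` and `+# /usr/sbin/semodule -i mypostgresql.pp` installs the generated module before the paragraph that warns `audit2allow` may allow more access than desired; move that caveat ahead of the `semodule -i` step and add an explicit step to read the generated `mypostgresql.te` (which `-M` writes beside the `.pp`) before installing, because a module built from every `postgresql` denial in the log's history, not only the one being fixed, can grant rules unrelated to the problem at hand.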


Index: sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,43 +1,53 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.2.2. How are Confined Services Running?</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html" title="7.2. Top Three Causes of Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html" title="7.2. Top Three Causes of Problems"/><link rel="next" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html" title="7.2.3. Evolving Rules and Broken Applications"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.2.2. How are Confined Services Running?</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanc
 ed_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</h3></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.2.2. How are Confined Services Running?</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html" title="7.2. Top Three Causes of Problems"/><link rel="prev" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html" title="7.2. Top Three Causes of Problems"/><link rel="next" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html" title="7.2.3. Evolving Rules and Broken Applications"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.2.2. How are Confined Services Running?</strong></a></p><ul c
 lass="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running">7.2.2. How are Confined Services Running?</h3></div></div></div><p>
 				Services can be run in a variety of ways. To cater for this, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires policy configuration to be updated via the <code class="command">semanage</code> command.
 			</p><p>
 				For example, to allow the Apache HTTP Server to communicate with MySQL, turn the <code class="computeroutput">httpd_can_network_connect_db</code> Boolean on:
-			</p><pre class="screen"># /usr/sbin/setsebool -P httpd_can_network_connect_db on</pre><p>
+			</p><pre class="screen">
+# /usr/sbin/setsebool -P httpd_can_network_connect_db on
+</pre><p>
 				If access is denied for a particular service, use the <code class="command">getsebool</code> and <code class="command">grep</code> commands to see if any Booleans are available to allow access. For example, use the <code class="command">getsebool -a | grep ftp</code> command to search for FTP related Booleans:
-			</p><pre class="screen">$ /usr/sbin/getsebool -a | grep ftp
+			</p><pre class="screen">
+$ /usr/sbin/getsebool -a | grep ftp
 allow_ftpd_anon_write --> off
 allow_ftpd_full_access --> off
 allow_ftpd_use_cifs --> off
 allow_ftpd_use_nfs --> off
 ftp_home_dir --> off
 httpd_enable_ftp_server --> off
-tftp_anon_write --> off</pre><p>
-				[link to section about running denials through audit2allow -w]
-			</p><p>
-				For a list of Booleans and whether they are on or off, run the <code class="command">/usr/sbin/getsebool -a</code> command. For a list of Booleans, an explanation of what each one is, and whether it is on or off, as the Linux root user, run the <code class="command">/usr/sbin/semanage boolean -l</code> command. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans">Section 5.6, “Booleans”</a> for information about listing and configuring Booleans.
+tftp_anon_write --> off
+</pre><p>
+				For a list of Booleans and whether they are on or off, run the <code class="command">/usr/sbin/getsebool -a</code> command. For a list of Booleans, an explanation of what each one is, and whether they are on or off, as the Linux root user, run the <code class="command">/usr/sbin/semanage boolean -l</code> command. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans">Section 5.6, “Booleans”</a> for information about listing and configuring Booleans.
 			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-How_are_Confined_Services_Running-Port_Numbers">Port Numbers</h5>
 					Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. For example, run the <code class="command">semanage port -l | grep http</code> command to list <code class="systemitem">http</code> related ports:
-				<pre class="screen"># /usr/sbin/semanage port -l | grep http
+				<pre class="screen">
+# /usr/sbin/semanage port -l | grep http
 http_cache_port_t              tcp      3128, 8080, 8118
 http_cache_port_t              udp      3130
 http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
 pegasus_http_port_t            tcp      5988
-pegasus_https_port_t           tcp      5989</pre><p>
+pegasus_https_port_t           tcp      5989
+</pre><p>
 				The <code class="computeroutput">http_port_t</code> port type defines the ports Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, and 8443. If an administrator configures <code class="filename">httpd.conf</code> so that <code class="systemitem">httpd</code> listens on port 9876 (<code class="option">Listen 9876</code>), but policy is not updated to reflect this, the <code class="command">service httpd start</code> command fails:
-			</p><pre class="screen"># /sbin/service httpd start
+			</p><pre class="screen">
+# /sbin/service httpd start
 Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:9876
 (13)Permission denied: make_sock: could not bind to address 0.0.0.0:9876
 no listening sockets available, shutting down
 Unable to open logs
-						            [FAILED]</pre><p>
+						            [FAILED]
+</pre><p>
 				An SELinux denial similar to the following is logged to <code class="filename">/var/log/audit/audit.log</code>:
-			</p><pre class="screen">type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket</pre><p>
-				To allow <code class="systemitem">httpd</code> to listen on a port that is not listed for the <code class="computeroutput">http_port_t</code> port type, run the <code class="command">semanage port</code> command to add a port to policy configuration<sup>[<a id="d0e5331" href="#ftn.d0e5331" class="footnote">15</a>]</sup>:
-			</p><pre class="screen"># /usr/sbin/semanage port -a -t http_port_t -p tcp 9876</pre><p>
+			</p><pre class="screen">
+type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
+</pre><p>
+				To allow <code class="systemitem">httpd</code> to listen on a port that is not listed for the <code class="computeroutput">http_port_t</code> port type, run the <code class="command">semanage port</code> command to add a port to policy configuration<sup>[<a id="d0e5365" href="#ftn.d0e5365" class="footnote">15</a>]</sup>:
+			</p><pre class="screen">
+# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876
+</pre><p>
 				The <code class="option">-a</code> option adds a new record; the <code class="option">-t</code> option defines a type; and the <code class="option">-p</code> option defines a protocol. The last argument is the port number to add.
-			</p><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e5331" href="#d0e5331" class="para">15</a>] </sup>
+			</p><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e5365" href="#d0e5365" class="para">15</a>] </sup>
 					The <code class="command">semanage port -a</code> command adds an entry to the <code class="filename">/etc/selinux/targeted/modules/active/ports.local</code> file. Note: by default, this file can only be viewed by the Linux root user.
 				</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html"><strong>Prev</strong>7.2. Top Three Causes of Problems</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Next</strong>7.2.3. Evolving Rules and Broken Applications</a></li></ul></body></html>
\ No newline at end of file
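Review bot: the removed placeholder `-				[link to section about running denials through audit2allow -w]` is dropped rather than resolved, which leaves the `getsebool -a | grep ftp` paragraph with no pointer to what to do when no Boolean covers the denial; replace it with an xref to the Fixing Problems section in the same form as the existing `Section 5.6, “Booleans”` link. Also, the text following the `Port Numbers` `<h5>` sits bare inside the `<div>` with the `<pre>` opened directly after it, unlike every other paragraph in the file, which is wrapped in `<p>…</p>`.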


Index: sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,17 +1,21 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.3. Fixing Problems</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Troubleshooting.html" title="Chapter 7. Troubleshooting"/><link rel="prev" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html" title="7.2.3. Evolving Rules and Broken Applications"/><link rel="next" href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html" title="7.3.2. Searching For and Viewing Denials"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.3. Fixing Problems</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_A
 pplications.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</h2></div></div></div><p>
-			The following sections...
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.3. Fixing Problems</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Troubleshooting.html" title="Chapter 7. Troubleshooting"/><link rel="prev" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html" title="7.2.3. Evolving Rules and Broken Applications"/><link rel="next" href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html" title="7.3.2. Possible Causes of Silent Denials"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.3. Fixing Problems</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Se
 curity-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems">7.3. Fixing Problems</h2></div></div></div><p>
+			The following sections help troubleshoot issues. They go over: checking Linux permissions, which are checked before SELinux rules; possible causes of SELinux denying access but no denials being logged; manual pages for services, which contain information about labeling and Booleans; permissive domains, for allowing one process to run permissive, rather than the whole system; how to search for and view denial messages; analyzing denials; and creating custom policy modules with <code class="command">audit2allow</code>.
 		</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Fixing_Problems-Linux_Permissions">7.3.1. Linux Permissions</h3></div></div></div><p>
 				When access is denied, check standard Linux permissions. As mentioned in <a class="xref" href="chap-Security-Enhanced_Linux-Introduction.html" title="Chapter 2. Introduction">Chapter 2, <i>Introduction</i></a>, most operating systems use a Discretionary Access Control (DAC) system to control access, allowing users to control the permissions of files that they own. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
 			</p><p>
 				If access is denied and no SELinux denials are logged, use the <code class="command">ls -l</code> command to view the standard Linux permissions:
-			</p><pre class="screen">$ ls -l /var/www/html/index.html
--rw-r----- 1 root root 0 2008-11-07 11:06 index.html</pre><p>
+			</p><pre class="screen">
+$ ls -l /var/www/html/index.html
+-rw-r----- 1 root root 0 2008-11-07 11:06 index.html
+</pre><p>
 				In this example, <code class="filename">index.html</code> is owned by the root user and group. The root user has read and write permissions (<code class="computeroutput">-rw</code>), and members of the root group have read permissions (<code class="computeroutput">-r-</code>). Everyone else has no access (<code class="computeroutput">---</code>). By default, such permissions do not allow <code class="systemitem">httpd</code> to read this file. To resolve this issue, use the <code class="command">chown</code> command to change the owner and group. This command must be run as the Linux root user:
-			</p><pre class="screen"># chown apache:apache /var/www/html/index.html</pre><p>
+			</p><pre class="screen">
+# chown apache:apache /var/www/html/index.html
+</pre><p>
 				This assumes the default configuration, in which <code class="systemitem">httpd</code> runs as the Linux apache user. If you run <code class="systemitem">httpd</code> with a different user, replace <code class="computeroutput">apache:apache</code> with that user.
 			</p><p>
 				Refer to the <a href="http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Permissions">Fedora Documentation Project "Permissions"</a> draft for information about managing Linux permissions.
-			</p></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Prev</strong>7.2.3. Evolving Rules and Broken Applications</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html"><strong>Next</strong>7.3.2. Searching For and Viewing Denials</a></li></ul></body></html>
\ No newline at end of file
+			</p></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Evolving_Rules_and_Broken_Applications.html"><strong>Prev</strong>7.2.3. Evolving Rules and Broken Applications</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html"><strong>Next</strong>7.3.2. Possible Causes of Silent Denials</a></li></ul></body></html>
\ No newline at end of file
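Review bot: the fix at `+# chown apache:apache /var/www/html/index.html` hands ownership, and with it the `rw-` owner bits, to the account `httpd` runs as, so a compromised `httpd` could then modify `index.html`; the paragraph only establishes that read access is missing, so the narrower fix is to keep root ownership and grant read access (`chmod 644 /var/www/html/index.html`), reserving `chown` for files httpd genuinely needs to write. The permission spelling in the explanatory paragraph is also off: for `-rw-r-----` the owner triplet is `rw-` and the group triplet is `r--`, not `-rw` and `-r-`.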


Index: sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,30 +1,40 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.2. Top Three Causes of Problems</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Troubleshooting.html" title="Chapter 7. Troubleshooting"/><link rel="prev" href="chap-Security-Enhanced_Linux-Troubleshooting.html" title="Chapter 7. Troubleshooting"/><link rel="next" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html" title="7.2.2. How are Confined Services Running?"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.2. Top Three Causes of Problems</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Troubleshooting.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" 
 href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top Three Causes of Problems</h2></div></div></div><p>
-			The following sections...
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>7.2. Top Three Causes of Problems</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Troubleshooting.html" title="Chapter 7. Troubleshooting"/><link rel="prev" href="chap-Security-Enhanced_Linux-Troubleshooting.html" title="Chapter 7. Troubleshooting"/><link rel="next" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html" title="7.2.2. How are Confined Services Running?"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>7.2. Top Three Causes of Problems</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Troubles
 hooting.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems">7.2. Top Three Causes of Problems</h2></div></div></div><p>
+			The following sections describe the top three causes of problems: labeling problems, configuring Booleans and ports for services, and evolving SELinux rules.
 		</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-Labeling_Problems">7.2.1. Labeling Problems</h3></div></div></div><p>
 				On systems running SELinux, all processes and files are labeled with a label that contains security-relevant information. This information is called the SELinux context. If these labels are wrong, access may be denied. If an application is labeled incorrectly, the process it transitions to may not have the correct label, possibly causing SELinux to deny access, and the process being able to create mislabeled files.
 			</p><p>
 				A common cause of labeling problems is when a non-standard directory is used for a service. For example, instead of using <code class="filename">/var/www/html/</code> for a website, an administrator wants to use <code class="filename">/srv/myweb/</code>. On Fedora 10, the <code class="filename">/srv/</code> directory is labeled with the <code class="computeroutput">var_t</code> type. Files and directories created and <code class="filename">/srv/</code> inherit this type. Also, newly-created top-level directories (such as <code class="filename">/myserver</code>) may be labeled with the <code class="computeroutput">default_t</code> type. SELinux prevents the Apache HTTP Server (<code class="systemitem">httpd</code>) from accessing both of these types. To allow access, SELinux must know that the files in <code class="filename">/srv/myweb/</code> are to be accessible to <code class="systemitem">httpd</code>:
-			</p><pre class="screen"># /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
-"/srv/myweb(/.*)?"</pre><p>
-				This <code class="command">semanage</code> command adds the context for the <code class="filename">/srv/myweb/</code> directory (and all files and directories under it) to the SELinux file-context configuration<sup>[<a id="d0e5167" href="#ftn.d0e5167" class="footnote">14</a>]</sup>. The <code class="command">semanage</code> command does not change the context. As the Linux root user, run the <code class="command">restorecon</code> command to apply the changes:
-			</p><pre class="screen"># /sbin/restorecon -R -v /srv/myweb</pre><p>
+			</p><pre class="screen">
+# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \
+"/srv/myweb(/.*)?"
+</pre><p>
+				This <code class="command">semanage</code> command adds the context for the <code class="filename">/srv/myweb/</code> directory (and all files and directories under it) to the SELinux file-context configuration<sup>[<a id="d0e5203" href="#ftn.d0e5203" class="footnote">14</a>]</sup>. The <code class="command">semanage</code> command does not change the context. As the Linux root user, run the <code class="command">restorecon</code> command to apply the changes:
+			</p><pre class="screen">
+# /sbin/restorecon -R -v /srv/myweb
+</pre><p>
 				Refer to <a class="xref" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html" title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2, “Persistent Changes: semanage fcontext”</a> for further information about adding contexts to the file-context configuration.
 			</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security-Enhanced_Linux-Labeling_Problems-What_is_the_Correct_Context">7.2.1.1. What is the Correct Context?</h4></div></div></div><p>
 					The <code class="command">matchpathcon</code> command checks the context of a file path and compares it to the default label for that path. The following example demonstrates using <code class="command">matchpathcon</code> on a directory that contains incorrectly labeled files:
-				</p><pre class="screen">$ matchpathcon -V /var/www/html/*
+				</p><pre class="screen">
+$ matchpathcon -V /var/www/html/*
 /var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
-/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0</pre><p>
-					In this example, the <code class="filename">index.html</code> and <code class="filename">page1.html</code> are labeled with the <code class="computeroutput">user_home_t</code> type. This type is used for files in user home directories. Using the <code class="command">mv</code> command to move files from your home directory may result in files being labeled with the <code class="computeroutput">user_home_t</code> type. This type should not exist outside of home directories. Use the <code class="command">restorecon</code> command to restore such files to their correct type:
-				</p><pre class="screen"># restorecon -v /var/www/html/index.html 
-restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0</pre><p>
+/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
+</pre><p>
+					In this example, the <code class="filename">index.html</code> and <code class="filename">page1.html</code> files are labeled with the <code class="computeroutput">user_home_t</code> type. This type is used for files in user home directories. Using the <code class="command">mv</code> command to move files from your home directory may result in files being labeled with the <code class="computeroutput">user_home_t</code> type. This type should not exist outside of home directories. Use the <code class="command">restorecon</code> command to restore such files to their correct type:
+				</p><pre class="screen">
+# restorecon -v /var/www/html/index.html 
+restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
+</pre><p>
 					To restore the context for all files under a directory, use the <code class="option">-R</code> option:
-				</p><pre class="screen"># restorecon -R -v /var/www/html/
+				</p><pre class="screen">
+# restorecon -R -v /var/www/html/
 restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
-restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0</pre><p>
+restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
+</pre><p>
 					Refer to <a class="xref" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context.html" title="5.10.3. Checking the Default SELinux Context">Section 5.10.3, “Checking the Default SELinux Context”</a> for a more detailed example of <code class="command">matchpathcon</code>.
-				</p></div></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e5167" href="#d0e5167" class="para">14</a>] </sup>
+				</p></div></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e5203" href="#d0e5203" class="para">14</a>] </sup>
 					Files in <code class="filename">/etc/selinux/targeted/contexts/files/</code> define contexts for files and directories. Files in this directory are read by <code class="command">restorecon</code> and <code class="command">setfiles</code> to restore files and directories to their default contexts.
 				</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Troubleshooting.html"><strong>Prev</strong>Chapter 7. Troubleshooting</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Top_Three_Causes_of_Problems-How_are_Confined_Services_Running.html"><strong>Next</strong>7.2.2. How are Confined Services Running?</a></li></ul></body></html>
\ No newline at end of file
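Review bot: the sample output for `restorecon -R -v /var/www/html/` shows page1.html and index.html being reset from `samba_share_t`, but the `matchpathcon -V` listing just above shows the same two files labeled `user_home_t`, and the prose between them says they carry `user_home_t`; the two listings should start from the same type so the walkthrough reads as one example. Two smaller points in the unchanged context: "Files and directories created and /srv/ inherit this type" should read "created in /srv/", and "The semanage command does not change the context" is clearer as "does not change the context of existing files", which is the reason the restorecon step follows.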


Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,30 +1,35 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.6. Booleans</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html" title="5.5. SELinux Modes"/><link rel="next" href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html" title="5.6.2. Configuring Booleans"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.6. Booleans</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Booleans-Conf
 iguring_Booleans.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.6. Booleans</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html" title="5.5. SELinux Modes"/><link rel="next" href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html" title="5.6.2. Configuring Booleans"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.6. Booleans</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Prev</strong></a></li><li 
 class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans">5.6. Booleans</h2></div></div></div><p>
 			Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.
 		</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Booleans-Listing_Booleans">5.6.1. Listing Booleans</h3></div></div></div><p>
-				For a list of Booleans, an explanation of what each one is, and whether it is on or off, as the Linux root user, run the <code class="command">/usr/sbin/semanage boolean -l</code> command. The following example does not list all Booleans:
+				For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the <code class="command">semanage boolean -l</code> command as the Linux root user. The following example does not list all Booleans:
 			</p><pre class="screen"># /usr/sbin/semanage boolean -l
 SELinux boolean                          Description
 
 ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
 xen_use_nfs                    -> off   Allow xen to manage nfs files
-xguest_connect_network         -> on    Allow xguest to configure Network Manager</pre><p>
+xguest_connect_network         -> on    Allow xguest to configure Network Manager
+</pre><p>
 				The <code class="computeroutput">SELinux boolean</code> column lists Boolean names. The <code class="computeroutput">Description</code> column lists whether the Booleans are on or off, and what they do.
 			</p><p>
 				In the following example, the <code class="computeroutput">ftp_home_dir</code> Boolean is off, preventing the FTP daemon (<code class="systemitem">vsftpd</code>) from reading and writing to files in user home directories:
-			</p><pre class="screen">ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories</pre><p>
-				The <code class="command">/usr/sbin/getsebool -a</code> command lists Booleans, whether they are on or off, but does not give a description of each one. The following example does not list all Booleans:
+			</p><pre class="screen">ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
+</pre><p>
+				The <code class="command">getsebool -a</code> command lists Booleans, whether they are on or off, but does not give a description of each one. The following example does not list all Booleans:
 			</p><pre class="screen">$ /usr/sbin/getsebool -a
 allow_console_login --> off
 allow_cvs_read_shadow --> off
-allow_daemons_dump_core --> on</pre><p>
-				Run the <code class="command">/usr/sbin/getsebool <em class="replaceable"><code>boolean-name</code></em></code> command to only list the status of the <em class="replaceable"><code>boolean-name</code></em> Boolean:
+allow_daemons_dump_core --> on
+</pre><p>
+				Run the <code class="command">getsebool <em class="replaceable"><code>boolean-name</code></em></code> command to only list the status of the <em class="replaceable"><code>boolean-name</code></em> Boolean:
 			</p><pre class="screen">$ /usr/sbin/getsebool allow_console_login
-allow_console_login --> off</pre><p>
+allow_console_login --> off
+</pre><p>
 				Use a space-separated list to list multiple Booleans:
 			</p><pre class="screen">$ /usr/sbin/getsebool allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
 allow_console_login --> off
 allow_cvs_read_shadow --> off
-allow_daemons_dump_core --> on</pre></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Prev</strong>5.5. SELinux Modes</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"><strong>Next</strong>5.6.2. Configuring Booleans</a></li></ul></body></html>
\ No newline at end of file
+allow_daemons_dump_core --> on
+</pre></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html"><strong>Prev</strong>5.5. SELinux Modes</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Booleans-Configuring_Booleans.html"><strong>Next</strong>5.6.2. Configuring Booleans</a></li></ul></body></html>
\ No newline at end of file
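Review bot: the unchanged sentence after the `semanage boolean -l` listing says the Description column lists whether the Booleans are on or off, but in the listing the state is the unlabelled `-> off` / `-> on` column between the Boolean name and the description text; reword to say the middle column shows the current state and the Description column explains what the Boolean allows. Minor: the rewritten "an explanation of what each one is, and whether they are on or off" mixes singular and plural; "whether each is on or off" keeps it consistent.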


Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,20 +1,22 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.4. Enabling and Disabling SELinux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html" title="5.3. Main Configuration File"/><link rel="next" href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html" title="5.4.2. Disabling SELinux"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.4. Enabling and Disabling SELinux</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Prev</strong><
 /a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</h2></div></div></div><p>
-			Use the <code class="command">/usr/sbin/getenforce</code> or <code class="command">/usr/sbin/sestatus</code> commands to check the status of SELinux. The <code class="command">/usr/sbin/getenforce</code> command returns <code class="computeroutput">Enforcing</code>, <code class="computeroutput">Permissive</code>, or <code class="computeroutput">Disabled</code>. The <code class="command">/usr/sbin/getenforce</code> command returns <code class="computeroutput">Enforcing</code> when SELinux is enabled (SELinux policy rules are enforced):
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.4. Enabling and Disabling SELinux</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html" title="5.3. Main Configuration File"/><link rel="next" href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html" title="5.4.2. Disabling SELinux"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.4. Enabling and Disabling SELinux</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_L
 inux-Working_with_SELinux-Main_Configuration_File.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux">5.4. Enabling and Disabling SELinux</h2></div></div></div><p>
+			Use the <code class="command">/usr/sbin/getenforce</code> or <code class="command">/usr/sbin/sestatus</code> commands to check the status of SELinux. The <code class="command">getenforce</code> command returns <code class="computeroutput">Enforcing</code>, <code class="computeroutput">Permissive</code>, or <code class="computeroutput">Disabled</code>. The <code class="command">getenforce</code> command returns <code class="computeroutput">Enforcing</code> when SELinux is enabled (SELinux policy rules are enforced):
 		</p><pre class="screen">$ /usr/sbin/getenforce
-Enforcing</pre><p>
-			The <code class="command">/usr/sbin/getenforce</code> command returns <code class="computeroutput">Permissive</code> when SELinux is enabled, but SELinux policy rules are not enforced, and only DAC rules are used. The <code class="command">/usr/sbin/getenforce</code> command returns <code class="computeroutput">Disabled</code> if SELinux is disabled.
+Enforcing
+</pre><p>
+			The <code class="command">getenforce</code> command returns <code class="computeroutput">Permissive</code> when SELinux is enabled, but SELinux policy rules are not enforced, and only DAC rules are used. The <code class="command">getenforce</code> command returns <code class="computeroutput">Disabled</code> if SELinux is disabled.
 		</p><p>
-			The <code class="command">/usr/sbin/sestatus</code> command returns the SELinux status and the SELinux policy being used:
+			The <code class="command">sestatus</code> command returns the SELinux status and the SELinux policy being used:
 		</p><pre class="screen">$ /usr/sbin/sestatus
 SELinux status:                 enabled
 SELinuxfs mount:                /selinux
 Current mode:                   enforcing
 Mode from config file:          enforcing
 Policy version:                 23
-Policy from config file:        targeted</pre><p>
+Policy from config file:        targeted
+</pre><p>
 			<code class="computeroutput">SELinux status: enabled</code> is returned when SELinux is enabled. <code class="computeroutput">Current mode: enforcing</code> is returned when SELinux is running in enforcing mode. <code class="computeroutput">Policy from config file: targeted</code> is returned when the SELinux targeted policy is used.
 		</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux">5.4.1. Enabling SELinux</h3></div></div></div><p>
 				On systems with SELinux disabled, the <code class="computeroutput">SELINUX=disabled</code> option is configured in <code class="filename">/etc/selinux/config</code>:
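Review bot: the rewritten paragraph drops the `/usr/sbin/` prefix from the second and third mentions of `getenforce` (and from `sestatus` further down), but its opening sentence still reads `/usr/sbin/getenforce` or `/usr/sbin/sestatus`; use one form in the prose and leave the full path to the screen listings, which is the convention the Booleans page in this same change follows.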
@@ -27,23 +29,20 @@
 # SELINUXTYPE= can take one of these two values:
 #       targeted - Targeted processes are protected,
 #       mls - Multi Level Security protection.
-SELINUXTYPE=targeted</pre><p>
-				Also, the <code class="command">/usr/sbin/getenforce</code> command returns <code class="computeroutput">Disabled</code>:
+SELINUXTYPE=targeted
+</pre><p>
+				Also, the <code class="command">getenforce</code> command returns <code class="computeroutput">Disabled</code>:
 			</p><pre class="screen">$ /usr/sbin/getenforce
-Disabled</pre><p>
+Disabled
+</pre><p>
 				To enable SELinux:
 			</p><div class="orderedlist"><ol><li><p>
-						Use the <code class="command">rpm -qa | grep selinux</code>, <code class="command">rpm -q policycoreutils</code>, and <code class="command">rpm -qa | grep setroubleshoot</code> commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: <span class="package">selinux-policy-targeted</span>, <span class="package">selinux-policy</span>, <span class="package">libselinux</span>, <span class="package">libselinux-python</span>, <span class="package">libselinux-utils</span>, <span class="package">policycoreutils</span>, <span class="package">setroubleshoot-server</span>, <span class="package">setroubleshoot-plugins</span>. If these packages are not installed, as the Linux root user, install them via the <code class="command">yum install <em class="replaceable"><code>package-name</code></em></code> command. The following packages are optional: <span class="package">policycoreutils-gui</span>, <span class="package">setrou
 bleshoot</span>, <span class="package">selinux-policy-devel</span>, and <span class="package">mcstrans</span>.
+						Use the <code class="command">rpm -qa | grep selinux</code>, <code class="command">rpm -q policycoreutils</code>, and <code class="command">rpm -qa | grep setroubleshoot</code> commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: <span class="package">selinux-policy-targeted</span>, <span class="package">selinux-policy</span>, <span class="package">libselinux</span>, <span class="package">libselinux-python</span>, <span class="package">libselinux-utils</span>, <span class="package">policycoreutils</span>, <span class="package">setroubleshoot</span>, <span class="package">setroubleshoot-server</span>, <span class="package">setroubleshoot-plugins</span>. If these packages are not installed, as the Linux root user, install them via the <code class="command">yum install <em class="replaceable"><code>package-name</code></em></code> command. The following packages are optional: <span class="package">policycoreu
 tils-gui</span>, <span class="package">setroubleshoot</span>, <span class="package">selinux-policy-devel</span>, and <span class="package">mcstrans</span>.
 					</p><p>
-						After installing the <span class="package">setroubleshoot-server</span> package, as the Linux root user, run the <code class="command">/sbin/service setroubleshoot start</code> command to start <code class="systemitem">setroubleshootd</code>:
-					</p><pre class="screen"># /sbin/service setroubleshoot start
-Starting setroubleshootd:                                  [  OK  ]</pre><p>
-						If <code class="systemitem">setroubleshootd</code> is already running, the output is as follows:
-					</p><pre class="screen"># /sbin/service setroubleshoot start
-Starting setroubleshootd:</pre><p>
-						Use the <code class="command">/sbin/chkconfig --list setroubleshoot</code> command to confirm that <code class="systemitem">setroubleshootd</code> starts when the system is running in runlevel<sup>[<a id="d0e2460" href="#ftn.d0e2460" class="footnote">10</a>]</sup> 3, 4, and 5:
+						After installing the <span class="package">setroubleshoot-server</span> package, use the <code class="command">/sbin/chkconfig --list setroubleshoot</code> command to confirm that <code class="systemitem">setroubleshootd</code> starts when the system is running in runlevel<sup>[<a id="d0e2475" href="#ftn.d0e2475" class="footnote">10</a>]</sup> 3, 4, and 5:
 					</p><pre class="screen">$ /sbin/chkconfig --list setroubleshoot
-setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off</pre><p>
+setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off
+</pre><p>
 						If the output differs, as the Linux root user, run the <code class="command">/sbin/chkconfig --levels 345 setroubleshoot on</code> command. This makes <code class="systemitem">setroubleshootd</code> automatically start when the system is in runlevel 3, 4, and 5.
 					</p></li><li><p>
 						Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure <code class="computeroutput">SELINUX=permissive</code> in <code class="filename">/etc/selinux/config</code>:
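Review bot: the rewritten package list now adds setroubleshoot to the packages this guide assumes are installed, yet the following sentence still names setroubleshoot among the optional packages; it cannot be both, so remove it from one of the two lists. Separately, dropping the `service setroubleshoot start` step means setroubleshootd is only confirmed (via `chkconfig --list`) to start at the next boot rather than started now; that is acceptable since the procedure reboots in the next step, but the text could say that the daemon will be running after the reboot.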
@@ -56,15 +55,17 @@
 # SELINUXTYPE= can take one of these two values:
 #       targeted - Targeted processes are protected,
 #       mls - Multi Level Security protection.
-SELINUXTYPE=targeted</pre></li><li><p>
+SELINUXTYPE=targeted
+</pre></li><li><p>
 						As the Linux root user, run the <code class="command">reboot</code> command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:
 					</p><pre class="screen">*** Warning -- SELinux targeted policy relabel is required.
 *** Relabeling could take a very long time, depending on file
 *** system size and speed of hard drives.
-****</pre><p>
+****
+</pre><p>
 						Each <code class="computeroutput">*</code> character on the bottom line represents 1000 files that have been labeled. In the above example, four <code class="computeroutput">*</code> characters represent 4000 files have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.
 					</p></li><li><p>
-						In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the <code class="command">grep "SELinux is preventing" /var/log/messages</code> command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. [link to troubleshooting section]
+						In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the <code class="command">grep "SELinux is preventing" /var/log/messages</code> command as the Linux root user to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to <a class="xref" href="chap-Security-Enhanced_Linux-Troubleshooting.html" title="Chapter 7. Troubleshooting">Chapter 7, <i>Troubleshooting</i></a> for troubleshooting information if SELinux denied access during boot.
 					</p></li><li><p>
 						If there were no denial messages in <code class="filename">/var/log/messages</code>, configure <code class="computeroutput">SELINUX=enforcing</code> in <code class="filename">/etc/selinux/config</code>:
 					</p><pre class="screen"># This file controls the state of SELinux on the system.
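Review bot: the rewritten permissive-mode step now says "as the Linux root user" twice in one sentence ("Before changing to enforcing mode, as the Linux root user, run the ... command as the Linux root user to confirm"); the first occurrence was already there, so drop the second one added in this hunk. Replacing the "[link to troubleshooting section]" placeholder with the Chapter 7 xref is the right fix. One caveat worth a sentence while here: grepping /var/log/messages for "SELinux is preventing" only finds the summaries that setroubleshootd writes, which is why the procedure enables that daemon in its first step; if it was not running during the boot, the denials are only in the audit log, so point the reader at 5.2, Which Log File is Used, rather than letting an empty grep read as "no denials occurred".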
@@ -76,31 +77,42 @@
 # SELINUXTYPE= can take one of these two values:
 #       targeted - Targeted processes are protected,
 #       mls - Multi Level Security protection.
-SELINUXTYPE=targeted</pre></li><li><p>
-						Reboot your system. After reboot, confirm that the <code class="command">/usr/sbin/getenforce</code> command returns <code class="computeroutput">Enforcing</code>:
+SELINUXTYPE=targeted
+</pre></li><li><p>
+						Reboot your system. After reboot, confirm that the <code class="command">getenforce</code> command returns <code class="computeroutput">Enforcing</code>:
 					</p><pre class="screen">$ /usr/sbin/getenforce
-Enforcing</pre></li><li><p>
-						As the Linux root user, run the <code class="command">semanage login -l</code> command to view the mapping between SELinux and Linux users. The output should be as follows:
+Enforcing
+</pre></li><li><p>
+						As the Linux root user, run the <code class="command">/usr/sbin/semanage login -l</code> command to view the mapping between SELinux and Linux users. The output should be as follows:
 					</p><pre class="screen">Login Name                SELinux User              MLS/MCS Range
 
 __default__               unconfined_u              s0-s0:c0.c1023
 root                      unconfined_u              s0-s0:c0.c1023
-system_u                  system_u                  s0-s0:c0.c1023</pre></li></ol></div><p>
-				If this is not the case, run the following commands as the Linux root user to fix the user mappings:
+system_u                  system_u                  s0-s0:c0.c1023
+</pre></li></ol></div><p>
+				If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the <code class="computeroutput">SELinux-user<em class="replaceable"><code> username</code></em> is already defined</code> warnings if they occur, where <em class="replaceable"><code>username</code></em> can be <code class="computeroutput">unconfined_u</code>, <code class="computeroutput">guest_u</code>, or <code class="computeroutput">xguest_u</code>:
 			</p><div class="orderedlist"><ol><li><p>
-<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u</pre>
-					</p></li><li><p>
-<pre class="screen">/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__</pre>
-					</p></li><li><p>
-<pre class="screen">/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root</pre>
-					</p></li><li><p>
-<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u</pre>
-					</p></li><li><p>
-<pre class="screen">/usr/sbin/semanage user -a -S targeted  -P user -R xguest_r xguest_u</pre>
-					</p></li></ol></div><p>
-				It is safe to ignore the <code class="computeroutput">SELinux-user<em class="replaceable"><code> username</code></em> is already defined</code> warnings if they occur, where <em class="replaceable"><code>username</code></em> can be <code class="computeroutput">unconfined_u</code>, <code class="computeroutput">guest_u</code>, or <code class="computeroutput">xguest_u</code>.
-			</p><div class="important"><h2>Important</h2><p>
+						
+<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
+</pre>
+					</p></li><li><p>
+						
+<pre class="screen">/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
+</pre>
+					</p></li><li><p>
+						
+<pre class="screen">/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
+</pre>
+					</p></li><li><p>
+						
+<pre class="screen">/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
+</pre>
+					</p></li><li><p>
+						
+<pre class="screen">/usr/sbin/semanage user -a -S targeted  -P user -R xguest_r xguest_u
+</pre>
+					</p></li></ol></div><div class="important"><h2>Important</h2><p>
 					When systems run with SELinux in permissive or disabled mode, users have permission to label files incorrectly. Also, files created while SELinux is disabled are not labeled. This causes problems when changing to enforcing mode. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from disabled mode to permissive or enforcing mode.
-				</p></div></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e2460" href="#d0e2460" class="para">10</a>] </sup>
+				</p></div></div><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e2475" href="#d0e2475" class="para">10</a>] </sup>
 							Refer to <a href="http://en.wikipedia.org/wiki/Runlevel">http://en.wikipedia.org/wiki/Runlevel</a> for information about runlevels.
 						</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Prev</strong>5.3. Main Configuration File</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Next</strong>5.4.2. Disabling SELinux</a></li></ul></body></html>
\ No newline at end of file
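Review bot: the user-mapping repair commands do not do what the relocated intro paragraph implies. `semanage user -a` only adds a new SELinux user; when unconfined_u, guest_u or xguest_u already exists (the "is already defined" case the paragraph tells the reader to ignore) semanage refuses the add and applies none of the `-R` roles or `-r` range, so of the five commands only the two `semanage login -m` lines ever change anything. Either use `semanage user -m` for users that already exist, or state that the `-a` lines are only needed when the user is missing from `semanage user -l`. Smaller inconsistency in the same hunk: the prose was changed from `/usr/sbin/getenforce` to `getenforce` while the screen block under it still shows `$ /usr/sbin/getenforce`, and `semanage login -l` gained its full path in the same edit; pick one convention for the whole procedure.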


Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.3. Main Configuration File</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html" title="5.2. Which Log File is Used"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html" title="5.4. Enabling and Disabling SELinux"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.3. Main Configuration File</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Prev</strong></a>
 </li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.3. Main Configuration File</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html" title="5.2. Which Log File is Used"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html" title="5.4. Enabling and Disabling SELinux"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.3. Main Configuration File</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Lin
 ux-Working_with_SELinux-Which_Log_File_is_Used.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File">5.3. Main Configuration File</h2></div></div></div><p>
 			The <code class="filename">/etc/selinux/config</code> file is the main SELinux configuration file. It controls the SELinux mode and the SELinux policy to use:
 		</p><pre class="screen"># This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
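Review bot: the new Prev link appears broken across two lines inside the href value (`sect-Security-Enhanced_Lin` at the end of the `+` line, `ux-Working_with_SELinux-Which_Log_File_is_Used.html` at the start of the next). The break sits roughly the width of the inserted `<meta name="package" .../>` element earlier than the break in the old line, and the same shift shows up in the other files of this commit, so this is almost certainly line wrapping in the diff listing rather than a newline in the file; still, confirm the committed HTML keeps the href on one line, because a literal newline inside the attribute value would leave the Prev link pointing at a file that does not exist. The `meta name="package"` addition itself is fine.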
@@ -12,7 +12,8 @@
 # SELINUXTYPE= can take one of these two values:
 #       targeted - Targeted processes are protected,
 #       mls - Multi Level Security protection.
-SELINUXTYPE=targeted</pre><div class="variablelist"><dl><dt><span class="term"><code class="computeroutput">SELINUX=enforcing</code></span></dt><dd><p>
+SELINUXTYPE=targeted
+</pre><div class="variablelist"><dl><dt><span class="term"><code class="computeroutput">SELINUX=enforcing</code></span></dt><dd><p>
 						The <code class="option">SELINUX</code> option sets the mode SELinux runs in. SELinux has three modes: enforcing, permissive, and disabled. When using enforcing mode, SELinux policy is enforced, and SELinux denies access based on SELinux policy rules. Denial messages are logged. When using permissive mode, SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running SELinux in enforcing mode. When using disabled mode, SELinux is disabled (the SELinux module is not registered with the Linux kernel), and only DAC rules are used.
 					</p></dd><dt><span class="term"><code class="computeroutput">SELINUXTYPE=targeted</code></span></dt><dd><p>
 						The <code class="option">SELINUXTYPE</code> option sets the SELinux policy to use. Targeted policy is the default policy. Only change this option if you want to use the MLS policy. To use the MLS policy, install the <span class="package">selinux-policy-mls</span> package; configure <code class="option">SELINUXTYPE=mls</code> in <code class="filename">/etc/selinux/config</code>; and reboot your system.
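Review bot: the `SELINUXTYPE=mls` instructions in the last context line of this hunk (install selinux-policy-mls, set `SELINUXTYPE=mls`, reboot) skip the relabel. The automatic relabel the Enabling SELinux page describes is triggered by going from disabled to permissive or enforcing, not by changing the policy type, and the file contexts under the mls policy are not the same as under targeted, so a system switched this way boots with labels from the wrong policy. Add the step to run `touch /.autorelabel` before the reboot so the next boot relabels, and, as the enabling procedure already does, have the reader make the first boot under the new policy permissive before switching to enforcing.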


Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,56 +1,67 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10. Maintaining SELinux Labels</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html" title="5.9.5. Making Context Mounts Persistent"/><link rel="next" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html" title="5.10.2. Moving Files and Directories"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10. Maintaining SELinux Labels </strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_
 Mounts_Persistent.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </h2></div></div></div><p>
-			These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories. Also, it explains how to preseve contexts when copying and archiving.
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.10. Maintaining SELinux Labels</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html" title="5.9.5. Making Context Mounts Persistent"/><link rel="next" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html" title="5.10.2. Moving Files and Directories"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.10. Maintaining SELinux Labels </strong></a></p><ul class="docnav"><li class="previous"><a accesske
 y="p" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Making_Context_Mounts_Persistent.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Moving_Files_and_Directories.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Maintaining_SELinux_Labels_">5.10. Maintaining SELinux Labels </h2></div></div></div><p>
+			These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories. Also, it explains how to preserve contexts when copying and archiving.
 		</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Copying_Files_and_Directories">5.10.1. Copying Files and Directories</h3></div></div></div><p>
 				When a file or directory is copied, a new file or directory is created if it does not exist. That new file or directory's context is based on default-labeling rules, not the original file or directory's context (unless options were used to preserve the original context). For example, files created in user home directories are labeled with the <code class="computeroutput">user_home_t</code> type:
-			</p><pre class="screen">$ touch file1
+			</p><pre class="screen">
+$ touch file1
 $ ls -Z file1 
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1</pre><p>
+-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
+</pre><p>
 				If such a file is copied to another directory, such as <code class="filename">/etc/</code>, the new file is created in accordance to default-labeling rules for the <code class="filename">/etc/</code> directory. Copying a file (without additional options) may not preserve the original context:
-			</p><pre class="screen">$ ls -Z file1 
+			</p><pre class="screen">
+$ ls -Z file1 
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 # cp file1 /etc/
 $ ls -Z /etc/file1
--rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1</pre><p>
+-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
+</pre><p>
 				When <code class="filename">file1</code> is copied to <code class="filename">/etc/</code>, if <code class="filename">/etc/file1</code> does not exist, <code class="filename">/etc/file1</code> is created as a new file. As shown in the example above, <code class="filename">/etc/file1</code> is labeled with the <code class="computeroutput">etc_t</code> type, in accordance to default-labeling rules.
 			</p><p>
 				When a file is copied over an existing file, the existing file's context is preserved, unless the user specified <code class="command">cp</code> options to preserve the context of the original file, such as <code class="option">--preserve=context</code>. SELinux policy may prevent contexts from being preserved during copies.
 			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_Without_Preserving_SELinux_Contexts">Copying Without Preserving SELinux Contexts</h5>
 					When copying a file with the <code class="command">cp</code> command, if no options are given, the type is inherited from the targeted, parent directory:
-				<pre class="screen">$ touch file1
+				<pre class="screen">
+$ touch file1
 $ ls -Z file1
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 $ ls -dZ /var/www/html/
 drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
 # cp file1 /var/www/html/
 $ ls -Z /var/www/html/file1
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1</pre><p>
+-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
+</pre><p>
 				In this example, <code class="filename">file1</code> is created in a user's home directory, and is labeled with the <code class="computeroutput">user_home_t</code> type. The <code class="filename">/var/www/html/</code> directory is labeled with the <code class="computeroutput">httpd_sys_content_t</code> type, as shown with the <code class="command">ls -dZ /var/www/html/</code> command. When <code class="filename">file1</code> is copied to <code class="filename">/var/www/html/</code>, it inherits the <code class="computeroutput">httpd_sys_content_t</code> type, as shown with the <code class="command">ls -Z /var/www/html/file1</code> command.
 			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Preserving_SELinux_Contexts_When_Copying">Preserving SELinux Contexts When Copying</h5>
 					Use the <code class="command">cp --preserve=context</code> command to preserve contexts when copying:
-				<pre class="screen">$ touch file1
+				<pre class="screen">
+$ touch file1
 $ ls -Z file1
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 $ ls -dZ /var/www/html/
 drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
 # cp --preserve=context file1 /var/www/html/
 $ ls -Z /var/www/html/file1
--rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1</pre><p>
+-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
+</pre><p>
 				In this example, <code class="filename">file1</code> is created in a user's home directory, and is labeled with the <code class="computeroutput">user_home_t</code> type. The <code class="filename">/var/www/html/</code> directory is labeled with the <code class="computeroutput">httpd_sys_content_t</code> type, as shown with the <code class="command">ls -dZ /var/www/html/</code> command. Using the <code class="option">--preserve=context</code> option preserves SELinux contexts during copy operations. As shown with the <code class="command">ls -Z /var/www/html/file1</code> command, the <code class="filename">file1</code> <code class="computeroutput">user_home_t</code> type was preserved when the file was copied to <code class="filename">/var/www/html/</code>.
 			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_and_Changing_the_Context">Copying and Changing the Context</h5>
 					Use the <code class="command">cp -Z</code> command to change the destination copy's context. The following example was performed in the user's home directory:
-				<pre class="screen">$ touch file1
+				<pre class="screen">
+$ touch file1
 $ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
 $ ls -Z file1 file2
 -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 -rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2
-$ rm file1 file2</pre><p>
+$ rm file1 file2
+</pre><p>
 				In this example, the context is defined with the <code class="option">-Z</code> option. Without the <code class="option">-Z</code> option, <code class="filename">file2</code> would be labeled with the <code class="computeroutput">unconfined_u:object_r:user_home_t</code> context.
 			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Copying_Files_and_Directories-Copying_a_File_Over_an_Existing_File">Copying a File Over an Existing File</h5>
 					When a file is copied over an existing file, the existing file's context is preserved (unless an option is used to preserve contexts). For example:
-				<pre class="screen"># touch /etc/file1
+				<pre class="screen">
+# touch /etc/file1
 # ls -Z /etc/file1
 -rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
 # touch /tmp/file2
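Review bot: the newline added immediately after each opening `<pre class="screen">` tag in this file (`<pre class="screen">` on one line, `$ touch file1` on the next) is inconsistent with the rest of the commit, which only adds a newline before `</pre>`, and it is not harmless: an HTML parser discards a newline that directly follows a `<pre>` start tag, but this file is XHTML 1.0 Strict with an XML declaration, and an XML parser keeps it, so every screen block starts with a blank line whenever the page is processed as XML. Drop the leading newline. Also in the touched paragraphs: "in accordance to default-labeling rules" (twice) should be "in accordance with", and "inherited from the targeted, parent directory" should read "inherited from the target parent directory". The "preseve" to "preserve" correction is good.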
@@ -58,7 +69,8 @@
 -rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
 # cp /tmp/file2 /etc/file1
 # ls -Z /etc/file1
--rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1</pre><p>
+-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
+</pre><p>
 				In this example, two files are created: <code class="filename">/etc/file1</code>, labeled with the <code class="computeroutput">etc_t</code> type, and <code class="filename">/tmp/file2</code>, labeled with the <code class="computeroutput">user_tmp_t</code> type. The <code class="command">cp /tmp/file2 /etc/file1</code> command overwrites <code class="filename">file1</code> with <code class="filename">file2</code>. After copying, the <code class="command">ls -Z /etc/file1</code> command shows <code class="filename">file1</code> labeled with the <code class="computeroutput">etc_t</code> type, not the <code class="computeroutput">user_tmp_t</code> type from <code class="filename">/tmp/file2</code> that replaced <code class="filename">/etc/file1</code>.
 			</p><div class="important"><h2>Important</h2><p>
 					Copy files and directories, rather than moving them. This helps ensure they are labeled with the correct SELinux contexts. Incorrect SELinux contexts can prevent processes from accessing such files and directories.


Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9. Mounting File Systems</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html" title="5.8. The file_t and default_t Types"/><link rel="next" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html" title="5.9.2. Changing the Default Context"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9. Mounting File Systems</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><stron
 g>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.9. Mounting File Systems</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html" title="5.8. The file_t and default_t Types"/><link rel="next" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html" title="5.9.2. Changing the Default Context"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.9. Mounting File Systems</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-E
 nhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Mounting_File_Systems-Changing_the_Default_Context.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems">5.9. Mounting File Systems</h2></div></div></div><p>
 			By default, when a file system that supports extended attributes is mounted, the security context for each file is obtained from the <span class="emphasis"><em>security.selinux</em></span> extended attribute of the file. Files in file systems that do not support extended attributes are assigned a single, default security context from the policy configuration, based on file system type.
 		</p><p>
 			Use the <code class="command">mount -o context</code> command to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes. This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems. The <code class="command">mount -o context</code> command can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS file systems. The context specified with the <code class="option">context</code> is not written to disk: the original contexts are preserved, and are seen when mounting without a <code class="option">context</code> option (if the file system had extended attributes in the first place).
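Review bot: a word is missing in the unchanged context line "The context specified with the <code class="option">context</code> is not written to disk"; it should read "specified with the context option", matching the wording used two sentences later. Since the hunk is already rewriting this file's header, fold that fix in. The substance of the paragraph is right: `-o context` both overrides the labels of a file system that has extended attributes and supplies a label for one that does not (FAT, NFS), and the override is never written back to disk.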
@@ -10,8 +10,10 @@
 		</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-Mounting_File_Systems-Context_Mounts">5.9.1. Context Mounts</h3></div></div></div><p>
 				To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the Linux root user, use the <code class="command">mount -o context=<em class="replaceable"><code>SELinux_user:role:type:level</code></em></code> command when mounting the desired file system. Context changes are not written to disk. By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the <code class="computeroutput">nfs_t</code> type. Without additional mount options, this may prevent sharing NFS file systems via other services, such as the Apache HTTP Server. The following example mounts an NFS file system so that it can be shared via the Apache HTTP Server:
 			</p><p>
+				
 <pre class="screen"># mount server:/export /local/mount/point -o\
-context="system_u:object_r:httpd_sys_content_t:s0"</pre>
+context="system_u:object_r:httpd_sys_content_t:s0"
+</pre>
 			</p><p>
 				Newly-created files and directories on this file system appear to have the SELinux context specified with <code class="option">-o context</code>; however, since context changes are not written to disk for these situations, the context specified with the <code class="option">context</code> option is only retained if the <code class="option">context</code> option is used on the next mount, and if the same context is specified.
 			</p><p>
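Review bot: the block that receives the extra whitespace here is a `<pre>` nested directly inside `<p>` (`</p><p>`, then `<pre class="screen">` ... `</pre>`, then `</p><p>`), which XHTML 1.0 Strict, the doctype this file declares, does not allow; since the hunk is touching those lines anyway, close the paragraph before the `<pre>` and reopen it after, the way the Copying Files and Directories page does (`</p><pre class="screen">...</pre><p>`). Minor, on the command itself: the line continuation is written as `-o\` with no space, so the shell joins it into `-ocontext="system_u:object_r:httpd_sys_content_t:s0"`, which mount accepts, but `-o \` with the option on the next line, or the whole command on one line, is easier for a reader to copy correctly.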


Index: sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,15 +1,16 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.7. SELinux Contexts - Labeling Files</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html" title="5.6.3. Examples: Booleans for NFS and CIFS"/><link rel="next" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html" title="5.7.2. Persistent Changes: semanage fcontext"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.7. SELinux Contexts - Labeling Files</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Booleans-Examp
 les_Booleans_for_NFS_and_CIFS.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.7. SELinux Contexts - Labeling Files</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html" title="5.6.3. Examples: Booleans for NFS and CIFS"/><link rel="next" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html" title="5.7.2. Persistent Changes: semanage fcontext"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.7. SELinux Contexts - Labeling Files</strong></a></p><ul class="docnav"><li class
 ="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Booleans-Examples_Booleans_for_NFS_and_CIFS.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files">5.7. SELinux Contexts - Labeling Files</h2></div></div></div><p>
 			On systems running SELinux, all processes and files are labeled with a label that contains security-relevant information. This information is called the SELinux context. For files, this is viewed using the <code class="command">ls -Z</code> command:
 		</p><pre class="screen">$ ls -Z file1
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1</pre><p>
+-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
+</pre><p>
 			In this example, SELinux provides a user (<code class="computeroutput">unconfined_u</code>), a role (<code class="computeroutput">object_r</code>), a type (<code class="computeroutput">user_home_t</code>), and a level (<code class="computeroutput">s0</code>). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
 		</p><p>
-			There are multiple commands for managing the SELinux context for files, such as <code class="command">chcon</code>, <code class="command">/usr/sbin/semanage fcontext</code>, and <code class="command">/sbin/restorecon</code>.
+			There are multiple commands for managing the SELinux context for files, such as <code class="command">chcon</code>, <code class="command">semanage fcontext</code>, and <code class="command">restorecon</code>.
 		</p><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Temporary_Changes_chcon">5.7.1. Temporary Changes: chcon</h3></div></div></div><p>
-				The <code class="command">chcon</code> command changes the SELinux context for files. These changes do not survive a file system relabel, or the <code class="command">/sbin/restorecon</code> command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using <code class="command">chcon</code>, users provide all or part of the SELinux context to change. An incorrect file type is a common cause for SELinux denying access.
+				The <code class="command">chcon</code> command changes the SELinux context for files. These changes do not survive a file system relabel, or the <code class="command">/sbin/restorecon</code> command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using <code class="command">chcon</code>, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.
 			</p><h5 class="formalpara" id="form-Security-Enhanced_Linux-Temporary_Changes_chcon-Quick_Reference">Quick Reference</h5>
 					<div class="itemizedlist"><ul><li><p>
 								Run the <code class="command">chcon -t <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>file-name</code></em></code> command to change the file type, where <em class="replaceable"><code>type</code></em> is a type, such as <code class="computeroutput">httpd_sys_content_t</code>, and <em class="replaceable"><code>file-name</code></em> is a file or directory name.
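Review bot: command paths become inconsistent within this hunk. The rewritten sentence listing the labeling commands drops the prefixes (`semanage fcontext`, `restorecon` instead of `/usr/sbin/semanage fcontext`, `/sbin/restorecon`), but the chcon paragraph directly below it, which this hunk also edits for the "cause of" wording, still reads `/sbin/restorecon`, and the later procedure steps in this file keep `/sbin/restorecon -v file1`. Pick one convention and apply it in the same revision: keep the absolute paths if the intent is that a non-root user may not have `/sbin` and `/usr/sbin` on `$PATH`, otherwise drop them everywhere.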
@@ -23,15 +24,18 @@
 					</p></li><li><p>
 						Run the <code class="command">touch file1</code> command to create a new file. Use the <code class="command">ls -Z file1</code> command to view the SELinux context for <code class="filename">file1</code>:
 					</p><pre class="screen">$ ls -Z file1
--rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1</pre><p>
-						In this example, the SELinux context for <code class="filename">file1</code> includes the SELinux <code class="computeroutput">unconfined_u</code> user, <code class="computeroutput">object_r</code> role, <code class="computeroutput">user_home_t</code> type, and the <code class="computeroutput">s0</code> level. For a description of each part of the SELinux context, refer to
+-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
+</pre><p>
+						In this example, the SELinux context for <code class="filename">file1</code> includes the SELinux <code class="computeroutput">unconfined_u</code> user, <code class="computeroutput">object_r</code> role, <code class="computeroutput">user_home_t</code> type, and the <code class="computeroutput">s0</code> level. For a description of each part of the SELinux context, refer to <a class="xref" href="chap-Security-Enhanced_Linux-SELinux_Contexts.html" title="Chapter 3. SELinux Contexts">Chapter 3, <i>SELinux Contexts</i></a>.
 					</p></li><li><p>
 						Run the <code class="command">chcon -t samba_share_t file1</code> command to change the type to <code class="computeroutput">samba_share_t</code>. The <code class="option">-t</code> option only changes the type. View the change with <code class="command">ls -Z file1</code>:
 					</p><pre class="screen">$ ls -Z file1 
--rw-rw-r--  user1 group1 unconfined_u:object_r:samba_share_t:s0 file1</pre></li><li><p>
+-rw-rw-r--  user1 group1 unconfined_u:object_r:samba_share_t:s0 file1
+</pre></li><li><p>
 						Use the <code class="command">/sbin/restorecon -v file1</code> command to restore the SELinux context for the <code class="filename">file1</code> file. Use the <code class="option">-v</code> option to view what changes:
 					</p><pre class="screen">$ /sbin/restorecon -v file1
-restorecon reset file1 context system_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0</pre><p>
+restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
+</pre><p>
 						In this example, the previous type, <code class="computeroutput">samba_share_t</code>, is restored to the correct, <code class="computeroutput">user_home_t</code> type. When using targeted policy (the default SELinux policy in Fedora 10), the <code class="command">/sbin/restorecon</code> command reads the files in the <code class="filename">/etc/selinux/targeted/contexts/files/</code> directory, to see which SELinux context files should have.
 					</p></li></ol></div><p>
 				The example in this section works the same for directories, for example, if <code class="filename">file1</code> was a directory.
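Review bot: the corrected restorecon output now agrees with the preceding `ls -Z` line on its source context (`unconfined_u:object_r:samba_share_t:s0`), but the target context it prints is `system_u:object_r:user_home_t:s0`, while the file's context at the start of the procedure was `unconfined_u:object_r:user_home_t:s0`. The explanatory paragraph only says the `user_home_t` type is restored, so a reader comparing the two screen blocks is left wondering whether the SELinux user field of `file1` really changed from `unconfined_u` to `system_u`. Either finish the procedure with one more `ls -Z file1` showing the resulting context, or add a sentence saying what the right-hand side of the `restorecon reset` message represents relative to the context the file ends up with. The new `<a class="xref">` to Chapter 3 resolves the sentence that previously ended on a dangling "refer to", which is the right fix.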
@@ -44,7 +48,8 @@
 # ls -lZ /web
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3</pre></li><li><p>
+-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
+</pre></li><li><p>
 						As the Linux root user, run the <code class="command">chcon -R -t httpd_sys_content_t /web/</code> command to change the type of the <code class="filename">/web/</code> directory (and its contents) to <code class="computeroutput">httpd_sys_content_t</code>:
 					</p><pre class="screen"># chcon -R -t httpd_sys_content_t /web/
 # ls -dZ /web/
@@ -52,13 +57,15 @@
 # ls -lZ /web/
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
 -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
--rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3</pre></li><li><p>
-						As the Linux root user, run the <code class="command">/sbin/restorecon -v -R /web/</code> command to restore the default SELinux contexts:
-					</p><pre class="screen">restorecon -v -R /web/
+-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
+</pre></li><li><p>
+						As the Linux root user, run the <code class="command">/sbin/restorecon -R -v /web/</code> command to restore the default SELinux contexts:
+					</p><pre class="screen"># /sbin/restorecon -R -v /web/
 restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
 restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
 restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
-restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0</pre></li></ol></div><p>
+restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
+</pre></li></ol></div><p>
 				Refer to the <span class="citerefentry"><span class="refentrytitle">chcon</span>(1)</span> manual page for further information about <code class="command">chcon</code>.
 			</p><div class="note"><h2>Note</h2><p>
 					Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored.
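Review bot: adding the `#` prompt to the `/sbin/restorecon -R -v /web/` screen fixes the mismatch with "As the Linux root user" in the sentence above it, and the option order now agrees between prose and screen. What the closing step still lacks is a pointer for the reader who actually wants `/web/` served by httpd: after `restorecon -R` the tree is back to `default_t`, which the file_t/default_t section elsewhere in this diff describes as generally kept inaccessible to confined domains, and the remedy that section names is updating the file-context configuration via Section 5.7.2 (semanage fcontext). A sentence after this step, or next to the "Refer to the chcon(1) manual page" line, stating that the chcon changes demonstrated here are undone by restorecon and that 5.7.2 covers the persistent equivalent would close the loop for a reader who stops at this section.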


Index: sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.5. SELinux Modes</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html" title="5.4.2. Disabling SELinux"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.5. SELinux Modes</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Securit
 y-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux Modes</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.5. SELinux Modes</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html" title="5.4.2. Disabling SELinux"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html" title="5.6. Booleans"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.5. SELinux Modes</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html"><str
 ong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Modes">5.5. SELinux Modes</h2></div></div></div><p>
 			SELinux has three modes:
 		</p><div class="itemizedlist"><ul><li><p>
 					Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.


Index: sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.8. The file_t and default_t Types</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html" title="5.7.2. Persistent Changes: semanage fcontext"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.8. The file_t and default_t Types</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persi
 stent_Changes_semanage_fcontext.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</h2></div></div></div><p>
-			On file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <code class="computeroutput">file_t</code> type. This should be the only use of this type, so that files without a context on disk can be distinguished in policy, and generally kept inaccessible to confined domains. The <code class="computeroutput">file_t</code> type should not exist on correctly-labeled file systems, because all files on a system running SELinux should have an SELinux context, and the <code class="computeroutput">file_t</code> type is never used in file-context configuration<sup>[<a id="d0e3697" href="#ftn.d0e3697" class="footnote">11</a>]</sup>.
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.8. The file_t and default_t Types</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html" title="5.7.2. Persistent Changes: semanage fcontext"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html" title="5.9. Mounting File Systems"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.8. The file_t and default_t Types</strong></a></p><ul class="docnav"><li class="previous"><a accesske
 y="p" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-The_file_t_and_default_t_Types">5.8. The file_t and default_t Types</h2></div></div></div><p>
+			On file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the <code class="computeroutput">file_t</code> type. This should be the only use of this type, so that files without a context on disk can be distinguished in policy, and generally kept inaccessible to confined domains. The <code class="computeroutput">file_t</code> type should not exist on correctly-labeled file systems, because all files on a system running SELinux should have an SELinux context, and the <code class="computeroutput">file_t</code> type is never used in file-context configuration<sup>[<a id="d0e3720" href="#ftn.d0e3720" class="footnote">11</a>]</sup>.
 		</p><p>
 			The <code class="computeroutput">default_t</code> type is used on files that do not match any other pattern in file-context configuration, so that such files can be distinguished from files that do not have a context on disk, and generally kept inaccessible to confined domains. If you create a new top-level directory, such as <code class="filename">/mydirectory/</code>, this directory may be labeled with the <code class="computeroutput">default_t</code> type. If services need access to such a directory, update the file-contexts configuration for this location. Refer to <a class="xref" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html" title="5.7.2. Persistent Changes: semanage fcontext">Section 5.7.2, “Persistent Changes: semanage fcontext”</a> for details on adding a context to the file-context configuration.
-		</p><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e3697" href="#d0e3697" class="para">11</a>] </sup>
+		</p><div class="footnotes"><br/><hr/><div class="footnote"><p><sup>[<a id="ftn.d0e3720" href="#d0e3720" class="para">11</a>] </sup>
 				Files in <code class="filename">/etc/selinux/targeted/contexts/files/</code> define contexts for files and directories. Files in this directory are read by <code class="command">restorecon</code> and <code class="command">setfiles</code> to restore files and directories to their default contexts.
 			</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html"><strong>Prev</strong>5.7.2. Persistent Changes: semanage fcontext</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html"><strong>Next</strong>5.9. Mounting File Systems</a></li></ul></body></html>
\ No newline at end of file


Index: sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html	11 Nov 2008 22:56:30 -0000	1.1
+++ sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used.html	24 Nov 2008 20:30:07 -0000	1.2
@@ -1,20 +1,29 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.2. Which Log File is Used</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html" title="5.3. Main Configuration File"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.2. Which Log File is Used</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Securit
 y-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>5.2. Which Log File is Used</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content="Fedora-Security-Enhanced_Linux-10-en-US-1.0-1"/><link rel="start" href="index.html" title="Security-Enhanced Linux"/><link rel="up" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="prev" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html" title="Chapter 5. Working with SELinux"/><link rel="next" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html" title="5.3. Main Configuration File"/></head><body><p id="title"><a href="http://docs.fedoraproject.org"><strong>5.2. Which Log File is Used</strong></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><str
 ong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Next</strong></a></li></ul><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used">5.2. Which Log File is Used</h2></div></div></div><p>
 			In Fedora 10, the <span class="package">setroubleshoot-server</span> and <span class="package">audit</span> packages are installed if packages are not removed from the default package selection. These packages include the <code class="systemitem">setroubleshootd</code> and <code class="systemitem">auditd</code> daemons respectively. These daemons run by default.
 		</p><p>
 			SELinux denial messages, such as the following, are written to <code class="filename">/var/log/audit/audit.log</code> by default:
-		</p><pre class="screen">type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file</pre><p>
+		</p><pre class="screen">type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
+</pre><p>
 			Also, if <code class="systemitem">setroubleshootd</code> is running, which is it by default, denial messages from <code class="filename">/var/log/audit/audit.log</code> are translated to an easier-to-read form and sent to <code class="filename">/var/log/messages</code>:
-		</p><pre class="screen">Oct  3 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d</pre><p>
+		</p><pre class="screen">Oct  3 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
+</pre><p>
 			Denial messages are sent to a different location, depending on which daemons are running:
 		</p><div class="segmentedlist"><table border="0"><thead><tr class="segtitle"><th>Daemon</th><th>Log Location</th></tr></thead><tbody><tr class="seglistitem"><td class="seg">auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code></td></tr><tr class="seglistitem"><td class="seg">auditd off; rsyslogd on</td><td class="seg"><code class="filename">/var/log/messages</code></td></tr><tr class="seglistitem"><td class="seg">setroubleshootd, rsyslogd, and auditd on</td><td class="seg"><code class="filename">/var/log/audit/audit.log</code>. Easier-to-read denial messages also sent to <code class="filename">/var/log/messages</code></td></tr></tbody></table></div><h5 class="formalpara" id="form-Security-Enhanced_Linux-Which_Log_File_is_Used-Starting_Daemons_Automatically">Starting Daemons Automatically</h5>
 				To configure the <code class="systemitem">auditd</code>, <code class="systemitem">rsyslogd</code>, and <code class="systemitem">setroubleshootd</code> daemons to automatically start at boot, run the following commands as the Linux root user:
-			<pre class="screen">/sbin/chkconfig --levels 2345 auditd on</pre><pre class="screen">/sbin/chkconfig --levels 2345 rsyslog on</pre><pre class="screen">/sbin/chkconfig --levels 345 setroubleshoot on</pre><p>
+			<pre class="screen">/sbin/chkconfig --levels 2345 auditd on
+</pre><pre class="screen">/sbin/chkconfig --levels 2345 rsyslog on
+</pre><pre class="screen">/sbin/chkconfig --levels 345 setroubleshoot on
+</pre><p>
 			Use the <code class="command">service <em class="replaceable"><code>service-name</code></em> status</code> command to check if these services are running, for example:
-		</p><pre class="screen">$ /sbin/service auditd status
-auditd (pid  <em class="replaceable"><code>1318</code></em>) is running...</pre><p>
-			If the above services are not running (<code class="computeroutput"><em class="replaceable"><code>service-name</code></em> is stopped</code>), use the <code class="command">service <em class="replaceable"><code>service-name</code></em> start</code> command as the Linux root user to start them:
-		</p><pre class="screen"># /sbin/service setroubleshoot start
-Starting setroubleshootd:                                  [  OK  ]</pre></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Prev</strong>Chapter 5. Working with SELinux</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Next</strong>5.3. Main Configuration File</a></li></ul></body></html>
\ No newline at end of file
+		</p><pre class="screen">
+$ /sbin/service auditd status
+auditd (pid  <em class="replaceable"><code>1318</code></em>) is running...
+</pre><p>
+			If the above services are not running (<code class="computeroutput"><em class="replaceable"><code>service-name</code></em> is stopped</code>), use the <code class="command">service <em class="replaceable"><code>service-name</code></em> start</code> command as the Linux root user to start them. For example:
+		</p><pre class="screen">
+# /sbin/service setroubleshoot start
+Starting setroubleshootd:                                  [  OK  ]
+</pre></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security-Enhanced_Linux-Working_with_SELinux.html"><strong>Prev</strong>Chapter 5. Working with SELinux</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html"><strong>Next</strong>5.3. Main Configuration File</a></li></ul></body></html>
\ No newline at end of file
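Review bot: the two screen blocks rewritten at the end of this hunk (`$ /sbin/service auditd status` and `# /sbin/service setroubleshoot start`) now begin with a newline immediately after `<pre class="screen">`, whereas every other `<pre>` in this hunk, including the three chkconfig lines, keeps its first line on the opening tag. When the page is served as XHTML that leading newline is preserved and can render as a blank first line inside the box; move the command onto the tag line as in the other blocks. Two smaller points in the same region: the three chkconfig commands are introduced with "run the following commands as the Linux root user" but carry no `#` prompt, unlike the `service setroubleshoot start` example two blocks later, so add the prompt for consistency; and the unchanged context line "if setroubleshootd is running, which is it by default" still has the transposed "is it" (it should read "which it is by default"), worth correcting while this file is being touched.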




More information about the Fedora-websites-list mailing list